
4818 Proposed Central Access Policy does not grant the same access as the current one

Written when a proposed Central Access Policy (CAP) would grant different access permissions than the current policy. It captures Dynamic Access Control “staging” (assessing impact before going live).

Overview

The subcategory is Dynamic Access Control-related auditing. Before a Central Access Policy (CAP), an access-control rule applied organization-wide, is changed, the proposed rule is compared against the current rule, and this event is generated when the access decision would change. It does not actually deny access; it shows the result of “staging,” which surfaces the impact in advance.

How it is triggered

  • In an environment with a staging CAP configured, when access occurs whose decision differs between the proposed and current rules.

Security review points

  • It is an event for assessing the impact of a CAP change. You can learn in advance whose access would change (over-broad grants, or blocking of needed access) when the proposed rule goes live.
  • For security, it helps confirm whether a CAP change would unintentionally grant broad access to a particular account.

Notes for log review

  • It is meaningful only in environments running Dynamic Access Control with staging configured. Without both, it does not appear.
  • Read it as a record of the validation phase before a policy goes live. Check the target and subject of the access where a difference arose.

Key fields

Field | Meaning
Target object/access | The access where a difference arose
Current/proposed policy | The compared CAPs
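
The review step described above (checking the subject and target of each access where a difference arose) can be scripted over exported events. The following is an added example, not part of the original page: it assumes the events were exported as XML under a single root element, and the Data field names SubjectDomainName, SubjectUserName and ObjectName are assumed from the usual layout of Security log events, so confirm them against a real 4818 record. The sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}


def _event(event_id, user, obj):
    """Build one constructed event record (sample data, not a real log)."""
    data = {"SubjectDomainName": "EXAMPLE", "SubjectUserName": user, "ObjectName": obj}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed sample: three 4818 events and one unrelated event (4663).
SAMPLE = "<Events>" + "".join([
    _event(4818, "alice", r"D:\Finance\q3.xlsx"),
    _event(4663, "alice", r"D:\Finance\q3.xlsx"),
    _event(4818, "bob", r"D:\HR\payroll.csv"),
    _event(4818, "alice", r"D:\Finance\q3.xlsx"),
]) + "</Events>"


def staging_differences(xml_text):
    """Return [(subject, object, count)] for 4818 events, most frequent first.

    Each row is one subject/target pair whose access decision would differ
    under the proposed CAP, with how often that difference was recorded.
    """
    counts = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4818":
            continue  # not a staging-difference event
        # Flatten <Data Name="..."> elements into a dict; absent fields become "?".
        d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
        subject = f'{d.get("SubjectDomainName", "?")}\\{d.get("SubjectUserName", "?")}'
        counts[(subject, d.get("ObjectName", "?"))] += 1
    return [(s, o, n) for (s, o), n in counts.most_common()]


if __name__ == "__main__":
    for subject, obj, n in staging_differences(SAMPLE):
        print(f"{n:3d}  {subject}  ->  {obj}")
```

The pairs at the top of the output are the accesses most affected by the proposed policy and are the first ones to review before it goes live.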

Glossary

  • Central Access Policy (CAP) — an access-control rule applied organization-wide based on claims and attributes (the core of Dynamic Access Control).
