Section 4 · Step 2
Test the policy
Two users, same call. Liam is EU staff; Kevin is US staff. Once eu-staff is off the export allow-list, watch which of the two gets a token and which doesn't.
Heads up: eu-staff is still on the export allow-list, so both users below will pass. Remove eu-staff first, then re-run this step.
Signed in as liam@northwind.com, the request under test:
Export the customer list for the EMEA portfolio review — CSV is fine.
Policy evaluation · loans:export
  ✓ user.roles Contains [loan-managers]
      liam@northwind.com is in loan-managers
  ✓ user.roles Contains [eu-staff, us-staff]
      eu-staff still on allow-list (not tightened yet)
  Final decision: pending (both rules hold while eu-staff remains on the allow-list)
What the audit log will hold
  {
    "actor": "liam@northwind.com",
    "scope": "loans:export",
    "decision": "PENDING",
    "policy": "policy-loans-export",
    "claims_evaluated": {
      "user.roles": ["loan-managers", "eu-staff"]
    }
  }
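To see both outcomes of this step side by side, here is an added example evaluator that is not the tutorial's own engine. It models policy-loans-export as two Contains rules over user.roles that must both hold, runs the same loans:export call for Liam and Kevin before and after eu-staff is dropped from the allow-list, and emits an audit record in the shape shown above. The two test users, kevin@northwind.com's role set, the ALLOW/DENY decision strings and the token shape are assumptions for illustration; the page only shows Liam's evaluation and a "PENDING" decision.

```python
"""Added example: minimal evaluator for the loans:export policy from this step.
Not the tutorial's engine. Users, ALLOW/DENY strings and the token shape are
assumed for illustration; the rule shapes follow the evaluation shown above."""
import json

# Constructed test users: Liam is EU staff, Kevin is US staff (per the step text).
# Kevin's exact roles are an assumption; the page only evaluates Liam.
USERS = {
    "liam@northwind.com": {"roles": ["loan-managers", "eu-staff"]},
    "kevin@northwind.com": {"roles": ["loan-managers", "us-staff"]},
}


def make_policy(export_allow_list):
    """policy-loans-export: every rule must hold (AND).
    Each rule is 'claim Contains [values]': the user's claim must share at
    least one value with the rule's list."""
    return {
        "id": "policy-loans-export",
        "scope": "loans:export",
        "rules": [
            ("user.roles", ["loan-managers"]),      # must be a loan manager
            ("user.roles", list(export_allow_list)),  # must be on the export allow-list
        ],
    }


def contains(claim_values, rule_values):
    """Contains semantics: any overlap between the claim and the rule list."""
    return any(v in claim_values for v in rule_values)


def evaluate(policy, actor, users=USERS):
    """Evaluate every rule for one actor; return (decision, audit_record)."""
    claims = users[actor]
    results = []
    for claim, rule_values in policy["rules"]:
        claim_values = claims[claim.split(".", 1)[1]]  # "user.roles" -> roles
        results.append(contains(claim_values, rule_values))
    decision = "ALLOW" if all(results) else "DENY"  # assumed decision strings
    record = {
        "actor": actor,
        "scope": policy["scope"],
        "decision": decision,
        "policy": policy["id"],
        "claims_evaluated": {"user.roles": claims["roles"]},
    }
    return decision, record


def issue_token(policy, actor):
    """Mint a (simplified, unsigned) token only on ALLOW; None means no token."""
    decision, record = evaluate(policy, actor)
    token = {"sub": actor, "scope": policy["scope"]} if decision == "ALLOW" else None
    return token, record


def run_step(export_allow_list):
    """Run the same call for both users; True means a token was issued."""
    policy = make_policy(export_allow_list)
    return {actor: issue_token(policy, actor)[0] is not None for actor in USERS}


if __name__ == "__main__":
    # Before tightening: eu-staff still on the list, both users get a token.
    print(run_step(["eu-staff", "us-staff"]))
    # After removing eu-staff: only Kevin gets one; Liam is denied.
    print(run_step(["us-staff"]))
    _, liam_record = issue_token(make_policy(["us-staff"]), "liam@northwind.com")
    print(json.dumps(liam_record, indent=2))
```

The denied path still writes a full audit record with the claims that were evaluated, which is what lets you confirm after the change that Liam was refused because eu-staff was no longer on the allow-list and not because his loan-managers role was lost.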