title: PBAC Operator Playbooks
description: Deterministic playbooks for common OPA/Policy Bridge-based PBAC troubleshooting scenarios.

🛡️ PBAC Operator Playbooks

These playbooks are optimized for remote support handoff and deterministic diagnosis.

🛡️ 1) Policy Not Working

  • Confirm policy scope, environment, and binding target.
  • Verify required attributes are present in the request context.
  • Compare expected policy version with active commit/version.
  • Use denial replay to identify the first failing branch.

📌 2) No Bouncer or Resource Detected

  • Check bouncer registration and heartbeat freshness.
  • Validate resource-to-bouncer mapping.
  • Confirm Policy Bridge config and sync status for the target bouncer.
  • Re-run topology discovery after config correction.

🛡️ 3) Slow Policy Evaluation

  • Inspect p95/p99 decision latency in the incident window.
  • Check policy/module count and trace depth.
  • Identify context-fetch dependencies and timeout behavior.
  • Validate that no stale or duplicate policy modules are loaded.
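
The first check in this playbook can be run offline against exported decision logs. The following is an added example, not part of the original playbook or the product's tooling. It assumes the bouncer emits standard OPA decision-log events as JSON lines with UTC `Z` timestamps and the `timer_rego_query_eval_ns` metric; the sample events, policy paths and incident window are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

def parse_ts(value):
    # Assumes UTC "Z" timestamps; trims sub-microsecond digits that fromisoformat rejects.
    head, _, frac = value.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{head}.{(frac or '0')[:6]:0<6}+00:00")

def nearest_rank(sorted_values, pct):
    # Nearest-rank percentile using integer arithmetic: rank = ceil(pct * n / 100).
    return sorted_values[(pct * len(sorted_values) + 99) // 100 - 1]

def latency_percentiles(lines, start, end, metric="timer_rego_query_eval_ns"):
    """Per policy path: sample count and p95/p99 in ms for decisions in [start, end)."""
    samples = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        ns = event.get("metrics", {}).get(metric)
        if ns is None or not (start <= parse_ts(event["timestamp"]) < end):
            continue  # skip events without timing data or outside the incident window
        samples[event.get("path", "<unknown>")].append(ns / 1e6)
    return {
        path: {"n": len(v), "p95_ms": nearest_rank(sorted(v), 95),
               "p99_ms": nearest_rank(sorted(v), 99)}
        for path, v in samples.items()
    }

def _event(ts, path, eval_ms):
    # Builds one constructed decision-log line; real events carry more fields.
    return json.dumps({"decision_id": "constructed", "path": path, "timestamp": ts,
                       "metrics": {"timer_rego_query_eval_ns": eval_ms * 1_000_000}})

# Constructed sample: 20 in-window decisions (1..20 ms), one late outlier, two masking decisions.
SAMPLE_LOG = [_event(f"2024-05-01T10:{m:02d}:00.123456789Z", "authz/allow", m + 1)
              for m in range(20)]
SAMPLE_LOG.append(_event("2024-05-01T11:30:00Z", "authz/allow", 900))
SAMPLE_LOG += [_event("2024-05-01T10:05:00Z", "masking/fields", ms) for ms in (5, 7)]
WINDOW = (datetime(2024, 5, 1, 10, tzinfo=timezone.utc),
          datetime(2024, 5, 1, 11, tzinfo=timezone.utc))

if __name__ == "__main__":
    for path, stats in latency_percentiles(SAMPLE_LOG, *WINDOW).items():
        print(path, stats)
```

Grouping by policy path keeps a slow masking or authorization rule from being averaged away by fast decisions elsewhere; pass a different `metric` name to compare total handler time against evaluation time.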

🛠️ 4) Policy Bridge Sync or Policy Freshness Issues

  • Compare Control Plane bundle hash with bouncer active hash.
  • Review sync failure/partial events and timestamps.
  • Validate repo path/branch credentials and filter scopes.
  • Trigger a controlled resync and verify parity.

🛠️ 5) Masking/Redaction Behavior Issues

  • Confirm active masking policy exists in the loaded bundle.
  • Verify role/classification attributes in decision input.
  • Check mutation selection and field path coverage.
  • Distinguish masked-by-policy fields from absent-data fields.