Policy, Quota, and Entitlements Service implemented
This service family answers three different questions that are easy to blur:
- are you allowed to do the thing;
- do you still have quota for the thing;
- is there physical/runtime capacity for the thing right now.
The platform keeps those separate so admission can fail for the right reason.
Scope Hierarchy
global/platform
-> plan
-> organization
-> department
-> project
-> principal or api key
-> request
Lower scopes can specialize or narrow. They do not raise a parent ceiling unless that authority is explicitly delegated.
Service Boundary
| Capability | Owned here | Adjacent service |
|---|---|---|
| Policy values | effective limits and decision rules | IAM, Billing, Product facades |
| Entitlements | who can use which product/resource/action | IAM and product access flows |
| Quota composition | hierarchy-aware usage ceilings | Billing and product usage signals |
| Capacity reservations | pre-allocated intent, not money movement | schedulers, provider inventory, runtime pools |
Decision Contract
Every decision should be explainable from the same input shape:
- actor type, id, roles, scopes;
- organization, department, project;
- product, resource type, action;
- requested delta and usage unit;
- current usage snapshot;
- registry versions and correlation ID.
Output must name:
- allow, deny, or warn;
- reason code;
- user-safe message;
- effective ceiling and inherited scope;
- matched rules and evidence version.
Why This Matters
If the platform says “launch blocked,” the operator and the customer need to know whether that came from:
- policy hard deny;
- quota exhaustion;
- missing entitlement;
- stale snapshot;
- no physical capacity.
This service owns that distinction.
Dimension Families
| Dimension family | Examples |
|---|---|
| Compute | active allocations, GPU count, vCPU, memory GiB |
| App runtime | instance concurrency, runtime hours, route count |
| Token/request | RPM, TPM, endpoint concurrency |
| Storage | bucket bytes, volume bytes, object count |
| Network | public endpoints, ingress rules, egress |
| Capacity reservation | reserved GPU SKU, model concurrency, app pool slots |
Decision Flow
Design Constraints
- Quota is not ledger.
- Capacity reservation is not billing.
- Usage units must be registry-backed.
- Overrides that raise limits are privileged mutations with audit.
- Missing or stale snapshots fail closed on launch-sensitive paths.
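The following is an added example, not the platform's own code, showing one way the scope hierarchy, the decision contract and the design constraints above fit together: a single input shape is evaluated in a fixed order so that an entitlement gap, a policy deny, a stale snapshot, quota exhaustion and missing capacity each surface as a distinct reason code with the effective ceiling and the scope it was inherited from. Every name in it (scope ids, reason codes, the unit registry, the entitlement table, the sample rules and request) is a constructed assumption, and the "child may narrow but only raises with delegated authority" rule is modelled with a per-rule flag.

```python
"""Added example (not the platform's code): scopes, codes, registry, entitlements and samples are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SCOPE_ORDER = ["global", "plan", "organization", "department", "project", "principal"]  # broadest first
UNIT_REGISTRY = {"compute.gpu_count": "GPU", "storage.bucket_bytes": "bytes"}  # constructed unit registry
EVIDENCE_VERSION = "units-v3+rules-v7"  # constructed registry versions
ENTITLEMENTS = {("ml-engineer", "training", "launch"), ("viewer", "training", "read")}  # (role, product, action)
HARD_DENIES = {("org-sanctioned", "training", "launch")}  # (organization, product, action)
LAUNCH_SENSITIVE = {"launch", "scale_up"}  # paths where a missing/stale snapshot fails closed
SNAPSHOT_MAX_AGE = timedelta(minutes=5)
WARN_FRACTION = 0.9

@dataclass(frozen=True)
class Rule:
    scope: str                     # level in SCOPE_ORDER that set this ceiling
    dimension: str
    ceiling: int
    raise_delegated: bool = False  # may this scope exceed the inherited ceiling?

@dataclass
class Request:  # the one input shape every decision is explained from
    actor_id: str
    roles: List[str]
    organization: str
    department: str
    project: str
    product: str
    action: str
    dimension: str                  # registry-backed usage unit
    requested_delta: int
    usage: Optional[int]            # current usage snapshot, None if missing
    snapshot_time: Optional[datetime]
    capacity_available: int         # physical/runtime capacity right now
    correlation_id: str
@dataclass
class Decision:
    verdict: str                    # "allow" | "deny" | "warn"
    reason_code: str
    message: str                    # user-safe, no rule internals
    effective_ceiling: Optional[int] = None
    inherited_scope: Optional[str] = None
    matched_rules: List[str] = field(default_factory=list)
    evidence_version: str = EVIDENCE_VERSION
    correlation_id: str = ""

def effective_ceiling(rules, dimension):
    """Walk broad -> narrow: a lower scope may narrow freely but raises only with delegated authority."""
    ceiling, source, matched = None, None, []
    by_scope = {r.scope: r for r in rules if r.dimension == dimension}
    for scope in SCOPE_ORDER:
        rule = by_scope.get(scope)
        if rule is None:
            continue
        applied = ceiling is None or rule.ceiling <= ceiling or rule.raise_delegated
        if applied:
            ceiling, source = rule.ceiling, scope
        matched.append(f"{scope}:{rule.ceiling}" + ("" if applied else ":ignored-no-delegation"))
    return ceiling, source, matched

def evaluate(req, rules, now):
    """Fixed check order so the reason code names the real cause: unit, entitlement, policy, snapshot, quota, capacity."""
    def deny(code, msg, **ev):
        return Decision("deny", code, msg, correlation_id=req.correlation_id, **ev)
    if req.dimension not in UNIT_REGISTRY:
        return deny("unregistered_unit", "Requested resource unit is not recognized.")
    if not any((r, req.product, req.action) in ENTITLEMENTS for r in req.roles):
        return deny("missing_entitlement", "Your account is not entitled to this action.")
    if (req.organization, req.product, req.action) in HARD_DENIES:
        return deny("policy_deny", "This action is blocked by policy.")
    ceiling, scope, matched = effective_ceiling(rules, req.dimension)
    if ceiling is None:
        return deny("no_ceiling_defined", "No limit is configured for this resource.")
    ev = dict(effective_ceiling=ceiling, inherited_scope=scope, matched_rules=matched)
    stale = req.snapshot_time is None or now - req.snapshot_time > SNAPSHOT_MAX_AGE
    if req.action in LAUNCH_SENSITIVE and (req.usage is None or stale):
        return deny("stale_snapshot", "Usage data is unavailable; try again shortly.", **ev)
    unit, projected = UNIT_REGISTRY[req.dimension], (req.usage or 0) + req.requested_delta
    if projected > ceiling:
        return deny("quota_exhausted", f"This would exceed your limit of {ceiling} {unit}.", **ev)
    if req.requested_delta > req.capacity_available:
        return deny("no_capacity", "No capacity is available right now.", **ev)
    verdict, code = ("warn", "quota_near_ceiling") if projected >= WARN_FRACTION * ceiling else ("allow", "ok")
    return Decision(verdict, code, f"{projected} of {ceiling} {unit} in use after this request.",
                    correlation_id=req.correlation_id, **ev)

# Constructed rules: department tries to raise the org's 8 to 32 without delegation (ignored);
# project narrows to 4; principal raises to 6 with delegated authority.
SAMPLE_RULES = [Rule("global", "compute.gpu_count", 64), Rule("plan", "compute.gpu_count", 16),
                Rule("organization", "compute.gpu_count", 8), Rule("department", "compute.gpu_count", 32),
                Rule("project", "compute.gpu_count", 4), Rule("principal", "compute.gpu_count", 6, True)]
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
STALE_TIME = NOW - 2 * SNAPSHOT_MAX_AGE

def sample_request(**overrides):
    """Constructed launch request: 3 GPUs in use, asking for 2 more; overrides vary one field."""
    base = dict(actor_id="user-1", roles=["ml-engineer"], organization="org-a", department="dept-x",
                project="proj-1", product="training", action="launch", dimension="compute.gpu_count",
                requested_delta=2, usage=3, snapshot_time=NOW - timedelta(minutes=1),
                capacity_available=10, correlation_id="corr-123")
    return Request(**{**base, **overrides})
```

With the constructed rules, `evaluate(sample_request(), SAMPLE_RULES, NOW)` allows the launch against an effective ceiling of 6 inherited from the principal scope, while the department's attempt to lift the organization's 8 to 32 is recorded in `matched_rules` as ignored. Changing one field at a time (`requested_delta=4`, `snapshot_time=None`, `capacity_available=1`, `roles=["viewer"]`) produces `quota_exhausted`, `stale_snapshot`, `no_capacity` and `missing_entitlement` respectively, which is the distinction the page says this service owns; a `read` with no snapshot is still allowed because the fail-closed rule applies only to launch-sensitive paths.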
What Reviewers Should See
| Persona | Required conclusion |
|---|---|
| Product | commercial packaging is not hardcoded into handlers |
| Security | deny and override paths are reviewable and auditable |
| Architecture | policy/quota logic is shared-platform, not duplicated per product |
| Developers | new products must register units/dimensions instead of inventing literals |
Related Pages
- Resource Model and Naming
- Tenant, Billing Unit, Department, and Project Hierarchy
- IAM Capabilities and Boundaries
- Billing, Metering, and Payments Service
Canonical sources