up

docs/security/policy-governance.md

@@ -21,16 +21,14 @@
 | Scope | Description | Recommended role |
 |-------|-------------|------------------|
 | `policy:read` | View policies, revisions, runs, findings. | Readers, auditors. |
-| `policy:write` | Create/edit drafts, run lint/compile. | Authors (SecOps engineers). |
-| `policy:submit` | Move draft → submitted, attach simulations. | Authors with submission rights. |
-| `policy:review` | Comment/approve/request changes (non-final). | Reviewers (peer security, product). |
-| `policy:approve` | Final approval; can archive. | Approval board/security lead. |
-| `policy:activate` | Promote approved version, schedule activation. | Runtime operators / release managers. |
-| `policy:run` | Trigger runs, inspect live status. | Operators, automation bots. |
-| `policy:runs` | Read run history, replay bundles. | Operators, auditors. |
-| `policy:archive` | Retire versions, perform rollbacks. | Approvers, operators. |
+| `policy:author` | Create/edit drafts, lint/compile, quick simulate. | `role/policy-author`. |
+| `policy:review` | Comment, request changes, approve in-progress drafts. | `role/policy-reviewer`. |
+| `policy:approve` | Final approval; archive decisions. | `role/policy-approver`. |
+| `policy:operate` | Promote revisions, trigger runs, manage rollouts. | `role/policy-operator`, automation bots. |
+| `policy:audit` | Access immutable history and evidence bundles. | `role/policy-auditor`, compliance teams. |
 | `policy:simulate` | Execute simulations via API/CLI. | Authors, reviewers, CI. |
-| `policy:operate` | Activate incident mode, toggle sampling. | SRE/on-call. |
+| `policy:run` | Trigger runs, inspect live status. | Operators, automation bots. |
+| `policy:activate` | Promote approved version, schedule activation. | Runtime operators / release managers. |
 | `findings:read` | View effective findings/explain. | Analysts, auditors, CLI. |
 | `effective:write` | **Service only** – materialise findings. | Policy Engine service principal. |