{"id":"azure-governance-hierarchy-dual-enforcement","text":"Azure governance cascades through a single management group hierarchy with two complementary enforcement mechanisms: RBAC grants accumulate additively downward (broader scopes can only widen access), while Policy restrictions tighten subtractively downward (broader scopes can only narrow what resources may exist) — creating an asymmetric funnel where identity permissions expand and resource constraints contract as scope narrows.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"azure-governance-hierarchy-dual-enforcement","truth_value":"IN","reason":"premise"}]}}