Access Control Policies (ACPs) are high-level Policy requirements that specify how Access Control is managed and who, under what circumstances, may access what resources.
Access Control Policy has traditionally been defined in an Application-centric or Organizational-centric bounded Context. With microservices and Zero Trust architectures, a data-centric bounded Context is more appropriate.
While an Access Control Policy can be Application-centric, and thus taken into consideration by the application vendor, Access Control Policies are just as likely to pertain to user actions within the context of an organizational unit or across Organizational-centric boundaries. For instance, an Access Control Policy may pertain to resource usage within or across organizational units, or may be based on need to know, competence, authority, obligation, or conflict-of-interest factors.