Preprint
Article

This version is not peer-reviewed.

Policy-CRDT: Conflict-Free Replicated Data Type with Remove-Wins Strategy for Convergent Access Control in Asynchronous Environments

Submitted: 06 December 2025

Posted: 18 December 2025


Abstract
Modern multi-cloud and edge-cloud systems replicate both data and access control policies across geographically distributed nodes under weak consistency models. In asynchronous environments with possible network partitions, policy updates (additions and revocations of rules, delegation and revocation of privileges) may occur concurrently, causing conflicts and potential privilege escalation when naïve conflict resolution schemes such as last-writer-wins (LWW) or add-wins are used. This paper proposes a formal model of Policy-CRDT, a conflict-free replicated data type (CRDT) for sets of access control policies with a remove-wins strategy, based on the two-phase set (2P-Set) and a join-semilattice structure on replica states. At the CRDT abstraction level, each replica state is represented by a pair of monotonically growing sets of added and revoked policy identifiers, and state merging is defined as a commutative, associative, and idempotent union operator. We show that the proposed data type satisfies the standard Strong Eventual Consistency (SEC) conditions for state-based CRDTs: replica states form a join-semilattice, local updates are monotone, and the merge function computes least upper bounds, which ensures convergence of replicas once they have received the same set of updates. We formally prove that the remove-wins strategy guarantees inevitable suppression of any policy for which at least one revocation exists in the global history, in contrast to LWW and add-wins schemes that can admit dangerous states with excessive permissions. We further propose an architecture for deploying Policy-CRDT in a distributed PDP/PEP infrastructure in the spirit of Zero Trust and NIST SP 800-207/800-207A, and we present an analytical evaluation of convergence latency and the probability of potentially dangerous states compared to alternative strategies. 
The results demonstrate that Policy-CRDT provides formally grounded convergence of access control policies at reasonable overhead and is semantically safe in multi-cloud and edge deployment scenarios.
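The state model the abstract describes, as an added sketch that is not the authors' code: a replica state is a pair of grow-only sets, merge is component-wise union, and a policy is effective only if it was added and never revoked. The class and function names, policy identifiers, timestamps and the simple LWW baseline are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class PolicyState:
    """Replica state: grow-only sets of added and revoked policy identifiers."""
    added: frozenset = frozenset()
    revoked: frozenset = frozenset()

    def add(self, pid):
        return PolicyState(self.added | {pid}, self.revoked)

    def revoke(self, pid):
        return PolicyState(self.added, self.revoked | {pid})

    def merge(self, other):
        # Join (least upper bound): component-wise union, so merge is
        # commutative, associative and idempotent.
        return PolicyState(self.added | other.added, self.revoked | other.revoked)

    def effective(self):
        # Remove-wins: one revocation anywhere in the history suppresses the policy.
        return self.added - self.revoked

def lww_effective(events):
    """Baseline for contrast: last-writer-wins over (timestamp, op, pid) events."""
    latest = {}
    for _ts, op, pid in sorted(events):
        latest[pid] = op
    return frozenset(p for p, op in latest.items() if op == "add")

def converge(replicas):
    """Merge the replica states in every delivery order; return the distinct results."""
    results = set()
    for order in permutations(replicas):
        state = PolicyState()
        for replica in order:
            state = state.merge(replica)
        results.add(state)
    return results

def scenario():
    # Constructed scenario: A revokes a delegation during a partition while B,
    # which has not seen the revocation, re-adds it with a later timestamp.
    base = PolicyState().add("p-delegate-admin")
    a = base.revoke("p-delegate-admin")
    b = base.add("p-delegate-admin").add("p-read")
    events = [(1, "add", "p-delegate-admin"), (10, "revoke", "p-delegate-admin"),
              (12, "add", "p-delegate-admin"), (12, "add", "p-read")]
    return [base, a, b], events
```

Every delivery order reaches the same merged state, in which only `p-read` is effective, while the LWW baseline leaves the revoked delegation active.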
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.


© 2025 MDPI (Basel, Switzerland) unless otherwise stated