How-to

Set up an approval chain rule

Applies to: .NET SDK Last updated: 2026-06-24

Goal

Require that an inbound multi-party message has passed through a specific set of approvers before reaching the final recipient.

How the chain is identified

Every multi-party ciphertext produced by MultiEncryptMessageUsingSharedKeyAsync binds the chain into the envelope's RECEIVER field — semicolon-separated, in the order specified at encrypt time. When the final recipient calls MultiDecryptMessageUsingSharedKeyAsync, the recovered plaintext envelope carries the full chain, so a policy rule can match on it.

Code

// Rule: only accept messages that have been through HR AND Legal
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*",
    Destination: "mp:[hr.acme.com,legal.acme.com]",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

The mp:[...] destination matches inbound multi-party messages whose chain includes all listed parties. Order does not matter and extras are allowed.

Wildcard chains

// Any multi-party chain at all (regardless of who's in it)
await policies.AddPolicyRuleAsync(new PolicyRule(
    "*", "mp:*", "default", "inbound", "allow"));

See also