Rules defining what operations can be performed with a key, by whom, from where, and under what context constraints.