Passports

Controlled Update & Break-Glass

Once a passport is published, its content is captured as an immutable snapshot. However, real-world operations sometimes require corrections — a typo in a material declaration, an updated compliance certification, or a regulatory correction. tieback provides two governance mechanisms for amending published passport data without reissuing the passport.

Why Two Mechanisms?

The two amendment paths serve different operational purposes:

MechanismWhen to useRestrictions
Controlled UpdateRoutine corrections to published passport dataAvailable for published passports only
Break-GlassExceptional amendments requiring justification and auditAvailable for published and revoked passports

Both mechanisms apply changes as controlled overrides — a separate data layer that sits on top of the original snapshot values. The original snapshot is never modified, preserving the full audit trail.

Controlled Update

Controlled Update is the standard path for correcting published passport data.

How It Works

  1. Select a passport (or multiple passports via bulk selection)
  2. Choose the field to update
  3. Provide the new value
  4. Provide a reason for the change
  5. Submit the update

The update is applied immediately. The new value takes effect in the public passport rendering, while the original snapshot value is preserved in the audit record.

Eligible Fields

Only fields that are registered in the governance policy as eligible for controlled update can be amended. The available fields are determined by the DPP Field Catalogue and the brand’s governance configuration.

Scope

  • Available for passports in the published state
  • Can be applied to individual passports or in bulk
  • Requires the passports.controlled_update permission

Break-Glass

Break-Glass is the exceptional amendment path, designed for situations that require an auditable justification — such as regulatory corrections, safety-related updates, or post-revocation amendments.

How It Works

  1. Select a passport (or multiple passports via bulk selection)
  2. Select a reason code from the brand’s configured list of break-glass reasons
  3. Choose the field to update
  4. Provide the new value using the appropriate type-aware input (country selector, date picker, boolean toggle, etc.)
  5. Provide a written justification explaining why this amendment is necessary
  6. Submit the amendment

Reason Codes

Each brand configures its own set of break-glass reason codes in Settings. Reason codes provide structured categorisation of why an exceptional amendment was needed.

Once a reason code has been used in a break-glass amendment, it cannot be deleted — only deactivated. This ensures the historical audit trail remains intact.

Audit Trail

Every break-glass amendment is recorded in an append-only ledger that captures:

  • the passport and field that was amended
  • the old and new values
  • the reason code selected
  • the written justification
  • the actor who applied the amendment
  • the timestamp

This ledger is visible in the passport’s Compliance View tab as part of the unified governance change log.

Scope

  • Available for passports in the published or revoked state
  • Can be applied to individual passports or in bulk
  • Requires the passports.break_glass permission

How Overrides Are Applied

Both Controlled Update and Break-Glass store their changes as controlled overrides on the passport record. When the passport is rendered:

  1. The original snapshot values are loaded
  2. Controlled overrides are merged on top, replacing the original values for amended fields
  3. The consumer sees the corrected values

The Machine Readable (JSON-LD) output also reflects controlled overrides, ensuring that both human-readable and machine-readable representations are consistent.

Viewing Amendment History

All amendments — both Controlled Update and Break-Glass — are visible in the passport’s Compliance View tab. The governance change log presents a unified, chronological timeline showing:

  • amendment type
  • field changed
  • old and new values
  • actor
  • reason / justification
  • timestamp

Product Edits vs Passport Amendments

It is important to understand the distinction:

ActionEffect
Editing a productChanges the product master record. Applies to future mints only. Existing passports are unaffected.
Controlled UpdateCorrects a specific published passport’s data without affecting the product master or other passports.
Break-GlassSame as Controlled Update, but with mandatory justification and available for revoked passports too.

Product edits and passport amendments are independent operations. Editing a product does not update existing passports, and amending a passport does not change the product master.