# Breakglass policy

The policy engine is designed to enforce governance strictly, with no super-admin user capable of single-handedly reconfiguring the system.

A breakglass policy provides an override mechanism that fully complies with the Ripple Custody governance framework, for scenarios where you need to bypass policies, for example:

- A court order requiring the custodian to freeze an account against the will of the client's policies.
- An improper policy deployment locking down the access to certain features of the system with no recourse.
- The loss of some user keys required to complete an approval workflow.


The main objective of a breakglass policy is to force a subdomain to execute an intent, even if doing so bypasses the subdomain's own policies. In scenarios such as those outlined above, a root domain armed with a proper breakglass policy can:

- Force a subdomain to freeze an account.
- Unlock a subdomain that was locked due to an improper policy setup.
- Force the creation of new users or a policy update in a subdomain locked because of lost user keys.


## Characteristics of a breakglass policy

A breakglass policy has the following characteristics:

- Applies to intents submitted in a parent domain with one of its subdomains as the target domain.
- The parent domain has a governing strategy of `CoerceDescendants`. For more information, see [Governing strategy](/products/custody/v1.26/get-started/deployment/system-setup/setup#governing-strategy).
- The parent domain has a policy with scope `Descendants` or `SelfAndDescendants` that matches the intent.


For more information and an example, see [Scope of a policy](/products/custody/v1.26/get-started/design/policies/overview#scope-of-a-policy).

## Recommended setup

The recommended setup for a breakglass policy is as follows:

- The breakglass policy is created in the root domain.
- The root domain can trigger any intent within its subdomains, subject to a strict approval workflow requiring multiple approvals from senior members of the custodian management team.
- The size of the quorum should not be so small that the breakglass policy becomes a concentrated point of compromise, but it should equally be large enough to ensure that the loss of breakglass user keys does not affect the ability to execute an operation.


Given the criticality of a proper breakglass setup, we recommend that you contact Ripple for guidance if you are not sure how to define the proper governance and exception clauses.