# Cedar Policies Production Guide

**Version**: 1.0.0
**Date**: 2025-10-08
**Audience**: Platform Administrators, Security Teams
**Prerequisites**: Understanding of Cedar policy language, Provisioning platform architecture

---

## Table of Contents

1. [Introduction](#introduction)
2. [Cedar Policy Basics](#cedar-policy-basics)
3. [Production Policy Strategy](#production-policy-strategy)
4. [Policy Templates](#policy-templates)
5. [Policy Development Workflow](#policy-development-workflow)
6. [Testing Policies](#testing-policies)
7. [Deployment](#deployment)
8. [Monitoring & Auditing](#monitoring--auditing)
9. [Troubleshooting](#troubleshooting)
10. [Best Practices](#best-practices)

---

## Introduction

Cedar policies control **who can do what** in the Provisioning platform. This guide helps you create, test, and deploy production-ready Cedar policies that balance security with operational efficiency.

### Why Cedar

- **Fine-grained**: Control access at resource + action level
- **Context-aware**: Decisions based on MFA, IP, time, approvals
- **Auditable**: Every decision is logged with policy ID
- **Hot-reload**: Update policies without restarting services
- **Type-safe**: Schema validation prevents errors

---

## Cedar Policy Basics

### Core Concepts

```
permit (
  principal,   // Who (user, team, role)
  action,      // What (create, delete, deploy)
  resource     // Where (server, cluster, environment)
) when {
  condition    // Context (MFA, IP, time)
};
```

### Entities

| Type | Examples | Description |
| ------ | ---------- | ------------- |
| **User** | `User::"alice"` | Individual users |
| **Team** | `Team::"platform-admin"` | User groups |
| **Role** | `Role::"Admin"` | Permission levels |
| **Resource** | `Server::"web-01"` | Infrastructure resources |
| **Environment** | `Environment::"production"` | Deployment targets |

### Actions

| Category | Actions |
| ---------- | --------- |
| **Read** | `read`, `list` |
| **Write** | `create`, `update`, `delete` |
| **Deploy** | `deploy`, `rollback` |
| **Admin** | `ssh`, `execute`, `admin` |

---

## Production Policy Strategy

### Security Levels

#### Level 1: Development (Permissive)

```
// Developers have full access to the development environment
permit (
  principal in Team::"developers",
  action,
  resource in Environment::"development"
);
```

#### Level 2: Staging (MFA Required)

```
// All operations require MFA
permit (
  principal in Team::"developers",
  action,
  resource in Environment::"staging"
) when {
  context.mfa_verified == true
};
```

#### Level 3: Production (MFA + Approval)

```
// Deployments require MFA + approval
permit (
  principal in Team::"platform-admin",
  action in [Action::"deploy", Action::"delete"],
  resource in Environment::"production"
) when {
  context.mfa_verified == true &&
  context has approval_id &&
  // Prefix check: Cedar strings have no startsWith method, use "like" with a wildcard
  context.approval_id like "APPROVAL-*"
};
```

#### Level 4: Critical (Break-Glass Only)

```
// Only emergency access
permit (
  principal,
  action,
  resource in Resource::"production-database"
) when {
  context.emergency_access == true &&
  context.session_approved == true
};
```

---

## Policy Templates

### 1. Role-Based Access Control (RBAC)

```
// Admin: Full access
permit (
  principal in Role::"Admin",
  action,
  resource
);

// Operator: Server management + read clusters
permit (
  principal in Role::"Operator",
  action in [
    Action::"create",
    Action::"update",
    Action::"delete"
  ],
  resource is Server
);

permit (
  principal in Role::"Operator",
  action in [Action::"read", Action::"list"],
  resource is Cluster
);

// Viewer: Read-only everywhere
permit (
  principal in Role::"Viewer",
  action in [Action::"read", Action::"list"],
  resource
);

// Auditor: Read audit logs only
permit (
  principal in Role::"Auditor",
  action in [Action::"read", Action::"list"],
  resource is AuditLog
);
```

### 2. Team-Base
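The Security Levels and RBAC templates above compose under Cedar's rule that any matching `forbid` overrides every matching `permit`: as written, the broad `Role::"Admin"` permit would grant production deploys without MFA or approval. The guard policies below are an added illustration, not part of this guide, and assume the entity and action names used here plus `@id` annotations as the policy IDs that the audit log records.

```cedar
// Added example: forbid guards that keep the Level 3 and Level 4
// requirements in force regardless of which permit matched.
// (Assumes the Environment/Resource/Action names used in this guide.)

// Production writes, deploys and privileged actions require MFA in this session.
@id("prod-require-mfa")
forbid (
  principal,
  action in [Action::"create", Action::"update", Action::"delete",
             Action::"deploy", Action::"rollback",
             Action::"ssh", Action::"execute"],
  resource in Environment::"production"
) unless {
  context has mfa_verified && context.mfa_verified == true
};

// Production deploys and deletes additionally require a well-formed approval id.
@id("prod-require-approval")
forbid (
  principal,
  action in [Action::"deploy", Action::"delete"],
  resource in Environment::"production"
) unless {
  context has approval_id && context.approval_id like "APPROVAL-*"
};

// The production database is reachable only through an approved break-glass session.
@id("prod-db-break-glass-only")
forbid (
  principal,
  action,
  resource in Resource::"production-database"
) unless {
  context has emergency_access && context.emergency_access == true &&
  context has session_approved && context.session_approved == true
};
```

Because each guard uses `context has` before reading the attribute, a request that omits the context field is denied rather than failing evaluation, and the `@id` value identifies which guard produced the denial in the audit log.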