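// Administrative Authorization Policies
// Super-user permissions and emergency access
//
// Evaluation model this file relies on (Cedar): every `permit` whose scope and
// conditions match grants the request; any matching `forbid` overrides every
// permit; a request matched by no policy is denied. A policy whose condition
// raises an evaluation error (for example reading a context attribute that is
// absent) does not match at all, so every attribute the schema does not
// guarantee is guarded with `has` below. This matters most for `forbid`
// policies: an erroring forbid silently stops forbidding.

// ============================================================================
// PLATFORM ADMIN POLICIES
// ============================================================================

// Platform admins have full access to all environments. They are also the
// only principals exempt from the MFA forbid ("admin-action-mfa" below).
@id("admin-full-access")
@description("Platform admins have unrestricted access")
permit (
  principal in Provisioning::Team::"platform-admin",
  action,
  resource
);

// ============================================================================
// EMERGENCY ACCESS POLICIES
// ============================================================================

// Emergency access keyed on an approval id carrying the "EMERGENCY-" prefix.
// Cedar strings have no startsWith method; `like` with a trailing `*`
// wildcard performs the prefix test. Only the prefix is checked here — the PEP
// must verify that the approval id is genuine before placing it in `context`.
// Note that platform-admin is already fully permitted and SRE is already
// permitted deploy/rollback (sre-elevated-access) plus update/delete with any
// non-empty approval id, so this policy widens nothing; it exists so that
// emergency use is attributable to this policy id in the decision diagnostics.
// There is no time-based `forbid` in this file, so there is no time
// restriction for it to bypass despite the description.
@id("emergency-access")
@description("Emergency approval bypasses time restrictions")
permit (
  principal,
  action in [
    Provisioning::Action::"deploy",
    Provisioning::Action::"delete",
    Provisioning::Action::"rollback",
    Provisioning::Action::"update"
  ],
  resource
)
when {
  // A set on the right of `in` is only allowed in a condition, not in the scope.
  principal in [Provisioning::Team::"platform-admin", Provisioning::Team::"sre"] &&
  context has approval_id &&
  context.approval_id like "EMERGENCY-*"
};

// ============================================================================
// AUDIT AND COMPLIANCE POLICIES
// ============================================================================

// Audit team can view every resource.
@id("audit-access")
@description("Audit team can view all resources")
permit (
  principal in Provisioning::Team::"audit",
  action in [
    Provisioning::Action::"read",
    Provisioning::Action::"list",
    Provisioning::Action::"monitor"
  ],
  resource
);

// Audit team never modifies anything. Deny-by-default would already block
// these actions, but "workspace-owner-access" below permits create/delete/
// update to any principal who owns a workspace; this forbid keeps audit
// members read-only even for workspaces they own.
@id("audit-no-modify")
@description("Audit team cannot modify resources")
forbid (
  principal in Provisioning::Team::"audit",
  action in [
    Provisioning::Action::"create",
    Provisioning::Action::"delete",
    Provisioning::Action::"update",
    Provisioning::Action::"deploy",
    Provisioning::Action::"rollback",
    Provisioning::Action::"admin"
  ],
  resource
);

// ============================================================================
// SRE TEAM POLICIES
// ============================================================================

// SRE team has elevated access but not admin. The scope is not limited to an
// environment, so deploy/rollback/ssh apply to production as well.
@id("sre-elevated-access")
@description("SRE team has elevated permissions")
permit (
  principal in Provisioning::Team::"sre",
  action in [
    Provisioning::Action::"read",
    Provisioning::Action::"list",
    Provisioning::Action::"monitor",
    Provisioning::Action::"ssh",
    Provisioning::Action::"deploy",
    Provisioning::Action::"rollback"
  ],
  resource
);

// SRE updates require an approval id. The policy only checks that the id is
// present and non-empty; it cannot verify the approval itself, so the PEP must
// validate approval_id against the approval system before adding it to context.
@id("sre-update-approval")
@description("SRE updates require approval")
permit (
  principal in Provisioning::Team::"sre",
  action == Provisioning::Action::"update",
  resource
)
when {
  context has approval_id &&
  context.approval_id != ""
};

// SRE deletions require an approval id (same caveat as "sre-update-approval").
@id("sre-delete-restricted")
@description("SRE deletions require approval")
permit (
  principal in Provisioning::Team::"sre",
  action == Provisioning::Action::"delete",
  resource
)
when {
  context has approval_id &&
  context.approval_id != ""
};

// ============================================================================
// SECURITY TEAM POLICIES
// ============================================================================

// Security team has read access to everything.
@id("security-read-all")
@description("Security team can view all resources")
permit (
  principal in Provisioning::Team::"security",
  action in [
    Provisioning::Action::"read",
    Provisioning::Action::"list",
    Provisioning::Action::"monitor"
  ],
  resource
);

// Security team can lock down resources. The "admin" action is also subject to
// "admin-action-mfa", so a lockdown by the security team requires MFA.
@id("security-lockdown")
@description("Security team can perform emergency lockdowns")
permit (
  principal in Provisioning::Team::"security",
  action == Provisioning::Action::"admin",
  resource
)
when {
  context has operation &&
  context.operation == "lockdown"
};

// ============================================================================
// CROSS-ENVIRONMENT POLICIES
// ============================================================================

// Admin operations require MFA for everyone except platform-admin.
// The attribute is read only behind a `has` guard: a bare
// `context.mfa_verified != true` raises an evaluation error when the attribute
// is absent, and an erroring forbid does not apply — a request that simply
// omitted mfa_verified would not have been denied by this policy. With the
// guard, absent, non-boolean and false values are all treated as "not verified".
@id("admin-action-mfa")
@description("Admin actions require MFA verification")
forbid (
  principal,
  action == Provisioning::Action::"admin",
  resource
)
when {
  !(context has mfa_verified && context.mfa_verified == true)
}
unless {
  principal in Provisioning::Team::"platform-admin"
};

// ============================================================================
// WORKSPACE OWNERSHIP POLICIES
// ============================================================================

// Workspace owners have full control over their workspaces, in any
// environment. `resource.workspace.owner` is read behind `resource has
// workspace`; if the workspace entity carries no `owner` attribute the
// condition errors and this permit simply does not apply (the safe direction
// for a permit).
@id("workspace-owner-access")
@description("Workspace owners control their resources")
permit (
  principal,
  action in [
    Provisioning::Action::"create",
    Provisioning::Action::"delete",
    Provisioning::Action::"update",
    Provisioning::Action::"read",
    Provisioning::Action::"list"
  ],
  resource
)
when {
  resource has workspace &&
  resource.workspace.owner == principal
};

// ============================================================================
// TIME-BASED RESTRICTIONS
// ============================================================================

// Maintenance window for critical production operations: hour >= 22 or
// hour <= 6 UTC, i.e. 22:00–06:59. Cedar strings have no split/index methods,
// so the time of day is derived with the datetime extension (Cedar 4.2+):
// datetime(context.time) parses the timestamp and toTime() yields the duration
// since midnight UTC. context.time must therefore be an RFC 3339 timestamp
// such as "2025-01-15T23:30:00Z" (constructed example); an absent or
// unparsable value means this permit does not apply.
// For platform-admin this adds nothing; for SRE it is the only path to
// `update` production without an approval id, which is the intent of the window.
@id("maintenance-window")
@description("Critical operations allowed during maintenance window")
permit (
  principal,
  action in [
    Provisioning::Action::"update",
    Provisioning::Action::"deploy"
  ],
  resource in Provisioning::Environment::"production"
)
when {
  principal in [Provisioning::Team::"platform-admin", Provisioning::Team::"sre"] &&
  context has time &&
  (datetime(context.time).toTime() >= duration("22h") ||
   datetime(context.time).toTime() < duration("7h"))
};

// ============================================================================
// RATE LIMITING
// ============================================================================
// Cedar cannot count requests; rate limiting is enforced by middleware, which
// can key its limits on the policy ids reported in the decision diagnostics.
// The previous form of this policy was a `permit` with `when { true }`, which
// granted delete/admin on production to every principal — a permit is never a
// hint. It is now a `forbid` that fires only when the middleware reports the
// limit as exceeded, so it is a no-op until the middleware sets the attribute
// and can never widen access.
// NOTE(review): `rate_limit_exceeded` is a proposed context attribute name —
// align it with the middleware and the schema.
@id("rate-limit-critical")
@description("Deny critical production operations once the rate limit is exceeded")
forbid (
  principal,
  action in [
    Provisioning::Action::"delete",
    Provisioning::Action::"admin"
  ],
  resource in Provisioning::Environment::"production"
)
when {
  context has rate_limit_exceeded &&
  context.rate_limit_exceeded == true
};

// ============================================================================
// DEFAULT DENY
// ============================================================================
// Cedar is deny-by-default: any request not matched by a permit above (or
// matched by any forbid) is denied. No explicit policy is needed.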