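// Cedar Authorization Schema for Provisioning Platform
// Defines entities, actions, and their relationships
//
// Trust note: every context value below (mfa_verified, ip_address, time,
// approval_id, ...) is supplied by the application that calls the authorizer,
// and Cedar evaluates it as given. These values must be derived server-side
// from the authenticated session and request metadata, never copied from
// client-controlled fields.

// ============================================================================
// NAMESPACES
// ============================================================================

namespace Provisioning {

  // ==========================================================================
  // ENTITY TYPES
  // ==========================================================================
  //
  // Parent types are declared with `in [...]` on each entity; this is what lets
  // policies write `principal in Team::"..."` or `resource in Workspace::"..."`.
  //
  // Classification labels (principal / resource / sensitive) are kept as
  // comments: Cedar's `tags` clause declares the type of entity tag values,
  // not a list of labels.

  // User entity represents authenticated principals
  // classification: principal
  // A User may be a member of one or more Teams.
  entity User in [Team] = {
    "email": String,
    "username": String,
    "mfa_enabled": Bool,
    "created_at": String,
  };

  // Team entity represents groups of users
  // classification: principal
  entity Team = {
    "name": String,
    "description": String,
    "created_at": String,
  };

  // Environment entity represents deployment environments
  // classification: resource
  entity Environment = {
    "name": String,
    // "development", "staging", "production"
    // NOTE(review): tier is a free-form String, so the validator cannot catch
    // a misspelled tier in a policy comparison.
    "tier": String,
    "requires_approval": Bool,
    "requires_mfa": Bool,
  };

  // Workspace entity represents logical isolation boundaries
  // classification: resource
  entity Workspace in [Environment] = {
    "name": String,
    "owner": User,
    "environment": Environment,
    "created_at": String,
  };

  // Server entity represents compute instances
  // classification: resource
  // NOTE(review): the workspace/environment attributes and the `in [...]`
  // parents express the same relationship twice; presumably the entity store
  // keeps them consistent. Confirm, since policies may rely on either.
  entity Server in [Workspace, Environment] = {
    "hostname": String,
    "provider": String,
    "workspace": Workspace,
    "environment": Environment,
    "status": String,
  };

  // Taskserv entity represents infrastructure services
  // classification: resource
  entity Taskserv in [Workspace, Environment] = {
    "name": String,
    "category": String,
    "version": String,
    "workspace": Workspace,
    "environment": Environment,
  };

  // Cluster entity represents multi-node deployments
  // classification: resource
  entity Cluster in [Workspace, Environment] = {
    "name": String,
    "type": String,
    "workspace": Workspace,
    "environment": Environment,
    "node_count": Long,
  };

  // Workflow entity represents orchestrated operations
  // classification: resource
  entity Workflow in [Workspace, Environment] = {
    "workflow_id": String,
    "workflow_type": String,
    "workspace": Workspace,
    "environment": Environment,
    "status": String,
  };

  // Secret entity represents stored secrets (DB credentials, API keys, SSH keys, etc.)
  // classification: resource, sensitive
  // Only metadata is modelled here; no secret value appears in the schema.
  entity Secret in [Workspace] = {
    "secret_id": String,
    // "database", "application", "ssh", "provider"
    "secret_type": String,
    "workspace": Workspace,
    // "postgres", "redis", "web-api", "ssh", etc.
    "domain": String,
    "ttl_hours": Long,
    "auto_rotate": Bool,
    "created_by": User,
    // NOTE(review): is_expired is a stored attribute, so a decision is only as
    // fresh as the entity data passed to the authorizer. Confirm how it is
    // refreshed.
    "is_expired": Bool,
    // Set needs an element type; String is assumed here. TODO confirm.
    "tags": Set<String>,
  };

  // ==========================================================================
  // ACTION TYPES
  // ==========================================================================
  //
  // A `?` after an attribute name marks it optional. Policies must guard an
  // optional attribute with `context has <name>` before reading it.
  //
  // NOTE(review): ip_address and time are plain Strings, which policies can
  // only compare by equality or `like`. Range checks on addresses would need
  // the `ipaddr` extension type; changing the type affects every caller, so it
  // is only flagged here.

  // Resource lifecycle actions
  action create appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "reason"?: String,
    }
  };

  action delete appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "force": Bool,
    }
  };

  action update appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "changes": String,
    }
  };

  // Read operations
  action read appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "ip_address": String,
      "time": String,
    }
  };

  action list appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "ip_address": String,
      "time": String,
    }
  };

  // Deployment actions
  action deploy appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "deployment_config": String,
    }
  };

  action rollback appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "target_version": String,
    }
  };

  // Administrative actions
  action admin appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "operation": String,
    }
  };

  // SSH and access actions
  // NOTE(review): unlike the other state-changing actions, ssh carries no
  // mfa_verified in its context, so a policy cannot condition SSH access on
  // MFA (for example for an Environment with requires_mfa set). Confirm this
  // is intended.
  action ssh appliesTo {
    principal: [User, Team],
    resource: [Server],
    context: {
      "ip_address": String,
      "time": String,
      "ssh_key_fingerprint": String,
    }
  };

  // Workflow execution actions
  action execute appliesTo {
    principal: [User, Team],
    resource: [Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "workflow_params": String,
    }
  };

  action monitor appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workflow],
    context: {
      "ip_address": String,
      "time": String,
    }
  };

  // Secret-specific actions
  // secret_type and domain also exist as attributes on Secret. Policies should
  // compare against the resource attributes, because context is
  // caller-supplied.
  action access appliesTo {
    principal: [User, Team],
    resource: [Secret],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "secret_type": String,
      "domain": String,
    }
  };

  action rotate appliesTo {
    principal: [User, Team],
    resource: [Secret],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "reason"?: String,
    }
  };

  action renew appliesTo {
    principal: [User, Team],
    resource: [Secret],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
    }
  };

  // ==========================================================================
  // ENTITY RELATIONSHIPS
  // ==========================================================================
  //
  // Membership is declared on the entity types above via `in [...]`:
  //
  //   User      in [Team]
  //   Server    in [Workspace, Environment]
  //   Taskserv  in [Workspace, Environment]
  //   Cluster   in [Workspace, Environment]
  //   Workflow  in [Workspace, Environment]
  //   Secret    in [Workspace]
  //   Workspace in [Environment]
}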