prvng_platform/control-center/policies/require-mfa.cedar

// Multi-Factor Authentication Policy
// Requires MFA for access to sensitive resources
// Compliance: SOC2 Type II, ISO 27001

// Allow access to sensitive resources only with MFA enabled
permit(
    principal,
    action == Action::"access",
    resource
) when {
    resource has classification &&
    resource.classification in ["sensitive", "confidential"] &&
    principal has mfa_enabled &&
    principal.mfa_enabled == true &&
    principal has mfa_last_verified &&
    principal.mfa_last_verified > (context.time.timestamp - 3600) // MFA verified within last hour
};

// Allow access to non-sensitive resources without MFA requirement
permit(
    principal,
    action == Action::"access",
    resource
) when {
    !(resource has classification) ||
    resource.classification in ["public", "internal"]
};

// Explicit deny for sensitive access without MFA
forbid(
    principal,
    action == Action::"access",
    resource
) when {
    resource has classification &&
    resource.classification in ["sensitive", "confidential"] &&
    (
        !(principal has mfa_enabled) ||
        principal.mfa_enabled == false ||
        !(principal has mfa_last_verified) ||
        principal.mfa_last_verified <= (context.time.timestamp - 3600)
    )
};

// Special exemption for service accounts with proper justification
permit(
    principal,
    action == Action::"access",
    resource
) when {
    principal has account_type &&
    principal.account_type == "service" &&
    principal has mfa_exemption &&
    principal.mfa_exemption.approved == true &&
    principal.mfa_exemption.expires_at > context.time.timestamp &&
    principal.mfa_exemption.justification != ""
};
core: init repo and codebase 2025-10-07 10:59:52 +01:00			`// Multi-Factor Authentication Policy`
			`// Requires MFA for access to sensitive resources`
			`// Compliance: SOC2 Type II, ISO 27001`

			`// Allow access to sensitive resources only with MFA enabled`
			`permit(`
			`principal,`
			`action == Action::"access",`
			`resource`
			`) when {`
			`resource has classification &&`
			`resource.classification in ["sensitive", "confidential"] &&`
			`principal has mfa_enabled &&`
			`principal.mfa_enabled == true &&`
			`principal has mfa_last_verified &&`
			`principal.mfa_last_verified > (context.time.timestamp - 3600) // MFA verified within last hour`
			`};`

			`// Allow access to non-sensitive resources without MFA requirement`
			`permit(`
			`principal,`
			`action == Action::"access",`
			`resource`
			`) when {`
			`!(resource has classification) \|\|`
			`resource.classification in ["public", "internal"]`
			`};`

			`// Explicit deny for sensitive access without MFA`
			`forbid(`
			`principal,`
			`action == Action::"access",`
			`resource`
			`) when {`
			`resource has classification &&`
			`resource.classification in ["sensitive", "confidential"] &&`
			`(`
			`!(principal has mfa_enabled) \|\|`
			`principal.mfa_enabled == false \|\|`
			`!(principal has mfa_last_verified) \|\|`
			`principal.mfa_last_verified <= (context.time.timestamp - 3600)`
			`)`
			`};`

			`// Special exemption for service accounts with proper justification`
			`permit(`
			`principal,`
			`action == Action::"access",`
			`resource`
			`) when {`
			`principal has account_type &&`
			`principal.account_type == "service" &&`
			`principal has mfa_exemption &&`
			`principal.mfa_exemption.approved == true &&`
			`principal.mfa_exemption.expires_at > context.time.timestamp &&`
			`principal.mfa_exemption.justification != ""`
			`};`