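// Data Classification and Access Control Policy
// Controls access based on data sensitivity levels and user clearance
// Compliance: Data Protection, Information Security Classification
//
// Cedar evaluation notes that shape how these policies are written:
//  * A request is allowed only if at least one `permit` matches and no `forbid`
//    matches. A policy that raises an evaluation error (missing attribute,
//    type mismatch) is treated as NOT matching. For a `permit` that fails
//    closed; for a `forbid` it fails OPEN (the forbid silently disappears), so
//    every attribute a `forbid` reads is guarded with `has` and the decisive
//    checks are arranged so that a missing attribute still results in a deny.
//  * `in` is the entity-hierarchy operator. Set membership is `.contains()`.
//    Writing `"secret" in ["secret", ...]` is a type error, which (per the
//    point above) silently disables a permit and, worse, silently disables a
//    forbid.
//  * Annotations such as `@audit("...")` carry no authorization meaning. They
//    are metadata on the policy, and the application is expected to map the
//    policy IDs in the decision diagnostics back to them when writing audit
//    records. They must never be attached to a catch-all `permit`.

// Public data - readable/listable by any authenticated principal
permit(
    principal,
    action in [Action::"read", Action::"list"],
    resource
)
when {
    resource has classification &&
    resource.classification == "public" &&
    principal has authentication_status &&
    principal.authentication_status == "authenticated"
};

// Internal data - employees and contractors who have completed security training
// (all actions; narrow `action` here if internal data should not be mutable by default)
permit(
    principal,
    action,
    resource
)
when {
    resource has classification &&
    resource.classification == "internal" &&
    principal has employment_status &&
    ["employee", "contractor"].contains(principal.employment_status) &&
    principal has security_training &&
    principal.security_training.completed == true
};

// Confidential data - clearance plus need-to-know for the resource's data category
@audit("classified")
permit(
    principal,
    action,
    resource
)
when {
    resource has classification &&
    resource.classification == "confidential" &&
    principal has clearance_level &&
    ["confidential", "secret", "top_secret"].contains(principal.clearance_level) &&
    // Need-to-know: the resource's category must be in the principal's cleared set
    resource has data_category &&
    principal has need_to_know &&
    principal.need_to_know.categories.contains(resource.data_category) &&
    principal has data_handling_training &&
    principal.data_handling_training.confidential_level == true
};

// Secret data - high-level clearance and a current, extensive background check
@audit("classified")
permit(
    principal,
    action,
    resource
)
when {
    resource has classification &&
    resource.classification == "secret" &&
    principal has clearance_level &&
    ["secret", "top_secret"].contains(principal.clearance_level) &&
    principal has background_check &&
    principal.background_check.level == "extensive" &&
    // Without a request timestamp the validity window cannot be checked -> deny
    context has time &&
    principal.background_check.valid_until > context.time.timestamp
};

// Top Secret data - maximum clearance, TS approval, current polygraph, unexpired clearance
@audit("classified")
permit(
    principal,
    action,
    resource
)
when {
    resource has classification &&
    resource.classification == "top_secret" &&
    principal has clearance_level &&
    principal.clearance_level == "top_secret" &&
    principal has security_clearance &&
    principal.security_clearance.ts_approved == true &&
    principal.security_clearance.polygraph_current == true &&
    context has time &&
    principal.security_clearance.valid_until > context.time.timestamp
};

// Personally Identifiable Information (PII) access
@audit("pii")
permit(
    principal,
    action,
    resource
)
when {
    resource has data_type &&
    resource.data_type == "pii" &&
    principal has pii_authorization &&
    principal.pii_authorization.granted == true &&
    principal has privacy_training &&
    principal.privacy_training.completed == true &&
    context has time &&
    principal.privacy_training.expires_at > context.time.timestamp &&
    // Purpose limitation - the resource's declared purpose must be one the
    // principal is authorized for
    resource has data_purpose &&
    principal.pii_authorization.authorized_purposes.contains(resource.data_purpose)
};

// Protected Health Information (PHI) access
@audit("phi")
permit(
    principal,
    action,
    resource
)
when {
    resource has data_type &&
    resource.data_type == "phi" &&
    principal has hipaa_authorization &&
    principal.hipaa_authorization.valid == true &&
    principal has medical_data_training &&
    principal.medical_data_training.current == true &&
    // Minimum necessary standard - only patients explicitly on the principal's list
    principal.hipaa_authorization.minimum_necessary == true &&
    resource has patient_id &&
    principal.hipaa_authorization.authorized_patients.contains(resource.patient_id)
};

// Financial data access controls
//
// Segregation of duties: a FinancialAnalyst may not create/modify/approve a
// resource that requires dual control unless a second, different approver has
// signed off. The SoD clause is parenthesized as a whole so it is conjoined with
// the authorization and SOX-training checks above it. In the previous form the
// trailing `||` branch stood on its own (`&&` binds tighter than `||`) and
// granted access to any resource flagged requires_dual_control with no
// financial authorization, training or data_type check at all.
@audit("financial")
permit(
    principal,
    action,
    resource
)
when {
    resource has data_type &&
    resource.data_type == "financial" &&
    principal has financial_data_access &&
    principal.financial_data_access.authorized == true &&
    principal has sox_training &&
    principal.sox_training.completed == true &&
    (
        // Not a dual-control mutation by an analyst. `principal.role` and
        // `resource.requires_dual_control` are deliberately read without `has`:
        // reaching them with the attribute absent errors this permit, i.e. denies,
        // which is the fail-closed outcome wanted for a mutation of financial data.
        !(
            action in [Action::"create", Action::"modify", Action::"approve"] &&
            principal.role == "FinancialAnalyst" &&
            resource.requires_dual_control == true
        ) ||
        // ... or the mutation carries a second approval from someone else.
        // NOTE(review): Cedar does not expose an entity's UID as `.id`; `principal.id`
        // must be a schema attribute. If second_approver is an entity reference,
        // compare `!= principal` directly instead.
        (
            resource.requires_dual_control == true &&
            principal has dual_control_approval &&
            principal.dual_control_approval.second_approver != principal.id
        )
    )
};

// Intellectual property access - category authorization under an unexpired NDA
@audit("intellectual_property")
permit(
    principal,
    action,
    resource
)
when {
    resource has data_type &&
    resource.data_type == "intellectual_property" &&
    resource has ip_classification &&
    principal has ip_access &&
    principal.ip_access.authorized_categories.contains(resource.ip_classification) &&
    principal has nda_signed &&
    principal.nda_signed.valid == true &&
    context has time &&
    principal.nda_signed.expires_at > context.time.timestamp
};

// Data subject rights (GDPR) - a freshly verified data subject may exercise
// rights over their own personal data
permit(
    principal,
    action in [Action::"access", Action::"rectify", Action::"erase", Action::"port"],
    resource
)
when {
    resource has data_type &&
    resource.data_type == "personal_data" &&
    resource has data_subject &&
    // NOTE(review): as above, `.id` must be a schema attribute on both sides; if
    // data_subject is an entity reference, `principal == resource.data_subject`
    // is the direct form.
    principal.id == resource.data_subject.id &&
    principal has identity_verified &&
    context has time &&
    // Identity verification must be recent: within the last hour (3600 s)
    principal.identity_verified.timestamp > (context.time.timestamp - 3600)
};

// Data retention policy enforcement
//
// Written to fail closed: a forbid that errors is ignored by Cedar, so a
// resource with a retention_period but no created_at, or a request with no
// context.time, previously slipped past this rule. Here such records are
// treated as expired. Note that the mere presence of `data_retention_override`
// on the principal exempts them; its value is not inspected.
forbid(
    principal,
    action in [Action::"read", Action::"modify"],
    resource
)
when {
    resource has retention_period &&
    !(principal has data_retention_override) &&
    !(resource has legal_hold && resource.legal_hold.active == true) &&
    (
        !(resource has created_at) ||
        !(context has time) ||
        // retention_period is in days; convert to seconds
        resource.created_at < (context.time.timestamp - (resource.retention_period * 86400))
    )
};

// Export control restrictions
forbid(
    principal,
    action in [Action::"export", Action::"download", Action::"transfer"],
    resource
)
when {
    resource has export_controlled &&
    resource.export_controlled == true &&
    (
        !(principal has export_license) ||
        principal.export_license.valid == false ||
        // No request timestamp -> license expiry cannot be checked -> block
        !(context has time) ||
        principal.export_license.expires_at <= context.time.timestamp ||
        // Geo restriction: a request from a restricted country is blocked even
        // with a valid license. Set membership is `.contains()`; with `in` this
        // was a type error that silently disabled the whole forbid for every
        // licensed principal. A request with no `context.geo` is not blocked by
        // this branch - tighten to `!(context has geo) ||` if origin must be known.
        (
            context has geo &&
            resource has restricted_countries &&
            resource.restricted_countries.contains(context.geo.country)
        )
    )
};

// Auditing
//
// The former `@audit(true) permit(principal, action, resource) when { ...sensitive... }`
// policy has been removed. An annotation does not change what a policy does:
// that statement was an unconditional grant of every action to every principal
// on every confidential/secret/top_secret/PII/PHI/financial/IP resource, which
// would have bypassed every clearance, training and need-to-know check above
// (Cedar allows when any permit matches). Audit logging belongs in the calling
// application, keyed on the `@audit("...")` annotations carried by the
// sensitive-data permits above.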