prvng_platform/control-center/policies/data-classification.cedar

// Data Classification and Access Control Policy
// Controls access based on data sensitivity levels and user clearance
// Compliance: Data Protection, Information Security Classification
// Public data: readable and listable by any authenticated principal.
// No clearance, training or need-to-know attributes are consulted here.
permit(
  principal,
  action in [Action::"read", Action::"list"],
  resource
) when {
  // Principal check first so an unauthenticated caller is rejected before the
  // resource attributes are examined.
  principal has authentication_status &&
  principal.authentication_status == "authenticated" &&
  resource has classification &&
  resource.classification == "public"
};
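// Internal data: employees and contractors who have completed security
// training. The action slot is unconstrained, so every action is granted at
// this level; narrow it if that was not intended.
permit(
  principal,
  action,
  resource
) when {
  resource has classification &&
  resource.classification == "internal" &&
  principal has employment_status &&
  // Value set membership is `.contains()`. Cedar's `in` operator is entity
  // hierarchy membership and is an evaluation error on a string attribute,
  // which would have made this permit never match.
  ["employee", "contractor"].contains(principal.employment_status) &&
  principal has security_training &&
  principal.security_training.completed == true
};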
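// Confidential data: clearance at confidential or above, need-to-know for the
// resource's data category, and confidential-level handling training.
// The annotation marks the grant for audit logging by the enforcement point;
// Cedar annotation values must be string literals.
//
// NOTE(review): unlike the secret and top_secret grants, no expiry is checked
// on the clearance here; confirm whether the clearance carries a validity date
// that should be enforced.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has classification &&
  resource.classification == "confidential" &&
  principal has clearance_level &&
  // `.contains()` rather than `in`: `in` is Cedar's entity hierarchy operator
  // and errors on string values.
  ["confidential", "secret", "top_secret"].contains(principal.clearance_level) &&
  // Need-to-know: the resource must declare a category and it must be one the
  // principal is authorised for. A missing data_category is an explicit deny
  // rather than an evaluation error.
  resource has data_category &&
  principal has need_to_know &&
  principal.need_to_know.categories.contains(resource.data_category) &&
  principal has data_handling_training &&
  principal.data_handling_training.confidential_level == true
};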
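// Secret data: clearance at secret or above plus an extensive, unexpired
// background check. Marked for audit logging by the enforcement point.
//
// NOTE(review): no need-to-know category check applies at this level, unlike
// the confidential grant; confirm that is intended.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has classification &&
  resource.classification == "secret" &&
  principal has clearance_level &&
  // `.contains()` rather than `in`: `in` is Cedar's entity hierarchy operator
  // and errors on string values.
  ["secret", "top_secret"].contains(principal.clearance_level) &&
  principal has background_check &&
  principal.background_check.level == "extensive" &&
  // Expiry is compared against the request time; a request that carries no
  // time context is denied explicitly instead of via an evaluation error.
  context has time &&
  principal.background_check.valid_until > context.time.timestamp
};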
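// Top Secret data: top_secret clearance with TS approval, a current polygraph
// and an unexpired security clearance. Marked for audit logging by the
// enforcement point.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has classification &&
  resource.classification == "top_secret" &&
  principal has clearance_level &&
  principal.clearance_level == "top_secret" &&
  principal has security_clearance &&
  principal.security_clearance.ts_approved == true &&
  principal.security_clearance.polygraph_current == true &&
  // A request without a time context cannot prove the clearance is current
  // and is denied explicitly.
  context has time &&
  principal.security_clearance.valid_until > context.time.timestamp
};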
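// Personally Identifiable Information (PII): a granted PII authorisation,
// current privacy training, and purpose limitation (the resource's declared
// purpose must be one the principal is authorised for). Marked for audit
// logging by the enforcement point.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has data_type &&
  resource.data_type == "pii" &&
  principal has pii_authorization &&
  principal.pii_authorization.granted == true &&
  principal has privacy_training &&
  principal.privacy_training.completed == true &&
  // Training expiry needs the request time; deny explicitly when absent.
  context has time &&
  principal.privacy_training.expires_at > context.time.timestamp &&
  // Purpose limitation. A resource with no declared purpose is denied rather
  // than producing an evaluation error. `.contains()` is value membership;
  // Cedar's `in` is entity hierarchy membership and errors on strings.
  resource has data_purpose &&
  principal.pii_authorization.authorized_purposes.contains(resource.data_purpose)
};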
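// Protected Health Information (PHI): a valid HIPAA authorisation, current
// medical-data training, the minimum-necessary flag, and a patient list that
// includes the record's patient. Marked for audit logging by the enforcement
// point.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has data_type &&
  resource.data_type == "phi" &&
  principal has hipaa_authorization &&
  principal.hipaa_authorization.valid == true &&
  principal has medical_data_training &&
  principal.medical_data_training.current == true &&
  // Minimum necessary standard
  principal.hipaa_authorization.minimum_necessary == true &&
  // A record with no patient_id is denied rather than erroring. `.contains()`
  // is value membership; Cedar's `in` is entity hierarchy membership.
  resource has patient_id &&
  principal.hipaa_authorization.authorized_patients.contains(resource.patient_id)
};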
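// Financial data access controls (SOX).
//
// Segregation of duties: a FinancialAnalyst may not create, modify or approve
// a dual-control resource alone; such an action needs a second approver who is
// not the requesting principal.
//
// The previous form of this condition was `... && !(SoD clause) || (dual
// control clause)`; `&&` binds tighter than `||`, so the dual-control clause
// stood on its own and granted any principal with a dual_control_approval
// attribute access to any resource with requires_dual_control == true,
// regardless of data type, authorisation or training. The alternative is now
// parenthesised inside the financial-data conjunction.
//
// NOTE(review): the second-approver check only verifies the approver is not
// the requester; it is not tied to this resource or action. Confirm whether
// the approval record identifies what was approved.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has data_type &&
  resource.data_type == "financial" &&
  principal has financial_data_access &&
  principal.financial_data_access.authorized == true &&
  principal has sox_training &&
  principal.sox_training.completed == true &&
  (
    // No dual-control requirement on this resource (absent attribute is
    // treated as not required), or the action is not a controlled mutation:
    // segregation of duties does not apply.
    !(resource has requires_dual_control && resource.requires_dual_control == true) ||
    !(action in [Action::"create", Action::"modify", Action::"approve"]) ||
    // A controlled mutation may proceed alone only for a principal whose role
    // is known and is not FinancialAnalyst (an unknown role is restricted)...
    (principal has role && principal.role != "FinancialAnalyst") ||
    // ...or when a second approver other than the requester is on record.
    (
      principal has dual_control_approval &&
      principal.dual_control_approval.second_approver != principal.id
    )
  )
};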
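// Intellectual property: the resource's IP classification must be one the
// principal is authorised for, under a valid, unexpired NDA. Marked for audit
// logging by the enforcement point.
@audit("true")
permit(
  principal,
  action,
  resource
) when {
  resource has data_type &&
  resource.data_type == "intellectual_property" &&
  resource has ip_classification &&
  principal has ip_access &&
  // `.contains()` is value membership; Cedar's `in` is entity hierarchy
  // membership and errors on string values.
  principal.ip_access.authorized_categories.contains(resource.ip_classification) &&
  principal has nda_signed &&
  principal.nda_signed.valid == true &&
  // NDA expiry needs the request time; deny explicitly when absent.
  context has time &&
  principal.nda_signed.expires_at > context.time.timestamp
};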
// Data subject rights (GDPR): the subject of a personal_data record may
// exercise access, rectification, erasure and portability over it, provided
// their identity was verified within the last hour.
permit(
  principal,
  action in [Action::"access", Action::"rectify", Action::"erase", Action::"port"],
  resource
) when {
  resource has data_type &&
  resource.data_type == "personal_data" &&
  // Only the subject named on the record is granted here, not an operator
  // acting on their behalf.
  resource has data_subject &&
  resource.data_subject.id == principal.id &&
  principal has identity_verified &&
  // 3600 seconds: the verification step must be more recent than one hour
  // before the request time.
  principal.identity_verified.timestamp > (context.time.timestamp - 3600)
};
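// Data retention: deny read and modify once a resource has outlived its
// retention period (in days), unless the principal holds a retention override
// or the resource is under an active legal hold.
//
// This is a forbid, so an evaluation error (missing attribute, missing time
// context) would silently disable it rather than deny. The guards below turn
// missing data into an explicit deny instead.
//
// NOTE(review): only read and modify are covered; list, export, download and
// transfer of expired data are not restricted by this policy. The override is
// keyed on attribute presence alone, as in the original; if
// data_retention_override carries a value, its value should be checked.
forbid(
  principal,
  action in [Action::"read", Action::"modify"],
  resource
) when {
  resource has retention_period &&
  (
    // The age of the resource cannot be established: fail closed.
    !(resource has created_at) ||
    !(context has time) ||
    // retention_period is in days; timestamps are in seconds.
    resource.created_at < (context.time.timestamp - (resource.retention_period * 86400))
  ) &&
  !(principal has data_retention_override) &&
  !(resource has legal_hold && resource.legal_hold.active == true)
};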
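// Export control: deny export, download and transfer of export-controlled
// resources unless the principal holds a valid, unexpired export licence and
// the request does not originate from a restricted country.
//
// This is a forbid, so an evaluation error would silently disable it. The
// previous form read resource.restricted_countries without a `has` guard and
// skipped the geographic check entirely when the request carried no geo
// context, both of which allowed the export; missing data now denies.
forbid(
  principal,
  action in [Action::"export", Action::"download", Action::"transfer"],
  resource
) when {
  resource has export_controlled &&
  resource.export_controlled == true &&
  (
    // No licence, or a licence not explicitly marked valid.
    !(principal has export_license) ||
    principal.export_license.valid != true ||
    // Expiry cannot be checked without a request time: deny.
    !(context has time) ||
    principal.export_license.expires_at <= context.time.timestamp ||
    // Destination restriction: when the resource lists restricted countries,
    // an unknown request origin is treated as restricted. `.contains()` is
    // value membership; Cedar's `in` is entity hierarchy membership.
    (
      resource has restricted_countries &&
      (
        !(context has geo) ||
        resource.restricted_countries.contains(context.geo.country)
      )
    )
  )
};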
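// Audit marking for classified and regulated data.
//
// A previous revision expressed this as
//   @audit(true) permit(principal, action, resource) when { ... }
// over confidential/secret/top_secret classifications and the pii, phi,
// financial and intellectual_property data types. That is an authorisation
// bypass, not an audit hook: Cedar is default-deny and a request is allowed as
// soon as any one permit matches, so a catch-all permit on exactly the
// resources the policies above protect would grant every principal access to
// them without any clearance, training or need-to-know check. Annotations
// carry no authorisation semantics, and in Cedar's grammar an annotation value
// is a string literal (`@audit("true")`), so `@audit(true)` likely fails to
// parse and would take the rest of the policy set down with it. The condition
// also used `in` on string attributes; `in` is Cedar's entity hierarchy
// operator and errors on strings, whereas set membership is `.contains()`.
//
// Auditing belongs outside the policy set: the authorisation response names
// the policies that determined the decision, and the enforcement point logs
// those for requests on sensitive resources. Grants on such data should carry
// an `@audit("true")` annotation so the enforcement point can recognise them.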