// Geographic Access Restrictions Policy (Cedar policy set)
//
// Controls access based on the requester's geographic location and on the
// resource's data-residency requirements. Cedar permits are additive and any
// matching forbid overrides every permit, so each permit below is an
// independent grant path and only the forbid at the end can block one.
//
// Compliance: GDPR, Data Residency, Export Control Regulations
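// Allow access from approved geographic regions.
//
// Two grant paths:
//   1. Resources that carry no `geo_restricted` attribute may be accessed
//      from the general allow-list of countries below.
//   2. Resources flagged `geo_restricted == true` may only be accessed from
//      the countries in the resource's own `allowed_countries` set.
// A resource with `geo_restricted == false` matches neither path and is not
// granted by this policy.
//
// NOTE(review): Cedar permits are additive. Path 1 grants any action to any
// principal from an allow-listed country on every resource that lacks
// `geo_restricted`; the more specific policies in this file (GDPR training,
// clearance, HIPAA, SOX/MiFID) only constrain access if the resources they
// cover are also marked `geo_restricted`. Confirm that sensitive resources
// carry that attribute.
//
// `context.geo.country` is assumed to be derived server-side from the
// verified source address, not from client-supplied input - TODO confirm
// with whatever builds the request context.
//
// Fix: Cedar's `in` is the entity-hierarchy operator and does not type-check
// against a string and a set of strings; set membership is `.contains()`.
// A condition that errors makes the policy not apply, so as written this
// permit never granted anything.
permit(
  principal,
  action,
  resource
) when {
  context has geo &&
  context.geo has country &&
  (
    // General allow-list for resources without a geographic restriction
    (
      !(resource has geo_restricted) &&
      ["US", "CA", "GB", "DE", "FR", "AU", "JP", "SG"].contains(context.geo.country)
    ) ||
    // Per-resource allow-list for restricted data
    (
      resource has geo_restricted &&
      resource.geo_restricted == true &&
      resource has allowed_countries &&
      resource.allowed_countries.contains(context.geo.country)
    )
  )
};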
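// GDPR-compliant EU data access.
//
// Grants access to resources classified `eu_personal_data` only when the
// request originates from one of the listed European countries and the
// principal holds completed GDPR training that has not expired.
//
// NOTE(review): "GB" is not an EU member state but is listed, while several
// EU members are absent. Whether UK-GDPR-equivalent access is intended, and
// which member states are in scope, should be confirmed with the
// data-protection owner rather than inferred from this list.
//
// `context.time.timestamp` is read without a `has` guard: a context lacking
// it makes this condition error, so the permit does not apply (fail closed).
//
// Fix: `country in [...]` - Cedar's `in` is entity-hierarchy membership;
// string-set membership is `.contains()`.
permit(
  principal,
  action,
  resource
) when {
  resource has data_classification &&
  resource.data_classification == "eu_personal_data" &&
  context has geo &&
  context.geo has country &&
  ["GB", "DE", "FR", "IT", "ES", "NL", "SE", "DK", "FI", "IE", "AT", "BE", "PT", "CZ", "PL", "HU"].contains(context.geo.country) &&
  principal has gdpr_training &&
  principal.gdpr_training.completed == true &&
  // Training must still be current at request time
  principal.gdpr_training.expires_at > context.time.timestamp
};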
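// US-only access for export-controlled data.
//
// Permits access to resources flagged `export_controlled == true` only from
// the US and only for a principal whose security clearance is valid and at
// confidential, secret or top_secret level.
//
// NOTE(review): export-control regimes turn on the person (nationality,
// authorised-party status), not only on where the request originates. This
// policy checks location plus a clearance attribute, so the clearance
// attribute must be what carries person-level eligibility - confirm.
//
// Fix: `level in [...]` - Cedar's `in` is entity-hierarchy membership;
// string-set membership is `.contains()`.
permit(
  principal,
  action,
  resource
) when {
  resource has export_controlled &&
  resource.export_controlled == true &&
  context has geo &&
  context.geo has country &&
  context.geo.country == "US" &&
  principal has security_clearance &&
  ["confidential", "secret", "top_secret"].contains(principal.security_clearance.level) &&
  principal.security_clearance.valid == true
};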
// Healthcare data - HIPAA geographic restrictions.
//
// Permits access to resources whose `data_type` is "healthcare" only when
// the request comes from the US and the principal holds a HIPAA
// authorisation that is valid and flagged minimum_necessary.
//
// NOTE(review): the check is on the requester's location; where the data is
// stored is not examined here. Confirm with the compliance owner that this
// is the intended HIPAA control.
permit(
  principal,
  action,
  resource
) when {
  // Request origin: US only (HIPAA applies to US healthcare data)
  context has geo &&
  context.geo has country &&
  context.geo.country == "US" &&
  // Resource must be tagged as healthcare data
  resource has data_type &&
  resource.data_type == "healthcare" &&
  // Principal must hold a valid HIPAA authorisation scoped to minimum necessary
  principal has hipaa_authorization &&
  principal.hipaa_authorization.valid == true &&
  principal.hipaa_authorization.minimum_necessary == true
};
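// Financial data - regional compliance.
//
// Permits access to resources whose `data_type` is "financial" along one of
// two jurisdiction-specific paths:
//   - US-jurisdiction data: request from the US by a SOX-certified principal.
//   - EU-jurisdiction data: request from one of the listed European countries
//     by a MiFID-certified principal.
//
// Fixes:
//   - `country in [...]` - Cedar's `in` is entity-hierarchy membership;
//     string-set membership is `.contains()`.
//   - `context.geo has country` is now checked before `context.geo.country`
//     is read, matching the other policies in this file (a missing attribute
//     previously errored rather than evaluating to false; the permit did not
//     apply either way, so this is a consistency fix).
permit(
  principal,
  action,
  resource
) when {
  resource has data_type &&
  resource.data_type == "financial" &&
  context has geo &&
  context.geo has country &&
  resource has jurisdiction &&
  (
    // US financial data
    (
      resource.jurisdiction == "US" &&
      context.geo.country == "US" &&
      principal has sox_compliance &&
      principal.sox_compliance.certified == true
    ) ||
    // EU financial data
    (
      resource.jurisdiction == "EU" &&
      ["GB", "DE", "FR", "IT", "ES", "NL", "IE"].contains(context.geo.country) &&
      principal has mifid_compliance &&
      principal.mifid_compliance.certified == true
    )
  )
};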
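// VPN exception for authorized remote access.
//
// Grants access over a verified VPN connection to a principal holding a
// current VPN authorisation. Resources without `geo_restricted` need nothing
// more; resources flagged `geo_restricted == true` additionally require the
// authorisation level to be executive, emergency or business_travel. A
// resource with `geo_restricted == false` matches neither path.
//
// NOTE(review): this permit performs no geographic check and does not
// require `context.geo` to be present. The only thing keeping a VPN session
// from a sanctioned country out is the forbid at the end of this file, and
// that forbid is conditioned on `context has geo` - a VPN request whose
// context omits `geo` is therefore not screened. Confirm that the context
// builder always populates `geo` (from the pre-VPN source address) for VPN
// sessions. What `context.connection.verified` attests to is not visible
// here - confirm it is set only by the VPN gateway, never by the client.
//
// `context.time.timestamp` is read without a `has` guard: a context lacking
// it makes this condition error, so the permit does not apply (fail closed).
//
// Fix: `level in [...]` - Cedar's `in` is entity-hierarchy membership;
// string-set membership is `.contains()`.
permit(
  principal,
  action,
  resource
) when {
  context has connection &&
  context.connection.type == "vpn" &&
  context.connection.verified == true &&
  principal has vpn_authorization &&
  principal.vpn_authorization.valid == true &&
  principal.vpn_authorization.expires_at > context.time.timestamp &&
  // Restricted resources need an elevated VPN authorisation level
  (
    !(resource has geo_restricted) ||
    (
      resource has geo_restricted &&
      resource.geo_restricted == true &&
      ["executive", "emergency", "business_travel"].contains(principal.vpn_authorization.level)
    )
  )
};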
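// Emergency access override with strict controls.
//
// Grants any action on any resource while the principal carries an active
// override that: has not expired, expires within the next 4 hours
// (14400 s), was authorised by one of the listed roles, and references a
// non-empty incident id and business justification.
//
// NOTE(review): the 4-hour bound is on the remaining lifetime at request
// time, not on the override's total duration; an override whose
// `expires_at` is repeatedly pushed forward stays within bounds. The
// non-empty checks on `incident_id`/`business_justification` do not
// validate content. Confirm that issuance of the override attribute is
// itself controlled and logged.
//
// `context.time.timestamp` is read without a `has` guard: a context lacking
// it makes this condition error, so the permit does not apply (fail closed).
//
// Fix: `authorized_by in [...]` - Cedar's `in` is entity-hierarchy
// membership; string-set membership is `.contains()`.
permit(
  principal,
  action,
  resource
) when {
  principal has emergency_override &&
  principal.emergency_override.active == true &&
  principal.emergency_override.expires_at > context.time.timestamp &&
  // Max 4 hours of remaining validity
  principal.emergency_override.expires_at < (context.time.timestamp + 14400) &&
  ["CISO", "CTO", "CEO"].contains(principal.emergency_override.authorized_by) &&
  principal.emergency_override.incident_id != "" &&
  principal.emergency_override.business_justification != ""
};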
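// Explicit deny for restricted geographic access.
//
// A forbid overrides every permit in this file. Three deny conditions:
//   1. Sanctioned/embargoed source countries - unconditional. An internal
//      emergency override cannot lift a sanctions block, so this branch is
//      kept outside the override exemption (the previous version let an
//      active `emergency_override` suspend it).
//   2. Countries the resource itself lists in `blocked_countries`.
//   3. Data-residency mismatch: the resource's `required_jurisdiction`
//      differs from the requester's country and the principal carries no
//      `jurisdiction_override`.
// Branches 2 and 3 are suspended only while the principal has an active,
// unexpired `emergency_override`. The expiry check mirrors the emergency
// permit; without it a stale override still flagged `active` lifted this
// deny even though the emergency permit itself no longer granted anything.
// Every attribute the exemption reads is guarded with `has` so that a
// malformed override or a context without `time` leaves the forbid in
// force (a condition that errors would make the forbid NOT apply).
//
// NOTE(review): branch 3 compares `required_jurisdiction` with a country
// code. If that attribute holds a region value (this file's financial policy
// matches `jurisdiction == "EU"` on a different attribute), it never equals a
// country and every principal without `jurisdiction_override` is denied -
// confirm the attribute's value set.
// NOTE(review): `jurisdiction_override` is honoured on mere presence; no
// validity or expiry field is checked - confirm that is intended.
//
// Fix: `country in [...]` - Cedar's `in` is entity-hierarchy membership;
// string-set membership is `.contains()`. As written, the condition errored
// and this forbid never applied.
forbid(
  principal,
  action,
  resource
) when {
  context has geo &&
  context.geo has country &&
  (
    // Sanctioned or embargoed countries - never overridable
    ["IR", "KP", "SY", "CU", "RU"].contains(context.geo.country) ||
    (
      (
        // Countries blocked by company policy
        (
          resource has blocked_countries &&
          resource.blocked_countries.contains(context.geo.country)
        ) ||
        // Data residency violations
        (
          resource has required_jurisdiction &&
          resource.required_jurisdiction != context.geo.country &&
          !(principal has jurisdiction_override)
        )
      ) &&
      // Company-policy branches are suspended by an active, unexpired emergency override
      !(
        principal has emergency_override &&
        principal.emergency_override has active &&
        principal.emergency_override.active == true &&
        principal.emergency_override has expires_at &&
        context has time &&
        context.time has timestamp &&
        principal.emergency_override.expires_at > context.time.timestamp
      )
    )
  )
};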
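// Audit logging for geographic access decisions.
//
// The `@audit(true)` permit that stood here has been removed. Two problems:
//   - Cedar annotations are inert metadata and never cause logging; a permit
//     is a grant. Had it loaded, this policy would have granted any action to
//     any principal on every `geo_restricted` resource whenever `context.geo`
//     was present, bypassing the per-country and per-classification checks
//     in the policies above.
//   - It does not parse: annotation values are string literals
//     (`@audit("true")`), and `resource has data_classification in [...]`
//     is not a valid expression (`has` takes an attribute name; set
//     membership is `.contains()`).
// To tag policies for audit, place an annotation such as `@audit("true")`
// on each policy whose decisions should be logged and have the policy
// enforcement point record the annotations of the determining policies from
// the authorization response. Logging of the decision itself belongs to the
// enforcement point, not to a policy.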