// Multi-Factor Authentication Policy
// Requires MFA for access to sensitive resources
// Compliance: SOC2 Type II, ISO 27001
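// Allow access to sensitive resources only with MFA enabled.
//
// Applies to resources whose `classification` is "sensitive" or
// "confidential". The principal must have `mfa_enabled` set and an
// `mfa_last_verified` timestamp newer than one hour before the request's
// `context.time.timestamp` (the 3600 literal and the original "last hour"
// comment imply both are Longs in seconds — confirm against the schema).
//
// Set membership is tested with `.contains()`: Cedar's `in` operator is
// entity-hierarchy membership and is a type error on a String, which would
// make this policy error out on every request and never permit.
//
// Each attribute is guarded with `has` first: reading a missing attribute is
// an evaluation error in Cedar, and an erroring policy is treated as not
// applicable (for a permit that means deny, but it shows up as an error in
// the authorizer diagnostics rather than as a clean non-match).
permit(
    principal,
    action == Action::"access",
    resource
) when {
    resource has classification &&
    ["sensitive", "confidential"].contains(resource.classification) &&
    principal has mfa_enabled &&
    principal.mfa_enabled == true &&
    principal has mfa_last_verified &&
    // MFA verified within the last hour (3600 s); a stale verification is
    // treated the same as no MFA
    principal.mfa_last_verified > (context.time.timestamp - 3600)
};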
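// Allow access to non-sensitive resources without MFA requirement.
//
// Matches resources that carry no `classification` attribute at all, or whose
// classification is "public" or "internal". Any other classification value
// does not match here and falls through to the MFA policies in this file (or
// to Cedar's default deny).
//
// NOTE(review): a resource with no classification label is treated as
// non-sensitive, i.e. a missing label fails open for this permit — confirm
// that classification is mandatory for anything that can hold sensitive data,
// or drop the first disjunct so unlabeled resources are denied.
//
// `.contains()` is set membership; Cedar's `in` is entity-hierarchy
// membership and is a type error on a String, which would make this policy
// error out (and so not apply) for every classified resource.
permit(
    principal,
    action == Action::"access",
    resource
) when {
    !(resource has classification) ||
    ["public", "internal"].contains(resource.classification)
};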
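// Explicit deny for sensitive access without MFA.
//
// Defense in depth: Cedar is deny-by-default and a `forbid` overrides every
// `permit`, so this policy blocks MFA-less access to "sensitive" or
// "confidential" resources even if some other permit would grant it.
//
// Because a forbid overrides permits, the service-account exemption permit in
// this file can only take effect for sensitive resources if this forbid
// carves that exemption out; the `unless` clause below mirrors the permit's
// conditions for exactly that purpose.
//
// Cedar treats an evaluation error (e.g. reading a missing attribute) as
// "policy not applicable", which for a forbid means fail-open. Every
// attribute this policy reads is therefore guarded with `has`: a missing
// `context.time` counts as stale MFA (deny), and a malformed exemption record
// makes the carve-out false rather than disabling the forbid.
forbid(
    principal,
    action == Action::"access",
    resource
) when {
    resource has classification &&
    // `.contains()` is set membership; `in` is entity-hierarchy membership
    // and is a type error on a String, which would silently disable this forbid
    ["sensitive", "confidential"].contains(resource.classification) &&
    (
        // MFA missing, disabled, unverifiable, or verified more than an
        // hour (3600 s) before the request time
        !(principal has mfa_enabled) ||
        principal.mfa_enabled == false ||
        !(principal has mfa_last_verified) ||
        !(context has time) ||
        !(context.time has timestamp) ||
        principal.mfa_last_verified <= (context.time.timestamp - 3600)
    )
} unless {
    // Approved, unexpired, justified service-account exemption; every field
    // is checked with `has` so an incomplete record never errors the forbid away
    principal has account_type &&
    principal.account_type == "service" &&
    principal has mfa_exemption &&
    principal.mfa_exemption has approved &&
    principal.mfa_exemption.approved == true &&
    principal.mfa_exemption has expires_at &&
    context has time &&
    context.time has timestamp &&
    principal.mfa_exemption.expires_at > context.time.timestamp &&
    principal.mfa_exemption has justification &&
    principal.mfa_exemption.justification != ""
};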
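// Special exemption for service accounts with proper justification.
//
// Grants `access` to a principal whose `account_type` is "service" and that
// carries an `mfa_exemption` record which is approved, not yet expired at
// `context.time.timestamp`, and has a non-empty justification. The resource
// is unconstrained, so the exemption covers every classification.
//
// In Cedar a forbid overrides every permit, so for "sensitive"/"confidential"
// resources this permit only takes effect if the MFA forbid policy in this
// file carves the same exemption out; for other resources it is redundant
// with the non-sensitive permit.
//
// Record fields are guarded with `has` so an incomplete exemption record makes
// the policy simply not match instead of raising an evaluation error.
// `!= ""` rejects only the empty string — a whitespace-only justification
// still passes (Cedar has no trim), so justification quality has to be
// enforced at the point where the exemption is approved.
permit(
    principal,
    action == Action::"access",
    resource
) when {
    principal has account_type &&
    principal.account_type == "service" &&
    principal has mfa_exemption &&
    principal.mfa_exemption has approved &&
    principal.mfa_exemption.approved == true &&
    principal.mfa_exemption has expires_at &&
    principal.mfa_exemption.expires_at > context.time.timestamp &&
    principal.mfa_exemption has justification &&
    principal.mfa_exemption.justification != ""
};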