Diffstat (limited to 'doc/share/authz/POLICY.md')
| -rw-r--r-- | doc/share/authz/POLICY.md | 124 |
1 files changed, 0 insertions, 124 deletions
diff --git a/doc/share/authz/POLICY.md b/doc/share/authz/POLICY.md deleted file mode 100644 index ab2e8f1a..00000000 --- a/doc/share/authz/POLICY.md +++ /dev/null 
@@ -1,124 +0,0 @@ -# Policy - -> Policy is a planned system of rules and guidelines that directs users and automation to execute within purposeful boundaries. [1][1] - -The parts of a policy include: [1][1] - -* name: used to label the policy for future reference -* purpose: the reason this policy exists -* situation: the context in which the policy will be used -* rules: individual controls or prescribed behaviours; -* actions: action taken if a policy rule is violated - -> A policy is a statement that declares which principals are explicitly -> permitted, or explicitly forbidden, to perform an action on a resource. - [2][2] - -## Policy Language - -A policy language facilitates: [3][3] - -1. the specification of composite policies, which in turn forms the basis of trust delegation. -1. **the static analysis of policies and system configuration.** - -### Policy as Code (PaC) - -These are policies that are written, stored, managed and interpreted as code -artifacts. - -> A policy engine is a program or process that is able to ingest -> machine-readable policies and apply them to a particular problem domain to -> constrain the behaviour of network resources. [1][1] - -PaC policy engine characteristics: [1][1] - -* Ingeting machine-readable policies (PaC) -* Applying policies to specific problem domains (data) -* Constraining behaviors (outcomes) - -```plaintext - ---------- - | Policy |--------- A - ---------- | / \ - V / \ - -------- --------- / \ -------------- -------- - | Data |------>| Input |--->< match >--->| Evaluation |--->( Outcom ) - -------- --------- \ / -------------- -------- - A \ / - --------- | \ / - | Query |---------- V - --------- -``` - -Selection Criteria: [1][1] - -* Alignment - - Technical Capabilities of team. - - Internal strategy for how tools and applications are adopted/managed. 
- - Fits the need and internal standards driving the decision - - Primary use cases match our use cases -* Analytics - - logging - - metrics - - auditing -* Automation - - CI/CD Pipelines - - Automated Deployments -* Documentation - - Examples - - Patterns - - Understandable -* Adoption - - Who is using this? - - How much adoption has this project seen? - - Active? - - Project Maturity - - Support Model - - Intuitive -* Complexity - - Installation - - Deployment - - Configuration - - Operation Modes (server, library, CLI) -* Reporting - * Standard reporting tools e.g. [OSCAL](https://pages.nist.gov/OSCAL/) -* Security - * Risks, vulnerabilities - * Tools and processes for security issue discovery -* Extensibility - * Can custom code be written to extend the language. - -Scorecard [1][1] - -| Selection Criteria | Casbin | Cedar | Rego | -| ------------------ | ------ | ----- | ---- | -| Alignment | | | | -| Analytics | | | | -| Adoption | | | | -| Automation | | | | -| Documentation | | | | -| Complexity | | | | -| Reporting | | | | -| Security | | | | -| Extensibility | | | | -| Total | | | | - -### Cedar - -### Rego - -[Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) is a declarative assertion language that provides reasoning. This is a DSL -for applying reasoning and assertions to domain-agnostic, structured data. - -* [Regorus](https://github.com/microsoft/regorus) - * [Go binding](https://github.com/microsoft/regorus/tree/main/bindings/go) - * [Ruby binding](https://github.com/microsoft/regorus/tree/main/bindings/ruby) - -## See Also - -* [Zanzibar](./ZANZIBAR.md) -* [Dafny](https://dafny.org) -* [Policy as Code by Jimmy Ray][1] - -[1]: https://learning.oreilly.com/library/view/policy-as-code/ -[2]: https://docs.cedarpolicy.com/overview/terminology.html#term-policy -[3]: https://ucalgary.scholaris.ca/server/api/core/bitstreams/833a86a8-eb7f-4c50-af4d-696b8deb6fd8/content |
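Review bot: the hunk removes doc/share/authz/POLICY.md outright, and nothing in the visible change replaces or relocates what it held: the policy-engine selection criteria, the Casbin/Cedar/Rego scorecard, the PaC engine diagram, and the three numbered references ([1]–[3]) that the text cites. Before merging, confirm that no other page under doc/share/authz/ (the deleted file itself links to `./ZANZIBAR.md`, so a back-link is plausible) still points at POLICY.md, and that the commit message or a companion change records where the selection-criteria and scorecard content now lives; if the material is simply obsolete, a one-line note in the commit message saying so would keep the history reviewable. Also note the deleted text had two typos that should not be carried over if it is being moved elsewhere: `Ingeting` for "Ingesting" and `Outcom` for "Outcome" in the diagram.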
