admin / Syanpse-Vanguard
public
Syanpse-Vanguard / synapse-vanguard-v3 / sv / auth / rbac.py
1667 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 | """Role-Based Access Control — Python port of Synapse Sonar's lib/rbac.ts, extended with SIEM verbs. Roles map 1:1 to Sonar so identities are portable across the suite. TENANT_ADMIN is the superset.""" from __future__ import annotations from enum import Enum class Role(str, Enum): READ_ONLY_VIEWER = "READ_ONLY_VIEWER" # Auditor / read-only SECURITY_ANALYST = "SECURITY_ANALYST" TENANT_ADMIN = "TENANT_ADMIN" # System Administrator class Permission(str, Enum): LOG_READ = "log:read" LOG_EXPORT = "log:export" ALERT_READ = "alert:read" ALERT_TRIAGE = "alert:triage" # ack / close / assign PLAYBOOK_RUN = "playbook:run" RULE_WRITE = "rule:write" AGENT_MANAGE = "agent:manage" # enroll / revoke certs INTEGRATION_WRITE = "integration:write" # AI module config + vault USER_MANAGE = "user:manage" SYSTEM_CONFIG = "system:config" _MATRIX: dict[Role, set[Permission]] = { Role.READ_ONLY_VIEWER: { Permission.LOG_READ, Permission.LOG_EXPORT, Permission.ALERT_READ, }, Role.SECURITY_ANALYST: { Permission.LOG_READ, Permission.LOG_EXPORT, Permission.ALERT_READ, Permission.ALERT_TRIAGE, Permission.PLAYBOOK_RUN, Permission.RULE_WRITE, }, Role.TENANT_ADMIN: set(Permission), # superset, exactly like Sonar } def can(role: Role, permission: Permission) -> bool: return permission in _MATRIX.get(role, set()) def assert_can(role: Role, permission: Permission) -> None: if not can(role, permission): raise PermissionError(f"role {role.value} lacks {permission.value}") |