Catalyst / admin/Syanpse-Vanguard 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Syanpse-Vanguard

public
Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Syanpse-Vanguard / synapse-vanguard-v3 / sv / auth / rbac.py 1667 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
"""Role-Based Access Control — Python port of Synapse Sonar's lib/rbac.ts,
extended with SIEM verbs. Roles map 1:1 to Sonar so identities are portable
across the suite. TENANT_ADMIN is the superset."""
from __future__ import annotations

from enum import Enum


class Role(str, Enum):
    READ_ONLY_VIEWER = "READ_ONLY_VIEWER"   # Auditor / read-only
    SECURITY_ANALYST = "SECURITY_ANALYST"
    TENANT_ADMIN = "TENANT_ADMIN"           # System Administrator


class Permission(str, Enum):
    LOG_READ = "log:read"
    LOG_EXPORT = "log:export"
    ALERT_READ = "alert:read"
    ALERT_TRIAGE = "alert:triage"           # ack / close / assign
    PLAYBOOK_RUN = "playbook:run"
    RULE_WRITE = "rule:write"
    AGENT_MANAGE = "agent:manage"           # enroll / revoke certs
    INTEGRATION_WRITE = "integration:write"  # AI module config + vault
    USER_MANAGE = "user:manage"
    SYSTEM_CONFIG = "system:config"


_MATRIX: dict[Role, set[Permission]] = {
    Role.READ_ONLY_VIEWER: {
        Permission.LOG_READ,
        Permission.LOG_EXPORT,
        Permission.ALERT_READ,
    },
    Role.SECURITY_ANALYST: {
        Permission.LOG_READ,
        Permission.LOG_EXPORT,
        Permission.ALERT_READ,
        Permission.ALERT_TRIAGE,
        Permission.PLAYBOOK_RUN,
        Permission.RULE_WRITE,
    },
    Role.TENANT_ADMIN: set(Permission),     # superset, exactly like Sonar
}


def can(role: Role, permission: Permission) -> bool:
    return permission in _MATRIX.get(role, set())


def assert_can(role: Role, permission: Permission) -> None:
    if not can(role, permission):
        raise PermissionError(f"role {role.value} lacks {permission.value}")