andrewbwm
commented
2 years ago * `Lockout` a whole `Group` if all of the member `Identities` have been locked out.
This is a debatable inclusion, I liked it enough to include it in the initial pull request, but let me know what you think of it, @skatsikeas. If you feel it is overly assumptive let me know and we can drop it.
One could make the case that since the group itself is not denied it should not be reflected on it, new users or users not modelled could exist that could still make use of those privileges. However, if we do decide to drop it we may have some funky situations where all of the users Idenitities are locked out, but since the relevant privileges are on the Group for whichever reason the lockout is not propagated.
Rework the
IAMObjectabstract asset to extend theInformationasset and connect the attack steps that make sense.IAMObjectDenyleads toLockout.IAMObjectWriteleads toAssume.IAMObjectLockoutleads toDenyon theDatais hasReadPrivilegesfor and on theApplicationsit hasExecutionPrivilegeson. The other types of privilegesWriteandDeleteonDataandHighandLowonApplicationswere not seen as necessarily propagating the effects of a lockout. There may be circumstances where, for example, removing write privileges would impact the functionality of using the data. However, these are defined by the specific functionality of thatDataasset and therefore beyond the scope of coreLang.Privilegesto serve as a subset for anyIAMObjectclass, not justIdentityandGroup. This also allows the modeller to buildPrivilegeshierarchies, I doubt it will be a commonly used feature, but it seemed like a more generic and cleaner design anyway.Lockouta wholeGroupif all of the memberIdentitieshave been locked out.