Access Review and Certification
Security · 7 nodes · 7 edges
ex-access-review.osop.yaml
# Access Review and Certification Workflow
# Pull permissions, AI analysis, flag anomalies, manager review, remediate
osop_version: "2.0"
id: access-review
name: "存取審查與認證"
nodes:
  - id: pull_permissions
    type: cli
    purpose: Extract current access permissions from all identity sources
    runtime:
      command: |
        python collect_access.py \
          --sources okta,aws-iam,github,gcp,azure-ad,database \
          --scope all-employees \
          --output access-snapshot-$(date +%Y%m%d).json
    outputs: [access_snapshot, user_count, permission_count, source_count]
    timeout_sec: 600
    security:
      credentials: [OKTA_API_TOKEN, AWS_IAM_ROLE, GITHUB_ADMIN_TOKEN, GCP_SA_KEY, AZURE_AD_TOKEN]
    explain: |
      Aggregates permissions across all identity providers and resource platforms.
      Creates a point-in-time snapshot for audit trail.
  - id: correlate_hr_data
    type: db
    purpose: Join access data with HR records to identify role, department, and employment status
    runtime:
      engine: postgresql
      connection: postgresql://hr:5432/people
    inputs: [access_snapshot]
    outputs: [enriched_access, terminated_with_access, role_changes]
    timeout_sec: 120
    explain: |
      Flags terminated employees who still have active access (immediate risk).
      Identifies employees who changed roles but retained previous permissions.
  - id: ai_anomaly_detection
    type: agent
    purpose: AI analysis to detect excessive permissions, unusual access patterns, and policy violations
    runtime:
      provider: anthropic
      model: claude-sonnet-4-20250514
      config:
        system_prompt: |
          Analyze the access permission data. Flag:
          1. Terminated employees with active access
          2. Permissions inconsistent with current role
          3. Excessive admin/privileged access
          4. Dormant accounts (no login > 90 days)
          5. Segregation of duty violations
          6. Access outliers compared to role peers
    inputs: [enriched_access, terminated_with_access, role_changes]
    outputs: [anomalies, risk_score_per_user, sod_violations, dormant_accounts, recommended_revocations]
    timeout_sec: 120
  - id: generate_review_packets
    type: cli
    purpose: Generate per-manager review packets with flagged items highlighted
    runtime:
      command: |
        python generate_review_packets.py \
          --access-data enriched-access.json \
          --anomalies anomalies.json \
          --group-by manager \
          --output review-packets/
    inputs: [enriched_access, anomalies, risk_score_per_user]
    outputs: [review_packet_count, manager_list]
    timeout_sec: 60
  - id: manager_review
    type: human
    purpose: Managers certify or revoke each direct report's access permissions
    role: people_manager
    inputs: [review_packet_count, anomalies, recommended_revocations]
    outputs: [certified_access, revocation_requests, escalations]
    approval_gate:
      required_approvers: 1
      timeout_min: 10080
    explain: |
      Each manager receives a review packet listing their reports' permissions.
      AI-flagged anomalies are highlighted. Manager must certify (approve) or
      revoke each permission. 7-day SLA with escalation to VP if not completed.
  - id: execute_revocations
    type: cli
    purpose: Automatically revoke access permissions marked for removal
    runtime:
      command: |
        python revoke_access.py \
          --revocations revocation-requests.json \
          --dry-run false \
          --audit-log revocation-audit.json
    inputs: [revocation_requests]
    outputs: [revoked_count, revocation_failures, audit_log]
    timeout_sec: 300
    security:
      credentials: [OKTA_API_TOKEN, AWS_IAM_ROLE, GITHUB_ADMIN_TOKEN]
  - id: compliance_report
    type: cli
    purpose: Generate SOX/SOC2 compliance report documenting the review cycle
    runtime:
      command: |
        python generate_compliance_report.py \
          --review-cycle $(date +%Y-Q$((($(date +%-m)-1)/3+1))) \
          --access-snapshot access-snapshot.json \
          --certifications certified-access.json \
          --revocations revocation-audit.json \
          --output compliance-report.pdf
    inputs: [certified_access, revoked_count, audit_log]
    outputs: [compliance_report_url, review_completion_rate, open_items]
    timeout_sec: 120
edges:
  - from: pull_permissions
    to: correlate_hr_data
    mode: sequential
  - from: correlate_hr_data
    to: ai_anomaly_detection
    mode: sequential
  - from: ai_anomaly_detection
    to: generate_review_packets
    mode: sequential
  - from: generate_review_packets
    to: manager_review
    mode: sequential
  - from: manager_review
    to: execute_revocations
    mode: sequential
  - from: execute_revocations
    to: compliance_report
    mode: sequential
  - from: execute_revocations
    to: execute_revocations
    mode: fallback
    label: "Retry failed revocations"
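The correlate_hr_data node only states its purpose; the join it performs is not shown. As an added example (not part of the workflow or its scripts), this Python sketch implements that node's three outputs together with the dormant-account criterion from the ai_anomaly_detection prompt, over constructed data whose shapes (HR_RECORDS, ACCESS_SNAPSHOT, ROLE_BASELINE) are assumptions:

```python
from datetime import date, timedelta

DORMANT_DAYS = 90  # the "no login > 90 days" criterion from the AI prompt

# Constructed sample inputs (assumed shapes; not real people or systems).
HR_RECORDS = {  # keyed by user; previous_role is set when the person changed role
    "alice": {"status": "active", "role": "sre", "previous_role": None},
    "bob": {"status": "terminated", "role": "dev", "previous_role": None},
    "carol": {"status": "active", "role": "analyst", "previous_role": "sre"},
}
ACCESS_SNAPSHOT = [  # one row per (user, source, permission); assumed output shape of collect_access.py
    {"user": "alice", "source": "aws-iam", "permission": "AdministratorAccess", "last_login": "2025-01-10"},
    {"user": "bob", "source": "github", "permission": "org-admin", "last_login": "2024-12-01"},
    {"user": "carol", "source": "aws-iam", "permission": "AdministratorAccess", "last_login": "2024-09-01"},
    {"user": "carol", "source": "okta", "permission": "analyst-group", "last_login": "2025-01-12"},
    {"user": "svc-deploy", "source": "aws-iam", "permission": "AdministratorAccess", "last_login": "2024-10-01"},
]
# Assumed role-to-permission baseline, used to decide whether a retained grant belongs to the old role.
ROLE_BASELINE = {"sre": {"AdministratorAccess"}, "dev": {"org-admin"}, "analyst": {"analyst-group"}}


def correlate(access, hr, today):
    """Join access rows with HR records; return the node's three outputs plus dormant accounts."""
    enriched, terminated, role_changes, dormant = [], [], [], []
    for grant in access:
        rec = hr.get(grant["user"])
        # Accounts with no HR record (orphans, service accounts) cannot be certified by a manager,
        # so they are surfaced alongside terminated employees rather than silently passed through.
        row = dict(grant, status=rec["status"] if rec else "not_in_hr", role=rec["role"] if rec else None)
        enriched.append(row)
        if row["status"] != "active":
            terminated.append(row)  # immediate risk: live access without an active employment record
        elif rec["previous_role"] and grant["permission"] in ROLE_BASELINE.get(rec["previous_role"], set()) \
                and grant["permission"] not in ROLE_BASELINE.get(rec["role"], set()):
            role_changes.append(row)  # permission carried over from the old role (privilege creep)
        if today - date.fromisoformat(grant["last_login"]) > timedelta(days=DORMANT_DAYS):
            dormant.append(row)
    return {"enriched_access": enriched, "terminated_with_access": terminated,
            "role_changes": role_changes, "dormant_accounts": dormant}


def run_sample(today=date(2025, 1, 15)):
    """Run the checks over the constructed snapshot with a fixed review date."""
    return correlate(ACCESS_SNAPSHOT, HR_RECORDS, today)


if __name__ == "__main__":
    for name, rows in run_sample().items():
        print(f"{name}: {len(rows)} row(s)")
```

Prompt criteria 1 and 4 are fully deterministic, so computing them here keeps those findings reproducible and auditable regardless of what the agent step returns.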