
Implement SecurityReaderRoleAssigned metric #174

Open

ezzeddinemtar wants to merge 4 commits into main from feature/ScurityReaderRoleAssigned_implemented


Conversation

@ezzeddinemtar

Collaborator

No description provided.

@@ -0,0 +1,11 @@
# ====== Metadata ======
id: SecurityReaderRoleAssigned
description: This rule assesses whether a [RoleAssignment] covering cryptographic oversight responsibilities has the property [p1:securityReaderRoleAssigned] indicating that at least one [Identity] is assigned to fulfil the responsibility.
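Review bot: the description refers to `[p1:securityReaderRoleAssigned]` as a property of `[RoleAssignment]`, but nothing in this metadata says where that property is defined or what sets it; add a reference to the ontology definition (or a note that it still has to be added there) so a reader of the metric can trace the property back to its schema.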

Collaborator


As far as I can see, the RoleAssignment Resource does not yet have any properties defined in the ontology. So, we need to adapt there and add something like a list of permissions.

description: This rule assesses whether a [RoleAssignment] covering cryptographic oversight responsibilities has the property [p1:securityReaderRoleAssigned] indicating that at least one [Identity] is assigned to fulfil the responsibility.
category: CryptographyEncryptionKeyManagement
version: "1.0"
comments: Security reader duties should never remain unassigned; the metric also evaluates available user assignments to ensure the role is covered.
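Review bot: the `comments` field states that the metric "also evaluates available user assignments", while the `description` only speaks of the `[p1:securityReaderRoleAssigned]` property; the two fields should agree on what is actually checked. Either extend `description` to say that assigned `[Identity]` resources are evaluated as well, or drop that claim from `comments`.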

Collaborator


I think we could phrase this more clearly: Why should they never be unassigned? What's the duty of a security reader?

Collaborator Author


I tried to change the description. Please let me know if there is anything I should change.


applicable if {
flag := security_reader_role_flag
flag == false
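Review bot: the `applicable` rule is conditioned on the compliance outcome itself (`flag == false`), so the metric would apply only to role assignments that already fail it and could never report a compliant resource. Applicability should depend on the resource kind (a `[RoleAssignment]` covering the cryptographic oversight responsibility), and the `security_reader_role_flag` check belongs in the compliance rule. The temporary variable adds nothing either; `security_reader_role_flag == false` reads the same.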

Collaborator


Why is it applicable if the role flag is true AND it is applicable if it is false?

Collaborator Author


You are right. It should be fixed right now. Thank you!

}

security_reader_assigned_users_available if {
security_reader_assigned_users
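Review bot: a rule body consisting of the bare reference `security_reader_assigned_users` only tests that the value is defined and not `false`; if it is a set or array of identities, an empty collection still satisfies it, so this wrapper does not establish that any user is actually assigned. Replace the wrapper with `count(security_reader_assigned_users) > 0` at the point of use, which also removes the redundant rule.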

Collaborator


This seems redundant. Why not directly check for security_reader_assigned_users?

Collaborator Author


I changed it accordingly, thank you :)

@ezzeddinemtar force-pushed the feature/ScurityReaderRoleAssigned_implemented branch from 4aeb21d to d2c9540 on October 2, 2025 11:53

4 participants