# Introduction

This notebook introduces a practical implementation of **access control, least privilege enforcement, and action approval systems** to ensure secure and efficient handling of user permissions and critical operations. 

The key components of the code include:

1. **Access Control**: Implements a role-based permission system where users are assigned roles such as "admin," "editor," or "viewer," determining their actions within the system.
2. **Least Privilege Enforcer**: Enforces security policies by ensuring users have the minimum required privileges to perform specific actions, logging allowed and denied attempts for audit purposes.
3. **Action Approval System**: Manages the approval process for high-impact operations, providing mechanisms to request, approve, and review pending approvals.

These tools collectively ensure a secure, principle-driven approach to managing user access and operations in sensitive environments.


In [1]:
class AccessControl:
    def __init__(self):
        """
        Initializes the access control system with role-based permissions.
        """
        self.roles = {
            "admin": {"access_level": 3, "permissions": {"read", "write", "delete", "approve"}},
            "editor": {"access_level": 2, "permissions": {"read", "write"}},
            "viewer": {"access_level": 1, "permissions": {"read"}},
        }
        self.user_roles = {}  # Maps users to roles

    def assign_role(self, user, role):
        """
        Assigns a role to a user.
        :param user: Username.
        :param role: Role to assign.
        """
        if role in self.roles:
            self.user_roles[user] = role
        else:
            raise ValueError(f"Invalid role: {role}")

    def check_permission(self, user, action):
        """
        Checks if a user has permission to perform a specific action.
        :param user: Username.
        :param action: Action to check.
        :return: True if allowed, False otherwise.
        """
        role = self.user_roles.get(user)
        if not role:
            return False
        return action in self.roles[role]["permissions"]

class LeastPrivilegeEnforcer:
    def __init__(self):
        """
        Initializes the least privilege enforcer.
        """
        self.access_log = []

    def enforce(self, user, action, required_access_level, user_access_level):
        """
        Enforces the least privilege principle.
        :param user: Username.
        :param action: Action requested.
        :param required_access_level: Minimum access level for the action.
        :param user_access_level: User's current access level.
        :return: True if the user has sufficient access, False otherwise.
        """
        if user_access_level >= required_access_level:
            self.access_log.append((user, action, "allowed"))
            return True
        else:
            self.access_log.append((user, action, "denied"))
            return False

    def get_access_log(self):
        """
        Returns the access log.
        """
        return self.access_log

class ActionApproval:
    def __init__(self):
        """
        Initializes the action approval system.
        """
        self.pending_approvals = {}

    def request_approval(self, action, user):
        """
        Requests approval for a high-impact action.
        :param action: Action requiring approval.
        :param user: Username requesting the action.
        :return: Approval request ID.
        """
        approval_id = len(self.pending_approvals) + 1
        self.pending_approvals[approval_id] = {"action": action, "user": user, "status": "pending"}
        return approval_id

    def approve(self, approval_id):
        """
        Approves a pending action.
        :param approval_id: ID of the approval request.
        :return: True if approved, False otherwise.
        """
        if approval_id in self.pending_approvals and self.pending_approvals[approval_id]["status"] == "pending":
            self.pending_approvals[approval_id]["status"] = "approved"
            return True
        return False

    def get_pending_approvals(self):
        """
        Returns all pending approvals.
        """
        return {k: v for k, v in self.pending_approvals.items() if v["status"] == "pending"}

# Example Usage
if __name__ == "__main__":
    # 1. Access Control Example
    ac = AccessControl()
    ac.assign_role("alice", "admin")
    ac.assign_role("bob", "viewer")
    print("Alice can delete:", ac.check_permission("alice", "delete"))
    print("Bob can write:", ac.check_permission("bob", "write"))

    # 2. Least Privilege Principle Example
    lpe = LeastPrivilegeEnforcer()
    user_access_level = 2  # Editor
    required_access_level = 3  # Admin action
    print("Access allowed:", lpe.enforce("bob", "delete", required_access_level, user_access_level))
    print("Access log:", lpe.get_access_log())

    # 3. User Approval Example
    approval_system = ActionApproval()
    approval_id = approval_system.request_approval("delete_all_records", "alice")
    print("Pending approvals:", approval_system.get_pending_approvals())
    print("Action approved:", approval_system.approve(approval_id))
    print("Updated approvals:", approval_system.get_pending_approvals())

Alice can delete: True
Bob can write: False
Access allowed: False
Access log: [('bob', 'delete', 'denied')]
Pending approvals: {1: {'action': 'delete_all_records', 'user': 'alice', 'status': 'pending'}}
Action approved: True
Updated approvals: {}


# Conclusion

This notebook showcases essential mechanisms for implementing **secure user permissions and operational workflows** using access control, least privilege enforcement, and action approval systems.

Through the examples provided, the following core principles were demonstrated:

- **Role-Based Access Control (RBAC)** ensures that users can perform actions within their designated roles, enhancing security and accountability.
- The **Least Privilege Principle** restricts user capabilities to the minimum necessary for their tasks, reducing the risk of misuse or accidental damage.
- **Action Approval Processes** introduce an additional layer of oversight for high-impact actions, ensuring that sensitive operations are authorized appropriately.

These foundational techniques provide a robust starting point for designing secure and scalable access management systems. While basic in design, they are extendable and adaptable for real-world applications requiring advanced policy management and integration with existing infrastructure.
