manirht/RBAC_CRED


πŸ” RBAC Policy Engine

Python FastAPI Streamlit License Tests

An AI-powered Role-Based Access Control (RBAC) Policy Engine with natural language interface for defining, validating, and managing access policies.

A Role-Based Access Control (RBAC) policy engine with a natural language chat interface. Build access control policies by simply describing them in plain English.

🎯 Features

  • Natural Language Interface: Create policies using conversational AI (powered by Claude)
  • Real-time Policy Preview: See your policy update as you build it
  • Smart Validation: Automatic validation against available roles, resources, and permissions
  • Contextual Conditions: Add conditions based on environment, time, MFA status, etc.
  • Clarifying Questions: The system asks for clarification when instructions are ambiguous
  • Policy Evaluation: Test your policies with simulated access requests
  • Export: Generate final_policy.json and validation_report.json

📋 Prerequisites

  • Python 3.10 or higher
  • Claude API key (provided in assignment email)

🚀 Quick Start

1. Clone and Setup

cd RBAC_CRED

# Create virtual environment (recommended)
python -m venv venv

# Activate virtual environment
# On Windows:
venv\Scripts\activate
# On macOS/Linux:
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

2. Configure Environment

The .env file is already configured with the provided Claude API key. If you need to change it:

# Edit .env file
ANTHROPIC_API_KEY=your-api-key-here

3. Run the Application

Option A: Run both API and UI together (Recommended)

# On Windows, run in two separate terminals:

# Terminal 1 - Start the API server
python -m uvicorn src.api.main:app --reload --host 0.0.0.0 --port 8000

# Terminal 2 - Start the UI
streamlit run src/ui/app.py

Option B: Using Make (if you have Make installed)

make run-api    # In terminal 1
make run-ui     # In terminal 2

4. Access the Application

💬 How to Use

Chat Commands

Simply type what you want in natural language:

"Admins can do everything"
"Viewers can only read invoices and reports"
"Operators can edit orders in production only"
"Deny delete access to guests"
"Allow analysts to export reports during business hours"

Quick Commands

  • list roles - Show available roles
  • list resources - Show available resources
  • list permissions - Show available permissions
  • list context - Show context attributes for conditions
  • show policy - View current policy
  • validate - Validate the policy
  • clear - Start over
  • help - Show help

Example Session

You: Admins can do everything
Bot: ✅ Rule 'Admin Full Access' added successfully.
     Admin role now has all permissions on all resources.

You: Viewers can only read invoices
Bot: ✅ Rule 'Viewer Read Invoices' added successfully.
     Viewers can now read invoices.

You: Operators can edit orders
Bot: I need a bit more information. In which environment should
     operators be able to edit orders? (production, staging, development)

You: Only in staging
Bot: ✅ Rule 'Operator Edit Orders Staging' added successfully.
     Operators can edit orders when environment is staging.

You: validate
Bot: ✅ Policy is valid! 3 rules defined, no errors.

You: (Click "Export Policy" in sidebar)
Bot: Policy exported to output/final_policy.json
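To show how the rules built in the session above (plus the "Deny delete access to guests" chat example) are evaluated against a simulated access request, here is an added example; it is not the repository's decision_engine.py. The JSON rule layout, the `*` wildcard, mapping "edit" to the `write` permission, deny-overrides ordering, and default deny are all assumptions of this example.

```python
# Added example (not the repository's own code): a minimal deterministic
# evaluator for the rule set built in the example session. The rule JSON
# layout, "*" wildcards, deny-overrides and default-deny are assumptions.
import json

# Constructed policy: the three session rules plus the guest deny example.
POLICY_JSON = """
{
  "rules": [
    {"name": "Admin Full Access", "effect": "allow", "role": "admin",
     "resources": ["*"], "permissions": ["*"], "conditions": {}},
    {"name": "Viewer Read Invoices", "effect": "allow", "role": "viewer",
     "resources": ["invoice"], "permissions": ["read"], "conditions": {}},
    {"name": "Operator Edit Orders Staging", "effect": "allow", "role": "operator",
     "resources": ["order"], "permissions": ["write"],
     "conditions": {"environment": "staging"}},
    {"name": "Guest No Delete", "effect": "deny", "role": "guest",
     "resources": ["*"], "permissions": ["delete"], "conditions": {}}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _matches(rule, role, resource, permission, context):
    """A rule applies only if role, resource, permission and every condition match."""
    if rule["role"] != role:
        return False
    if "*" not in rule["resources"] and resource not in rule["resources"]:
        return False
    if "*" not in rule["permissions"] and permission not in rule["permissions"]:
        return False
    # A condition on an attribute absent from the request context fails closed.
    return all(context.get(k) == v for k, v in rule["conditions"].items())


def evaluate(policy, role, resource, permission, context=None):
    """Return ("ALLOW" | "DENY", reason). Deny overrides allow; no match is DENY."""
    context = context or {}
    applicable = [r for r in policy["rules"]
                  if _matches(r, role, resource, permission, context)]
    for rule in applicable:
        if rule["effect"] == "deny":
            return "DENY", f"explicit deny by rule '{rule['name']}'"
    for rule in applicable:
        if rule["effect"] == "allow":
            return "ALLOW", f"allowed by rule '{rule['name']}'"
    return "DENY", "no matching rule (default deny)"


if __name__ == "__main__":
    print(evaluate(POLICY, "operator", "order", "write", {"environment": "production"}))
```

Note that an operator request with no `environment` attribute is denied, because a conditional rule only applies when the context actually carries the attribute.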

πŸ“ Project Structure

RBAC_CRED/
β”œβ”€β”€ src/
β”‚   β”œβ”€β”€ api/              # FastAPI backend
β”‚   β”‚   └── main.py       # API endpoints
β”‚   β”œβ”€β”€ agent/            # Conversation agent
β”‚   β”‚   β”œβ”€β”€ conversation_agent.py  # Claude-powered NL processing
β”‚   β”‚   └── session_manager.py     # Session persistence
β”‚   β”œβ”€β”€ core/             # Core policy engine
β”‚   β”‚   β”œβ”€β”€ policy_builder.py      # Policy construction
β”‚   β”‚   β”œβ”€β”€ decision_engine.py     # ALLOW/DENY evaluation
β”‚   β”‚   └── schema_cache.py        # Schema caching
β”‚   β”œβ”€β”€ mock_apis/        # Mock discovery APIs
β”‚   β”‚   β”œβ”€β”€ roles_api.py           # Roles & permissions
β”‚   β”‚   β”œβ”€β”€ resource_api.py        # Resource schemas
β”‚   β”‚   β”œβ”€β”€ context_api.py         # Context attributes
β”‚   β”‚   └── validator_api.py       # Policy validation
β”‚   β”œβ”€β”€ models/           # Pydantic data models
β”‚   β”‚   β”œβ”€β”€ policy.py              # Policy, Rule, Condition
β”‚   β”‚   β”œβ”€β”€ role.py                # Role, Permission
β”‚   β”‚   β”œβ”€β”€ resource.py            # Resource, Action
β”‚   β”‚   └── context.py             # Context attributes
β”‚   └── ui/               # Streamlit chat interface
β”‚       └── app.py        # Chat UI
β”œβ”€β”€ tests/                # Unit tests
β”œβ”€β”€ output/               # Generated artifacts
β”‚   β”œβ”€β”€ final_policy.json
β”‚   └── validation_report.json
β”œβ”€β”€ data/                 # Cached data & sessions
β”œβ”€β”€ Makefile              # Build commands
β”œβ”€β”€ docker-compose.yml    # Docker setup
β”œβ”€β”€ requirements.txt      # Dependencies
β”œβ”€β”€ README.md             # This file
└── DESIGN.md             # Architecture documentation

🧪 Running Tests

# Run all tests
pytest

# Run with verbose output
pytest -v

# Run specific test file
pytest tests/test_decision_engine.py

# Run with coverage
pytest --cov=src

🐳 Docker (Optional)

# Build and run with Docker Compose
docker-compose up --build

# Stop containers
docker-compose down

📊 Available Schema

Roles

  • admin - Full system administrator
  • operator - Operational user
  • viewer - Read-only access
  • auditor - Audit activities
  • developer - Development resources
  • analyst - Data analysis
  • manager - Team management
  • guest - Limited access

Resources

  • invoice - Financial invoices
  • user_profile - User accounts
  • report - Analytics reports
  • payment - Payment transactions
  • order - Customer orders
  • product - Product catalog
  • customer - Customer accounts
  • audit_log - Audit logs
  • configuration - System settings
  • dashboard - Analytics dashboards

Permissions

  • read, write, delete, create, list
  • export, import, approve, reject
  • execute, configure, audit

Context Attributes

  • environment: production, staging, development, testing
  • time_of_day: business_hours, off_hours, morning, evening
  • day_of_week: weekday, weekend, monday-sunday
  • mfa_verified: true, false
  • data_classification: public, internal, confidential, restricted
  • device_type: desktop, mobile, tablet, api, service
  • And more...

📤 Output Files

After exporting, you'll find:

  • output/final_policy.json - The complete policy definition
  • output/validation_report.json - Validation results

🔗 API Endpoints

Endpoint                            Method     Description
/api/chat                           POST       Send a chat message
/api/sessions                       GET/POST   Manage sessions
/api/policy/{session_id}            GET        Get current policy
/api/policy/validate/{session_id}   POST       Validate policy
/api/policy/export/{session_id}     POST       Export to files
/api/evaluate                       POST       Evaluate access request
/api/discovery/roles                GET        Discover roles
/api/discovery/resources            GET        Discover resources
/api/discovery/context              GET        Discover context attributes

See full API documentation at http://localhost:8000/docs

πŸ› οΈ Troubleshooting

"Cannot connect to API server"

Make sure the API is running on port 8000:

python -m uvicorn src.api.main:app --reload --host 0.0.0.0 --port 8000

"ANTHROPIC_API_KEY not found"

Ensure your .env file contains the API key:

ANTHROPIC_API_KEY=sk-ant-api03-...

Import errors

Make sure you're running from the project root directory and the virtual environment is activated.

πŸ“ License

This project is for CRED's backend engineer internship assessment.

About

Backend-focused RBAC policy engine with agentic AI flow. Supports natural language policy creation, multi-layer validation, state persistence, and deterministic policy evaluation. REST API + Chat UI.
