Access control and identity management prompts
What you'll achieve
Design and implement access control systems that enforce least privilege, identity verification, and secure authentication. These prompts help you meet ISO 27001 Annex A.9 and A.5, SOC 2 CC6.1-CC6.3, Zero Trust principles, and NIST SP 800-63 identity assurance requirements.
Identity and authentication
Multi-factor authentication implementation
Design a multi-factor authentication (MFA) implementation for [application/infrastructure access]. Include:
- MFA methods (authenticator app, hardware token, SMS, biometric)
- Enforcement scope (all users, privileged only, conditional)
- Identity provider integration ([Okta/Azure AD/Google Workspace/Auth0])
- Enrollment process and user communication
- Backup authentication methods and account recovery
- Exemption process and risk acceptance
- Monitoring and reporting on MFA adoption
- Grace period and enforcement timeline
- User training and support resources
- Technical implementation ([SAML/OIDC/RADIUS/custom])
Map to ISO 27001 A.9.4.2, SOC 2 CC6.1, NIST SP 800-63B.
Single Sign-On (SSO) architecture
Create an SSO architecture for [organization size] using [identity provider]. Include:
- Application inventory and SSO readiness assessment
- Protocol selection (SAML 2.0, OpenID Connect, OAuth 2.0)
- User provisioning and deprovisioning automation (SCIM)
- Session management and timeout policies
- Conditional access policies (device compliance, location, risk score)
- Break-glass admin access procedures
- Monitoring SSO events and anomalies
- Integration with on-premises directory ([Active Directory/LDAP])
- Migration plan from local authentication
- Compliance documentation (ISO 27001 A.9.4.2, SOC 2 CC6.2)
Output as an architecture diagram and implementation roadmap.
Passwordless authentication design
Design a passwordless authentication system for [use case] using [FIDO2/WebAuthn/biometrics/certificate-based]. Include:
- Authentication flow and user experience
- Device registration and management
- Fallback mechanisms for lost devices
- Phishing resistance verification
- Integration with existing identity infrastructure
- Privileged access considerations
- Risk assessment and threat modeling
- User adoption strategy and rollout phases
- Support processes and troubleshooting
- Compliance benefits (ISO 27001 A.9.4.2, SOC 2 CC6.1)
Include technical specifications and user guides.
Access control models and policies
Role-Based Access Control (RBAC) design
Create an RBAC model for [application/system/cloud environment]. Include:
- Role definition methodology (job function-based)
- Role hierarchy and inheritance
- Permission granularity (resource-level, action-level)
- Default-deny principle enforcement
- Segregation of duties matrix (incompatible role combinations)
- Role assignment workflow and approval
- Periodic access reviews (quarterly/annually)
- Temporary access (time-bound roles)
- Emergency access procedures
- Documentation for audit (ISO 27001 A.9.2.1, SOC 2 CC6.2)
Output as a role matrix spreadsheet and policy document.
Attribute-Based Access Control (ABAC) implementation
Design an ABAC system for [complex access requirements]. Define:
- User attributes (department, clearance level, location, device posture)
- Resource attributes (data classification, owner, sensitivity)
- Environmental attributes (time, network, threat level)
- Policy engine and decision point architecture
- Policy authoring and testing framework
- Attribute sources and synchronization
- Performance and caching considerations
- Audit logging and policy evaluation traces
- Migration from RBAC to ABAC
- Integration with [identity provider/directory service]
Map to ISO 27001 A.9.2.1, Zero Trust principles, NIST SP 800-162.
Least privilege access policy
Create a least privilege access policy for [organization]. Address:
- Default access levels (new users, new resources)
- Justification and approval workflow for elevated access
- Time-limited access grants
- Privilege escalation procedures (sudo, runas, assume role)
- Standing privileges vs. just-in-time access
- Access review process and frequency
- Privilege creep detection and remediation
- Monitoring and alerting on privilege use
- Segregation of duties enforcement
- Documentation requirements
Align with ISO 27001 A.9.2.1, SOC 2 CC6.2, PCI DSS 7.1.
Privileged access management
Privileged Access Management (PAM) solution design
Design a PAM implementation using [CyberArk/BeyondTrust/Delinea/HashiCorp Boundary/custom]. Include:
- Privileged account inventory (admin, root, service accounts)
- Password vaulting and rotation automation
- Session recording and monitoring
- Just-in-time access provisioning
- Approval workflows and break-glass procedures
- Integration with [ticketing/SIEM/SOAR]
- Audit trail and compliance reporting
- Onboarding plan for critical systems
- User training for privileged users
- Threat detection (anomalous admin activity)
Map to ISO 27001 A.9.2.3, SOC 2 CC6.2, NIST SP 800-53 AC-2.
Service account and API key management
Create service account and API key management procedures for [cloud/applications]. Include:
- Service account inventory and ownership
- Least privilege permission assignment
- Credential rotation policy (90 days or key-based)
- Secrets storage ([Vault/Secrets Manager/Key Vault])
- Usage monitoring and anomaly detection
- Elimination of shared credentials
- Migration to managed identities where possible ([AWS IAM Roles/Azure Managed Identity/GCP Service Accounts])
- Offboarding and credential revocation
- Audit logging of service account actions
- Compliance documentation
Align with ISO 27001 A.9.2.4, SOC 2 CC6.1.
Emergency access (break-glass) procedures
Design break-glass access procedures for [critical systems]. Include:
- Break-glass account creation and storage (sealed envelope, vault)
- Activation criteria and authorization process
- Access method (separate authentication, hardware token)
- Monitoring and immediate alerting on use
- Post-use review and justification documentation
- Credential rotation after each use
- Testing schedule (annual verification)
- Communication plan during emergencies
- Integration with incident management
- Compliance evidence collection
Map to ISO 27001 A.17.1.3, SOC 2 A1.2.
Access provisioning and lifecycle
User provisioning automation
Design automated user provisioning for [organization] using [identity management tool]. Include:
- Onboarding workflow (HR system trigger → account creation → access assignment)
- Role-based provisioning templates by department/job function
- Approval automation and escalation
- Account creation in all systems ([AD/cloud/SaaS apps])
- Default security settings (MFA enrollment, password policy)
- Welcome email and training assignment
- Audit trail of provisioning actions
- Integration points ([Workday/BambooHR/custom HRIS] → [Okta/Azure AD])
- Error handling and manual fallback
- Compliance reporting (SOC 2 CC6.2)
Output as a workflow diagram and automation scripts.
User deprovisioning and offboarding
Create a comprehensive user deprovisioning process for [organization]. Include:
- Immediate actions upon termination notification
- Account disablement timeline (immediate for involuntary, last day for voluntary)
- Access revocation across all systems (SSO, VPN, physical access, cloud, SaaS)
- Data backup and transfer to manager
- Equipment return and device wiping
- Group membership and distribution list removal
- Contractor and third-party access termination
- Rehire procedures and account reactivation
- Audit trail and compliance documentation
- Monitoring for orphaned accounts
Map to ISO 27001 A.5.10, A.9.2.5, SOC 2 CC6.2.
Access review and recertification
Design a periodic access review process for [organization/system]. Include:
- Review frequency (quarterly for privileged, annually for standard)
- Scope (all users, all systems, all permissions)
- Reviewer assignment (managers, resource owners, security team)
- Review workflow and approval tracking
- Automated reporting (current access vs. required access)
- Remediation of inappropriate access
- Exception handling and risk acceptance
- Metrics (% reviewed, % revoked, time to complete)
- Integration with [IGA tool/HRIS/ticketing]
- Audit evidence for compliance (ISO 27001 A.9.2.5, SOC 2 CC6.2)
Output as a process document and review template.
Cloud identity and access management
AWS IAM security baseline
Create an AWS IAM security configuration for [organization]. Include:
- Root account MFA and usage restrictions
- IAM user vs. IAM role strategy (prefer roles)
- Password policy (complexity, rotation, reuse)
- Permission boundaries for delegated administration
- Service Control Policies (SCPs) for organization-wide controls
- Cross-account access patterns (assume role, resource policies)
- Access key rotation and monitoring
- Unused credential detection and removal
- IAM Access Analyzer for external access
- CloudTrail logging of IAM events
Map to CIS AWS Foundations Benchmark, ISO 27001 A.9, SOC 2 CC6.1-CC6.2.
Azure AD security configuration
Design Azure AD security for [tenant]. Include:
- Conditional Access policies (require MFA, compliant device, approved location)
- Privileged Identity Management (PIM) for admin roles
- Azure AD Identity Protection (risk-based policies)
- Password protection (banned passwords, smart lockout)
- Self-service password reset with secure verification
- Application access management and consent policies
- B2B guest access restrictions
- Continuous access evaluation
- Security defaults vs. custom policies
- Audit logging to Log Analytics
Align with Microsoft Security Baseline, ISO 27001 A.9, SOC 2 CC6.
GCP IAM best practices
Implement GCP IAM security for [organization/project]. Include:
- Organization policy constraints
- Predefined roles vs. custom role strategy
- Service account key management (prefer Workload Identity)
- IAM Recommender for least privilege
- VPC Service Controls for data exfiltration prevention
- Resource hierarchy and inheritance
- IAM Conditions for attribute-based access
- Domain restricted sharing
- Audit logging with Cloud Logging
- Access Transparency and Access Approval
Map to CIS GCP Foundations Benchmark, ISO 27001 A.9, SOC 2 CC6.
Third-party and vendor access
Third-party access management
Create a third-party access management policy for [vendors/contractors/partners]. Include:
- Access request and justification process
- Risk assessment and due diligence requirements
- Contractual obligations (NDA, security requirements, audit rights)
- Least privilege access scoping
- Dedicated accounts (no shared credentials)
- Network segmentation for vendor access
- MFA enforcement and authentication standards
- Monitoring and logging of vendor activity
- Access review frequency (monthly/quarterly)
- Termination procedures upon contract end
- Compliance documentation (ISO 27001 A.5.19-A.5.22, SOC 2 CC6.2)
Output as a policy document and vendor access form.
Federated identity for B2B collaboration
Design a federated identity system for B2B collaboration with [partners/customers]. Include:
- Federation protocol ([SAML/OIDC/OAuth])
- Trust establishment and metadata exchange
- Attribute mapping and claims
- Authorization model (what federated users can access)
- Account lifecycle (just-in-time provisioning, deprovisioning)
- Session management and timeout
- Monitoring federated logins
- Security requirements for partner IdPs
- Fallback for non-federated users
- Privacy and data sharing considerations (GDPR)
Align with ISO 27001 A.5.19, SOC 2 CC6.2.
Upload your organization chart or existing access matrix to get tailored RBAC role definitions based on your structure.
Monitoring and compliance
Access control monitoring and alerting
Design access control monitoring for [environment]. Include:
- Event sources (AD, SSO, cloud IAM, PAM, applications)
- Alert scenarios (failed login threshold, privilege escalation, off-hours access, impossible travel, new admin account)
- SIEM correlation rules
- Dashboard for access analytics
- Anomaly detection and behavioral analytics
- Integration with incident response
- Reporting for security reviews
- Metrics (failed logins, MFA adoption, access review completion)
- Compliance evidence (ISO 27001 A.12.4.1, SOC 2 CC7.2)
Output as SIEM rules and dashboard configurations.
Test access control changes in non-production environments first. Overly restrictive policies can cause business disruption.
Related prompts
See Infrastructure and cloud security prompts for cloud IAM architectures
See Security monitoring and incident response prompts for access anomaly detection
See DevSecOps and automation prompts for automated access provisioning