Create a policy
Prerequisites
- Setting up the server
- Setting up the CLI (if you want to create the policy using the CLI)
Example Policy
id: my-first-policy
# Approval steps, required in the order listed
steps:
  - name: resource_owner_approval
    description: approval from resource owner
    strategy: manual
    approvers:
      # Resolved from the details of the resource being appealed
      - $appeal.resource.details.owner
  - name: admin_approval
    description: approval from admin (John Doe)
    strategy: manual
    approvers:
      - john.doe@company.com
# Appeal settings (a mapping, as in the HTTP request body)
appeal:
  duration_options:
    - name: 1 day
      value: 24h
    - name: 1 week
      value: 168h  # 7 x 24h
  allow_on_behalf: false
Check the policy reference for more details on the policy configuration.
Explanation of this Policy example
When a Guardian user creates an appeal to the BigQuery resource (Playground here), this policy will be applied, and the approvals required to approve that appeal are, in order:
- Approval from the resource owner (this information is contained in the resource details object), and
- Approval from John Doe as an admin
Policies can be created in the following ways:
- Using the guardian policy create CLI command
- Calling the POST /api/v1beta1/policies API
CLI:
$ guardian policy create --file=<path to the policy.yaml file>
HTTP:
$ curl --request POST '{{HOST}}/api/v1beta1/policies' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "id": "my-first-policy",
    "steps": [
      {
        "name": "resource_owner_approval",
        "description": "Approval from Resource owner",
        "strategy": "manual",
        "approvers": [
          "$appeal.resource.details.owner"
        ]
      },
      {
        "name": "admin_approval",
        "description": "Approval from the Admin (John Doe)",
        "strategy": "manual",
        "approvers": [
          "john.doe@company.com"
        ]
      }
    ],
    "appeal": {
      "duration_options": [
        {
          "name": "1 Day",
          "value": "24h"
        },
        {
          "name": "3 Day",
          "value": "72h"
        }
      ],
      "allow_on_behalf": true
    }
  }'
Note: To use the CLI tool, create a policy.yaml file from the example configuration shown above and pass its path to --file.
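A review check that can be run over the JSON policy body before it is sent to POST /api/v1beta1/policies. This is an added example, not part of Guardian or its documentation. The function name lint_policy, the 168h ceiling and the rules themselves are assumptions chosen for illustration; the sample input is constructed from the body above with an empty approver list and a long duration added.

```python
import json
import re

MAX_HOURS = 168  # assumed local ceiling for access duration, not a Guardian limit
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DURATION = re.compile(r"^(\d+)h$")  # only the whole-hour form used on this page

# Constructed sample: the page's policy body with two deliberate review issues.
SAMPLE = json.loads("""{
  "id": "my-first-policy",
  "steps": [
    {"name": "resource_owner_approval", "strategy": "manual",
     "approvers": ["$appeal.resource.details.owner"]},
    {"name": "admin_approval", "strategy": "manual", "approvers": []}],
  "appeal": {
    "duration_options": [{"name": "1 Day", "value": "24h"},
                         {"name": "1 Month", "value": "720h"}],
    "allow_on_behalf": true}
}""")


def lint_policy(policy):
    """Return review findings for a policy document given as a dict."""
    findings = []
    steps = policy.get("steps", [])
    if not steps:
        findings.append("policy has no approval steps")
    for step in steps:
        name, approvers = step.get("name"), step.get("approvers", [])
        if step.get("strategy") == "manual" and not approvers:
            findings.append(f"step {name}: manual step without approvers")
        for a in approvers:
            # Accept an $appeal.* expression or something shaped like an e-mail.
            if not (a.startswith("$appeal.") or EMAIL.match(a)):
                findings.append(f"step {name}: unrecognised approver {a!r}")
    appeal = policy.get("appeal", {})
    for opt in appeal.get("duration_options", []):
        m = DURATION.match(str(opt.get("value", "")))
        if not m:
            findings.append(f"duration {opt.get('name')}: unparsable value")
        elif int(m.group(1)) > MAX_HOURS:
            findings.append(f"duration {opt.get('name')}: exceeds {MAX_HOURS}h")
    if appeal.get("allow_on_behalf"):  # flagged so a reviewer confirms it is intended
        findings.append("allow_on_behalf is true")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```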