Policy

YAML Representation

```yaml
id: bigquery_approval
version: 1
steps:
  - name: supervisor_approval
    description: 'only will get evaluated if check_if_dataset_is_pii return true'
    when: $appeal.resource.details.is_pii
    strategy: manual
    approvers:
      - $appeal.creator.userManager
  - name: admin_approval
    description: approval from dataset admin/owner
    strategy: manual
    approvers:
      - $appeal.resource.details.owner
appeal_config:
  duration_options:
    - name: 1 Day
      value: 24h
    - name: 3 Days
      value: 72h
    - name: Permanent
      value: 0h
  allow_permanent_access: true
  allow_active_access_extension_in: 24h
  questions:
    - key: reason
      question: 'Why do you need access to this dataset?'
      required: true
      description: |
        Explain why you need access to this dataset.
        This will be sent to the dataset owner for approval.
    - key: team
      question: 'What team are you in?'
      required: false
      description: Please provide the name of the team you are in
iam:
  provider: http
  config:
    url: http://localhost:5000/users/{user_id}
  schema:
    id: user_id
    name: full_name
    email: email
    entity: company_name
    userManager: manager_email
requirements:
  - on:
      provider_type: bigquery
      role: writer
    appeals:
      - resource:
          id: 99
        role: roles/bigquery.jobUser
        policy:
          id: auto_approval
          version: 1
```

Policy

| Field | Type | Description | Required |
|---|---|---|---|
| id | string | Policy unique identifier | YES |
| version | uint | Auto increment value. Keeping the | NO |
| steps | []object(Step) | Sequence of approval steps | YES |
| appeal_config | object(PolicyAppealConfig) | Appeal configuration options | NO |
| iam | object(IAM) | Identity manager configuration for the client and the identity/creator schema | NO |
| requirements | []object(Requirement) | Additional appeals | YES |

Step

| Field | Type | Description | Required |
|---|---|---|---|
| name | string | Approval step identifier | YES |
| description | string | Approval step description | NO |
| when | Expression | Determines whether the step should be evaluated or can be skipped. If it evaluates to a falsy value, the step is skipped automatically; otherwise the step becomes pending/blocked as normal. | NO |
| strategy | string | Execution behaviour of the step. Possible values are auto or manual. | YES |
| rejection_reason | string | Fills Approval.Reason if the current approval step is rejected based on the ApproveIf expression. If strategy is manual, this field is ignored. | NO |
| approvers | []string | List of email addresses or Expression strings. An Expression is expected to return an email address or a list of email addresses. | YES if strategy is manual |
| approve_if | Expression | Determines the automatic resolution of the current step when strategy is auto | YES if strategy is auto |
| allow_failed | boolean | If true and the current step is rejected, the appeal status is marked as skipped instead of rejected | NO |

PolicyAppealConfig

| Field | Type | Description | Required |
|---|---|---|---|
| duration_options | []object(DurationOptions) | List of duration options | NO |
| allow_permanent_access | boolean | Set this to true to allow users to have permanent access to the resources. Default: false | NO |
| allow_active_access_extension_in | string | Duration before the access expiration date during which the user is allowed to create an appeal for the same resource (extend their current access). Valid time units are ns, us (or µs), ms, s, m, h. Reference: ParseDuration | NO |
| questions | []object(Question) | Questions to be asked to the user when creating an appeal | NO |

DurationOptions

| Field | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the duration | YES |
| value | string | Actual value of the duration, such as 24h or 72h; the value is 0h for a permanent duration. Valid time units are ns, us (or µs), ms, s, m, h. Reference: ParseDuration | YES |

Question

| Field | Type | Description | Required |
|---|---|---|---|
| key | string | Unique key of the question | YES |
| question | string | Question to be asked to the appeal creator | YES |
| required | boolean | Indicates whether the question is required or not | YES |
| description | string | The description to be shown to the appeal creator | NO |

IAM

| Field | Type | Description | Required |
|---|---|---|---|
| provider | string | Identity manager type. Supported types are http and shield | YES |
| config | object | Client configuration according to the provider type | YES |
| schema | map<string,string> | User (appeal creator) profile details schema to be shown in the creator field of an appeal | NO |

Requirement

| Field | Type | Description | Required |
|---|---|---|---|
| on | object | Criteria or conditions, based on the current appeal, to check before creating additional appeals | YES |
| on.provider_type | string | Criteria for the provider type of the current appeal's selected resource. Regex supported | NO |
| on.provider_urn | string | Criteria for the provider URN of the current appeal's selected resource. Regex supported | NO |
| on.resource_type | string | Criteria for the resource type of the current appeal's selected resource. Regex supported | NO |
| on.resource_urn | string | Criteria for the resource URN of the current appeal's selected resource. Regex supported | NO |
| on.role | string | Criteria for the role of the current appeal. Regex supported | NO |
| appeals | []object | List of additional appeals that will be created automatically when the on criteria are fulfilled | YES |
| appeals[].resource | object | Resource selector | YES |
| appeals[].resource.id | uint | Resource selector using the resource unique identifier | NO |
| appeals[].resource.provider_type | string | Resource selector using provider_type, provider_urn, type, and urn. Required if appeals[].resource.id is not present | NO |
| appeals[].resource.provider_urn | string | Resource selector using provider_type, provider_urn, type, and urn. Required if appeals[].resource.id is not present | NO |
| appeals[].resource.type | string | Resource selector using provider_type, provider_urn, type, and urn. Required if appeals[].resource.id is not present | NO |
| appeals[].resource.urn | string | Resource selector using provider_type, provider_urn, type, and urn. Required if appeals[].resource.id is not present | NO |
| appeals[].role | string | Role/permission to be assigned to the account_id of the current appeal to access the resource specified in the resource selector field | YES |
| appeals[].policy | object | Policy selector used to override the original policy linked to the resource specified in the resource selector field | NO |
| appeals[].policy.id | string | Policy identifier | YES |
| appeals[].policy.version | uint | Policy version identifier. Used together with appeals[].policy.id to reference a policy | YES |
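The tables above state a number of structural rules (a manual step needs approvers, an auto step needs approve_if, duration values must parse as Go durations, an additional appeal's resource selector needs an id or all four of provider_type/provider_urn/type/urn, and every on.* criterion is a regex). Reviewing a policy against those rules before it is applied is cheap, and a policy that passes review is the one that later controls who can approve access. The following is an added example, not Guardian's own code: a small static validator with the page's YAML sample written as a Python dict (a real file would be loaded with a YAML parser), plus a deliberately broken copy that shows what the checks catch. The duration grammar follows Go's time.ParseDuration, which the tables reference; the rule that a 0h option conflicts with allow_permanent_access being false is this example's own consistency check.

```python
# Added example, not Guardian's own code: static checks to run on a policy before it
# is applied. The rules come from the Step, PolicyAppealConfig, DurationOptions and
# Requirement tables above; the duration grammar is Go's time.ParseDuration, which
# those tables reference. POLICY is the page's YAML sample written as a dict.
import copy
import re

_UNITS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,  # nanoseconds per unit
          "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h)")

def parse_duration(text: str) -> int:
    """Parse '24h', '1h30m', '0h' or a bare '0' into nanoseconds; reject anything else."""
    s = text.strip()
    sign = -1 if s.startswith("-") else 1
    s = s[1:] if s[:1] in ("+", "-") else s
    if s == "0":  # Go allows a unit-less zero
        return 0
    total, pos = 0.0, 0
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r}")
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0:  # empty string, or a sign with nothing after it
        raise ValueError(f"invalid duration {text!r}")
    return sign * int(total)

def validate_policy(policy: dict) -> list[str]:
    """Return the problems found; an empty list means the policy passes."""
    problems: list[str] = []
    for i, step in enumerate(policy.get("steps", [])):
        where, strategy = f"steps[{i}] ({step.get('name', '?')})", step.get("strategy")
        if strategy not in ("auto", "manual"):
            problems.append(f"{where}: strategy must be 'auto' or 'manual'")
        if strategy == "manual" and not step.get("approvers"):
            problems.append(f"{where}: a manual step needs at least one approver")
        if strategy == "auto" and not step.get("approve_if"):
            problems.append(f"{where}: an auto step needs approve_if")
    cfg = policy.get("appeal_config", {})
    for opt in cfg.get("duration_options", []):
        try:
            ns = parse_duration(opt.get("value", ""))
        except ValueError as e:
            problems.append(f"duration option {opt.get('name')!r}: {e}")
            continue
        # 0h means permanent access; flagging it while allow_permanent_access is
        # false is this example's own consistency rule, not one the page states.
        if ns == 0 and not cfg.get("allow_permanent_access", False):
            problems.append(f"duration option {opt.get('name')!r} is permanent "
                            "but allow_permanent_access is false")
    if "allow_active_access_extension_in" in cfg:
        try:
            parse_duration(cfg["allow_active_access_extension_in"])
        except ValueError as e:
            problems.append(f"allow_active_access_extension_in: {e}")
    for i, req in enumerate(policy.get("requirements", [])):
        for crit, pattern in req.get("on", {}).items():
            try:
                re.compile(pattern)  # every on.* criterion is a regex
            except re.error as e:
                problems.append(f"requirements[{i}].on.{crit}: bad regex: {e}")
        for j, ap in enumerate(req.get("appeals", [])):
            res, where = ap.get("resource", {}), f"requirements[{i}].appeals[{j}]"
            selectors = ("provider_type", "provider_urn", "type", "urn")
            if "id" not in res and not all(k in res for k in selectors):
                problems.append(f"{where}.resource: needs id or all of {selectors}")
    return problems

POLICY = {
    "id": "bigquery_approval", "version": 1,
    "steps": [
        {"name": "supervisor_approval", "when": "$appeal.resource.details.is_pii",
         "strategy": "manual", "approvers": ["$appeal.creator.userManager"]},
        {"name": "admin_approval", "strategy": "manual",
         "approvers": ["$appeal.resource.details.owner"]},
    ],
    "appeal_config": {
        "duration_options": [{"name": "1 Day", "value": "24h"}, {"name": "3 Days", "value": "72h"},
                             {"name": "Permanent", "value": "0h"}],
        "allow_permanent_access": True, "allow_active_access_extension_in": "24h",
    },
    "requirements": [{"on": {"provider_type": "bigquery", "role": "writer"},
                      "appeals": [{"resource": {"id": 99}, "role": "roles/bigquery.jobUser",
                                   "policy": {"id": "auto_approval", "version": 1}}]}],
}

# A deliberately broken copy: a manual step without approvers, a permanent option
# with allow_permanent_access off, and a duration value Go would reject.
BROKEN_POLICY = copy.deepcopy(POLICY)
BROKEN_POLICY["steps"][1]["approvers"] = []
BROKEN_POLICY["appeal_config"]["allow_permanent_access"] = False
BROKEN_POLICY["appeal_config"]["duration_options"][0]["value"] = "1 day"

if __name__ == "__main__":
    print(validate_policy(POLICY) or "sample policy: OK")
    print(*validate_policy(BROKEN_POLICY), sep="\n")
```

The sample policy passes; the broken copy produces three findings. The duration parser is the part worth keeping even on its own: "1 day" or "24 hours" in a duration option is a mistake a human reviewer reads straight past, while ParseDuration rejects it only once the policy is already in use.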

Expression

Expression is an evaluatable statement intended to make the policy highly flexible. Guardian uses https://github.com/antonmedv/expr to parse expressions. There are also some variables, specific to Guardian use cases, that are accessible inside expressions:

Variables

  1. $appeal: Appeal

    Usage example:

    • $appeal.resource.id => 1
    • $appeal.resource.details.owners => ["owner@email.com", "another.owner@email.com"]
    • $appeal.resource.labels.key => "value"
    • $appeal.creator.manager_email => "manager@email.com"
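To see how the variables above feed the Step and Requirement semantics, the following added example (not Guardian's code) walks the steps and requirements of the YAML sample for one appeal. Guardian evaluates Expressions with the expr library; this example resolves only the `$appeal.<path>` form shown under Variables, a dotted path looked up in the appeal, which is all the sample policy uses. It shows a falsy `when` skipping a step, an approvers Expression resolving to an email, the failure when that Expression resolves to nothing, and the `on` criteria of a requirement matching as regexes. The appeal is a constructed one, and anchoring the regex match with fullmatch is this example's choice.

```python
# Added example, not Guardian's own code: walking the steps and requirements of the
# YAML sample for one appeal. Guardian evaluates Expressions with
# github.com/antonmedv/expr; this example resolves only the `$appeal.<path>` form
# shown under Variables (a dotted path looked up in the appeal), which is all the
# sample policy uses. APPEAL is a constructed appeal, not real data.
import re
from typing import Any

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def resolve(expression: str, appeal: dict) -> Any:
    """Resolve '$appeal.a.b.c' against the appeal; a missing key yields None (falsy)."""
    if expression == "$appeal":
        return appeal
    if not expression.startswith("$appeal."):
        raise ValueError(f"unsupported expression {expression!r}: only $appeal paths here")
    value: Any = appeal
    for part in expression[len("$appeal."):].split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value

def resolve_approvers(step: dict, appeal: dict) -> list[str]:
    """Flatten the approvers list (literal emails or Expressions) into email addresses."""
    emails: list[str] = []
    for entry in step.get("approvers", []):
        value = resolve(entry, appeal) if entry.startswith("$") else entry
        for v in value if isinstance(value, list) else [value]:
            # The Step table requires an email or a list of emails; None (unknown
            # manager), a bool or a dict is a policy bug and must not silently pass.
            if not isinstance(v, str) or not _EMAIL.match(v):
                raise ValueError(f"step {step['name']!r}: {entry!r} resolved to {v!r}")
            emails.append(v)
    return emails

def plan_steps(policy: dict, appeal: dict) -> list[dict]:
    """Per step: skipped when `when` is falsy, else auto, else pending with approvers."""
    plan = []
    for step in policy["steps"]:
        if "when" in step and not resolve(step["when"], appeal):
            plan.append({"name": step["name"], "status": "skipped", "approvers": []})
        elif step["strategy"] == "auto":
            plan.append({"name": step["name"], "status": "auto", "approvers": []})
        else:
            plan.append({"name": step["name"], "status": "pending",
                         "approvers": resolve_approvers(step, appeal)})
    return plan

def additional_appeals(policy: dict, appeal: dict) -> list[dict]:
    """Apply `requirements`: each on.* criterion is a regex over the current appeal."""
    res = appeal["resource"]
    current = {"provider_type": res["provider_type"], "provider_urn": res["provider_urn"],
               "resource_type": res["type"], "resource_urn": res["urn"],
               "role": appeal["role"]}
    matched = []
    for req in policy.get("requirements", []):
        # fullmatch is this example's choice: an unanchored 'bigquery' would also
        # match 'bigquery_legacy' and fan appeals out further than intended.
        if all(re.fullmatch(pat, current[key]) for key, pat in req["on"].items()):
            matched.extend(req["appeals"])
    return matched

POLICY = {  # steps and requirements from the page's YAML sample
    "steps": [
        {"name": "supervisor_approval", "when": "$appeal.resource.details.is_pii",
         "strategy": "manual", "approvers": ["$appeal.creator.userManager"]},
        {"name": "admin_approval", "strategy": "manual",
         "approvers": ["$appeal.resource.details.owner"]},
    ],
    "requirements": [{"on": {"provider_type": "bigquery", "role": "writer"},
                      "appeals": [{"resource": {"id": 99}, "role": "roles/bigquery.jobUser",
                                   "policy": {"id": "auto_approval", "version": 1}}]}],
}

APPEAL = {  # constructed; `creator` carries the keys the iam.schema maps (userManager)
    "resource": {"id": 1, "provider_type": "bigquery", "provider_urn": "my-project",
                 "type": "dataset", "urn": "my-project:analytics",
                 "details": {"is_pii": True, "owner": "owner@email.com"}},
    "creator": {"email": "requester@email.com", "userManager": "manager@email.com"},
    "role": "writer",
}

if __name__ == "__main__":
    for entry in plan_steps(POLICY, APPEAL):
        print(entry)
    print("additional appeals:", additional_appeals(POLICY, APPEAL))
```

With `is_pii` true both steps become pending, the first owned by the creator's manager and the second by the dataset owner; with `is_pii` false or absent the supervisor step is skipped, exactly the behaviour the `when` row describes. The strict approver check matters: if the IAM lookup has no manager for the creator, `$appeal.creator.userManager` resolves to nothing, and a step with an empty approver set should fail loudly rather than be treated as approved or left unowned.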