Skip to main content

Create Policy

Create Policy creates a new policy in Guardian

Query Parameters
    dryRun boolean
Request Body required
    id string

    Policy unique identifier

    version int64

    Policy version. Auto-incremented when policy is updated

    description string
    steps object[]

    Sequence of approval steps. Each step can have different approval strategy and approvers

  • Array [
    • name string required

    Approval step identifier

    description string

    Approval step description

    allowFailed boolean

    If set true, and current step is rejected, it will mark the appeal status as skipped instead of rejected

    when string

    Determines whether the step should be evaluated or it can be skipped. If it evaluates to be falsy, the step will automatically skipped. Otherwise, step become pending/blocked (normal).

    strategy string required

    Execution behaviour of the step. Possible values are auto or manual

    approveIf string

    Determines the automatic resolution of current step when strategy is auto. Required when strategy is auto

    approvers string[]

    List of email or Expression string. The Expression is expected to return an email address or list of email addresses. Required when strategy is manual

    rejectionReason string

    This fills Approval.Reason if current approval step gets rejected based on ApproveIf expression. If strategy is manual, this field ignored.

  • ]
    • labels object
    property name* string
    createdAt date-time

    Policy creation timestamp

    updatedAt date-time

    Policy last update timestamp

    requirements object[]
  • Array [
    • on object required

    Requirement trigger. If the trigger is matched, the requirement will be evaluated

    providerType string

    Criteria for the provider type of the current appeal's selected resource. Regex supported

    providerUrn string

    Criteria for the provider URN of the current appeal's selected resource. Regex supported

    resourceType string

    Criteria for the resource type of the current appeal's selected resource. Regex supported

    resourceUrn string

    Criteria for the resource URN of the current appeal's selected resource. Regex supported

    role string

    Criteria for the role of the current appeal. Regex supported

    conditions object[]
  • Array [
    • field string
    match object
    eq
  • ]
    • expression string
    appeals object[]
  • Array [
    • resource object
    providerType string
    providerUrn string
    type string
    urn string
    id string
    role string
    options object
    expirationDate date-time
    duration string
    policy object
    id string
    version int32
  • ]
  • ]
    • iam object
    provider string required

    Identity manager type. Supported types are http and frontier

    config required

    Client configuration according to the provider type

    schema object

    User (appeal creator) profile details schema to be shown in the creator field in an appeal

    property name* string
    appeal object
    durationOptions object[]

    List of duration options

  • Array [
    • name string required

    Name of the duration option

    value string required

    Actual value of duration such as 24h, 72h. value will be 0h in case of permanent duration. Valid time units are ns, us (or µs). Reference: ParseDuration

  • ]
    • allowOnBehalf boolean
    allowPermanentAccess boolean

    Set this to true if you want to allow users to have permanent access to the resources. Default is false

    allowActiveAccessExtensionIn string

    Duration before the access expiration date when the user allowed to create appeal to the same resource (extend their current access). Valid time units are ns, us (or µs), ms, s, m, h

    questions object[]

    List of questions to be asked to the appeal creator

  • Array [
    • key string required

    Unique key of the question

    question string required

    Question to be asked to the appeal creator

    required boolean required

    Whether the question is required or not

    description string

    The description to be shown to the appeal creator

  • ]
    • allowCreatorDetailsFailure boolean
Responses

A successful response.

Schema
    policy object
    id string

    Policy unique identifier

    version int64

    Policy version. Auto-incremented when policy is updated

    description string
    steps object[]

    Sequence of approval steps. Each step can have different approval strategy and approvers

  • Array [
    • name string required

    Approval step identifier

    description string

    Approval step description

    allowFailed boolean

    If set true, and current step is rejected, it will mark the appeal status as skipped instead of rejected

    when string

    Determines whether the step should be evaluated or it can be skipped. If it evaluates to be falsy, the step will automatically skipped. Otherwise, step become pending/blocked (normal).

    strategy string required

    Execution behaviour of the step. Possible values are auto or manual

    approveIf string

    Determines the automatic resolution of current step when strategy is auto. Required when strategy is auto

    approvers string[]

    List of email or Expression string. The Expression is expected to return an email address or list of email addresses. Required when strategy is manual

    rejectionReason string

    This fills Approval.Reason if current approval step gets rejected based on ApproveIf expression. If strategy is manual, this field ignored.

  • ]
    • labels object
    property name* string
    createdAt date-time

    Policy creation timestamp

    updatedAt date-time

    Policy last update timestamp

    requirements object[]
  • Array [
    • on object required

    Requirement trigger. If the trigger is matched, the requirement will be evaluated

    providerType string

    Criteria for the provider type of the current appeal's selected resource. Regex supported

    providerUrn string

    Criteria for the provider URN of the current appeal's selected resource. Regex supported

    resourceType string

    Criteria for the resource type of the current appeal's selected resource. Regex supported

    resourceUrn string

    Criteria for the resource URN of the current appeal's selected resource. Regex supported

    role string

    Criteria for the role of the current appeal. Regex supported

    conditions object[]
  • Array [
    • field string
    match object
    eq
  • ]
    • expression string
    appeals object[]
  • Array [
    • resource object
    providerType string
    providerUrn string
    type string
    urn string
    id string
    role string
    options object
    expirationDate date-time
    duration string
    policy object
    id string
    version int32
  • ]
  • ]
    • iam object
    provider string required

    Identity manager type. Supported types are http and frontier

    config required

    Client configuration according to the provider type

    schema object

    User (appeal creator) profile details schema to be shown in the creator field in an appeal

    property name* string
    appeal object
    durationOptions object[]

    List of duration options

  • Array [
    • name string required

    Name of the duration option

    value string required

    Actual value of duration such as 24h, 72h. value will be 0h in case of permanent duration. Valid time units are ns, us (or µs). Reference: ParseDuration

  • ]
    • allowOnBehalf boolean
    allowPermanentAccess boolean

    Set this to true if you want to allow users to have permanent access to the resources. Default is false

    allowActiveAccessExtensionIn string

    Duration before the access expiration date when the user allowed to create appeal to the same resource (extend their current access). Valid time units are ns, us (or µs), ms, s, m, h

    questions object[]

    List of questions to be asked to the appeal creator

  • Array [
    • key string required

    Unique key of the question

    question string required

    Question to be asked to the appeal creator

    required boolean required

    Whether the question is required or not

    description string

    The description to be shown to the appeal creator

  • ]
    • allowCreatorDetailsFailure boolean
POST /v1beta1/policies

Authorization

name: X-Auth-Emailtype: apiKeydescription: Email address of the userin: header

Request

Base URL
http://127.0.0.1:7400
apiKey
dryRun — query
Body required
{

  "id": "f4b7a3c0-9f9b-4b9b-9b0a-9e4b1a1b1b1b",

  "version": 1,

  "description": "string",

  "steps": [

    {

      "name": "Step 1",

      "description": "Step 1 description",

      "allowFailed": true,

      "when": "string",

      "strategy": "auto",

      "approveIf": "string",

      "approvers": [

        "string"

      ],

      "rejectionReason": "string"

    }

  ],

  "labels": {},

  "createdAt": "2023-06-07T05:39:56.961Z",

  "updatedAt": "2023-06-07T05:39:56.961Z",

  "requirements": [

    {

      "on": {

        "providerType": "string",

        "providerUrn": "string",

        "resourceType": "string",

        "resourceUrn": "string",

        "role": "string",

        "conditions": [

          {

            "field": "string",

            "match": {

              "eq": {}

            }

          }

        ],

        "expression": "string"

      },

      "appeals": [

        {

          "resource": {

            "providerType": "string",

            "providerUrn": "string",

            "type": "string",

            "urn": "string",

            "id": "string"

          },

          "role": "string",

          "options": {

            "expirationDate": "2023-10-24T20:41:02.734Z",

            "duration": "string"

          },

          "policy": {

            "id": "string",

            "version": 0

          }

        }

      ]

    }

  ],

  "iam": {

    "provider": "bigquery",

    "schema": {}

  },

  "appeal": {

    "durationOptions": [

      {

        "name": "string",

        "value": "string"

      }

    ],

    "allowOnBehalf": true,

    "allowPermanentAccess": true,

    "allowActiveAccessExtensionIn": "string",

    "questions": [

      {

        "key": "string",

        "question": "string",

        "required": true,

        "description": "string"

      }

    ],

    "allowCreatorDetailsFailure": true

  }

}
curl / cURL
curl -L -X POST 'http://127.0.0.1:7400/v1beta1/policies' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'X-Auth-Email: <API_KEY_VALUE>' \
--data-raw '{
  "id": "f4b7a3c0-9f9b-4b9b-9b0a-9e4b1a1b1b1b",
  "version": 1,
  "description": "string",
  "steps": [
    {
      "name": "Step 1",
      "description": "Step 1 description",
      "allowFailed": true,
      "when": "string",
      "strategy": "auto",
      "approveIf": "string",
      "approvers": [
        "string"
      ],
      "rejectionReason": "string"
    }
  ],
  "labels": {},
  "createdAt": "2023-06-07T05:39:56.961Z",
  "updatedAt": "2023-06-07T05:39:56.961Z",
  "requirements": [
    {
      "on": {
        "providerType": "string",
        "providerUrn": "string",
        "resourceType": "string",
        "resourceUrn": "string",
        "role": "string",
        "conditions": [
          {
            "field": "string",
            "match": {
              "eq": {}
            }
          }
        ],
        "expression": "string"
      },
      "appeals": [
        {
          "resource": {
            "providerType": "string",
            "providerUrn": "string",
            "type": "string",
            "urn": "string",
            "id": "string"
          },
          "role": "string",
          "options": {
            "expirationDate": "2023-10-24T20:41:02.734Z",
            "duration": "string"
          },
          "policy": {
            "id": "string",
            "version": 0
          }
        }
      ]
    }
  ],
  "iam": {
    "provider": "bigquery",
    "schema": {}
  },
  "appeal": {
    "durationOptions": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "allowOnBehalf": true,
    "allowPermanentAccess": true,
    "allowActiveAccessExtensionIn": "string",
    "questions": [
      {
        "key": "string",
        "question": "string",
        "required": true,
        "description": "string"
      }
    ],
    "allowCreatorDetailsFailure": true
  }
}'