Approvals Service
Service to manage centralized approval policies.
Approvals
The Approvals service exposes methods for working with approval policies. $hide_from_yaml
SetPolicy
GetPolicy
QueryPolicies
DeletePolicy
AddAccessRequest
DeleteAccessRequest
ApproveAccessRequest
AddApprovedAccess
DeleteApprovedAccess
Access
Access is an access request for a subject with a set of permission.
Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
Field | Description | Validation Rule |
---|---|---|
subject | string | string = { |
permissions | List of string | repeated = { |
metadata | tetrateio.api.tsb.q.v2.Metadata | – |
AccessRequest
AccessRequest is a request used for requesting or approving access to a resource.
Example: AccessRequest { Resource: "organizations/demo/tenants/demo/applications/target", Access: []Access{{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }
Field | Description | Validation Rule |
---|---|---|
resource | string | string = { |
access | tetrateio.api.tsb.q.v2.Access | – |
ApprovalPolicy
ApprovalPolicy is a set of authorization rules that define access to a resource. When applied to a resource, the rules enforce access to the resource based on the permission set.
Example: ApprovalPolicy { Mode: ApprovalPolicy_REQUIRE_APPROVAL, Resource: "organizations/demo/tenants/demo/applications/target-app", Approved: []Access {{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.q.v2.ApprovalPolicy.Mode | enum = { |
resource | string | string = { |
requested | List of tetrateio.api.tsb.q.v2.Access | – |
approved | List of tetrateio.api.tsb.q.v2.Access | – |
metadata | tetrateio.api.tsb.q.v2.Metadata | – |
DeletePolicyRequest
DeletePolicyRequest is the request message for DeletePolicy.
Example: DeletePolicyRequest { Resource: "organizations/demo/tenants/demo/applications/target-app" }
Field | Description | Validation Rule |
---|---|---|
resource | string | string = { |
GetPolicyRequest
GetPolicyRequest is the request message for GetPolicy.
Example: GetPolicyRequest { Resource: "organizations/demo/tenants/demo/applications/example" }
Field | Description | Validation Rule |
---|---|---|
resource | string | string = { |
Metadata
Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
Field | Description | Validation Rule |
---|---|---|
details | tetrateio.api.tsb.q.v2.Metadata.Details | – |
rules | List of tetrateio.api.tsb.rbac.v2.Role.Rule | – |
Details
Details is additional information about a resource.
Field | Description | Validation Rule |
---|---|---|
name | string | – |
description | string | – |
QueryPoliciesRequest
QueryPoliciesRequest is the request message for QueryPolicies.
Example: QueryPoliciesRequest { Parent: "organizations/demo/tenants/demo", Types: []string{"applications"}, IncludeDetails: true, IncludePermissions: true, }
Field | Description | Validation Rule |
---|---|---|
parent | string | string = { |
types | List of string | repeated = { |
includeDetails | bool | – |
includePermissions | bool | – |
QueryPoliciesResponse
QueryPoliciesResponse is the response message for QueryPolicies.
Field | Description | Validation Rule |
---|---|---|
policies | List of tetrateio.api.tsb.q.v2.ApprovalPolicy | – |
ResourceAndSubject
ResourceAndSubject is a resource and subject pair used for approval and deletion operations.
Example: ResourceAndSubject { Resource: "organizations/demo/tenants/demo/applications/target", Subject: "organizations/demo/tenants/demo/applications/caller" }
Field | Description | Validation Rule |
---|---|---|
resource | string | string = { |
subject | string | string = { |
Mode
Field | Number | Description |
---|---|---|
UNRESTRICTED | 0 | Allows all subjects in the same policy class to access the resource. |
ALLOW_REQUESTED | 1 | Allows only the subjects in the request and approved list to access the resource. |
REQUIRE_APPROVAL | 2 | Allows only the subjects in the approved list to access the resource. |