Approvals Service

Service to manage centralized approval policies.

Approvals

The Approvals service exposes methods for working with approval policies. $hide_from_yaml

SetPolicy

GetPolicy

QueryPolicies

DeletePolicy

AddAccessRequest

DeleteAccessRequest

ApproveAccessRequest

AddApprovedAccess

DeleteApprovedAccess

Access

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

Field	Description	Validation Rule
subject	string REQUIRED Subject is the subject that is requested to access the resource.	string = {   min_len: 1 }
permissions	List of string REQUIRED Permissions is a list of permissions that the subject is allowed to use.	repeated = {   min_items: 1   items: {string:{min_len:1}} }
metadata	tetrateio.api.tsb.q.v2.Metadata Metadata is additional information about this Access entity.	–

AccessRequest

AccessRequest is a request used for requesting or approving access to a resource.

Example: AccessRequest { Resource: "organizations/demo/tenants/demo/applications/target", Access: []Access{{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

Field	Description	Validation Rule
resource	string REQUIRED Resource for which the access request is made.	string = {   min_len: 1 }
access	tetrateio.api.tsb.q.v2.Access REQUIRED Access is the subject and permissions for the access request.	–

ApprovalPolicy

ApprovalPolicy is a set of authorization rules that define access to a resource. When applied to a resource, the rules enforce access to the resource based on the permission set.

Example: ApprovalPolicy { Mode: ApprovalPolicy_REQUIRE_APPROVAL, Resource: "organizations/demo/tenants/demo/applications/target-app", Approved: []Access {{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

Field	Description	Validation Rule
mode	tetrateio.api.tsb.q.v2.ApprovalPolicy.Mode REQUIRED Mode indicates how access to the resource is configured.	enum = {   defined_only: true }
resource	string REQUIRED Resource is a fully qualified name of the resource that the policy applies to.	string = {   min_len: 1 }
requested	List of tetrateio.api.tsb.q.v2.Access Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.	–
approved	List of tetrateio.api.tsb.q.v2.Access Approved is a list of subjects that are approved to access the resource.	–
metadata	tetrateio.api.tsb.q.v2.Metadata Metadata is additional information about this Policy and the resource it applies to.	–

DeletePolicyRequest

DeletePolicyRequest is the request message for DeletePolicy.

Example: DeletePolicyRequest { Resource: "organizations/demo/tenants/demo/applications/target-app" }

Field	Description	Validation Rule
resource	string REQUIRED Resource is the fully qualified name of the policy delete being requested.	string = {   min_len: 1 }

GetPolicyRequest

GetPolicyRequest is the request message for GetPolicy.

Example: GetPolicyRequest { Resource: "organizations/demo/tenants/demo/applications/example" }

Field	Description	Validation Rule
resource	string REQUIRED Resource is the fully qualified name of the policy being requested.	string = {   min_len: 1 }

Metadata

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

Field	Description	Validation Rule
details	tetrateio.api.tsb.q.v2.Metadata.Details Details includes details about the resource or subject.	–
rules	List of tetrateio.api.tsb.rbac.v2.Role.Rule Permissions includes permissions for which an authenticated user is allowed to perform. This applies to ApprovalPolicy or Access entities respectively.	–

Details

Details is additional information about a resource.

Field	Description	Validation Rule
name	string Name is the resources name.	–
description	string Description is the resources description.	–

QueryPoliciesRequest

QueryPoliciesRequest is the request message for QueryPolicies.

Example: QueryPoliciesRequest { Parent: "organizations/demo/tenants/demo", Types: []string{"applications"}, IncludeDetails: true, IncludePermissions: true, }

Field	Description	Validation Rule
parent	string REQUIRED Parent is the resource where the query will collect ApprovalPolicy for the children that match the specified types.	string = {   min_len: 1 }
types	List of string REQUIRED Type is the type of the resources to query for policies.	repeated = {   min_items: 1   items: {string:{min_len:1}} }
includeDetails	bool IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.	–
includePermissions	bool IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.	–

QueryPoliciesResponse

QueryPoliciesResponse is the response message for QueryPolicies.

Field	Description	Validation Rule
policies	List of tetrateio.api.tsb.q.v2.ApprovalPolicy Policies is a list of policies that match the query.	–

ResourceAndSubject

ResourceAndSubject is a resource and subject pair used for approval and deletion operations.

Example: ResourceAndSubject { Resource: "organizations/demo/tenants/demo/applications/target", Subject: "organizations/demo/tenants/demo/applications/caller" }

Field	Description	Validation Rule
resource	string REQUIRED Resource for which the access request is made.	string = {   min_len: 1 }
subject	string REQUIRED Subject for which the access request is made.	string = {   min_len: 1 }

Mode

Field	Number	Description
UNRESTRICTED	0	Allows all subjects in the same policy class to access the resource.
ALLOW_REQUESTED	1	Allows only the subjects in the request and approved list to access the resource.
REQUIRE_APPROVAL	2	Allows only the subjects in the approved list to access the resource.