Skip to main content
logoTetrate Service BridgeVersion: 1.11.x

Approvals Service

Service to manage centralized approval policies.

Approvals

The Approvals service exposes methods for working with approval policies. $hide_from_yaml

SetPolicy

GetPolicy

QueryPolicies

DeletePolicy

AddAccessRequest

DeleteAccessRequest

ApproveAccessRequest

AddApprovedAccess

DeleteApprovedAccess

Access

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

FieldDescriptionValidation Rule

subject

string
REQUIRED
Subject is the subject that is requested to access the resource.

string = {
  min_len: 1
}

permissions

List of string
REQUIRED
Permissions is a list of permissions that the subject is allowed to use.

repeated = {
  min_items: 1
  items: {string:{min_len:1}}
}

metadata

tetrateio.api.tsb.q.v2.Metadata
Metadata is additional information about this Access entity.

AccessRequest

AccessRequest is a request used for requesting or approving access to a resource.

Example: AccessRequest { Resource: "organizations/demo/tenants/demo/applications/target", Access: []Access{{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

FieldDescriptionValidation Rule

resource

string
REQUIRED
Resource for which the access request is made.

string = {
  min_len: 1
}

access

tetrateio.api.tsb.q.v2.Access
REQUIRED
Access is the subject and permissions for the access request.

ApprovalPolicy

ApprovalPolicy is a set of authorization rules that define access to a resource. When applied to a resource, the rules enforce access to the resource based on the permission set.

Example: ApprovalPolicy { Mode: ApprovalPolicy_REQUIRE_APPROVAL, Resource: "organizations/demo/tenants/demo/applications/target-app", Approved: []Access {{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

FieldDescriptionValidation Rule

mode

tetrateio.api.tsb.q.v2.ApprovalPolicy.Mode
REQUIRED
Mode indicates how access to the resource is configured.

enum = {
  defined_only: true
}

resource

string
REQUIRED
Resource is a fully qualified name of the resource that the policy applies to.

string = {
  min_len: 1
}

requested

List of tetrateio.api.tsb.q.v2.Access
Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

approved

List of tetrateio.api.tsb.q.v2.Access
Approved is a list of subjects that are approved to access the resource.

metadata

tetrateio.api.tsb.q.v2.Metadata
Metadata is additional information about this Policy and the resource it applies to.

DeletePolicyRequest

DeletePolicyRequest is the request message for DeletePolicy.

Example: DeletePolicyRequest { Resource: "organizations/demo/tenants/demo/applications/target-app" }

FieldDescriptionValidation Rule

resource

string
REQUIRED
Resource is the fully qualified name of the policy delete being requested.

string = {
  min_len: 1
}

force

bool
Force the deletion of internal resources even if they are protected against deletion.

GetPolicyRequest

GetPolicyRequest is the request message for GetPolicy.

Example: GetPolicyRequest { Resource: "organizations/demo/tenants/demo/applications/example" }

FieldDescriptionValidation Rule

resource

string
REQUIRED
Resource is the fully qualified name of the policy being requested.

string = {
  min_len: 1
}

Metadata

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

FieldDescriptionValidation Rule

details

tetrateio.api.tsb.q.v2.Metadata.Details
Details includes details about the resource or subject.

rules

List of tetrateio.api.tsb.rbac.v2.Role.Rule
Permissions includes permissions for which an authenticated user is allowed to perform. This applies to ApprovalPolicy or Access entities respectively.

Details

Details is additional information about a resource.

FieldDescriptionValidation Rule

name

string
Name is the resources name.

description

string
Description is the resources description.

QueryPoliciesRequest

QueryPoliciesRequest is the request message for QueryPolicies.

Example: QueryPoliciesRequest { Parent: "organizations/demo/tenants/demo", Types: []string{"applications"}, IncludeDetails: true, IncludePermissions: true, }

FieldDescriptionValidation Rule

parent

string
REQUIRED
Parent is the resource where the query will collect ApprovalPolicy for the children that match the specified types.

string = {
  min_len: 1
}

types

List of string
REQUIRED
Type is the type of the resources to query for policies.

repeated = {
  min_items: 1
  items: {string:{min_len:1}}
}

includeDetails

bool
IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions

bool
IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

QueryPoliciesResponse

QueryPoliciesResponse is the response message for QueryPolicies.

FieldDescriptionValidation Rule

policies

List of tetrateio.api.tsb.q.v2.ApprovalPolicy
Policies is a list of policies that match the query.

ResourceAndSubject

ResourceAndSubject is a resource and subject pair used for approval and deletion operations.

Example: ResourceAndSubject { Resource: "organizations/demo/tenants/demo/applications/target", Subject: "organizations/demo/tenants/demo/applications/caller" }

FieldDescriptionValidation Rule

resource

string
REQUIRED
Resource for which the access request is made.

string = {
  min_len: 1
}

subject

string
REQUIRED
Subject for which the access request is made.

string = {
  min_len: 1
}

Mode

FieldNumberDescription

UNRESTRICTED

0

Allows all subjects in the same policy class to access the resource.

ALLOW_REQUESTED

1

Allows only the subjects in the request and approved list to access the resource.

REQUIRE_APPROVAL

2

Allows only the subjects in the approved list to access the resource.