Create Policy
Create Policy creates a new policy in Guardian
Query Parameters
Request Body required
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
Policy unique identifier
Policy version. Auto-incremented when policy is updated
steps object[]
Sequence of approval steps. Each step can have different approval strategy and approvers
Approval step identifier
Approval step description
If set true, and current step is rejected, it will mark the appeal status as skipped instead of rejected
Determines whether the step should be evaluated or it can be skipped. If it evaluates to be falsy, the step will automatically skipped. Otherwise, step become pending/blocked (normal).
Execution behaviour of the step. Possible values are auto or manual
Determines the automatic resolution of current step when strategy is auto. Required when strategy is auto
List of email or Expression string. The Expression is expected to return an email address or list of email addresses. Required when strategy is manual
This fills Approval.Reason if current approval step gets rejected based on ApproveIf expression. If strategy is manual, this field ignored.
labels object
Policy creation timestamp
Policy last update timestamp
requirements object[]
on object required
Requirement trigger. If the trigger is matched, the requirement will be evaluated
Criteria for the provider type of the current appeal's selected resource. Regex supported
Criteria for the provider URN of the current appeal's selected resource. Regex supported
Criteria for the resource type of the current appeal's selected resource. Regex supported
Criteria for the resource URN of the current appeal's selected resource. Regex supported
Criteria for the role of the current appeal. Regex supported
conditions object[]
match object
appeals object[]
resource object
options object
policy object
iam object
Identity manager type. Supported types are http and frontier
Client configuration according to the provider type
schema object
User (appeal creator) profile details schema to be shown in the creator field in an appeal
appeal object
durationOptions object[]
List of duration options
Name of the duration option
Actual value of duration such as 24h, 72h. value will be 0h in case of permanent duration. Valid time units are ns, us (or µs). Reference: ParseDuration
Set this to true if you want to allow users to have permanent access to the resources. Default is false
Duration before the access expiration date when the user allowed to create appeal to the same resource (extend their current access). Valid time units are ns, us (or µs), ms, s, m, h
questions object[]
List of questions to be asked to the appeal creator
Unique key of the question
Question to be asked to the appeal creator
Whether the question is required or not
The description to be shown to the appeal creator
- 200
- 400
- 401
- 403
- 404
- 500
- default
A successful response.
Schema
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
policy object
Policy unique identifier
Policy version. Auto-incremented when policy is updated
steps object[]
Sequence of approval steps. Each step can have different approval strategy and approvers
Approval step identifier
Approval step description
If set true, and current step is rejected, it will mark the appeal status as skipped instead of rejected
Determines whether the step should be evaluated or it can be skipped. If it evaluates to be falsy, the step will automatically skipped. Otherwise, step become pending/blocked (normal).
Execution behaviour of the step. Possible values are auto or manual
Determines the automatic resolution of current step when strategy is auto. Required when strategy is auto
List of email or Expression string. The Expression is expected to return an email address or list of email addresses. Required when strategy is manual
This fills Approval.Reason if current approval step gets rejected based on ApproveIf expression. If strategy is manual, this field ignored.
labels object
Policy creation timestamp
Policy last update timestamp
requirements object[]
on object required
Requirement trigger. If the trigger is matched, the requirement will be evaluated
Criteria for the provider type of the current appeal's selected resource. Regex supported
Criteria for the provider URN of the current appeal's selected resource. Regex supported
Criteria for the resource type of the current appeal's selected resource. Regex supported
Criteria for the resource URN of the current appeal's selected resource. Regex supported
Criteria for the role of the current appeal. Regex supported
conditions object[]
match object
appeals object[]
resource object
options object
policy object
iam object
Identity manager type. Supported types are http and frontier
Client configuration according to the provider type
schema object
User (appeal creator) profile details schema to be shown in the creator field in an appeal
appeal object
durationOptions object[]
List of duration options
Name of the duration option
Actual value of duration such as 24h, 72h. value will be 0h in case of permanent duration. Valid time units are ns, us (or µs). Reference: ParseDuration
Set this to true if you want to allow users to have permanent access to the resources. Default is false
Duration before the access expiration date when the user allowed to create appeal to the same resource (extend their current access). Valid time units are ns, us (or µs), ms, s, m, h
questions object[]
List of questions to be asked to the appeal creator
Unique key of the question
Question to be asked to the appeal creator
Whether the question is required or not
The description to be shown to the appeal creator
{
"policy": {
"id": "f4b7a3c0-9f9b-4b9b-9b0a-9e4b1a1b1b1b",
"version": 1,
"description": "string",
"steps": [
{
"name": "Step 1",
"description": "Step 1 description",
"allowFailed": true,
"when": "string",
"strategy": "auto",
"approveIf": "string",
"approvers": [
"string"
],
"rejectionReason": "string"
}
],
"labels": {},
"createdAt": "2023-06-07T05:39:56.961Z",
"updatedAt": "2023-06-07T05:39:56.961Z",
"requirements": [
{
"on": {
"providerType": "string",
"providerUrn": "string",
"resourceType": "string",
"resourceUrn": "string",
"role": "string",
"conditions": [
{
"field": "string",
"match": {
"eq": {}
}
}
],
"expression": "string"
},
"appeals": [
{
"resource": {
"providerType": "string",
"providerUrn": "string",
"type": "string",
"urn": "string",
"id": "string"
},
"role": "string",
"options": {
"expirationDate": "2023-10-24T20:41:02.817Z",
"duration": "string"
},
"policy": {
"id": "string",
"version": 0
}
}
]
}
],
"iam": {
"provider": "bigquery",
"schema": {}
},
"appeal": {
"durationOptions": [
{
"name": "string",
"value": "string"
}
],
"allowOnBehalf": true,
"allowPermanentAccess": true,
"allowActiveAccessExtensionIn": "string",
"questions": [
{
"key": "string",
"question": "string",
"required": true,
"description": "string"
}
],
"allowCreatorDetailsFailure": true
}
}
}
Bad Request - The request was malformed or contained invalid parameters.
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Unauthorized - Authentication is required
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Forbidden - User does not have permission to access the resource
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Not Found - The requested resource was not found
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Internal Server Error. Returned when theres is something wrong with Frontier server.
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
An unexpected error response.
Schema
- Array [
- ]
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}