Self-governance Trust Framework
To make it easier to get started with self-governance policies, the Admin Point Governance branch is initialized with a default set of Trust Framework definitions.
Use the self-governance attributes and conditions to build your policy logic, and use the self-governance services and actions as targets to control when your policies apply. The following tables describe the Trust Framework definitions included for self-governance.
Avoid using Trust Framework definitions related to self-governance permissions. Although some of these items are visible and exposed in the Policy Editor, the permissions system is not enabled or supported.
Attributes
Attribute Name | Scope | Description |
---|---|---|
Branch | All operations | JSON data regarding the branch on which the current operation is being performed. |
Branch.Id | All operations | GUID of the branch on which the current operation is being performed. |
Branch.Name | All operations | Name of the branch on which the current operation is being performed. |
Branch.ParentId | All operations | GUID of the parent of the branch on which the current operation is being performed. |
DeploymentPackage | Deployment package operations | A folder that contains nested attributes. It has no value of its own. |
DeploymentPackage.Decision Node ID | Deployment package operations | GUID of the decision node referred to by the deployment package that the user is acting upon. |
DeploymentPackage.Snapshot Id | Deployment package operations | GUID of the snapshot referred to by the deployment package that the user is acting upon. |
fromId | Diff or merge operations | The |
id | Diff or merge operations | The ID argument passed to the service. |
name | Diff or merge operations | The string argument passed to the service. |
Object | None | A folder that contains nested attributes. It has no value of its own. |
Object.Existing | All operations | JSON data containing details of the current state of the object that the user is acting upon. Nested attributes below this attribute in the hierarchy extract specific values from this JSON data using JSONPath. |
Object.Existing.Approvals | Deployment package operations | Collection of all the approvals for the deployment package that the user is acting upon. |
Object.Existing.Approvals.UserIds | Deployment package operations | Collection of user IDs for all approvals on the deployment package that the user is acting upon. |
Object.Existing.Approvals.Count | Deployment package operations | Total number of approvals on the deployment package that the user is acting upon. |
Object.Existing.AttributeResolvers | Attributes | Collection of all the resolvers for the attribute that the user is acting upon. |
Object.Existing.BranchId | Attributes | The branch ID of the object that the user is acting upon. |
Object.Existing.CacheConfig | Attributes | JSON data detailing the cache settings for the attribute that the user is acting upon. |
Object.Existing.Children | All operations | The direct (first-level) children of the object that the user is acting upon. |
Object.Existing.CombiningAlgorithm | Policy sets, policies | The combining algorithm of the policy or policy set that the user is acting upon. |
Object.Existing.CustomProperties | All operations | JSON data of the custom properties set for the object that the user is acting upon. |
Object.Existing.DefaultValue | Attributes | The default value of the attribute that the user is acting upon. |
Object.Existing.DefinitionId | Trust Framework definitions | The GUID of the Trust Framework definition that the user is acting upon. |
Object.Existing.Description | All operations | The description of the object that the user is acting upon. |
Object.Existing.Disabled | Policy sets, policies, rules | Boolean indicating whether the policy node that the user is acting upon is disabled. |
Object.Existing.FullName | Trust Framework definitions | The full name, including parent names, of the Trust Framework definition that the user is acting upon. |
Object.Existing.Id | All operations | The GUID of the object that the user is acting upon. |
Object.Existing.IdentityProperties | Identity classes, identity providers | Collection of all the identity properties for the definition that the user is acting upon. |
Object.Existing.IsPresent | All operations | Boolean that is true if the object that the user is acting upon is present. |
Object.Existing.Name | All operations | The name of the object that the user is acting upon. |
Object.Existing.Name.IsPresent | All operations | Boolean that is true if the Object.Existing.Name attribute is present in the self-governance decision request. |
Object.Existing.ObjectType | Trust Framework definitions | The type of Trust Framework definition that the user is acting upon. |
Object.Existing.ParentId | All operations | The GUID of the direct parent of the object that the user is acting upon. |
Object.Existing.Resolvers | Attributes | JSON value detailing the resolvers of the attribute that the user is acting upon. |
Object.Existing.Secret | Attributes | Boolean indicating whether the attribute that the user is acting upon has been marked as secret. |
Object.Existing.ServiceSettings | Services | JSON value detailing all of the service settings for the service that the user is acting upon. |
Object.Existing.ServiceType | Services | The type of the service that the user is acting upon. |
Object.Existing.Shared | Rules, targets, statements | Boolean that is true if the object that the user is acting upon is shared (appears in the Library). |
Object.Existing.Statements | Policy nodes | Collection containing the list of statements for the policy node that the user is acting upon. |
Object.Existing.Targets | Policy nodes | Collection containing the list of targets for the policy node that the user is acting upon. |
Object.Existing.TestCase | Test case definitions | JSON representation of the test case associated with this definition. |
Object.Existing.TestScenario | Test scenario definitions | JSON representation of the test scenario associated with this definition. |
Object.Existing.Type | Trust Framework and Test Suite definitions | The type of definition (Trust Framework or Test Suite entity) that the user is acting upon. |
Object.Existing.Version | All operations | Version of the entity that the user is acting upon. |
Object.Intended | All operations | JSON data containing details of the intended state of the object after the action the user is trying to perform. Nested attributes below this attribute in the hierarchy extract specific values from this JSON data using JSONPath. |
Object.Intended.* | All operations | Object.Intended has the same child attribute structure as Object.Existing. |
Snapshot | Snapshots | JSON data regarding the commit that the user is acting upon. |
Snapshot.Approval Count | Snapshots | Number of approvals on the commit that the user is acting upon. |
Snapshot.Approvals | Snapshots | Collection of the names of all users who have approved the commit that the user is acting upon. |
Snapshot.BranchId | Snapshots | GUID of the branch of the commit that the user is acting upon. |
Snapshot.Id | Snapshots | GUID of the commit that the user is acting upon. |
Snapshot.ParentId | Snapshots | GUID of the direct parent of the commit that the user is acting upon. |
Snapshot.State | Snapshots | Current state of the commit that the user is acting upon. The value can be either |
toId | Diff or merge operations | ID of the entity that the change is being merged into. |
user | All operations | JSON data describing the user performing the action. User attributes such as LDAP properties or OIDC claims are mapped as keys and values, where even a single value is expressed as a JSON array. If OIDC claims have an attribute nickname with value To get the scalar value of an attribute, use a processor and access the zeroth element of the JSON array. Any derived user attribute that contains sensitive information must be marked as secret in Value Settings. |
user.name | All operations | Name of the user performing the action. |
user.name.lowercase | All operations | Lowercase value of the user's name. |
Services
Service Name | Description |
---|---|
Core | A folder containing child services. It has no other function. |
Core.Branch | Targets operations involving branches. |
Core.Definition | Targets operations involving Trust Framework definitions. |
Core.Delta | Targets operations involving Version Control deltas. |
Core.DeploymentPackage | Targets operations involving deployment packages. |
Core.DiffMerge | Targets Version Control diff or merge operations. |
Core.Entity.Change | Targets operations involving entity changes. |
Core.Policy | Targets operations involving policies. |
Core.PolicySet | Targets operations involving policy sets. |
Core.RecentDecisions | Targets operations involving the recent decisions diagnostics buffers. |
Core.RecentDecisions.Configuration | Targets operations involving the configuration of a recent decisions buffer. |
Core.RecentDecisions.Content | Targets operations involving the content of a recent decisions buffer. |
Core.Rule | Targets operations involving rules. |
Core.Snapshot | Targets operations involving snapshots. |
Core.Statement | Targets operations involving statements (obligations or advice). |
Core.Target | Targets operations involving targets. |
Test.Scenario | Targets operations involving test scenarios and scenario groups. |
Test.TestCase | Targets operations involving test cases and test groups. |
Actions
Action Name | Scope | Description |
---|---|---|
Modify | All operations | Targets any modification: commit, create, delete, import, roll back, or update. |
Modify.Commit | Version Control | Targets commits within Branch Manager → Version Control. |
Modify.Create | All operations | Targets the creation of any object, including branches, attributes, policies, and so on. |
Modify.Delete | All operations | Targets the deletion of any object, including branches, attributes, policies, and so on. |
Modify.Import | Snapshots | Targets importing snapshots. |
Modify.Rollback | Version Control | Targets attempts to roll back deltas within Version Control. |
Modify.Update | All operations | Targets the update of any object, including branches, attributes, policies, and so on. |
Read | All operations | Targets reading any object, including branches, attributes, policies, and so on. |
Read.Diff | Version Control | Targets reading a diff within Version Control. |
Read.Export | Deployment packages and snapshots | Targets exporting a snapshot or deployment package. |
Read.List | All operations | Targets any operation that reads a listing (for example, listing all branches). |
Read.History | All operations | Targets operations that attempt to read the history of an entity. |
Conditions
Condition Name | Scope | Description |
---|---|---|
Object.Is Root | All operations | True if the object is a root element (that is, it has no parent); otherwise false. |
Object.Is Shared | All operations | True if the object is a shared element (that is, it is in the Library and has no parent); otherwise false. |
Object.Is Shared.Existing | All operations | True if the object is already shared before the update is applied; otherwise false. |
Object.Is Shared.Intended | All operations | True if the object will be shared after the update is applied; otherwise false. |
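Comparing an object's state before and after an update, as the Object.Is Shared.Existing and Object.Is Shared.Intended conditions do by reading the same path under Object.Existing and Object.Intended, as an added illustration in plain Python. This is not the product's own code or policy language: reading "shared" as the Shared flag being true with no ParentId is this example's interpretation of the condition's description, the `library-admins` group and the rule's decision values are hypothetical, and the three requests are constructed. The rule denies a Modify.Update that would take a shared Library rule, target or statement out of the Library unless the user is a library admin.

```python
"""Added illustration in plain Python; not the product's own code or policy
language. Compares Object.Existing with Object.Intended to detect an update
that un-shares a Library object. 'Shared' and 'ParentId' follow the attribute
table; treating "shared" as Shared true with no parent is this example's
reading of the condition's description; 'library-admins' is hypothetical;
the requests below are constructed."""
from typing import Any, Dict, Optional, Set


def extract(doc: Any, path: str) -> Optional[Any]:
    """Minimal dotted-path lookup standing in for JSONPath."""
    node = doc
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def is_root(obj: Optional[Dict[str, Any]]) -> bool:
    """Object.Is Root: the object exists and has no parent."""
    return obj is not None and obj.get("ParentId") is None


def is_shared(obj: Optional[Dict[str, Any]]) -> bool:
    """Object.Is Shared: in the Library (Shared is true) and has no parent.
    An absent object (a create's Existing, a delete's Intended) is not shared."""
    if obj is None:
        return False
    return is_root(obj) and bool(obj.get("Shared"))


def share_transition(request: Dict[str, Any]) -> Dict[str, bool]:
    """The two condition values a rule sees for one request:
    Object.Is Shared.Existing and Object.Is Shared.Intended."""
    return {
        "shared_existing": is_shared(extract(request, "Object.Existing")),
        "shared_intended": is_shared(extract(request, "Object.Intended")),
    }


# Object types that carry the Shared attribute, per the attribute table.
SHAREABLE_SERVICES = {"Core.Rule", "Core.Target", "Core.Statement"}


def decide(request: Dict[str, Any], action: str, service: str,
           user_groups: Set[str]) -> str:
    """Hypothetical rule: a Modify.Update that would take a Library object out
    of the Library is denied unless the user is a library admin. Anything
    else falls outside the rule's target and returns 'NotApplicable'."""
    if action != "Modify.Update" or service not in SHAREABLE_SERVICES:
        return "NotApplicable"
    t = share_transition(request)
    unsharing = t["shared_existing"] and not t["shared_intended"]
    if not unsharing:
        return "NotApplicable"
    return "Permit" if "library-admins" in user_groups else "Deny"


# Constructed requests (not captured from a real system): the first moves a
# shared Library rule under a policy, the second only renames it, the third
# creates a new rule and therefore has no Existing state.
UNSHARE_REQUEST: Dict[str, Any] = {"Object": {
    "Existing": {"Id": "r-1", "Name": "Require MFA", "Shared": True, "ParentId": None},
    "Intended": {"Id": "r-1", "Name": "Require MFA", "Shared": False, "ParentId": "p-9"},
}}
RENAME_REQUEST: Dict[str, Any] = {"Object": {
    "Existing": {"Id": "r-1", "Name": "Require MFA", "Shared": True, "ParentId": None},
    "Intended": {"Id": "r-1", "Name": "Require MFA v2", "Shared": True, "ParentId": None},
}}
CREATE_REQUEST: Dict[str, Any] = {"Object": {
    "Intended": {"Id": "r-2", "Name": "Deny guests", "Shared": False, "ParentId": "p-9"},
}}


if __name__ == "__main__":
    for label, req, action in (("unshare", UNSHARE_REQUEST, "Modify.Update"),
                               ("rename", RENAME_REQUEST, "Modify.Update"),
                               ("create", CREATE_REQUEST, "Modify.Create")):
        print(label, share_transition(req),
              decide(req, action, "Core.Rule", {"policy-authors"}))
```

The rename request leaves both condition values true, so the rule does not apply; only the request whose intended state drops the object out of the Library reaches the Deny branch.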