PingAuthorize

Self-governance Trust Framework

To make it easier to get started developing self-governance policies, the Admin Point Governance branch initializes with a default set of Trust Framework definitions.

Use the self-governance attributes and conditions to build your policy logic, then use self-governance actions and services as targets to control when your policies apply. The following tables describe the included Trust Framework definitions for self-governance.

Avoid using Trust Framework definitions related to self-governance permissions. While some of these items are visible and exposed within the Policy Editor, the permissions system is not enabled or supported.

Attributes

| Attribute Name | Scope | Description |
|---|---|---|
| Branch | All operations | JSON data regarding the branch on which the current operation is being performed. |
| Branch.Id | All operations | GUID of the branch on which the current operation is being performed. |
| Branch.Name | All operations | Name of the branch on which the current operation is being performed. |
| Branch.ParentId | All operations | GUID of the parent branch for the branch on which the current operation is being performed. |
| DeploymentPackage | Deployment package operations | A folder to contain nested attributes. It has no value of its own. |
| DeploymentPackage.Decision Node ID | Deployment package operations | GUID of the decision node referred to by the deployment package that the user is acting upon. |
| DeploymentPackage.Snapshot Id | Deployment package operations | GUID of the snapshot referred to by the deployment package that the user is acting upon. |
| fromId | Diff or merge operations | The from ID argument passed to the service, if from and to arguments are required. |
| id | Diff or merge operations | The ID argument passed to the service. |
| name | Diff or merge operations | The string argument passed to the service. |
| Object | None | A folder to contain nested attributes. It has no value of its own. |
| Object.Existing | All operations | JSON data containing details of the current state of the object that the user is acting upon. Nested attributes below this attribute in the hierarchy extract specific values from this JSON data using JSONPath. |
| Object.Existing.Approvals | None | Collection of all the approvals for the deployment package that the user is acting upon. |
| Object.Existing.Approvals.UserIds | Deployment package operations | Collection of user IDs for all approvals on the deployment package that the user is acting upon. |
| Object.Existing.Approvals.Count | Deployment package operations | Total number of approvals on the deployment package that the user is acting upon. |
| Object.Existing.AttributeResolvers | Attributes | Collection of all the resolvers for the attribute that the user is acting upon. |
| Object.Existing.BranchId | Attributes | The branch ID of the object being acted upon by the user. |
| Object.Existing.CacheConfig | Attributes | JSON data detailing the cache settings for the attribute that the user is acting upon. |
| Object.Existing.Children | All operations | The direct first level children of the object that the user is acting upon. |
| Object.Existing.CombiningAlgorithm | Policy sets, policies | The combining algorithm of the policy or policy set that the user is acting upon. |
| Object.Existing.CustomProperties | All operations | JSON data of the custom properties set for the object that the user is acting upon. |
| Object.Existing.DefaultValue | Attributes | The default value of the attribute that the user is acting upon. |
| Object.Existing.DefinitionId | Trust Framework definitions | The GUID of the Trust Framework definition that the user is acting upon. |
| Object.Existing.Description | All operations | The description of the object that the user is acting upon. |
| Object.Existing.Disabled | Policy sets, policies, rules | Boolean value indicating whether or not the policy node that the user is acting upon is disabled. |
| Object.Existing.FullName | Trust Framework definitions | The full name, including parent names, of the Trust Framework definition. |
| Object.Existing.Id | All operations | The GUID of the object that the user is acting upon. |
| Object.Existing.IdentityProperties | Identity classes, identity providers | Collection of all the identity properties for the definition that the user is acting upon. |
| Object.Existing.IsPresent | All operations | Boolean that is true if the object that the user is acting upon is present. |
| Object.Existing.Name | All operations | The name of the object being acted upon by the user. |
| Object.Existing.Name.IsPresent | All operations | Boolean that is true if the Object.Existing.Name attribute is present in the self-governance decision request. |
| Object.Existing.ObjectType | Trust Framework | The type of Trust Framework definition that the user is acting upon. |
| Object.Existing.ParentId | All operations | The GUID of the direct parent of the object being acted upon by the user. |
| Object.Existing.Resolvers | Attributes | JSON value detailing the resolvers of the attribute that the user is acting upon. |
| Object.Existing.Secret | Attributes | Boolean indicating whether the attribute that the user is acting upon has been marked as secret. |
| Object.Existing.ServiceSettings | Services | JSON value detailing all of the service settings for the service that the user is acting upon. |
| Object.Existing.ServiceType | Services | The type of the service that the user is acting upon. |
| Object.Existing.Shared | Rules, targets, statements | Boolean that is true if the object that the user is acting upon is shared (appears in the Library). |
| Object.Existing.Statements | Policy nodes | Collection containing the list of statements for the policy node that the user is acting upon. |
| Object.Existing.Targets | Policy nodes | Collection containing the list of targets for the policy node that the user is acting upon. |
| Object.Existing.TestCase | Test case definitions | JSON representation of the test case associated with this definition. |
| Object.Existing.TestScenario | Test scenario definitions | JSON representation of the test scenario associated with this definition. |
| Object.Existing.Type | Definition | The type of definition (Trust Framework or Test Suite entity) that the user is acting upon. |
| Object.Existing.Version | All operations | Version of the entity that the user is acting upon. |
| Object.Intended | All operations | JSON data containing details of the intended state of the object after the action the user is trying to perform. Nested attributes below this attribute in the hierarchy extract specific values from this JSON data using JSONPath. |
| Object.Intended.* | All operations | Object.Intended has the same child attribute structure as Object.Existing. |
| Snapshot | Snapshots | JSON data regarding the commit that the user is acting upon. |
| Snapshot.Approval Count | Snapshots | Number of approvals on the commit that the user is acting upon. |
| Snapshot.Approvals | Snapshots | Collection of names of all users who have approved the commit that the user is acting upon. |
| Snapshot.BranchId | Snapshots | GUID of the branch of the commit that the user is acting upon. |
| Snapshot.Id | Snapshots | GUID of the commit that the user is acting upon. |
| Snapshot.ParentId | Snapshots | GUID of the direct parent of the commit that the user is acting upon. |
| Snapshot.State | Snapshots | Current state of the commit that the user is acting upon. The value can be either UNCOMMITTED or COMMITTED. |
| toId | Diff or merge operations | ID of the entity the change is being merged to. |
| user | All operations | JSON data describing the user performing the action. User attributes like LDAP properties or OIDC claims are mapped as keys and values, where a single value is expressed as a JSON array. If OIDC claims have an attribute nickname with value abc, the JSON data will be {"nickname":["abc"]}. To get the scalar value of an attribute, use a processor and access the zeroth value of the JSON array. Any derived user attribute that contains sensitive information must be marked as secret in Value Settings. |
| user.name | All operations | Name of the user performing the action. |
| user.name.lowercase | All operations | Lowercase value of the name. |

Services

| Service Name | Description |
|---|---|
| Core | A folder containing child services. It has no other function. |
| Core.Branch | Targets operations involving branches. |
| Core.Definition | Targets operations involving Trust Framework definitions. |
| Core.Delta | Targets operations involving Version Control deltas. |
| Core.DeploymentPackage | Targets operations involving deployment packages. |
| Core.DiffMerge | Targets Version Control diff or merge operations. |
| Core.Entity.Change | Targets operations involving entity changes. |
| Core.Policy | Targets operations involving policies. |
| Core.PolicySet | Targets operations involving policy sets. |
| Core.RecentDecisions | Targets operations involving the recent decisions diagnostics buffers. |
| Core.RecentDecisions.Configuration | Targets operations involving the configuration of a recent decisions buffer. |
| Core.RecentDecisions.Content | Targets operations involving the content of a recent decisions buffer. |
| Core.Rule | Targets operations involving rules. |
| Core.Snapshot | Targets operations involving snapshots. |
| Core.Statement | Targets operations involving statements (obligations or advice). |
| Core.Target | Targets operations involving targets. |
| Test.Scenario | Targets operations involving test scenarios and scenario groups. |
| Test.TestCase | Targets operations involving test cases and test groups. |

Actions

| Action Name | Scope | Description |
|---|---|---|
| Modify | All operations | Targets any modification: commit, create, delete, import, roll back, or update. |
| Modify.Commit | Version Control | Targets commits within Branch Manager → Version Control. |
| Modify.Create | All operations | Targets the creation of any object, including branches, attributes, policies, and so on. |
| Modify.Delete | All operations | Targets the deletion of any object, including branches, attributes, policies, and so on. |
| Modify.Import | Snapshots | Targets importing snapshots. |
| Modify.Rollback | Version Control | Targets attempts to roll back deltas within Version Control. |
| Modify.Update | All operations | Targets the update of any object, including branches, attributes, policies, and so on. |
| Read | All operations | Targets reading any object, including branches, attributes, policies, and so on. |
| Read.Diff | Version Control | Targets reading a diff within Version Control. |
| Read.Export | Deployment packages and snapshots | Targets exporting a snapshot or deployment package. |
| Read.List | All operations | Targets any operations that read a listing (in other words, list all branches). |
| Read.History | All operations | Targets operations that attempt to read the history of an entity. |

Conditions

| Condition Name | Scope | Description |
|---|---|---|
| Object.Is Root | All operations | True if the object is a root element (in other words, has no parent) but otherwise false. |
| Object.Is Shared | All operations | True if the object is a shared element (in other words, it is in the Library and has no parent) but otherwise false. |
| Object.Is Shared.Existing | All operations | True if the object is already shared before being updated but otherwise false. |
| Object.Is Shared.Intended | All operations | True if the object will be shared after being updated but otherwise false. |