Self-governance use cases
You can use self-governance to control access to Policy Editor entities and operations in a wide variety of ways.
Controls that you can configure using self-governance include:
- Protecting a policy set from deletion
- Ensuring a policy can never be updated
- Preventing policies from being added or created in a policy set
- Blocking a user’s ability to delete attributes
- Restricting a user’s ability to read policies or policy sets
- Allowing attributes to be elevated to secret status while forbidding secret attributes from moving to non-secret status
The following use cases demonstrate how to build and deploy some common self-governance policies.
To view a visual flow of your self-governance policy decisions, see Visualizing a policy decision response.
Use case: Preventing a user from viewing a branch
About this task
The following are the general steps needed to prevent a user from viewing a branch:
Steps
- Create a policy named Prevent a user from viewing a branch in the System Policy Set of the Admin Point Governance branch.
- Add a rule with a Deny effect and name it Deny if branch is Admin Point Governance and user is Steve Smith.
- Add a condition that returns true when Branch.Name equals Admin Point Governance.
- Add a condition that returns true when user.name equals Steve Smith. Both conditions must be true for the rule to apply.
- Select Components and drag the Core.Branch service to the Applies to section of the rule.
- Drag the Read action to the Applies to section of the rule.
- Save the policy.
- Commit the changes to the Admin Point Governance branch in Branch Manager → Version Control.
Result
This self-governance policy returns a Deny response if a user named Steve Smith tries to view the Admin Point Governance branch. Because both conditions must hold, Steve Smith can still read other branches and other users can still read Admin Point Governance; for those requests the rule does not apply.
Use case: Preventing users from updating a policy set
About this task
The following are the general steps needed to prevent users from updating a policy set:
Steps
- Create a policy named Prevent users from updating a policy set in the System Policy Set of the Admin Point Governance branch.
- Add a rule that returns a Deny if Object.Existing.Name equals examplePolicySet.
- Select Components and drag the Core.PolicySet service to the Applies to section of the rule.
- Drag the Modify.Update action to the Applies to section of the rule.
- Save the policy.
- Commit the changes to the Admin Point Governance branch in Branch Manager → Version Control.
Result
This self-governance policy returns a Deny response when a user tries to modify a policy set with the name examplePolicySet. Updates to policy sets with any other name are not affected, and the rule does not restrict deleting examplePolicySet, only updating it.
Use case: Preventing users from deleting policies
About this task
The following are the general steps needed to prevent users from deleting policies:
Steps
- Create a policy named Prevent users from deleting policies in the System Policy Set of the Admin Point Governance branch.
- Add a rule that always returns a Deny response (no condition).
- Select Components and drag the Core.Policy service to the Applies to section of the rule.
- Drag the Modify.Delete action to the Applies to section of the rule.
- Save the policy.
- Commit the changes to the Admin Point Governance branch in Branch Manager → Version Control.
Result
This self-governance policy returns a Deny response when a user tries to delete a policy within the system. Because the rule has no condition, it applies to every policy, including this self-governance policy itself, so plan how the rule will later be removed or narrowed before committing it.
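The three use cases above follow one pattern: a rule applies to a component and an action (its Applies to target), optionally checks conditions on request attributes, and returns Deny. The following Python model, added here as an illustration and not Policy Editor or Axiomatics code, evaluates constructed requests against equivalents of the three rules so you can see which requests are denied and which fall through as NotApplicable. Attribute names follow the labels used on this page (Branch.Name, user.name, Object.Existing.Name); the combining behaviour (deny-overrides, NotApplicable when no rule's target or conditions match) and the request shape are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# A request is modelled as a flat attribute map; this shape is an assumption,
# not the product's request format.
Request = Dict[str, str]


@dataclass
class Rule:
    """One self-governance rule: Applies to target, conditions, and an effect."""
    name: str
    applies_to: Dict[str, Set[str]]  # service -> set of actions the rule targets
    conditions: List[Callable[[Request], bool]] = field(default_factory=list)
    effect: str = "Deny"

    def evaluate(self, req: Request) -> str:
        # Applies to: the service and action must both match, else NotApplicable.
        actions = self.applies_to.get(req.get("service", ""))
        if actions is None or req.get("action") not in actions:
            return "NotApplicable"
        # Every condition must be true (conjunction), else NotApplicable.
        if not all(cond(req) for cond in self.conditions):
            return "NotApplicable"
        return self.effect


def attr_equals(name: str, value: str) -> Callable[[Request], bool]:
    """Condition that returns true when the named attribute equals a value."""
    return lambda req: req.get(name) == value


# Use case 1: deny Read on Core.Branch for one user and one branch.
PREVENT_BRANCH_VIEW = Rule(
    name="Deny if branch is Admin Point Governance and user is Steve Smith",
    applies_to={"Core.Branch": {"Read"}},
    conditions=[attr_equals("Branch.Name", "Admin Point Governance"),
                attr_equals("user.name", "Steve Smith")],
)

# Use case 2: deny Modify.Update on Core.PolicySet for a named policy set.
PREVENT_POLICYSET_UPDATE = Rule(
    name="Prevent users from updating a policy set",
    applies_to={"Core.PolicySet": {"Modify.Update"}},
    conditions=[attr_equals("Object.Existing.Name", "examplePolicySet")],
)

# Use case 3: deny Modify.Delete on Core.Policy unconditionally.
PREVENT_POLICY_DELETE = Rule(
    name="Prevent users from deleting policies",
    applies_to={"Core.Policy": {"Modify.Delete"}},
)

SYSTEM_POLICY_SET = [PREVENT_BRANCH_VIEW, PREVENT_POLICYSET_UPDATE, PREVENT_POLICY_DELETE]


def decide(req: Request, rules: List[Rule] = SYSTEM_POLICY_SET) -> str:
    """Deny-overrides (assumed): any Deny wins; otherwise NotApplicable."""
    decisions = [rule.evaluate(req) for rule in rules]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def explain(req: Request, rules: List[Rule] = SYSTEM_POLICY_SET) -> List[tuple]:
    """Per-rule decisions, useful for seeing why a request was or was not denied."""
    return [(rule.name, rule.evaluate(req)) for rule in rules]


# Constructed sample requests, one per edge the page's Result sections describe.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "steve_reads_governance": {"service": "Core.Branch", "action": "Read",
                               "Branch.Name": "Admin Point Governance",
                               "user.name": "Steve Smith"},
    "steve_reads_other_branch": {"service": "Core.Branch", "action": "Read",
                                 "Branch.Name": "Development",
                                 "user.name": "Steve Smith"},
    "alice_reads_governance": {"service": "Core.Branch", "action": "Read",
                               "Branch.Name": "Admin Point Governance",
                               "user.name": "Alice Jones"},
    "update_example_policyset": {"service": "Core.PolicySet", "action": "Modify.Update",
                                 "Object.Existing.Name": "examplePolicySet",
                                 "user.name": "Alice Jones"},
    "delete_example_policyset": {"service": "Core.PolicySet", "action": "Modify.Delete",
                                 "Object.Existing.Name": "examplePolicySet",
                                 "user.name": "Alice Jones"},
    # Deleting the governance policy itself is also caught by use case 3.
    "delete_governance_policy": {"service": "Core.Policy", "action": "Modify.Delete",
                                 "Object.Existing.Name": "Prevent users from deleting policies",
                                 "user.name": "Alice Jones"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:28} -> {decide(req)}")
        for rule_name, outcome in explain(req):
            print(f"    {outcome:14} {rule_name}")
```

Run the module to print a decision per sample request together with the per-rule breakdown; the breakdown is the textual counterpart of the visual flow described under Visualizing a policy decision response.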