PingAuthorize

Self-governance use cases

You can use self-governance to control access to Policy Editor entities and operations in a wide variety of ways.

Controls that you can configure using self-governance include:

  • Protecting a policy set from deletion

  • Ensuring a policy can never be updated

  • Preventing policies from being added or created in a policy set

  • Blocking a user’s ability to delete attributes

  • Restricting a user’s ability to read policies or policy sets

  • Allowing attributes to be elevated to secret status while forbidding secret attributes from moving to non-secret status

The following use cases demonstrate how to build and deploy some common self-governance policies.

To view a visual flow of your self-governance policy decisions, see Visualizing a policy decision response.

Use case: Preventing a user from viewing a branch

About this task

The following are the general steps needed to prevent a user from viewing a branch:

Steps

  1. Create a policy named Prevent a user from viewing a branch in the System Policy Set of the Admin Point Governance branch.

  2. Add a rule and name it Deny if branch is Admin Point Governance and user is Steve Smith.

  3. Add a condition that returns true when Branch.Name equals Admin Point Governance.

  4. Add a condition that returns true when user.name equals Steve Smith.

  5. Select Components and drag the Core.Branch service to the Applies to section of the rule.

  6. Drag the Read action to the Applies to section of the rule.

  7. Save the policy.

  8. Commit the changes to the Admin Point Governance branch in Branch Manager → Version Control.

Result

This self-governance policy returns a Deny response if a user named Steve Smith tries to view the Admin Point Governance branch.

Use case: Preventing users from updating a policy set

About this task

The following are the general steps needed to prevent users from updating a policy set:

Steps

  1. Create a policy named Prevent users from updating a policy set in the System Policy Set of the Admin Point Governance branch.

  2. Add a rule that returns a Deny if Object.Existing.Name equals examplePolicySet.

  3. Select Components and drag the Core.PolicySet service to the Applies to section of the rule.

  4. Drag the Modify.Update action to the Applies to section of the rule.

  5. Save the policy.

  6. Commit the changes to the Admin Point Governance branch in Branch Manager → Version Control.

Result

This self-governance policy returns a Deny response when a user tries to modify a policy set with the name examplePolicySet.

Use case: Preventing users from deleting policies

About this task

The following are the general steps needed to prevent users from deleting policies:

Steps

  1. Create a policy named Prevent users from deleting policies in the System Policy Set of the Admin Point Governance branch.

  2. Add a rule that always returns a Deny response.

  3. Select Components and drag the Core.Policy service to the Applies to section of the rule.

  4. Drag the Modify.Delete action to the Applies to section of the rule.

  5. Save the policy.

  6. Commit the changes to the Admin Point Governance branch in Branch Manager → Version Control.

Result

This self-governance policy returns a Deny response when a user tries to delete a policy within the system.
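The three use cases above, modelled as an added example (not PingAuthorize code): each policy has an "Applies to" target (service and action) plus a rule condition over request attributes, and a request is checked against all three. The dictionary keys (service, action, Branch.Name, user.name, Object.Existing.Name) and the deny-overrides combining are assumptions of this model, not documented behaviour of the Policy Editor.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed request shape: the entity/action being attempted plus the
# attributes the rule conditions in the use cases above refer to.
Request = Dict[str, str]


@dataclass(frozen=True)
class SelfGovernancePolicy:
    name: str
    service: str    # "Applies to" service, e.g. Core.Branch
    action: str     # "Applies to" action, e.g. Read or Modify.Delete
    condition: Callable[[Request], bool]   # the rule; True means Deny

    def applies_to(self, req: Request) -> bool:
        return req.get("service") == self.service and req.get("action") == self.action

    def evaluate(self, req: Request) -> str:
        # A policy whose target does not match is simply not applicable.
        if not self.applies_to(req):
            return "NotApplicable"
        return "Deny" if self.condition(req) else "NotApplicable"


POLICIES: List[SelfGovernancePolicy] = [
    SelfGovernancePolicy(
        "Prevent a user from viewing a branch", "Core.Branch", "Read",
        lambda r: r.get("Branch.Name") == "Admin Point Governance"
        and r.get("user.name") == "Steve Smith"),
    SelfGovernancePolicy(
        "Prevent users from updating a policy set", "Core.PolicySet", "Modify.Update",
        lambda r: r.get("Object.Existing.Name") == "examplePolicySet"),
    SelfGovernancePolicy(
        "Prevent users from deleting policies", "Core.Policy", "Modify.Delete",
        lambda r: True),   # rule that always returns Deny
]


def decide(req: Request, policies=POLICIES) -> Tuple[str, List[str]]:
    """Assumed deny-overrides combining: any applicable Deny rule denies the
    request; otherwise the decision is NotApplicable and the editor's default
    behaviour applies. Also returns which policies produced the Deny."""
    denied_by = [p.name for p in policies if p.evaluate(req) == "Deny"]
    return ("Deny" if denied_by else "NotApplicable", denied_by)
```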