Approvals Service

Service to manage centralized approval policies.

Approvals

The Approvals service exposes methods for working with approval policies.

SetPolicy

rpc SetPolicy (tetrateio.api.tsb.q.v2.ApprovalPolicy) returns (google.protobuf.Empty)

Requires CreateApprovalPolicy, WriteApprovalPolicy

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource already has policy settings, they are replaced in full. Once the policy is set, authorization checks are performed for the given resource.

GetPolicy

rpc GetPolicy (tetrateio.api.tsb.q.v2.GetPolicyRequest) returns (tetrateio.api.tsb.q.v2.ApprovalPolicy)

Requires ReadApprovalPolicy

GetPolicy returns the approval policy for the given resource.

QueryPolicies

rpc QueryPolicies (tetrateio.api.tsb.q.v2.QueryPoliciesRequest) returns (tetrateio.api.tsb.q.v2.QueryPoliciesResponse)

DeletePolicy

rpc DeletePolicy (tetrateio.api.tsb.q.v2.DeletePolicyRequest) returns (google.protobuf.Empty)

Requires DeleteApprovalPolicy

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

AddAccessRequest

rpc AddAccessRequest (tetrateio.api.tsb.q.v2.AccessRequest) returns (google.protobuf.Empty)

Requires CreateApprovalPolicyAccessRequest, WriteApprovalPolicyAccessRequest

AddAccessRequest adds a new access request entry to the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", the requested access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", the request remains pending, and grants no access, until it is approved with ApproveAccessRequest.

DeleteAccessRequest

rpc DeleteAccessRequest (tetrateio.api.tsb.q.v2.ResourceAndSubject) returns (google.protobuf.Empty)

Requires DeleteApprovalPolicyAccessRequest

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in the request list and this operation returns NotFound. An approved entry must be removed with DeleteApprovedAccess instead.

ApproveAccessRequest

rpc ApproveAccessRequest (tetrateio.api.tsb.q.v2.AccessRequest) returns (google.protobuf.Empty)

Requires WriteApprovalPolicyApproveAccess

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

AddApprovedAccess

rpc AddApprovedAccess (tetrateio.api.tsb.q.v2.AccessRequest) returns (google.protobuf.Empty)

Requires CreateApprovalPolicyApprovedAccess, WriteApprovalPolicyApprovedAccess

AddApprovedAccess adds a new entry in the approved access list for the given resource.

DeleteApprovedAccess

rpc DeleteApprovedAccess (tetrateio.api.tsb.q.v2.ResourceAndSubject) returns (google.protobuf.Empty)

Requires DeleteApprovalPolicyApprovedAccess

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

Access

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

Field Description Validation Rule

subject

string
REQUIRED
Subject is the subject that is requested to access the resource.

string = {
  min_len: 1
}

permissions

List of string
REQUIRED
Permissions is a list of permissions that the subject is allowed to use.

repeated = {
  min_items: 1
  items: {string:{min_len:1}}
}

metadata

tetrateio.api.tsb.q.v2.Metadata
Metadata is additional information about this Access entity.

AccessRequest

AccessRequest is a request used for requesting or approving access to a resource.

Example: AccessRequest { Resource: "organizations/demo/tenants/demo/applications/target", Access: []Access{{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

Field Description Validation Rule

resource

string
REQUIRED
Resource for which the access request is made.

string = {
  min_len: 1
}

access

tetrateio.api.tsb.q.v2.Access
REQUIRED
Access is the subject and permissions for the access request.

ApprovalPolicy

ApprovalPolicy is a set of authorization rules that define access to a resource. When applied to a resource, the rules enforce access to the resource based on the permission set.

Example: ApprovalPolicy { Mode: ApprovalPolicy_REQUIRE_APPROVAL, Resource: "organizations/demo/tenants/demo/applications/target-app", Approved: []Access {{ Subject: "organizations/demo/tenants/demo/applications/calling-app", Permissions: []string{"GET", "POST"} }} }

Field Description Validation Rule

mode

tetrateio.api.tsb.q.v2.ApprovalPolicy.Mode
REQUIRED
Mode indicates how access to the resource is configured.

enum = {
  defined_only: true
}

resource

string
REQUIRED
Resource is a fully qualified name of the resource that the policy applies to.

string = {
  min_len: 1
}

requested

List of tetrateio.api.tsb.q.v2.Access
Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

approved

List of tetrateio.api.tsb.q.v2.Access
Approved is a list of subjects that are approved to access the resource.

metadata

tetrateio.api.tsb.q.v2.Metadata
Metadata is additional information about this Policy and the resource it applies to.

DeletePolicyRequest

DeletePolicyRequest is the request message for DeletePolicy.

Example: DeletePolicyRequest { Resource: "organizations/demo/tenants/demo/applications/target-app" }

Field Description Validation Rule

resource

string
REQUIRED
Resource is the fully qualified name of the resource whose policy is to be deleted.

string = {
  min_len: 1
}

force

bool
Force the deletion of internal resources even if they are protected against deletion.

GetPolicyRequest

GetPolicyRequest is the request message for GetPolicy.

Example: GetPolicyRequest { Resource: "organizations/demo/tenants/demo/applications/example" }

Field Description Validation Rule

resource

string
REQUIRED
Resource is the fully qualified name of the policy being requested.

string = {
  min_len: 1
}

Metadata

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

Field Description Validation Rule

details

tetrateio.api.tsb.q.v2.Metadata.Details
Details includes details about the resource or subject.

rules

List of tetrateio.api.tsb.rbac.v2.Role.Rule
Rules lists the RBAC rules describing the permissions the authenticated user is allowed to perform. They refer to the resource of an ApprovalPolicy or to the subject of an Access entity, respectively.

Details

Details is additional information about a resource.

Field Description Validation Rule

name

string
Name is the resource's name.

description

string
Description is the resource's description.

QueryPoliciesRequest

QueryPoliciesRequest is the request message for QueryPolicies.

Example: QueryPoliciesRequest { Parent: "organizations/demo/tenants/demo", Types: []string{"applications"}, IncludeDetails: true, IncludePermissions: true }

Field Description Validation Rule

parent

string
REQUIRED
Parent is the resource under which the query collects the ApprovalPolicy of every child resource that matches the specified types.

string = {
  min_len: 1
}

types

List of string
REQUIRED
Types is the list of resource types (for example "applications") whose policies are queried under the parent.

repeated = {
  min_items: 1
  items: {string:{min_len:1}}
}

includeDetails

bool
IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions

bool
IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

QueryPoliciesResponse

QueryPoliciesResponse is the response message for QueryPolicies.

Field Description Validation Rule

policies

List of tetrateio.api.tsb.q.v2.ApprovalPolicy
Policies is a list of policies that match the query.

ResourceAndSubject

ResourceAndSubject is a resource and subject pair used for approval and deletion operations.

Example: ResourceAndSubject { Resource: "organizations/demo/tenants/demo/applications/target", Subject: "organizations/demo/tenants/demo/applications/caller" }

Field Description Validation Rule

resource

string
REQUIRED
Resource for which the access request is made.

string = {
  min_len: 1
}

subject

string
REQUIRED
Subject for which the access request is made.

string = {
  min_len: 1
}

Mode

Field Number Description

UNRESTRICTED

0

Allows all subjects in the same policy class to access the resource.

ALLOW_REQUESTED

1

Allows only the subjects in the requested and approved lists to access the resource.

REQUIRE_APPROVAL

2

Allows only the subjects in the approved list to access the resource.
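The following Go program is an added example, not code from the Approvals service or the TSB client: it is a local model of the request/approve/delete lifecycle described under the RPC methods above (AddAccessRequest, ApproveAccessRequest, DeleteAccessRequest, DeleteApprovedAccess) and of the Mode table just shown. Field and method names follow this page; the Go types, the map-based storage keyed by subject, the NewPolicy constructor and the Allowed check are assumptions made for illustration, and the gRPC NotFound status is represented by a plain error value.

```go
package main

import (
	"errors"
	"fmt"
)

// Access mirrors the page's Access message: a subject plus the permissions it may use.
type Access struct {
	Subject     string
	Permissions []string
}

// Mode mirrors ApprovalPolicy.Mode, numbered as in the page's Mode table.
type Mode int

const (
	Unrestricted    Mode = 0 // every subject may access the resource
	AllowRequested  Mode = 1 // subjects in the requested and approved lists
	RequireApproval Mode = 2 // subjects in the approved list only
)

// ApprovalPolicy mirrors the page's message (metadata omitted); lists are keyed by subject (model assumption).
type ApprovalPolicy struct {
	Mode      Mode
	Resource  string
	Requested map[string][]string
	Approved  map[string][]string
}

var ErrNotFound = errors.New("NotFound") // stands in for the gRPC NotFound status

// NewPolicy models SetPolicy on a resource that had no policy yet: empty lists.
func NewPolicy(mode Mode, resource string) *ApprovalPolicy {
	return &ApprovalPolicy{Mode: mode, Resource: resource,
		Requested: map[string][]string{}, Approved: map[string][]string{}}
}

func deleteFrom(list map[string][]string, subject string) error {
	if _, ok := list[subject]; !ok {
		return ErrNotFound
	}
	delete(list, subject)
	return nil
}

func hasPermission(list map[string][]string, subject, permission string) bool {
	for _, perm := range list[subject] {
		if perm == permission {
			return true
		}
	}
	return false
}

// AddAccessRequest: the entry lands in Requested; whether that already grants
// access depends on Mode (see Allowed). Enforces the page's min_len/min_items rules.
func (p *ApprovalPolicy) AddAccessRequest(a Access) error {
	if a.Subject == "" || len(a.Permissions) == 0 {
		return errors.New("InvalidArgument: subject and at least one permission are required")
	}
	p.Requested[a.Subject] = a.Permissions
	return nil
}

// ApproveAccessRequest: the entry moves from Requested to Approved, and the
// permissions the approver passes replace whatever was requested.
func (p *ApprovalPolicy) ApproveAccessRequest(a Access) error {
	if err := deleteFrom(p.Requested, a.Subject); err != nil {
		return err
	}
	p.Approved[a.Subject] = a.Permissions
	return nil
}

// DeleteAccessRequest returns NotFound once a request has been approved, as the page
// documents; approved entries are revoked with DeleteApprovedAccess instead.
func (p *ApprovalPolicy) DeleteAccessRequest(subject string) error { return deleteFrom(p.Requested, subject) }
func (p *ApprovalPolicy) DeleteApprovedAccess(subject string) error { return deleteFrom(p.Approved, subject) }

// Allowed applies the page's Mode table (the "same policy class" qualifier of UNRESTRICTED is not modelled).
func (p *ApprovalPolicy) Allowed(subject, permission string) bool {
	switch p.Mode {
	case Unrestricted:
		return true
	case AllowRequested:
		return hasPermission(p.Requested, subject, permission) || hasPermission(p.Approved, subject, permission)
	case RequireApproval:
		return hasPermission(p.Approved, subject, permission)
	}
	return false // value outside the enum (defined_only): fail closed
}

func main() {
	caller := "organizations/demo/tenants/demo/applications/calling-app"
	p := NewPolicy(RequireApproval, "organizations/demo/tenants/demo/applications/target-app")
	_ = p.AddAccessRequest(Access{Subject: caller, Permissions: []string{"GET", "POST"}})
	fmt.Println("pending GET:", p.Allowed(caller, "GET")) // false: REQUIRE_APPROVAL waits for approval
	_ = p.ApproveAccessRequest(Access{Subject: caller, Permissions: []string{"GET"}}) // approver drops POST
	fmt.Println("approved GET:", p.Allowed(caller, "GET"), "POST:", p.Allowed(caller, "POST"), "delete request:", p.DeleteAccessRequest(caller))
}
```

The run in main walks the failure modes the page calls out: a request under REQUIRE_APPROVAL grants nothing until approved, approval with a narrower permission set discards the requested POST, and DeleteAccessRequest on an already approved subject reports NotFound, so revocation has to go through DeleteApprovedAccess.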