API
Managing Policies
Policy controls how users or accounts can get access to a resource. Policy used by appeal to determine the approval flow, get creator's identity/profile, and decide whether it needs additional appeals. Policy is attached to a resource type in the provider config, thus a policy should be the first thing to setup before creating a provider and getting its resources.
Create Policy
Policies can be created by calling with a POST Method on {{HOST}}/api/v1beta1/policies
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| body | body | Contains a policy name, steps for approval flow, External identity manager(IAM) details for authorization required for the accessing the resource | Yes | Policy |
| X-Auth-Email | header | Contains the user/service account email used for authorization | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response | Policy |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request POST '{{HOST}}/api/v1beta1/policies' \
--header 'Content-Type: application/json' \
--data-raw '{
"id": "my_policy",
"steps": [
{
"name": "manager_approval",
"description": "Manager approval for sensitive data",
"when": "$appeal.resource.details.is_sensitive == true",
"strategy": "manual",
"approvers": [
"$appeal.creator.manager_email"
]
},
{
"name": "resource_owner_approval",
"description": "Approval from resource admin/owner",
"strategy": "manual",
"approvers": [
"$appeal.resource.details.owner"
]
}
]
}'
Policy has version to ensure each appeal has a reference to an applied policy when it's created. A policy is created with an initial version equal to 1.
Check policy reference for more details on the policy configuration.
Updating Policy
Updating a policy actually means creating a new policy with the same id but the version gets incremented by 1. Both the new and previous policies still can be used by providers.
Policies can be updated by using the PUT Method on {{HOST}}/api/v1beta1/policies/:id
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique identifier for policy to be updated | Yes | String |
| body | body | Contains the fields reuired to be added/updated in the policy | Yes | Policy |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Policy |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request PUT '{{HOST}}/api/v1beta1/policies/{{policy_id}}' \
--header 'Content-Type: application/json' \
--data-raw '{
"steps": [
{
"name": "manager_approval",
"description": "Manager approval for sensitive data",
"when": "$appeal.resource.details.is_sensitive == true",
"strategy": "manual",
"approvers": [
"$appeal.creator.manager_email"
]
},
{
"name": "resource_owner_approval",
"description": "Approval from resource admin/owner",
"strategy": "manual",
"approvers": [
"$appeal.resource.details.owner"
]
}
]
}'
Listing Policies
To get the list of all the policies created by the user, use the GET Method on {{HOST}}/api/v1beta1/policies
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Policy] |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/policies'
Viewing Policies
Viewing a policy can be done by the GET Method on {{HOST}}/api/v1beta1/policies/:id/versions/:version
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Policy unique identifier | Yes | string |
| version | path | Policy version | Yes | uint32 |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Policy |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/policies/{{policy_id}}/versions/{{policy_version}}'
Managing Providers
Provider manages roles, resources, provider credentials and also points each resource type to a considered policy.
Registering Providers
Once a provider config is registered, Guardian will immediately fetch the resources and store it in the database.
Providers can be created by calling to POST Method {{HOST}}/api/v1beta1/providers
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| body | body | Provider config data | Yes | ProviderConfig |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | ProviderResponse |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request POST '{{HOST}}/api/v1beta1/providers' \
--header 'Content-Type: application/json' \
--data-raw '{
"type": "bigquery",
"urn": "gcp-project-id-bigquery",
"allowed_account_types": [
"user",
"serviceAccount"
],
"credentials": {
"service_account_key": "{{base64 encoded service account key json}}",
"resource_name": "projects/gcp-project-id"
},
"appeal": {
"allow_permanent_access": false,
"allow_active_access_extension_in": "168h"
},
"resources": [
{
"type": "dataset",
"policy": {
"id": "my_policy",
"version": 1
},
"roles": [
{
"id": "viewer",
"name": "Viewer",
"permissions": [
"READER"
]
},
{
"id": "editor",
"name": "Editor",
"permissions": [
"WRITER"
]
}
]
},
{
"type": "table",
"policy": {
"id": "my_policy",
"version": 1
},
"roles": [
{
"id": "viewer",
"name": "Viewer",
"permissions": [
"roles/bigquery.dataViewer"
]
},
{
"id": "editor",
"name": "Editor",
"permissions": [
"roles/bigquery.dataEditor"
]
}
]
}
]
}'
Check provider reference for more details on Provider schema.
Updating Providers
Providers can be updated by calling to PUT Method {HOST}}/api/v1beta1/providers/:id
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique identifier of the provider to be updated | Yes | String |
| body | body | Provider config update payload | Yes | ProviderConfig |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | ProviderResponse |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request PUT '{{HOST}}/api/v1beta1/providers/{{provider_id}}' \
--header 'Content-Type: application/json' \
--data-raw '{
"allowed_account_types": [
"user"
]
}'
Listing Providers
To get the list of all the providers avaliable, call the GET Method on {{HOST}}/api/v1beta1/providers
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [ProviderResponse] |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/providers'
Viewing Providers
To see the details of a particular provider by id, call the GET Method on {{HOST}}/api/v1beta1/providers/:id with the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Yes | String |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | ProviderResponse |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/providers/{{provider_id}}'
Delete Provider
To delete a particular provider from the database use the DELETE Method on {{HOST}}/api/v1beta1/providers/:id with the parameters as shown here:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Yes | String |
Response
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | NIL |
| default | An unexpected error response. | rpcStatus |
Listing Roles for a Resource Type
Listing roles can be done by calling to GET Method {{HOST}}/api/v1beta1/providers/:id/resources/:resource_type/roles
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Yes | string | |
| resource_type | path | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Role] |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/providers/{{provider_id}}/resources/{{resource_type}}/roles'
Managing Resources
Resource in Guardian represents the actual resource in the provider e.g. for BigQuery provider, a resource represents a dataset or a table. One of Guardian's responsibility is to manage the access to resources, and in order to do that Guardian needs to be able to manage the resources as well.
Listing Resources
To get the list of all the resources available, call the GET Method on {{HOST}}/api/v1beta1/resources
Query Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| provider_type | query | Unique Provider name Enum: - bigquery , gcs , gcloud_iam , metabase , grafana , tableau , noop | No | string |
| provider_urn | query | Unique provider URN | No | string |
| type | query | Unique resource name Enum: - dataset , table for the BigQuery - folder , dashboard for the Grafana - project , organization for the Gcloud IAM - workbook , view , metric , datasource , flow for Tableau - bucket for Google Cloud Storage - database , table , collection , group for Metabase | No | string |
| urn | query | Unique Resource URN | No | string |
| name | query | Unique Resource Name | No | string |
| details | query | No | [string] | |
| is_deleted | query | Set to query for resources which have been deleted | No | bool |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Resource] |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/resources'
Viewing Resources
To see the details of a particular resource by id, call the GET Method on {{HOST}}/api/v1beta1/resources/:id using the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Resource Identifier | Yes | String |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Resource |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request GET '{{HOST}}/api/v1beta1/resources/{{resource_id}}'
Update Resources
Guardian allows users to add metadata to the resources. This can be useful when configuring the approval steps in the policy that needs information from metadata e.g. “owners” as the approvers.
Update a resource can be done by calling to PUT Method {{HOST}}/api/v1beta1/resources/:id
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Resource Identifier | Yes | String |
| body | body | Yes | Resource |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Resource |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request PUT '{{HOST}}/api/v1beta1/resources/{{resource_id}}' \
--header 'Content-Type: application/json' \
--data-raw '{
"details": {
"key1": "value1",
"key2": "value2"
}
}'
Delete Resource
To delete a particular provider from the database use the DELETE Method on {{HOST}}/api/v1beta1/resources/:id with the parameters as shown here:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Resource Identifier | Yes | String |
Response
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | NIL |
| default | An unexpected error response. | rpcStatus |
Managing Appeals
An appeal is essentially a request created by users to give them access to resources. In order to grant the access, an appeal has to be approved by approvers which is assigned based on the applied policy. Appeal contains information about the requested account, the creator, the selected resources, the specific role for accessing the resource, and options to determine the behaviour of the access e.g. permanent or temporary access.
Create Appeal
Guardian creates access for users to resources with configurable approval flow. Appeal created by user with specifying which resource they want to access and also the role.
Appeals can be created by calling the POST Method on {{HOST}}/api/v1beta1/appeals using the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| body | body | Contains account id and type of the user creating appeal. It also contains a list of resources for which request is created | Yes | Appeal Request |
| X-Auth-Email | header | Contains the user email creating the appeal | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Appeal |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request POST '{{HOST}}/api/v1beta1/appeals' \
--header 'X-Auth-Email: user@example.com' \
--header 'Content-Type: application/json' \
--data-raw '{
"account_id": "user@example.com",
"resources": [
{
"id": "a32b702a-029d-4d76-90c4-c3b8cc52941b",
"role": "viewer"
}
]
}'
List Appeals
To get the list of all appeals with addtional queries on the result, use the GET Method on {{HOST}}/api/v1beta1/appeals
The request parameters associated with this is API are as follows:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| account_id | query | this will be depcreate use account_ids | No | string |
| account_ids | query | No | [string] | |
| statuses | query | Enum: pending , rejected , active , terminated , cancelled | No | [string] |
| role | query | No | string | |
| provider_types | query | Enum: - bigquery , gcs , gcloud_iam , metabase , grafana , tableau , noop | No | [string] |
| provider_urns | query | No | [string] | |
| resource_types | query | No | [string] | |
| resource_urns | query | No | [string] | |
| order_by | query | No | [string] | |
| created_by | query | Email of the appeal creator | No | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Appeal] |
| default | An unexpected error response. | rpcStatus |
List User Appeal
To get the list of all the appeals by the current user, use the GET Method on {{HOST}}/api/v1beta1/me/appeals
The request parameters associated with this is API are as follows:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| statuses | query | Enum: pending , rejected , active , terminated , cancelled | No | [string] |
| role | query | No | string | |
| provider_types | query | Enum: - bigquery , gcs , gcloud_iam , metabase , grafana , tableau , noop | No | [string] |
| provider_urns | query | No | [string] | |
| resource_types | query | No | [string] | |
| resource_urns | query | No | [string] | |
| order_by | query | No | [string] | |
| X-Auth-Email | header | Contains the user email who is requesting for the list of all its appeals | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Appeal] |
| default | An unexpected error response. | rpcStatus |
Get Appeal
To get a particular appeal by its id use the GET Method on {{HOST}}/api/v1beta1/appeals/{id}
using the parameters given below:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Identifier for the Appeal | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Appeal |
| default | An unexpected error response. | rpcStatus |
Revoke Access
Access to a resource by a user can be revoked by calling the PUT Method on {{HOST}}/api/v1beta1/appeals/{id}/revoke using the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Identifier for the Appeal | Yes | string |
| reason | body | Contains the reason of revoking the access | No | string |
| X-Auth-Email | header | Contains the user/service account email of the person revoking the access | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Appeal |
| default | An unexpected error response. | rpcStatus |
Canceling Appeals
Appeal creator can cancel their appeal while it's status is still on pending.
Appeals can be canceled by calling the PUT Method on {{HOST}}/api/v1beta1/appeals/:id/cancel endpoint using the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Identifier for the Appeal | Yes | String |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Appeal |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request PUT '{{HOST}}/api/v1beta1/appeals/{{appeal_id}}/cancel'
Bulk Revoke Access
Bulk revoke of active resource-accesses based on parameters by calling the POST Method on {{HOST}}/api/v1beta1/appeals/revoke using the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| account_ids | query | No | [string] | |
| provider_types | query | Enum: - bigquery , gcs , gcloud_iam , metabase , grafana , tableau , noop | No | [string] |
| provider_urns | query | No | [string] | |
| resource_types | query | No | [string] | |
| resource_urns | query | No | [string] | |
| reason | query | No | string | |
| X-Auth-Email | header | Contains the user email who is requesting to bulk revoke of access | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | []Appeal |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
$ curl --request PUT '{{HOST}}/api/v1beta1/appeals/{{appeal_id}}/cancel'
$ curl --request POST 'localhost:3000/api/v1beta1/appeals/revoke'
--header 'X-Auth-Email: abc@xyz.com'
--header 'Content-Type: application/json'
--data-raw '{
"account_id":["user1.@domain1.com", "user2.@domain1.com"],
"reason": "Bulk revoke"
}'
List Approvals
To get the list of all approvals, use the GET Method on {{HOST}}/api/v1beta1/approvals using the following parameters as given below:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| account_id | query | No | string | |
| statuses | query | Enum: pending , rejected , active , terminated , cancelled | No | [string] |
| order_by | query | No | [string] | |
| created_by | query | No | string | |
| size | query | No | int | |
| offset | query | No | int |
Response
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Approval] |
| default | An unexpected error response. | rpcStatus |
List User Approvals
To get the list of all approvals for the current user, use the GET Method on {{HOST}}/api/v1beta1/me/approvals using the following parameters as given below:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| account_id | query | No | string | |
| statuses | query | Enum: pending , rejected , active , terminated , cancelled | No | [string] |
| order_by | query | No | [string] | |
| X-Auth-Email | header | Contains the user/service account email used for authorization | Yes | string |
Response
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | [Approval] |
| default | An unexpected error response. | rpcStatus |
Update Approval (Approving and Rejecting Appeals)
Appeals can be approved/rejected by calling the POST Method on {{HOST}}/api/v1beta1/appeals/:id/approvals/:approval_name endpoint with the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| id | path | Unique Identifier for the Appeal | Yes | String |
| approval_name | path | Name of the approval step. For instance resource_owner_approval or admin_approvalin this Example | Yes | String |
| action | body | Action which the approver wants to take(Approve or Reject) | Yes | Object(Action) |
| X-Auth-Email | header | Contains the approver's email id | Yes | string |
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | Appeal |
| default | An unexpected error response. | rpcStatus |
Here is an example below:
Approve an Appeal
$ curl --request POST '{{HOST}}/api/v1beta1/appeals/{{appeal_id}}/approvals/{{approval_step_name}}' \
--header 'X-Auth-Email: user@example.com' \
--header 'Content-Type: application/json' \
--data-raw '{
"action": "approve"
}'
Reject an Appeal
$ curl --request POST '{{HOST}}/api/v1beta1/appeals/{{appeal_id}}/approvals/{{approval_step_name}}' \
--header 'X-Auth-Email: user@example.com' \
--header 'Content-Type: application/json' \
--data-raw '{
"action": "reject",
"reason": "{{rejection_message}}"
}'
Add Approver
Approver can be added by calling POST /api/v1beta1/appeals/:appeal_id/approvals/:approval_id/approvers endpoint with the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| appeal_id | path | Unique identifier of the appeal | Yes | string(UUID) |
| approval_id | path | Unique identifier or name of the approval | Yes | string(UUID) or string |
| body | New approver email | Yes | Object(AddApproverRequest) |
Example:
$ curl --location --request POST '{{HOST}}/api/v1beta1/appeals/{{appeal_id}}/approvals/{{approval_id}}/approvers' \
--header 'Content-Type: application/json' \
--data-raw '{
"email": "new.approver@example.com"
}'
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | AddApproverResponse |
| default | An unexpected error response. | rpcStatus |
Delete Approver
Existing approver can be removed by calling DELETE /api/v1beta1/appeals/:appeal_id/approvals/:approval_id/approvers/:email endpoint with the following parameters:
Parameters
| Name | Located in | Description | Required | Type |
|---|---|---|---|---|
| appeal_id | path | Unique identifier of the appeal | Yes | string(UUID) |
| approval_id | path | Unique identifier or name of the approval | Yes | string(UUID) or string |
| path | To be deleted approver email | Yes | string |
Example:
$ curl --location --request DELETE '{{HOST}}/api/v1beta1/appeals/{{appeal_id}}/approvals/{{approval_id}}/approvers/{{email}}'
Responses
| Code | Description | Type |
|---|---|---|
| 200 | A successful response. | DeleteApproverResponse |
| default | An unexpected error response. | rpcStatus |
Models
rpcStatus
| Name | Type | Description | Required |
|---|---|---|---|
| code | integer | The status code, which should be an enum value of google.rpc.Code | No |
| message | string | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | No |
| details | [protobufAny] | A list of messages that carry the error details. There is a common set of message types for APIs to use. | No |
protobufAny
| Name | Type | Description | Required |
|---|---|---|---|
| typeUrl | string | A URL/resource name whose content describes the type of the serialized message | No |
| value | byte | Must be valid serialized data of the above specified type. | No |
providerResponse
| Name | Type | Description |
|---|---|---|
| id | string | Unique identifier for the Provider |
| Type | string | Name of the Provider type. Possible values: bigquery, metabase, tableau, gcloud_iam, grafana |
| URN | string | Provider instance identifier |
| Config | object(Provider Config) | Contains the credentials, provider type and URN, allowed account types and other info about the Provider |
| CreatedAt | dateTime | Timestamp when the resource is created. |
| UpdatedAt | dateTime | Timestamp when the resource was last updated |
Appeal Request Config
| Name | Type | Description |
|---|---|---|
| id | string | User/Service Account Email creating the appeal |
| account_type | [string] | Contains the allowed account type for the provider. For example, the possible values for BigQuery Provider and Google Cloud IAM is user and serviceAccount |
| resources | [Object(Resource)] | List of resource objects |
Resource
| Name | Type | Description |
|---|---|---|
| id | string | |
| role | string | Role to be assigned. Can be Viewer, Editor, Admin depending on the Provider |
| options | Object (Appeal Options) | |
| details | object | Additional information for the appeal. Details can be added from the appeal creation. |
AppealOptions
| Name | Type | Description |
|---|---|---|
| expiration_date | dateTime | Timestamp when the appeal expires |
| duration | string | Duration of the access to the resource |
Action
| Name | Type | Description |
|---|---|---|
| action | string | Can be Approve or Reject the Appeal |
| reason | string | In case an appeal is rejected, the reason is to be updated in this field |
AddApproverRequest
| Name | Type | Description |
|---|---|---|
| string | Email address of the new approver |
AddApproverResponse
| Name | Type | Description |
|---|---|---|
| appeal | Object(Appeal) | Appeal object |
DeleteApproverResponse
| Name | Type | Description |
|---|---|---|
| appeal | Object(Appeal) | Appeal object |