Manage Permissions in Governor API
Summary
Application roles must be granted in Entra ID.
Additional policies must be added to the Policy DB as "Groups" and "Members".
The recommended way to add custom policies to the Policy DB or to assign new users to them is to update your Terraform repository and then re-deploy the environment.
Configuration Types
Every authorized user can read any configuration type.
Write operations are permitted for Governor.Admin and Governor.Engineer user roles, and for the ConfigurationType.Write application role.
Object Types
Every authorized user can read any object type.
Write operations are permitted for Governor.Admin and Governor.Engineer user roles, and for the ObjectType.Write application role.
Schemas
Every authorized user can read any object schema.
Write operations are permitted for Governor.Admin and Governor.Engineer user roles, and for Schema.Write application role.
Profiles
Every authorized user can read any profile.
Write operations are permitted for Governor.Admin and Governor.Engineer user roles, and for Profile.Write application role.
Controller Scripts
Without special permissions, users and applications are not allowed to list or see controller scripts and bindings.
Read and write operations are permitted for Governor.Admin and Governor.Engineer user roles, and for ControllerScript.Write application role.
Observation Results
Observation results can be submitted by Governor.Admin and Governor.Engineer user roles, and by Governor.Observer application role.
In addition, the submitter must be allowed by policy.
Syntax:
path="/ObservationResult:c({ConfigurationType.Id})" action="(write)"
Samples:
path="/ObservationResult:c(*)" action="(write)" | Submit any observation result
path="/ObservationResult:c(AzureADUser)" action="(write)" | Submit observation results for configuration type AzureADUser
Observation Errors
Observation errors can be submitted by Governor.Admin and Governor.Engineer user roles, and by Governor.Observer application role.
Any interactive user can list observation errors, but only Governor.Admin and Governor.Engineer roles are allowed to truncate the observation errors.
Observation Requests
To request a list observation, one must be an interactive user or must have the ObservationRequest.Write app role.
In addition, the submitter must be allowed by policy.
Syntax:
path="/ObserveAll:c({ConfigurationType.Id})" action="(write)"
Samples:
path="/ObserveAll:c(*)" action="(write)" | Request list observation on any configuration type
path="/ObserveAll:c(AzureADUser)" action="(write)" | Request list observation on configuration type "AzureADUser"
Execution Results
Execution results and errors can be submitted by Governor.Admin and Governor.Engineer user roles, and by applications with Governor.Executor application role.
In addition, the submitter must be allowed by policy.
Syntax:
path="/ExecutionResult:o({ObjectType.Id})" action="(write)"
path="/ExecutionResult:s({Schema.Id})" action="(write)"
Samples:
path="/ExecutionResult:o(*)" action="(write)" | Submit any execution result
path="/ExecutionResult:o(Users)" action="(write)" | Submit execution results for objects with objectType="Users"
path="/ExecutionResult:s(HybridUser)" action="(write)" | Submit execution results for objects with schema="HybridUser"
Governed Objects
To read governed objects, you must be an interactive user, or an application with app role GovernedObject.Read.
To manage governed objects, you must be an interactive user, or an application with app role GovernedObject.Write.
Governed objects are additionally protected by policy. To list or modify governed objects, you must have permission either by object type or by schema; a rule matching either one is sufficient.
Syntax:
path="/GovernedObject:o({ObjectType.Id})" action="(read)"
path="/GovernedObject:s({Schema.Id})" action="(read)"
path="/GovernedObject:o({ObjectType.Id})" action="(read|write)"
path="/GovernedObject:s({Schema.Id})" action="(read|write)"
Samples:
Read governed objects
---------------------
path="/GovernedObject:*" action="(read)" | read any governed object
path="/GovernedObject:s(HybridUser)" action="(read)" | read governed objects with schemaId="HybridUser". Read permission on "objects with schema X" allows you to re-observe a single object.
path="/GovernedObject:o(Users)" action="(read)" | read governed objects with objectTypeId="Users". Read permission on "objects with object type X" allows you to re-observe a single object.
Manage governed objects
-----------------------
path="/GovernedObject:*" action="(read|write)" | read/write any governed object
path="/GovernedObject:s(HybridUser)" action="(read|write)" | read/write governed objects with schemaId="HybridUser". Write permission includes invocation of custom actions.
path="/GovernedObject:o(Users)" action="(read|write)" | read/write governed objects with objectTypeId="Users". Write permission includes invocation of custom actions.
Invoke actions
--------------
path="/GovernedObject:s(CloudOnlyUser):a(*)" action="(invoke)" | invoke any action on governed objects with schemaId="CloudOnlyUser"
path="/GovernedObject:s(CloudOnlyUser):a(ResetPassword)" action="(invoke)" | invoke "ResetPassword" action on governed objects with schemaId="CloudOnlyUser"
Change Requests
To read change requests, you must be an interactive user or an application with app role ChangeRequests.Read.
To submit change requests, you must be an interactive user or an application with app role ChangeRequests.Write.
While interactive users can list all change requests, service principals can only see their own change requests.
Change request submission is additionally regulated by policies.
Syntax:
path="/CR:{ChangeRequest.Action}:s({ChangeRequest.Schema})" action="(write)"
path="/CR:CustomAction:s({ChangeRequest.Schema}):a({Action.Id})" action="(invoke)"
Samples:
path="/CR:*:s(*)" action="(write)" | submit any change request on all schemas
path="/CR:Create:s(*)" action="(write)" | submit "Create" requests for any schema
path="/CR:Create:s(HybridUser)" action="(write)" | submit "Create" requests with schema="HybridUser"
path="/CR:Update:s(HybridUser)" action="(write)" | submit "Update" requests with schema="HybridUser"
path="/CR:CustomAction:s(HybridUser):a(*)" action="(invoke)" | submit "CustomAction" requests on objects with schema="HybridUser"
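The following is an added example, not code from the Governor API or its policy DB. It evaluates rules written in the `path="..." action="(...)"` form used in the Observation Results, Execution Results, Governed Objects and Change Requests sections above, so you can check what a proposed policy set grants before committing it to the Terraform repository. The matching semantics are assumptions, since the page only shows samples: a bare `*` segment matches exactly one request segment, `s(*)`/`o(*)`/`c(*)`/`a(*)` match any value of that selector kind, a governed object is checked by object type and by schema (either is sufficient, as the page says), and a `write` grant on governed objects also covers invoking custom actions (also as the page says). Object type and schema identifiers other than those on the page, such as `Mailboxes` and `Contacts`, are illustrative.

```python
"""Policy-path matcher in the style of the Governor API policy DB rules.

Added example, not the project's own code. Assumed semantics (not stated on the page):
  - a path is split into ':'-separated segments; the first is the resource
    ("/GovernedObject", "/CR", ...), the rest are literal words ("Create") or
    selectors of the form kind(value), e.g. s(HybridUser)
  - a selector value of "*" matches any value of that selector kind
  - a bare "*" segment matches exactly one request segment of any form
  - action="(read|write)" grants each listed action
  - a governed object is addressable by object type and by schema; a request is
    granted if a rule matches either path
  - on governed objects a "write" grant also covers invoking custom actions
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r'path="([^"]+)"\s+action="\(([^)]+)\)"')
SELECTOR_RE = re.compile(r'^([A-Za-z]+)\((.+)\)$')


@dataclass(frozen=True)
class Rule:
    segments: tuple
    actions: frozenset


def parse_rule(text):
    """Parse one rule written as on this page: path="..." action="(a|b)"."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError(f"not a policy rule: {text!r}")
    path, actions = m.groups()
    return Rule(tuple(path.split(":")), frozenset(a.strip() for a in actions.split("|")))


def _segment_matches(pattern, actual):
    if pattern == "*":
        return True
    p, a = SELECTOR_RE.match(pattern), SELECTOR_RE.match(actual)
    if p and a:
        return p.group(1) == a.group(1) and p.group(2) in ("*", a.group(2))
    return pattern == actual  # literal segment such as "/CR" or "Create"


def rule_matches(rule, path, action):
    segs = path.split(":")
    return (action in rule.actions
            and len(segs) == len(rule.segments)
            and all(_segment_matches(p, s) for p, s in zip(rule.segments, segs)))


def is_allowed(rules, candidate_paths, action):
    """True if some rule grants `action` on any of the candidate paths."""
    for path in candidate_paths:
        if any(rule_matches(r, path, action) for r in rules):
            return True
        # Write permission on governed objects includes invocation of custom actions.
        if action == "invoke" and path.startswith("/GovernedObject:") and ":a(" in path:
            parent = path.rsplit(":", 1)[0]
            if any(rule_matches(r, parent, "write") for r in rules):
                return True
    return False


def governed_object_paths(object_type_id, schema_id, action_name=None):
    """The two paths by which one governed object is addressed: by object type and by schema."""
    suffix = f":a({action_name})" if action_name else ""
    return [f"/GovernedObject:o({object_type_id}){suffix}",
            f"/GovernedObject:s({schema_id}){suffix}"]


def may_submit_observation_result(principal_roles, rules, configuration_type_id):
    """Role gate (as listed on the page) and policy gate: both must pass."""
    role_ok = bool(principal_roles & {"Governor.Admin", "Governor.Engineer", "Governor.Observer"})
    return role_ok and is_allowed(rules, [f"/ObservationResult:c({configuration_type_id})"], "write")


# Constructed sample policy, following the samples on this page.
SAMPLE_POLICY = [parse_rule(line) for line in """
path="/ObservationResult:c(AzureADUser)" action="(write)"
path="/GovernedObject:s(HybridUser)" action="(read)"
path="/GovernedObject:o(Users)" action="(read|write)"
path="/GovernedObject:s(CloudOnlyUser):a(ResetPassword)" action="(invoke)"
path="/CR:Create:s(*)" action="(write)"
""".strip().splitlines()]


def demo():
    """Decisions for a few requests against SAMPLE_POLICY (identifiers are illustrative)."""
    p = SAMPLE_POLICY
    return {
        "observe_azure_ad_user": is_allowed(p, ["/ObservationResult:c(AzureADUser)"], "write"),
        "observe_other_type": is_allowed(p, ["/ObservationResult:c(AzureADGroup)"], "write"),
        "write_via_object_type": is_allowed(p, governed_object_paths("Users", "HybridUser"), "write"),
        "write_via_schema_read_only": is_allowed(p, governed_object_paths("Contacts", "HybridUser"), "write"),
        "reset_password_explicit_invoke": is_allowed(p, governed_object_paths("Mailboxes", "CloudOnlyUser", "ResetPassword"), "invoke"),
        "disable_not_granted": is_allowed(p, governed_object_paths("Mailboxes", "CloudOnlyUser", "Disable"), "invoke"),
        "disable_via_object_type_write": is_allowed(p, governed_object_paths("Users", "CloudOnlyUser", "Disable"), "invoke"),
        "create_any_schema": is_allowed(p, ["/CR:Create:s(HybridUser)"], "write"),
        "update_not_granted": is_allowed(p, ["/CR:Update:s(HybridUser)"], "write"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} {'ALLOW' if decision else 'DENY'}")
```

Note that the matcher is deliberately exact about segment count: `/GovernedObject:*` with `(read)` lets a principal read objects of any schema or object type, but does not by itself grant `invoke` on `/GovernedObject:s(X):a(Y)`; the invoke fallback only fires when a rule grants `write` on the parent path, which is the inclusion the page describes. If the real evaluator treats wildcards differently, adjust `_segment_matches` and re-run the decisions before relying on a policy set.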