
Understanding policies
Policies are user-defined rules that establish desired behaviors. Blue Planet supports two types of policies on a per-tenant basis:
- Authorization: accept or deny access to Blue Planet REST API calls. The RBAC system controls access to all the Blue Planet app REST APIs from a REST operation perspective. The authorization policies allow more detailed REST API access controls to the Orchestration app.
- Event: policies to monitor the BPO event bus and to react to specific events.
The following table describes the attributes of the policy structure that you set for REST API calls.
Attribute | Description | Examples |
---|---|---|
Triggers | Defines when a policy needs to be evaluated | Authorization policies are triggered by REST API calls. |
Conditions | Defines the logic that determines if policy conditions are met, yields a Boolean (true or false) answer | Authorization condition such as user role equals admin. |
Actions | Indicates the resulting action to take if the policy conditions are met | Authorization policy actions are accept or deny. |
The following figure depicts the Blue Planet Policy Manager workflow.

Callout | Description |
---|---|
1 | Relates to event authorization policies. Authorizes REST authentication. |
2 | Relates to event policies. |
REST API calls to the Blue Planet orchestrator app or internal events trigger the Policy Manager. The Policy Manager finds applicable policies in its database and performs the actions contained in the policies if their conditions are met.
For example, Blue Planet receives an API call to create a domain and allows the request since the requester has an admin role that satisfies an authorization policy condition for this operation.
The actions for an authorization policy are to accept or deny the request. The actions for an event policy are to send out a REST API call, an internal BP event, or both.
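The trigger, condition and action flow described above can be modeled in a few lines. This is an added example, not Blue Planet's policy schema or API: the `Request` fields, the `/domains` path, the policy names, and the handling of conflicting or unmatched policies (deny overrides accept, no match means deny) are all assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    """A REST API call as seen by the evaluator (hypothetical fields)."""
    method: str
    path: str
    roles: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    trigger: Callable[[Request], bool]    # when the policy is evaluated
    condition: Callable[[Request], bool]  # Boolean test on the request
    action: str                           # "accept" or "deny"


def evaluate(policies, request):
    """Return (decision, names of policies whose conditions were met).

    Assumptions of this sketch, not documented product behavior:
    a met deny overrides any accept, and a request that meets no
    policy is denied.
    """
    met = [p for p in policies if p.trigger(request) and p.condition(request)]
    names = [p.name for p in met]
    if any(p.action == "deny" for p in met):
        return "deny", names
    if any(p.action == "accept" for p in met):
        return "accept", names
    return "deny", names


def is_domain_create(r):
    # Constructed trigger: matches the "create a domain" call from the text.
    return r.method == "POST" and r.path == "/domains"


# Constructed policies for illustration.
POLICIES = [
    Policy("admin-may-create-domain", is_domain_create,
           lambda r: "admin" in r.roles, "accept"),
    Policy("suspended-blocked", lambda r: True,
           lambda r: "suspended" in r.roles, "deny"),
]

if __name__ == "__main__":
    admin = Request("POST", "/domains", frozenset({"admin"}))
    print(evaluate(POLICIES, admin))
```

The page does not state what happens when no policy matches or when an accept and a deny policy both match, so confirm that behavior on a test tenant before relying on authorization policies as an access control.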