Software: Secure Workload
Activity: Configure

Viewing, Accepting, and Rejecting Policy Requests

When creating cross-scope policies using the method described in (Advanced) Create Cross-Scope Policies, a policy is required in the primary workspace of the provider's scope in addition to the policy in the consumer's scope. When a cross-scope policy is created in the primary workspace of the consumer's scope, a policy request is automatically created in the primary workspace of the provider's scope.

Use the information in this topic to accept the request (to create the required policy in the provider scope) or reject the request (in which case the cross-scope policy will not take effect).

To view, accept, or reject policy requests:

To

Do This

View all policy requests

  1. Choose Defend > Segmentation.

  2. Click Policy Requests at the top of the page.

  3. Click a consumer scope to see policy requests from that scope.

View policy requests for a particular scope

To view pending policy requests for a provider scope:

  1. Choose Defend > Segmentation.

  2. Click the primary workspace of the applicable scope.

  3. Click Manage Policies.

  4. Click Provided Services.

    If the tab does not display a number, there are no policy requests pending for this workspace.

  5. Click Policy Requests.

  6. Click a consumer scope to see policy requests from that scope.

Or

To view a policy request from the consumer scope:

In the Policies tab of the primary workspace of the consumer scope, click the value in the Protocols and Ports column, then look at the panel that opens on the right side of the page. In the Protocols and Ports section, click a yellow dot to see pending policy requests.

Manually accept a request and automatically create the required policy in the Provider scope

From either of the locations above, click Accept next to the policy request.

Manually reject a request

From either of the locations above, click Reject next to the policy request.

View policy request status from the consumer workspace

On the Policies page of the primary consumer workspace, click the policy, then click the port/protocol value. Status is shown in the panel that opens on the right.

A pending request is shown with a yellow dot:

When the request is accepted, the dot changes to a green check mark:

Click the indicator for details.

View policy request status from the provider's workspace

View request status in the Provided Services tab described above.

Allow policy discovery to create the required policy for the provider

Automatically discover policies in the provider scope's primary workspace, using a time range that ensures that the corresponding flows are seen, then publish the policy.

See also options for automating handling of policy requests

Automate Handling of Cross-Scope Policy Requests

Pending policy requests are indicated by a number on the Provided Services tab
Figure 1: Pending policy requests in the provider's workspace

Accepting Policy Requests: Details

Accepting a policy request on a service is equivalent to creating a policy from the requested filter as the consumer to the service as the provider. Additionally, upon accepting a policy request, the original policy from the consumer application’s workspace (in the example, FrontEnd App and Serving Layer) will be marked as accepted (see figures below).

Figure 2: Accepting/Rejecting policy requests
Figure 3: Policy status shown as Accepted

The new policy created on the provider application’s workspace (in this example, the workspace is named Tetration) is marked with a plus icon indicating that this policy was created due to an external policy request.

If the original policy on the consumer side is deleted after the policy request is accepted, the policy on the provider side will not be deleted. However, the tooltip next to the policy shows the original policy as deleted, with the timestamp of the event:

Figure 4: Provider side policy, created by accepting a policy request

Rejecting Policy Requests: Details

Rejecting a policy request does not create or update any policies. The original policy from the consumer application’s workspace (in the example, Serving Layer App) will be marked as rejected, but the policy remains in effect; that is, outbound traffic will still be allowed. The tooltip next to the rejected policy shows the provider application, the user who rejected the policy request, and the time of the rejection.

Figure 5: Policy status shown as Rejected
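
The accept, reject, and delete behavior described in the two Details sections, modeled in Python with an audit pass that flags the two states worth reviewing: rejected consumer policies that remain in effect, and provider policies whose original consumer policy was deleted. This is an added example, not Cisco code and not the product API; the class, field, and finding names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)  # identity comparison: two similar policies stay distinct
class Policy:
    workspace: str                      # scope whose primary workspace holds it
    consumer: str
    provider: str
    port: str
    status: str = "n/a"                 # consumer side: pending/accepted/rejected
    origin: Optional["Policy"] = None   # provider side: policy that raised the request
    original_deleted: bool = False

class CrossScopeModel:                  # hypothetical model, not the product API
    def __init__(self):
        self.policies, self.requests = [], []

    def create_cross_scope(self, consumer, provider, port):
        pol = Policy(consumer, consumer, provider, port, status="pending")
        self.policies.append(pol)
        self.requests.append(pol)       # request appears in the provider's workspace
        return pol

    def accept(self, req):
        self.requests.remove(req)
        req.status = "accepted"
        made = Policy(req.provider, req.consumer, req.provider, req.port, origin=req)
        self.policies.append(made)      # provider-side policy is created
        return made

    def reject(self, req):
        self.requests.remove(req)
        req.status = "rejected"         # nothing created; consumer policy stays

    def delete(self, pol):
        self.policies.remove(pol)
        for p in self.policies:         # provider-side policy is NOT removed
            if p.origin is pol:
                p.original_deleted = True

def audit(model):
    findings = []
    for p in model.policies:
        if p.status == "rejected":
            findings.append(("rejected-but-active", p.consumer, p.provider, p.port))
        if p.original_deleted:
            findings.append(("orphaned-provider-policy", p.consumer, p.provider, p.port))
    return findings
```

Call create_cross_scope, then accept, reject, or delete, and pass the model to audit to list the policies that need a manual review.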