
When Consumer and Provider Are in Different Scopes: Policy Options

Example Scenario

The following situation is an example showing cross-scope traffic:

Your scope hierarchy includes a Network Services scope that includes an authentication application (the provider). An HR application, which is a member of a scope on a different branch of the scope hierarchy, is a consumer of the service provided by the authentication application.

[Figure: Example of cross-scope situation]

Policy Options

Secure Workload offers several ways to address this situation:

Option: Create these policies in a parent or ancestor scope that includes both consumer and provider as children or descendants

  Instructions:

  • Manually create one or more policies in the common-ancestor scope.

    (Optional) For more precise policies, group workloads using inventory filters. For examples and instructions, see Create an Inventory Filter.

  • Automatically discover policies in the common-ancestor scope, for the entire branch of the scope tree.

  Pros and Cons:

  • These methods are the simplest way to address cross-scope policies.

  • These methods require only one policy per consumer-provider pair.

  • If you are considering using automatic policy discovery, see important considerations in Discover Policies for One Scope or for a Branch of the Scope Tree.

Option: Use the advanced method for creating cross-scope policies

  Instructions:

  • Automatically discover policies for each individual scope.

  • See (Advanced) Create Cross-Scope Policies.

    (This procedure applies to both manually created policies and discovered policies.)

  Pros and Cons:

  • This method requires two policies for each consumer-provider pair: a policy for the consumer and a policy for the provider.

  • This method allows policy creation when consumer and provider policies are owned by different people.

  • See other considerations in Discover Policies for One Scope or for a Branch of the Scope Tree.