Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Policy resources

policy/access

AccessReport

Represents any access made by the user.

Example

{
  "action": "Accept",
  "enforcerID": "xxx-xxx-xxx",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitName": "pu1",
  "processingUnitNamespace": "/my/ns",
  "type": "SSHLogin"
}

Relations

POST /accessreports

Create an access report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject)

Action applied to the access.

claimHash

Type: string

Hash of the claims used to communicate.

enforcerID [required]

Type: string

Identifier of the enforcer.

enforcerNamespace [required]

Type: string

Namespace of the enforcer.

processingUnitID

Type: string

ID of the processing unit of the report.

processingUnitName

Type: string

Name of the processing unit of the report.

processingUnitNamespace

Type: string

Namespace of the processing unit of the report.

reason

Type: string

This field is only set if action is set to Reject. It specifies the reason for the rejection.

timestamp

Type: time

Date of the report.

type [required]

Type: enum(SSHLogin | SSHLogout | SudoEnter | SudoExit)

Type of the report.
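The AccessReport objects above are what an enforcer posts for every SSH login and sudo transition, so they are a natural feed for a defender's review. The following is an added example, not code from the page or from the product: it validates a report against the required fields and enum values listed above, then runs two simple checks over a constructed batch of reports, counting rejected SSH logins per processing unit and finding processing units whose accepted SudoEnter reports were never balanced by a SudoExit. The sample reports, IDs and reasons are constructed for the example.

```python
from collections import Counter, defaultdict

# Enum values and required attributes as listed for AccessReport above.
ACTIONS = {"Accept", "Reject"}
REPORT_TYPES = {"SSHLogin", "SSHLogout", "SudoEnter", "SudoExit"}
REQUIRED = ("action", "enforcerID", "enforcerNamespace", "type")

# Constructed sample reports (not from the page): two processing units, a few
# rejected SSH logins, and a sudo session on pu-2 that is never closed.
SAMPLE_REPORTS = [
    {"action": "Accept", "type": "SSHLogin", "processingUnitID": "pu-1",
     "enforcerID": "enf-a", "enforcerNamespace": "/acme/prod", "timestamp": "2021-10-08T10:00:00Z"},
    {"action": "Reject", "type": "SSHLogin", "processingUnitID": "pu-1",
     "enforcerID": "enf-a", "enforcerNamespace": "/acme/prod", "reason": "no matching policy",
     "timestamp": "2021-10-08T10:00:05Z"},
    {"action": "Reject", "type": "SSHLogin", "processingUnitID": "pu-1",
     "enforcerID": "enf-a", "enforcerNamespace": "/acme/prod", "reason": "no matching policy",
     "timestamp": "2021-10-08T10:00:09Z"},
    {"action": "Reject", "type": "SSHLogin", "processingUnitID": "pu-2",
     "enforcerID": "enf-b", "enforcerNamespace": "/acme/prod", "reason": "claims not valid",
     "timestamp": "2021-10-08T10:01:00Z"},
    {"action": "Accept", "type": "SudoEnter", "processingUnitID": "pu-1",
     "enforcerID": "enf-a", "enforcerNamespace": "/acme/prod", "timestamp": "2021-10-08T10:02:00Z"},
    {"action": "Accept", "type": "SudoExit", "processingUnitID": "pu-1",
     "enforcerID": "enf-a", "enforcerNamespace": "/acme/prod", "timestamp": "2021-10-08T10:03:00Z"},
    {"action": "Accept", "type": "SSHLogin", "processingUnitID": "pu-2",
     "enforcerID": "enf-b", "enforcerNamespace": "/acme/prod", "timestamp": "2021-10-08T10:04:00Z"},
    {"action": "Accept", "type": "SudoEnter", "processingUnitID": "pu-2",
     "enforcerID": "enf-b", "enforcerNamespace": "/acme/prod", "timestamp": "2021-10-08T10:05:00Z"},
    {"action": "Reject", "type": "SudoEnter", "processingUnitID": "pu-2",
     "enforcerID": "enf-b", "enforcerNamespace": "/acme/prod", "reason": "user not allowed to sudo",
     "timestamp": "2021-10-08T10:06:00Z"},
]


def validate_report(report):
    """Return a list of problems with one report: missing required fields or bad enum values."""
    errors = [f"missing {field}" for field in REQUIRED if field not in report]
    if report.get("action") not in ACTIONS:
        errors.append(f"invalid action {report.get('action')!r}")
    if report.get("type") not in REPORT_TYPES:
        errors.append(f"invalid type {report.get('type')!r}")
    return errors


def rejected_logins_per_pu(reports):
    """Count rejected SSH logins per processing unit ID."""
    return Counter(r["processingUnitID"] for r in reports
                   if r["action"] == "Reject" and r["type"] == "SSHLogin")


def rejection_reasons(reports):
    """Count the rejection reasons seen across all rejected reports."""
    return Counter(r.get("reason", "<unspecified>") for r in reports if r["action"] == "Reject")


def open_sudo_sessions(reports):
    """Return {processingUnitID: depth} for PUs where accepted SudoEnter reports
    outnumber SudoExit reports. Rejected SudoEnter reports open nothing."""
    depth = defaultdict(int)
    for r in sorted(reports, key=lambda r: r["timestamp"]):
        if r["action"] != "Accept":
            continue
        if r["type"] == "SudoEnter":
            depth[r["processingUnitID"]] += 1
        elif r["type"] == "SudoExit":
            depth[r["processingUnitID"]] -= 1
    return {pu: d for pu, d in depth.items() if d > 0}


if __name__ == "__main__":
    print("rejected SSH logins:", dict(rejected_logins_per_pu(SAMPLE_REPORTS)))
    print("reasons:", dict(rejection_reasons(SAMPLE_REPORTS)))
    print("open sudo sessions:", open_sudo_sessions(SAMPLE_REPORTS))
```

Sorting by timestamp before pairing SudoEnter with SudoExit matters because reports from several enforcers can arrive out of order; the depth counter tolerates nested sudo sessions as well.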

UserAccessPolicy

The enforcer policy that controls user access.

Example

{
  "disabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /useraccesspolicies

Retrieves the list of user access policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /useraccesspolicies

Creates a new enforcer policy.

DELETE /useraccesspolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /useraccesspolicies/:id

Retrieves the policy with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /useraccesspolicies/:id

Updates the policy with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
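activeSchedule and activeDuration together define a recurring activation window: each cron trigger opens the policy for activeDuration. The following is an added example, not code from the page or the product, that validates activeDuration against the documented format `^[0-9]+[smh]$`, evaluates a five-field cron expression, and decides whether a policy is active at a given instant. The cron matcher is a deliberately small one (supporting `*`, `*/n`, `a`, `a-b` and comma lists; when both day fields are restricted it requires both to match, which is a simplification of standard cron), and all timestamps are treated as naive UTC; these are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Format taken from the activeDuration attribute above.
DURATION_RE = re.compile(r"^[0-9]+[smh]$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def is_valid_active_duration(value):
    return bool(DURATION_RE.match(value))


def parse_active_duration(value):
    """Turn '30m', '8h', '45s' into a timedelta; reject anything outside the format."""
    if not is_valid_active_duration(value):
        raise ValueError(f"activeDuration {value!r} does not match ^[0-9]+[smh]$")
    return timedelta(seconds=int(value[:-1]) * UNIT_SECONDS[value[-1]])


def _field_matches(field, value, lo=0):
    """Match one cron field: '*', '*/n', 'a', 'a-b', and comma lists of those."""
    for part in field.split(","):
        if part == "*":
            return True
        if part.startswith("*/"):
            if (value - lo) % int(part[2:]) == 0:
                return True
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
            if start <= value <= end:
                return True
        elif int(part) == value:
            return True
    return False


def cron_matches(schedule, when):
    """Five-field cron: minute hour day-of-month month day-of-week (Sunday = 0)."""
    fields = schedule.split()
    if len(fields) != 5:
        raise ValueError("activeSchedule must have exactly 5 cron fields")
    dow = (when.weekday() + 1) % 7          # Python Monday=0 -> cron Sunday=0
    checks = [
        (fields[0], when.minute, 0),
        (fields[1], when.hour, 0),
        (fields[2], when.day, 1),
        (fields[3], when.month, 1),
        (fields[4], dow, 0),
    ]
    return all(_field_matches(f, v, lo) for f, v, lo in checks)


def policy_active_at(active_schedule, active_duration, when):
    """A trigger at minute t keeps the policy active for [t, t + duration).
    So the policy is active at `when` if some matching minute t satisfies
    when - duration < t <= when. Walk back minute by minute over that window."""
    duration = parse_active_duration(active_duration)
    earliest = when - duration
    t = when.replace(second=0, microsecond=0)
    while t > earliest:
        if cron_matches(active_schedule, t):
            return True
        t -= timedelta(minutes=1)
    return False


if __name__ == "__main__":
    # Business-hours window: weekdays at 09:00 for 8 hours. 2021-10-08 is a Friday.
    print(policy_active_at("0 9 * * 1-5", "8h", datetime(2021, 10, 8, 12, 0)))   # True
    print(policy_active_at("0 9 * * 1-5", "8h", datetime(2021, 10, 8, 18, 0)))   # False
    print(policy_active_at("0 9 * * 1-5", "8h", datetime(2021, 10, 9, 12, 0)))   # False (Saturday)
```

Walking back over the window rather than computing the "next trigger" keeps the logic obviously correct for short durations such as `30s`, where the policy is only active during part of the trigger minute.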

allowedSudoUsers

Type: []string

Indicates the list of users who can use sudo commands.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Contains the tag expression matching the enforcers the subject is allowed to connect to.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Contains the tag expression the tags need to match for the policy to apply.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/audit

AuditProfile

A set of audit rules that determine the types of events that must be captured in the kernel.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /auditprofiles

Retrieves the list of audit profiles.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /auditprofiles

Creates a new audit profile.

DELETE /auditprofiles/:id

Deletes the profile with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /auditprofiles/:id

Retrieves the object with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /auditprofiles/:id

Updates the profile with the given ID.

GET /auditprofilemappingpolicies/:id/auditprofiles

Returns the list of audit profiles that are referred to by this mapping.

GET /enforcers/:id/auditprofiles

Returns a list of the audit profiles that must be applied to this enforcer.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

rules

Type: _audit_profile_rule_list

List of audit rules associated with this profile.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

AuditProfileMappingPolicy

Use an audit profile mapping to define the set of enforcers that must implement a specific audit profile.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /auditprofilemappingpolicies

Retrieves the list of audit profile mapping policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /auditprofilemappingpolicies

Creates a new audit profile mapping policy.

DELETE /auditprofilemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /auditprofilemappingpolicies/:id

Retrieves the mapping with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /auditprofilemappingpolicies/:id

Updates the mapping with the given ID.

GET /auditprofilemappingpolicies/:id/auditprofiles

Returns the list of audit profiles that are referred to by this mapping.

GET /auditprofilemappingpolicies/:id/enforcers

Returns the list of enforcers that are affected by this mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

The tag or tag expression that identifies the audit profile to be mapped.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

The tag or tag expression that identifies the enforcer(s) to implement the audit profile.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

AuditReport

Post a new audit report.

Example

{
  "AUID": "xxx-xxx",
  "CWD": "/etc",
  "EXE": "/bin/ls",
  "a0": "xxx-xxx",
  "a1": "xxx-xxx",
  "a2": "xxx-xxx",
  "a3": "xxx-xxx",
  "arch": "x86_64",
  "auditProfileID": "xxx-xxx-xxx-xxx",
  "auditProfileNamespace": "/my/ns",
  "command": "ls",
  "enforcerID": "xxx-xxx-xxx-xxx",
  "enforcerNamespace": "/my/ns",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitNamespace": "/my/ns",
  "recordType": "Syscall",
  "success": false,
  "syscall": "execve",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Relations

POST /auditreports

Create an audit statistics report.

Attributes

AUID

Type: string

The login ID of the user who started the audited process.

CWD

Type: string

Command working directory.

EGID

Type: integer

Effective group ID of the user who started the audited process.

EUID

Type: integer

Effective user ID of the user who started the audited process.

EXE

Type: string

Path to the executable.

FSGID

Type: integer

File system group ID of the user who started the audited process.

FSUID

Type: integer

File system user ID of the user who started the audited process.

FilePath

Type: string

Full path of the file that was passed to the system call.

GID

Type: integer

Group ID of the user who started the analyzed process.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

PER

Type: integer

File or directory permissions.

PID

Type: integer

Process ID of the executable.

PPID

Type: integer

Process ID of the parent executable.

SGID

Type: integer

Set group ID of the user who started the audited process.

SUID

Type: integer

Set user ID of the user who started the audited process.

UID

Type: integer

User ID.

a0

Type: string

First argument of the executed system call.

a1

Type: string

Second argument of the executed system call.

a2

Type: string

Third argument of the executed system call.

a3

Type: string

Fourth argument of the executed system call.

arch

Type: string

Architecture of the system of the monitored process.

arguments

Type: []string

Arguments passed to the command.

auditProfileID [required]

Type: string

ID of the audit profile that triggered the report.

auditProfileNamespace [required]

Type: string

Namespace of the audit profile that triggered the report.

command

Type: string

Command issued.

enforcerID [required]

Type: string

ID of the enforcer reporting.

enforcerNamespace [required]

Type: string

Namespace of the enforcer reporting.

exit

Type: integer

Exit code of the executed system call.

processingUnitID [required]

Type: string

ID of the processing unit originating the report.

processingUnitNamespace [required]

Type: string

Namespace of the processing unit originating the report.

recordType [required]

Type: string

Type of audit record.

sequence

Type: integer

Needs documentation.

success

Type: boolean

Tells if the operation has been a success or a failure.

syscall

Type: string

System call executed.

timestamp [required]

Type: time

Date of the report.

policy/authorization

APIAuthorizationPolicy

An API authorization defines the operations a user can perform in a namespace: GET, POST, PUT, DELETE, PATCH, and/or HEAD. It is also possible to restrict the user to a subset of the APIs in the namespace by setting authorizedIdentities. An API authorization always propagates down to all the children of the current namespace.

Example

{
  "authorizedIdentities": [
    "@auth:role=namespace.administrator"
  ],
  "authorizedNamespace": "/namespace",
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagationHidden": false,
  "protected": false
}

Relations

GET /apiauthorizationpolicies

Retrieves the list of API authorizations.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /apiauthorizationpolicies

Creates a new API authorization.

DELETE /apiauthorizationpolicies/:id

Deletes the authorization with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /apiauthorizationpolicies/:id

Retrieves the authorization with the given ID.

PUT /apiauthorizationpolicies/:id

Updates the authorization with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizedIdentities [required]

Type: []string

A list of roles assigned to the user.

authorizedNamespace [required]

Type: string

Defines the namespace the user is authorized to access.

authorizedSubnets

Type: []string

If set, the API authorization will only be valid if the request comes from one of the declared subnets.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

expirationTime

Type: time

If set, the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagationHidden

Type: boolean

If set to true while the policy is propagating, it won’t be visible to child namespaces, but it is still used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression that identifies the authorized user(s).

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

APICheck

Allows you to verify whether a client identified by its token is allowed to perform some operations on some APIs.

Example

{
  "namespace": "/namespace",
  "operation": "Create",
  "targetIdentities": [
    "processingunit",
    "enforcer"
  ]
}

Relations

POST /apichecks

Verifies the authorizations on various identities for a given token.

Attributes

authorized [autogenerated,read_only]

Type: map[string]bool

Contains the results of the check.

namespace [required]

Type: string

The namespace to use to check the API authorization.

operation [required]

Type: enum(Create | Delete | Info | Patch | Retrieve | RetrieveMany | Update)

The operation you want to check.

targetIdentities [required]

Type: []string

Contains the list of identities you want to check the authorization of.
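To make the APIAuthorizationPolicy attributes and the APICheck response concrete, here is an added example (not code from the page or the product) of how a policy-based check can be evaluated: the policy's subject tag expression is matched against the caller's tags, authorizedNamespace is applied to the requested namespace and all of its children (the page states that an API authorization always propagates down), authorizedSubnets is checked against the caller's source IP, and the roles in authorizedIdentities are expanded to the operations they grant. The result has the shape of APICheck's `authorized` attribute, a map from identity to boolean. The tag-expression semantics (outer list OR, inner list AND), the role table, and all sample policies, tags and addresses are assumptions constructed for the example; fallback, activeSchedule and propagationHidden are not modelled.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed role table (hypothetical shape): role key -> {identity: [operations]}.
# "*" stands for every identity. Operation names are those of APICheck's enum.
ROLES = {
    "@auth:role=namespace.viewer": {
        "processingunit": ["Retrieve", "RetrieveMany"],
        "enforcer": ["Retrieve", "RetrieveMany"],
    },
    "@auth:role=namespace.administrator": {
        "*": ["Create", "Delete", "Info", "Patch", "Retrieve", "RetrieveMany", "Update"],
    },
}

# Constructed APIAuthorizationPolicy objects (sample data, not from the page).
POLICIES = [
    {
        "name": "platform-viewers",
        "subject": [["@auth:realm=oidc", "team=platform"]],
        "authorizedNamespace": "/acme",
        "authorizedIdentities": ["@auth:role=namespace.viewer"],
        "authorizedSubnets": ["10.0.0.0/8"],     # office range only
        "disabled": False,
    },
    {
        "name": "prod-admins",
        "subject": [["team=platform", "oncall=true"]],
        "authorizedNamespace": "/acme/prod",
        "authorizedIdentities": ["@auth:role=namespace.administrator"],
        "authorizedSubnets": [],                 # no source restriction
        "disabled": False,
    },
    {
        "name": "retired-admins",
        "subject": [["team=platform"]],
        "authorizedNamespace": "/acme",
        "authorizedIdentities": ["@auth:role=namespace.administrator"],
        "authorizedSubnets": [],
        "disabled": True,                        # must never grant anything
    },
]


def tags_match(expression, tags):
    """[][]string tag expression: any clause (OR) whose tags are all present (AND)."""
    return any(all(t in tags for t in clause) for clause in expression)


def namespace_within(namespace, parent):
    """True if `namespace` is `parent` or one of its descendants."""
    return namespace == parent or namespace.startswith(parent.rstrip("/") + "/")


def policy_applies(policy, user_tags, source_ip, namespace):
    if policy.get("disabled"):
        return False
    if not tags_match(policy["subject"], user_tags):
        return False
    if not namespace_within(namespace, policy["authorizedNamespace"]):
        return False
    subnets = policy.get("authorizedSubnets") or []
    if subnets and not any(ip_address(source_ip) in ip_network(s) for s in subnets):
        return False
    return True


def api_check(policies, roles, user_tags, source_ip, namespace, operation, target_identities):
    """Answer an APICheck-style question: for each target identity, may this
    caller perform `operation` in `namespace`? Returns {identity: bool}."""
    allowed = defaultdict(set)
    for policy in policies:
        if not policy_applies(policy, user_tags, source_ip, namespace):
            continue
        for role in policy["authorizedIdentities"]:
            for identity, ops in roles.get(role, {}).items():
                allowed[identity].update(ops)
    return {
        identity: operation in allowed[identity] or operation in allowed["*"]
        for identity in target_identities
    }


if __name__ == "__main__":
    viewer = {"@auth:realm=oidc", "team=platform"}
    print(api_check(POLICIES, ROLES, viewer, "10.1.2.3", "/acme/prod", "Retrieve", ["processingunit", "enforcer"]))
    print(api_check(POLICIES, ROLES, viewer, "192.0.2.10", "/acme/prod", "Retrieve", ["processingunit"]))
```

Note that the check is deny-by-default: an identity the caller has no role for, a namespace outside every authorizedNamespace, or a source address outside authorizedSubnets all yield `False` without any explicit deny rule.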

AppCredential

Create an app credential.

Example

{
  "CSR": "-----BEGIN CERTIFICATE REQUEST-----\nMIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV\nBAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln\naUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo\nwp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c\n1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI\nWDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ\nwIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR\nBPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ\nKoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D\nhJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY\nQ4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/\nZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn\n29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2\n97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=\n-----END CERTIFICATE REQUEST-----",
  "disabled": false,
  "name": "the name",
  "protected": false,
  "roles": [
    "@auth:role=enforcer",
    "@auth:role=kubesquall"
  ]
}

Relations

GET /appcredentials

Retrieves the list of app credentials.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

POST /appcredentials

Creates a new app credential.

DELETE /appcredentials/:id

Deletes the app credential with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /appcredentials/:id

Retrieves the app credential with the given ID.

PUT /appcredentials/:id

Updates the app credential with the given ID.

Attributes

CSR

Type: string

Contains a PEM-encoded certificate signing request (CSR). It can only be set during a renew.

  • The CN MUST be app:credential:<appcred-id>:<appcred-name>
  • The O MUST be the namespace of the app credential

If you send anything else, the signing request will be rejected.

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizedSubnets

Type: []string

If set, the app credential will only be valid if the request comes from one of the declared subnets.

certificate [read_only]

Type: string

The string representation of the certificate used by the app credential.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

credentials [autogenerated,read_only]

Type: credential

The app credential data.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

email

Type: string

The email address that will receive a copy of the app credential.

maxIssuedTokenValidity

Type: string

If set, this will limit the maximum validity of the token issued from this app credential. This information will be embedded into the delivered certificate and cannot be changed once set. In order to change it, you need to renew the certificate.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parentIDs [autogenerated,read_only]

Type: []string

Contains the ID of the parent app credential if this is a derived app credential.

protected

Type: boolean

Defines if the object is protected.

roles [required]

Type: []string

List of roles to give the app credential.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
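The CSR attribute above pins two subject fields: the CN must be `app:credential:<appcred-id>:<appcred-name>` and the O must be the app credential's namespace, or the signing request is rejected. The following added example, not code from the page or the product, shows what that check looks like on the requester's side before a renew is submitted. It extracts the subject of a PEM-encoded CSR with a minimal DER walker (standard library only) and compares CN and O against the rule. As input it uses the page's own example CSR, whose subject (CN=example.digicert.com, O=DigiCert Inc.) does not satisfy the rule and is therefore reported with two errors; the app credential ID, name and namespace passed to the check are constructed.

```python
import base64

# Subject attribute OIDs for commonName and organizationName.
OID_CN = "2.5.4.3"
OID_O = "2.5.4.10"

# The example CSR from the AppCredential example above (not a credential of any real app).
PAGE_EXAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----"""


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(content):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _der_tlv(content, pos)
        out.append((tag, value))
    return out


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def csr_subject(pem):
    """Return {oid: [values]} for the subject Name of a PKCS#10 CSR."""
    b64 = "".join(line.strip() for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    _, csr, _ = _der_tlv(der, 0)
    info = _der_children(csr)[0][1]         # CertificationRequestInfo
    subject = _der_children(info)[1][1]     # version, subject, subjectPKInfo, [0] attributes
    fields = {}
    for _, rdn in _der_children(subject):   # SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _der_children(rdn):
            (_, oid), (_, value) = _der_children(atv)
            fields.setdefault(_decode_oid(oid), []).append(value.decode("utf-8"))
    return fields


def appcred_csr_errors(subject, appcred_id, appcred_name, namespace):
    """Apply the CN/O rule from the CSR attribute; an empty list means the subject is acceptable."""
    expected_cn = f"app:credential:{appcred_id}:{appcred_name}"
    errors = []
    if subject.get(OID_CN) != [expected_cn]:
        errors.append(f"CN must be {expected_cn!r}, got {subject.get(OID_CN)}")
    if subject.get(OID_O) != [namespace]:
        errors.append(f"O must be {namespace!r}, got {subject.get(OID_O)}")
    return errors


if __name__ == "__main__":
    subject = csr_subject(PAGE_EXAMPLE_CSR)
    print(subject)
    for err in appcred_csr_errors(subject, "appcred-id-placeholder", "my-cred", "/acme/prod"):
        print("rejected:", err)
```

Checking the subject locally before calling PUT /appcredentials/:id avoids burning a renew attempt on a CSR the server will refuse; the DER walker deliberately reads only the subject and never touches the key material or the signature.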

Credential

Represents an app credential.

Attributes

APIURL

Type: string

The URL of the Microsegmentation Console API.

ID

Type: string

The ID of the app credential.

certificate

Type: string

The base64-encoded certificate.

certificateAuthority

Type: string

The base64-encoded certificate authority.

certificateKey

Type: string

The base64-encoded certificate key.

name

Type: string

The name of the app credential.

namespace

Type: string

The namespace of the app credential.

Role

Returns the available roles that can be used with API authorizations.

Relations

GET /roles

Retrieves the list of existing roles.

Attributes

authorizations [autogenerated,read_only]

Type: map[string][]string

Authorizations of the role.

description [autogenerated,read_only]

Type: string

Description of the role.

key [autogenerated,read_only]

Type: string

Key of the role.

name [autogenerated,read_only]

Type: string

Name of the role.

private [autogenerated,read_only]

Type: boolean

Set to true to make the role private and hidden from the UI.

policy/dns

DNSLookupReport

A DNS lookup report is used to report a DNS lookup that is happening on behalf of a processing unit. If the DNS server is on the standard UDP port 53, then the enforcer can proxy the DNS traffic and make a report. The report indicates whether or not the lookup was successful.

Example

{
  "action": "Accept",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx",
  "processingUnitNamespace": "/my/namespace",
  "resolvedName": "www.google.com",
  "sourceIP": "10.0.0.1",
  "value": 1
}

Relations

POST /dnslookupreports

Create a DNS Lookup report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Fail | Reject | Resolve)

Action of the DNS request.

enforcerID

Type: string

ID of the enforcer.

enforcerNamespace [required]

Type: string

Namespace of the enforcer.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

processingUnitID [required]

Type: string

ID of the PU.

processingUnitNamespace

This attribute is deprecated.

Type: string

Namespace of the PU. This is deprecated. Use namespace instead.

reason

Type: string

This field is only set when the lookup fails. It specifies the reason for the failure.

resolvedCNAMEs

Type: []string

CNAME aliases.

resolvedIPs

Type: []string

Resolved IP addresses.

resolvedName [required]

Type: string

Name used for DNS resolution.

sourceIP [required]

Type: string

IP address of the source.

timestamp

Type: time

Time and date of the log.

value [required]

Type: integer

Number of times the client saw this activity.

policy/enforcerconfig

EnforcerProfile

Allows you to create reusable configuration profiles for your enforcers. Enforcer profiles contain various startup information that can (for some) be updated live. Enforcer profiles are assigned to enforcers using an enforcer profile mapping.

Example

{
  "kubernetesMetadataExtractor": "PodAtomic",
  "kubernetesSupportEnabled": false,
  "metadataExtractor": "Docker",
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /enforcerprofiles

Retrieves the list of enforcer profiles.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /enforcerprofiles

Creates a new enforcer profile.

DELETE /enforcerprofiles/:id

Deletes the enforcer profile with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /enforcerprofiles/:id

Retrieves the enforcer profile with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /enforcerprofiles/:id

Updates the enforcer profile with the given ID.

GET /enforcerprofilemappingpolicies/:id/enforcerprofiles

Returns the list of enforcer profiles that an enforcer profile mapping matches.

GET /enforcers/:id/enforcerprofiles

Returns the enforcer profile that must be used by an enforcer.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

excludedInterfaces

Type: []string

Ignore traffic with a source or destination matching the specified interfaces.

excludedNetworks

Type: []string

Ignore any networks specified here and do not even report any flows. This can be useful for excluding localhost loopback traffic, ignoring traffic to the Kubernetes API, and using Microsegmentation for SSH only.

ignoreExpression

Type: [][]string

A tag expression that identifies processing units to ignore. This can be useful to exclude kube-system pods, AWS EC2 agent pods, and third-party agents.

kubernetesMetadataExtractor

This attribute is deprecated.

Type: enum(KubeSquall | PodAtomic | PodContainers)

This field is kept for backward compatibility for enforcers <= 3.5.

Default value:

"PodAtomic"

kubernetesSupportEnabled

This attribute is deprecated.

Type: boolean

This field is kept for backward compatibility for enforcers <= 3.5.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

metadataExtractor

This attribute is deprecated.

Type: enum(Docker | ECS | Kubernetes)

This field is kept for backward compatibility for enforcers <= 3.5.

Default value:

"Docker"

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

targetNetworks

Type: []string

If empty, the enforcer auto-discovers the TCP networks. Auto-discovery works best in Kubernetes and OpenShift deployments. You may need to manually specify the TCP networks if middle boxes exist that do not comply with TCP Fast Open RFC 7413.

targetUDPNetworks

Type: []string

If empty, the enforcer enforces all UDP networks. This works best when all UDP networks have enforcers. If some UDP networks do not have enforcers, you may need to manually specify the UDP networks that should be enforced.

trustedCAs

Type: []string

List of trusted certificate authorities. If empty, the main chain of trust will be used.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

EnforcerProfileMappingPolicy

Allows you to map an enforcer profile to one or more enforcers. The mapping can also be propagated down to child namespaces.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "object": [
    [
      "a=a",
      "b=b"
    ],
    [
      "c=c"
    ]
  ],
  "propagate": false,
  "protected": false,
  "subject": [
    [
      "a=a",
      "b=b"
    ],
    [
      "c=c"
    ]
  ]
}
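The `object` and `subject` values in the example above are the `[][]string` tag expressions used throughout this guide (also in UserAccessPolicy and AuditProfileMappingPolicy): an outer list of clauses and inner lists of tags. The added example below, not code from the page or the product, implements the reading that the page's examples suggest, namely that the inner list is an AND and the outer list is an OR, and then resolves which enforcer profiles an enforcer receives from a set of mapping policies, honouring `disabled`, `propagate` (a policy reaches child namespaces only when set) and `fallback` (used only when no regular policy matched). The OR-of-AND interpretation, the namespace-descent rule and all sample profiles, policies and enforcers are assumptions constructed for the example.

```python
def tags_match(expression, tags):
    """Evaluate a [][]string tag expression against a set of "key=value" tags.
    Assumed semantics: any clause matches (OR) when all of its tags are present (AND)."""
    return any(all(t in tags for t in clause) for clause in expression)


def namespace_within(namespace, parent):
    """True if `namespace` is `parent` itself or a descendant of it."""
    return namespace == parent or namespace.startswith(parent.rstrip("/") + "/")


def policy_reaches(policy, target_namespace):
    """A policy applies in its own namespace, and in child namespaces only if it propagates."""
    if policy.get("disabled"):
        return False
    if policy["namespace"] == target_namespace:
        return True
    return bool(policy.get("propagate")) and namespace_within(target_namespace, policy["namespace"])


def resolve_profiles(policies, profiles, enforcer):
    """Names of the enforcer profiles mapped to `enforcer` (dict with 'namespace' and 'tags').
    Regular policies win; fallback policies are consulted only when none of them matched."""
    applicable = [p for p in policies
                  if policy_reaches(p, enforcer["namespace"]) and tags_match(p["subject"], enforcer["tags"])]
    regular = [p for p in applicable if not p.get("fallback")]
    chosen = regular or [p for p in applicable if p.get("fallback")]
    matched = []
    for policy in chosen:
        for profile in profiles:
            if tags_match(policy["object"], profile["tags"]) and profile["name"] not in matched:
                matched.append(profile["name"])
    return matched


# Constructed sample data (not from the page). Tags on a profile include its name so
# that an object expression can select it by "name=..." or by a role tag.
PROFILES = [
    {"name": "default-profile", "tags": {"name=default-profile", "profile=default"}},
    {"name": "ssh-only", "tags": {"name=ssh-only", "profile=ssh-only"}},
]

POLICIES = [
    {   # regular mapping, only in /acme/prod, for the prod web enforcers
        "name": "prod-web-mapping", "namespace": "/acme/prod",
        "subject": [["app=web", "env=prod"]], "object": [["profile=ssh-only"]],
        "propagate": False, "fallback": False, "disabled": False,
    },
    {   # fallback for every enforcer anywhere under /acme that nothing else matched
        "name": "acme-default", "namespace": "/acme",
        "subject": [["role=enforcer"]], "object": [["profile=default"]],
        "propagate": True, "fallback": True, "disabled": False,
    },
    {   # disabled policies must never match
        "name": "old-mapping", "namespace": "/acme",
        "subject": [["role=enforcer"]], "object": [["profile=ssh-only"]],
        "propagate": True, "fallback": False, "disabled": True,
    },
]

ENFORCERS = {
    "prod-web": {"namespace": "/acme/prod", "tags": {"app=web", "env=prod", "role=enforcer"}},
    "dev-api": {"namespace": "/acme/dev", "tags": {"app=api", "env=dev", "role=enforcer"}},
    "outsider": {"namespace": "/other", "tags": {"app=web", "env=prod", "role=enforcer"}},
}


if __name__ == "__main__":
    # The expression from the page's example: ["a=a" AND "b=b"] OR ["c=c"].
    page_expr = [["a=a", "b=b"], ["c=c"]]
    print(tags_match(page_expr, {"a=a", "b=b"}), tags_match(page_expr, {"c=c"}), tags_match(page_expr, {"a=a"}))
    for name, enforcer in ENFORCERS.items():
        print(name, "->", resolve_profiles(POLICIES, PROFILES, enforcer))
```

Because the fallback is consulted only after regular policies fail, the prod web enforcer gets the restrictive `ssh-only` profile while the dev enforcer, which no regular policy names, falls back to the propagated default; an enforcer outside `/acme` receives nothing at all, which is the safe outcome for an unmanaged namespace.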

Relations

GET /enforcerprofilemappingpolicies

Retrieves the list of enforcer profile mappings.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /enforcerprofilemappingpolicies

Creates a new enforcer profile mapping.

DELETE /enforcerprofilemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with OR.

GET /enforcerprofilemappingpolicies/:id

Retrieves the mapping with the given ID.

PUT /enforcerprofilemappingpolicies/:id

Updates the mapping with the given ID.

GET /enforcerprofilemappingpolicies/:id/enforcerprofiles

Returns the list of enforcer profiles that an enforcer profile mapping matches.

GET /enforcerprofilemappingpolicies/:id/enforcers

Returns the list of enforcers affected by an enforcer profile mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it will become a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

The tag or tag expression that identifies the enforcer profile to be mapped.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

The tag or tag expression that identifies the enforcers that should implement the mapped profile.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

TrustedCA

Represents a trusted certificate authority (CA).

Relations

GET /trustedcas

Retrieves the trusted CAs of a namespace.

Parameters:

  • type (enum(Any | X509 | SSH | JWT)): The type of certificates that it should return.

GET /enforcers/:id/trustedcas

Returns the list of certificate authorities that should be trusted by this enforcer.

Parameters:

  • type (enum(Any | X509 | SSH)): Type of certificate to get.

GET /namespaces/:id/trustedcas

Returns the list of trusted CAs for this namespace.

Parameters:

  • type (enum(Any | X509 | SSH | JWT)): Type of certificate to get.

Attributes

certificate [autogenerated,read_only]

Type: string

The private certificate of the corresponding type associated with this namespace.

controller [autogenerated,read_only]

Type: string

The controller that this certificate or CA was issued from.

namespace [autogenerated,read_only]

Type: string

The namespace that this certificate or CA was defined at.

namespaceID [autogenerated,read_only]

Type: string

The ID of namespace that this certificate or CA was defined at.

serialnumber [autogenerated,read_only]

Type: string

SerialNumber is the serial number of the certificate.

type [autogenerated,read_only]

Type: enum(X509 | SSH | JWT)

Type of the certificate.

TrustedNamespace

This object allows you to declare trust between namespaces that are cryptographically isolated. The namespaces can be local or served by different Microsegmentation Console controllers.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4
NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM
QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau
7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8
jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI
KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl
AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==
-----END CERTIFICATE-----",
  "name": "the name",
  "protected": false
}

Relations

GET /trustednamespaces

Retrieves the list of trusted namespaces.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /trustednamespaces

Creates a new trusted namespace.

DELETE /trustednamespaces/:id

Delete the trusted namespace with the given ID.

GET /trustednamespaces/:id

Retrieve the trusted namespace with the given ID.

PUT /trustednamespaces/:id

Update the trusted namespace with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

Contains the PEM block of the certificate authority of the trusted namespace.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate [autogenerated,read_only]

Type: boolean

Propagates the object to all of its children.

Default value:

true
protected

Type: boolean

Defines if the object is protected.

remoteController [autogenerated,read_only]

Type: string

The controller declared in the certificate authority.

remoteNamespace [autogenerated,read_only]

Type: string

The namespace declared in the certificate authority.

serialNumber [autogenerated,read_only]

Type: string

The serial number of the CA.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/files

FileAccessPolicy

A file access policy allows processing units to access various folders and files. It uses the tags of a file path to determine which file or folder to allow access to. You can grant the processing unit any combination of read, write, or execute.

When the processing unit is a Docker container, the policy polices its volumes; mount and execute have no effect.

File paths are not supported yet for standard Linux processes.

Example

{
  "allowsExecute": false,
  "allowsRead": false,
  "allowsWrite": false,
  "disabled": false,
  "encryptionEnabled": false,
  "fallback": false,
  "logsEnabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /fileaccesspolicies

Retrieves the list of file access policies.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /fileaccesspolicies

Creates a new file access policy.

DELETE /fileaccesspolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /fileaccesspolicies/:id

Retrieves the policy with the given ID.

PUT /fileaccesspolicies/:id

Updates the policy with the given ID.

GET /fileaccesspolicies/:id/filepaths

Returns the list of file paths that match the policy.

GET /fileaccesspolicies/:id/processingunits

Returns the list of processing units that match the policy.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

allowsExecute

Type: boolean

Allows files to be executed.

allowsRead

Type: boolean

Allows files to be read.

allowsWrite

Type: boolean

Allows files to be written.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

encryptionEnabled

Type: boolean

Set to true to enable automatic encryption.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It is applied only if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

logsEnabled

Type: boolean

A value of true enables logging.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

The object of the policy.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

The subject of the policy.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

FileAccessReport

Post a new file access report.

Example

{
  "action": "Accepted",
  "host": "localhost",
  "mode": "rxw",
  "path": "/etc/passwd",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitNamespace": "/my/ns",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

Relations

POST /fileaccessreports

Create a file access statistics report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject | Limit)

Action taken.

host [required]

Type: string

Host storing the file.

Default value:

"localhost"
mode [required]

Type: string

Mode of file access.

Default value:

"rxw"
path [required]

Type: string

Path of the file.

Default value:

"/etc/passwd"
processingUnitID [required]

Type: string

ID of the processing unit.

processingUnitNamespace [required]

Type: string

Namespace of the processing unit.

timestamp [required]

Type: time

Date of the report.

FilePath

A file path represents an arbitrary path to a file or a folder. File paths can be used in file access policies to allow processing units to access them using various modes (read, write, execute). You need the file path's tags to set such policies; good examples are volume=web or file=/etc/passwd.

Example

{
  "filepath": "/etc/passwd",
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /filepaths

Retrieves the list of file paths.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /filepaths

Create a new file path.

DELETE /filepaths/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /filepaths/:id

Retrieves the object with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /filepaths/:id

Updates the object with the given ID.

GET /fileaccesspolicies/:id/filepaths

Returns the list of file paths that match the policy.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

filepath [required]

Type: string

FilePath refers to the file mount path.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

server [creation_only]

Type: string

The server name, ID, or IP address associated with the file path.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/hooks

HookPolicy

Allows you to define hooks on the write operations in squall. Hooks are sent to an external Rufus server that does the processing and may return a modified version of the object before it is saved.

Example

{
  "certificateAuthority": "-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4
NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM
QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau
7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8
jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI
KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl
AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==
-----END CERTIFICATE-----",
  "clientCertificate": "-----BEGIN CERTIFICATE-----
MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2
NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O
evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G
A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6
peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8
-----END CERTIFICATE-----",
  "clientCertificateKey": "-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGOXJI/123456789oamOu4tQAIKFdbyvkIJg9GME0mHzoAoGCCqGSM49
AwEHoUQDQgAE6bM8mP123456789AfmBWtnucfByQXk568lDcKNIQx6yNn+7txbwg
F9eXFkofGX3UgRtsHe123456789xQ1naSw==
-----END EC PRIVATE KEY-----",
  "continueOnError": false,
  "disabled": false,
  "endpoint": "https://hooks.hookserver.com/remoteprocessors",
  "endpointType": "URL",
  "fallback": false,
  "mode": "Pre",
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "selectors": [
    [
      "automation:name=myautomation"
    ]
  ],
  "subject": [
    [
      "$identity=processingunit"
    ]
  ]
}

Relations

GET /hookpolicies

Retrieves the list of hooks.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /hookpolicies

Creates a new hook.

DELETE /hookpolicies/:id

Deletes the hook with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /hookpolicies/:id

Retrieves the hook with the given ID.

PUT /hookpolicies/:id

Updates the hook with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

certificateAuthority

Type: string

Contains the PEM block of the certificate authority used by the remote endpoint.

clientCertificate

Type: string

Contains the client certificate that will be used to connect to the remote endpoint. If provided, the private key associated with this certificate must also be configured.

clientCertificateKey

Type: string

Contains the key associated with the clientCertificate. It must be provided only when clientCertificate has been configured.

continueOnError

Type: boolean

If set to true and mode is Pre, the request will be honored even if calling the hook fails.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

endpoint

Type: string

Contains the full address of the remote processor endpoint.

endpointType

Type: enum(URL | Automation)

Defines the type of endpoint for the hook.

Default value:

"URL"
expirationTime

Type: time

If set the hook will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It is applied only if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

mode

Type: enum(Both | Post | Pre)

Defines the type of hook.

Default value:

"Pre"
name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

propagationHidden

Type: boolean

If set to true while the policy is propagating, it won’t be visible to child namespaces, but it is still used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

selectors

Type: [][]string

A tag or tag expression that identifies the automation that must be run in case no endpoint is provided.

subject

Type: [][]string

Contains the tag expression that an object must match in order to trigger the hook.

triggerOperations

Type: []string

Selects the operation(s) on which the hook triggers. An empty list means all operations. Only combinations of create, update, and delete are allowed; any other value triggers a validation error.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

RemoteProcessor

Hook to integrate a Microsegmentation service.

Example

{
  "claims": [
    "@auth:realm=certificate",
    "@auth:commonname=john"
  ],
  "input": "{
  \"name\": \"hello\",
  \"description\": \"hello\",
}",
  "mode": "Pre",
  "namespace": "/my/namespace",
  "operation": "create",
  "targetIdentity": "processingunit"
}

Relations

POST /remoteprocessors

This should be here.

Attributes

claims [required]

Type: []string

Represents the claims of the currently managed object.

input [required]

Type: json.RawMessage

Represents data received from the service.

mode

Type: enum(Post | Pre)

Defines the hook’s type.

namespace [required]

Type: string

Represents the current namespace.

operation [required]

Type: elemental.Operation

Defines the operation that is currently handled by the service.

output [autogenerated,read_only]

Type: _elemental_identifiable

Returns OutputData filled with the processor information.

requestID

Type: string

Gives the ID of the request coming from the main server.

targetIdentity [required]

Type: string

Represents the identity name of the managed object.

policy/hosts

HostService

Represents services that a host must expose and protect.

Example

{
  "hostModeEnabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /hostservices

Retrieves the list of host services.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /hostservices

Creates a new host service.

DELETE /hostservices/:id

Deletes the host service with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /hostservices/:id

Retrieves the host service with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /hostservices/:id

Updates the host service with the given ID.

GET /enforcers/:id/hostservices

Returns a list of the host services policies that apply to this enforcer.

Parameters:

  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
GET /hostservicemappingpolicies/:id/hostservices

Returns the list of host services that are referenced by this mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

hostModeEnabled

Type: boolean

Forces the corresponding enforcers to enable host protection. When true, all incoming and outgoing flows will be monitored. Flows will be allowed if and only if a network policy has been created to allow the flow. The option applies to all enforcers to which the host service is mapped.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

services

Type: []string

Lists all protocols and ports on which a service is running. A service entry can be defined by a protocol and port (tcp/80) or by a range of protocol/port pairs (udp/80:100). If no protocol is provided, TCP is assumed. Only the tcp and udp protocols are allowed.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

HostServiceMappingPolicy

Host service mapping allows you to map host services to the enforcers that should implement them. You must map host services to one or more enforcers for the host services to have any effect.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /hostservicemappingpolicies

Retrieves the list of host service mappings.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /hostservicemappingpolicies

Creates a new host service mapping.

DELETE /hostservicemappingpolicies/:id

Deletes the mapping with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /hostservicemappingpolicies/:id

Retrieves the mapping with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /hostservicemappingpolicies/:id

Updates the mapping with the given ID.

GET /hostservicemappingpolicies/:id/enforcers

Returns the list of enforcers that are affected by this mapping.

GET /hostservicemappingpolicies/:id/hostservices

Returns the list of host services that are referenced by this mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
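The activeSchedule/activeDuration pair above (the same pair appears on FileAccessPolicy) can be evaluated with the following added example, which is not code from the Microsegmentation Console. It assumes the semantics the two descriptions imply: the policy switches on at every minute matching the cron expression and stays on for activeDuration; standard five-field cron (minute hour day month weekday, Sunday as 0 or 7) with *, lists, ranges and /step is assumed.

```python
"""Evaluate whether a policy with activeSchedule (cron) and activeDuration
(e.g. "30m") is active at a given moment.

Added example; not code from the Microsegmentation Console. Assumed semantics:
the policy turns on at every minute matching the cron expression and stays on
for activeDuration.
"""
import re
from datetime import datetime, timedelta
from typing import List, Set

DURATION_RE = re.compile(r"^([0-9]+)([smh])$")  # activeDuration format from the page
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
# (low, high) bounds for minute, hour, day-of-month, month, day-of-week (7 = Sunday alias)
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_duration(text: str) -> timedelta:
    """'90s', '30m', '2h' -> timedelta; anything else is rejected."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"activeDuration {text!r} must match ^[0-9]+[smh]$")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def _expand_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,3,5') into a set."""
    values: Set[int] = set()
    for part in spec.split(","):
        base, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(base)
            end = hi if step_text else start  # '5/10' means 5, 15, 25, ...
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"cron field {spec!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> List[Set[int]]:
    """Parse a five-field activeSchedule into one value set per field."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"activeSchedule {expr!r} needs exactly 5 fields")
    return [_expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def cron_matches(fields: List[Set[int]], when: datetime) -> bool:
    """True when `when` (to the minute) satisfies every cron field."""
    minute, hour, dom, month, dow = fields
    weekday = (when.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
    sunday_alias = weekday == 0 and 7 in dow
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and (weekday in dow or sunday_alias))


def is_active(schedule: str, duration: str, now: datetime) -> bool:
    """True if some cron-matching minute m satisfies m <= now < m + duration."""
    fields = parse_cron(schedule)
    window = parse_duration(duration)
    candidate = now.replace(second=0, microsecond=0)
    while now - candidate < window:  # walk back minute by minute over the window
        if cron_matches(fields, candidate):
            return True
        candidate -= timedelta(minutes=1)
    return False


def is_active_iso(schedule: str, duration: str, iso_timestamp: str) -> bool:
    """Same check with an ISO-8601 timestamp, e.g. '2021-10-08T16:30:00'."""
    return is_active(schedule, duration, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # Constructed check: a policy active on weekdays from 09:00 for 8 hours.
    print(is_active_iso("0 9 * * 1-5", "8h", "2021-10-08T16:30:00"))  # Friday -> True
    print(is_active_iso("0 9 * * 1-5", "8h", "2021-10-08T17:30:00"))  # window ended -> False
```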

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the property is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It is applied only if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

A tag or tag expression identifying the host service(s) to be mapped.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression identifying the enforcer(s) that should implement the specified host service(s).

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/networking

CachedFlowReport

Post a new cached flow report.

Example

{
  "action": "Accept",
  "destinationController": "api.east.acme.com",
  "destinationID": "xxx-xxx-xxx",
  "destinationNamespace": "/my/namespace",
  "destinationPlatform": "api.east.acme.com",
  "destinationType": "ProcessingUnit",
  "encrypted": false,
  "enforcerID": "5c6cce207ddf1fc159a104bf",
  "isLocalDestinationID": false,
  "isLocalSourceID": false,
  "namespace": "/my/namespace",
  "observed": false,
  "observedAction": "NotApplicable",
  "observedEncrypted": false,
  "observedPolicyID": "xxx-xxx-xxx",
  "observedPolicyNamespace": "/my/namespace",
  "policyID": "xxx-xxx-xxx",
  "policyNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "NotApplicable",
  "sourceController": "api.west.acme.com",
  "sourceID": "xxx-xxx-xxx",
  "sourceNamespace": "/my/namespace",
  "sourcePlatform": "api.west.acme.com",
  "sourceType": "ProcessingUnit",
  "value": 1
}

Relations

POST /cachedflowreports

Create a cached flow statistics report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject)

Action applied to the flow.

destinationController

Type: string

Identifier of the destination controller.

destinationID [required]

Type: string

ID of the destination.

destinationIP

Type: string

Destination IP address.

destinationNamespace

This attribute is deprecated.

Type: string

Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.

destinationPlatform

Type: string

Identifier of the destination platform.

destinationPort

Type: integer

Port of the destination.

destinationType [required]

Type: enum(ProcessingUnit | ExternalNetwork | Claims)

Destination type.

dropReason

Type: string

This field is only set if action is set to Reject. It specifies the reason for the rejection.

encrypted

Type: boolean

If true, the flow was encrypted.

enforcerID

Type: string

ID of the enforcer where the report was collected.

isLocalDestinationID

Type: boolean

Indicates if the destination endpoint is an enforcer-local processing unit.

isLocalSourceID

Type: boolean

Indicates if the source endpoint is an enforcer-local processing unit.

namespace [required]

This attribute is deprecated.

Type: string

This is here for backward compatibility.

observed

Type: boolean

If true, design mode is on.

observedAction

Type: enum(Accept | Reject | NotApplicable)

Action observed on the flow.

Default value:

"NotApplicable"
observedDropReason

Type: string

Specifies the reason for a rejection. Only set if observedAction is set to Reject.

observedEncrypted

Type: boolean

Value of the encryption of the network policy that observed the flow.

observedPolicyID

Type: string

ID of the network policy that observed the flow.

observedPolicyNamespace

Type: string

Namespace of the network policy that observed the flow.

policyID [required]

Type: string

ID of the network policy that accepted the flow.

policyNamespace [required]

Type: string

Namespace of the network policy that accepted the flow.

protocol

Type: integer

Protocol number.

remoteNamespace

Type: string

Namespace of the object at the other end of the flow.

ruleName

Type: string

Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.

serviceClaimHash

Type: string

Hash of the claims used to communicate.

serviceID

Type: string

ID of the service.

serviceNamespace

Type: string

Namespace of Service accessed.

serviceType

Type: enum(L3 | HTTP | TCP | NotApplicable)

Type of the service accessed.

Default value:

"NotApplicable"
serviceURL

Type: string

Service URL accessed.

sourceController

Type: string

Identifier of the source controller.

sourceID [required]

Type: string

ID of the source.

sourceIP

Type: string

Source IP address.

sourceNamespace

This attribute is deprecated.

Type: string

Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.

sourcePlatform

Type: string

Identifier of the source platform.

sourceType [required]

Type: enum(ProcessingUnit | ExternalNetwork | Claims)

Type of the source.

timestamp

Type: time

Time and date of the log.

value [required]

Type: integer

Number of flows in the log.
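As an added example (not the Console's own code), the following triage of constructed CachedFlowReport records shows how the action/dropReason and observed*/encrypted attributes above can be read together: to count rejections per policy and to find flows that an observing (design mode) policy would reject, or would have encrypted, once enforced.

```python
"""Triage a batch of CachedFlowReport records: count rejected flows by
policy and reason, and surface design-mode gaps, i.e. flows that were
accepted but that an observing policy (observed=true) would have rejected
or would have encrypted.

Added example, not code from the Microsegmentation Console. Field names are
the attributes documented on the page; the sample records are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Report = Dict[str, object]


def rejected_by_policy(reports: Iterable[Report]) -> Counter:
    """Sum of `value` for rejected flows, keyed by (policyNamespace, dropReason)."""
    counts: Counter = Counter()
    for r in reports:
        if r.get("action") == "Reject":
            key = (str(r.get("policyNamespace", "")), str(r.get("dropReason", "unspecified")))
            counts[key] += int(r.get("value", 0))
    return counts


def would_be_rejected(reports: Iterable[Report]) -> List[Tuple[str, str, str]]:
    """Accepted flows that the observing policy marked Reject: enforcing that
    policy would break these flows, so they need review before enforcement."""
    return [(str(r["sourceID"]), str(r["destinationID"]), str(r.get("observedPolicyID", "")))
            for r in reports
            if r.get("observed") and r.get("action") == "Accept"
            and r.get("observedAction") == "Reject"]


def cleartext_flows_policy_would_encrypt(reports: Iterable[Report]) -> List[Tuple[str, str]]:
    """Flows that ran unencrypted although the observing policy enables encryption."""
    return [(str(r["sourceID"]), str(r["destinationID"]))
            for r in reports
            if r.get("observed") and not r.get("encrypted") and r.get("observedEncrypted")]


def triage(reports: List[Report]) -> Dict[str, object]:
    """One summary dict a reviewer can read or ship to a SIEM."""
    return {
        "rejected": {f"{ns}|{reason}": n for (ns, reason), n in rejected_by_policy(reports).items()},
        "would_be_rejected": would_be_rejected(reports),
        "cleartext_but_policy_encrypts": cleartext_flows_policy_would_encrypt(reports),
    }


# Constructed sample records (placeholder IDs, same shape as the page's example).
SAMPLE_REPORTS: List[Report] = [
    {"action": "Accept", "sourceID": "pu-web", "destinationID": "pu-api",
     "policyNamespace": "/acme/prod", "observed": False, "encrypted": True, "value": 12},
    {"action": "Reject", "sourceID": "pu-web", "destinationID": "pu-db",
     "policyNamespace": "/acme/prod", "dropReason": "no matching policy", "value": 3},
    {"action": "Reject", "sourceID": "ext-scanner", "destinationID": "pu-db",
     "policyNamespace": "/acme/prod", "dropReason": "no matching policy", "value": 40},
    {"action": "Accept", "sourceID": "pu-batch", "destinationID": "pu-db",
     "policyNamespace": "/acme/prod", "observed": True, "observedAction": "Reject",
     "observedPolicyID": "pol-strict", "encrypted": False, "observedEncrypted": False, "value": 5},
    {"action": "Accept", "sourceID": "pu-web", "destinationID": "pu-cache",
     "policyNamespace": "/acme/prod", "observed": True, "observedAction": "Accept",
     "observedPolicyID": "pol-encrypt", "encrypted": False, "observedEncrypted": True, "value": 7},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORTS), indent=2))
```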

Claims

Represents the claims in the token used to access a service.

Example

{
  "content": {
    "exp": 1553899021,
    "iat": 1553888221,
    "iss": "https://accounts.acme.com",
    "sub": "alice@acme.com"
  },
  "hash": "1134423925458173049"
}

Relations

GET /claims

Retrieves the list of claims.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
POST /claims

Creates a new claims record.

GET /claims/:id

Retrieves the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

content [creation_only]

Type: map[string]string

Contains the raw JSON web token (JWT) claims.

hash [required]

Type: string

XXH64 hash of the claims content. It is used as the ID. To compute a correct hash, first flatten the content into a string array of key=value entries, sort it, then apply the XXH64 function.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

ConnectionExceptionReport

Post a new flow log.

Example

{
  "destinationController": "api.west.acme.com",
  "destinationProcessingUnitID": "xxx-xxx-xxx",
  "enforcerID": "xxx-xxx-xxx",
  "enforcerNamespace": "/my/namespace",
  "namespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx",
  "processingUnitNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "L3",
  "state": [
    "Unknown"
  ],
  "value": 1
}

Relations

POST /connectionexceptionreports

Create a connection exception report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

destinationController

This attribute is deprecated.

Type: string

Identifier of the destination controller. This should be set in SynAckTransmitted state.

destinationIP

Type: string

Destination IP address.

destinationPort

Type: integer

Port of the destination.

destinationProcessingUnitID

Type: string

ID of the destination processing unit. This should be set in SynAckTransmitted state.

enforcerID [required]

Type: string

ID of the enforcer.

enforcerNamespace

This attribute is deprecated.

Type: string

Namespace of the enforcer.

namespace [read_only]

Type: string

Namespace of the processing unit that encountered this exception.

processingUnitID [required]

Type: string

ID of the processing unit that encountered this exception.

processingUnitNamespace

This attribute is deprecated.

Type: string

Namespace of the processing unit that encountered this exception.

protocol [required]

Type: integer

Protocol number.

reason

Type: string

It specifies the reason for the exception.

serviceType

Type: enum(L3 | HTTP | TCP)

Type of the service.

Default value:

"L3"
sourceIP

Type: string

Source IP address.

state [required]

Type: enum(SynTransmitted | SynAckTransmitted | AckTransmitted | Unknown)

Represents the connection state in which this report was generated.

timestamp

Type: time

Time and date of the report.

value [required]

Type: integer

Number of packets hit.

ExternalNetwork

An external network represents an arbitrary network or IP address that is not managed by Microsegmentation. External networks can be used in network policies to allow traffic from or to the declared network or IP, using the provided protocol and port (or range of ports). If you want to describe the internet (i.e., anywhere), use 0.0.0.0/0 as the address and 1-65000 for the ports. You must assign the external network one or more tags; these allow you to reference the external network from your network policies.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false,
  "servicePorts": [
    "tcp/80",
    "udp/80:100"
  ],
  "type": "Subnet"
}

Relations

GET /externalnetworks

Retrieves the list of external networks.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /externalnetworks

Creates a new external network.

DELETE /externalnetworks/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Consequent q parameters will form an or.
GET /externalnetworks/:id

Retrieves the object with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /externalnetworks/:id

Updates the object with the given ID.

GET /infrastructurepolicies/:id/externalnetworks

Returns the list of external networks affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/externalnetworks

Returns the list of external networks affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkrulesetpolicies/:id/externalnetworks

Returns the list of external networks affected by a network rule set policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

entries

Type: []string

List of CIDRs or domain names.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

servicePorts

Type: []string

List of protocol/port entries, either a single port (tcp/80) or a port range (udp/80:100).

type

Type: enum(ENI | RDSCluster | RDSInstance | SecurityGroup | Subnet)

The type of external network (default Subnet).

Default value:

"Subnet"
updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

FlowReport

Represents a flow log (flow statistics report) posted by an enforcer.

Example

{
  "action": "Accept",
  "destinationController": "api.east.acme.com",
  "destinationID": "xxx-xxx-xxx",
  "destinationNamespace": "/my/namespace",
  "destinationPlatform": "api.east.acme.com",
  "destinationType": "ProcessingUnit",
  "encrypted": false,
  "enforcerID": "5c6cce207ddf1fc159a104bf",
  "namespace": "/my/namespace",
  "observed": false,
  "observedAction": "NotApplicable",
  "observedEncrypted": false,
  "observedPolicyID": "xxx-xxx-xxx",
  "observedPolicyNamespace": "/my/namespace",
  "policyID": "xxx-xxx-xxx",
  "policyNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "NotApplicable",
  "sourceController": "api.west.acme.com",
  "sourceID": "xxx-xxx-xxx",
  "sourceNamespace": "/my/namespace",
  "sourcePlatform": "api.west.acme.com",
  "sourceType": "ProcessingUnit",
  "value": 1
}

Relations

POST /flowreports

Create a flow statistics report.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action [required]

Type: enum(Accept | Reject)

Action applied to the flow.

destinationController

Type: string

Identifier of the destination controller.

destinationID [required]

Type: string

ID of the destination.

destinationIP

Type: string

Destination IP address.

destinationNamespace

This attribute is deprecated.

Type: string

Namespace of the destination. Deprecated: use remoteNamespace instead. This property has no effect.

destinationPlatform

Type: string

Identifier of the destination platform.

destinationPort

Type: integer

Port of the destination.

destinationType [required]

Type: enum(ProcessingUnit | ExternalNetwork | Claims)

Destination type.

dropReason

Type: string

This field is only set if action is set to Reject. It specifies the reason for the rejection.

encrypted

Type: boolean

If true, the flow was encrypted.

enforcerID

Type: string

ID of the enforcer where the report was collected.

namespace [required]

This attribute is deprecated.

Type: string

This is here for backward compatibility.

observed

Type: boolean

If true, the flow was observed in design mode.

observedAction

Type: enum(Accept | Reject | NotApplicable)

Action observed on the flow.

Default value:

"NotApplicable"
observedDropReason

Type: string

Specifies the reason for a rejection. Only set if observedAction is set to Reject.

observedEncrypted

Type: boolean

Value of the encryption of the network policy that observed the flow.

observedPolicyID

Type: string

ID of the network policy that observed the flow.

observedPolicyNamespace

Type: string

Namespace of the network policy that observed the flow.

policyID [required]

Type: string

ID of the network policy that accepted the flow.

policyNamespace [required]

Type: string

Namespace of the network policy that accepted the flow.

protocol

Type: integer

Protocol number.

remoteNamespace

Type: string

Namespace of the object at the other end of the flow.

ruleName

Type: string

Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.

serviceClaimHash

Type: string

Hash of the claims used to communicate.

serviceID

Type: string

ID of the service.

serviceNamespace

Type: string

Namespace of Service accessed.

serviceType

Type: enum(L3 | HTTP | TCP | NotApplicable)

Type of the service.

Default value:

"NotApplicable"
serviceURL

Type: string

Service URL accessed.

sourceController

Type: string

Identifier of the source controller.

sourceID [required]

Type: string

ID of the source.

sourceIP

Type: string

Source IP address.

sourceNamespace

This attribute is deprecated.

Type: string

Namespace of the source. Deprecated: use remoteNamespace instead. This property has no effect.

sourcePlatform

Type: string

Identifier of the source platform.

sourceType [required]

Type: enum(ProcessingUnit | ExternalNetwork | Claims)

Type of the source.

timestamp

Type: time

Time and date of the log.

value [required]

Type: integer

Number of flows in the log.
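
A practitioner mostly consumes FlowReport objects rather than posting them. The following Python, an added example that is not code from the Microsegmentation project, triages a batch of reports: it totals rejected flows per endpoint pair, port and dropReason, lists the accepted flows that an observing (design mode) policy would have rejected, and totals accepted egress to external networks. The sample reports are constructed for the example, and the reading that observed=true together with observedAction=Reject on an accepted flow means "would be rejected once the observing policy enforces" is this example's interpretation of the attributes above.

```python
from collections import Counter

# IANA protocol numbers carried in the `protocol` field.
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample reports (not real data); only the fields the functions below need.
SAMPLE_REPORTS = [
    {"action": "Accept", "sourceType": "ProcessingUnit", "sourceID": "pu-web",
     "destinationType": "ProcessingUnit", "destinationID": "pu-db", "protocol": 6,
     "destinationPort": 5432, "remoteNamespace": "/acme/prod", "observed": False,
     "observedAction": "NotApplicable", "value": 12},
    {"action": "Reject", "sourceType": "ProcessingUnit", "sourceID": "pu-web",
     "destinationType": "ExternalNetwork", "destinationID": "ext-internet", "protocol": 6,
     "destinationPort": 443, "dropReason": "no matching policy", "observed": False,
     "observedAction": "NotApplicable", "value": 3},
    {"action": "Reject", "sourceType": "ProcessingUnit", "sourceID": "pu-web",
     "destinationType": "ExternalNetwork", "destinationID": "ext-internet", "protocol": 6,
     "destinationPort": 443, "dropReason": "no matching policy", "observed": False,
     "observedAction": "NotApplicable", "value": 2},
    {"action": "Accept", "sourceType": "ProcessingUnit", "sourceID": "pu-web",
     "destinationType": "ProcessingUnit", "destinationID": "pu-cache", "protocol": 6,
     "destinationPort": 6379, "observed": True, "observedAction": "Reject",
     "observedPolicyID": "pol-observe-1", "value": 5},
    {"action": "Accept", "sourceType": "ProcessingUnit", "sourceID": "pu-batch",
     "destinationType": "ExternalNetwork", "destinationID": "ext-internet", "protocol": 17,
     "destinationPort": 53, "sourceNamespace": "/acme/legacy", "observed": False,
     "observedAction": "NotApplicable", "value": 40},
]


def flow_key(report):
    """Identify a flow by its endpoints and its protocol/destination port."""
    proto = PROTOCOL_NAMES.get(report.get("protocol"), str(report.get("protocol")))
    return (
        "%s:%s" % (report["sourceType"], report["sourceID"]),
        "%s:%s" % (report["destinationType"], report["destinationID"]),
        "%s/%s" % (proto, report.get("destinationPort", "*")),
    )


def peer_namespace(report):
    """Namespace of the other end of the flow. remoteNamespace is authoritative; the
    deprecated sourceNamespace/destinationNamespace fields are consulted only as a last
    resort for reports produced by older enforcers."""
    return (report.get("remoteNamespace")
            or report.get("sourceNamespace")
            or report.get("destinationNamespace"))


def summarize_rejects(reports):
    """Total rejected flows (the `value` field) per flow key and dropReason."""
    totals = Counter()
    for r in reports:
        if r["action"] == "Reject":
            totals[flow_key(r) + (r.get("dropReason", ""),)] += r["value"]
    return totals


def design_mode_would_reject(reports):
    """Accepted flows that an observing policy (design mode) would have rejected: the
    flows that break if that policy is switched from observing to enforcing."""
    return [
        flow_key(r) + (r.get("observedPolicyID", ""),)
        for r in reports
        if r["action"] == "Accept" and r.get("observed") and r.get("observedAction") == "Reject"
    ]


def accepted_external_egress(reports):
    """Accepted flows towards external networks, totalled per flow key (an egress audit)."""
    totals = Counter()
    for r in reports:
        if r["action"] == "Accept" and r["destinationType"] == "ExternalNetwork":
            totals[flow_key(r)] += r["value"]
    return totals
```

Note that value is a count of flows, not bytes, so the totals answer "how often" rather than "how much"; and because the two deprecated namespace fields do nothing on current reports, keying anything on them silently loses data unless remoteNamespace is read first, as peer_namespace does.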

InfrastructurePolicy

Infrastructure policies represent the network access rules of the underlying infrastructure. They can assist you in analyzing how AWS security groups, firewalls, and other access control list (ACL) mechanisms may affect Microsegmentation network policies. Microsegmentation’s AWS integration app automatically populates AWS security groups.

Example

{
  "action": "Allow",
  "applyPolicyMode": "OutgoingTraffic",
  "disabled": false,
  "name": "the name",
  "protected": false
}

Relations

GET /infrastructurepolicies

Retrieves the list of infrastructure policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
POST /infrastructurepolicies

Creates a new infrastructure policy.

DELETE /infrastructurepolicies/:id

Deletes the infrastructure policy with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /infrastructurepolicies/:id

Retrieves the infrastructure policy with the given ID.

PUT /infrastructurepolicies/:id

Updates the infrastructure policy with the given ID.

GET /infrastructurepolicies/:id/externalnetworks

Returns the list of external networks affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /infrastructurepolicies/:id/processingunits

Returns the list of processing units affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /infrastructurepolicies/:id/services

Returns the list of services affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: enum(Allow | Reject)

Defines the action to apply to a flow.

Default value:

"Allow"
activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

applyPolicyMode

Type: enum(OutgoingTraffic | IncomingTraffic)

Determines if the policy applies to the outgoing traffic of the subject or the incoming traffic of the subject. OutgoingTraffic (default) or IncomingTraffic.

Default value:

"OutgoingTraffic"
associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Object of the policy.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Subject of the policy.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

NetworkAccessPolicy

Allows you to define network policies that allow or prevent communication between processing units, identified by their tags, and other processing units or external networks (also identified by their tags).

Example

{
  "action": "Allow",
  "applyPolicyMode": "Bidirectional",
  "disabled": false,
  "encryptionEnabled": false,
  "fallback": false,
  "logsEnabled": false,
  "name": "the name",
  "negateObject": false,
  "negateSubject": false,
  "observationEnabled": false,
  "observedTrafficAction": "Continue",
  "propagate": false,
  "protected": false
}

Relations

GET /networkaccesspolicies

Retrieves the list of network policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /networkaccesspolicies

Creates a new network policy. This endpoint is deprecated in favor of NetworkRuleSetPolicy.

DELETE /networkaccesspolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /networkaccesspolicies/:id

Retrieves the policy with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /networkaccesspolicies/:id

Updates the policy with the given ID.

GET /networkaccesspolicies/:id/externalnetworks

Returns the list of external networks affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/processingunits

Returns the list of processing units affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/services

Returns the list of services affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: enum(Allow | Reject | Continue)

Defines the action to apply to a flow.

  • Allow: allows the defined traffic.
  • Reject: rejects the defined traffic; useful in conjunction with an allow-all policy.
  • Continue: neither allows nor rejects the traffic; useful for applying another property of this policy (such as observation or logging) to the traffic while leaving the allow/reject decision to other policies.

Default value:

"Allow"
activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

applyPolicyMode

Type: enum(OutgoingTraffic | IncomingTraffic | Bidirectional)

Selects one of three policy directions:

  • IncomingTraffic: applies the policy to all processing units that match the object and allows them to accept connections from processing units or external networks that match the subject.
  • OutgoingTraffic: applies the policy to all processing units that match the subject and allows them to initiate connections with processing units or external networks that match the object.
  • Bidirectional (default): applies the policy to all processing units that match the object and allows them to accept connections from processing units that match the subject, and also applies the policy to all processing units that match the subject and allows them to initiate connections with processing units that match the object.

Default value:

"Bidirectional"
associatedTags

Type: []string

List of tags attached to an entity.
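
How applyPolicyMode, negateSubject/negateObject and fallback combine is easiest to see in code. The following Python is an added example and not the enforcer's resolution logic. It assumes the usual reading of a [][]string tag expression (outer list OR-ed, inner list AND-ed), ignores the ports attribute, and treats "nothing resolved" as a deny; the sample policies and tag sets are constructed. The same direction rules cover the two modes of InfrastructurePolicy.

```python
def matches(expression, tags):
    """Evaluate a [][]string tag expression: the outer list is OR-ed, each inner list
    AND-ed (assumed semantics; the page only gives the type)."""
    tagset = set(tags)
    return any(set(clause) <= tagset for clause in expression)


def _side_matches(policy, side, tags):
    """Match one side ("subject" or "object"), honouring negateSubject/negateObject."""
    hit = matches(policy[side], tags)
    return (not hit) if policy.get("negate" + side.capitalize(), False) else hit


def policy_applies(policy, pu_tags, peer_tags, direction):
    """Does `policy` govern a connection of the given direction as seen from the
    processing unit carrying `pu_tags`? direction is "incoming" (the peer connects to
    the PU) or "outgoing" (the PU connects to the peer)."""
    if direction not in ("incoming", "outgoing"):
        raise ValueError("direction must be 'incoming' or 'outgoing'")
    if policy.get("disabled", False):
        return False
    mode = policy.get("applyPolicyMode", "Bidirectional")
    if direction == "incoming" and mode in ("IncomingTraffic", "Bidirectional"):
        # IncomingTraffic: the PU is the object, the connecting peer is the subject.
        if _side_matches(policy, "object", pu_tags) and _side_matches(policy, "subject", peer_tags):
            return True
    if direction == "outgoing" and mode in ("OutgoingTraffic", "Bidirectional"):
        # OutgoingTraffic: the PU is the subject, the peer it connects to is the object.
        if _side_matches(policy, "subject", pu_tags) and _side_matches(policy, "object", peer_tags):
            return True
    return False


def resolve(policies, pu_tags, peer_tags, direction):
    """Return (action, names), names being the policies that resolved.

    Fallback policies are consulted only when no regular policy resolved. Among resolved
    policies Reject wins over Allow, and Continue never decides. Denying when nothing
    resolves is this example's assumption, not something the page states."""
    applicable = [p for p in policies if policy_applies(p, pu_tags, peer_tags, direction)]
    regular = [p for p in applicable if not p.get("fallback", False)]
    resolved = regular or [p for p in applicable if p.get("fallback", False)]
    actions = {p.get("action", "Allow") for p in resolved}
    names = [p["name"] for p in resolved]
    if "Reject" in actions:
        return "Reject", names
    if "Allow" in actions:
        return "Allow", names
    return "Reject", names  # nothing resolved (or only Continue): treat as deny


# Constructed policies (not from the page); only the attributes used above are present.
POLICIES = [
    {"name": "web-to-db", "action": "Allow", "applyPolicyMode": "Bidirectional",
     "subject": [["app=web", "env=prod"]], "object": [["app=db", "env=prod"]]},
    {"name": "cache-accepts-web", "action": "Allow", "applyPolicyMode": "IncomingTraffic",
     "subject": [["app=web"]], "object": [["app=cache"]]},
    {"name": "db-rejects-non-web", "action": "Reject", "applyPolicyMode": "IncomingTraffic",
     "subject": [["app=web"]], "negateSubject": True, "object": [["app=db"]]},
    {"name": "ops-egress", "action": "Allow", "applyPolicyMode": "OutgoingTraffic",
     "subject": [["app=ops"]], "object": [["ext=internet"]]},
    {"name": "default-deny", "action": "Reject", "applyPolicyMode": "Bidirectional",
     "fallback": True, "subject": [["env=prod"]], "object": [["env=prod"], ["ext=internet"]]},
]

# Constructed tag sets for a few processing units and an external network.
WEB, DB, CACHE = ["app=web", "env=prod"], ["app=db", "env=prod"], ["app=cache", "env=prod"]
BATCH, OPS, INTERNET = ["app=batch", "env=prod"], ["app=ops", "env=prod"], ["ext=internet"]
```

The case worth noticing is the one-directional policy: cache-accepts-web (IncomingTraffic) makes the cache accept the web tier, but it says nothing about the web tier's side of the same connection, so the web PU's outgoing check falls through to the fallback and is rejected. That asymmetry is why Bidirectional is the default and why a one-way policy normally needs its counterpart on the other end.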

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

encryptionEnabled

This attribute is deprecated.

Type: boolean

Defines if the flow has to be encrypted. This property is deprecated and has no effect.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It is only applied if no other policies have resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

logsEnabled

Type: boolean

If true, the relevant flows are logged and available from Microsegmentation Console. Under some advanced scenarios you may wish to set this to false, such as to save space or improve performance.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

negateObject

Type: boolean

Setting this to true will invert the object to find what is not matching.

negateSubject

Type: boolean

Setting this to true will invert the subject to find what is not matching.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

A tag or tag expression identifying the object of the policy.

observationEnabled

Type: boolean

If set to true, the flow will be in observation mode.

observedTrafficAction

Type: enum(Apply | Continue)

If observationEnabled is set to true, this defines the final action taken on the packets: Apply or Continue (default).

Default value:

"Continue"
ports

Type: []string

Represents the ports and protocols this policy applies to.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag or tag expression identifying the subject of the policy.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

NetworkRuleSetPolicy

Allows you to define network rule sets that allow or prevent communication between processing units, identified by their tags, and other processing units or external networks (also identified by their tags).

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /networkrulesetpolicies

Retrieves the list of network rule set policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /networkrulesetpolicies

Creates a new network rule set policy.

DELETE /networkrulesetpolicies/:id

Deletes the policy with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /networkrulesetpolicies/:id

Retrieves the policy with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /networkrulesetpolicies/:id

Updates the policy with the given ID.

GET /networkrulesetpolicies/:id/externalnetworks

Returns the list of external networks affected by a network rule set policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkrulesetpolicies/:id/processingunits

Returns the list of processing units affected by a network rule set policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkrulesetpolicies/:id/services

Returns the list of services affected by a network rule set policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It is only applied if no other policies have resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

incomingRules

Type: []networkrule

The set of rules to apply to incoming traffic (traffic coming to the Processing Unit matching the subject).

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

outgoingRules

Type: []networkrule

The set of rules to apply to outgoing traffic (traffic coming from the Processing Unit matching the subject).

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

A tag expression used to match the processing units to which this policy applies.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/processingunits

IsolationProfile

Defines system call rules, system call actions, and other capabilities on a processing unit.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /isolationprofiles

Retrieves the list of isolation profiles.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /isolationprofiles

Creates a new isolation profile.

DELETE /isolationprofiles/:id

Deletes the profile with the given ID.

GET /isolationprofiles/:id

Retrieves the profile with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /isolationprofiles/:id

Updates the profile with the given ID.

GET /processingunitpolicies/:id/isolationprofiles

Returns the list of isolation profiles associated with the mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

capabilitiesActions

Type: _cap_map

The capabilities that should be added to or removed from the processing unit.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

defaultSyscallAction

Type: _syscall_action

The default action applied to all system calls of this profile. Default is Allow.

description [max_length=1024]

Type: string

Description of the object.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

syscallRules

Type: _syscall_rules

A list of system call rules that identify actions for particular system calls.

targetArchitectures

Type: _arch_list

The processor architectures that the profile supports. Default all.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

ProcessingUnitPolicy

Processing unit policies allow you to define special behavior for processing units. For example you can associate an isolation profile with a set of processing units or select a specific datapath.

Example

{
  "action": "Default",
  "datapathType": "Default",
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /processingunitpolicies

Retrieves the list of processing unit policies.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /processingunitpolicies

Creates a new processing unit policy.

DELETE /processingunitpolicies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /processingunitpolicies/:id

Retrieves the object with the given ID.

PUT /processingunitpolicies/:id

Updates the object with the given ID.

GET /processingunitpolicies/:id/isolationprofiles

Returns the list of isolation profiles associated with the mapping.

GET /processingunitpolicies/:id/processingunits

Returns the list of processing units referenced by the mapping.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

action

Type: enum(Default | Delete | Enforce | LogCompliance | Reject | Snapshot | Stop)

Action determines the action to take while enforcing the isolation profile. NOTE: Choose Default if your processing unit is not supposed to make a decision on isolation profiles at all.

Default value:

"Default"
activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

datapathType

Type: enum(Default | Aporeto | EnvoyAuthorizer)

The datapath type that processing units selected by subject should implement:

  • Default: this policy does not make a decision for the datapath.
  • Aporeto: the enforcer manages and handles the datapath.
  • EnvoyAuthorizer: the enforcer serves Envoy-compatible gRPC APIs for every processing unit, which can be used, for example, by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: the enforcer does not own the datapath in this mode; it merely provides an authorizer API.

Default value:

"Default"
description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It is only applied if no other policies have resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

isolationProfileSelector

Type: [][]string

The isolation profiles to be mapped. Only applies to Enforce and LogCompliance actions.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Contains the tag expression the tags need to match for the policy to apply.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

ProcessingUnitService

Represents a service attached to a processing unit.

Attributes

ports [read_only]

This attribute is deprecated.

Type: string

Contains the list of allowed ports and ranges.

protocol

Type: integer

Protocol used by the service.

targetPorts

Type: []string

List of single ports or ranges (xx:yy).

policy/quota

QuotaCheck

Allows you to verify the quota for a given identity in a given namespace with the given tags.

Example

{
  "targetIdentity": "processingunit",
  "targetNamespace": "/my/namespace"
}

Relations

POST /quotacheck

Verifies if the quota is exceeded for a particular object.

Parameters:

  • remaining (boolean): Makes the system count how many objects are left available in the quota.

Attributes

quota [autogenerated,read_only]

Type: integer

Contains the maximum number of matching entities that can be created.

remaining [autogenerated,read_only]

Type: integer

If the parameter remaining=true is passed, this value will be populated with the number of remaining objects in the quota.

Default value:

-1
targetIdentity [required]

Type: string

The identity name of the object you want to check the quota on.

targetNamespace

Type: string

The namespace in which you want to check the quota.

QuotaPolicy

Allows you to set quotas on the number of objects that can be created in a namespace.

Example

{
  "disabled": false,
  "fallback": false,
  "identities": [
    "processingunit",
    "enforcer"
  ],
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "targetNamespace": "/my/namespace"
}

Relations

GET /quotapolicies

Retrieves the list of quotas.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /quotapolicies

Creates a new quota.

DELETE /quotapolicies/:id

Deletes the quota with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /quotapolicies/:id

Retrieves the quota with the given ID.

PUT /quotapolicies/:id

Updates the quota with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the quota policy is disabled.

expirationTime

Type: time

If set the quota will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It is only applied if no other policies have resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

identities [required]

Type: []string

Contains the list of identity names where the quota will be applied.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

propagationHidden

Type: boolean

If set to true while the policy propagates, it is not visible to child namespaces but is still used for policy resolution.

protected

Type: boolean

Defines if the object is protected.

quota

Type: integer

Specifies the maximum number of objects matching the policy subject that can be created.

targetNamespace [required]

Type: string

Contains the base namespace from where the count will be done.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/services

ClaimMapping

Allows you to map a claim in a token to an HTTP header. This can be useful when offloading authentication and authorization to Microsegmentation. Some applications may expect to receive information in the HTTP header.

Example

{
  "claimName": "email",
  "targetHTTPHeader": "X-Username"
}

Attributes

claimName [required,format=^[a-zA-Z0-9-_/*#&@\+\$~:]+$]

Type: string

The name of the claim to map to the HTTP header.

targetHTTPHeader [required,format=^[a-zA-Z0-9-_/*#&@\+\$~:]+$]

Type: string

The HTTP header that will be the destination of the mapped claim.
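
The following Python, added as an illustration rather than taken from the product, applies a list of ClaimMapping objects to the claims of an already verified token. The practitioner's check is the one that matters here: the target header must be stripped from the client's request before the claim value is written, otherwise a client can supply X-Username itself and have it trusted whenever the claim is absent. The sample mappings, claims and request headers are constructed.

```python
import re

# Format constraint given on this page for both claimName and targetHTTPHeader.
_NAME_RE = re.compile(r"^[a-zA-Z0-9-_/*#&@\+\$~:]+$")


def is_valid_name(value):
    """True if a claim or header name satisfies the page's format constraint."""
    return bool(_NAME_RE.match(value))


def validate_mapping(mapping):
    """Raise ValueError unless both required fields are present and well-formed."""
    for key in ("claimName", "targetHTTPHeader"):
        if not is_valid_name(mapping.get(key, "")):
            raise ValueError("%s %r does not match the required format" % (key, mapping.get(key)))
    return mapping


def apply_claim_mappings(mappings, claims, inbound_headers):
    """Return the headers to forward to the application.

    `claims` must come from a token that has already been verified; this function does
    no verification. Every targetHTTPHeader is removed from the client-supplied headers
    before the claim value is written, so a client cannot pre-set X-Username and have it
    pass through when the claim is absent. Values containing CR or LF are refused to
    prevent header injection."""
    targets = {validate_mapping(m)["targetHTTPHeader"].lower() for m in mappings}
    # HTTP header names are case-insensitive: strip by lower-cased name.
    out = {k: v for k, v in inbound_headers.items() if k.lower() not in targets}
    for m in mappings:
        value = claims.get(m["claimName"])
        if value is None:
            continue
        if isinstance(value, (list, tuple, set)):
            value = ",".join(str(v) for v in value)
        value = str(value)
        if "\r" in value or "\n" in value:
            raise ValueError("claim %r contains CR/LF; refusing to emit header" % m["claimName"])
        out[m["targetHTTPHeader"]] = value
    return out


# Constructed sample input (not from the page).
MAPPINGS = [
    {"claimName": "email", "targetHTTPHeader": "X-Username"},
    {"claimName": "groups", "targetHTTPHeader": "X-Groups"},
]
CLAIMS = {"email": "alice@example.com", "groups": ["dev", "oncall"]}
INBOUND_HEADERS = {"Host": "api.internal", "Accept": "*/*", "x-username": "admin@example.com"}
```

The spoofed lower-case x-username in the constructed request disappears whether or not the token carries an email claim; if the application behind the proxy can also be reached without passing through the mapping step, the same headers must be stripped there too, since a header is only as trustworthy as the hop that set it.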

Endpoint

Represents an HTTP endpoint.

Example

{
  "public": false
}

Attributes

URI

Type: string

URI of the exposed API.

allowedScopes

Type: [][]string

The scopes authorized to access the API.

methods

Type: []string

Methods exposed to access the API.

public

Type: boolean

If true, the API is public.

scopes [read_only]

This attribute is deprecated.

Type: []string

Use allowedScopes.
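
The Endpoint attributes above amount to an authorization rule: a request is allowed if its URI and method are exposed and either the endpoint is public or the caller holds every scope of at least one allowedScopes clause. The following Python is an added example, not the product's authorizer; exact URI matching, OR-of-AND semantics for allowedScopes and deny-by-default for a non-public endpoint with no scopes are its assumptions, and the resource specification is constructed.

```python
def scopes_satisfy(allowed_scopes, granted_scopes):
    """allowedScopes is [][]string: the caller needs every scope of at least one inner
    list (assumed OR-of-AND semantics, like the other tag expressions on this page)."""
    granted = set(granted_scopes)
    return any(set(clause) <= granted for clause in allowed_scopes)


def authorize(spec, method, uri, granted_scopes):
    """Decide a request against the endpoints of an HTTPResourceSpec.

    Returns (allowed, reason). A non-public endpoint with an empty allowedScopes list
    admits nobody: any() over an empty list is False, which is the deny-by-default
    this example wants."""
    method = method.upper()
    candidates = [
        ep for ep in spec.get("endpoints", [])
        if ep.get("URI") == uri and method in {m.upper() for m in ep.get("methods", [])}
    ]
    if not candidates:
        return False, "endpoint not exposed"
    for ep in candidates:
        if ep.get("public", False):
            return True, "public endpoint"
        if scopes_satisfy(ep.get("allowedScopes", []), granted_scopes):
            return True, "scopes matched"
    return False, "insufficient scopes"


# Constructed HTTPResourceSpec (not from the page): one public health check, read access
# behind a single scope, and writes that need either users:write plus mfa, or admin.
SPEC = {
    "name": "users-api",
    "endpoints": [
        {"URI": "/v1/health", "methods": ["GET"], "public": True},
        {"URI": "/v1/users", "methods": ["GET"], "public": False,
         "allowedScopes": [["users:read"]]},
        {"URI": "/v1/users", "methods": ["POST", "PUT"], "public": False,
         "allowedScopes": [["users:write", "mfa"], ["admin"]]},
    ],
}
```

Because the method check happens before the scope check, an unexposed method on a known URI is reported as "endpoint not exposed" rather than as a scope failure, which keeps the response from revealing which scopes would have been required.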

HTTPResourceSpec

Describes an HTTP resource exposed by one or more services.

Example

{
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /httpresourcespecs

Retrieves the list of HTTP resource specifications.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
  • archived (boolean): Also retrieve the objects that have been archived.
POST /httpresourcespecs

Creates a new HTTP resource specification.

DELETE /httpresourcespecs/:id

Deletes the HTTP resource with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
GET /httpresourcespecs/:id

Retrieves the HTTP resource with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
PUT /httpresourcespecs/:id

Updates the HTTP resource with the given ID.

GET /services/:id/httpresourcespecs

Retrieves the HTTP resource specifications exposed by this service.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

endpoints

Type: []endpoint

A list of API endpoints that are exposed for the service.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

Service

Defines a generic service object at layer 4 or layer 7 that encapsulates the description of a microservice. A service exposes APIs and can be implemented through third-party entities (such as a cloud provider) or through processing units.

Example

{
  "OIDCProviderURL": "https://accounts.google.com",
  "OIDCScopes": [
    "email",
    "profile"
  ],
  "TLSType": "Aporeto",
  "authorizationType": "None",
  "disabled": false,
  "exposedAPIs": [
    [
      "package=p1"
    ]
  ],
  "exposedPort": 443,
  "exposedServiceIsTLS": false,
  "external": false,
  "name": "the name",
  "port": 443,
  "propagate": false,
  "protected": false,
  "publicApplicationPort": 443,
  "selectors": [
    [
      "$identity=processingunit"
    ]
  ],
  "type": "HTTP"
}

Relations

GET /services

Retrieves the list of services.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /services

Creates a new service.

DELETE /services/:id

Deletes the service with the given ID.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
GET /services/:id

Retrieves the service with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /services/:id

Updates the service with the given ID.

GET /infrastructurepolicies/:id/services

Returns the list of services affected by an infrastructure policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkaccesspolicies/:id/services

Returns the list of services affected by a network policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /networkrulesetpolicies/:id/services

Returns the list of services affected by a network rule set policy.

Parameters:

  • mode (enum(subject | object)): Matching mode.
GET /processingunits/:id/services

Retrieves the services used by a processing unit.

GET /servicedependencies/:id/services

Returns the list of external services that are targets of service dependency.

GET /services/:id/httpresourcespecs

Retrieves the HTTP resource specifications exposed by this service.

GET /services/:id/processingunits

Retrieves the processing units that implement this service.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

IPs

Type: []string

The list of IP addresses where the service can be accessed. This is an optional attribute and is only required if no host names are provided. The system will automatically resolve IP addresses from host names otherwise.

JWTSigningCertificate

Type: string

PEM-encoded certificate that will be used to validate the user’s JSON web token (JWT) in HTTP requests. This is an optional field, needed only if the authorizationType is set to JWT.

MTLSCertificateAuthority

Type: string

PEM-encoded certificate authority to use to verify client certificates. This only applies if authorizationType is set to MTLS. If it is not set, Microsegmentation Console’s public signing certificate authority will be used.

OIDCCallbackURL

Type: string

This is an advanced setting. Optional OIDC callback URL. If you don’t set it, the enforcer will autodiscover it. It will be https://<hosts[0]|IPs[0]>/aporeto/oidc/callback.

OIDCClientID

Type: string

OIDC Client ID. Only has effect if the authorizationType is set to OIDC.

OIDCClientSecret

Type: string

OIDC Client Secret. Only has effect if the authorizationType is set to OIDC.

OIDCProviderURL

Type: string

OIDC discovery endpoint. Only has effect if the authorizationType is set to OIDC.

OIDCScopes

Type: []string

Configures the scopes you want to request from the OIDC provider. Only has effect if authorizationType is set to OIDC.

TLSCertificate

Type: string

PEM-encoded certificate to expose to the clients for TLS. Only has effect, and is required, if TLSType is set to External.

TLSCertificateKey

Type: string

PEM-encoded private key associated with TLSCertificate. Only has effect, and is required, if TLSType is set to External.

TLSType

Type: enum(Aporeto | LetsEncrypt | External | None)

Set how to provide a server certificate to the service.

  • Aporeto: Generate a certificate signed by the Microsegmentation Console public CA.
  • LetsEncrypt: Issue a certificate from Let’s Encrypt.
  • External: Let you define your own certificate and key to use.
  • None: TLS is disabled (not recommended).

Default value:

"Aporeto"

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizationType

Type: enum(None | JWT | OIDC | MTLS)

Defines the user authorization type that should be used.

  • None (default): No authorization.
  • JWT: Configures a simple JWT verification from the HTTP Authorization header.
  • OIDC: Configures OIDC authorization. You must then set OIDCClientID, OIDCClientSecret and OIDCProviderURL.
  • MTLS: Configures client certificate authorization. You can optionally set MTLSCertificateAuthority; otherwise Microsegmentation Console’s public signing certificate authority will be used.

Default value:

"None"

claimsToHTTPHeaderMappings

Type: []claimmapping

Defines a list of mappings between claims and HTTP headers. When these mappings are defined, the enforcer will copy the values of the claims to the corresponding HTTP headers.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the service is disabled.

endpoints [read_only]

Type: []endpoint

Resolves the API endpoints that the service is exposing. Only valid during policy rendering.

exposedAPIs

Type: [][]string

Contains a tag expression that selects the APIs the service exposes. The APIs can be defined through an HTTPResourceSpec (called RESTAPISpec in some releases) or similar specifications for other layer 7 protocols.

exposedPort [required,max_value=65535]

Type: integer

The port that the service can be accessed on. Note that this is different from the port attribute, which describes the port the service implementation actually listens on. For example, if a load balancer is used, exposedPort is the port the load balancer listens on for the service, whereas the port the implementation listens on can be different.

exposedServiceIsTLS

Type: boolean

Indicates that the exposed service is TLS. This means that the enforcer has to initiate a TLS session in order to forward traffic to the service.

Default value:

false

external

Type: boolean

Indicates if this is an external service.

Default value:

false

hosts

Type: []string

The host names that the service can be accessed on.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

port [max_value=65535]

Type: integer

The port that the implementation of the service is listening on. It can differ from exposedPort. This is needed for port-mapping use cases where there are private and public ports.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

publicApplicationPort [max_value=65535]

Type: integer

A new virtual port that the service can be accessed on using HTTPS. Since the enforcer transparently inserts TLS in the application path, you might want to declare a new port where the enforcer listens for TLS. However, the application does not need to be modified and the enforcer will map the traffic to the correct application port. This is useful when an application is being accessed from a public network.

redirectURLOnAuthorizationFailure

Type: string

If this is set, the user will be redirected to that URL in case of any authorization failure, allowing you to provide a nice message to the user. The query parameter ?failure_message=<message> will be added to that URL explaining the possible reason for the failure.

selectors

Type: [][]string

A tag or tag expression that identifies the processing unit that implements this particular service.

trustedCertificateAuthorities

Type: string

PEM-encoded certificate authorities to trust when additional hops are needed. It must be set if the service must reach a service marked as external or must go through an additional TLS termination point like a layer 7 load balancer.

type

Type: enum(HTTP | TCP | KubernetesSecrets | VaultSecrets)

Type of service.

Default value:

"HTTP"

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
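
The attribute descriptions above carry several cross-field rules (JWT needs JWTSigningCertificate, OIDC needs the three OIDC* settings and a host or IP for callback autodiscovery, External TLS needs a certificate and key, TLSType None is discouraged, ports are capped at 65535). The following lint, an added example that is not part of the Microsegmentation API or the Console, checks a Service object against those rules before it is POSTed to /services, so a misconfigured or insecure service is caught client-side. The sample service at the bottom is constructed for illustration.

```python
"""Pre-flight lint for a Service object before it is POSTed to /services.

Added example; not part of the Microsegmentation API or Console. It encodes
the cross-field rules stated in the Service attribute descriptions
(authorizationType, TLSType, OIDC*, TLSCertificate*, ports).
"""
from typing import Dict, List, Tuple

AUTH_TYPES = ("None", "JWT", "OIDC", "MTLS")
TLS_TYPES = ("Aporeto", "LetsEncrypt", "External", "None")
SERVICE_TYPES = ("HTTP", "TCP", "KubernetesSecrets", "VaultSecrets")
PORT_FIELDS = ("exposedPort", "port", "publicApplicationPort")


def _present(svc: Dict, field: str) -> bool:
    return svc.get(field) not in (None, "", [], {})


def lint_service(svc: Dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors would be rejected by the API or leave
    the service unusable; warnings flag security-relevant choices."""
    errors: List[str] = []
    warnings: List[str] = []

    if not _present(svc, "name"):
        errors.append("name is required")
    elif len(svc["name"]) > 256:
        errors.append("name exceeds max_length=256")
    if len(svc.get("description", "")) > 1024:
        errors.append("description exceeds max_length=1024")

    if not _present(svc, "exposedPort"):
        errors.append("exposedPort is required")
    for f in PORT_FIELDS:
        v = svc.get(f)
        if v is not None and not (isinstance(v, int) and 0 < v <= 65535):
            errors.append(f"{f} must be an integer in 1..65535")

    svc_type = svc.get("type", "HTTP")
    if svc_type not in SERVICE_TYPES:
        errors.append(f"type must be one of {SERVICE_TYPES}")

    auth = svc.get("authorizationType", "None")
    if auth not in AUTH_TYPES:
        errors.append(f"authorizationType must be one of {AUTH_TYPES}")
    if auth == "JWT" and not _present(svc, "JWTSigningCertificate"):
        errors.append("authorizationType=JWT needs JWTSigningCertificate to verify the Authorization header")
    if auth == "OIDC":
        for f in ("OIDCClientID", "OIDCClientSecret", "OIDCProviderURL"):
            if not _present(svc, f):
                errors.append(f"authorizationType=OIDC needs {f}")
        # callback autodiscovery uses hosts[0] or IPs[0]
        if not any(_present(svc, f) for f in ("OIDCCallbackURL", "hosts", "IPs")):
            errors.append("OIDC callback URL cannot be autodiscovered: set OIDCCallbackURL, hosts or IPs")
    if auth == "MTLS" and not _present(svc, "MTLSCertificateAuthority"):
        warnings.append("authorizationType=MTLS without MTLSCertificateAuthority: "
                        "client certificates are verified against the Console's public signing CA")
    if auth == "None" and svc_type == "HTTP":
        warnings.append("authorizationType=None: no user authorization on an HTTP service")

    tls = svc.get("TLSType", "Aporeto")
    if tls not in TLS_TYPES:
        errors.append(f"TLSType must be one of {TLS_TYPES}")
    if tls == "External":
        for f in ("TLSCertificate", "TLSCertificateKey"):
            if not _present(svc, f):
                errors.append(f"TLSType=External needs {f}")
    else:
        for f in ("TLSCertificate", "TLSCertificateKey"):
            if _present(svc, f):
                warnings.append(f"{f} is ignored unless TLSType=External")
    if tls == "None":
        warnings.append("TLSType=None disables TLS on the exposed port (not recommended)")
        if auth in ("JWT", "OIDC"):
            warnings.append("bearer tokens or OIDC secrets cross the wire in clear text with TLSType=None")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample, not taken from the page: OIDC without a client secret and no TLS.
    sample = {"name": "payments-api", "type": "HTTP", "exposedPort": 443, "port": 8080,
              "authorizationType": "OIDC", "TLSType": "None",
              "OIDCClientID": "payments", "OIDCProviderURL": "https://accounts.google.com",
              "hosts": ["payments.example.internal"], "selectors": [["app=payments"]]}
    errs, warns = lint_service(sample)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

Run it over the JSON you intend to send; anything in the errors list will either be rejected by the Console or leave the service unreachable, while the warnings are the cases the attribute descriptions call out as weak defaults.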

ServiceDependency

Allows you to define a service dependency where a set of processing units as defined by their tags require access to specific services.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /servicedependencies

Retrieves the list of service dependencies.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /servicedependencies

Creates a new service dependency.

DELETE /servicedependencies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
GET /servicedependencies/:id

Retrieves the object with the given ID.

PUT /servicedependencies/:id

Updates the object with the given ID.

GET /servicedependencies/:id/processingunits

Returns the list of processing units that depend on a service.

GET /servicedependencies/:id/services

Returns the list of external services that are targets of service dependency.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Object of the service dependency.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Subject of the service dependency.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.
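
A ServiceDependency is resolved by matching its subject against a processing unit's tags and its object against the services' tags, with disabled policies ignored and fallback policies consulted only when nothing else matched. The resolver below is an added example, not the Console's own code, and it makes assumptions this page does not state: a [][]string tag expression is an OR of AND clauses (every tag in an inner list must be present; any inner list matching satisfies the expression), tags are exact "key=value" strings, and a Service is matched through its normalizedTags plus the system tags "$identity=service" and "$name=<name>". The inventory and policies at the bottom are constructed.

```python
"""Resolve which services a processing unit may reach under ServiceDependency policies.

Added example; not the Console's resolver. Assumptions not stated on the page:
tag expressions are an OR of AND clauses, tags are exact "key=value" strings,
and services carry "$identity=service" and "$name=<name>" system tags.
"""
from typing import Dict, Iterable, List, Set

TagExpr = List[List[str]]


def match_expr(expr: TagExpr, tags: Iterable[str]) -> bool:
    """True if at least one AND clause of expr is fully contained in tags."""
    tagset = set(tags)
    return any(clause and all(t in tagset for t in clause) for clause in expr)


def service_tags(svc: Dict) -> Set[str]:
    # assumed system tags added to the service's normalized tags
    return set(svc.get("normalizedTags", [])) | {"$identity=service", "$name=" + svc["name"]}


def applicable_policies(pu_tags: Iterable[str], policies: List[Dict]) -> List[Dict]:
    """Documented fallback semantics: a fallback policy is used only when no
    non-fallback policy resolved for this subject; disabled ones never apply."""
    pu_tags = list(pu_tags)
    live = [p for p in policies if not p.get("disabled")]
    regular = [p for p in live if not p.get("fallback") and match_expr(p["subject"], pu_tags)]
    if regular:
        return regular
    return [p for p in live if p.get("fallback") and match_expr(p["subject"], pu_tags)]


def resolve_dependencies(pu_tags: Iterable[str], policies: List[Dict],
                         services: List[Dict]) -> Dict[str, List[str]]:
    """Map each reachable service name to the names of the policies granting it."""
    pu_tags = list(pu_tags)
    grants: Dict[str, List[str]] = {}
    for pol in applicable_policies(pu_tags, policies):
        for svc in services:
            if match_expr(pol["object"], service_tags(svc)):
                grants.setdefault(svc["name"], []).append(pol["name"])
    return grants


# Constructed inventory and policies, not taken from the page.
SERVICES = [
    {"name": "payments", "normalizedTags": ["app=payments", "env=prod"]},
    {"name": "ldap", "normalizedTags": ["app=ldap", "external=true"], "external": True},
]
POLICIES = [
    {"name": "web-to-payments", "subject": [["app=web", "env=prod"]], "object": [["app=payments"]]},
    {"name": "anything-to-ldap", "fallback": True,
     "subject": [["$identity=processingunit"]], "object": [["$name=ldap"]]},
    {"name": "old-rule", "disabled": True,
     "subject": [["$identity=processingunit"]], "object": [["$identity=service"]]},
]

if __name__ == "__main__":
    web = ["$identity=processingunit", "app=web", "env=prod"]
    batch = ["$identity=processingunit", "app=batch", "env=prod"]
    print("web   ->", resolve_dependencies(web, POLICIES, SERVICES))
    print("batch ->", resolve_dependencies(batch, POLICIES, SERVICES))
```

Note the effect of the fallback rule: the web processing unit matches a regular policy, so the fallback granting ldap does not apply to it at all, while the batch unit, which matches no regular policy, gets only the fallback.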

TokenScopePolicy

Defines a set of policies that allow customization of the authorization tokens issued by the Microsegmentation Console. This allows Microsegmentation tokens to be used by external applications.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

Relations

GET /tokenscopepolicies

Retrieves the list of token scope policies.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /tokenscopepolicies

Creates a new token scope policy.

DELETE /tokenscopepolicies/:id

Deletes the object with the given ID.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
GET /tokenscopepolicies/:id

Retrieves the object with the given ID.

PUT /tokenscopepolicies/:id

Updates the object with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

allowedAudiences

Type: []string

A list of audience values that are allowed when issuing a service token. An empty list will allow any audience values.

annotations

Type: map[string][]string

Stores additional information about an entity.

assignedAudience

Type: string

The audience that should be assigned to a request if the caller is not requesting any specific audience.

assignedScopes

Type: []string

The list of scopes that the policy will assign.

associatedTags

Type: []string

List of tags attached to an entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the policy is disabled.

expirationTime

Type: time

If set the policy will be automatically deleted after the given time.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

inheritedClaimKeys

Type: []string

A list of claim keys that should be inherited from the claims of the caller into the issued token. The listed caller claims are propagated to the resolved token.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

subject

Type: [][]string

Defines the selection criteria that this policy must match on identity and scope request information.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

policy/ssh

SSHAuthorizationPolicy

An SSH authorization defines the permissions granted to the owner of an OpenSSH certificate issued by a Microsegmentation certificate authority. You can define whether a user with certain claims can connect to an sshd server managed by an enforcerd instance, selected by its tags, what permissions the user has, and for how long the delivered certificates are valid.

Example

{
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false,
  "requireSystemAccountMatching": false,
  "validity": "1h"
}

Relations

GET /sshauthorizationpolicies

Retrieves the list of SSH authorizations.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
POST /sshauthorizationpolicies

Creates a new SSH authorization.

DELETE /sshauthorizationpolicies/:id

Deletes the SSH authorization with the given ID.

Parameters:

  • q (string): Filtering query. Repeated q parameters are combined with a logical OR.
GET /sshauthorizationpolicies/:id

Retrieves the SSH authorization with the given ID.

Parameters:

  • propagated (boolean): Also retrieve the objects that propagate down.
PUT /sshauthorizationpolicies/:id

Updates the SSH authorization with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

activeDuration [format=^[0-9]+[smh]$]

Type: string

Defines for how long the policy will be active according to the activeSchedule.

activeSchedule

Type: string

Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

authorizedSubnets

Type: []string

If set, the SSH authorization is only valid if the request comes from one of the declared subnets.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

description [max_length=1024]

Type: string

Description of the object.

disabled

Type: boolean

Defines if the SSH authorization is disabled.

expirationTime

Type: time

If set the SSH authorization will be automatically deleted after the given time.

extensions

Type: []string

The list of permissions to apply to the OpenSSH certificate. You can check the list of standard extensions at https://github.com/openssh/openssh-portable/blob/38e83e4f219c752ebb1560633b73f06f0392018b/PROTOCOL.certkeys#L281.

fallback

Type: boolean

Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.

forceCommand

Type: string

Specifies a single command that the user can run on the remote host (the OpenSSH force-command certificate option). This is useful for issuing single-purpose certificates; keeping users in their home directories (internal-sftp); or restricting users to a bash shell (/bin/bash), which prevents them from running arbitrary and unlogged commands through scp, rsync -e ssh, or sftp, since the forced command replaces whatever command the client requested. Refer to the FreeBSD documentation for more information.

metadata [creation_only]

Type: []string

Contains tags that can only be set during creation, must all start with the ‘@’ prefix, and should only be used by external systems.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

object

Type: [][]string

Contains the tag expression identifying the enforcers on the hosts the subject is allowed to access.

principals

Type: []string

On systems without an enforcer, you must provide the name of the Linux user. Otherwise, Microsegmentation populates this field automatically; a value set here is optional and is not used during authorization, but it becomes a tag associated with the SSH processing unit, which can be useful.

propagate

Type: boolean

Propagates the policy to all of its children.

protected

Type: boolean

Defines if the object is protected.

requireSystemAccountMatching

Type: boolean

If selected, the system account will be used to log into the resource.

subject

Type: [][]string

Contains the tag expression that identifies the user or group of users that should be allowed to access the remote hosts. If the user authenticates against an OIDC provider, these tags correspond to claims in the ID token.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

validity

Type: string

Set the validity of the delivered SSH certificate.

Default value:

"1h"

SSHIdentity

Returns an SSH certificate containing the bearer claims. This SSH certificate can be used to connect to a node where the enforcer is protecting SSH sessions.

Example

{
  "publicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCytT my key"
}

Relations

POST /sshidentities

Creates a new SSH certificate.

Attributes

certificate [autogenerated,read_only]

Type: string

Contains the signed SSH certificate in OpenSSH format.

publicKey [required]

Type: string

Contains the public key to sign in OpenSSH format. You can generate an SSH public key with the standard ssh-keygen tool.

systemAccount

Type: string

Defines the targeted system account name.

policy/token

ServiceToken

This API issues a new service token using the namespace certificate that can be used by third-party applications.

Example

{
  "objectID": "5c83035648675400019ab901",
  "sessionID": "5c83035648675400019ab901",
  "type": "Service",
  "validity": "15m"
}

Relations

POST /servicetoken

Creates an OAuth-compatible service token.

Attributes

audience

Type: string

If given, the issued token will only be valid for the audience provided. If empty, the audience will be resolved from the policies. If no audience can be resolved, the request will be rejected with an error.

objectID

Type: string

ID of the object you want to issue a token for.

sessionID

Type: string

Provides the session ID of the enforcer when retrieving a datapath certificate.

token [autogenerated,read_only]

Type: string

Token is the signed JWT service token.

type

Type: enum(ProcessingUnit | Service)

Type of token request.

Default value:

"Service"

validity

Type: string

Configures the requested validity of the token. If it exceeds the configured maximum validity, it is capped to that maximum.

Default value:

"15m"
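
The TokenScopePolicy attributes (subject, allowedAudiences, assignedAudience, assignedScopes, inheritedClaimKeys, fallback) and the ServiceToken request (audience, validity with its cap) together determine what a caller gets back from POST /servicetoken. The model below is an added example, not the Console's issuer, that applies the documented rules end to end: a policy applies when its subject matches the caller's claims; allowedAudiences restricts a requested audience (an empty list allows any); assignedAudience fills in when none was requested and the request is rejected when no audience can be resolved; assignedScopes and inheritedClaimKeys populate the token; validity is capped. Assumptions not on the page: claims are rendered as "key=value" tags and matched as an OR of AND clauses, a fallback policy is consulted only when no other matched, the first matching policy's assignedAudience wins when several assign one, and MAX_VALIDITY_S is a deployment setting. The policy and caller claims are constructed.

```python
"""Model of how TokenScopePolicy objects shape a token requested via POST /servicetoken.

Added example; not the Console's issuer. Assumed: claims match as "key=value" tags,
outer list OR / inner list AND, first matching assignedAudience wins, and the
validity cap MAX_VALIDITY_S is a deployment setting rather than a page value.
"""
import re
from typing import Dict, List, Optional

DURATION_RE = re.compile(r"^([0-9]+)([smh])$")      # the page's validity format
MAX_VALIDITY_S = 24 * 3600                         # assumed configured maximum


class TokenRequestRejected(Exception):
    pass


def parse_duration(s: str) -> int:
    m = DURATION_RE.match(s)
    if not m:
        raise ValueError(f"bad duration {s!r}, expected ^[0-9]+[smh]$")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


def match_expr(expr: List[List[str]], tags: List[str]) -> bool:
    tagset = set(tags)
    return any(clause and all(t in tagset for t in clause) for clause in expr)


def matching_policies(caller_tags: List[str], policies: List[Dict]) -> List[Dict]:
    live = [p for p in policies if not p.get("disabled")]
    regular = [p for p in live if not p.get("fallback") and match_expr(p["subject"], caller_tags)]
    return regular or [p for p in live if p.get("fallback") and match_expr(p["subject"], caller_tags)]


def issue_service_token(caller_claims: Dict[str, str], policies: List[Dict],
                        audience: Optional[str] = None, validity: str = "15m") -> Dict:
    """Return the claim set of the token that would be issued, or raise."""
    caller_tags = [f"{k}={v}" for k, v in caller_claims.items()]
    matched = matching_policies(caller_tags, policies)
    if not matched:
        raise TokenRequestRejected("no TokenScopePolicy matches the caller")

    if audience:
        for p in matched:
            allowed = p.get("allowedAudiences") or []      # empty list: any audience
            if allowed and audience not in allowed:
                raise TokenRequestRejected(f"audience {audience!r} not allowed by {p['name']}")
        aud = audience
    else:
        assigned = [p["assignedAudience"] for p in matched if p.get("assignedAudience")]
        if not assigned:
            raise TokenRequestRejected("no audience requested and none assigned by policy")
        aud = assigned[0]

    scopes = sorted({s for p in matched for s in p.get("assignedScopes", [])})
    inherited = {k: caller_claims[k] for p in matched
                 for k in p.get("inheritedClaimKeys", []) if k in caller_claims}
    exp_in = min(parse_duration(validity), MAX_VALIDITY_S)   # ServiceToken.validity capping
    return {**inherited, "aud": aud, "scope": scopes, "exp_in": exp_in}


# Constructed policy and caller, not taken from the page.
POLICIES = [
    {"name": "ci-artifacts",
     "subject": [["@auth:realm=certificate", "@auth:commonname=ci-runner"]],
     "allowedAudiences": ["https://artifacts.internal"],
     "assignedAudience": "https://artifacts.internal",
     "assignedScopes": ["artifacts:read", "artifacts:write"],
     "inheritedClaimKeys": ["@auth:commonname"]},
]
CI_CLAIMS = {"@auth:realm": "certificate", "@auth:commonname": "ci-runner"}

if __name__ == "__main__":
    print(issue_service_token(CI_CLAIMS, POLICIES, validity="2h"))
    try:
        issue_service_token(CI_CLAIMS, POLICIES, audience="https://other.internal")
    except TokenRequestRejected as e:
        print("rejected:", e)
```

The two rejection paths are the ones worth testing against a real deployment: a caller that matches no policy, and a caller that requests an audience outside allowedAudiences. Both must fail closed rather than fall back to an unrestricted token.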