From e0de85d456a6d99463ff3c04b119cb34464519db Mon Sep 17 00:00:00 2001 From: jakedoublev Date: Tue, 6 Aug 2024 14:38:39 -0700 Subject: [PATCH 1/3] feat(core): add obligations commands --- docs/man/policy/obligations/_index.md | 49 +++++++++++++++++++ docs/man/policy/obligations/create.md | 23 +++++++++ docs/man/policy/obligations/delete.md | 16 ++++++ docs/man/policy/obligations/get.md | 16 ++++++ docs/man/policy/obligations/list.md | 7 +++ docs/man/policy/obligations/update.md | 17 +++++++ docs/man/policy/obligations/values/_index.md | 10 ++++ docs/man/policy/obligations/values/assign.md | 18 +++++++ docs/man/policy/obligations/values/create.md | 25 ++++++++++ docs/man/policy/obligations/values/delete.md | 14 ++++++ docs/man/policy/obligations/values/get.md | 18 +++++++ docs/man/policy/obligations/values/list.md | 7 +++ .../man/policy/obligations/values/unassign.md | 19 +++++++ docs/man/policy/obligations/values/update.md | 17 +++++++ 14 files changed, 256 insertions(+) create mode 100644 docs/man/policy/obligations/_index.md create mode 100644 docs/man/policy/obligations/create.md create mode 100644 docs/man/policy/obligations/delete.md create mode 100644 docs/man/policy/obligations/get.md create mode 100644 docs/man/policy/obligations/list.md create mode 100644 docs/man/policy/obligations/update.md create mode 100644 docs/man/policy/obligations/values/_index.md create mode 100644 docs/man/policy/obligations/values/assign.md create mode 100644 docs/man/policy/obligations/values/create.md create mode 100644 docs/man/policy/obligations/values/delete.md create mode 100644 docs/man/policy/obligations/values/get.md create mode 100644 docs/man/policy/obligations/values/list.md create mode 100644 docs/man/policy/obligations/values/unassign.md create mode 100644 docs/man/policy/obligations/values/update.md diff --git a/docs/man/policy/obligations/_index.md b/docs/man/policy/obligations/_index.md new file mode 100644 index 00000000..f1331050 --- /dev/null 
+++ b/docs/man/policy/obligations/_index.md 
@@ -0,0 +1,49 @@ +--- +title: Manage obligations +command: + name: obligations +--- + +Commands to manage obligations within the platform. + +Obligations are requirements that should be fulfilled by a Subject or Environment requesting access to Resource data. Obligations +are distinct from Entitlements because they are a post-entitlement decision. + +For example, if a Subject user is entitled through a Subject Mapping to access data that is considered confidential intellectual +property, an obligation can be utilized to ensure the access path is through a PEP or flow that supports watermarking to enhance +security of the data post-decryption. It is a precondition of an obligation that a Subject requesting access must already be entitled. + +Obligations are represented as platform attributes. They can be either added to TDFs directly, or derived via mapping. + +**Example:** + +As a platform admin, Alice already has the hierarchical attribute `https://namespace.io/attr/card_suits` with high-to-low values `ace, king, queen, jack` +that are successfully entitled to various Subject users at each intended level of access. + +Alice wants to ensure data of the hierarchical attribute `https://namespace.io/attr/card_suits/value/queen` +is accessible to Subjects that are entitled to Queen or King data, but Alice wants an additional protection of `watermarking` when +the TDF'd data is decrypted. + +To add a `watermarking` assurance when a PEP handles decrypted TDF data a `digital rights management` , she can utilize obligations. 
+ +**Option 1: Derived obligations** + +To dynamically tie all TDF data of that attribute value to this new obligation to watermark, she will create an obligation +mapped in platform policy to the `https://namespace.io/attr/card_suits/value/queen` attribute value: + +`policy obligations create --name drm --value watermarking --attr ` + +From this point forward, any time an access request is made on a TDF containing the `/attr/card_suits/value/queen` attribute value, the obligation +will be derived and considered in the decision. + +The same obligation can also be assigned multiple attribute values when derived, so `--attr` can take multiple attribute value IDs, and the +`assign` and `remove` subcommands exist on `obligations` as well to assign attribute values to already-created obligations. + +**Option 2: TDF-only obligations** + +To add this obligation to any TDF data without permanently associating every TDF containing an attribute value to the obligation (see derived above), +Alice can create the obligation without associating it to an attribute value: + +`policy obligations create --name drm --value watermarking` + +Without the derived assocation, the obligation can be added on TDF encrypt as any other attribute FQN. There is nothing stopping a PEP or admin from utilizing obligations in both manners in tandem as appropriate. diff --git a/docs/man/policy/obligations/create.md b/docs/man/policy/obligations/create.md new file mode 100644 index 00000000..3dd52ab7 --- /dev/null +++ b/docs/man/policy/obligations/create.md 
@@ -0,0 +1,23 @@ +--- +title: Create an obligation +command: + name: create + flags: + - name: name + shorthand: n + description: Name of the obligation (i.e. 'drm' for Digital Rights Management) + required: true + - name: value + shorthand: v + description: Values of the obligation (i.e. 'watermark') + required: false + - name: label + description: "Optional metadata 'labels' in the format: key=value" + shorthand: l + default: '' +--- + +An obligation, like an attribute definition, is a parent that can contain one or more values. + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values +or when added directly to a TDF, view the parent command documentation with `--help`. \ No newline at end of file diff --git a/docs/man/policy/obligations/delete.md b/docs/man/policy/obligations/delete.md new file mode 100644 index 00000000..283d180d --- /dev/null +++ b/docs/man/policy/obligations/delete.md @@ -0,0 +1,16 @@ +--- +title: Delete an obligation +command: + name: delete + flags: + - name: id + shorthand: i + description: ID of the obligation + required: true +--- + +Because obligations are a post-entitlement decision, they are safe to delete. Upon deletion, any derived obligations as a result of +mappings to platform policy attribute values will be removed, and any TDFs containing obligations within will remain accessible, just +without obligations returned along with an access request to drive PEP behavior. + +Upon deletion, all child values and the entity conditions to satisfy an obligation are cascadingly deleted. diff --git a/docs/man/policy/obligations/get.md b/docs/man/policy/obligations/get.md new file mode 100644 index 00000000..9304765f --- /dev/null +++ b/docs/man/policy/obligations/get.md 
@@ -0,0 +1,16 @@ +--- +title: Get an obligation +command: + name: get + flags: + - name: id + shorthand: i + description: ID of the obligation +--- + +Retrieves the obligation, comprised of: + +- ID +- name +- child values (values and IDs) +- FQN diff --git a/docs/man/policy/obligations/list.md b/docs/man/policy/obligations/list.md new file mode 100644 index 00000000..dc9f7a11 --- /dev/null +++ b/docs/man/policy/obligations/list.md @@ -0,0 +1,7 @@ +--- +title: List obligations +command: + name: list +--- + +Retrieves all obligations stored in platform policy. diff --git a/docs/man/policy/obligations/update.md b/docs/man/policy/obligations/update.md new file mode 100644 index 00000000..1b8ccfe3 --- /dev/null +++ b/docs/man/policy/obligations/update.md @@ -0,0 +1,17 @@ +--- +title: Update an attribute +command: + name: update + flags: + - name: id + shorthand: i + description: ID of the attribute + required: true + - name: label + description: "Optional metadata 'labels' in the format: key=value" + shorthand: l + default: "" + - name: force-replace-labels + description: Destructively replace entire set of existing metadata 'labels' with any provided to this command + default: false +--- diff --git a/docs/man/policy/obligations/values/_index.md b/docs/man/policy/obligations/values/_index.md new file mode 100644 index 00000000..0dca7187 --- /dev/null +++ b/docs/man/policy/obligations/values/_index.md @@ -0,0 +1,10 @@ +--- +title: Manage obligation values +command: + name: values +--- + +Commands to manage obligation values within an existing obligation. + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values +or when added directly to a TDF, view the parent command documentation with `--help`. diff --git a/docs/man/policy/obligations/values/assign.md b/docs/man/policy/obligations/values/assign.md new file mode 100644 index 00000000..abd66da7 --- /dev/null 
+++ b/docs/man/policy/obligations/values/assign.md @@ -0,0 +1,18 @@ +--- +title: Assign an obligation to an attribute value +command: + name: assign + flags: + - name: id + shorthand: i + description: ID of the obligation value + required: true + - name: attr-val + description: ID of the attribute value(s) being assigned for derived obligations + required: true +--- + +Assigns an existing obligation value to one or more attribute values for derived obligations in an access decision. + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values, +see the parent command. diff --git a/docs/man/policy/obligations/values/create.md b/docs/man/policy/obligations/values/create.md new file mode 100644 index 00000000..fad8e2d7 --- /dev/null +++ b/docs/man/policy/obligations/values/create.md @@ -0,0 +1,25 @@ +--- +title: Create an obligation +command: + name: create + flags: + - name: value + shorthand: v + description: Value being added to the existing obligation (i.e. 'watermark') + required: true + - name: obligation + shorthand: o + description: ID of the parent obligation + required: true + - name: attr-val + shorthand: a + description: ID of assigned attribute value(s) for derived obligations + required: false + - name: label + description: "Optional metadata 'labels' in the format: key=value" + shorthand: l + default: '' +--- + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values +or when added directly to a TDF, see the parent command above. diff --git a/docs/man/policy/obligations/values/delete.md b/docs/man/policy/obligations/values/delete.md new file mode 100644 index 00000000..e73e7ed3 --- /dev/null +++ b/docs/man/policy/obligations/values/delete.md 
@@ -0,0 +1,14 @@ +--- +title: Delete an obligation +command: + name: delete + flags: + - name: id + shorthand: i + description: ID of the obligation + required: true +--- + +Because obligations are a post-entitlement decision, they are safe to delete. Upon deletion, any derived obligations as a result of +mappings to platform policy attribute values will be removed, and any TDFs containing obligations within will remain accessible, just +without obligations returned along with an access request to drive PEP behavior. \ No newline at end of file diff --git a/docs/man/policy/obligations/values/get.md b/docs/man/policy/obligations/values/get.md new file mode 100644 index 00000000..18991e87 --- /dev/null +++ b/docs/man/policy/obligations/values/get.md @@ -0,0 +1,18 @@ +--- +title: Get an obligation +command: + name: get + flags: + - name: id + shorthand: i + description: ID of the obligation +--- + +Retrieves the obligation, comprised of: + +- ID +- value +- parent obligation (name and ID) +- FQN +- any assigned attribute value FQNs and IDs for derived obligations +- condition sets for mappings to entities that satisfy the obligation diff --git a/docs/man/policy/obligations/values/list.md b/docs/man/policy/obligations/values/list.md new file mode 100644 index 00000000..dc9f7a11 --- /dev/null +++ b/docs/man/policy/obligations/values/list.md @@ -0,0 +1,7 @@ +--- +title: List obligations +command: + name: list +--- + +Retrieves all obligations stored in platform policy. diff --git a/docs/man/policy/obligations/values/unassign.md b/docs/man/policy/obligations/values/unassign.md new file mode 100644 index 00000000..a0c75500 --- /dev/null +++ b/docs/man/policy/obligations/values/unassign.md 
@@ -0,0 +1,19 @@ +--- +title: Unassign an obligation from an attribute value +command: + name: unassign + flags: + - name: id + shorthand: i + description: ID of the obligation value + required: true + - name: attr-val + description: ID of the attribute value being removed for derived obligation assignment + required: true +--- + +Unassigns an obligation value from an attribute value so that the obligation is no longer considered a derived obligation in an +access decision. + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values, +see the parent command. \ No newline at end of file diff --git a/docs/man/policy/obligations/values/update.md b/docs/man/policy/obligations/values/update.md new file mode 100644 index 00000000..1b8ccfe3 --- /dev/null +++ b/docs/man/policy/obligations/values/update.md @@ -0,0 +1,17 @@ +--- +title: Update an attribute +command: + name: update + flags: + - name: id + shorthand: i + description: ID of the attribute + required: true + - name: label + description: "Optional metadata 'labels' in the format: key=value" + shorthand: l + default: "" + - name: force-replace-labels + description: Destructively replace entire set of existing metadata 'labels' with any provided to this command + default: false +--- From 423e5e133ddb9846465fb4757d1ecf0f3f45428b Mon Sep 17 00:00:00 2001 From: jakedoublev Date: Wed, 7 Aug 2024 08:14:45 -0700 Subject: [PATCH 2/3] updates --- docs/man/policy/obligations/_index.md | 7 +++++++ docs/man/policy/obligations/values/assign.md | 2 +- docs/man/policy/obligations/values/create.md | 2 +- docs/man/policy/obligations/values/delete.md | 4 ++-- docs/man/policy/obligations/values/get.md | 6 +++--- docs/man/policy/obligations/values/list.md | 16 ++++++++++++++-- docs/man/policy/obligations/values/unassign.md | 4 ++-- docs/man/policy/obligations/values/update.md | 4 ++-- 8 files changed, 32 insertions(+), 13 deletions(-) 
diff --git a/docs/man/policy/obligations/_index.md b/docs/man/policy/obligations/_index.md index f1331050..1544692d 100644 --- a/docs/man/policy/obligations/_index.md +++ b/docs/man/policy/obligations/_index.md @@ -47,3 +47,10 @@ Alice can create the obligation without associating it to an attribute value: `policy obligations create --name drm --value watermarking` Without the derived assocation, the obligation can be added on TDF encrypt as any other attribute FQN. There is nothing stopping a PEP or admin from utilizing obligations in both manners in tandem as appropriate. + +**Evaluation** + +In either scenario above, resolution of obligation satisfaction is similar to an `anyOf` rule on an attribute definition. If the obligation for `drm` contains +several values, and only one of them is `watermark`, a PEP or environmental entity that successfully meets the admin-defined obligation conditions +for specifically that obligation or any of the other child values of the `drm` obligation parent for the data (derived via attributes or on the TDF) +would result in a permitted access decision. diff --git a/docs/man/policy/obligations/values/assign.md b/docs/man/policy/obligations/values/assign.md index abd66da7..e5b06c17 100644 --- a/docs/man/policy/obligations/values/assign.md +++ b/docs/man/policy/obligations/values/assign.md @@ -1,5 +1,5 @@ --- -title: Assign an obligation to an attribute value +title: Assign an obligation value to an attribute value command: name: assign flags: diff --git a/docs/man/policy/obligations/values/create.md b/docs/man/policy/obligations/values/create.md index fad8e2d7..170c692d 100644 --- a/docs/man/policy/obligations/values/create.md +++ b/docs/man/policy/obligations/values/create.md @@ -1,5 +1,5 @@ --- -title: Create an obligation +title: Create an obligation value command: name: create flags: diff --git a/docs/man/policy/obligations/values/delete.md b/docs/man/policy/obligations/values/delete.md index e73e7ed3..70258e89 100644 
--- a/docs/man/policy/obligations/values/delete.md +++ b/docs/man/policy/obligations/values/delete.md @@ -1,11 +1,11 @@ --- -title: Delete an obligation +title: Delete an obligation value command: name: delete flags: - name: id shorthand: i - description: ID of the obligation + description: ID of the obligation value required: true --- diff --git a/docs/man/policy/obligations/values/get.md b/docs/man/policy/obligations/values/get.md index 18991e87..4dc3d6c3 100644 --- a/docs/man/policy/obligations/values/get.md +++ b/docs/man/policy/obligations/values/get.md @@ -1,14 +1,14 @@ --- -title: Get an obligation +title: Get an obligation value command: name: get flags: - name: id shorthand: i - description: ID of the obligation + description: ID of the obligation value --- -Retrieves the obligation, comprised of: +Retrieves the obligation value, comprised of: - ID - value diff --git a/docs/man/policy/obligations/values/list.md b/docs/man/policy/obligations/values/list.md index dc9f7a11..af41ea24 100644 --- a/docs/man/policy/obligations/values/list.md +++ b/docs/man/policy/obligations/values/list.md @@ -1,7 +1,19 @@ --- -title: List obligations +title: List obligation values command: name: list + flags: + - name: obligation-id + shorthand: o + description: The ID of the obligation to list values for + - name: state + shorthand: s + description: Filter by state + enum: + - active + - inactive + - any + default: active --- -Retrieves all obligations stored in platform policy. +Retrieves all obligation valuess stored in platform policy. diff --git a/docs/man/policy/obligations/values/unassign.md b/docs/man/policy/obligations/values/unassign.md index a0c75500..7da11c4a 100644 --- a/docs/man/policy/obligations/values/unassign.md +++ b/docs/man/policy/obligations/values/unassign.md @@ -1,5 +1,5 @@ --- -title: Unassign an obligation from an attribute value +title: Unassign an obligation value from an attribute value command: name: unassign flags: 
@@ -16,4 +16,4 @@ Unassigns an obligation value from an attribute value so that the obligation is access decision. For more information about the significance of obligations and how they are utilized for derived obligations on attribute values, -see the parent command. \ No newline at end of file +see the parent command. diff --git a/docs/man/policy/obligations/values/update.md b/docs/man/policy/obligations/values/update.md index 1b8ccfe3..f89d08c8 100644 --- a/docs/man/policy/obligations/values/update.md +++ b/docs/man/policy/obligations/values/update.md @@ -1,11 +1,11 @@ --- -title: Update an attribute +title: Update an obligation value command: name: update flags: - name: id shorthand: i - description: ID of the attribute + description: ID of the obligation value required: true - name: label description: "Optional metadata 'labels' in the format: key=value" From edd89c2f4b37d0611e220ed04b9845807177b5b5 Mon Sep 17 00:00:00 2001 From: jakedoublev Date: Fri, 9 Aug 2024 14:39:11 -0700 Subject: [PATCH 3/3] wip --- docs/man/policy/obligations/_index.md | 21 ++++++++++++++--- .../policy/obligations/fulfillments/_index.md | 10 ++++++++ .../policy/obligations/fulfillments/create.md | 23 +++++++++++++++++++ .../policy/obligations/fulfillments/delete.md | 14 +++++++++++ .../policy/obligations/fulfillments/get.md | 18 +++++++++++++++ .../policy/obligations/fulfillments/list.md | 19 +++++++++++++++ .../policy/obligations/fulfillments/update.md | 17 ++++++++++++++ .../policy/subject-condition-sets/create.md | 3 --- 8 files changed, 119 insertions(+), 6 deletions(-) create mode 100644 docs/man/policy/obligations/fulfillments/_index.md create mode 100644 docs/man/policy/obligations/fulfillments/create.md create mode 100644 docs/man/policy/obligations/fulfillments/delete.md create mode 100644 docs/man/policy/obligations/fulfillments/get.md create mode 100644 docs/man/policy/obligations/fulfillments/list.md create mode 100644 docs/man/policy/obligations/fulfillments/update.md 
diff --git a/docs/man/policy/obligations/_index.md b/docs/man/policy/obligations/_index.md index 1544692d..b3caf0d1 100644 --- a/docs/man/policy/obligations/_index.md +++ b/docs/man/policy/obligations/_index.md @@ -31,7 +31,7 @@ To add a `watermarking` assurance when a PEP handles decrypted TDF data a `digit To dynamically tie all TDF data of that attribute value to this new obligation to watermark, she will create an obligation mapped in platform policy to the `https://namespace.io/attr/card_suits/value/queen` attribute value: -`policy obligations create --name drm --value watermarking --attr ` +`policy obligations create --name drm --value watermarking` From this point forward, any time an access request is made on a TDF containing the `/attr/card_suits/value/queen` attribute value, the obligation will be derived and considered in the decision. 
@@ -48,9 +48,24 @@ Alice can create the obligation without associating it to an attribute value: Without the derived assocation, the obligation can be added on TDF encrypt as any other attribute FQN. There is nothing stopping a PEP or admin from utilizing obligations in both manners in tandem as appropriate. -**Evaluation** +**Evaluation: Fulfillment Conditions** In either scenario above, resolution of obligation satisfaction is similar to an `anyOf` rule on an attribute definition. If the obligation for `drm` contains -several values, and only one of them is `watermark`, a PEP or environmental entity that successfully meets the admin-defined obligation conditions +several values, and only one of them is `watermark`, a PEP or environmental entity that successfully meets the admin-defined obligation fulfillment conditions for specifically that obligation or any of the other child values of the `drm` obligation parent for the data (derived via attributes or on the TDF) would result in a permitted access decision. + +The fulfillment conditions of an obligation can be thought of as loosely similar to Condition Sets within Subject Mappings that drive entitlements. + +To allow access to data with obligations (derived by assignment to attribute values or directly added to a TDF), an admin must define the conditions +an entity must meet as provided by the Entity Resolution Service (ERS) or OIDC token claims if running the platform without an ERS. + +For example, if `drm:watermark` is a required obligation contextualizing a TDF access decision, a user must first be entitled to the data attributes via subject mappings, +but they must also meet the conditions that they're attempting to access through `Some_Cool_PEP`, which is known to the admin to support watermarking +as a feature and respect it as an obligation on decrypt. The admin should define through the `fulfillments` subcommand the conditions where the obligation +is fulfilled. 
In plain English, that would be: `if a user's access token indicates they are accessing through Some_Cool_PEP, the obligation has been fulfilled`. + +TODO: fulfillment conditions instruction here that comes from protos + +As you can see in the example above, the user's entity chain indicated they came through `Some_Cool_PEP` and therefore they were granted access alongside the obligation +for `Some_Cool_PEP` to receive in response and drive the watermarking behavior. diff --git a/docs/man/policy/obligations/fulfillments/_index.md b/docs/man/policy/obligations/fulfillments/_index.md new file mode 100644 index 00000000..138c7ef3 --- /dev/null +++ b/docs/man/policy/obligations/fulfillments/_index.md @@ -0,0 +1,10 @@ +--- +title: Manage obligation fulfillments +command: + name: fulfillments +--- + +Commands to manage the conditions under which obligations on attributes are fulfilled by subject and environment entities. + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values +or when added directly to a TDF, view the parent command documentation with `--help`. diff --git a/docs/man/policy/obligations/fulfillments/create.md b/docs/man/policy/obligations/fulfillments/create.md new file mode 100644 index 00000000..a7eb3912 --- /dev/null +++ b/docs/man/policy/obligations/fulfillments/create.md 
@@ -0,0 +1,23 @@ +--- +title: Create an obligation fulfillment +command: + name: create + flags: + - name: conditions-json + description: TODO - Conditions as defined by the protos as JSON + required: false + - name: conditions-json-file + description: TODO - Conditions as defined by the protos from a JSON file + required: false + - name: obligation-scope + shorthand: s + description: Scope of the obligation as subject or environment [ SUBJECT, ENV ] + required: true + - name: label + description: "Optional metadata 'labels' in the format: key=value" + shorthand: l + default: '' +--- + +For more information about the significance of obligations and how they are utilized for derived obligations on attribute values +or when added directly to a TDF, see the parent command above. diff --git a/docs/man/policy/obligations/fulfillments/delete.md b/docs/man/policy/obligations/fulfillments/delete.md new file mode 100644 index 00000000..70258e89 --- /dev/null +++ b/docs/man/policy/obligations/fulfillments/delete.md @@ -0,0 +1,14 @@ +--- +title: Delete an obligation value +command: + name: delete + flags: + - name: id + shorthand: i + description: ID of the obligation value + required: true +--- + +Because obligations are a post-entitlement decision, they are safe to delete. Upon deletion, any derived obligations as a result of +mappings to platform policy attribute values will be removed, and any TDFs containing obligations within will remain accessible, just +without obligations returned along with an access request to drive PEP behavior. \ No newline at end of file diff --git a/docs/man/policy/obligations/fulfillments/get.md b/docs/man/policy/obligations/fulfillments/get.md new file mode 100644 index 00000000..4dc3d6c3 --- /dev/null +++ b/docs/man/policy/obligations/fulfillments/get.md 
@@ -0,0 +1,18 @@ +--- +title: Get an obligation value +command: + name: get + flags: + - name: id + shorthand: i + description: ID of the obligation value +--- + +Retrieves the obligation value, comprised of: + +- ID +- value +- parent obligation (name and ID) +- FQN +- any assigned attribute value FQNs and IDs for derived obligations +- condition sets for mappings to entities that satisfy the obligation diff --git a/docs/man/policy/obligations/fulfillments/list.md b/docs/man/policy/obligations/fulfillments/list.md new file mode 100644 index 00000000..af41ea24 --- /dev/null +++ b/docs/man/policy/obligations/fulfillments/list.md @@ -0,0 +1,19 @@ +--- +title: List obligation values +command: + name: list + flags: + - name: obligation-id + shorthand: o + description: The ID of the obligation to list values for + - name: state + shorthand: s + description: Filter by state + enum: + - active + - inactive + - any + default: active +--- + +Retrieves all obligation valuess stored in platform policy. diff --git a/docs/man/policy/obligations/fulfillments/update.md b/docs/man/policy/obligations/fulfillments/update.md new file mode 100644 index 00000000..f89d08c8 --- /dev/null +++ b/docs/man/policy/obligations/fulfillments/update.md @@ -0,0 +1,17 @@ +--- +title: Update an obligation value +command: + name: update + flags: + - name: id + shorthand: i + description: ID of the obligation value + required: true + - name: label + description: "Optional metadata 'labels' in the format: key=value" + shorthand: l + default: "" + - name: force-replace-labels + description: Destructively replace entire set of existing metadata 'labels' with any provided to this command + default: false +--- diff --git a/docs/man/policy/subject-condition-sets/create.md b/docs/man/policy/subject-condition-sets/create.md index 6ca47bf4..1362acb0 100644 --- a/docs/man/policy/subject-condition-sets/create.md +++ b/docs/man/policy/subject-condition-sets/create.md 
@@ -18,7 +18,4 @@ command: description: "Optional metadata 'labels' in the format: key=value" shorthand: l default: '' - - name: force-replace-labels - description: Destructively replace entire set of existing metadata 'labels' with any provided to this command - default: false ---
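Review bot: In `docs/man/policy/obligations/_index.md`, the "Option 1: Derived obligations" example never shows the attribute value being bound to the obligation. PATCH 1/3 writes `--attr ` with no argument, and PATCH 3/3 drops the flag, so Option 1 and Option 2 now show the identical command `policy obligations create --name drm --value watermarking`, while the prose still says the obligation is "mapped in platform policy" to the queen value and that `--attr` can take multiple IDs. `obligations/create.md` defines no `attr` flag (only `values/create.md` has `attr-val`), and the text names `assign` and `remove` subcommands on `obligations` where the series adds `values/assign.md` and `values/unassign.md`. Suggest showing the actual binding step with a placeholder ID and using the real subcommand and flag names. The same file also uses both `watermarking` and `watermark` for the value, misspells "assocation", and leaves the sentence ending "a `digital rights management` , she can utilize obligations" garbled.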
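Review bot: `docs/man/policy/obligations/update.md` (PATCH 1/3) still carries the attribute wording it was copied from: `title: Update an attribute` and `description: ID of the attribute`. PATCH 2/3 corrects the same text in `values/update.md` but not in this file, so it survives to the end of the series. Suggest `title: Update an obligation` and `description: ID of the obligation`.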
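Review bot: The body of `obligations/delete.md` and `values/delete.md` (reused in `fulfillments/delete.md`) describes deletion as "safe" without stating the consequence for the control the obligation was enforcing. As written, TDFs "remain accessible, just without obligations returned along with an access request to drive PEP behavior", which means a PEP stops receiving the requirement (the `watermarking` case from `_index.md`) while entitled subjects keep access. Suggest replacing "safe to delete" with wording that says access is not revoked but the obligation is no longer enforced for existing and derived data, and pointing to `values unassign` for narrowing scope without deleting.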
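Review bot: The `id` flag in `obligations/get.md` and `values/get.md` has no `required: true`, unlike the `id` flag in the sibling `delete.md` and `update.md` files. If `get` cannot run without an ID, mark it required so the generated help and validation match; if another lookup is supported, document it alongside the flag.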
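Review bot: In `values/list.md` (PATCH 2/3) the parent filter is named `obligation-id` with shorthand `o`, while `values/create.md` names the same concept `obligation` with the same shorthand; pick one name across the `values` subcommands. The new `state` filter offers `active`, `inactive` and `any`, but nothing in this series documents how an obligation value becomes inactive (there is only `delete`), so the description should say what `inactive` means here. The body text also has the typo "valuess".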
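Review bot: The "Evaluation: Fulfillment Conditions" section added to `_index.md` in PATCH 2/3 and 3/3 only states the permitted case and does not say what the decision is when no fulfillment condition is met. Since this is the sentence admins will rely on to predict enforcement, state the outcome for an entitled subject that fails every fulfillment condition. The section also ends with `TODO: fulfillment conditions instruction here that comes from protos` followed by "As you can see in the example above", which refers to an example that is not present; drop that closing paragraph until the example exists.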
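Review bot: `fulfillments/create.md` has no flag identifying which obligation or obligation value the fulfillment applies to, and both `conditions-json` and `conditions-json-file` are `required: false`, so the documented command can be invoked with no target and no conditions. Suggest adding the parent ID flag (matching the name chosen for `values`), stating that exactly one of the two conditions flags must be supplied, and replacing the `TODO` descriptions before merge. The `obligation-scope` description lists `[ SUBJECT, ENV ]` in prose; an `enum:` block like the one used for `state` in `list.md` would make the allowed values checkable.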
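Review bot: `fulfillments/delete.md`, `get.md`, `list.md` and `update.md` are byte-for-byte copies of the `values` files (the index lines show the same blob ids 70258e89, 4dc3d6c3, af41ea24 and f89d08c8), so their titles and flag descriptions still read "obligation value", for example `title: Delete an obligation value` and `description: ID of the obligation value`. Rewrite titles, `id` descriptions and body text for fulfillments; `get.md` in particular lists value fields (value, parent obligation, FQN) rather than the fulfillment's conditions and scope, and `list.md` inherits the "valuess" typo.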
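Review bot: The removal of `force-replace-labels` from `docs/man/policy/subject-condition-sets/create.md` is unrelated to obligations and is not mentioned in the PATCH 3/3 subject ("wip"). Dropping a replace-existing-labels flag from a create command looks reasonable, but it should go in its own commit with a message that says so, and it is worth confirming the command implementation no longer registers the flag.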