feat: user managed credentials for external services

Open Neurone opened this issue 4 months ago • 0 comments

Problem description

The Guardian has the ability to call external services via APIs, and it recently extended its external integrations with the addition of 3rd-party services for data sources.

In case external services require credentials, the current implementation requires setting those credentials at the Guardian instance level. Credentials cannot be defined at policy level or user level, or by users or Standard Registries (SR).

Requirements

Core

  • Differentiate external service credentials by-user and by-policy-instance, in addition to the existing by-Guardian-instance feature
  • Allow SRs to set credentials for every imported policy
  • Allow any user (SR, VVB, normal users, etc.) to set their own credentials for all the policies they interact with
  • Allow any user (SR, VVB, normal users, etc.) to set their own credentials for a single policy instance
  • Allow any user (SR, VVB, normal users, etc.) to set different credentials for dry-run and for production executions
  • Implement precedence logic for credentials to be used during policy execution, such that the first credentials found will be used:
    1. User-defined policy level. "Users" here means any user type: SR, VVB, normal, etc.
    2. User-defined global level. "Users" here means any user type: SR, VVB, normal, etc.
    3. SR-defined policy level
    4. Guardian instance level

UI

  • Offer a UI to set the above-mentioned credentials globally at user level
  • Offer a UI to set the above-mentioned credentials at policy instance level
  • Offer a UI to set the above-mentioned credentials at Standard Registry level (all policies imported by that SR will use those credentials)
  • Offer a UI to the SR to check the global overriding levels currently configured for its policies (all levels). The SR will be able, for example, to see if a user overrides the credentials at policy or instance level, but it will not be able to see the actual credentials.
  • Highlight when a policy allows setting custom credentials (i.e. contains blocks requiring credentials).
  • Highlight when a policy is using custom credentials instead of the Guardian instance level.

API

  • Extend the existing APIs to allow users to set the above-mentioned credentials

Neurone, Aug 27 '25 11:08
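
The precedence rules and the SR override view from the requirements above, sketched as an added TypeScript example (not code from the issue or from Guardian). All type, function and service names are hypothetical; it assumes SR-defined credentials are keyed by SR and policy, and that dry-run and production credentials never fall back to each other.

```typescript
// Added illustration: all names are hypothetical, not Guardian's API.
type ExecMode = "dry-run" | "production";
type CredLevel = "user-policy" | "user-global" | "sr-policy" | "instance";
interface StoredCredential {
  level: CredLevel; service: string; mode: ExecMode; secret: string;
  ownerId?: string;  // user id for user-* levels, SR id for sr-policy
  policyId?: string; // set for user-policy and sr-policy
}
interface Lookup { service: string; mode: ExecMode; userId: string; srId: string; policyId: string; }

// Precedence from the issue: the first level with a match wins.
const PRECEDENCE: CredLevel[] = ["user-policy", "user-global", "sr-policy", "instance"];

function matches(c: StoredCredential, q: Lookup): boolean {
  // Assumption: a dry-run lookup never returns a production secret, and vice versa.
  if (c.service !== q.service || c.mode !== q.mode) return false;
  if (c.level === "user-policy") return c.ownerId === q.userId && c.policyId === q.policyId;
  if (c.level === "user-global") return c.ownerId === q.userId;
  if (c.level === "sr-policy") return c.ownerId === q.srId && c.policyId === q.policyId;
  return true; // instance level applies to every user and policy
}

function resolveCredential(store: StoredCredential[], q: Lookup): StoredCredential | undefined {
  for (const level of PRECEDENCE) {
    const hit = store.filter((c) => c.level === level && matches(c, q))[0];
    if (hit) return hit;
  }
  return undefined; // nothing configured: the caller should fail closed
}

// SR view from the UI requirements: effective level per user, never the secret.
function overrideReport(store: StoredCredential[], q: Omit<Lookup, "userId">, userIds: string[]) {
  return userIds.map((userId) => {
    const hit = resolveCredential(store, { ...q, userId });
    const level: CredLevel | "none" = hit ? hit.level : "none";
    return { userId, level };
  });
}

// Constructed sample store for one hypothetical service.
const SAMPLE_STORE: StoredCredential[] = [
  { level: "instance", service: "data-api", mode: "production", secret: "inst-prod" },
  { level: "instance", service: "data-api", mode: "dry-run", secret: "inst-dry" },
  { level: "sr-policy", service: "data-api", mode: "production", ownerId: "sr-1", policyId: "pol-A", secret: "sr-polA-prod" },
  { level: "user-global", service: "data-api", mode: "production", ownerId: "alice", secret: "alice-global-prod" },
  { level: "user-policy", service: "data-api", mode: "dry-run", ownerId: "alice", policyId: "pol-A", secret: "alice-polA-dry" },
];
```

Because `overrideReport` returns only the level name, the SR can audit who overrides what without the secret ever leaving the resolver.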