Environment Settings
    • 04 Dec 2024

    An Environment offers IT Admins a way to manage Identities, Policies, and Applications at various levels during the development and ongoing management of their Policies.

    To access the Environment Settings screen:

    • Click the three vertical dots and select Settings. The current Environment's Settings screen opens.

    Editing Environment Settings

    To edit Environment Settings:

    1. Click the three vertical dots and select Settings.
    2. Click Edit. The fields of the currently displayed tab that can be edited become editable.
    3. After you change a setting value, click Save.

    When you open the Environment Settings screen, the following tabs are available:

    Details

    On the Details tab, you can:

    • View and change the Environment name
    • View and change the Environment description
    • Upload a logo URL (or change an existing one)
    • View (and copy) the unique Environment ID
    • View (and copy) the unique Tenant ID

    Permissions

    On the Permissions tab, you can set the access permissions for the Environment. There are two levels of access permissions: Admin and Viewer. Admin gives administrative permissions (to create, modify, and delete entities within that level), while Viewer gives permission to view only.

    At the Environment Level, there can be both Admin and Viewer users. Admins have full administrative capabilities within the Environment. Users with Viewer permission have access to a full view of all data-related objects managed within the Environment.

    Scopes

    Scopes are the mechanism by which an Application communicates with the Authorization Platform. Scopes act as the endpoint between the two interfaces, translating the Application's Request into the API code required by the runtime. For each Scope, you can assign a Name, connect it to one or more Applications, and assign a Cache Duration (in minutes). For more information, see About Scopes.

    Policy Authorization Agent (PAA)

    Environment Admins have the capability to manage and configure PAAs within their specific environment. Managing PAAs at the Environment level supports a segregation of duties and ensures precise control over data integrations and distributed deployments of PAAs across your organization's infrastructure. The ability to segregate PAA management guarantees that individuals are granted appropriate access levels to designated data sources within the organization. Environment Viewers have the ability to see the PAA configuration in a "read-only" mode.
    For more information, see Policy Authorization Agent.

    Policy Information Point (PIP)

    PIPs configured at the Environment level empower Environment Admins to set up Environment-specific data sources serving as information points to a particular Environment, eliminating the need to manage data across multiple Environments. These settings can be customized to accommodate increasing demands and to fetch specific data essential for an organization's unique access control policies, ensuring alignment with their specific requirements. Environment Viewers have the ability to see the PIP Settings in a "read-only" mode.
    For more information, see Policy Information Point.

    API Authorizers

    API Authorizers provide a "plugin" to control access to the Organization's APIs. For each API Authorizer (for example, Apigee, Istio, Amazon API Gateway), you can assign a Name and Description. The Authorization Platform automatically assigns it an Authorizer ID and provides a download bundle. Step-by-step instructions to deploy the API Authorizers are available in the Developer Portal. For more information, see Authorizers.

    Data Authorizers

    Data Authorizers are used to manage the authorization of data Assets stored in data warehouses such as Google BigQuery and Trino. For more information, see Data Authorizers.

    Environment API Client Credentials

    API Client Credentials allow administrators to create and manage credentials at the Environment Level. These credentials facilitate integration and automation for Management APIs without the need for traditional IDP accounts by leveraging a standard OAuth2 Flow. Key features include:

    • Secure interactions and operations across the Environment and Workspaces.
    • Centralized control over management activities and automation flows.
    • Enhanced overall security posture of the Platform.

     
    To create API Client Credentials:

    1. Open the Environment Settings.
    2. From the Environment Settings screen, click API Client Credentials to see a list of Clients.
    3. Click Create Client. The Details side panel opens.
    4. In the Name field, enter the API Client Name.
    5. Add a Description for your API Client Credential (optional).
    6. Set a Token Duration. The duration can range from 15 minutes to 24 hours (1440 minutes).
    7. Select a Permission Type - either Viewer or Admin.
    8. Click Generate Client. A Client ID and Secret are automatically assigned and can be copied as needed.
    9. Click Save.

    Note: While the API Client ID and Permissions cannot be changed, you can regenerate the Secret.
     

    To regenerate a Secret:

    1. Open the Environment Settings screen and click API Client Credentials.
    2. Select the Client Credentials you want to regenerate a secret for. The Details side panel opens.
    3. Next to the Secret field, click Regenerate. You can now copy the new Secret.

    Refer to the API Client Key documentation in the Developer Portal for more information and methods on how you can use your API Client Credentials.
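
    The following is an added example, not code from this documentation or the Developer Portal: a Python sketch of how an automation client could use these credentials with a standard OAuth2 client-credentials request (RFC 6749, section 4.4), reuse the token for its configured duration, and drop it after the Secret is regenerated. The token URL, the use of HTTP Basic client authentication, and the assumption that expires_in reflects the configured Token Duration are assumptions.

```python
import base64
import time
import urllib.parse

# Assumptions (not from the page): the token endpoint URL, and that the
# platform accepts HTTP Basic client authentication (RFC 6749, section 2.3.1).
TOKEN_URL = "https://auth.example.invalid/oauth2/token"  # placeholder
MIN_TOKEN_MINUTES, MAX_TOKEN_MINUTES = 15, 1440  # range stated on the page


def build_token_request(client_id, client_secret):
    """Return (url, headers, body) for a client-credentials token request."""
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return TOKEN_URL, headers, body


class TokenCache:
    """Holds one access token and renews it shortly before it expires."""

    def __init__(self, fetch, skew_seconds=60, clock=time.monotonic):
        self._fetch = fetch        # callable returning the token response dict
        self._skew = skew_seconds  # renew this many seconds before expiry
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._fetch()
            lifetime = int(resp["expires_in"])
            # Assumed sanity check: lifetime should fall inside the range
            # the Token Duration setting allows (15 to 1440 minutes).
            if not MIN_TOKEN_MINUTES * 60 <= lifetime <= MAX_TOKEN_MINUTES * 60:
                raise ValueError(f"unexpected token lifetime: {lifetime}s")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + lifetime
        return self._token

    def invalidate(self):
        """Call after the Secret is regenerated or a request returns 401."""
        self._token = None
```

    Pass TokenCache a fetch callable that sends the request built by build_token_request over HTTPS and returns the parsed JSON response; keep the Secret in a secrets manager rather than in source code.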

