Risk Policies
Get All Risk Policies
This endpoint retrieves a list of Risk Policy resources.
GET /api/v2/risk-policies/
Query Parameters
The following parameters may be used to filter the risk policy resources in the response.
| Parameter | Description | 
|---|---|
| name | Filter risk policies by name. | 
| description | Filter risk policies by description. | 
| priority | Filter risk policies by priority. | 
| riskclassification__ordinal | Filter risk policies by project classification ordinal. | 
GET /api/v2/risk-policies/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json
{
    "results": [{
        "id": 1,
        "is_org_default": true,
        "name": "All Risk",
        "description": "Applies to all applications",
        "filters": {
            "phases": ["requirements", "architecture-design", "development", "testing"],
            "priority": 7,
            "regulations": ["REG1", "REG2"],
            "tags": ["tag1", "tag2"]
        },
        "project_classifications": [1, 4],
        "conditions": {
          "statuses": [{
            "task_status": "TS1",
            "minimum_verification_status": "pass"
          }]
        }
    }]
}
Create a New Risk Policy
This endpoint creates a new Risk Policy resource from the fields below.
POST /api/v2/risk-policies/
| Fields | Required | Description | 
|---|---|---|
| name | Yes | The name of the new risk policy. | 
| description | Yes | The description of the risk policy. | 
| is_org_default | No | A boolean indicating whether this is the organization's default risk policy. Defaults to false. | 
| filters.priority | No | Tasks in this policy must have a priority greater than or equal to this value. Must be a value from 1 to 10. Defaults to 1. | 
| filters.phases | No | Tasks in this policy must be in one of these phases. | 
| filters.regulations | No | The regulation(s) associated with this policy. | 
| filters.tags | No | Tasks in this policy must have one of these tags. | 
| conditions.statuses | Yes | To be considered compliant, a task subject to this risk policy must have one of the listed task statuses (task_status) and a verification status at or above the listed minimum (minimum_verification_status). | 
POST /api/v2/risk-policies/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
{
    "name": "Low Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 7,
        "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}
HTTP/1.1 201 CREATED
Content-Type: application/json
{
    "id": 2,
    "is_org_default": false,
    "name": "Low Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 7,
        "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}
Update a Risk Policy
Update a single risk policy; the example below changes its name and priority. Only the fields sent in the request are changed. The risk policy to update is identified by its id.
PATCH /api/v2/risk-policies/{risk_policy_id}/
URL Parameters
| Parameter | Description | 
|---|---|
| risk_policy_id | The id of the risk policy to edit must be submitted in the request. | 
Payload
| Fields | Required | Description | 
|---|---|---|
| name | No | The name of the new risk policy. | 
| description | No | The description of the risk policy. | 
| is_org_default | No | A boolean indicating whether this is the organization's default risk policy. Defaults to false. | 
| filters.priority | No | Tasks in this policy must have a priority greater than or equal to this value. Must be a value from 1 to 10. Defaults to 1. | 
| filters.phases | No | Tasks in this policy must be in one of these phases. | 
| filters.regulations | No | This policy will include all relevant tasks related to these regulations. | 
| filters.tags | No | Tasks in this policy must have one of these tags. | 
| conditions.statuses | No | To be considered compliant, a task subject to this risk policy must have one of the listed task statuses (task_status) and a verification status at or above the listed minimum (minimum_verification_status). | 
| regulations | No | This policy will include all tasks related to the relevant regulations. | 
PATCH /api/v2/risk-policies/2/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
{
    "name": "Max Risk",
    "filters": {
        "priority": 10
    }
}
HTTP/1.1 200 OK
Content-Type: application/json
{
    "id": 2,
    "is_org_default": false,
    "name": "Max Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 10,
        "regulations": ["REG1", "REG2"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}
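The following is an added example (not part of this documentation or the product's own client) that models the create and update contracts above: it checks a payload against the constraints in the field tables, reproduces the partial-update behaviour shown in the PATCH exchange (fields that are not sent, including nested filters keys, keep their previous values), and builds the authenticated request with the access token read from the environment. The host in API_BASE and the environment variable name SDE_ACCESS_TOKEN are assumptions; the page only gives the paths.

```python
import json
import os
import urllib.request

API_BASE = "https://sde.example.com/api/v2"  # assumed host; the page only gives the path
VALID_PHASES = {"requirements", "architecture-design", "development", "testing"}

def validate_policy(payload, creating=True):
    """Check a risk-policy payload against the field tables; returns a list of problems."""
    problems = []
    for field in (("name", "description", "conditions") if creating else ()):
        if field not in payload:
            problems.append(f"missing required field: {field}")
    filters = payload.get("filters", {})
    priority = filters.get("priority", 1)  # documented default is 1
    if not isinstance(priority, int) or not 1 <= priority <= 10:
        problems.append(f"filters.priority must be an integer from 1 to 10, got {priority!r}")
    unknown = set(filters.get("phases", [])) - VALID_PHASES
    if unknown:
        problems.append(f"unknown phases: {sorted(unknown)}")
    statuses = payload.get("conditions", {}).get("statuses", [])
    if creating and not statuses:
        problems.append("conditions.statuses must list at least one status")
    for entry in statuses:
        if "task_status" not in entry or "minimum_verification_status" not in entry:
            problems.append("each conditions.statuses entry needs task_status and minimum_verification_status")
    return problems

def merge_patch(current, patch):
    """Model the PATCH semantics shown above: unsent fields, including nested filters keys, are kept."""
    merged = json.loads(json.dumps(current))  # deep copy so the stored policy is not mutated
    for key, value in patch.items():
        if key == "filters" and isinstance(value, dict):
            merged.setdefault("filters", {}).update(value)
        else:
            merged[key] = value
    return merged

def build_request(method, path, body=None):
    """Build the authenticated request; the token comes from the environment, never from source."""
    token = os.environ["SDE_ACCESS_TOKEN"]  # KeyError if unset, rather than sending an empty token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", f"Token {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req
```

Run validate_policy before sending so a bad priority or missing status is rejected locally instead of relying on the server's 4xx response.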
Delete a Risk Policy
This endpoint deletes a single Risk Policy resource, as specified by the id parameter.
DELETE /api/v2/risk-policies/{risk_policy_id}/
URL Parameters
| Parameter | Description | 
|---|---|
| risk_policy_id | The id of the risk policy to delete must be submitted in the request. | 
Payload
| Fields | Required | Description | 
|---|---|---|
| replacement | Yes | The id of the risk policy to which the projects associated with the deleted policy are moved. | 
DELETE /api/v2/risk-policies/1/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
{
    "replacement": 2
}
HTTP/1.1 204 NO CONTENT
Get a Specific Risk Policy
This endpoint retrieves a specific risk policy resource, as specified by the id parameter.
GET /api/v2/risk-policies/{risk_policy_id}/
URL Parameters
| Parameter | Description | 
|---|---|
| risk_policy_id | The id of the risk policy to retrieve | 
GET /api/v2/risk-policies/1/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json
{
    "id": 1,
    "is_org_default": true,
    "name": "All Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": ["requirements", "architecture-design", "development", "testing"],
        "priority": 7,
        "regulations": ["pci-dss", "HIPAA"],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [1, 4],
    "conditions": {
      "statuses": [{
        "task_status": "TS1",
        "minimum_verification_status": "pass"
      }]
    }
}
Expand Parameters
See the Expand Parameters section for more details.
| Parameter | Description | 
|---|---|
| phases | The Phases field is expanded to include Phase names. | 
| statuses | The Statuses field is expanded to include Task Status names and Verification Status names, ordinals, and labels. | 
| regulations | The Regulations field is expanded to include Regulation names. | 
| project_classifications | The Project Classifications field is expanded to include the name, description and last updated time. | 
GET /api/v2/risk-policies/1/?expand=phases,conditions,regulations,project_classifications HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json
{
    "id": 1,
    "is_org_default": true,
    "name": "All Risk",
    "description": "Applies to all applications",
    "filters": {
        "phases": [
            {
                "name": "Requirements",
                "slug": "requirements"
            },
            {
                "name": "Architecture & Design",
                "slug": "architecture-design"
            },
            {
                "name": "Development",
                "slug": "development"
            },
            {
                "name": "Testing",
                "slug": "testing"
            }
        ],
        "priority": 7,
        "regulations": [
            {
                "name": "PCI-DSS v2.0",
                "item_id": "REG1"
            },
            {
                "name": "HIPAA",
                "item_id": "REG2"
            }
        ],
        "tags": ["tag1", "tag2"]
    },
    "project_classifications": [
        {
            "ordinal": 1,
            "name": "Maximum",
            "description": "Used for projects with maximum risk.",
            "default_risk_policy": 1,
            "risk_policies": [1],
            "answers": ["A168"],
            "last_update_date_time": "2019-05-28T11:34:21.908541-04:00",
            "is_unclassified": false
        }
    ],
    "conditions": {
      "statuses": [{
        "task_status": {
            "name": "Complete",
            "item_id": "TS1"
        },
        "minimum_verification_status": {
            "name": "pass",
            "label": "Pass",
            "ordinal": 2
        }
      }]
    }
}