Self Service Policies

Overview

The Policies page allows you to configure the rules that govern risk alerts and definitions within Arnica. Any risk or definition that has not been configured on the Policies page runs using Arnica's default settings. These defaults are determined by Arnica-defined best practices and are subject to change if the Arnica research team deems it necessary due to a change in the threat landscape. User-defined settings override the default settings. The policy configuration page is broken up into two sections: Definitions and Self-Service policies.

Definitions:

The Definitions section allows the user to change specific variables used in the logic behind definitions within Arnica. For example, excessive code contributor permissions are defined by default as any non-Admin user who does not make use of their access within a time frame of 90 days. This date range can be altered to either expand or reduce the amount of time that must pass before a permission is considered excessive.

Self Service Policies:

The Self-Service policies section allows you to customize alerts and responses within Arnica. The interface uses a Given Scope (X) When (Y) Then (Z) logic structure, which is defined below.

How Self-Service Policy Logic Works

Given Scope

Given defines the overall scope of the logic. It functions as a filtering mechanism, telling the policy which assets to include in the policy's scope, such as a specific organization or repository.

When

The When statement defines the specific conditions that the policy should consider when analyzing the assets and identities within the Given scope. The policy triggers an action only when the condition in the When section is met. For example, if the Given Scope is "Repo1" and the When is "Code Contributor requests permission", this rule is triggered whenever any user asks for Write permission to "Repo1".

Then

The Then statement defines the action of the policy. This action will be taken by Arnica only if the When condition is met within the scope set by the Given statement. For example:

  • Given (Repo = "GitGoat")

  • When (Admin requests permission)

  • Then (Notify approver on request in the Slack channel "GitGoat-Managers").

The above policy will send a notification to a private Slack channel any time an admin requests a permission to the repository Lavender. If anyone in this channel approves the request, Arnica will automatically provision the permission and notify the requestor.

Adding more than one policy per scope:

Multiple policies can be created governing logic for the same scope. In this case, the policy logic is applied in the same order that the policies appear within the Self-Service section. To change the order in which the policies run, select the "Move" icon on the left side of the policy and drag it up or down to change its position. The number to the left of each policy displays the order in which that policy will run.

If more than one rule matches the Given Scope and When, only the first in order executes its associated action. For example, the screenshot below has two policies with the same Given Scope but different When conditions.

If Arnica mitigated Write/Maintain/Admin permission in the last 14 days in the repository GitGoat and a Write permission is requested via self-service, the permission will be automatically granted to the requestor and logged for audit purposes.

If the Write/Maintain/Admin permission was mitigated more than 14 days ago, or the permission was never granted, a request will be sent to the channel "arnica-notifications" on Slack.

If there are no other policies whose Given Scope and When conditions match the user's request, Arnica's Slack bot returns a message stating that there is no matching policy for this condition.
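The first-match ordering described above, together with the Given / When / Then structure from the earlier section, can be modelled in a few lines. The following is an added Python example and is not Arnica's code: the request fields, the mitigation log, the policy names and the action labels are constructed for illustration, and the 14-day check reproduces the example policies on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Constructed model of a self-service permission request (hypothetical fields).
@dataclass
class Request:
    repo: str
    user: str
    requested_permission: str  # "Write", "Maintain" or "Admin"
    requested_on: date

# A policy is a Given scope filter, a When condition, and a Then action label.
@dataclass
class Policy:
    name: str
    given: Callable[[Request], bool]
    when: Callable[[Request], bool]
    then: str

# Constructed audit history: the date Arnica last mitigated an elevated
# (Write/Maintain/Admin) permission for a (repo, user) pair.
MITIGATION_LOG = {("GitGoat", "alice"): date(2024, 5, 1)}

def mitigated_within(req: Request, days: int) -> bool:
    """True if an elevated permission for this user/repo was mitigated in the last `days` days."""
    last = MITIGATION_LOG.get((req.repo, req.user))
    return last is not None and (req.requested_on - last) <= timedelta(days=days)

# The two policies from the page, in the order they appear in the Self-Service section.
POLICIES: List[Policy] = [
    Policy(
        name="auto-grant recently mitigated Write",
        given=lambda r: r.repo == "GitGoat",
        when=lambda r: r.requested_permission == "Write" and mitigated_within(r, 14),
        then="grant permission and log for audit",
    ),
    Policy(
        name="route Write requests to approvers",
        given=lambda r: r.repo == "GitGoat",
        when=lambda r: r.requested_permission == "Write",
        then='send request to Slack channel "arnica-notifications"',
    ),
]

def evaluate(req: Request, policies: List[Policy] = POLICIES) -> Tuple[Optional[int], str]:
    """Walk the ordered policy list; the first policy whose Given and When both
    match decides the action. Returns (1-based position, action) or (None, fallback)."""
    for position, policy in enumerate(policies, start=1):
        if policy.given(req) and policy.when(req):
            return position, policy.then
    return None, "no matching policy for this condition"

if __name__ == "__main__":
    recent = Request("GitGoat", "alice", "Write", date(2024, 5, 10))   # 9 days after mitigation
    stale = Request("GitGoat", "alice", "Write", date(2024, 6, 1))     # 31 days after mitigation
    never = Request("GitGoat", "bob", "Write", date(2024, 5, 10))      # no mitigation on record
    out_of_scope = Request("OtherRepo", "carol", "Write", date(2024, 5, 10))
    for r in (recent, stale, never, out_of_scope):
        print(r.user, r.repo, "->", evaluate(r))
    # Swapping the order changes the outcome for the recently mitigated request:
    # the broader "notify" policy now matches first and the auto-grant never runs.
    print("reversed order ->", evaluate(recent, list(reversed(POLICIES))))
```

The reversed-order call at the end is the practical takeaway: because only the first matching policy executes, the narrower condition (recently mitigated, auto-grant) must sit above the broader one (any Write request, notify), or it is shadowed and never fires.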
