# Assistant Tool Lattice Policy Mapping

This guide defines the tool lattice rule schema and the default scope mapping for assistant tool calls.

The lattice is evaluated by the Policy Gateway, which returns an allow or deny decision for each tool request.

## Default deny behavior

- If no rule matches a tool request, the decision is deny.
- A rule allows access only when it matches the tool name and action and every filter it configures (tenant, role, scope, or resource) also matches the request. One unmatched filter means the rule does not apply, and a request no rule applies to gets the default deny.

## Rule fields

- tool: Tool name or wildcard pattern (for example, "vex.query" or "scanner.*").
- action: Call-type discriminator, "read" for read-only queries or "action" for side-effecting calls.
- scopes: Authority scopes the caller must hold (one or more).
- roles: Optional role filters (one or more); unset means the rule applies to every role.
- tenants: Optional tenant filters (one or more); unset means the rule applies to every tenant.
- resource: Optional resource pattern (for example, "sbom:component:*"); unset means the rule applies to every resource.
- effect: allow or deny.
- priority: Integer priority; higher values evaluate first.

## Default scope mapping

| Tool | Action | Required scopes |
| --- | --- | --- |
| vex.query | read | vex:read |
| sbom.read | read | sbom:read |
| scanner.findings.topk | read | scanner:read or findings:read |

## Override guidance

- Use priority to override default rules: an override must carry a higher priority than the default it replaces, because higher values evaluate first.
- Explicit deny rules are for carving exceptions out of a broader allow (for example, denying a tool pattern for one tenant). Requests that match no rule are already denied, so a tool with no allow rule needs no deny rule.
- Keep rules deterministic by using stable patterns and avoiding ambiguous overlaps: two rules at the same priority with opposite effects that can match the same request leave the outcome dependent on evaluation order, so give overlapping rules distinct priorities.
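
As an added worked example (this is not the Policy Gateway's implementation), the following Python evaluator encodes the rule fields above, loads the default scope mapping from the table, applies the default deny behaviour, and shows a priority override together with a check for the ambiguous overlaps the override guidance warns about. Several details are assumptions rather than statements of this guide and are marked as such in the code: a rule's scopes are satisfied when the caller holds at least one of them (following the "or" in the scanner.findings.topk row), the highest-priority matching rule decides and evaluation stops there, tool and resource patterns use shell-style wildcards, and the tenant name "acme" and its deny override are invented for the illustration.

```python
"""Toy evaluator for the tool lattice above (added example, not Policy Gateway code).
Anything not stated in the guide is marked ASSUMED."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    tool: str                                   # name or wildcard pattern, e.g. "scanner.*"
    action: str                                 # "read" or "action"
    scopes: FrozenSet[str]                      # ASSUMED: caller must hold at least one
    effect: str = "allow"                       # "allow" or "deny"
    priority: int = 0                           # higher values evaluate first
    roles: FrozenSet[str] = frozenset()         # empty = no role filter
    tenants: FrozenSet[str] = frozenset()       # empty = no tenant filter
    resource: Optional[str] = None              # optional pattern, e.g. "sbom:component:*"


@dataclass(frozen=True)
class Request:
    tool: str
    action: str
    tenant: str
    roles: FrozenSet[str]
    scopes: FrozenSet[str]                      # scopes carried by the caller's Authority token
    resource: str = ""


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every configured filter must match; an unset filter matches anything."""
    if not fnmatchcase(req.tool, rule.tool):            # ASSUMED: shell-style wildcards
        return False
    if rule.action != req.action:
        return False
    if rule.tenants and req.tenant not in rule.tenants:
        return False
    if rule.roles and not (rule.roles & req.roles):
        return False
    if rule.resource is not None and not fnmatchcase(req.resource, rule.resource):
        return False
    if rule.scopes and not (rule.scopes & req.scopes):  # ASSUMED: any-of semantics
        return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, Optional[Rule]]:
    """Highest priority first; ASSUMED: the first matching rule decides.
    No match at all yields the default deny with no rule attached."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule_matches(rule, req):
            return rule.effect, rule
    return "deny", None


def find_ambiguities(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Flag equal-priority pairs with opposite effects whose tool/action/tenant
    filters can overlap. Overlap of two wildcard patterns is approximated by
    testing each pattern against the other, which catches the common
    literal-under-wildcard and identical-pattern cases."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.priority != b.priority or a.effect == b.effect or a.action != b.action:
                continue
            if not (fnmatchcase(a.tool, b.tool) or fnmatchcase(b.tool, a.tool)):
                continue
            if a.tenants and b.tenants and not (a.tenants & b.tenants):
                continue
            found.append((a, b))
    return found


# The default scope mapping from the table, as priority-0 allow rules.
DEFAULT_RULES = [
    Rule("vex.query", "read", frozenset({"vex:read"})),
    Rule("sbom.read", "read", frozenset({"sbom:read"})),
    Rule("scanner.findings.topk", "read", frozenset({"scanner:read", "findings:read"})),
]

# ASSUMED override for the illustration: tenant "acme" gets no scanner reads,
# even when its token carries a scope the default mapping would accept.
ACME_DENY = Rule("scanner.*", "read", frozenset({"scanner:read", "findings:read"}),
                 effect="deny", priority=100, tenants=frozenset({"acme"}))

RULES = DEFAULT_RULES + [ACME_DENY]

if __name__ == "__main__":
    for req in (
        Request("vex.query", "read", "globex", frozenset(), frozenset({"vex:read"})),
        Request("vex.query", "action", "globex", frozenset(), frozenset({"vex:read"})),
        Request("scanner.findings.topk", "read", "acme", frozenset(), frozenset({"findings:read"})),
        Request("scanner.findings.topk", "read", "globex", frozenset(), frozenset({"findings:read"})),
    ):
        effect, rule = evaluate(RULES, req)
        print(f"{req.tenant:7} {req.tool:23} {req.action:6} -> {effect} via {rule and rule.tool}")
```

Running the module shows the two behaviours that matter: the "acme" request is denied by the priority-100 override even though it holds findings:read, while the same request from another tenant is allowed by the default mapping, and a vex.query call with action "action" is denied with no rule attached because the only vex.query rule is a read rule. Adding a second priority-100 rule for "scanner.*" with effect allow makes find_ambiguities report the pair, which is the order-dependent overlap the override guidance tells you to resolve with distinct priorities.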