
Governance Workflows

Goal

Create and manage reusable organization templates and policy templates through the Governance section of the Admin Console. Organization templates define property schemas that organizations inherit, while policy templates define authorization policy blueprints that you can instantiate into live policies.

Audience

This guide is for platform administrators and governance officers who need to standardize how organizations and authorization policies are structured across tenants. If you manage multiple organizations that share the same property schema or enforce consistent policy patterns, governance templates reduce manual setup and configuration drift.

Prerequisites

  • Access to the Admin Console with permissions for organization templates and policy templates management (read, create, update, and delete scopes as needed)
  • At least one tenant configured in the platform

Before You Start

Governance templates serve two purposes:

  • Organization templates define a reusable structure that organizations inherit when created. Each template specifies a name, optional alias, a set of property attributes (with a code, name, type, and default value), and role assignments. Templates can reference a parent template, enabling hierarchical structures.

  • Policy templates define reusable authorization policy blueprints. Each template captures the full configuration for one of six policy types — RBAC, ABAC, ReBAC, PBAC, RADAC, or Dynamic — including strategy, status, and type-specific fields. When you instantiate a policy from a template, the Admin Console pre-fills the policy creation form with the template values, and you can adjust them before saving.

The following diagram shows how templates relate to live resources:

Steps

1. Navigate to Governance Templates

Open the Admin Console and select Governance from the sidebar. Under Templates, you find two sections:

  • Organization Templates at /governance/templates/organization-templates
  • Policy Templates at /governance/templates/policy-templates

2. Manage organization templates

Organization templates define the structural blueprint that organizations inherit. Each template can include property attributes, role assignments, and a parent template reference for hierarchical nesting.

Browse organization templates

Navigate to Governance > Templates > Organization Templates. The list page displays all templates for the current tenant. A tree-style browser at /governance/templates/organization-templates/browse lets you explore templates and their sub-templates hierarchically.

Select a template from the tree to view its details, including:

  • Name and alias
  • Attributes — property values assigned from organization property templates (code, name, value)
  • Global roles and client roles assigned to the template
  • Sub-templates — child templates under the current template
  • External IDs — external identifier mappings (name/value pairs)

Create an organization template

  1. Select Create (or use the route /governance/templates/organization-templates/create).
  2. Enter a Name for the template.
  3. Optionally enter an Alias. If you leave this blank, the system generates one from the name (lowercase, hyphens replacing spaces).
  4. Assign Global Roles — select realm-level roles that organizations created from this template will inherit.
  5. Configure Applications — select client applications and assign client-specific roles.
  6. Add Attributes — select attributes from existing organization property templates. Each attribute has a code, name, and value.
  7. Add External IDs — add name/value pairs for external system integration.
  8. Select Save to create the template.

Tip: To create a sub-template under an existing template, navigate to the parent template in the browse view and use the Create Sub-Template action. The system automatically sets the parent reference.

Edit an organization template

  1. Navigate to the template in the browse tree or list.
  2. Select Edit (or use the route /governance/templates/organization-templates/edit/{id}).
  3. Modify the Name, Alias, Global Roles, Client Roles, Attributes, External IDs, or Parent Department as needed.
  4. Select Save to apply changes.

Delete an organization template

  1. Navigate to the template detail view.
  2. Select Delete.
  3. Confirm the deletion in the confirmation dialog.

Warning: Deleting an organization template does not remove organizations that were already created from it, but new organizations can no longer reference the deleted template.


3. Manage organization property templates

Organization property templates define the data schema — the set of typed properties — that organization templates can reference as attributes. You manage property templates under Settings > Tenants > [your tenant] > Organization Property Templates.

Property fields

Each property within a template has the following fields:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| code | string | Yes | Unique identifier for the property (max 250 characters) |
| name | string | Yes | Human-readable label (max 100 characters) |
| type | enum | Yes | Data type: STRING, NUMERIC, BOOLEAN, or DATE |
| required | boolean | Yes | Whether organizations must provide a value for this property |
| defaultValue | string or number | No | Pre-filled value for the property when left unset |

Create an organization property template

  1. Navigate to Settings > Tenants > [your tenant] > Organization Property Templates.
  2. Select Create.
  3. Enter a Name for the property template.
  4. Add one or more Properties:
    • Set the Code (a machine-readable identifier, for example region).
    • Set the Name (a human-readable label, for example Region).
    • Choose the Type (STRING, NUMERIC, BOOLEAN, or DATE).
    • Toggle Required if the property must be set on every organization using this template.
    • Optionally set a Default Value.
  5. Select Save.

4. Manage policy templates

Policy templates define reusable authorization policy blueprints. Each template targets one of six policy types and captures all the configuration needed to instantiate a live policy.

Browse policy templates

Navigate to Governance > Templates > Policy Templates. The list page displays all templates with the following columns:

  • Name
  • Policy Type (displayed as a tag: RBAC, ABAC, REBAC, PBAC, RADAC, or DYNAMIC)
  • Description
  • Created At
  • Updated At

Use the Search field to filter by name and the Policy Type filter to narrow results to a specific type.

Create a policy template

  1. Select Create on the policy templates list page.
  2. Choose a Policy Type. The form adapts to show type-specific fields based on your selection.
  3. Fill in the common fields:

| Field | Description | Default |
| --- | --- | --- |
| Name | Template name (max 100 characters) | |
| Description | Purpose of this template (max 2000 characters) | |
| Status | ENABLED or DISABLED | ENABLED |
| Strategy | Decision strategy: AFFIRMATIVE, UNANIMOUS, or CONSENSUS | AFFIRMATIVE |

  4. Configure the type-specific policy details (see the following sections).
  5. Select Save to create the template.

Type-specific fields

Each policy type requires its own set of configuration fields within the policy section of the template:

RBAC (Role-Based Access Control)

| Field | Description |
| --- | --- |
| Mode | CONDITIONS (default) or EXPRESSION |
| Roles | One or more role references (id, name, optional client). At least one required. |
| Groups | One or more group references (id, name, optional client). At least one required. |
| Fetch Roles | Whether to fetch roles dynamically at evaluation time (default: false) |
| Expression | EQL expression (used when mode is EXPRESSION) |

ABAC (Attribute-Based Access Control)

| Field | Description |
| --- | --- |
| Mode | EXPRESSION (default) or CONDITIONS |
| Expression | EQL expression defining the attribute-based rule |
| Group Condition | Nested condition tree with BASIC, AND, OR, or GROUP nodes (used when mode is CONDITIONS) |

ReBAC (Relationship-Based Access Control)

| Field | Description |
| --- | --- |
| Mode | CONDITIONS (fixed) |
| Authorization ID | The FGA authorization model identifier |
| Relation | The relationship to check (for example, viewer, editor) |
| Source | Schema name and source field for the requesting entity |
| Target | Schema name and source field for the target resource |
| Generic Context | Optional array of context items (name and sourceField) |

PBAC (Policy-Based Access Control)

| Field | Description |
| --- | --- |
| Mode | CONDITIONS (default) or EXPRESSION |
| Policies | One or more sub-policy references (id, name, policyType). At least one required. |
| Decision Strategy | How sub-policy results combine: AFFIRMATIVE, UNANIMOUS, or CONSENSUS |

RADAC (Risk-Adaptive Access Control)

| Field | Description |
| --- | --- |
| Mode | EXPRESSION (default) or CONDITIONS |
| Risk Factor Min | Minimum risk score threshold (0–10, default: 0) |
| Risk Factor Max | Maximum risk score threshold (0–10, default: 5) |
| Factor Types | Risk factor identifiers to evaluate (for example, IP_BLACKLISTED, VPN_USAGE, SUSPICIOUS_LOCATION) |
| Expression | EQL expression (used when mode is EXPRESSION) |

Dynamic

| Field | Description |
| --- | --- |
| Mode | EXPRESSION (fixed) |
| JS Code | Custom JavaScript code that evaluates the authorization decision (5–10 000 characters) |
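
The limits in the common-field and type-specific tables can be checked offline before a template is saved, for example in a review step for templates kept as JSON. This is an added example, not code from the product or its documentation: the payload shape and the key names (`policyType`, `status`, `strategy`, `mode`, `riskFactorMin`, `riskFactorMax`, `jsCode`) are assumptions, and only the limits themselves come from the tables.

```python
# Added example: lint a policy-template payload against the documented limits.
# Key names and payload shape are assumptions; the limits come from the tables.
STATUSES = {"ENABLED", "DISABLED"}
STRATEGIES = {"AFFIRMATIVE", "UNANIMOUS", "CONSENSUS"}
BOTH = {"CONDITIONS", "EXPRESSION"}
MODES = {"RBAC": BOTH, "ABAC": BOTH, "PBAC": BOTH, "RADAC": BOTH,
         "REBAC": {"CONDITIONS"}, "DYNAMIC": {"EXPRESSION"}}
DEFAULT_MODE = {"RBAC": "CONDITIONS", "ABAC": "EXPRESSION", "REBAC": "CONDITIONS",
                "PBAC": "CONDITIONS", "RADAC": "EXPRESSION", "DYNAMIC": "EXPRESSION"}
NON_EMPTY = {"RBAC": ("roles", "groups"), "PBAC": ("policies",)}

def lint_policy_template(tpl):
    """Return a list of problems; an empty list means no documented limit is broken."""
    errs = []
    if len(tpl.get("name") or "") > 100:
        errs.append("name: max 100 characters")
    if len(tpl.get("description") or "") > 2000:
        errs.append("description: max 2000 characters")
    if tpl.get("status", "ENABLED") not in STATUSES:
        errs.append("status: must be ENABLED or DISABLED")
    if tpl.get("strategy", "AFFIRMATIVE") not in STRATEGIES:
        errs.append("strategy: must be AFFIRMATIVE, UNANIMOUS or CONSENSUS")
    ptype = str(tpl.get("policyType", "")).upper()
    if ptype not in MODES:
        return errs + ["policyType: unknown type %r" % tpl.get("policyType")]
    pol = tpl.get("policy") or {}
    if pol.get("mode", DEFAULT_MODE[ptype]) not in MODES[ptype]:
        errs.append("mode: not allowed for " + ptype)
    for key in NON_EMPTY.get(ptype, ()):
        if not pol.get(key):
            errs.append("%s: at least one entry required" % key)
    if ptype == "RADAC":
        for key, default in (("riskFactorMin", 0), ("riskFactorMax", 5)):
            val = pol.get(key, default)
            if isinstance(val, bool) or not isinstance(val, (int, float)) or not 0 <= val <= 10:
                errs.append("%s: must be a number from 0 to 10" % key)
    if ptype == "DYNAMIC" and not 5 <= len(pol.get("jsCode") or "") <= 10000:
        errs.append("jsCode: must be 5 to 10000 characters")
    return errs

# Constructed sample templates (not taken from a real tenant).
GOOD = {"name": "Default Reader Policy", "policyType": "RBAC",
        "policy": {"roles": [{"id": "r1", "name": "reader"}],
                   "groups": [{"id": "g1", "name": "staff"}]}}
BAD = {"name": "Risk gate", "policyType": "RADAC", "status": "ACTIVE",
       "policy": {"mode": "EXPRESSION", "riskFactorMax": 12}}

if __name__ == "__main__":
    for tpl in (GOOD, BAD):
        print(tpl["name"], "->", lint_policy_template(tpl) or "OK")
```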

Edit a policy template

  1. Select a template from the list.
  2. Navigate to the update route (/governance/templates/policy-templates/update/{id}).
  3. Modify any common or type-specific fields.
  4. Select Save to apply changes.

Delete policy templates

  1. Select one or more templates using the checkboxes in the list.
  2. Select Delete from the bulk actions bar.
  3. Confirm the deletion in the dialog by typing the template name (for single delete) or the confirmation text (for bulk delete).

You can also delete a single template through the row action menu.


5. Create a policy from a template

After you create a policy template, you can instantiate a live policy from it:

  1. Navigate to Governance > Templates > Policy Templates.
  2. Locate the template you want to use.
  3. Open the row action menu and select Create Policy from Template.
  4. The Admin Console redirects you to the policy creation form under Authorization > Policies with all fields pre-filled from the template.
  5. Review and adjust the pre-filled values as needed (for example, change the name to reflect the specific use case).
  6. Select Save to create the live policy.

Note: Creating a policy from a template does not link the policy to the template. Changes to the template after instantiation do not affect existing policies.


Validation Scenario

Use this scenario to confirm that governance template workflows function correctly.

Scenario

Create an organization property template, an organization template, and an RBAC policy template. Then instantiate a policy from the policy template.

Steps

  1. Create an organization property template with two properties:

    • region — type: STRING, required: true, no default value
    • cost-center — type: NUMERIC, required: false, default value: 1000
  2. Create an organization template named Standard Department that references the property template above as attributes.

  3. Create an RBAC policy template named Default Reader Policy:

    • Status: ENABLED
    • Strategy: AFFIRMATIVE
    • Roles: assign at least one role reference
    • Groups: assign at least one group reference
  4. Instantiate a policy from the Default Reader Policy template using the Create Policy from Template action.

Expected Result

  • The organization property template appears in the property templates list with two properties.
  • The organization template appears in the browse tree and its detail view shows the assigned attributes and roles.
  • The RBAC policy template appears in the policy templates list with type tag RBAC.
  • The policy creation form opens pre-filled with the template name, strategy, roles, and groups. After saving, the live policy appears under Authorization > Policies.

How to Verify

  • UI evidence: Confirm each resource appears in its respective list page with the correct field values.
  • API evidence: Use the property templates and policy templates API endpoints to verify the created resources.
  • Audit evidence: Check the creator and last-modified-by information on the policy template detail page to confirm the acting user.

Troubleshooting

| Symptom | Possible Cause | Resolution |
| --- | --- | --- |
| Create button is not visible | Your account lacks the required create permission for organization templates or policy templates. | Ask a platform administrator to grant the required permissions. |
| Policy template save fails with a validation error | A required field is missing or a value exceeds the character limit. | Review all form fields. Ensure roles and groups arrays contain at least one entry for RBAC templates, and that the JS Code field has at least 5 characters for Dynamic templates. |
| "Create Policy from Template" does not pre-fill the form | The browser may have blocked the query parameter on redirect. | Verify the URL contains ?fromTemplate={templateId}. Clear the browser cache and retry. |
| Organization template does not appear in the browse tree | The template may belong to a different tenant. | Confirm you selected the correct tenant context before browsing. |
| Delete confirmation dialog does not accept input | For bulk deletions, the confirmation text differs from single deletions. | Type the exact confirmation text shown in the dialog. |

Next Steps

After creating governance templates, explore these related workflows: