»Enforcement Levels

Enforcement levels are a first-class concept in Sentinel that allow pass/fail behavior to be assigned separately from the policy logic. This enables any policy to be a warning, to allow overrides, or to be absolutely mandatory. Because the level is not part of the policy body itself, different uses of the same policy can have different enforcement levels.

Sentinel has three enforcement levels:

  • Advisory: The policy is allowed to fail. However, a warning should be shown to the user or logged. Advisory is the default enforcement level.

  • Soft Mandatory: The policy must pass unless an override is specified. The semantics of "override" are specific to each Sentinel-enabled application. The purpose of this level is to provide a level of privilege separation for a behavior. Additionally, the override provides non-repudiation since at least the primary actor was explicitly overriding a failed policy.

  • Hard Mandatory: The policy must pass no matter what. The only way to override a hard mandatory policy is to explicitly remove the policy. It should be used in situations where an override is not possible.

»Configuring Enforcement Levels

Enforcement levels are configured when a policy is deployed to a Sentinel-enabled application. The exact mechanism by which the level is specified is determined by each application. Please refer to the documentation for your Sentinel-enabled application for more information.

Enforcement levels are not configured in the policy body, and the policy body has no knowledge of them. All policies should be written to describe exactly the behavior they're attempting to control. For example, a policy that restricts deploys to business hours should be written to express exactly that restriction. When that policy is configured on an application, the operator may specify that it is advisory, soft mandatory, or hard mandatory.
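The following Python model is an added example, not Sentinel code and not taken from HashiCorp: it shows how an application could apply the three levels to the same failing business-hours policy and record an override for audit. The names `decide`, `PolicyResult`, `business_hours`, the audit line format and the actor identity are all assumptions, since override semantics are specific to each application.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Level(Enum):
    ADVISORY = "advisory"
    SOFT_MANDATORY = "soft-mandatory"
    HARD_MANDATORY = "hard-mandatory"

@dataclass(frozen=True)
class PolicyResult:
    name: str
    passed: bool   # outcome of the policy body, which never sees the level
    level: Level   # attached by the operator when the policy is deployed

def decide(results, override_by: Optional[str] = None):
    """Return (allowed, audit) for one request.

    override_by is the identity of the actor requesting an override, or None.
    """
    allowed, audit = True, []
    for r in results:
        if r.passed:
            continue
        if r.level is Level.ADVISORY:
            audit.append(f"WARN {r.name} failed (advisory)")
        elif r.level is Level.SOFT_MANDATORY and override_by:
            # Record who overrode which policy: the non-repudiation trail.
            audit.append(f"OVERRIDE {r.name} by {override_by}")
        else:
            # Hard mandatory failures, and soft ones without an override, block.
            allowed = False
            audit.append(f"DENY {r.name} failed ({r.level.value})")
    return allowed, audit

def business_hours(hour: int, weekday: int) -> bool:
    """Constructed stand-in for the business-hours policy body (Monday = 0)."""
    return weekday < 5 and 9 <= hour < 17

if __name__ == "__main__":
    passed = business_hours(hour=22, weekday=2)  # constructed: Wednesday 22:00
    for level in Level:
        result = PolicyResult("business-hours", passed, level)
        for actor in (None, "alice@example.com"):
            print(level.value, actor, decide([result], override_by=actor))
```
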
