What is a one sentence summary of your feature request?
The ability to back up Access Policies and/or make deleting existing policies more difficult
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
At the moment, deleting an access policy involves nothing more than a single click of the delete button. There’s no confirmation (“are you sure you want to delete this policy?”), and there are no safeguards in place preventing deletion if existing resources and/or users/groups are tied to the policy. I would like to see one of two things, both if possible:
- Deletion of an access policy is restricted until users/groups and/or resources are disassociated from the access policy. Additionally, there can be a pop-up: “There are currently resources associated with this access policy, are you sure you want to delete it?” If an admin clicks “yes”, existing associations are ignored and the policy is deleted.
- The ability to back up access policies.
We have to severely restrict who has administrative rights to the tool. That’s reasonable, but we have a colossal environment that needs to be administered by more than one or two people, and mistakes happen. Admins are less likely to make a mistake if they have to confirm deletion.
How do you currently solve the challenges you have by not having this feature?
Due to permission segregation in our environment, coupled with its size, we have hundreds of access policies. I keep a spreadsheet detailing all access policies and their associated users/groups & resources in the event another Admin (or myself) mistakenly deletes a policy.