Policies
Policies decide what each connected tool may do. Rules evaluate in order: explicit rule, then server default, then org default.
Test a callas
GitHub
githuballowgrant_repo_accesswhenrole != adminandrepo starts with decawork-
allowadd_outside_collaborator
require approvalremove_collaboratorapprovers: it-admins
blockorg_admin_change
blockdelete_repository
allowlist_repos
allowget_filewhenrepo starts with decawork-
allowcreate_issuewhenrepo starts with decawork-
Server default: default-deny — block anything no rule allows
Org default: allow
Stripe
stripeallowlist_customers
allowget_customer
require approvalcreate_refundapprovers: it-admins
blockcreate_payout
blockcancel_subscription
Server default: default-deny — block anything no rule allows
Org default: allow
Google Workspace
google-workspaceallowcreate_user
allowadd_user_to_group
blocksuspend_user
blockdelete_user
Server default: default-allow — allow anything no rule blocks
Org default: allow
HubSpot
hubspotallowsearch_contacts
blockdelete_contact
Server default: monitor — log everything, block nothing
Org default: allow
Rippling
ripplingallowlist_employees
allowget_employee
Server default: monitor — log everything, block nothing
Org default: allow
No explicit rules
These servers run on their server default alone.
Notion
notionServer default: default-allow — allow anything no rule blocks
Org default: allow
Slack
slackServer default: default-allow — allow anything no rule blocks
Org default: allow