Cloud

Policies

Policies decide what each connected tool may do. Rules evaluate in order: explicit rule, then server default, then org default.

Test a callas

GitHub

github
allowgrant_repo_accesswhenrole != adminandrepo starts with decawork-
allowadd_outside_collaborator
require approvalremove_collaboratorapprovers: it-admins
blockorg_admin_change
blockdelete_repository
allowlist_repos
allowget_filewhenrepo starts with decawork-
allowcreate_issuewhenrepo starts with decawork-
Server default: default-denyblock anything no rule allows
Org default: allow

Stripe

stripe
allowlist_customers
allowget_customer
require approvalcreate_refundapprovers: it-admins
blockcreate_payout
blockcancel_subscription
Server default: default-denyblock anything no rule allows
Org default: allow

Google Workspace

google-workspace
allowcreate_user
allowadd_user_to_group
blocksuspend_user
blockdelete_user
Server default: default-allowallow anything no rule blocks
Org default: allow

HubSpot

hubspot
allowsearch_contacts
blockdelete_contact
Server default: monitorlog everything, block nothing
Org default: allow

Rippling

rippling
allowlist_employees
allowget_employee
Server default: monitorlog everything, block nothing
Org default: allow

No explicit rules

These servers run on their server default alone.

Notion

notion
Server default: default-allowallow anything no rule blocks
Org default: allow

Slack

slack
Server default: default-allowallow anything no rule blocks
Org default: allow