LinkedIn
Twitter
Hello AppSheet Community,
Iโm excited to share three big updates to policies in AppSheet:
- Introducing the โEnforce alwaysโ policy stage, which allows a policy to be enforced the moment it is saved.
- Policy compliance preview is now available when creating or editing any policy. This tool lets policy authors see how existing apps in a policyโs scope might be impacted before that policy is saved.
- Updated default stages for most policy templates. We think โEnforce alwaysโ puts even more governance control in the hands of policy-creators, so weโve made this the template default moving forward.
These features are rolling out now and are available to all users who can edit policies. Check them out in your account, or read on for more information.
Why use Enforce always?
In the world of AppSheet governance, policy โstagesโ specify when AppSheetโs policy engine should check if any non-compliant conditions or behavior exist โ and if found, act against it.
For example, if a policyโs โstageโ is set to โon deploy,โ any non-compliant behavior (e.g. actions that are not allowed per the policyโs condition against its specific component) detected when the app is deployed will be flagged. If the policyโs severity is set to โwarn,โ the app creator deploying the app will see a warning indicating their app is out of compliance but still be allowed to deploy. If the policy is set to โerror,โ the app creator will be unable to deploy their app.
Sounds good - as long as all intended apps reach the โstageโ checkpoint.
But, if an app doesn't reach the โon deployโ checkpoint, the policy will not be enforced until it does. If an app remains in prototype state or the policy was created after the app was deployed, this means that it could possibly exist โ and function โ in a non-compliant state for an indefinite amount of time.
The new โEnforce alwaysโ policy stage launching now was designed to address exactly the case described above. Setting a policyโs stage to โEnforce alwaysโ means that any app - regardless of its component, condition, severity, or otherwise - will come under control of this policy as soon as it is saved, allowing policy-setters maximum confidence in the governance boundaries of their AppSheet systems.
Why use policy compliance preview?
Policies are powerful: Depending on its configuration, creators or users who attempt a noncompliant action can be totally stopped in their tracks. While preventing unwanted actions is often the reason organizations implement them in the first place, there may be some apps that are unintentionally or unknowingly out of compliance with a new policy. And, on the flipside, editing or creating a new policy may introduce checks that block the legitimate use of important applications.
In either case, before now there was little policy creators could do to check whether a policy update would work as intended. The only way to determine if a policy would impact the right set of components, conditions, targets, and stage impacting the right apps in the right way was to test it live ๐ซฃ
Testing potentially breaking changes live, against production applications, isnโt ideal. Itโs actually made even more risky by the addition of the Enforce always policy stage, which makes it relatively simple to deactivate a wide swath of apps as soon as a new error-severity policy is saved. Thatโs why weโve coupled the release of Enforce always with the new policy compliance preview:
Now, when configuring a policy, you can review policy compliance to confirm the results are as expected for each version (latest and stable) of your app.
The policy compliance preview will show all apps this policy would impact โ and whether theyโre currently in or out of compliance with the proposed policyโs rules. Compliant apps will keep running, with no changes to their current functionality. If a policy is saved, apps listed in the Non-compliant section will see their behavior impacted depending on the proposed policyโs severity and stage.
From this list, the policy-setting user can edit (or ask the creator to edit) non-compliant apps โ or, if the policy itself is incorrect, update it accordingly. The compliance check will re-run in real time, so you can see the impact of changes as you make them.
Updated policy templates
Before today, most predefined policy templates used โon app editโ as their default stage. Now, the majority of the predefined policy templates have been updated to use โEnforce alwaysโ as their default stage. We think the enforce now stage makes your AppSheet environment more secure than ever, but remember you can always edit the templated policy to suit your particular organizationโs needs.
As of now, all predefined policy templates EXCEPT "Apps must have documentation,โ "Restrict who can deploy apps,โ and โblock external appsโ now use โenforce alwaysโ as their default stage.
Bringing it all together
Together, Enforce always and the policy compliance preview make it easier than ever for admins to ensure their data is tightly controlled โ while the apps connected to it remain working exactly as intended.
Please share your feedback in the thread below this message!
