This repository has been archived by the owner on Nov 30, 2022. It is now read-only.

Add Default Policies [#624] (#654)
* WIP: Add a data migration that autogenerates a default 'download' and 'delete' policy.

* Bump downrev and add logging for data migration steps.

* Try importing models from db.base.

* Use the connection currently being used to emit SQL to the database.

* Skip adding default policies to test database.

* Refactor so we're querying in SQL and not relying on SQLAlchemy models.

* Add default policies to policy guides and clarify that the TESTING env variable is primarily set by pytest.

* Update docs/fidesops/docs/guides/policies.md

Co-authored-by: Cole Isaac <82131455+conceptualshark@users.noreply.github.com>

Co-authored-by: Cole Isaac <82131455+conceptualshark@users.noreply.github.com>
pattisdr and conceptualshark authored Jun 16, 2022
1 parent a96c4b3 commit 9664c6a
Showing 4 changed files with 403 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -31,6 +31,7 @@ The types of changes are:
* Adds searching of ConnectionConfigs [#641](https://github.com/ethyca/fidesops/pull/641)
* Added `AdminUiSettings` to the `log_all_config_values` helper method [#647](https://github.com/ethyca/fidesops/pull/647)
* Prettier formatting CI check for frontend code [#655](https://github.com/ethyca/fidesops/pull/655)
* Adds default policies [#654](https://github.com/ethyca/fidesops/pull/654)

### Changed
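Review bot: The added entry `Adds default policies` does not tell an operator that upgrading runs a data migration which writes a `download` and a `delete` Policy into their database. The commit message says the migration autogenerates both Policies and only skips the test database, so the changelog line should say that these Policies are created by a migration on upgrade and point to the Default Policies section of the policies guide.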

2 changes: 2 additions & 0 deletions docs/fidesops/docs/guides/configuration_reference.md
Expand Up @@ -117,6 +117,8 @@ Please note: The configuration is case-sensitive, so the variables must be speci
| `FIDESOPS__DEV_MODE` | False | If "True", the fidesops server will log error tracebacks, and log details of third party requests. This variable should always be set to "False" in production systems.|
| `FIDESOPS__CONFIG_PATH` | None | If this variable is set to a path, that path will be used to load .toml files first. That is, any .toml files on this path will override any installed .toml files. |
| `FIDESOPS__DATABASE__SQLALCHEMY_DATABASE_URI` | None | An optional override for the URI used for the database connection. |
| `TESTING` | False | This variable does not need to be set - Pytest will set it to True when running unit tests, so we run against the test database. |


## - Reporting a running application's configuration
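Review bot: The new `TESTING` row does not say what happens when the variable is set to True outside of a test run. The description states that True makes the server run against the test database, so the row should carry the same kind of warning the `FIDESOPS__DEV_MODE` row has, for example "This variable should never be set to True in production systems." Unlike every other variable in this table, `TESTING` has no `FIDESOPS__` prefix; either namespace it or note in the row that the unprefixed name is intentional, since a generic name like this is easy to set by accident in a shared environment.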

17 changes: 16 additions & 1 deletion docs/fidesops/docs/guides/policies.md
@@ -1,5 +1,13 @@
# How-To: Configure Policies

In this section we'll cover:

- What is a Fidesops Policy?
- How do I create a Policy?
- How do I add Rules to my Policy?
- What default Policies ship with Fidesops?

## Policy Definition

A Policy is a set of instructions (or "Rules") that are executed when a user submits a request to retrieve or delete their data (the user makes a "Privacy Request"). Each Rule contains an "execution strategy":
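Review bot: The four entries in the new "In this section we'll cover" list are plain text and are phrased as questions that do not match the section headings in this file (`## Policy Definition`, `## Creating a Policy`, `## Default Policies`). Make each entry a link to its section, or reword the entries to match the headings, so a reader can tell which section answers which question.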

Expand Down Expand Up @@ -32,7 +40,7 @@ Each operation takes an array of objects, so you can create more than one at a t
- any objects existing that are not specified in the request will not be deleted


## Create a Policy
## Creating a Policy

Let's say you want to make a Policy that contains rules about a user's email address. You would start by first creating a Policy object:
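Review bot: Renaming `## Create a Policy` to `## Creating a Policy` changes the anchor generated for this heading, so any link from another guide to the old anchor will stop resolving. Search the docs for references to the old anchor before merging, or keep the original heading text if the rename is only cosmetic.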

Expand Down Expand Up @@ -140,3 +148,10 @@ It's illegal to erase the same data twice within a Policy, so you should take ca

And lastly, access rules will always run before erasure rules.

## Default Policies

Fidesops ships with two default Policies: `download` (for access requests) and `delete` (for erasure requests).
The `download` Policy is configured to retrieve `user.provided.identifiable` data and upload to a local storage location.
The `delete` Policy is set up to mask `user.provided.identifiable` data with the string: `MASKED`.

These autogenerated Policies are intended for use in a test environment. In production deployments, you should configure separate Policies with proper storage destinations that target and process the appropriate fields.
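Review bot: The closing paragraph says the autogenerated Policies are "intended for use in a test environment", but per the commit message the migration skips only the test database, so these two Policies will be present in every other database, production included. The section should say that outright and tell operators whether the defaults can be removed or replaced once they have configured their own. Two details also need spelling out because they concern identifiable user data: "a local storage location" for the `download` Policy should name where the files are written, and the `delete` Policy's fixed `MASKED` string should be noted as applying to every `user.provided.identifiable` field regardless of the field's type.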