
Managing Policies

This tutorial explains the Policy section of ntkDeploy and shows you how to create and maintain the ABAC rules, people records, and attribute definitions that gate every deployment.


What is ABAC and why does it matter for deployment?

Attribute-Based Access Control (ABAC) is an access model where permission decisions are computed from attributes — labels attached to both people (subjects) and devices (resources) — rather than from static role membership.

In ntkDeploy, the Policy Manager V2 API enforces ABAC during preflight: before any configuration artifact can be written to a device, the system checks whether that device's owner has all required attributes. If a required attribute is missing or expired, the preflight returns a blocking finding and deployment is prevented.

The practical effect is:

  • A device without a mapped owner (a Peer ID) cannot be deployed to.
  • A person without the required attributes specified in a policy cannot have their devices deployed to.
  • A policy without a valid resource or peer-ID reference will not match any devices.

Managing policies correctly means keeping people records, attribute definitions, and policy rules in sync with your fleet.


Prerequisites

  • The Policy Manager endpoint is configured and reachable. Open Settings from the sidebar, enter the Policy Manager URL, and click Validate. The connectivity badge in the app header should show a healthy status.
  • If the Policy section shows "Policy management is unavailable", configure the endpoint and click Retry.

Click Policy in the sidebar. The section contains four tabs:

  Tab           Purpose
  Policies      ABAC rule records — each policy links a resource identifier, a Peer ID, and a list of required attributes
  People        Person registry — display names, Peer IDs, org identifiers, device fingerprints; includes the Enrollment Queue sub-tab
  Attributes    Attribute definitions — reusable labels with a TTL that can be assigned to people
  Assignments   Policy-to-resource assignment records

The Policies tab

Viewing and filtering policies

The Policies tab lists every policy record fetched from the Policy Manager. Columns:

  • Resource — the resource identifier (for example, a device key or device-group identifier) the policy applies to.
  • Peer ID — the person Peer ID this policy is bound to.
  • Required Attributes — comma-separated list of attribute identifiers that the peer must hold.
  • ID — the server-assigned policy ID (may be empty for locally created records not yet synced).
  • Actions — edit and delete buttons.

Filtering:

  • Type a Peer ID fragment in the Search policies by Peer ID field and press Enter to filter the list.
  • Use the Has ID chip to show only records that have a server ID.
  • Use the Has Attributes chip to show only records with at least one required attribute.
  • Save the current filter combination as a named view using Save view and recall it with the Saved view selector.

Exporting: Click Export CSV to copy a CSV representation of the current page to the clipboard (columns: Resource, Peer ID, Required Attributes, ID).

Creating a policy

  1. Click New (the button with the + icon in the top-right of the Policies tab). A form panel slides in from the right.
  2. Fill in:
     • Resource — the device or resource identifier this rule applies to.
     • Peer ID — the person Peer ID to bind. You can copy a Peer ID from the People tab using the copy icon next to any row.
     • Required Attributes — the attribute identifiers that the peer must hold at deployment time. Select them from the attribute picker that appears. Each attribute must already exist in the Attributes tab.
  3. Click Save. The grid refreshes and the new policy appears.

Tip: If the Peer ID field is unfamiliar, navigate to the People tab first, copy the Peer ID for the relevant person, then return to Policies.

Editing a policy

Click the edit icon (pencil) in the Actions column of any row, or click anywhere on the row to open the detail panel. Inside the panel, click Edit, make changes, and click Save.

Deleting a policy

Click the delete icon (trash) in the Actions column. A confirmation dialog asks:

"Are you sure you want to delete <resource>?"

Click Delete to confirm. The policy is removed from the Policy Manager and the grid refreshes.

Warning: Deleting a policy that gates active devices will cause those devices to fail preflight on the next deployment. Remove policies only when the corresponding devices are decommissioned or the access requirement has been lifted.


The People tab

Viewing the people registry

The People tab has two sub-tabs: People and Enrollment Queue.

The People sub-tab lists every person record in the Policy Manager. Columns:

  • Display Name — human-readable name.
  • Peer ID — the 32-character hexadecimal identity string. Click the copy icon to copy it.
  • Org Unique ID — organization-specific identifier: login email address.
  • Enrollment — shows Enrolled or Not enrolled with a shield icon. Enrolled means at least one device key fingerprint is associated with this person. A pending enrollment fingerprint appears only in the person detail panel, not as a grid row badge.
  • Status — active or disabled.
  • Tags — free-form labels.

Filtering: Type a display name in the Search people by display name field and press Enter. Use the Active and Disabled chips to filter by status.

Adding a person

  1. Click Add Person in the toolbar.
  2. The person form slides in. Fill in:
     • Display Name — required.
     • Peer ID — a 32-character hex string is generated automatically. You may override it, but it must be exactly 32 hex characters.
     • Org Unique ID — login email address; used for cross-system correlation.
     • Status — active (default) or disabled. Disabled people are excluded from policy evaluation.
     • Tags — optional comma-separated labels for grouping or reporting.
  3. Click Save. The record is created in the Policy Manager and the grid refreshes.

Note: The Device Key Fingerprint field is read-only in the form — it is populated automatically when a device enrollment request is approved. See Device Enrollment.

Editing a person

Click the edit icon in any row or click the row to open the detail panel. Click Edit, update fields, and click Save.

Deleting a person

Click the delete icon. Confirm in the dialog. Deleting a person removes their Peer ID from all policies that reference it. Audit the Policies tab afterwards for orphaned policy records.


The Attributes tab

Attributes are the labels that policies require. An attribute has a Label (human-readable), an Attribute ID (the identifier used in policy requiredAttributes), and a Default TTL (the number of seconds the attribute remains valid after assignment).

Viewing attributes

Columns: Label, Attribute ID (with copy icon), Default TTL (in seconds), ID, Actions.

Filtering: Search by label using the Search attributes by label field. Use the TTL <= 1h and TTL > 1h chips to filter by duration.

Creating an attribute

  1. Click New in the Attributes toolbar.
  2. Fill in:
     • Label — human-readable name (for example, corp-device-approved).
     • Attribute ID — the identifier referenced in policy rules. Once created this cannot be changed without updating every policy that references it.
     • Default TTL — how long (in seconds) the attribute is valid after being granted to a person. For example, 86400 = 24 hours. Leave blank to use the server default.
  3. Click Save.

Editing and deleting attributes

Use the edit and delete icons in the Actions column. Deleting an attribute that is referenced in active policy records will cause those policies to fail preflight evaluation. Update policies before deleting attributes.


The Assignments tab

The Assignments tab shows policy-to-resource assignment records. These link policy rules to specific deployment contexts. Columns: Resource, Peer ID, Policy ID, ID, Actions.

Use this tab to:

  • View which policies are assigned to which resources.
  • Create new assignment records when a policy needs to be explicitly bound to a resource.
  • Delete stale assignments for decommissioned resources.


How policies gate deployment

When you run the deployment wizard and reach the Review step, ntkDeploy calls the Policy Manager and:

  1. Checks that the connectivity gate is open.
  2. Submits a batch of device key lookups to resolve each device in the selected groups to a Peer ID (via ownership mappings).
  3. Requests a policy plan — the Policy Manager evaluates every policy for the resolved Peer IDs and attributes.
  4. Reports blocking findings (deployment blocked) or warning findings (deployment allowed with notes).

A blocking finding typically means one of:

  • The Peer ID has no ownership mapping (add one via Device Enrollment or inline in Device Groups).
  • The Peer ID is missing a required attribute (add the attribute in the Attributes tab, then assign it to the person).
  • The Policy Manager is unreachable (fix the endpoint in Settings).
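To make the preflight sequence and the finding types above concrete, here is a small Python model of how one device is evaluated: owner lookup, Peer ID format check, person status, then every required attribute checked for presence and TTL expiry. It is an added illustration, not ntkDeploy's or the Policy Manager's own code; the dataclasses, field names, sample Peer ID and device keys are constructed for the example, and reporting a device with no matching policy as a warning rather than a block is an assumption.

```python
import re
from dataclasses import dataclass

PEER_ID_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)  # 32 hex chars, as in the People tab

@dataclass
class Grant:            # an attribute assigned to a person
    attr_id: str
    granted_at: int     # epoch seconds when the attribute was assigned
    ttl: int            # validity window in seconds (the attribute's Default TTL)
@dataclass
class Person:
    peer_id: str
    status: str = "active"   # disabled people are excluded from policy evaluation
    grants: tuple = ()
@dataclass
class Policy:
    resource: str            # device key or device-group identifier
    peer_id: str
    required: tuple          # required attribute IDs

def preflight(device_key, ownership, people, policies, now):
    """Evaluate one device; returns (blocking, warnings) lists of finding strings."""
    blocking, warnings = [], []
    peer_id = ownership.get(device_key)
    if peer_id is None:
        return [f"{device_key}: no ownership mapping (no Peer ID)"], warnings
    if not PEER_ID_RE.match(peer_id):
        return [f"{device_key}: malformed Peer ID {peer_id!r}"], warnings
    person = people.get(peer_id)
    if person is None or person.status != "active":
        return [f"{device_key}: Peer ID {peer_id} unknown or disabled"], warnings
    matching = [p for p in policies if p.resource == device_key and p.peer_id == peer_id]
    if not matching:
        # Assumption: an unmatched device is reported as a warning, not blocked.
        warnings.append(f"{device_key}: no policy matches this resource/Peer ID pair")
    held = {g.attr_id: g for g in person.grants}
    for pol in matching:
        for attr in pol.required:
            g = held.get(attr)
            if g is None:
                blocking.append(f"{device_key}: missing required attribute {attr}")
            elif now >= g.granted_at + g.ttl:   # TTL elapsed since the grant
                blocking.append(f"{device_key}: attribute {attr} expired")
    return blocking, warnings

# Constructed sample fleet: one owner holding one attribute, one policy requiring two.
OWNER = "0123456789abcdef0123456789abcdef"
PEOPLE = {OWNER: Person(OWNER, grants=(Grant("corp-device-approved", 1_000, 86_400),))}
POLICIES = [Policy("dev-laptop-01", OWNER, ("corp-device-approved", "mfa-enrolled"))]
OWNERSHIP = {"dev-laptop-01": OWNER, "dev-laptop-03": OWNER}
```

Running preflight("dev-laptop-01", OWNERSHIP, PEOPLE, POLICIES, now=2_000) yields one blocking finding for the missing mfa-enrolled attribute; advancing now past 1_000 + 86_400 adds a second for the expired grant.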


Policy status badge

The app header shows a badge indicating the current connectivity gate status:

  • Connected (green) — Policy Manager is reachable; ABAC evaluation is available.
  • Degraded (amber) — Policy Manager is partially available; some capabilities may be missing.
  • Disconnected (red) — Policy Manager is unreachable. Deployment is blocked. Check the endpoint in Settings.

Next Steps