Policy Flag Reset
Policies can now reset flags they have previously set using the reset_flag
rule.
Basic usage
Multi-owner security
- Multiple policies can own the same flag when they all set it
- ALL owners must agree to reset a flag for it to be removed
- Prevents malicious policies from hijacking flags set by other policies
Processing order
Within each policy evaluation:
- Reset flags are processed first
- Add flags are processed second
Legacy policies
Policies without a PolicyULID can set flags but cannot reset any flags.
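The ownership rules above (multi-owner reset, reset-before-add ordering, legacy policies) can be modelled in a few lines of Python. This is an added illustration, not the product's implementation: the `FlagStore` class, the `LEGACY` sentinel, the policy identifiers and the flag names are constructed, and it assumes an owner "agrees" to a reset by issuing its own reset for that flag.

```python
LEGACY = "<legacy>"  # assumed sentinel owner for policies without a PolicyULID

class FlagStore:
    """Toy model: maps each flag to the set of policy IDs that own it."""

    def __init__(self):
        self.owners = {}

    def evaluate(self, policy_ulid, resets=(), adds=()):
        """Apply one policy evaluation; returns the resets that were refused."""
        refused = []
        # Resets are processed first.
        for flag in resets:
            current = self.owners.get(flag, set())
            # Legacy policies and non-owners cannot reset a flag.
            if policy_ulid is None or policy_ulid not in current:
                refused.append(flag)
                continue
            current.discard(policy_ulid)  # this owner agrees to the reset
            if not current:               # every owner has agreed
                del self.owners[flag]
        # Adds are processed second, so reset + add of one flag leaves it set.
        for flag in adds:
            self.owners.setdefault(flag, set()).add(policy_ulid or LEGACY)
        return refused

    def flags(self):
        return sorted(self.owners)

def demo():
    """Constructed scenario; returns (step, refused resets, flags) tuples."""
    f, g = "needs-review", "legacy-flag"
    steps = [
        ("A sets", "POLICY_A", [], [f]),
        ("B sets", "POLICY_B", [], [f]),
        ("C resets", "POLICY_C", [f], []),      # non-owner: refused
        ("A resets", "POLICY_A", [f], []),      # B still owns: flag stays
        ("B resets+sets", "POLICY_B", [f], [f]),  # ordering: flag ends set
        ("B resets", "POLICY_B", [f], []),      # last owner: flag removed
        ("legacy sets", None, [], [g]),
        ("legacy resets", None, [g], []),       # legacy: refused
    ]
    store, log = FlagStore(), []
    for name, ulid, resets, adds in steps:
        log.append((name, store.evaluate(ulid, resets, adds), store.flags()))
    return log
```
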
Use with targeted replans
Flag reset is particularly useful during targeted replans, where plan and approval policies can be evaluated multiple times within the same run as the plan changes. Policies can dynamically set and reset flags based on the current plan content, allowing for adaptive approval workflows that respond to the actual changes being deployed.