Migration to Policy on Resource

Resource Policies are changing to being directly associated with Resources instead of Groups.

What’s changing

Twingate is changing its Security Policies model so that Resource Policies will be directly associated with Resources instead of Groups. This change is being made in response to feedback on how our model should be Resource-centric, and thus Policies should be configured accordingly.

We are also updating our model so that a specific Group accessing a specific Resource can have a separate Policy than the Resource Policy. This allows admins to ensure that each Group has the right Policy applied when accessing a specific Resource.

No changes are needed from you to make this change; we will be rolling it out in a phased manner for all Twingate customers. For more information on the updated Policy on Resource model, see here.

How this impacts existing Groups, Resources, and Policies

In order to make this change, we are migrating over existing Policies, Groups, and Resources in the following way:

  • If a Resource was previously accessed by Groups using the same Security Policy, we set that Security Policy as the Resource Policy.

  • If a Resource was previously accessed by Groups using different Security Policies, we set the Default Policy as the Resource Policy and maintain each of the individual Policies between the specific Group and Resource.

As an example, imagine that Resource A has two Groups that have access. If today, both Groups have the same Policy (e.g. “Company Policy”), then that Resource Policy will be set as Company Policy after the migration. This means that both Groups will automatically inherit Company Policy and it’ll be applied for all users attempting to access that Resource.

If, however, the Groups currently have two separate Policies (e.g. “Company Policy” and “Contractor Policy”), then the Resource Policy will be set as the Default Policy after the migration. Additionally, the two Groups will have their Policies maintained: Contractor Group will use Contractor Policy and Company Group will use Company Policy.

Impact on APIs and Terraform

We are ensuring backwards compatibility with existing APIs and Terraform. Therefore, if you have existing APIs and Terraform code that are managing your Groups, Resources, and Policies, we will map them to the updated model.

FAQ

We will be rolling out the changes over the next few weeks. To see if you have the updated Policies configuration, you can navigate to a Resource and confirm if there’s a Resource Policy listed in the left-hand column.

In addition, the following pages are also being updated:

  • The Resources table has an optional column to show the Resource Policy
  • On each Group detail page, we list the Policy being applied next to each Resource
  • On the Policy page, we list the Resources using that Policy as the Resource Policy

Last updated 3 months ago