Resources
Audience: Control authors, platform engineers, governance owners
Time: ~5 min read
Prerequisites: A deployed Control Plane and at least one Bouncer.
In Control Core, resources are the things you protect — APIs, LLM endpoints, MCP servers, AI agents, RAG indexes, datasets, and tools. Every authorization decision evaluates four PBAC dimensions:
- Subject — who is asking (user, agent, service)
- Action — what they're trying to do
- Resource — what they're trying to do it to
- Environment — when, where, under what conditions
This sub-section covers everything you need to manage the Resource side: registering them, enriching them with metadata that controls and SCCA can reason about, monitoring inventory health, and using enrichment to drive better control templates.
Pages in this section
| Page | When to read it |
|---|---|
| Resource Enrichment | What: structured metadata on each protected resource. Why: feeds data.resources, SCCA, suggested controls, and audit context. How: Settings → Resources → Enrich on a row (or PUT /api/resources/{id}/enrich). Full field map and API examples are on that page. |
| Inventory Dashboard | KPI tour of Settings → Resources → Inventory Dashboard — total / protected / classified / AI share |
| Auto-Classification | How the heuristic classifier proposes enrichment values, when SCCA fallback runs |
| Policy Templates from Enrichment | Mapping from enrichment fields → suggested control templates |
How resources show up
Resources arrive in three ways:
- Auto-discovery — when a Bouncer sees first traffic for a host it hasn't registered yet, it creates a resource with auto_discovered=true. You enrich it from the UI.
- Manual registration — POST /api/resources from your tooling (Terraform, scripts), or the Add resource button.
- Bulk auto-classification — POST /api/resources/auto-classify-bulk runs the heuristic classifier across every unclassified resource in scope.
Troubleshooting: Don't see a resource you expected? Check Settings → Bouncers → <id> → Recent traffic. If the bouncer is healthy and traffic is flowing but no resource was created, the upstream host is probably already registered under a different name — search by hostname in the table.
Lifecycle at a glance
```text
auto-discovered ──► enriched ──► classification source set
       │               │
       │               └─► picked up by audit `event_context.resource_snapshot`
       │               └─► picked up by SCCA prompt context
       │               └─► picked up by `/resources/{id}/suggested-controls`
       │
       └─► published to the control engine via the `data.resources` data feed
           (Rego rules can reference `data.resources[input.resource.id].pii_categories[_]`)
```
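
An added example, not taken from the Control Core documentation: a Rego rule that uses the `data.resources` feed referenced above to fail closed on resources that have not been enriched and to require clearance for every PII category on the resource. The package name, `input.subject.cleared_pii_categories`, and the convention that an enriched resource always carries a `pii_categories` array (possibly empty) are assumptions.

```rego
# Hypothetical package name; use whatever your control engine expects.
package example.resource_pii

import rego.v1

default allow := false

# Assumption: enrichment always writes a pii_categories array, so a missing
# key means the resource is unknown or was auto-discovered and never enriched.
classified if is_array(data.resources[input.resource.id].pii_categories)

# PII categories recorded on the resource (path as given on this page).
resource_pii contains cat if {
	some cat in data.resources[input.resource.id].pii_categories
}

# Assumption: the caller supplies the subject's cleared categories as a list.
subject_cleared contains cat if {
	some cat in input.subject.cleared_pii_categories
}

# Categories the resource holds that the subject is not cleared for.
uncleared := resource_pii - subject_cleared

# Allow only classified resources whose PII categories are all cleared.
allow if {
	classified
	count(uncleared) == 0
}

# Reasons are collected so the denial can be explained in audit output.
deny_reasons contains msg if {
	not classified
	id := object.get(input, ["resource", "id"], "<missing>")
	msg := sprintf("resource %v is unknown or not yet enriched", [id])
}

deny_reasons contains msg if {
	some cat in uncleared
	msg := sprintf("subject is not cleared for PII category %q", [cat])
}
```

Because `allow` defaults to false and depends on `classified`, a resource that was auto-discovered but never enriched is denied rather than treated as holding no PII.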