Resource Enrichment

Audience: Control authors, platform engineers
Time: ~10 min
Prerequisites:

  • A registered resource (how to register).
  • A user account with the Resource Manager or Admin role.

What resource enrichment is

Resource enrichment means attaching structured, operator-approved metadata to a protected resource row in the Control Plane (beyond the hostname or URL the Bouncer discovered). That metadata describes what the workload is for the business, how sensitive it is, who owns it, and—when relevant—how it participates in AI or agent flows. It is not a substitute for Rego controls; it is context those controls and tools can consume.

Why enrich resources

  • Policy and controls: Enrichment fields flow into the data.resources feed so Rego can branch on classification, compliance tags, PII categories, residency, and similar attributes without hardcoding hostnames in policy.
  • Authoring assistance: SCCA and suggested-controls endpoints use the same metadata to propose templates and safer defaults aligned with how you classified the workload.
  • Operations and audit: Audit rows and inventory views carry human-meaningful context (owner team, business description, regulation tags) for triage and evidence, without scraping upstream traffic for labels you already know.

How to do it in the Control Plane

  1. Sign in and open Settings → Resources (pick Inventory Dashboard or Manage Resources as needed).
  2. Locate the resource (auto-discovered rows show an Auto-Discovered badge; the inventory Needs attention table surfaces gaps).
  3. Choose Enrich (or Edit for manual resources), complete the form, and Save. Values are validated (for example, owner_email format and business_context length).
  4. Confirm propagation: enrichment is published for policy evaluation through the usual Control Bridge path; use Audit filtered by resource or the inventory Refresh action if you need to confirm downstream picks up the snapshot.

Troubleshooting: If Enrich is missing, your account may lack resources:edit. Ask an admin to confirm Settings → Users & Roles.

When to enrich

Enrich a resource as soon as one of these is true:

  • It just appeared via auto-discovery (look for the Auto-Discovered badge in Settings → Resources → Manage Resources).
  • The Inventory Dashboard's Needs attention table flags it.
  • You're about to author your first control for it — both the Visual Builder and the SCCA prompts read enrichment.

Troubleshooting: No Enrich button? Make sure your role grants resources:edit. Re-check via Settings → Users & Roles.

Enrichment field map

Fields fall into three groups. You can fill any subset; empty fields are simply absent from the OPA input.

Operator-curated metadata (used by every surface)

Field                      What it controls
resource_kind              api / llm_endpoint / mcp_server / agent / rag_index / dataset / tool — drives template selection
data_classification        public / internal / confidential / restricted — drives default strictness
compliance_tags            GDPR / HIPAA / PCI-DSS / SOX / etc. — populates audit regulation_tags
audit_level                none / basic / detailed / comprehensive — drives audit-row detail and retention
sla_tier                   gold / silver / bronze — drives monitoring frequency and alert thresholds
data_residency             us / eu / asia-pacific / etc. — drives REGIONAL_ACCESS_LOCK template
owner_team, owner_email    Routing target for incidents
business_context           Plain-English description (≤500 chars). Used in SCCA prompt context and inventory search

AI / Agentic context (only meaningful for AI surfaces)

Field                      What it controls
ai_provider                openai / anthropic / bedrock / vertex / azure_openai / self_hosted
ai_model_family            Free-text family hint (gpt-4*, claude-3*, mistral-*)
mcp_protocol_version       Meaningful when resource_kind = mcp_server
agent_capabilities         tool_use / code_exec / file_io / web_browse / memory
pii_categories             names / emails / ssn / card_numbers / health_records / addresses
egress_destinations        Observed/declared upstream hostnames — drives EGRESS_ALLOWLIST template

Classification metadata (set by the system)

classification_source, classification_confidence, last_classified_at, tags — these are written by Auto-Classification and the manual Apply Classification action; you usually don't edit them by hand.

Step-by-step (Visual Builder)

  1. Open the Enrich modal. Settings → Resources → Manage Resources → click the resource → Enrich. (2 min)
  2. Fill the metadata fields. Use the field map above. The form validates owner_email (regex), business_context length (≤500), and requires at least one compliance tag when classification is confidential or restricted. (5 min)
  3. Save. The modal closes, the row updates in place (no full page reload), and an audit entry is written. (immediate)
  4. Review suggested controls. A panel appears with template suggestions tied to your enrichment. Click any one to open the Policy Builder pre-filled with ?template=<id>&resource_id=<n>. (2 min)
  5. Verify in the audit feed. Audit → Filter by resource = <name>. The newest row carries event_context.resource_snapshot.version = 1 with all the fields you set. (1 min)

Troubleshooting: Save succeeded but suggestions stayed empty? Refresh the inventory summary (Inventory tab → Refresh). Suggestions are deterministic on enrichment input; if a field you expect to drive a template is missing, set it and re-save.

Step-by-step (Bulk via API)

curl -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "data_classification":"confidential",
    "compliance_tags":["HIPAA","PCI-DSS"],
    "owner_team":"billing",
    "audit_level":"detailed",
    "ai_provider":"openai",
    "pii_categories":["card_numbers","emails"],
    "resource_kind":"llm_endpoint"
  }' \
  https://controlplane.example.com/api/resources/42/enrich

Returns 200 OK with the updated resource and an impacts array describing what changed. The Control Plane data feed picks up the new values on its next poll (default 30s).
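The form rules listed in the Visual Builder steps (owner_email format, business_context ≤500 characters, at least one compliance tag for confidential or restricted rows) apply to the API too, so a bulk script should check them before each PUT. The following is an added example, not Control Plane code: it mirrors those documented rules client-side and builds the request from the curl call above. The e-mail pattern and the exact enum handling are assumptions, since the page names the rules but not their implementation.

```python
import json
import re
import urllib.request

# Allowed values copied from the field map on this page. The e-mail regex is an
# assumption: the page says owner_email is regex-validated but gives no pattern.
RESOURCE_KINDS = {"api", "llm_endpoint", "mcp_server", "agent", "rag_index", "dataset", "tool"}
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}
AUDIT_LEVELS = {"none", "basic", "detailed", "comprehensive"}
SLA_TIERS = {"gold", "silver", "bronze"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ENUM_FIELDS = {"resource_kind": RESOURCE_KINDS, "data_classification": CLASSIFICATIONS,
               "audit_level": AUDIT_LEVELS, "sla_tier": SLA_TIERS}


def validate_enrichment(payload: dict) -> list:
    """Return the list of rule violations; an empty list means the payload passes."""
    errors = []
    for field, allowed in ENUM_FIELDS.items():
        if field in payload and payload[field] not in allowed:
            errors.append(f"{field}: {payload[field]!r} not in {sorted(allowed)}")
    if "owner_email" in payload and not EMAIL_RE.match(payload["owner_email"]):
        errors.append("owner_email: not a valid address")
    if len(payload.get("business_context", "")) > 500:
        errors.append("business_context: longer than 500 characters")
    # Confidential and restricted rows must carry at least one compliance tag.
    if payload.get("data_classification") in {"confidential", "restricted"} \
            and not payload.get("compliance_tags"):
        errors.append("compliance_tags: required for confidential/restricted classification")
    return errors


def build_enrich_request(base_url: str, resource_id: int, payload: dict, token: str):
    """Build (without sending) the PUT /api/resources/{id}/enrich request."""
    problems = validate_enrichment(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        f"{base_url}/api/resources/{resource_id}/enrich",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="PUT",
    )


if __name__ == "__main__":
    # Constructed sample matching the curl call on this page; token is a placeholder.
    sample = {"data_classification": "confidential", "compliance_tags": ["HIPAA", "PCI-DSS"],
              "owner_team": "billing", "audit_level": "detailed", "ai_provider": "openai",
              "pii_categories": ["card_numbers", "emails"], "resource_kind": "llm_endpoint"}
    req = build_enrich_request("https://controlplane.example.com", 42, sample, "TOKEN")
    print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req) when ready
```

Run validate_enrichment over every row of a bulk job first and fix rejected rows before sending; otherwise a single bad row interrupts the batch at the server's validation step.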

Where enrichment is consumed

Surface                                      What it reads
data.resources PIP feed (OPA)                Every field — Rego rules can reference any attribute
SCCA prompt context                          All operator-curated fields except owner_email (PII)
/resources/{id}/suggested-controls           resource_kind, data_classification, compliance_tags, pii_categories, agent_capabilities, egress_destinations, audit_level, sla_tier, data_residency
/resources/{id}/smart-suggestions            Same set, plus ai_provider
Audit event_context.resource_snapshot        All operator-curated fields except owner_email
Inventory Dashboard                          Aggregations across all fields

Troubleshooting: Authoring a Rego rule that reads data.resources[input.resource.id].pii_categories returns undefined? The data feed is updated only when at least one resource has the field set. Confirm via curl https://<control-plane>/api/resources/inventory-summary — if the field is missing in the response, the Bouncer hasn't loaded a snapshot that includes it yet (try Refresh on the Inventory tab to force a write that triggers a sync).

Next steps