๐ก๏ธ Policy Templates Guide
Control Core provides a comprehensive library of pre-built policy templates for common authorization scenarios, regulatory compliance, and industry-specific use cases. This guide will help you use and extend these templates effectively.
๐ Template Overview
Policy templates provide starting points for common authorization scenarios, allowing you to deploy secure policies quickly without writing Rego code from scratch.
๐ Control Templates shipped with every deployment
Control Core ships with a built-in library of Control Templates (policy templates) with every deployment. These templates are designed to help customers instantly bootstrap controls aligned to:
- AI governance and certification readiness (e.g., NIST AI RMF and Canadian AIDA)
- AI guardrails enforced with AI Pilot (prompt injection, input/output filtering, rate limiting, PII protection)
- Regulated industry requirements (privacy, healthcare, financial services)
Each category below matches the same grouping you see in the Control Plane UI.
This catalog is generated from the templates shipped with the platform. Each template is available in the Control Plane UI under Policies โ Templates after deployment.
nist-ai-rmf (NIST AI RMF)
| Control template | What it does / when itโs useful |
|---|---|
ai-accountability-framework | Accountability and responsibility framework for AI systems |
ai-bias-detection-mitigation | NIST AI RMF compliant bias detection and mitigation policy for AI/ML models |
ai-model-monitoring-drift-detection | Continuous monitoring and drift detection policy for AI/ML models aligned with NIST AI RMF |
ai-risk-assessment-classification | NIST AI RMF compliant risk assessment and classification policy for AI systems |
ai-security-resilience | Security and resilience controls for AI systems against attacks |
ai-system-validation-verification | Comprehensive validation and verification policy for AI systems before deployment |
ai-transparency-explainability | Policy ensuring AI decisions are transparent and explainable |
ai-trustworthiness-assessment | Assessment policy for AI system trustworthiness and reliability |
canadian-aida (Canadian AIDA)
| Control template | What it does / when itโs useful |
|---|---|
ai-data-governance-aida | Data governance policy aligned with AIDA requirements |
ai-harm-prevention-mitigation | Policy for preventing and mitigating AI-related harms |
ai-impact-assessment-requirements | Mandatory impact assessment requirements for AI systems |
ai-system-accountability-reporting | Accountability and reporting requirements for AI systems |
high-impact-ai-system-assessment | Assessment policy for high-impact AI systems under Canadian AIDA |
canadian-ai-governance (Canadian AI Governance)
| Control template | What it does / when itโs useful |
|---|---|
algorithmic-impact-assessment | Comprehensive algorithmic impact assessment policy |
directive-automated-decision-making | Compliance with Canadian government directive on automated decision-making |
privacy-enhanced-ai-pipeda | AI systems with enhanced privacy protections aligned with PIPEDA |
responsible-ai-framework | Framework for responsible AI development and deployment |
treasury-board-ai-governance | AI governance aligned with Treasury Board guidelines |
ai-security (AI Security)
| Control template | What it does / when itโs useful |
|---|---|
ai-agent-audit-logging | Comprehensive audit logging for AI agent actions |
ai-agent-authorization | Authorization policy for AI agent actions |
ai-agent-boundary-enforcement | Enforce operational boundaries for AI agents |
ai-agent-data-protection | Policy to enforce data protection for AI Agents This policy ensures sensitive data is properly protected in AI agent implementations Deny by default, require explicit data protection measures |
ai-chat-data-protection | Policy to enforce data protection for Gen AI Chat systems This policy ensures sensitive data is properly protected in AI chat implementations Deny by default, require explicit data protection measures |
ai-collaboration-security | Policy to enforce collaboration security for AI tools This policy ensures secure collaboration when AI tools are used in team environments Deny by default, require explicit collaboration security measures |
ai-model-security | Policy to enforce AI model and agent security requirements This policy ensures AI models and agents operate within secure boundaries Allow AI model deployment if security requirements are met |
ai-rag-data-protection | Policy to enforce data protection for RAG (Retrieval-Augmented Generation) systems This policy ensures sensitive data is properly protected in RAG implementations Deny by default, require explicit data protection measures |
llm-input-sanitization | Sanitize and validate LLM inputs via Control Core Pilot PII redaction |
llm-output-filtering | Filter LLM outputs for sensitive information via Control Core Pilot |
llm-rate-limiting | Token and rate limiting for LLM API calls via Control Core Pilot |
pilot-token-budget-enforcement | Control Core Pilot: daily/monthly token limits per user (429 at AI Gateway) |
prompt-context-isolation | Isolate prompt contexts to prevent data leakage via Control Core Pilot |
prompt-injection-advanced | Advanced prompt injection prevention via Control Core Pilot |
prompt-jailbreak-detection | Detect and prevent LLM jailbreak attempts via Control Core Pilot prompt guard |
rag-access-control | Access control for RAG system queries and data |
rag-data-protection-pii | Protect PII in RAG system retrievals and responses |
rag-data-source-validation | Validate and control RAG data sources |
compliance (Privacy & Compliance)
| Control template | What it does / when itโs useful |
|---|---|
ccpa-non-discrimination | Prevent discrimination for exercising CCPA rights |
ccpa-opt-out-sale | Manage CCPA opt-out of personal information sale |
ccpa-right-to-delete | Enforce CCPA right to deletion |
ccpa-right-to-know | Implement CCPA right to know about data collection |
fintrac-aml-monitoring | FINTRAC AML monitoring requirements for customer onboarding, transaction surveillance, and reporting compliance |
fintrac-str-triggers | FINTRAC Suspicious Transaction Report (STR) triggers monitoring and reporting for Canadian financial institutions |
gdpr-consent-management | Manage user consent for data processing |
gdpr-cross-border-transfer | Control cross-border personal data transfers |
gdpr-data-minimization | Enforce data minimization principles |
gdpr-data-portability | Enable GDPR data portability rights |
gdpr-data-protection | GDPR Data Protection Policy Ensures compliance with GDPR data protection requirements Default deny |
gdpr-right-to-erasure | Implement GDPR right to be forgotten/erasure |
hipaa-authorization-tracking | Track and validate HIPAA authorizations |
hipaa-breach-notification | Automate HIPAA breach notification requirements |
hipaa-business-associate | Control business associate access to PHI |
hipaa-healthcare-privacy | HIPAA Healthcare Privacy Policy Ensures compliance with HIPAA healthcare privacy requirements Default deny |
hipaa-minimum-necessary | Enforce minimum necessary access to PHI |
hipaa-patient-rights | Enforce HIPAA patient rights (access, amendment, accounting) |
kyc-verification | KYC (Know Your Customer) verification requirements for Canadian financial institutions under FINTRAC and OSFI guidelines |
phipa-circle-of-care | PHIPA Circle of Care model for Ontario healthcare provider access to patient records |
phipa-consent-directives | PHIPA consent directives and substitute decision-maker (SDM) rules for Ontario healthcare |
phipa-substitute-decision-maker | PHIPA substitute decision-maker hierarchy for incapable patient health information decisions |
pipeda-access-rights | PIPEDA Principle 9 - Individual right to access personal information held by organizations |
pipeda-accountability | PIPEDA Principle 1 - Organizational accountability for privacy protection programs |
pipeda-breach-notification | PIPEDA breach notification requirements for privacy breaches creating real risk of significant harm |
pipeda-consent-principles | PIPEDA consent principles for collection, use, and disclosure of personal information in Canada |
pipeda-cross-border-safeguards | PIPEDA cross-border data transfer safeguards and accountability for foreign processing |
soc2-access-control | SOC 2 Trust Services Criteria - Common Criteria 6 (CC6) logical and physical access controls |
soc2-change-management | SOC 2 Common Criteria 8 (CC8) change management controls for system modifications |
soc2-monitoring-logging | SOC 2 Common Criteria 7 (CC7) system monitoring, logging, and incident response |
data-governance (Data Governance)
| Control template | What it does / when itโs useful |
|---|---|
anonymization-policy | Irreversible data anonymization for analytics |
attribute-based-access-control | Fine-grained access control based on attributes |
automated-data-archival | Automatic archival of data based on retention rules |
automated-data-classification | Automatic classification of data based on content |
backup-retention-policy | Control retention of data backups |
column-level-security | Column-level access control for sensitive fields |
confidential-data-handling | Special handling for confidential data |
data-access-audit | Comprehensive auditing of data access |
data-deletion-policy | Automated deletion of data past retention period |
data-lineage-tracking | Track data lineage and transformations |
dynamic-data-masking | Real-time data masking based on user context |
format-preserving-encryption | Encryption that maintains data format |
legal-hold-management | Manage legal holds on data deletion |
need-to-know-access | Enforce need-to-know principles for data access |
pii-detection-classification | Detect and classify personally identifiable information |
retention-policy-enforcement | Enforce organizational data retention policies |
row-level-security | Row-level access control for databases |
sensitivity-label-enforcement | Enforce access based on data sensitivity labels |
static-data-masking | Static data masking for non-production environments |
tokenization-policy | Tokenization for sensitive data protection |
security-controls (Security Controls)
| Control template | What it does / when itโs useful |
|---|---|
adaptive-mfa | Risk-based adaptive MFA enforcement |
api-authentication-oauth2 | OAuth 2.0 authentication for APIs |
api-input-validation | Validate and sanitize API inputs |
api-quota-management | Manage API usage quotas per client |
api-rate-limiting-throttling | Comprehensive API rate limiting |
api-threat-detection | Detect and block API-based threats |
authentication-rate-limiting | Rate limiting for authentication attempts |
biometric-authentication | Control biometric authentication usage |
continuous-verification | Continuous trust verification for access |
device-trust-assessment | Assess and verify device trustworthiness |
dynamic-role-assignment | Context-based dynamic role assignment |
emergency-access-override | Controlled emergency access override with audit |
hierarchical-rbac | Hierarchical role inheritance for access control |
least-privilege-access | Enforce least privilege principle |
micro-segmentation | Enforce network micro-segmentation |
passwordless-authentication | Enforce passwordless authentication methods |
permission-review-certification | Periodic review and certification of permissions |
separation-of-duties | Enforce separation of duties policies |
session-timeout-management | Manage session timeouts based on risk |
zero-trust-network-access | Never trust, always verify network access |
jit-access (Just-in-Time Access)
| Control template | What it does / when itโs useful |
|---|---|
approval-based-jit | JIT access requiring manager approval |
automated-privilege-revocation | Automatic revocation of JIT privileges |
emergency-break-glass | Emergency access with enhanced monitoring |
jit-audit-logging | Comprehensive audit logging for JIT access |
jit-mfa-requirement | Require MFA for all JIT access requests |
on-demand-account-provisioning | Just-in-time account creation and provisioning |
privilege-escalation-control | Control and monitor privilege escalation |
privileged-session-monitoring | Real-time monitoring of privileged sessions |
temporary-elevated-access | Grant temporary elevated privileges with time limits |
time-bound-access-windows | Restrict access to specific time windows |
industry-frameworks (Industry Frameworks)
| Control template | What it does / when itโs useful |
|---|---|
cis-controls-basic-hygiene | Basic cyber hygiene controls from CIS |
fedramp-boundary-protection | Boundary protection for FedRAMP compliance |
fedramp-incident-response | Incident response per FedRAMP requirements |
iso27001-access-control | Access control aligned with ISO 27001 |
iso27001-cryptography | Cryptographic controls per ISO 27001 |
nist-csf-detect | Detection controls per NIST CSF |
nist-csf-identify | Asset and risk identification per NIST CSF |
nist-csf-protect | Protective controls per NIST CSF |
pci-dss-cardholder-data | Protect cardholder data per PCI-DSS requirements |
pci-dss-network-segmentation | Network segmentation for cardholder data environment |
cloud-security (Cloud Security)
| Control template | What it does / when itโs useful |
|---|---|
cloud-data-encryption | Encryption controls for cloud data |
cloud-iam-best-practices | Enforce cloud IAM security best practices |
cloud-infrastructure-security | Policy to enforce cloud infrastructure security requirements This policy ensures comprehensive security across cloud environments Allow cloud resource access if security requirements are met |
cloud-workload-protection | Protect cloud workloads and containers |
multi-cloud-security-posture | Consistent security across multiple clouds |
serverless-security | Security controls for serverless functions |
open-banking (Open Banking & Financial)
| Control template | What it does / when itโs useful |
|---|---|
fdx-compliance | Policy to enforce FDX (Financial Data Exchange) compliance requirements This policy ensures compliance with open banking standards and data sharing protocols Allow data sharing if FDX compliance requirements are met |
open-banking-api-security | Secure open banking APIs |
open-banking-consent | Manage open banking consent and permissions |
strong-customer-authentication | Enforce strong customer authentication |
third-party-provider-access | Control third-party provider access to banking data |
transaction-risk-analysis | Real-time transaction risk assessment |
ai-governance (AI Governance)
| Control template | What it does / when itโs useful |
|---|---|
ai-accountability-framework | Policy to establish AI system accountability framework This policy ensures clear accountability for AI system decisions and actions Deny by default, require explicit accountability |
ai-decision-transparency | AI Decision Transparency Policy Ensures AI decisions are transparent and explainable Default allow with transparency requirements |
ai-ethics-compliance | Policy to enforce AI ethics and responsible AI practices This policy ensures AI systems operate within ethical boundaries Deny by default, require explicit ethical compliance |
ai-model-approval | AI model approval and model access control via Control Core Pilot |
pilot-model-access-control | Control Core Pilot: who can call which LLM model (403 at AI Gateway) |
ai-tools (AI Tools & Real-Time Context)
| Control template | What it does / when itโs useful |
|---|---|
ai-agent-real-time-context | AI Agent real-time context; use with Control Core Pilot for agent LLM traffic governance |
ai-tools-integration-context | AI tools integration with real-time context; use with Control Core Pilot for LLM governance |
rag-system-real-time-context | RAG system real-time context; use with Control Core Pilot for LLM and data access governance |
platform-orchestration (Platform Orchestration)
| Control template | What it does / when itโs useful |
|---|---|
feature-orchestration-control | Policy for feature orchestration control in platform environments This policy enables fine-grained control over feature access and orchestration based on user roles, business context, and platform capabilities |
vendor-service-access-control | Policy for platform orchestration with vendor service access control This policy enables platform owners to control access to external vendor services based on company IAM groups and roles without manual cloud infrastructure management |
network-security (Network Security)
| Control template | What it does / when itโs useful |
|---|---|
microservice-security | Policy to enforce network endpoint and microservice security requirements This policy ensures secure communication between microservices and network endpoints Allow microservice communication if security requirements are met |
collaboration (Collaboration Security)
| Control template | What it does / when itโs useful |
|---|---|
sharing-tool-behavior | Policy to enforce collaboration and sharing tool behavior requirements This policy ensures secure and compliant use of collaboration tools Allow file sharing if security requirements are met |
ai-adversarial-pbac
| Control template | What it does / when itโs useful |
|---|---|
agentic-ai-offensive-use-restriction | Agentic AI Offensive Use Restriction โ Restricts use of AI with expert cybersecurity/offensive personas for vulnerability analysis or targeted attack tooling. |
ai-recon-osint-restriction | AI Reconnaissance and OSINT Restriction โ Restricts use of AI for target profiling, credential/email enumeration, and OSINT that supports phishing or intrusion. |
api-key-anomaly-response | API Key Anomaly Response โ Requires step-up auth or blocks access when usage pattern suggests API key compromise (e.g. key stolen via vulnerable AI stack). |
bulk-extraction-rate-limit | Bulk Extraction Pattern Rate Limit โ Rate-limits or flags users/API keys that exhibit bulk extraction patterns (many similar prompts, high volume) to mitigate distillation. |
cross-language-reasoning-extraction-flag | Cross-Language Reasoning Extraction Flag โ Flags or denies prompts that coerce reasoning/thinking output in non-primary languages (extraction campaign pattern). |
data-exfiltration-tooling-restriction | Data Exfiltration Tooling Restriction โ Denies AI assistance for developing or debugging tools used for data exfiltration, C2, or post-compromise data theft. |
email-account-enumeration-block | Email / Account Enumeration Block โ Blocks AI use to enumerate official emails, account identifiers, or contact details for specific entities (used for phishing targeting). |
information-operations-content-restriction | Information Operations Content Restriction โ Restricts bulk generation of political satire, propaganda, or IO-style content for influence campaigns. |
jailbroken-unauthorized-api-block | Jailbroken / Unauthorized API Proxy Block โ Denies or flags traffic from known jailbreak services or underground API proxies (e.g. Xanthorox). |
llm-malware-backend-block | LLM-as-Malware-Backend Block โ Blocks API requests that use the LLM to generate code or instructions functioning as malware components (downloader, launcher). |
malicious-code-auditing-restriction | Malicious Code Auditing Restriction โ Restricts creation or use of AI-integrated code-auditing capabilities when the stated use is for intrusion or offensive operations. |
malicious-code-generation-block | Malicious Code Generation Block โ Blocks prompts that request code to download and execute remote payloads, load assemblies in memory, or implement C2/malware patterns. |
mcp-agent-human-quota-tiering | MCP Agent vs Human Distinction - Applies stricter quota tiers for AI agents than human users. |
mcp-arguments-injection-block | MCP Line Jumping and Injection Block - Rejects MCP/A2A calls containing SSRF, traversal, or SQL/script injection indicators in arguments. |
mcp-penetration-tool-abuse-restriction | MCP / Penetration Tool Abuse Restriction โ Restricts use of MCP or penetration tools (e.g. Hexstrike) for offensive testing against named targets without authorization. |
mcp-trusted-server-allowlist | MCP Trusted Supply Chain Allowlist - Permits MCP/A2A calls only to trusted server URLs from PIP metadata. |
mcp-user-identity-required | MCP User Identity Persistence - Allows MCP/A2A calls only when verified end-user claims are present. |
model-extraction-distillation-detection | Model Extraction / Distillation Detection โ Detects and blocks systematic high-volume API usage aimed at extracting or cloning model capabilities (knowledge distillation). |
persona-scenario-social-engineering-block | Persona / Scenario Generation for Social Engineering Block โ Denies generation of engagement scenarios or personas derived from target biographies. |
phishing-kit-credential-harvest-block | Phishing Kit / Credential Harvest UI Block โ Blocks or flags use of AI to generate credential harvest forms, recovery flows, or crypto-exchange-style phishing kit components. |
phishing-lure-generation-restriction | Phishing Lure and Rapport-Building Content Restriction โ Restricts AI from generating hyper-personalized phishing lures or rapport-building dialogue. |
reasoning-trace-coercion-prevention | Reasoning Trace Coercion Prevention โ Blocks prompts that force the model to output full internal reasoning or thinking content in a specific language. |
shared-ai-content-command-abuse | Shared AI Content Command Abuse (ClickFix) Prevention โ Restricts creation or sharing of AI-generated content that contains copy-paste commands that could deliver malware. |
targeted-vulnerability-research-block | Targeted Vulnerability Research Block โ Denies AI-assisted vulnerability research (RCE, WAF bypass, SQLi) when directed at specific named targets without authorization. |
ai-prompt-security
| Control template | What it does / when itโs useful |
|---|---|
pilot-content-safety-harm-thresholds | Control Core Pilot: content safety harm thresholds and block/redact/annotate |
prompt-injection-prevention | Prompt injection prevention via Control Core Pilot prompt guard |
ai-risk-management
| Control template | What it does / when itโs useful |
|---|---|
ai-bias-detection | AI bias detection and mitigation (NIST); use with Control Core Pilot for model access |
api-gateway
| Control template | What it does / when itโs useful |
|---|---|
business-case-access-control | Policy for business case access control in API Gateway environments This policy handles complex business scenarios with fine-grained access controls for different business cases and use cases |
complex-api-access-control | Policy for complex API Gateway access control scenarios This policy handles fine-grained access controls for internal and external parties with various business case access requirements |
api-security
| Control template | What it does / when itโs useful |
|---|---|
api-governance | Policy to enforce API security and governance requirements This policy ensures APIs are secure, well-governed, and compliant Allow API access if security requirements are met |
canadian-financial-regulation
| Control template | What it does / when itโs useful |
|---|---|
amf-quebec-financial-oversight | AMF Quebec financial institution oversight and Bill 96 French language compliance requirements |
canadian-data-residency | Canadian data residency and sovereignty requirements ensuring customer data remains in Canada |
crypto-asset-custody-controls | Crypto asset custody and wallet security controls for Canadian Virtual Asset Service Providers (VASPs) |
financial-market-abuse-prevention | Market abuse and insider trading prevention controls for Canadian securities firms and investment dealers |
fintrac-beneficial-ownership | FINTRAC Beneficial Ownership identification and verification for corporate and trust accounts |
fintrac-high-risk-jurisdiction | FINTRAC High-Risk Jurisdiction monitoring and enhanced due diligence for international transactions |
fintrac-travel-rule-compliance | FINTRAC Travel Rule compliance for virtual asset transfers โฅ$1,000 CAD requiring originator/beneficiary information |
fsra-ontario-consumer-protection | FSRA Ontario consumer protection and fair treatment requirements for insurance and financial services |
open-banking-consumer-consent | Canadian Open Banking consumer consent framework for financial data sharing with fintechs and third parties |
osfi-b10-third-party-risk | OSFI Guideline B-10 Outsourcing and Third-Party Risk Management for Canadian FRFIs |
osfi-b13-technology-cyber-risk | OSFI Guideline B-13 Technology and Cyber Risk Management compliance for Canadian financial institutions |
osfi-d11-data-governance | OSFI Guideline D-11 Data Governance and Quality Management for regulatory reporting excellence |
osfi-e21-operational-risk | OSFI Guideline E-21 Operational Risk Management framework for Canadian financial institutions |
osfi-incident-response-breach | OSFI incident response and breach notification with PIPEDA privacy breach requirements for Canadian FRFIs |
payments-canada-oversight | Payments Canada oversight and Real-Time Rail (RTR) compliance for payment system participants |
data-security
| Control template | What it does / when itโs useful |
|---|---|
data-lake-security | Policy to enforce data lake and data store security requirements This policy ensures comprehensive data protection across storage systems Allow data access if security requirements are met |
pii-management
| Control template | What it does / when itโs useful |
|---|---|
data-masking-banking-compliance | Policy to enforce data masking for banking compliance requirements This policy implements Basel III, SOX, PCI-DSS, and international banking standards Deny by default, require explicit compliance verification |
data-masking-conditional | Policy to enforce conditional data masking for PII This policy masks sensitive data based on multiple conditions (time, identity, location, context) Allow access by default, but apply masking rules |
data-masking-financial-sensitive | Policy to enforce data masking for financial sensitive information This policy implements real-world banking security frameworks and compliance requirements Deny by default, require explicit masking rules |
data-masking-identity-based | Policy to enforce identity-based data masking for PII This policy masks sensitive data based on user identity, roles, and clearance levels Allow access by default, but apply masking rules |
data-masking-location-based | Policy to enforce location-based data masking for PII This policy masks sensitive data based on user location, network, and geographic restrictions Allow access by default, but apply masking rules |
data-masking-time-based | Policy to enforce time-based data masking for PII This policy masks sensitive data based on time conditions (business hours, after hours, etc.) Allow access by default, but apply masking rules |
security
| Control template | What it does / when itโs useful |
|---|---|
multi-factor-authentication | Policy to enforce Multi-Factor Authentication (MFA) requirements This policy ensures MFA is required for sensitive operations and resources Deny by default, require MFA verification |
role-based-access-control | Policy to enforce Role-Based Access Control (RBAC) This policy ensures users can only access resources based on their assigned roles Deny by default, require explicit role-based authorization |
zero-trust-architecture | Policy to enforce Zero Trust Architecture principles This policy implements the "never trust, always verify" principle Deny by default, require explicit verification |
smart-policy-wizard
| Control template | What it does / when itโs useful |
|---|---|
intelligent-policy-builder | Intelligent Policy Builder - Context-aware policy generation This policy template provides intelligent suggestions and auto-completion for policy creation based on resource analysis and PIP data |
template-manager
| Control template | What it does / when itโs useful |
|---|---|
policy-template-registry | Policy Template Registry - Centralized management of all policy templates This policy ensures all policy template capabilities are managed in one location Deny by default, require explicit template registration |
Benefits of Using Templates
- Faster Deployment: Start with proven patterns
- Best Practices: Templates follow security and compliance best practices
- Tested: All templates include comprehensive test cases
- Customizable: Easy to modify for your specific needs
- Compliant: Compliance templates follow regulatory requirements
Template Categories
- API Protection - Secure REST APIs and microservices
- Financial Compliance - FINTRAC, OSFI, AML, FinCEN regulations
- Healthcare Compliance - HIPAA, PHIPA requirements
- Data Protection - GDPR, PCI-DSS, SOC 2
- AI/LLM Control - AI agent, LLM, and RAG system policies
- Access Control - RBAC, ABAC, time-based, geo-location
- Enterprise Patterns - Resource ownership, organizational access
๐ Using Templates
Browsing Templates
In Policy Administration Console:
- Navigate to Policies โ Templates
- Browse by category or search
- Click template to preview
Via API:
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://api.controlcore.yourcompany.com/api/v1/templates
Applying a Template
Method 1: Through Console
- Click Policies โ Create from Template
- Select template (e.g., "FINTRAC Large Cash Transaction")
- Click Use This Template
- Customize variables and parameters
- Save and deploy
Method 2: Via API
curl -X POST https://api.controlcore.yourcompany.com/api/v1/policies/from-template \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"template_id": "fintrac-lctr",
"name": "Production FINTRAC LCTR Policy",
"parameters": {
"threshold_amount": 10000,
"threshold_currency": "CAD"
},
"environment": "sandbox"
}'
๐ Template Catalog
Financial Compliance Templates
FINTRAC Large Cash Transaction Report (LCTR)
Template ID: fintrac-lctr
Description: Implements FINTRAC requirements for reporting cash transactions over CAD $10,000
Parameters:
threshold_amount(number): Reporting threshold (default: 10000)threshold_currency(string): Currency code (default: "CAD")allowed_roles(array): Roles that can process transactions
Template Code:
package fintrac.lctr
import rego.v1
default allow := false
default requires_lctr := false
# Configuration
threshold_amount := {{threshold_amount}}
threshold_currency := "{{threshold_currency}}"
allowed_roles := {{allowed_roles}}
# FINTRAC: Large Cash Transaction Reporting
requires_lctr if {
input.transaction.amount >= threshold_amount
input.transaction.currency == threshold_currency
input.transaction.type in ["cash", "cash_equivalent"]
}
allow if {
# User must be authorized and trained
input.user.roles[_] in allowed_roles
input.user.attributes.fintrac_certified == true
# Required transaction details present
input.transaction.customer_id != null
input.transaction.conductor_id != null
input.transaction.purpose != null
input.transaction.source_of_funds != null
# Create LCTR if required
log_lctr_requirement if requires_lctr
}
log_lctr_requirement if {
# Creates audit log entry for LCTR filing
true
}
Use Case: Banks, credit unions, money service businesses in Canada
FINTRAC Suspicious Transaction Report (STR)
Template ID: fintrac-str
Description: Detects and handles suspicious transaction patterns
Template Code:
package fintrac.str
import rego.v1
default allow := false
# STR Detection Indicators
str_indicators[indicator] if {
# Structuring: Multiple transactions under threshold
recent := data.transactions_30days[input.transaction.customer_id]
near_threshold := [t |
t := recent[_]
t.amount >= 9000
t.amount < 10000
]
count(near_threshold) >= 3
indicator := {
"type": "structuring",
"severity": "high",
"description": "Multiple transactions just under reporting threshold",
"transactions": near_threshold
}
}
str_indicators[indicator] if {
# Rapid funds movement
input.transaction.type == "wire_transfer"
input.transaction.time_since_receipt_hours < 24
input.transaction.immediate_withdrawal == true
indicator := {
"type": "rapid_funds_movement",
"severity": "high",
"description": "Funds received and immediately withdrawn"
}
}
str_indicators[indicator] if {
# Unusual transaction pattern
customer := data.customers[input.transaction.customer_id]
input.transaction.amount > (customer.average_transaction * 10)
indicator := {
"type": "unusual_amount",
"severity": "medium",
"description": "Transaction amount significantly higher than normal"
}
}
# Block suspicious transactions for compliance review
allow if {
count(str_indicators) == 0
}
allow if {
count(str_indicators) > 0
input.user.roles[_] == "compliance-officer"
input.transaction.str_review_completed == true
input.transaction.str_filed == true
}
OSFI Segregation of Duties
Template ID: osfi-segregation-duties
Description: Implements OSFI Guideline B-10 segregation of duties requirements
Parameters:
conflicting_pairs(array): Pairs of conflicting roles
Template Code:
package osfi.segregation
import rego.v1
default allow := false
# Conflicting duty pairs (customizable)
conflicting_duty_pairs := {{conflicting_pairs}}
has_conflicting_duties if {
some pair in conflicting_duty_pairs
pair[0] in input.user.roles
pair[1] in input.user.roles
}
# Deny if user has conflicting duties
allow if {
not has_conflicting_duties
input.user.roles[_] in authorized_roles[input.action.name]
}
# Dual authorization for high-value transactions
allow if {
input.transaction.amount >= 100000
count(input.transaction.approvers) >= 2
input.user.id in input.transaction.approvers
input.user.roles[_] in ["senior-manager", "vp", "c-level"]
}
Default Parameters:
{
"conflicting_pairs": [
["transaction-initiator", "transaction-approver"],
["payment-creator", "payment-approver"],
["account-opener", "account-approver"],
["maker", "checker"]
]
}
AML Know Your Customer (KYC)
Template ID: aml-kyc
Description: Implements AML KYC verification requirements for US and Canada
Template Code:
package aml.kyc
import rego.v1
default allow := false
# AML: Customer Due Diligence
allow if {
customer := data.customers[input.resource.attributes.customer_id]
# Basic KYC complete
customer.kyc_status == "verified"
customer.identity_verified == true
# Four key elements present
customer.name != null
customer.date_of_birth != null
customer.address != null
customer.identification_number != null
# KYC is current (less than 12 months old)
kyc_age_days := (time.now_ns() - time.parse_rfc3339_ns(customer.kyc_date)) / (24 * 60 * 60 * 1000000000)
kyc_age_days < 365
# Risk-based requirements satisfied
risk_requirements_met(customer)
}
risk_requirements_met(customer) if {
customer.risk_level == "low"
}
risk_requirements_met(customer) if {
customer.risk_level == "medium"
customer.source_of_funds_verified == true
}
risk_requirements_met(customer) if {
customer.risk_level == "high"
customer.enhanced_due_diligence == true
customer.beneficial_owner_identified == true
customer.source_of_wealth_verified == true
}
# PEP (Politically Exposed Person) handling
allow if {
customer := data.customers[input.resource.attributes.customer_id]
customer.pep_status == true
customer.enhanced_due_diligence == true
customer.senior_management_approval == true
input.user.roles[_] == "compliance-officer"
}
# Sanctions screening
allow if {
customer := data.customers[input.resource.attributes.customer_id]
not customer.id in data.sanctions_lists.ofac
not customer.id in data.sanctions_lists.un
screening_current(customer.last_screening_date)
}
screening_current(date) if {
age_days := (time.now_ns() - time.parse_rfc3339_ns(date)) / (24 * 60 * 60 * 1000000000)
age_days < 30 # Re-screen monthly
}
FinCEN Currency Transaction Report (CTR)
Template ID: fincen-ctr
Description: Implements FinCEN CTR requirements for USD $10,000+ transactions
Template Code:
package fincen.ctr
import rego.v1
default allow := false
default requires_ctr := false
# FinCEN: CTR required for $10,000+ cash transactions
requires_ctr if {
input.transaction.amount >= 10000
input.transaction.currency == "USD"
input.transaction.type in ["cash", "deposit", "withdrawal", "exchange"]
}
allow if {
input.user.roles[_] in ["teller", "financial-officer", "compliance-officer"]
# CTR requirements
input.transaction.customer_identified == true
input.transaction.conductor_identified == true
# Multiple person rule (>$10,000)
multiple_persons_handled if requires_ctr
}
multiple_persons_handled if {
# If multiple persons conducting, document all
count(input.transaction.conductors) > 1
every conductor in input.transaction.conductors {
conductor.identified == true
conductor.id_verified == true
}
}
# File CTR if required
allow if {
requires_ctr
input.transaction.ctr_filed == true
input.transaction.ctr_number != null
}
Healthcare Compliance Templates
HIPAA Minimum Necessary Rule
Template ID: hipaa-minimum-necessary
Description: Implements HIPAA minimum necessary principle for PHI access
Parameters:
care_roles(array): Roles authorized for patient carenecessary_fields(object): Fields necessary by purpose
Template Code:
package hipaa.minimum_necessary
import rego.v1
default allow := false
# Care team roles
care_roles := {{care_roles}}
# Fields necessary for each purpose
necessary_fields := {{necessary_fields}}
# HIPAA: Access only minimum necessary PHI
allow if {
input.user.roles[_] in care_roles
# User is treating this patient
patient_id := input.resource.attributes.patient_id
care_team := data.patient_care_teams[patient_id]
input.user.id in care_team.members
# Purpose is documented and valid
input.context.purpose_of_use in ["treatment", "payment", "healthcare-operations"]
# Fields requested are necessary for purpose
requested := input.query.fields
necessary := necessary_fields[input.context.purpose_of_use]
every field in requested {
field in necessary
}
}
Default Parameters:
{
"care_roles": ["physician", "nurse", "medical-assistant", "pharmacist"],
"necessary_fields": {
"treatment": ["patient_id", "name", "dob", "diagnosis", "medications", "allergies", "vital_signs", "lab_results"],
"payment": ["patient_id", "name", "dob", "insurance_info", "billing_codes", "charges", "payment_history"],
"healthcare-operations": ["patient_id", "encounter_date", "provider_id", "facility", "department"]
}
}
API Protection Templates
API Key Authentication
Template ID: api-key-auth
Description: Basic API key authentication
Template Code:
package api.key_auth
import rego.v1
default allow := false
# API key authentication
allow if {
api_key := input.request.headers["X-API-Key"]
api_key != null
# Verify API key
key_info := data.api_keys[api_key]
key_info != null
key_info.active == true
key_info.expiry > time.now_ns()
# Check rate limiting
rate_limit_ok(key_info.key_id)
}
rate_limit_ok(key_id) if {
usage := data.api_key_usage[key_id]
usage.requests_last_hour < 1000
}
OAuth 2.0 Token Validation
Template ID: oauth-token-validation
Description: Validate OAuth 2.0 Bearer tokens
Template Code:
package api.oauth
import rego.v1
default allow := false
# OAuth token validation
allow if {
auth_header := input.request.headers["Authorization"]
startswith(auth_header, "Bearer ")
token := trim_prefix(auth_header, "Bearer ")
token_valid(token)
}
token_valid(token) if {
# Decode and verify JWT
payload := io.jwt.decode(token)[1]
# Check expiration
payload.exp > time.now_ns() / 1000000000
# Check issuer
payload.iss == "https://auth.yourcompany.com"
# Check audience
payload.aud == "https://api.yourcompany.com"
# Check scopes
required_scope := input.resource.required_scope
required_scope in payload.scopes
}
Data Protection Templates
GDPR Right to Access
Template ID: gdpr-right-to-access
Description: Implements GDPR Article 15 (Right to Access)
Template Code:
package gdpr.access
import rego.v1
default allow := false
# Data subject can access their own data
allow if {
input.action.name == "read"
input.resource.type == "personal_data"
input.resource.attributes.data_subject_id == input.user.id
}
# Data Protection Officer can access for compliance
allow if {
input.user.roles[_] == "data-protection-officer"
input.context.purpose == "compliance_review"
input.context.request_id != null
input.context.audit_enabled == true
}
# Support staff can access with customer consent
allow if {
input.user.roles[_] == "customer-support"
consent := data.customer_consents[input.resource.attributes.data_subject_id]
consent.support_access == true
consent.expiry > time.now_ns()
}
GDPR Right to Erasure
Template ID: gdpr-right-to-erasure
Description: Implements GDPR Article 17 (Right to be Forgotten)
Template Code:
package gdpr.erasure
import rego.v1
default allow := false
# Right to be forgotten
allow if {
input.action.name == "delete"
input.resource.type == "personal_data"
# Verify erasure request exists and is approved
erasure_request := data.erasure_requests[input.resource.attributes.data_subject_id]
erasure_request.status == "approved"
erasure_request.legal_grounds_verified == true
erasure_request.approved_by != null
# Only DPO can execute
input.user.roles[_] == "data-protection-officer"
# Check for legal obligations to retain
not legal_retention_required(input.resource)
}
legal_retention_required(resource) if {
# Tax records: 7 years
resource.attributes.category == "tax_record"
age_days := (time.now_ns() - time.parse_rfc3339_ns(resource.attributes.created_at)) / (24 * 60 * 60 * 1000000000)
age_days < 2555
}
legal_retention_required(resource) if {
# Employment records: 7 years after termination
resource.attributes.category == "employment_record"
employment_end := time.parse_rfc3339_ns(resource.attributes.employment_end_date)
age_since_end := (time.now_ns() - employment_end) / (24 * 60 * 60 * 1000000000)
age_since_end < 2555
}
PCI-DSS Cardholder Data Access
Template ID: pci-cardholder-data
Description: Restricts access to cardholder data per PCI-DSS requirements
Template Code:
package pci.cardholder_data
import rego.v1
default allow := false
# PCI-DSS Requirement 7: Restrict access based on need to know
allow if {
input.resource.attributes.contains_cardholder_data == true
# User must have documented business need
input.user.attributes.pci_access_justification != null
input.user.roles[_] in data.pci_authorized_roles
# Access from CDE (Cardholder Data Environment) only
input.context.network_segment == "cde"
# Strong authentication
input.user.attributes.mfa_verified == true
# Session timeout (15 minutes for PCI)
session_age := (time.now_ns() - time.parse_rfc3339_ns(input.context.session_start)) / 1000000000
session_age < 900
}
# PCI-DSS Requirement 8: No shared accounts
allow if {
input.user.id != null
not is_shared_account(input.user.id)
}
is_shared_account(user_id) if {
user_id in ["admin", "root", "service", "shared", "default"]
}
AI/LLM Templates
AI Agent Basic Access Control
Template ID: ai-agent-access
Description: Basic access control for AI agents with safety checks
Parameters:
allowed_roles(array): Roles authorized to use AImax_tokens(number): Maximum tokens per requestsafety_threshold(number): Minimum safety score (0-1)
Template Code:
package ai.agent
import rego.v1
default allow := false
# Configuration
allowed_roles := {{allowed_roles}}
max_tokens := {{max_tokens}}
safety_threshold := {{safety_threshold}}
# AI agent access with safety checks
allow if {
# User authorization
input.user.roles[_] in allowed_roles
input.user.attributes.ai_safety_trained == true
# Prompt safety
prompt_safe(input.context.prompt)
# Usage limits
within_limits(input.user.id)
# Token limit
input.request.max_tokens <= max_tokens
}
prompt_safe(prompt) if {
# Length check
count(prompt) > 0
count(prompt) < 8000
# No PII
not contains_pii(prompt)
# Safety score
input.context.safety_score > safety_threshold
# No injection attempts
not contains_injection(prompt)
}
contains_pii(text) if {
regex.match(`\d{3}-\d{2}-\d{4}`, text) # SSN
}
contains_pii(text) if {
regex.match(`\d{16}`, text) # Credit card
}
contains_injection(text) if {
lower_text := lower(text)
injection_keywords := ["ignore previous", "disregard", "jailbreak", "bypass"]
some keyword in injection_keywords
contains(lower_text, keyword)
}
within_limits(user_id) if {
usage := data.usage_stats[user_id]
usage.requests_today < 1000
usage.tokens_today < 500000
}
Default Parameters:
{
"allowed_roles": ["developer", "data-scientist", "ai-engineer"],
"max_tokens": 4096,
"safety_threshold": 0.85
}
LLM Content Filtering
Template ID: llm-content-filter
Description: Filter LLM responses for sensitive content
Template Code:
package ai.content_filter
import rego.v1
# Filter response content
filtered_response := masked if {
response := input.response.content
masked := apply_filters(response)
}
apply_filters(text) := result if {
# Step 1: Mask PII
step1 := mask_pii(text)
# Step 2: Remove sensitive keywords
step2 := remove_sensitive_keywords(step1)
# Step 3: Check compliance
result := ensure_compliant(step2)
}
mask_pii(text) := result if {
# Mask SSN
step1 := regex.replace(text, `\d{3}-\d{2}-\d{4}`, "***-**-****")
# Mask credit cards
step2 := regex.replace(step1, `\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}`, "****-****-****-****")
# Mask email addresses
step3 := regex.replace(step2, `([a-zA-Z0-9._%+-]+)@`, "***@")
# Mask phone numbers
result := regex.replace(step3, `\d{3}[-.]?\d{3}[-.]?\d{4}`, "***-***-****")
}
remove_sensitive_keywords(text) := result if {
sensitive := ["password", "api-key", "secret", "private-key", "token"]
result := replace_sensitive(text, sensitive)
}
ensure_compliant(text) := text if {
# Verify no regulatory violations
not contains(lower(text), "money laundering")
not contains(lower(text), "tax evasion")
}
Access Control Templates
Time-Based Access
Template ID: time-based-access
Description: Restrict access to business hours
Parameters:
business_hours_start(number): Start hour (0-23)business_hours_end(number): End hour (0-23)allowed_days(array): Allowed days (0-6, 0=Sunday)
Template Code:
package access.time_based
import rego.v1
default allow := false
# Configuration
business_hours_start := {{business_hours_start}}
business_hours_end := {{business_hours_end}}
allowed_days := {{allowed_days}}
# Business hours access
allow if {
input.user.roles[_] in ["employee", "contractor"]
is_business_hours
is_allowed_day
}
is_business_hours if {
[hour, _, _] := time.clock([time.now_ns()])
hour >= business_hours_start
hour < business_hours_end
}
is_allowed_day if {
weekday := time.weekday([time.now_ns()])
weekday in allowed_days
}
# After-hours access requires approval
allow if {
not is_business_hours
input.user.attributes.after_hours_approved == true
input.user.roles[_] in ["on-call", "manager", "admin"]
input.context.justification != null
}
Default Parameters:
{
"business_hours_start": 9,
"business_hours_end": 17,
"allowed_days": [1, 2, 3, 4, 5]
}
Resource Ownership
Template ID: resource-ownership
Description: Users can access only resources they own
Template Code:
package access.ownership
import rego.v1
default allow := false
# Users can access their own resources
allow if {
input.resource.attributes.owner_id == input.user.id
}
# Users can access resources in their team
allow if {
input.resource.attributes.team_id == input.user.attributes.team_id
input.action.name in ["read", "list"]
}
# Managers can access team members' resources
allow if {
input.user.roles[_] == "manager"
# Check if user manages resource owner
resource_owner := data.users[input.resource.attributes.owner_id]
resource_owner.manager_id == input.user.id
}
# Admin override
allow if {
input.user.roles[_] == "admin"
input.context.admin_justification != null
}
Row-Level Security
Template ID: row-level-security
Description: Filter database query results based on user permissions
Template Code:
package data.row_level_security
import rego.v1
# Filter visible rows
visible_rows[row] if {
some row in input.query.result
# User can see their own rows
row.owner_id == input.user.id
}
visible_rows[row] if {
some row in input.query.result
# User can see department rows
input.user.roles[_] in ["manager", "team-lead"]
row.department == input.user.department
}
visible_rows[row] if {
some row in input.query.result
# Admin can see all
input.user.roles[_] == "admin"
}
# Mask sensitive columns
masked_columns[column] := "***REDACTED***" if {
some column in sensitive_columns
not user_has_clearance_for_column(column)
}
sensitive_columns := ["ssn", "salary", "bank_account", "credit_card"]
user_has_clearance_for_column(column) if {
input.user.attributes.clearance_level >= 3
}
๐ Extending Templates
Customizing Templates
Step 1: Select and Copy Template
# Get template
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://api.controlcore.yourcompany.com/api/v1/templates/fintrac-lctr > template.json
# Extract Rego code
cat template.json | jq -r '.rego_code' > policy.rego
Step 2: Modify for Your Needs
# Original template
allow if {
input.transaction.amount >= 10000
input.transaction.currency == "CAD"
}
# Customized
allow if {
input.transaction.amount >= 10000
input.transaction.currency == "CAD"
# Add: Branch-specific rules
input.transaction.branch_id in authorized_branches
# Add: Additional validation
input.transaction.verified_by_manager == true
}
authorized_branches := ["branch-001", "branch-002", "branch-005"]
Step 3: Test Your Customization
# Add tests for custom rules
test_branch_restriction if {
not allow with input as {
"transaction": {
"amount": 15000,
"currency": "CAD",
"branch_id": "branch-999" # Unauthorized branch
}
}
}
Creating Custom Templates
Template Structure:
{
"id": "custom-compliance-template",
"name": "Custom Compliance Policy",
"description": "Organization-specific compliance requirements",
"category": "compliance",
"subcategory": "custom",
"parameters": [
{
"name": "threshold_amount",
"type": "number",
"required": true,
"default": 10000,
"description": "Transaction threshold for additional checks"
},
{
"name": "required_approvers",
"type": "number",
"required": true,
"default": 2,
"description": "Number of required approvers"
}
],
"rego_code": "...",
"test_cases": [...],
"documentation": "..."
}
Share Templates with Team:
- Create template in your policy repository
- Test thoroughly
- Document parameters and use cases
- Submit to template library
- Share with organization
๐ Template Best Practices
1. Parameterize Configurable Values
# Good: Parameterized
threshold := {{threshold_amount}} # Configurable
allowed_roles := {{allowed_roles}} # Configurable
allow if {
input.transaction.amount >= threshold
input.user.roles[_] in allowed_roles
}
# Bad: Hard-coded values
allow if {
input.transaction.amount >= 10000 # Hard to change
input.user.roles[_] == "admin" # Hard to customize
}
2. Include Comprehensive Tests
# Include tests for all scenarios
test_below_threshold_allowed if {
allow with input as {
"transaction": {"amount": 5000},
"user": {"roles": ["teller"]}
}
}
test_above_threshold_requires_approval if {
not allow with input as {
"transaction": {"amount": 15000},
"user": {"roles": ["teller"]}
}
}
test_approved_transaction_allowed if {
allow with input as {
"transaction": {"amount": 15000, "approved": true},
"user": {"roles": ["manager"]}
}
}
3. Document Purpose and Usage
package custom.template
import rego.v1
# Template: Custom Compliance Policy
# Purpose: Enforce organization-specific compliance requirements
# Owner: Compliance Team
# Last Updated: 2025-01-25
#
# Parameters:
# - threshold_amount: Transaction amount requiring additional review
# - required_approvers: Number of approvers for high-value transactions
#
# Compliance:
# - FINTRAC: Large transaction reporting
# - OSFI: Segregation of duties
# - Internal: Dual authorization policy
#
# Usage:
# 1. Set threshold_amount to your organization's limit
# 2. Configure required_approvers (typically 2 for high-value)
# 3. Deploy to sandbox for testing
# 4. Promote to production after validation
๐ง Template Catalog Reference
Complete Template List
Financial Compliance:
fintrac-lctr- Large Cash Transaction Reportingfintrac-str- Suspicious Transaction Reportingfintrac-third-party- Third Party Determinationosfi-segregation-duties- Segregation of Duties (B-10)osfi-outsourcing- Third-Party Access Control (B-10)aml-kyc- Know Your Customer Verificationaml-cdd- Customer Due Diligenceaml-edd- Enhanced Due Diligencefincen-ctr- Currency Transaction Reportfincen-sar- Suspicious Activity Reportfincen-cip- Customer Identification Programofac-screening- OFAC Sanctions Screening
Healthcare Compliance:
hipaa-minimum-necessary- Minimum Necessary Rulehipaa-break-glass- Emergency Accesshipaa-audit-log- Audit Logging Requirementsphipa-consent- Patient Consent Verification
Data Protection:
gdpr-right-to-access- Right to Access (Article 15)gdpr-right-to-erasure- Right to be Forgotten (Article 17)gdpr-purpose-limitation- Purpose Limitation (Article 5)gdpr-data-portability- Data Portability (Article 20)pci-cardholder-data- Cardholder Data Accesspci-encryption- Encryption Requirementssoc2-access-control- Access Control (CC6.1, CC6.2)
API Protection:
api-key-auth- API Key Authenticationapi-oauth- OAuth 2.0 Token Validationapi-jwt- JWT Token Validationapi-rate-limiting- Rate Limitingapi-ip-whitelist- IP Whitelisting
AI/LLM:
ai-agent-access- AI Agent Access Controlai-prompt-filter- Prompt Filteringai-content-filter- Response Content Filteringllm-context-aware- LLM Context-Aware Policyrag-authorization- RAG System Authorizationai-usage-limits- AI Usage Quotas
Access Control:
rbac-basic- Basic Role-Based Accessrbac-hierarchy- Role Hierarchyabac-attributes- Attribute-Based Accesstime-based-access- Time-Restricted Accessgeo-location- Geographic Restrictionsresource-ownership- Resource Ownershiprow-level-security- Database Row Filteringcolumn-masking- Sensitive Column Masking
๐งญ Quick Start with Templates
Example: Deploy FINTRAC Template
# 1. List available templates
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://api.controlcore.yourcompany.com/api/v1/templates?category=financial
# 2. Get FINTRAC LCTR template
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://api.controlcore.yourcompany.com/api/v1/templates/fintrac-lctr
# 3. Create policy from template
curl -X POST https://api.controlcore.yourcompany.com/api/v1/policies/from-template \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"template_id": "fintrac-lctr",
"name": "Production FINTRAC LCTR",
"parameters": {
"threshold_amount": 10000,
"threshold_currency": "CAD",
"allowed_roles": ["teller", "financial-advisor", "branch-manager"]
},
"environment": "sandbox"
}'
# 4. Test in sandbox
# Use Console UI or API to test
# 5. Promote to production
curl -X POST https://api.controlcore.yourcompany.com/api/v1/policies/123/promote \
-H "Authorization: Bearer YOUR_TOKEN"
๐ ๏ธ Troubleshooting
| Issue | What to check |
|---|---|
| Template not applying or validation fails | Ensure required parameters are set and match the template schema; check policy syntax in the editor. |
| Template missing from catalog | Confirm you have access to the template (e.g. subscription or bundle); refresh the template list. |
| Promotion or deployment fails | Verify Control Plane connectivity and API key; ensure policies are enabled and assigned to the correct resource/environment. |
For more, see the Troubleshooting Guide.
๐ Support
- User Guide: Learn to create policies
- Rego Guidelines: Master the policy language
- PBAC Best Practices: Advanced patterns
- Template Requests: Request new templates at support@controlcore.io
Start with templates, customize for your needs, and deploy secure policies faster!