
  1. Onboarding APIs.

  2. Onboarding Consumers.

GUIDELINES TO MERGE PR FOR API OR CONSUMER CREATIONS/UPDATES.

Review For API Onboarding

Anyone who is authorized to merge a PR for API-related changes must make sure that the following standards are met.

  • The API name correctly reflects the functionality of the API.

  • The request PATH and UPSTREAM URL are variablized and use the correct prefix for that service, as mentioned in this document.

  • It has the correct authorization, rate limits and request-size, as mentioned in this document.

  • It has the correct ACL and does not violate the roles and entities as mentioned in the table of this document.

  • Check whether the change affects the ACLs applied to consumers that are already onboarded, specifically external consumers. Make sure the ACL for the API does not give elevated permissions to existing consumers.

Review For Consumer Onboarding

Anyone who is authorized to merge a PR for CONSUMER-related changes must make sure that the following standards are met.

  • Make sure you have a list of all the consumers onboarded in the system and that they are tracked.

  • Any new consumer to be onboarded must be approved by higher authorities.

  • Make sure you analyze the risk of giving consumers access, and trust them solely with the ACLs you are attaching to them.

  • Never give an APP access to the SuperAdmin ACL.

  • Have your consumers categorized as mentioned in this document.

  • You must not give the SuperAdmin role to any consumer, whether internal or Application. Only in rare cases will we give consumers SuperAdmin roles, and only with approval from at least 2 higher authorities who are responsible for the environment.

  • Make sure you perform an audit of all the consumers every release and remove unused consumers.