Configuring governance in the API Manager

How to add custom governance rulesets to your API development process, to validate and enforce organizational governance policies and best practices in your provider organization.

Before you begin

One of the following roles is required to be able to configure governance:
  • Organization Administrator
  • Owner
  • Custom role with the Settings: Manage permission.

About this task

The governance service is an add-on to IBM® API Connect that can be used to validate and enforce organizational governance policies and best practices in your API development process. You configure governance by creating one or more custom rulesets that contain a collection of rules that can then be used to check Swagger, OpenAPI, and AsyncAPI documents, as well as product documents. You can also run validation scans on your catalogs and spaces; for more information, see Scanning your catalogs and spaces.

The governance service contains the following types of rulesets:
API
  • Provider organization rulesets - these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization for validating APIs.
  • Global rulesets - these are pre-configured IBM and Spectral rulesets that contain the rules that are shared with your provider organization for validating APIs, and cannot be edited. Note that the Spectral ruleset names are prefixed with spectral-, and that their version matches the version of that ruleset that's available in Spectral.
Product
  • Provider organization rulesets - these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization for validating products.
  • Global rulesets - these are pre-configured custom rulesets that contain the rules that are shared with your provider organization for validating products, and cannot be edited.

Governance in API Connect is based on the open source Spectral linter; for more information about Spectral, see https://docs.stoplight.io/docs/spectral/674b27b261c3c-overview.

Tags can be added to API rulesets that, when matched with the same tag in an API, help ensure that the appropriate rulesets are preselected for your validation scans. In this way, the governance process can be run more quickly and effectively. These preselected rulesets can be deselected from the scan if required.

Note:
  • Governance in API Connect supports the creation of custom rulesets that contain rules that use only the built-in Spectral core functions, as defined in https://docs.stoplight.io/docs/spectral/cb95cf0d26b83-core-functions. The use of custom functions, for example rules that use functions that you created yourself in JavaScript files, is not supported. Also note that the following Spectral OpenAPI rules aren't supported as they might identify false positives:
    • oas2-unused-definition
    • oas3-unused-component
  • Some of the Spectral rules within the Global rulesets contain the property recommended: false, which means that those rules are ignored during validation. However, if you create a new ruleset from one of these rulesets by using the Save as new ruleset option, the recommended property isn't transferred to the new ruleset. Therefore, all the rules are used in the validation, unless you delete those rules from the ruleset. The Spectral ruleset names are prefixed with spectral-.
  • Dereferencing, which means not introspecting a referenced definition within an API, is not supported in the governance service. Instead, a referenced object can be explicitly validated by using custom rules.
The following methods can be used to configure both API and product rulesets:

Procedure

  • To create a new API or product ruleset by using the API Manager or API Designer UI, complete the following steps.
    1. In the side menu bar, click The governance icon is the outline of a shield in white, on a black background. Governance.
      The Governance page is displayed.
    2. If you want to create an API ruleset, click the API tab. If you want to create a product ruleset, click the Product tab.
      The manage rulesets page is displayed.
    3. In the Provider organization rulesets section, click Add > Create from scratch.
      The Create provider organization ruleset wizard opens.
    4. Provide the following Ruleset info details.
      Property label Required Description Data type
      Title Yes A short descriptive name for the ruleset. This name is displayed in the list of global rulesets. String
      Name Yes An auto-generated, sluggified, string that is based on the title. It is not editable. String
      Version Yes The version number defaults to 1.0.0, but can be edited. You can have rulesets with the same name, but with different version numbers. The version number must be in the format major.minor.patch. String
      Description No An optional description of the ruleset. String
    5. Optional: For API rulesets, you can add one or more tags to your ruleset by clicking Add, and completing the tag Name and Description.
      Adding matching tags to your rulesets and APIs, means that validation scans can preselect which rulesets to use for the scan. However, you can override this preselection with rulesets of your choice. For information about how to add tags to APIs, see Adding tags to an API.
    6. Click Next, and then add an initial rule to your ruleset.
    7. Provide the following Rule info details.
      Property label Required Description Data type
      Title Yes A short descriptive name for the rule. String
      Name Yes An auto-generated, sluggified, string that is based on the title. It is not editable. String
      Description Yes A description of the rule. String
      Message No Provide a message to help users understand what the goal of the rule is. If no message is provided, the value of the Description property is used for the message output of the validation scan. String
      Severity Yes Select a severity level from the following options:
      • error
      • warn
      • info
      • hint
      • off
      error is selected by default.
      String
    8. In the Given section, specify one or more values for the parts of the API or product document to target. To add more values, click Add. Values must be written in JSONPath.
    9. In the Then section, specify the function type and options that will be used to evaluate the target values in the API or product document. Write this section in YAML syntax.
      In the following API rule example, for a Given value of $ (which means root level of the document), the Then section uses the Spectral core truthy function to check that the info.contact property value is not false, "", 0, null, or undefined.
      - field: info.contact
        function: truthy
      The Then section can also contain a list of functions to be applied to the Given part of the document. In the following API rule example, for a Given value of $.info.version (which refers to the version property inside the info property at the root level of the document), the Then section uses both the truthy function, and the Spectral core pattern function that checks that the info.value matches the regex expression that is given by functionOptions.match.
      - function: truthy
      - function: pattern
        functionOptions:
          match: "^[0-9]+.[0-9]+.[0-9]+(-[a-z0-9+.-]+)?"
      For a complete list of the Spectral core functions that you can use in your custom API rules, along with examples of these functions, see https://docs.stoplight.io/docs/spectral/cb95cf0d26b83-core-functions.
    10. Click Create to create your draft ruleset.
      Your draft ruleset opens in design form view. Note that you can switch to the OpenAPI YAML source view by clicking the Source icon OpenAPI Source icon. To return to the design form view, click the Form icon Form icon.
    11. You now have the following options:
      • You can continue to edit your ruleset. For example, you can add more rules by clicking the Create rule icon Small circle containing a plus sign for adding rules. alongside Rules in the navigation pane. Remember to click Save when you finish editing.
      • If you don't want to edit your ruleset further now, click Governance in the breadcrumb trail to return to the API governance overview page.
  • To import an existing API or product ruleset, complete the following steps. Remember that the rules in your imported ruleset can contain only built-in Spectral core functions, as defined in https://docs.stoplight.io/docs/spectral/cb95cf0d26b83-core-functions.
    1. In the side menu bar, click The governance icon is the outline of a shield in white, on a black background. Governance.
      The Governance page is displayed.
    2. If you want to create an API ruleset, click the API tab. If you want to create a product ruleset, click the Product tab.
      The manage rulesets page is displayed.
    3. In the Provider organization rulesets section, click Add > Import.
      The Import ruleset wizard opens.
    4. Drag a file into the Upload file box, or click in the Upload file box to select a file to upload. The maximum file size is 100 kb, and the supported file types are YAML, YML, and JSON.
    5. Click Next.
    6. Edit the Ruleset info details as required, and click Import.
      Your draft ruleset opens in design form view. Note that you can switch to the OpenAPI YAML source view by clicking the Source icon OpenAPI Source icon. To return to the design form view, click the Form icon Form icon.
    7. You now have the following options:
      • You can continue to edit your ruleset. For example, you can add more rules by clicking the Create rule icon Small circle containing a plus sign for adding rules. alongside Rules in the navigation pane. Remember to click Save when you finish editing.
      • If you don't want to edit your ruleset further now, click Governance in the breadcrumb trail to return to the API governance overview page.
  • To create an API or product ruleset by using the toolkit CLI, complete the following steps.
    1. Create a JSON file that contains the new ruleset.

      The following JSON shows the contents of an example API document Spectral ruleset file:

      {
          "name": "short-draft-ootb",
          "title": "short-draft-ootb",
          "description": "short ruleset",
          "ruleset_type": "custom",
          "tags": [
            {
              "name": "general",
              "description": "general work"
            }
          ]
          "rules": [
            {
              "name": "sec-array-boundaries-2",
              "description": "Array size should be limited to mitigate resource exhaustion attacks.\nThis can be done using `maxItems` and `minItems`, like in the example\nbelow.\n\n```\nLimited:\n  type: array\n  maxItems: 10\n  items:\n    type: string\n    format: date\n```\n\nYou should ensure that the schema referenced in  `items` is constrained too.\n\nIf you delegate input validation to a library or framework,\nbe sure to test it thoroughly and ensure that it verifies `maxItems`.",
              "message": "Schema of type array must specify maxItems and minItems. {{path}} {{error}}",
              "formats": [
                "oas3"
              ],
              "severity": "warn",
              "recommended": true,
              "given": [
                "$..[?(@.type==\"array\")]"
              ],
              "then": [
                {
                  "field": "maxItems",
                  "function": "defined"
                }
              ]
            }
          ]
        }
      The following JSON shows the contents of an example product document ruleset file:
      {
        "type": "ruleset",
        "ruleset_type": "custom",
        "api_version": "2.0.0",
        "id": "dbb5f400-e707-412e-b081-ac36f5afbbb9",
        "name": "test-product",
        "title": "Test Product",
        "description": "",
        "ruleset_version": "1.0.0",
        "ruleset_state": "draft",
        "ruleset_format_type": "2",
        "rule_urls": [
          "https://my.manager.com/governance/orgs/myorg/rulesets/1.0.0-test-product/rules/ca6ef7d9-a503-498e-8f53-4e3aa35d086b"
        ],
        "created_at": "2024-05-22T17:19:02.820Z",
        "updated_at": "2024-05-22T17:24:59.000Z",
        "url": "https://my.manager.com/governance/orgs/myorg/rulesets/dbb5f400-e707-412e-b081-ac36f5afbbb9",
        "rules": [
          {
            "api_version": "2.0.0",
            "id": "ca6ef7d9-a503-498e-8f53-4e3aa35d086b",
            "name": "subscribe",
            "version": "1.0.0",
            "title": "subscribe",
            "description": "subscribe enabled",
            "message": "subscribe not enabled",
            "given": [
              "$.visibility.subscribe.enabled"
            ],
            "severity": "error",
            "created_at": "2024-05-22T17:19:02.000Z",
            "updated_at": "2024-05-22T17:24:59.000Z",
            "url": "https://my.manager.com/governance/orgs/myorg/rulesets/1.0.0-test-product/rules/ca6ef7d9-a503-498e-8f53-4e3aa35d086b",
            "then": [
              {
                "function": "pattern",
                "functionOptions": {
                  "notMatch": "/true"
                }
              }
            ]
          }
        ]
      }
      
    2. Log in to the toolkit as the owner or admin of the provider organization that owns the new ruleset.
    3. Run the rulesets:create toolkit command in governance mode:
      apic -m governance rulesets:create --org <target_org> --server <server_url> RULESET_FILE
      Where:
      • <target_org> is the name of the organization that owns the new ruleset.
      • <server_url> is the management server URL that you use for logging in to the toolkit.
      • RULESET_FILE is the path and file name of the JSON file that contains the ruleset.

Results

Your draft API or product ruleset is now listed in the table of Provider organization rulesets.

What to do next

When you finish editing your ruleset, you can publish it to your provider organization. Click the options menu icon options menu icon of three vertical dots either next to the ruleset that you want to publish, or from within the ruleset viewer. Select Publish, and then click Publish again to confirm. The status of your ruleset changes from Draft to Published, and can now be used by developers to validate their API and product documents. For more information, see Validating an API document by using governance.

To validate an API or product document by using a published ruleset, click Validate, select the APIs or products to validate, then select the rulesets and rules that you want to use, and click Validate again. If the API that you want to validate includes a tag that has a matching tag in one or more rulesets, then those rulesets are automatically selected for the scan. However, you can edit the ruleset selection to your requirements. The results of the validation are displayed in a scorecard.

You can also run validation scans on your catalogs and spaces; for more information, see Scanning your catalogs and spaces.

Note:
  • After a ruleset is published, the ruleset information and rules can no longer be edited. If you need to update this information, you must create a new version by clicking the options menu icon options menu icon of three vertical dots either next to the ruleset that you want to edit, or from within the ruleset viewer, and selecting Save as new ruleset.