An application scope consists of one or more terms: [category, resource type, attribute, value]. The value is a free-text (non-case-sensitive) character string that identifies specific resources. The value can incorporate an asterisk (*) for use as a wildcard (representing zero or more characters).

Special rules concern the use of more than one term. For a detailed information about Aqua Enterprise resources, see RBAC resources.

Single term 

The simplest form of application scope consists of just one term. For example, the following would include all container images from the nginx repository in Aqua:

CategoryResource typeAttributeValue
ArtifactsImage Repositorynginx

More than one term specifying the same [category, resource type] -- AND logic

The various terms are logically joined with AND (intersection). For example, the following terms, ANDed together, might specify all containers named payroll* running on VMs whose host names are Prod*.

Attribute values are not case-sensitive! Therefore, payroll* would match containers named Payroll, payroll56, and PAYROLL-now.

CategoryResource TypeAttributeValue
WorkloadsNo OrchestratorContainer Namepayroll*
WorkloadsNo OrchestratorHost NameProd*

When the attribute is the same across terms, you will generally get an empty set.
Example: Specifying both [Artifacts, Image, Repository, nginx] and [Artifacts, Image, Repository, alpine]; no images are found in both repos.

More than one term specifying different resource types -- OR logic

This is common usage; all sets of resources are simply joined together. For example, the following would result in an application scope consisting of all of the following:

  • All container images from the elasticsearch repo
  • All serverless functions named payroll*, whose owner tag is set to BernieM
  • All containers running on the Kubernetes cluster cluster02

CategoryResource typeAttributeValue(s)
ArtifactsFunctionTagowner, BernieM
WorkloadsKubernetesCluster Namecluster02

This application scope would appear as such in the UI:

The Global application scope

An application scope named Global is predefined in Aqua. It includes all system resources (artifacts, workloads, and infrastructure). You cannot edit or delete it.


Add an application scope

  1. In the Aqua UI, navigate to Account Management > User Management > Application Scopes.
  2. Click Add Scope.

    5. Enter the name of the application scope (and optionally) its description.

    6. (Optional) Enter the email address of the application scope's owner.

    7. Using the drop-down menus, select a resource type and attribute. Then enter its value (both values in the case of a function tag). As you enter text, the UI provides a dynamically filtered set of entries that correspond to your text string. You can select any of them from the drop-down list provided.

    8. Remember: Values are case-insensitive, and you can use the asterisk wildcard character. 

    9. Click Add to add each term.

    10. Repeat the previous step as necessary until the application scope is fully defined. 

The screenshot below corresponds to the example given in More than one term specifying different resource types above:

11. You can remove any part of the scope specification by clicking the x on its box.

    12. Click Save to save the policy.

Modify an application scope

  1. Login to the Aqua Platform.
  2. Select Workload Protection from the mega menu at the top of the page.
  3. Navigate to Administration > Application Scopes.
  4. Click the name of the application scope you want to modify.
  5. Follow the instructions in the Add an application scope section.

Delete application scope(s)

  1. Login to the Aqua Platform.
  2. Select Workload Protection from the mega menu at the top of the page.
  3. Navigate to Administration > Application Scopes.
  4. Select the application scope(s) you want to delete (other than Global).
  5. Click the delete icon.