Red Hat Advanced Cluster Management: ACM-6866

Add authorization to the compliance event API endpoints


    • Epic: ACM-2047 - ACM Store Compliance History
    • Sprints: GRC Sprint 2023-23, GRC Sprint 2024-01, GRC Sprint 2024-02, GRC Sprint 2024-05

      Value Statement

      As a policy user, I need to ensure that the compliance history can only be written by authorized service accounts and viewed by users with appropriate ACM access.

      Definition of Done for Engineering Story Owner (Checklist)

      • The read API endpoint is restricted based on the user's "get" access to the corresponding ManagedCluster objects. The outcome of this access check is used to filter the rows returned by the SQL queries.
      • The write API endpoint must require the service account to have "patch" access to the "status" subresource of a policy in the corresponding managed cluster namespace.

      See the design for more information.
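As an added illustration of the two checks above (example code, not the ACM project's own), the following Go sketch builds the SubjectAccessReview resource attributes for each endpoint and filters a cluster list by the read check. The API groups for ManagedCluster (cluster.open-cluster-management.io) and Policy (policy.open-cluster-management.io) are assumed from the upstream APIs, and FakeAuthorizer is a constructed allow-list standing in for the real SubjectAccessReview call to the Kubernetes API.

```go
package main

import "fmt"

// ResourceAttributes mirrors spec.resourceAttributes of an
// authorization.k8s.io/v1 SubjectAccessReview.
type ResourceAttributes struct {
	Namespace, Verb, Group, Resource, Subresource, Name string
}

// Authorizer answers one access question. A real server would POST a
// SubjectAccessReview to the Kubernetes API; FakeAuthorizer stands in for it.
type Authorizer interface {
	Allowed(user string, attrs ResourceAttributes) bool
}

// FakeAuthorizer is a constructed allow-list: user -> granted attributes.
type FakeAuthorizer map[string]map[ResourceAttributes]bool

func (f FakeAuthorizer) Allowed(user string, a ResourceAttributes) bool { return f[user][a] }

// ReadAttrs is the read-endpoint check: "get" on the cluster-scoped
// ManagedCluster object named after the cluster (API group assumed).
func ReadAttrs(cluster string) ResourceAttributes {
	return ResourceAttributes{Verb: "get", Group: "cluster.open-cluster-management.io",
		Resource: "managedclusters", Name: cluster}
}

// WriteAttrs is the write-endpoint check: "patch" on the "status" subresource
// of the policy in the managed cluster namespace (API group assumed).
func WriteAttrs(clusterNS, policy string) ResourceAttributes {
	return ResourceAttributes{Namespace: clusterNS, Verb: "patch",
		Group: "policy.open-cluster-management.io", Resource: "policies",
		Subresource: "status", Name: policy}
}

// ReadableClusters keeps only clusters the user may read; this list becomes
// the filter on the SQL query so unauthorized rows are never returned.
func ReadableClusters(auth Authorizer, user string, clusters []string) []string {
	out := []string{}
	for _, c := range clusters {
		if auth.Allowed(user, ReadAttrs(c)) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	auth := FakeAuthorizer{"alice": {ReadAttrs("cluster1"): true}} // constructed RBAC table
	fmt.Println(ReadableClusters(auth, "alice", []string{"cluster1", "cluster2"}))
}
```

Note that a "patch" grant on the policy itself does not satisfy WriteAttrs: the subresource must be "status", which keeps a service account that can only edit policy specs from writing compliance history.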

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      Support Readiness

      • [ ] The must-gather script has been updated.

              yikim@redhat.com Yi Rae Kim
              mprahl Matthew Prahl
              Derek Ho Derek Ho