Scope language guidelines
Use scope language consistently so policy behavior and UI state are predictable.
Allowed scope states
inScopeoutOfScopenotAssessed
Authoring principles
1. Scope should drive policy behavior explicitly.
2. Use notAssessed as unresolved state, not as a synonym for out-of-scope.
3. Scope-triggered rules should use _SCOPE naming.
4. Keep scope keys and values consistent across entities and environments.
Recommended wording in docs/rules
Use:
- "in scope"
- "out of scope"
- "not assessed"
Avoid:
- legacy concern terminology for new/updated scope rules
Scope parity rule
If a behavior should apply to multiple entity types (for example api and webApplication), author both paths explicitly unless a shared condition safely covers both.
Troubleshooting scope issues
If expected controls do not appear:
- verify exact scope key name
- verify value is
inScope(case-sensitive) - verify rule target/entity alignment
- verify rule is in the correct environment file