Connector Policies and Sharing
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Connector Policies and Sharing in Custom Connectors
Introduction: The Architecture of Connectivity
In the modern landscape of cloud-based automation and data integration, custom connectors act as the bridge between your proprietary internal systems and the broader ecosystem of low-code platforms. While building a connector is the first step, managing how that connector behaves—its limitations, its security posture, and its availability to your team—is what truly defines a professional integration strategy. This lesson focuses on two critical pillars of connector management: Connector Policies and Connector Sharing.
Connector policies allow you to define rules that intercept traffic between your connector and the underlying API. Think of these as a layer of governance that you can apply without changing a single line of code in your API or your connector definition. By using policies, you can enforce rate limits, mask sensitive data, or route traffic dynamically. Without these, your connectors are essentially "open pipes," which can lead to performance degradation, security vulnerabilities, or accidental overuse of expensive API endpoints.
Sharing, on the other hand, is about collaboration and lifecycle management. It determines who has the rights to view, edit, or utilize a connector within an organization. If you build a high-quality, reusable connector but fail to share it correctly, you create a silo that forces others to reinvent the wheel, leading to technical debt and fragmented logic across your organization. Understanding how to balance accessibility with administrative control is essential for scaling automation efforts effectively.
Understanding Connector Policies
Connector policies are specialized instructions that the platform executes during the request-response lifecycle of a connector action. They act as a middleware layer. When a user triggers an action in a flow or an app, the request travels through your connector definition, hits the policy engine, and then proceeds to the destination API.
Why Use Policies?
The primary driver for using policies is to enforce constraints that you might not want to bake into the core application logic. For example, if you have a legacy API that does not support throttling, you can use a "Rate Limit" policy on your custom connector to prevent your platform from overwhelming that API. Policies are declarative, meaning you define the "what" and the "how," and the platform handles the execution.
Types of Policies
There are several standard policy templates available for custom connectors. Understanding the nuances of each is vital for building a stable integration environment:
- Rate Limiting: This policy restricts the number of calls that can be made to an API within a specific timeframe. This is critical for protecting downstream services that have strict consumption quotas.
- Set Header: This policy allows you to inject static or dynamic headers into every request. It is commonly used for passing API keys, correlation IDs, or custom security tokens that should not be visible to the end-user.
- Masking: This policy hides specific fields in the request or response body. If your API returns sensitive data like social security numbers or clear-text passwords, you can mask these fields to ensure they do not appear in platform logs.
- Routing: This policy allows you to change the destination URL based on the environment or specific request parameters. This is particularly useful for switching between sandbox and production endpoints without changing the connector code.
Callout: Policies vs. Code Logic A common question is whether to handle logic in your API code or in the connector policy. The rule of thumb is: use code for business logic (data transformation, complex calculations) and use policies for infrastructure governance (security, throttling, logging). Policies are easier to update and apply globally across different versions of a connector, whereas changing code requires a full redeployment and testing cycle.
Implementing Connector Policies: A Step-by-Step Guide
To implement a policy, you generally work within the connector definition portal. Let’s walk through the process of creating a simple "Set Header" policy to ensure all requests include a custom X-Organization-ID header.
Step 1: Navigate to the Definition
Open your custom connector in the portal and navigate to the Definition tab. Ensure that you have already defined your actions and triggers. Policies are applied at the connector level, but they can be scoped to specific actions.
Step 2: Access the Policies Section
On the left-hand navigation pane, select the Policies tab. Click on New Policy. You will be presented with a list of templates. Select the Set Header template.
Step 3: Configure the Policy
- Name: Give the policy a descriptive name, such as
Inject-Org-ID. - Header Name: Enter
X-Organization-ID. - Header Value: Enter the static value (e.g.,
MY-CORP-123) or use an expression if the platform supports it. - Action Scope: Select the specific actions to which this policy should apply. If you want it to apply to all actions, leave it as "All."
Step 4: Validate and Save
Save the policy. Once saved, the policy engine will immediately begin intercepting requests. To test this, use the "Test" tab in the connector editor. Perform an action and examine the raw request headers. You should see the X-Organization-ID header present, even though you did not explicitly define it in the action input fields.
Note: When testing policies, ensure that you are not using a cached version of the connector. Sometimes, the platform may hold onto the previous configuration for a few minutes. If you do not see the effect of your policy, wait a moment or refresh your browser session.
Advanced Policy Management: Masking Sensitive Data
Data privacy is a major concern in enterprise environments. Often, an API response might contain PII (Personally Identifiable Information) that should not be stored in the platform’s execution history. A masking policy effectively replaces the sensitive data with a placeholder string (e.g., ****).
Configuring a Masking Policy
- Navigate back to the Policies section.
- Select Masking from the list of available templates.
- Define the path to the field you wish to mask. For JSON responses, this is usually a dot-notation path (e.g.,
body.user.email). - Specify the replacement string.
By implementing this, you ensure that even if an administrator looks at the run history of a flow, the sensitive information remains protected. This is a standard requirement for compliance with regulations like GDPR or HIPAA.
Connector Sharing: Best Practices for Collaboration
Connector sharing is the mechanism by which you grant other users or teams access to your custom connector. In most enterprise platforms, a custom connector is private to the creator by default. To make it available to others, you must explicitly share it.
Levels of Access
Sharing is not a binary "on/off" switch. It usually involves granular permissions:
- View Access: The user can see the connector details but cannot make changes. They can use the connector in their own flows.
- Edit Access: The user can modify the connector definition, update policies, and change the underlying API endpoints.
- Ownership: The user has full control, including the ability to delete the connector or change permissions for other users.
The Lifecycle of a Shared Connector
Sharing a connector should follow a standard software development lifecycle (SDLC). Do not share a "work-in-progress" connector with the entire organization.
- Draft Phase: The creator builds the connector in a private environment.
- Review Phase: The creator shares the connector with a small group of stakeholders for user acceptance testing (UAT).
- Production Phase: Once validated, the connector is shared with the relevant teams or the entire organization.
- Deprecation Phase: When the connector is no longer needed, revoke access and delete the source to prevent future use of insecure or outdated integrations.
Warning: The Dangers of Over-Sharing Avoid sharing connectors at the "Organization" level unless absolutely necessary. If you share a connector with everyone, you lose the ability to audit who is using it effectively. It is better to share with specific security groups or teams that have a legitimate business need to access the API.
Comparison: Policies vs. API Gateway
It is common for developers to ask why they need connector policies if they already have an API Gateway in front of their services. The table below highlights the differences:
| Feature | Connector Policy | API Gateway |
|---|---|---|
| Scope | Limited to the specific connector | Global to all services |
| Visibility | Inside the integration platform | External facing |
| Complexity | Simple, declarative rules | High, handles complex traffic |
| Maintenance | Managed by integration team | Managed by infrastructure team |
| Use Case | Per-connector governance | Enterprise-wide security/traffic |
Use connector policies when you need to handle specific integration needs (like hiding a header from a specific app) that the broader API Gateway is not configured to handle.
Common Pitfalls and How to Avoid Them
Even with a solid understanding of policies and sharing, several common mistakes can derail your integration strategy.
1. Hardcoding Values in Policies
A common mistake is hardcoding environment-specific values (like a production URL or a specific API key) into a policy. If you move your connector from a sandbox environment to a production environment, the policy will fail or point to the wrong destination.
- Solution: Use environment variables or parameters within your connector definition. If the platform does not support this, create separate versions of the policy for each environment.
2. Ignoring Error Handling
When you apply a policy, you are changing the flow of data. If you apply a rate-limiting policy that is too strict, your flows will start failing with "429 Too Many Requests" errors.
- Solution: Always monitor the "Failure Rate" metric for your connector after applying a new policy. If failures spike, adjust your policy settings immediately.
3. Lack of Documentation
A shared connector is useless if other team members do not know what it does or how to pass the correct parameters.
- Solution: Always populate the "Description" field in the connector definition. Include details about the required inputs, the expected output format, and any specific policies that have been applied.
4. Fragmented Connector Versions
If you share a connector and then make changes, the users of that connector might experience unexpected behavior.
- Solution: Use a versioning strategy. If you need to make a breaking change (e.g., changing a parameter name), create a new version of the connector rather than overwriting the existing one. This allows existing flows to continue working while you migrate users to the new version.
Security Considerations
When sharing connectors, security should be the primary concern. Since custom connectors often handle authentication, they can be a target for malicious actors.
Authentication Best Practices
- Principle of Least Privilege: If a connector only needs to read data, ensure the authentication token it uses has read-only permissions on the API side.
- Secret Management: Never store credentials in the connector definition. Always use the built-in authentication schemes (like OAuth 2.0 or API Key) provided by the platform.
- Rotate Credentials: Periodically update the credentials used by your connectors. If a connector is shared with many users, ensure that the authentication mechanism is robust enough to handle high-frequency access without locking out the service account.
Auditing and Monitoring
Most enterprise platforms provide logs for custom connector usage. You should regularly review these logs to look for:
- Unauthorized Access: Look for users who are using the connector in ways that weren't intended.
- Policy Violations: Identify if any policies are being triggered frequently, which could indicate a misconfiguration or a potential abuse of the API.
- Error Patterns: Identify if certain actions are failing consistently, which might require a policy update or an API fix.
Callout: The "Human" Aspect of Sharing Sharing is not just a technical permission setting; it is a communication process. Before you share a connector, reach out to the potential users and explain what the connector does, what the limitations are (via the policies you applied), and how they should report issues. This proactive approach significantly reduces the support burden on the connector creator.
Advanced Topic: Programmatic Policy Management
For large organizations with hundreds of connectors, managing policies through a graphical user interface (GUI) is not scalable. Most modern integration platforms offer an API or command-line interface (CLI) to manage connector definitions and policies.
Example: Using a CLI to Update a Policy
If your platform supports a CLI, you can automate the deployment of policies as part of your CI/CD pipeline. Here is a conceptual example of how a configuration file for a policy might look:
{
"policyName": "Limit-Requests-To-100",
"policyType": "RateLimit",
"settings": {
"requests": 100,
"period": "1m",
"scope": "AllActions"
}
}
By storing these configurations in a version control system like Git, you can track changes to your policies over time. This provides an audit trail and allows for easy rollbacks if a policy deployment causes unexpected behavior.
Why Automate?
- Consistency: Every environment (Dev, Test, Prod) receives the exact same policy configuration.
- Speed: Deployments take seconds rather than minutes of manual clicking.
- Reliability: Eliminates the human error associated with manual configuration.
Troubleshooting Common Issues
Even with careful planning, things can go wrong. Here is a quick troubleshooting guide for common connector policy issues:
| Symptom | Potential Cause | Action |
|---|---|---|
| "Access Denied" | Missing permissions on the shared connector | Verify the user has at least "View" access |
| "Policy Execution Error" | Incorrect path or syntax in the policy | Re-check the JSON path or header value |
| "429 Too Many Requests" | Rate limit policy is too strict | Increase the limit or duration in the policy settings |
| "Data not appearing" | Masking policy is too broad | Review the masking path and refine it |
| "Header missing" | Policy is not active or scoped incorrectly | Check the policy status and scope |
If you encounter an issue that you cannot resolve, the first step is always to disable the policy temporarily. If the connector works without the policy, you know the issue is within the policy configuration itself. If it still fails, the issue likely resides in the connector definition or the destination API.
Key Takeaways
To conclude this lesson, let’s summarize the most important points to remember when managing custom connector policies and sharing:
- Policies are Governance: Think of policies as your primary tool for enforcing rules on API traffic, including rate limiting, header injection, and data masking. Use them to keep your integrations secure and stable without modifying your base code.
- Scope Appropriately: Always apply policies to the narrowest scope necessary. If a policy only needs to apply to a single action, do not apply it to the entire connector.
- Prioritize Privacy: Use masking policies to ensure that PII and other sensitive data are not exposed in logs or history, helping your organization stay compliant with data protection regulations.
- Control Access: Share connectors with intent. Use the principle of least privilege, providing "View" access where possible and "Edit" or "Owner" access only to those who truly need it.
- Document Everything: A well-documented connector is easier to maintain and share. Use descriptions and versioning to ensure that users understand how to use your tool effectively.
- Automate for Scale: If you find yourself managing many connectors, move toward a CI/CD approach for your policies. Automating the deployment of policies ensures consistency and reduces the risk of human error.
- Monitor and Audit: Regularly check the usage logs and failure rates for your connectors. This proactive monitoring allows you to catch issues before they impact the business.
By mastering these concepts, you transition from being a simple connector builder to an integration architect who can design, deploy, and govern high-quality integrations that support the long-term needs of the organization. Remember that the goal is not just to make things work, but to make them work securely, consistently, and maintainably over the long term.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons