Skip to content
PainScaler

Blast radius

Pick a target. Get the full impact: every policy that depends on it, every SCIM group whose access is funneled through it, every segment that becomes unreachable.

Endpoint

GET /api/v1/analytics/blast-radius?id={id}&type={connector_group|server_group}

Returns

type BlastRadiusReport struct {
    TargetID   string
    TargetName string
    TargetType string     // "connector_group" or "server_group"
    Policies   []NamedRef // policies that reference this target
    ScimGroups []NamedRef // user groups whose access flows through it
    Segments   []NamedRef // segments served by this target
}

How

Connector group target:

  1. Look up ConnectorGroupToPolicies[id].
  2. For each policy, walk PolicyToScimGroups for the user side and policySegmentIDs(pol) for the segment side.
  3. Dedupe and sort.

Server group target:

  1. Resolve the server group’s AppConnectorGroups[].
  2. Run the connector group flow above for each.

Use it for

  • Pre-change impact analysis. Before draining a connector for maintenance: who notices?
  • Capacity planning. A connector group with 200 policies and 5000 segments behind it is a single point of failure. Spread the load.
  • Auditing critical paths. The CFO’s SCIM group should not depend on a connector group named lab-rack-3-temporary.

Edge cases

  • Unnamed targets are returned with Name = ID. Index might be stale, or the target was deleted between the fetch and the query.
  • Empty result set for a known-good target ID means the target exists but no policies reference it. Either it is unused, or you typed the wrong ID.