Scope Management

Scopes control which GCP resources SmartSRE scans and what operations are permitted on those resources.

What Are Scopes?

A Scope is a filter that defines:

  1. What to scan — Which projects, regions, and services to include
  2. What operations are allowed — Which remediation actions can be executed
  3. Risk profile — How aggressively to act on findings

Creating a Scope

  1. Navigate to Settings → Scopes
  2. Click Create Scope
  3. Configure the scope:
    • Name — Human-readable label (e.g., "Production Cloud Run")
    • Service — Which GCP service to target
    • Projects — Which projects to include
    • Regions — Optionally limit to specific regions
  4. Click Create

Multi-Target Scopes

Scopes can target multiple combinations:

  • Multiple projects for the same service
  • Multiple regions within a project
  • Multiple services (separate scope per service recommended)

Scope Policies

Allowed Operations

Restrict which operations SmartSRE can execute:

  1. Edit a scope
  2. Under Policy, configure Allowed Operations
  3. Select specific operations to allow (e.g., scale_memory, scale_cpu)
  4. Operations not in the list will be blocked

If an operation is not in the allowed list, SmartSRE will:

  • Still detect and report the finding
  • Block execution of that specific fix
  • Show a message explaining the blocking policy

Risk Profile Override

Override the tenant-wide risk profile for this scope:

  1. Edit a scope
  2. Under Policy, select Risk Profile
  3. Choose: Conservative, Balanced, or Aggressive

Scope Coverage

View which resources are covered by scopes:

  1. Navigate to Settings → Scopes
  2. Click the Coverage tab
  3. See breakdown by service:
    • Covered — Resource matches at least one scope
    • Uncovered — Resource exists but no scope matches
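
The coverage and allowed-operations rules described above, as an added Python model that is not SmartSRE's own code or API. The class and function names, the service identifiers `cloud_run` and `gcs`, and the sample projects, regions and resources are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:
    service: str
    project: str
    region: str
    name: str

@dataclass
class Scope:
    name: str
    service: str
    projects: set
    regions: set = field(default_factory=set)   # empty: no region limit
    allowed_operations: set = field(default_factory=set)

    def matches(self, r: Resource) -> bool:
        return (r.service == self.service
                and r.project in self.projects
                and (not self.regions or r.region in self.regions))

def coverage(resources, scopes):
    """Covered = matches at least one scope; everything else is uncovered."""
    covered = [r for r in resources if any(s.matches(r) for s in scopes)]
    uncovered = [r for r in resources if r not in covered]
    return covered, uncovered

def decide(operation: str, resource: Resource, scope: Scope) -> dict:
    """The finding is always reported; the fix runs only if allow-listed."""
    if not scope.matches(resource):
        raise ValueError(f"{resource.name} is outside scope {scope.name!r}")
    allowed = operation in scope.allowed_operations
    reason = "allowed" if allowed else f"{operation} blocked by scope {scope.name!r}"
    return {"reported": True, "executed": allowed, "reason": reason}

# Constructed sample data (project, region and resource names are made up).
PROD = Scope("Production Cloud Run", "cloud_run", {"prod-a"},
             regions={"us-central1"}, allowed_operations={"scale_memory"})
RESOURCES = [
    Resource("cloud_run", "prod-a", "us-central1", "api"),
    Resource("cloud_run", "prod-a", "europe-west1", "api-eu"),
    Resource("gcs", "prod-a", "us-central1", "logs-bucket"),
]

if __name__ == "__main__":
    print([[r.name for r in group] for group in coverage(RESOURCES, [PROD])])
    for op in ("scale_memory", "scale_cpu"):
        print(decide(op, RESOURCES[0], PROD))
```

Narrowing a scope by region leaves same-project resources in other regions uncovered, so the Coverage tab is worth rechecking after any region or project change.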

Team-Owned Scopes

Scopes can be assigned to teams for access control:

  1. Create a Team in Settings → Team
  2. When creating/editing a scope, select Owner Team
  3. Only team members can edit or delete that scope

Scheduler Configuration

Enable automated scans for a scope:

  1. Edit a scope
  2. Under Scheduler, toggle Enable Scheduled Scans
  3. Configure:
    • Interval — How often to scan (e.g., every 6 hours)
    • Time Window — Optional restriction (e.g., business hours only)
  4. Save the scope

Default Scopes

Set a scope as the default for a service:

  1. Navigate to Settings → Scopes
  2. Find the scope to make default
  3. Click the menu (⋮) and select Set as Default

The default scope is used when no scope is explicitly selected during a scan.

Best Practices

Separate Production and Non-Production

Create separate scopes for:

  • Production (conservative risk profile, limited operations)
  • Development (aggressive profile, all operations allowed)

Start Restrictive

Begin with only safe operations allowed:

  • Cloud Run: scale_memory, scale_cpu
  • GCS: set_lifecycle_rule

Expand as you gain confidence.

Use Team Ownership

Assign scopes to the teams responsible for those resources.
