App Governance

👥 Who It Applies To

📖 Key Concepts

• App Governance: Defines how apps are managed within Cakewalk, from ownership and permissions to status and lifecycle.

• Statuses: Apps can be Managed, Restricted, Discovered, or Archived. Each status unlocks different governance actions.

• App Owners: Every managed app should have one owner accountable for access decisions and reviews.

• Permissions: Define levels of access within apps (e.g. admin, member). Policies determine who approves each level.

• Provisioning: Determines how user accounts are created, updated, or removed. By default, provisioning is manual, but Cakewalk also supports automated provisioning via IdP workflows and through Agent Cake.

• Template vs Custom Apps: Template apps come pre-configured with standard metadata; custom apps let you govern any application (incl. internal tools) manually.

• Custom Layouts: Extend app metadata with fields tailored to your organization (finance, compliance, vendor details, etc.).

💡Why this matters: Governance turns discovered apps into controlled assets, reducing risk, supporting least privilege and ensuring compliance.

🛠 App Governance Workflows

Import and Add New Apps

• Definition: New apps can be created in Cakewalk either from our template library or as fully custom apps. You can also convert discovered apps into Managed apps (see Change App Status). Additionally, apps can be imported directly from Google Workspace or Entra, pulling in apps already connected to your identity provider (see 🔍 Discovery Sources).

• Navigation: App Governance → + New App.

• Actions:

  • Add Template Apps:

    • Select an app from Cakewalk’s pre-configured library.

    • Includes standard fields and workflows such as permissions, certifications, server location, AI risk level and default policies.

    • Assign an App Owner during setup.

  • Add Custom Apps:

    • Choose Custom App when no template exists.

    • Define all key properties manually, including permissions, metadata, policies and ownership.

  • Import from Google Workspace or Entra:

    • Sync apps already connected to your IdP into Cakewalk.

    • Apply governance (Managed, Tracked, Restricted, Ignored) and assign ownership.

• Outcome: The app is added to your App Governance catalog as a governed asset, ready for reviews, policies and access management.

• Why this matters: Template Apps let you import and govern apps quickly with best-practice defaults. Custom Apps give you flexibility to govern any application.

Change App Status

• Navigation: App Governance table → Select an app → Track/Manage/Ignore/Restrict.

• Actions:

  • Track: App activity is monitored and visible in governance views, but no access requests or provisioning are enabled.

  • Manage: App is fully governed in Cakewalk. Admins and App Owners can approve requests, assign policies, manage permissions, and include the app in reviews.

  • Ignore: App is excluded from governance and removed from the active catalog. Usage is no longer monitored or surfaced in dashboards/reviews.

  • Restrict: App remains visible but new access requests are blocked. Any access triggers alerts to Admins via Slack and notifies users in the extension. Existing accesses are still tracked for auditing.

• Why this matters: Changing app status lets you decide the right level of governance for each application. You can fully manage critical apps, track usage of secondary ones or restrict risky tools while maintaining visibility and auditability.

Assign/Change App Owners

• Definition: Every Managed app should have at least one App Owner.

• Responsibilities: Owners approve/reject access requests, review permissions and participate in access reviews.

• Navigation: App Governance table → Select an app → Assign or change the App Owner.

• Why this matters: Ownership ensures accountability and speeds up access decisions.

Review User Access

• Navigation: App Governance table → Click into an app → Users table.

• Actions:

  • Review current users and their assigned permission levels to spot over-permissioned access.

  • Review last access times for each user to identify dormant accounts.

• Why this matters: Reviewing user access not only supports audits and compliance but also helps spot dormant accounts (users with no recent activity) and over-permissioned users (employees holding privileged roles they don’t actively use). This enables admins and app owners to right-size access and enforce least-privilege policies.

Manage Permissions per App

• Navigation: App detail view → Permissions.

• Actions:

  • Edit/create permissions: Configure existing permissions (e.g., Viewer, Editor) or create new ones to match how the app grants access.

  • Assign default permissions: Mark one permission level as the default. This level is automatically assigned to new users when access is approved, unless a different level is explicitly requested.

  • Define privileged permissions: Mark specific permission levels (e.g., Admin, Superuser) as privileged. Requests for these permissions are highlighted in approvals and reviews. Users with access to privileged permissions can also be assigned tasks via custom policies.

  • Combine with policies to define who approves each permission level.

• Why this matters: Privileged toggles ensure high-risk access is never granted without oversight. Default toggles standardize baseline permissions, reducing request errors and maintaining least-privilege access by default.

Manage Provisioning

• Definition: Provisioning defines how user accounts are created, updated or removed in apps.

• Default: Manual provisioning is the default in Cakewalk. Admins or App Owners act on requests and provision/revoke access directly.

• Automation:

  • Connect your IdP (e.g., Entra, Okta) to sync existing automation workflows with Cakewalk.

  • Enable auto-provisioning via Agent Cake to create accounts automatically in supported apps.

• Navigation: App Governance → Select app → Provisioning Settings.

• Reference: See the Auto Provisioning documentation for details on setup and supported apps.

• Why this matters: Automating provisioning reduces IT workload, ensures consistency and closes gaps in onboarding and offboarding.

Edit Apps & Properties

• Definition: Apps in Cakewalk come with a set of standard fields and metadata. You can extend these with custom layouts, adding groups and properties tailored to your organization (e.g., finance, vendor, compliance details).

• Navigation: App Governance → Select app → Edit app.

• Template Apps: Pre-configured from Cakewalk’s library. Only custom properties can be amended while standard properties are fixed.

• Custom Apps: Created manually. All properties, including permissions, metadata, policies and ownership, can be defined and edited.

• Reference: See the https://github.com/this-thing-about-cakes/gitbook-documentation/blob/main/how-to-guides/apps/broken-reference/README.md to learn how to create custom layouts.

• Why this matters: Ensures every app record reflects the exact details your organization needs while balancing flexibility (custom apps) with governance consistency (template apps).

Custom App Layouts & Properties

• Definition: Extend app metadata with groups and custom fields.

• Navigation: Settings → Custom Layouts.

• Custom Property: Field types include short text, number, percentage, currency, person, single/multi-select. Examples:

  • Finance data (contract value, renewal dates).

  • Security info (data residency, SOC 2 status).

  • Procurement details (business owner, cost center).

• Custom Group: Properties grouped together for easier management.

• Configuration options:

  • Visibility: Control who sees and edits a property (Admins / App Owners / App Users / All Users).

  • Show in Request: Determine if the property should be highlighted to requesters during the request process. This is helpful for gathering additional context, such as business justification in Add New App requests or for promoting cost awareness at the time of the request.

  • Required / Optional: Mark properties as mandatory for data completeness.

• Outcome: Custom fields appear in the app detail view, Add New App flow, Edit App view and request forms.

• Why this matters: Makes Cakewalk your single source of truth for app metadata, tailored to your organization.

Archive or Delete Apps

• Navigation: App Governance table → Select an app → Archive app/Permanently delete app.

• Archive App: Moves the app into an archived state. Access is removed during offboarding; request logs are retained for audits.

• Delete App: Permanently removes the app from Cakewalk; data may be lost.

• Why this matters: Archiving preserves historical context while cleaning up your catalog; deletion is for full removal.

📋 Governance Actions at a Glance