Add a control to a risk scenario
Associate a control with a risk scenario.
Body: { controlId, controlType? }. controlType is TREATMENT_PLAN
for a control that is part of the risk’s treatment plan; omit it (or pass
EXISTING) to associate the control as a plain existing control.
controlId may be a Vanta control shorthand, custom-control shorthand,
or object ID; it resolves to a single canonical control before any write.
Behavior on conflict with an existing association:
- Same resolved control already associated with the same controlType: the request is a no-op and the existing relationship is returned (200).
- Same resolved control associated with the other controlType: the request is rejected with a hint to use PATCH instead (422).
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Path Parameters
Body
controlId
Control to associate with the risk scenario. Accepts Vanta control
shorthands (e.g. "A.12.2.1"), custom-control shorthand names, or
object IDs.
controlType
TREATMENT_PLAN for a control that is part of the risk's treatment plan.
Omit (or pass "EXISTING") to associate the control without a
treatment-plan designation (the default "existing control" relationship).
EXISTING, TREATMENT_PLAN
Response
Ok
A control's association with a risk scenario.
The relationship identity is (riskScenarioId, controlId); controlType
is mutable state on that relationship. A given control can have at most one
association per risk scenario.
controlId
The control's shorthand identifier (e.g. "A.12.2.1") when it has one,
falling back to the canonical Vanta control id (Mongo object id) otherwise.
controlType
TREATMENT_PLAN for controls that are part of the risk's treatment plan
(planned mitigations); EXISTING for controls linked to the risk without a
treatment-plan designation.
EXISTING, TREATMENT_PLAN
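The conflict rules and relationship identity described above, as an added in-memory model for testing client logic (not Vanta's code). The control catalogue, object ids, risk ids, the 422 hint text, and the use of 200 for a newly created association are constructed assumptions.

```python
from dataclasses import dataclass, field

TYPES = ("EXISTING", "TREATMENT_PLAN")

# Constructed catalogue: canonical object id -> shorthand (None when it has none).
CONTROLS = {
    "64b000000000000000000001": "A.12.2.1",
    "64b000000000000000000002": "custom-backup-check",
    "64b000000000000000000003": None,
}

def resolve(control_id):
    """Map a shorthand or object id to exactly one canonical object id."""
    for object_id, shorthand in CONTROLS.items():
        if control_id and control_id in (object_id, shorthand):
            return object_id
    raise LookupError(f"unknown control: {control_id!r}")

@dataclass
class RiskControlLinks:
    # Relationship identity is (riskScenarioId, canonical controlId);
    # controlType is the mutable state stored against that key.
    links: dict = field(default_factory=dict)

    def add(self, risk_scenario_id, control_id, control_type=None):
        wanted = control_type or "EXISTING"       # omitted means EXISTING
        if wanted not in TYPES:
            raise ValueError(f"bad controlType: {wanted!r}")
        canonical = resolve(control_id)           # resolve before any write
        key = (risk_scenario_id, canonical)
        current = self.links.get(key)
        if current is not None and current != wanted:
            # Other controlType already set: reject, nothing is written.
            return 422, {"hint": "use PATCH to change controlType"}
        self.links[key] = wanted                  # new link, or no-op rewrite
        shown = CONTROLS[canonical] or canonical  # shorthand, else object id
        return 200, {"controlId": shown, "controlType": wanted}

if __name__ == "__main__":
    store = RiskControlLinks()
    for args in [("risk-1", "A.12.2.1"),
                 ("risk-1", "64b000000000000000000001", "EXISTING"),
                 ("risk-1", "A.12.2.1", "TREATMENT_PLAN"),
                 ("risk-1", "64b000000000000000000003", "TREATMENT_PLAN")]:
        print(args, "->", store.add(*args))
```

The second call shows why resolution must precede the write: a shorthand and its object id hit the same key, so the repeat is a no-op instead of a duplicate association.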