Query Documents
Documents are the manual evidence your team uploads into the platform. Example requirements include your Company Organization Chart and Network Diagram.
Let's look at an example query that requests a couple of Document requirements.
query GetDocuments {
organization {
evidenceRequests(first: 2) {
edges {
node {
evidenceRequestId
title
description
}
}
}
}
}
{
"data": {
"organization": {
"evidenceRequests": {
"edges": [
{
"node": {
"evidenceRequestId": "access-approval-required",
"title": "Access to cardholder data and cardholder data environment require explicit management approval",
"description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff."
}
},
{
"node": {
"evidenceRequestId": "database-access-restricted",
"title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
"description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation."
}
}
]
}
}
}
}
We can go one step deeper and see if there are any pieces of evidence that have already been uploaded for a particular Document requirement:
query GetDocuments {
organization {
evidenceRequests(first: 2) {
edges {
node {
evidenceRequestId
title
description
evidence(first: 2) {
edges {
node {
displayName
description
effectiveAt
}
}
}
}
}
}
}
}
{
"data": {
"organization": {
"evidenceRequests": {
"edges": [
{
"node": {
"evidenceRequestId": "access-approval-required",
"title": "Access to cardholder data and cardholder data environment require explicit management approval",
"description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff.",
"evidence": {
"edges": [
{
"node": {
"displayName": "access_approval.pdf",
"description": "Access approval evidence for those that need access to the CDE and CHD.",
"effectiveAt": "2023-02-17T09:12:09.781Z"
}
}
]
}
}
},
{
"node": {
"evidenceRequestId": "database-access-restricted",
"title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
"description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation.",
"evidence": {
"edges": [
{
"node": {
"displayName": "db_restricted.csv",
"description": "Evidence demonstrating database access restricted.",
"effectiveAt": "2023-03-08T21:04:49.514Z"
}
}
]
}
}
}
]
}
}
}
}
We can add an argument to search for specific evidence requests:
query GetDocuments {
organization {
evidenceRequests(first: 2, evidenceRequestIds: ["access-approval-required", "database-access-restricted"]) {
edges {
node {
evidenceRequestId
title
description
evidence(first: 2) {
edges {
node {
displayName
description
effectiveAt
}
}
}
}
}
}
}
}
{
"data": {
"organization": {
"evidenceRequests": {
"edges": [
{
"node": {
"evidenceRequestId": "access-approval-required",
"title": "Access to cardholder data and cardholder data environment require explicit management approval",
"description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff.",
"evidence": {
"edges": [
{
"node": {
"displayName": "access_approval.pdf",
"description": "Access approval evidence for those that need access to the CDE and CHD.",
"effectiveAt": "2023-02-17T09:12:09.781Z"
}
}
]
}
}
},
{
"node": {
"evidenceRequestId": "database-access-restricted",
"title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
"description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation.",
"evidence": {
"edges": [
{
"node": {
"displayName": "db_restricted_03-08.csv",
"description": "Evidence demonstrating database access restricted.",
"effectiveAt": "2023-03-08T21:04:49.514Z"
}
},
{
"node": {
"displayName": "db_restricted_03-28.csv",
"description": "Updated evidence containing new database resources.",
"effectiveAt": "2023-03-28T21:52:12.333Z"
}
}
]
}
}
}
]
}
}
}
}
We can also query the external URL (preSignedURL field) where our evidence is hosted to share:
query GetDocuments {
organization {
evidenceRequests(first: 2, evidenceRequestIds: ["access-approval-required", "database-access-restricted"]) {
edges {
node {
evidenceRequestId
title
description
evidence(first: 2) {
edges {
node {
preSignedURL
}
}
}
}
}
}
}
}
{
"data": {
"organization": {
"evidenceRequests": {
"edges": [
{
"node": {
"evidenceRequestId": "access-approval-required",
"title": "Access to cardholder data and cardholder data environment require explicit management approval",
"description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff.",
"evidence": {
"edges": [
{
"node": {
"preSignedURL": "https://some-s3-bucket.us-east-1.amazonaws.com"
}
}
]
}
}
},
{
"node": {
"evidenceRequestId": "database-access-restricted",
"title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
"description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation.",
"evidence": {
"edges": [
{
"node": {
"preSignedURL": "https://some-s3-bucket.us-east-1.amazonaws.com" }
},
{
"node": {
"preSignedURL": "https://some-s3-bucket.us-east-1.amazonaws.com" }
}
]
}
}
}
]
}
}
}
}
Updated about 1 year ago