Query Documents

Documents are the manual evidence your team uploads into the platform. Example requirements include your Company Organization Chart and Network Diagram.

Let's look at an example query that requests a couple of Document requirements.

query GetDocuments {
  organization {
    evidenceRequests(first: 2) {
      edges {
        node {
          evidenceRequestId
          title
          description
        }
      }
    }
  }
}

{
  "data": {
    "organization": {
      "evidenceRequests": {
        "edges": [
          {
            "node": {
              "evidenceRequestId": "access-approval-required",
              "title": "Access to cardholder data and cardholder data environment require explicit management approval",
              "description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff."
            }
          },
          {
            "node": {
              "evidenceRequestId": "database-access-restricted",
              "title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
              "description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation."
            }
          }
        ]
      }
    }
  }
}

We can go one step deeper and see if there are any pieces of evidence that have already been uploaded for a particular Document requirement:

query GetDocuments {
  organization {
    evidenceRequests(first: 2) {
      edges {
        node {
          evidenceRequestId
          title
          description
          evidence(first: 2) {
            edges {
              node {
                displayName
                description
                effectiveAt
              }
            }
          }
        }
      }
    }
  }
}

{
  "data": {
    "organization": {
      "evidenceRequests": {
        "edges": [
          {
            "node": {
              "evidenceRequestId": "access-approval-required",
              "title": "Access to cardholder data and cardholder data environment require explicit management approval",
              "description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff.",
              "evidence": {
                "edges": [
                  {
                    "node": {
                      "displayName": "access_approval.pdf",
                      "description": "Access approval evidence for those that need access to the CDE and CHD.",
                      "effectiveAt": "2023-02-17T09:12:09.781Z"
                    }
                  }
                ]
              }
            }
          },
          {
            "node": {
              "evidenceRequestId": "database-access-restricted",
              "title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
              "description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation.",
              "evidence": {
                "edges": [
                  {
                    "node": {
                      "displayName": "db_restricted.csv",
                      "description": "Evidence demonstrating database access restricted.",
                      "effectiveAt": "2023-03-08T21:04:49.514Z"
                    }
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }
}

We can add an argument to search for specific evidence requests:

query GetDocuments {
  organization {
    evidenceRequests(first: 2, evidenceRequestIds: ["access-approval-required", "database-access-restricted"]) {
      edges {
        node {
          evidenceRequestId
          title
          description
          evidence(first: 2) {
            edges {
              node {
                displayName
                description
                effectiveAt
              }
            }
          }
        }
      }
    }
  }
}

{
  "data": {
    "organization": {
      "evidenceRequests": {
        "edges": [
          {
            "node": {
              "evidenceRequestId": "access-approval-required",
              "title": "Access to cardholder data and cardholder data environment require explicit management approval",
              "description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff.",
              "evidence": {
                "edges": [
                  {
                    "node": {
                      "displayName": "access_approval.pdf",
                      "description": "Access approval evidence for those that need access to the CDE and CHD.",
                      "effectiveAt": "2023-02-17T09:12:09.781Z"
                    }
                  }
                ]
              }
            }
          },
          {
            "node": {
              "evidenceRequestId": "database-access-restricted",
              "title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
              "description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation.",
              "evidence": {
                "edges": [
                  {
                    "node": {
                      "displayName": "db_restricted_03-08.csv",
                      "description": "Evidence demonstrating database access restricted.",
                      "effectiveAt": "2023-03-08T21:04:49.514Z"
                    }
                  },
                  {
                    "node": {
                      "displayName": "db_restricted_03-28.csv",
                      "description": "Updated evidence containing new database resources.",
                      "effectiveAt": "2023-03-28T21:52:12.333Z"
                    }
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }
}
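
As an added example (not part of the platform's documentation or code), the following Python walks a response shaped like the one above and reports, per evidence request, whether evidence is missing, stale, or current according to effectiveAt. The 90-day freshness window, the function names, and the "network-diagram" request id are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the response above trimmed to the fields used here, plus a
# hypothetical request id ("network-diagram") that has no evidence uploaded.
SAMPLE_RESPONSE = json.loads("""
{"data": {"organization": {"evidenceRequests": {"edges": [
  {"node": {"evidenceRequestId": "access-approval-required", "evidence": {"edges": [
    {"node": {"displayName": "access_approval.pdf",
              "effectiveAt": "2023-02-17T09:12:09.781Z"}}]}}},
  {"node": {"evidenceRequestId": "database-access-restricted", "evidence": {"edges": [
    {"node": {"displayName": "db_restricted_03-08.csv",
              "effectiveAt": "2023-03-08T21:04:49.514Z"}},
    {"node": {"displayName": "db_restricted_03-28.csv",
              "effectiveAt": "2023-03-28T21:52:12.333Z"}}]}}},
  {"node": {"evidenceRequestId": "network-diagram", "evidence": {"edges": []}}}
]}}}}
""")

def parse_ts(value):
    # effectiveAt is ISO 8601 with a trailing "Z" (UTC), as in the responses above.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evidence_status(response, as_of, max_age_days=90):
    """Map each evidenceRequestId to (status, newest displayName or None)."""
    cutoff = as_of - timedelta(days=max_age_days)  # assumed freshness window
    report = {}
    edges = response["data"]["organization"]["evidenceRequests"]["edges"]
    for edge in edges:
        req = edge["node"]
        # Only the items returned by the query are considered; evidence(first: 2)
        # caps that at two per request. Tolerate a null or absent connection.
        items = [e["node"] for e in (req.get("evidence") or {}).get("edges") or []]
        if not items:
            report[req["evidenceRequestId"]] = ("missing", None)
            continue
        newest = max(items, key=lambda n: parse_ts(n["effectiveAt"]))
        status = "stale" if parse_ts(newest["effectiveAt"]) < cutoff else "current"
        report[req["evidenceRequestId"]] = (status, newest["displayName"])
    return report

if __name__ == "__main__":
    as_of = datetime(2023, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for request_id, (status, name) in evidence_status(SAMPLE_RESPONSE, as_of).items():
        print(f"{request_id}: {status} ({name})")
```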

We can also query the external URL (the preSignedURL field) where each piece of evidence is hosted, so that it can be shared:

query GetDocuments {
  organization {
    evidenceRequests(first: 2, evidenceRequestIds: ["access-approval-required", "database-access-restricted"]) {
      edges {
        node {
          evidenceRequestId
          title
          description
          evidence(first: 2) {
            edges {
              node {
                preSignedURL
              }
            }
          }
        }
      }
    }
  }
}

{
  "data": {
    "organization": {
      "evidenceRequests": {
        "edges": [
          {
            "node": {
              "evidenceRequestId": "access-approval-required",
              "title": "Access to cardholder data and cardholder data environment require explicit management approval",
              "description": "Evidence that shows approval granted for those with access to the CDE and CHD.\n\nGuidance: Provide screenshot or sample tickets showing approval workflows and management signoff.",
              "evidence": {
                "edges": [
                  {
                    "node": {
                      "preSignedURL": "https://some-s3-bucket.us-east-1.amazonaws.com"
                    }
                  }
                ]
              }
            }
          },
          {
            "node": {
              "evidenceRequestId": "database-access-restricted",
              "title": "Access to databases is restricted to authorized DBA accounts or programmatic methods",
              "description": "Evidence that no direct access for non-DBA users is allowed to databases. \n\nGuidance: Provide screenshot of user access lists or roles and permissions for database access demonstrating:\n- No users outside of authorized DBAs can directly query databases containing cardholder data.\n- All access is restricted to authorized DBAs, and is only done through programmatic methods such as stored procedures or applications\n\nIf no cardholder data is stored in databases, use the 'Mark as not relevant' button and include an explanation.",
              "evidence": {
                "edges": [
                  {
                    "node": {
                      "preSignedURL": "https://some-s3-bucket.us-east-1.amazonaws.com"
                    }
                  },
                  {
                    "node": {
                      "preSignedURL": "https://some-s3-bucket.us-east-1.amazonaws.com"
                    }
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }
}

What’s Next

Let's look at a few examples of retrieving policies from the API.