Policy types for @turbot/turbot-iam

Turbot > IAM > Access Key > Expiration

Check if the access key has expired and provide a configurable warning period before enforcement.

Deactivate expired will deactivate the key on the expiration day.

Delete expired will delete the key on the expiration day.

During the warning period, this control will be in Alarm, but the access
key remains enabled and functional.

URI
tmod:@turbot/turbot-iam#/policy/types/accessKeyExpiration
Valid Value
[
"Skip",
"Check: Not expired",
"Check: Does not expire in next 1 day",
"Check: Does not expire in next 3 days",
"Check: Does not expire in next 7 days",
"Check: Does not expire in next 14 days",
"Check: Does not expire in next 30 days",
"Check: Does not expire in next 60 days",
"Check: Does not expire in next 90 days",
"Enforce: Deactivate expired",
"Enforce: Deactivate expired with 1 day warning",
"Enforce: Deactivate expired with 3 days warning",
"Enforce: Deactivate expired with 7 days warning",
"Enforce: Deactivate expired with 14 days warning",
"Enforce: Deactivate expired with 30 days warning",
"Enforce: Deactivate expired with 60 days warning",
"Enforce: Deactivate expired with 90 days warning",
"Enforce: Delete expired",
"Enforce: Delete expired with 1 day warning",
"Enforce: Delete expired with 3 days warning",
"Enforce: Delete expired with 7 days warning",
"Enforce: Delete expired with 14 days warning",
"Enforce: Delete expired with 30 days warning",
"Enforce: Delete expired with 60 days warning",
"Enforce: Delete expired with 90 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Not expired",
"Check: Does not expire in next 1 day",
"Check: Does not expire in next 3 days",
"Check: Does not expire in next 7 days",
"Check: Does not expire in next 14 days",
"Check: Does not expire in next 30 days",
"Check: Does not expire in next 60 days",
"Check: Does not expire in next 90 days",
"Enforce: Deactivate expired",
"Enforce: Deactivate expired with 1 day warning",
"Enforce: Deactivate expired with 3 days warning",
"Enforce: Deactivate expired with 7 days warning",
"Enforce: Deactivate expired with 14 days warning",
"Enforce: Deactivate expired with 30 days warning",
"Enforce: Deactivate expired with 60 days warning",
"Enforce: Deactivate expired with 90 days warning",
"Enforce: Delete expired",
"Enforce: Delete expired with 1 day warning",
"Enforce: Delete expired with 3 days warning",
"Enforce: Delete expired with 7 days warning",
"Enforce: Delete expired with 14 days warning",
"Enforce: Delete expired with 30 days warning",
"Enforce: Delete expired with 60 days warning",
"Enforce: Delete expired with 90 days warning"
],
"example": [
"Enforce: Delete expired with 7 days warning"
],
"default": "Skip"
}

Turbot > IAM > Access Key > Expiration > Days

Define the maximum age in days for profile access keys.

Default is 365 days, per the CIS Password Policy Guide.

URI
tmod:@turbot/turbot-iam#/policy/types/accessKeyExpirationDays
Schema
{
"type": "integer",
"minimum": 0,
"default": 365,
"tests": [
{
"description": "Valid expiration",
"input": 7
},
{
"description": "Invalid expiration",
"input": -1,
"expected": false
}
]
}

Turbot > IAM > Access Key > GA Schema Migration

Migrate access key schema to the required format for GA of Turbot v5.

URI
tmod:@turbot/turbot-iam#/policy/types/accessKeyGASchemaMigration
Valid Value
[
"Skip",
"Check: Migrated",
"Enforce: Migrated"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Migrated",
"Enforce: Migrated"
],
"default": "Check: Migrated"
}

Turbot > IAM > Group Profile > LDAP Synchronization

LDAP synchronization for Group Profiles periodically synchronizes LDAP Groups
from Active Directory.

The policy can be set on the LDAP Directory as a whole, or on individual Groups Profiles if exceptions are needed.

URI
tmod:@turbot/turbot-iam#/policy/types/groupLdapSynchronization
Category
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Turbot > IAM > Local Directory > User > GA Schema Migration

Migrate local directory user schema to the required format for GA of Turbot v5.

URI
tmod:@turbot/turbot-iam#/policy/types/localDirectoryUserGASchemaMigration
Valid Value
[
"Skip",
"Check: Migrated",
"Enforce: Migrated"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Migrated",
"Enforce: Migrated"
],
"default": "Check: Migrated"
}

Turbot > IAM > Local Directory > User > Password Minimum Length

Minimum password length for Local Directory Users.

Default is 14 characters, per the CIS Password Policy Guide.

URI
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumLength
Category
Schema
{
"type": "integer",
"minimum": 1,
"default": 14,
"tests": [
{
"input": 12
},
{
"input": 0,
"expected": false
}
]
}

Turbot > IAM > Local Directory > User > Password Minimum Lowercase Characters

Minimum number of lowercase characters required in passwords for Local Directory Users.

Default is 1, per the CIS Password Policy Guide.

URI
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumLowercaseCharacters
Category
Schema
{
"type": "integer",
"minimum": 0,
"default": 1,
"tests": [
{
"input": 2
},
{
"input": -1,
"expected": false
}
]
}

Turbot > IAM > Local Directory > User > Password Minimum Numeric Characters

Minimum number of numeric characters required in passwords for Local Directory Users.

Default is 1 character, per the CIS Password Policy Guide.

URI
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumNumericCharacters
Category
Schema
{
"type": "integer",
"minimum": 0,
"default": 1,
"tests": [
{
"input": 2
},
{
"input": -1,
"expected": false
}
]
}

Turbot > IAM > Local Directory > User > Password Minimum Symbolic Characters

Minimum number of symbolic characters required in passwords for Local Directory Users.

Default is 1 character, per the CIS Password Policy Guide.

URI
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumSymbolicCharacters
Category
Schema
{
"type": "integer",
"minimum": 0,
"default": 1,
"tests": [
{
"input": 2
},
{
"input": -1,
"expected": false
}
]
}

Turbot > IAM > Local Directory > User > Password Minimum Uppercase Characters

Minimum number of uppercase characters required in passwords for Local Directory Users.

Default is 1, per the CIS Password Policy Guide.

URI
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumUppercaseCharacters
Category
Schema
{
"type": "integer",
"minimum": 0,
"default": 1,
"tests": [
{
"input": 2
},
{
"input": -1,
"expected": false
}
]
}

Turbot > IAM > Local Directory > User > Password expiration period in hours

The period in hours after which the password for a Local Directory User is
considered expired. For example, a period of 2160 (90x24) hours will allow
the password to be used for up to 90 days before it must be changed.

Default is 8760 hours (365 days), per the CIS Password Policy Guide.

The maximum allowed value is 8760 hours, i.e. 365 days.

Note: Setting the value to -1 means the password never expires, whereas setting the value to 0 expires the password immediately.

URI
tmod:@turbot/turbot-iam#/policy/types/passwordExpirationPeriodInHours
Category
Schema
{
"type": "number",
"minimum": -1,
"maximum": 8760,
"default": 8760,
"tests": [
{
"input": 720
},
{
"input": 0,
"expected": true
},
{
"input": -2,
"expected": false
}
]
}
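The password policies above (Password Minimum Length through Password expiration period in hours) combine into one check at login or password change. The following is an added example, not Turbot's own code: it validates a candidate password against the documented defaults and computes expiry from the hours policy, covering the -1 (never expires) and 0 (expires immediately) cases and rejecting values outside the -1..8760 range. The function names, the sample passwords and dates are constructed for this example, and it assumes a "symbolic" character is anything that is not an ASCII letter or digit, which the page does not define.

```javascript
// Added example (not Turbot code): Local Directory password policy checks.
// Defaults are the ones documented on this page.
const DEFAULT_PASSWORD_POLICY = {
  minimumLength: 14,
  minimumLowercaseCharacters: 1,
  minimumUppercaseCharacters: 1,
  minimumNumericCharacters: 1,
  minimumSymbolicCharacters: 1,
  expirationPeriodInHours: 8760,
};

const MAX_EXPIRATION_HOURS = 8760; // schema "maximum"
const MIN_EXPIRATION_HOURS = -1;   // schema "minimum"; -1 means never expire

// Assumption: "symbolic" = not an ASCII letter or digit (the page does not define it).
const CHARACTER_CLASSES = {
  minimumLowercaseCharacters: /[a-z]/g,
  minimumUppercaseCharacters: /[A-Z]/g,
  minimumNumericCharacters: /[0-9]/g,
  minimumSymbolicCharacters: /[^A-Za-z0-9]/g,
};

// Returns { ok, failures } listing every policy the password fails.
function checkPasswordComplexity(password, policy = DEFAULT_PASSWORD_POLICY) {
  const failures = [];
  if (password.length < policy.minimumLength) {
    failures.push(`length ${password.length} is below the minimum of ${policy.minimumLength}`);
  }
  for (const [name, re] of Object.entries(CHARACTER_CLASSES)) {
    const count = (password.match(re) || []).length;
    if (count < policy[name]) failures.push(`${name}: found ${count}, need ${policy[name]}`);
  }
  return { ok: failures.length === 0, failures };
}

// Date at which a password set at `changedAt` expires, or null for "never".
// 0 hours expires it at changedAt itself, i.e. immediately.
function passwordExpiresAt(changedAt, hours = DEFAULT_PASSWORD_POLICY.expirationPeriodInHours) {
  if (typeof hours !== "number" || Number.isNaN(hours) ||
      hours < MIN_EXPIRATION_HOURS || hours > MAX_EXPIRATION_HOURS) {
    throw new RangeError(`expiration period must be between ${MIN_EXPIRATION_HOURS} and ${MAX_EXPIRATION_HOURS} hours`);
  }
  if (hours === -1) return null;
  return new Date(changedAt.getTime() + hours * 60 * 60 * 1000);
}

function isPasswordExpired(changedAt, hours, now) {
  const expiresAt = passwordExpiresAt(changedAt, hours);
  return expiresAt !== null && now.getTime() >= expiresAt.getTime();
}

// Constructed sample inputs (not real credentials).
const SAMPLE_PASSWORDS = {
  weak: "correcthorsebattery",   // long enough, but no uppercase, digit or symbol
  strong: "Tr0ub4dor&3xample!",  // 18 chars, all four classes present
};
const SAMPLE_CHANGED_AT = new Date(Date.UTC(2024, 0, 1)); // 2024-01-01T00:00Z

function demo() {
  return {
    weak: checkPasswordComplexity(SAMPLE_PASSWORDS.weak),
    strong: checkPasswordComplexity(SAMPLE_PASSWORDS.strong),
    // 2160 hours = 90 days: 2024-01-01 + 90 days = 2024-03-31 (leap year)
    expiredAfter90Days: isPasswordExpired(SAMPLE_CHANGED_AT, 2160, new Date(Date.UTC(2024, 3, 1))),
    notYetExpired: isPasswordExpired(SAMPLE_CHANGED_AT, 2160, new Date(Date.UTC(2024, 2, 30))),
    zeroHoursExpiresImmediately: isPasswordExpired(SAMPLE_CHANGED_AT, 0, SAMPLE_CHANGED_AT),
    minusOneNeverExpires: passwordExpiresAt(SAMPLE_CHANGED_AT, -1),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hours policy is a "number" in the schema, so fractional hours are accepted here as well; anything below -1 or above 8760 is rejected before any date arithmetic, matching the schema's own -2 test case.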

Turbot > IAM > Permissions

URI
tmod:@turbot/turbot-iam#/policy/types/permissions
Targets

Turbot > IAM > Permissions > Compiled

URI
tmod:@turbot/turbot-iam#/policy/types/permissionsCompiled
Targets

Turbot > IAM > Permissions > Compiled > Levels

A calculated policy that Turbot uses to create a single list of ALL effective permissions levels for all services.

URI
tmod:@turbot/turbot-iam#/policy/types/permissionsCompiledLevels
Targets

Turbot > IAM > Permissions > Compiled > Levels > Turbot

A list of turbot permissions that Turbot may use to grant permissions on folders and above.

URI
tmod:@turbot/turbot-iam#/policy/types/turbotPermissionsCompiledLevels
Targets
Schema
{
"type": "array",
"default": [
{
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot",
"level": "tmod:@turbot/turbot-iam#/permission/levels/user"
},
{
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot",
"level": "tmod:@turbot/turbot-iam#/permission/levels/metadata"
},
{
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot",
"level": "tmod:@turbot/turbot-iam#/permission/levels/readonly"
},
{
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot",
"level": "tmod:@turbot/turbot-iam#/permission/levels/operator"
},
{
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot",
"level": "tmod:@turbot/turbot-iam#/permission/levels/admin"
},
{
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot",
"level": "tmod:@turbot/turbot-iam#/permission/levels/owner"
}
],
"items": {
"description": "Internal format for Turbot Levels.",
"type": "object",
"properties": {
"level": {
"type": "string",
"format": "uri-reference",
".turbot": {
"uri": "tmod:@turbot/turbot#/definitions/$ref",
"modUri": "tmod:@turbot/turbot"
},
"pattern": "user|metadata|readonly|admin|owner|operator"
},
"type": {
"type": "string",
"format": "uri-reference",
".turbot": {
"uri": "tmod:@turbot/turbot#/definitions/$ref",
"modUri": "tmod:@turbot/turbot"
},
"pattern": "^tmod:@turbot/turbot"
}
},
"required": [
"level",
"type"
],
"additionalProperties": false,
"tests": [
{
"description": "Valid level definition",
"input": {
"level": "tmod:@turbot/turbot-iam#/permission/levels/admin",
"type": "tmod:@turbot/turbot-iam#/permission/types/turbot"
}
},
{
"description": "invalid type definition",
"input": {
"level": "tmod:@turbot/turbot-iam#/permission/levels/admin",
"type": "tmod:@turbot/azure-s3#/permission/types/s3"
},
"expected": false
},
{
"description": "Invalid - Levels includes a non #/permission/levels/* path",
"expected": false,
"input": {
"level": "#/definitions/foo",
"type": "#/permission/types/foo"
}
},
{
"description": "Invalid - Types includes a non #/permission/types/* path",
"expected": false,
"input": {
"level": "#/permission/levels/user",
"type": "#/definitions/bar"
}
}
],
".turbot": {
"uri": "tmod:@turbot/turbot-iam#/definitions/turbotLevelDefinition",
"modUri": "tmod:@turbot/turbot-iam"
}
}
}
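The item schema above does its real work in two "pattern" constraints plus "required" and "additionalProperties". The following is an added example, not Turbot's validator: it reimplements just those four keywords and runs the schema's own four test cases through them, then shows the caveat a reviewer would flag, namely that the level pattern is unanchored, so any path containing one of the level words passes the regex on its own. The function and constant names are invented for this example; the real validator also applies "format" and the .turbot $ref metadata, which this does not model.

```javascript
// Added example (not Turbot code): minimal check mirroring the Turbot Levels
// item schema's "required", "additionalProperties" and two "pattern" keywords.
const LEVEL_PATTERN = /user|metadata|readonly|admin|owner|operator/; // copied from the schema; unanchored
const TYPE_PATTERN = /^tmod:@turbot\/turbot/;                         // copied from the schema
const ALLOWED_KEYS = ["level", "type"];

// Returns { valid, errors } for one { level, type } item.
function validateLevelDefinition(item) {
  if (item === null || typeof item !== "object" || Array.isArray(item)) {
    return { valid: false, errors: ["item is not an object"] };
  }
  const errors = [];
  for (const key of Object.keys(item)) {
    if (!ALLOWED_KEYS.includes(key)) errors.push(`additional property "${key}" is not allowed`);
  }
  for (const key of ALLOWED_KEYS) {
    if (typeof item[key] !== "string") errors.push(`"${key}" is required and must be a string`);
  }
  if (typeof item.level === "string" && !LEVEL_PATTERN.test(item.level)) {
    errors.push("level does not match pattern");
  }
  if (typeof item.type === "string" && !TYPE_PATTERN.test(item.type)) {
    errors.push("type does not match pattern");
  }
  return { valid: errors.length === 0, errors };
}

// The four test cases from the schema above, verbatim.
const SCHEMA_TEST_CASES = [
  { description: "Valid level definition",
    input: { level: "tmod:@turbot/turbot-iam#/permission/levels/admin",
             type: "tmod:@turbot/turbot-iam#/permission/types/turbot" }, expected: true },
  { description: "invalid type definition",
    input: { level: "tmod:@turbot/turbot-iam#/permission/levels/admin",
             type: "tmod:@turbot/azure-s3#/permission/types/s3" }, expected: false },
  { description: "Invalid - Levels includes a non #/permission/levels/* path",
    input: { level: "#/definitions/foo", type: "#/permission/types/foo" }, expected: false },
  { description: "Invalid - Types includes a non #/permission/types/* path",
    input: { level: "#/permission/levels/user", type: "#/definitions/bar" }, expected: false },
];

// Returns the cases whose outcome differs from the schema's expectation (empty = all pass).
function runSchemaTestCases(cases = SCHEMA_TEST_CASES) {
  return cases
    .map(c => ({ ...c, actual: validateLevelDefinition(c.input).valid }))
    .filter(r => r.actual !== r.expected);
}

// Caveat: constructed input that the unanchored level regex accepts because
// "superuser" contains "user". Only the $ref resolution the schema's .turbot
// metadata implies (not modelled here) would reject it.
const UNANCHORED_PATTERN_EXAMPLE = {
  level: "tmod:@turbot/turbot-iam#/permission/levels/superuser",
  type: "tmod:@turbot/turbot-iam#/permission/types/turbot",
};

console.log("schema test mismatches:", runSchemaTestCases());
console.log("unanchored example passes regex check:", validateLevelDefinition(UNANCHORED_PATTERN_EXAMPLE).valid);
```

If you maintain a similar schema of your own, anchoring the level pattern (for example `/#\/permission\/levels\/(user|metadata|readonly|admin|owner|operator)$/`) closes the gap the constructed example shows.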

Turbot > IAM > Profile > Expiration

Check if a profile has expired and provide a configurable warning period before deactivation. After profile deactivation, any active access keys linked to the profile are no longer treated as active. To reactivate a profile, the user simply needs to log into the Turbot Console again via their Directory source.

URI
tmod:@turbot/turbot-iam#/policy/types/profileExpiration
Valid Value
[
"Skip",
"Check: Not expired",
"Check: Does not expire in next 1 day",
"Check: Does not expire in next 3 days",
"Check: Does not expire in next 7 days",
"Check: Does not expire in next 14 days",
"Check: Does not expire in next 30 days",
"Check: Does not expire in next 60 days",
"Check: Does not expire in next 90 days",
"Enforce: Deactivate expired",
"Enforce: Deactivate expired with 1 day warning",
"Enforce: Deactivate expired with 3 days warning",
"Enforce: Deactivate expired with 7 days warning",
"Enforce: Deactivate expired with 14 days warning",
"Enforce: Deactivate expired with 30 days warning",
"Enforce: Deactivate expired with 60 days warning",
"Enforce: Deactivate expired with 90 days warning",
"Enforce: Delete expired",
"Enforce: Delete expired with 1 day warning",
"Enforce: Delete expired with 3 days warning",
"Enforce: Delete expired with 7 days warning",
"Enforce: Delete expired with 14 days warning",
"Enforce: Delete expired with 30 days warning",
"Enforce: Delete expired with 60 days warning",
"Enforce: Delete expired with 90 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Not expired",
"Check: Does not expire in next 1 day",
"Check: Does not expire in next 3 days",
"Check: Does not expire in next 7 days",
"Check: Does not expire in next 14 days",
"Check: Does not expire in next 30 days",
"Check: Does not expire in next 60 days",
"Check: Does not expire in next 90 days",
"Enforce: Deactivate expired",
"Enforce: Deactivate expired with 1 day warning",
"Enforce: Deactivate expired with 3 days warning",
"Enforce: Deactivate expired with 7 days warning",
"Enforce: Deactivate expired with 14 days warning",
"Enforce: Deactivate expired with 30 days warning",
"Enforce: Deactivate expired with 60 days warning",
"Enforce: Deactivate expired with 90 days warning",
"Enforce: Delete expired",
"Enforce: Delete expired with 1 day warning",
"Enforce: Delete expired with 3 days warning",
"Enforce: Delete expired with 7 days warning",
"Enforce: Delete expired with 14 days warning",
"Enforce: Delete expired with 30 days warning",
"Enforce: Delete expired with 60 days warning",
"Enforce: Delete expired with 90 days warning"
],
"example": [
"Check: Does not expire in next 7 days"
],
"default": "Skip"
}

Turbot > IAM > Profile > Expiration > Days

Define the maximum age in days allowed for profiles since last login.

URI
tmod:@turbot/turbot-iam#/policy/types/profileExpirationDays
Schema
{
"type": "integer",
"minimum": 0,
"tests": [
{
"description": "Valid expiration",
"input": 7
},
{
"description": "Invalid expiration",
"input": -1,
"expected": false
}
],
"default": 0
}
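Both Access Key > Expiration and Profile > Expiration use the same value strings and the same pairing with a Days policy: the object's age is measured from a reference date (key creation for access keys, last login for profiles) against the Days maximum, and the warning period in the chosen value decides when the control goes to Alarm before anything is enforced. The following is an added example, not Turbot's own control code, that evaluates those semantics for one object. The function names, sample dates and the rule that an object is expired from exactly reference + Days (so Days = 0 expires it immediately, which matters because Profile > Expiration > Days defaults to 0) are this example's assumptions.

```javascript
// Added example (not Turbot code): evaluate an expiration policy value against
// one object's reference date and the Days policy.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse a value such as "Enforce: Delete expired with 7 days warning" into
// { mode: "skip"|"check"|"enforce", action: "deactivate"|"delete"|null, warningDays }.
function parseExpirationPolicy(value) {
  if (value === "Skip") return { mode: "skip", action: null, warningDays: 0 };
  if (value === "Check: Not expired") return { mode: "check", action: null, warningDays: 0 };
  let m = /^Check: Does not expire in next (\d+) days?$/.exec(value);
  if (m) return { mode: "check", action: null, warningDays: Number(m[1]) };
  m = /^Enforce: (Deactivate|Delete) expired(?: with (\d+) days? warning)?$/.exec(value);
  if (m) return { mode: "enforce", action: m[1].toLowerCase(), warningDays: m[2] ? Number(m[2]) : 0 };
  throw new Error(`unrecognised expiration policy value: ${value}`);
}

// Returns { state: "skip"|"ok"|"alarm", expired, action, expiresAt }.
// "action" is only set when an Enforce value is applied to an expired object;
// inside the warning window the state is Alarm but nothing is enforced.
function evaluateExpiration({ referenceDate, maxAgeDays, policyValue, now }) {
  const policy = parseExpirationPolicy(policyValue);
  if (policy.mode === "skip") return { state: "skip", expired: false, action: null, expiresAt: null };
  if (!Number.isInteger(maxAgeDays) || maxAgeDays < 0) throw new RangeError("Days must be an integer >= 0");
  const expiresAt = new Date(referenceDate.getTime() + maxAgeDays * DAY_MS); // assumption: expired from this instant
  const warnAt = new Date(expiresAt.getTime() - policy.warningDays * DAY_MS);
  if (now.getTime() >= expiresAt.getTime()) {
    return { state: "alarm", expired: true, action: policy.mode === "enforce" ? policy.action : null, expiresAt };
  }
  if (now.getTime() >= warnAt.getTime()) {
    return { state: "alarm", expired: false, action: null, expiresAt }; // warning period
  }
  return { state: "ok", expired: false, action: null, expiresAt };
}

// Constructed sample data; UTC dates keep the arithmetic timezone-free.
const SAMPLE_ACCESS_KEY = { created: new Date(Date.UTC(2024, 0, 1)) };  // 2024-01-01
const SAMPLE_PROFILE = { lastLogin: new Date(Date.UTC(2024, 9, 1)) };   // 2024-10-01

function demo() {
  const keyPolicy = "Enforce: Delete expired with 7 days warning";
  return {
    // key expires 2024-12-31 (365 days, leap year); 2024-12-28 is inside the 7-day warning
    keyInWarning: evaluateExpiration({ referenceDate: SAMPLE_ACCESS_KEY.created, maxAgeDays: 365,
      policyValue: keyPolicy, now: new Date(Date.UTC(2024, 11, 28)) }),
    // past expiry: Enforce applies the delete action
    keyExpired: evaluateExpiration({ referenceDate: SAMPLE_ACCESS_KEY.created, maxAgeDays: 365,
      policyValue: keyPolicy, now: new Date(Date.UTC(2025, 0, 2)) }),
    // profile idle for more than 90 days since last login
    profileExpired: evaluateExpiration({ referenceDate: SAMPLE_PROFILE.lastLogin, maxAgeDays: 90,
      policyValue: "Enforce: Deactivate expired", now: new Date(Date.UTC(2025, 0, 15)) }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Because a Check value never sets an action, running a fleet first under "Check: Does not expire in next N days" with the same N you intend to enforce shows exactly which keys and profiles would go to Alarm before you switch to the Enforce value.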

Turbot > IAM > Profile > Grants

URI
tmod:@turbot/turbot-iam#/policy/types/profileGrants
Category
Targets

Turbot > IAM > Profile > Grants > Deactivate

Check if a profile has expired and provide a configurable warning period before deactivating the grants.

Deactivate grants will deactivate the grants on the profile.

URI
tmod:@turbot/turbot-iam#/policy/types/profileGrantsDeactivate
Category
Valid Value
[
"Skip",
"Check: Deactivate grants for expired profile",
"Enforce: Deactivate grants for expired profile",
"Enforce: Deactivate grants for expired profile with 1 day warning",
"Enforce: Deactivate grants for expired profile with 3 days warning",
"Enforce: Deactivate grants for expired profile with 14 days warning",
"Enforce: Deactivate grants for expired profile with 30 days warning",
"Enforce: Deactivate grants for expired profile with 60 days warning",
"Enforce: Deactivate grants for expired profile with 90 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Deactivate grants for expired profile",
"Enforce: Deactivate grants for expired profile",
"Enforce: Deactivate grants for expired profile with 1 day warning",
"Enforce: Deactivate grants for expired profile with 3 days warning",
"Enforce: Deactivate grants for expired profile with 14 days warning",
"Enforce: Deactivate grants for expired profile with 30 days warning",
"Enforce: Deactivate grants for expired profile with 60 days warning",
"Enforce: Deactivate grants for expired profile with 90 days warning"
],
"example": [
"Check: Deactivate grants for expired profile"
],
"default": "Skip"
}

Turbot > IAM > Profile > Grants > Delete

Check if a profile has expired and provide a configurable warning period before deleting the grants.

Delete grants will delete the grants on the profile.

URI
tmod:@turbot/turbot-iam#/policy/types/profileGrantsDelete
Category
Valid Value
[
"Skip",
"Check: Delete grants for expired profile",
"Enforce: Delete grants for expired profile",
"Enforce: Delete grants for expired profile with 1 day warning",
"Enforce: Delete grants for expired profile with 3 days warning",
"Enforce: Delete grants for expired profile with 14 days warning",
"Enforce: Delete grants for expired profile with 30 days warning",
"Enforce: Delete grants for expired profile with 60 days warning",
"Enforce: Delete grants for expired profile with 90 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Delete grants for expired profile",
"Enforce: Delete grants for expired profile",
"Enforce: Delete grants for expired profile with 1 day warning",
"Enforce: Delete grants for expired profile with 3 days warning",
"Enforce: Delete grants for expired profile with 14 days warning",
"Enforce: Delete grants for expired profile with 30 days warning",
"Enforce: Delete grants for expired profile with 60 days warning",
"Enforce: Delete grants for expired profile with 90 days warning"
],
"example": [
"Check: Delete grants for expired profile"
],
"default": "Skip"
}

Turbot > IAM > Profile > LDAP Synchronization

LDAP synchronization for Profiles periodically synchronizes LDAP Users
from Active Directory.

The policy can be set on the LDAP Directory as a whole, or on individual Profiles if exceptions are needed.

URI
tmod:@turbot/turbot-iam#/policy/types/profileLdapSynchronization
Category
Valid Value
[
"Skip",
"Check: Active",
"Enforce: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Active",
"Enforce: Active",
"Enforce: Delete inactive with 1 day warning",
"Enforce: Delete inactive with 3 days warning",
"Enforce: Delete inactive with 7 days warning",
"Enforce: Delete inactive with 14 days warning",
"Enforce: Delete inactive with 30 days warning",
"Enforce: Delete inactive with 60 days warning",
"Enforce: Delete inactive with 90 days warning",
"Enforce: Delete inactive with 180 days warning",
"Enforce: Delete inactive with 365 days warning"
],
"example": [
"Check: Active"
],
"default": "Skip"
}

Turbot > IAM > SAML Directory > Group Synchronization

Synchronize the profile's group memberships from SAML during login.

URI
tmod:@turbot/turbot-iam#/policy/types/samlGroupSync
Category
Valid Value
[
"Skip",
"Enforce: Enabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled"
],
"example": [
"Enforce: Enabled"
],
"default": "Skip"
}

Turbot > Workspace > Console Session Timeout

Session timeout (in minutes) for Turbot authentication tokens used in the user
interface and other API sessions. The default is 12 hours.

While using the user interface your token will be automatically refreshed on a
regular basis, so in practice this timeout reflects the period of inactivity
rather than a fixed session length.

Access keys are not subject to this timeout. Access keys are long-lived tokens
(with their own expiration) that may be used to initiate a session, which then
has this timeout.

URI
tmod:@turbot/turbot-iam#/policy/types/turbotConsoleSessionTimeoutMins
Category
Targets
Schema
{
"type": "integer",
"minimum": 15,
"default": 720,
"tests": [
{
"input": 90
},
{
"input": 10,
"expected": false
}
]
}