Policy types for @turbot/turbot-iam
- Turbot > IAM > Access Key > Expiration
- Turbot > IAM > Access Key > Expiration > Days
- Turbot > IAM > Access Key > GA Schema Migration
- Turbot > IAM > Group Profile > LDAP Synchronization
- Turbot > IAM > Local Directory > User > GA Schema Migration
- Turbot > IAM > Local Directory > User > Password Minimum Length
- Turbot > IAM > Local Directory > User > Password Minimum Lowercase Characters
- Turbot > IAM > Local Directory > User > Password Minimum Numeric Characters
- Turbot > IAM > Local Directory > User > Password Minimum Symbolic Characters
- Turbot > IAM > Local Directory > User > Password Minimum Uppercase Characters
- Turbot > IAM > Local Directory > User > Password expiration period in hours
- Turbot > IAM > Permissions
- Turbot > IAM > Permissions > Compiled
- Turbot > IAM > Permissions > Compiled > Levels
- Turbot > IAM > Permissions > Compiled > Levels > Turbot
- Turbot > IAM > Profile > Expiration
- Turbot > IAM > Profile > Expiration > Days
- Turbot > IAM > Profile > Grants
- Turbot > IAM > Profile > Grants > Deactivate
- Turbot > IAM > Profile > Grants > Delete
- Turbot > IAM > Profile > LDAP Synchronization
- Turbot > IAM > SAML Directory > Group Synchronization
- Turbot > Workspace > Console Session Timeout
Turbot > IAM > Access Key > Expiration
Check if the access key has expired and provide a configurable warning period before enforcement.
"Deactivate expired" will deactivate the key on the expiration day.
"Delete expired" will delete the key on the expiration day.
During the warning period, this control will be in Alarm, but the access
key remains enabled and functional.
tmod:@turbot/turbot-iam#/policy/types/accessKeyExpiration
[ "Skip", "Check: Not expired", "Check: Does not expire in next 1 day", "Check: Does not expire in next 3 days", "Check: Does not expire in next 7 days", "Check: Does not expire in next 14 days", "Check: Does not expire in next 30 days", "Check: Does not expire in next 60 days", "Check: Does not expire in next 90 days", "Enforce: Deactivate expired", "Enforce: Deactivate expired with 1 day warning", "Enforce: Deactivate expired with 3 days warning", "Enforce: Deactivate expired with 7 days warning", "Enforce: Deactivate expired with 14 days warning", "Enforce: Deactivate expired with 30 days warning", "Enforce: Deactivate expired with 60 days warning", "Enforce: Deactivate expired with 90 days warning", "Enforce: Delete expired", "Enforce: Delete expired with 1 day warning", "Enforce: Delete expired with 3 days warning", "Enforce: Delete expired with 7 days warning", "Enforce: Delete expired with 14 days warning", "Enforce: Delete expired with 30 days warning", "Enforce: Delete expired with 60 days warning", "Enforce: Delete expired with 90 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Not expired", "Check: Does not expire in next 1 day", "Check: Does not expire in next 3 days", "Check: Does not expire in next 7 days", "Check: Does not expire in next 14 days", "Check: Does not expire in next 30 days", "Check: Does not expire in next 60 days", "Check: Does not expire in next 90 days", "Enforce: Deactivate expired", "Enforce: Deactivate expired with 1 day warning", "Enforce: Deactivate expired with 3 days warning", "Enforce: Deactivate expired with 7 days warning", "Enforce: Deactivate expired with 14 days warning", "Enforce: Deactivate expired with 30 days warning", "Enforce: Deactivate expired with 60 days warning", "Enforce: Deactivate expired with 90 days warning", "Enforce: Delete expired", "Enforce: Delete expired with 1 day warning", "Enforce: Delete expired with 3 days warning", "Enforce: Delete expired with 7 days warning", "Enforce: Delete expired with 14 days warning", "Enforce: Delete expired with 30 days warning", "Enforce: Delete expired with 60 days warning", "Enforce: Delete expired with 90 days warning" ], "example": [ "Enforce: Delete expired with 7 days warning" ], "default": "Skip"}
Turbot > IAM > Access Key > Expiration > Days
Define the maximum age in days for profile access keys.
Default is 365 days, per the CIS Password Policy Guide.
tmod:@turbot/turbot-iam#/policy/types/accessKeyExpirationDays
{ "type": "integer", "minimum": 0, "default": 365, "tests": [ { "description": "Valid expiration", "input": 7 }, { "description": "Invalid expiration", "input": -1, "expected": false } ]}
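The following added example (not Turbot's code) shows how an Access Key > Expiration value combines with Access Key > Expiration > Days. It assumes a key expires the configured number of days after its creation time; the function names, the `status` labels and the sample dates are constructed for illustration.

```javascript
// Added example: interprets an Access Key > Expiration policy value together
// with Access Key > Expiration > Days. Illustrative only, not Turbot's implementation.
const DAY_MS = 24 * 60 * 60 * 1000;

// Split a value such as "Enforce: Delete expired with 7 days warning"
// into its mode, enforcement action and warning window (in days).
function parseExpirationPolicy(value) {
  if (value === "Skip") return { mode: "skip", action: null, warningDays: 0 };
  let m = /^Check: (?:Not expired|Does not expire in next (\d+) days?)$/.exec(value);
  if (m) return { mode: "check", action: null, warningDays: Number(m[1] || 0) };
  m = /^Enforce: (Deactivate|Delete) expired(?: with (\d+) days? warning)?$/.exec(value);
  if (m) return { mode: "enforce", action: m[1].toLowerCase(), warningDays: Number(m[2] || 0) };
  throw new Error(`Unrecognised policy value: ${value}`);
}

// Assumption: the key expires maxAgeDays after createdAt.
// status "warning" is the period in which the control is in Alarm while the
// key stays enabled; the action is only returned once the key has expired.
function evaluateAccessKey(policyValue, maxAgeDays, createdAt, now) {
  if (!Number.isInteger(maxAgeDays) || maxAgeDays < 0) {
    throw new RangeError("Expiration > Days must be an integer >= 0");
  }
  const policy = parseExpirationPolicy(policyValue);
  if (policy.mode === "skip") return { status: "skipped", action: null, keyUsable: true };
  const daysLeft = (createdAt.getTime() + maxAgeDays * DAY_MS - now.getTime()) / DAY_MS;
  if (daysLeft <= 0) {
    // Expired: Check only reports; Enforce deactivates or deletes the key.
    return policy.mode === "enforce"
      ? { status: "expired", action: policy.action, keyUsable: false }
      : { status: "expired", action: null, keyUsable: true };
  }
  if (daysLeft <= policy.warningDays) {
    return { status: "warning", action: null, keyUsable: true };
  }
  return { status: "ok", action: null, keyUsable: true };
}

// Constructed sample: a key created on 2024-01-01 with the default 365 days.
const created = new Date("2024-01-01T00:00:00Z");
for (const day of ["2024-12-01", "2024-12-27", "2025-01-02"]) {
  const result = evaluateAccessKey(
    "Enforce: Deactivate expired with 7 days warning", 365, created,
    new Date(`${day}T00:00:00Z`));
  console.log(day, JSON.stringify(result));
}
```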
Turbot > IAM > Access Key > GA Schema Migration
Migrate access key schema to the required format for GA of Turbot v5.
tmod:@turbot/turbot-iam#/policy/types/accessKeyGASchemaMigration
[ "Skip", "Check: Migrated", "Enforce: Migrated"]
{ "type": "string", "enum": [ "Skip", "Check: Migrated", "Enforce: Migrated" ], "default": "Check: Migrated"}
Turbot > IAM > Group Profile > LDAP Synchronization
LDAP synchronization for Group Profiles enables synchronization of LDAP Groups from Active Directory at certain intervals of time.
The policy can be set on the LDAP Directory as a whole, or on individual Group Profiles if exceptions are needed.
tmod:@turbot/turbot-iam#/policy/types/groupLdapSynchronization
[ "Skip", "Check: Active", "Enforce: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Turbot > IAM > Local Directory > User > GA Schema Migration
Migrate local directory user schema to the required format for GA of Turbot v5.
tmod:@turbot/turbot-iam#/policy/types/localDirectoryUserGASchemaMigration
[ "Skip", "Check: Migrated", "Enforce: Migrated"]
{ "type": "string", "enum": [ "Skip", "Check: Migrated", "Enforce: Migrated" ], "default": "Check: Migrated"}
Turbot > IAM > Local Directory > User > Password Minimum Length
Minimum password length for Local Directory Users.
Default is 14 characters, per the CIS Password Policy Guide.
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumLength
{ "type": "integer", "minimum": 1, "default": 14, "tests": [ { "input": 12 }, { "input": 0, "expected": false } ]}
Turbot > IAM > Local Directory > User > Password Minimum Lowercase Characters
Minimum number of lowercase characters required in passwords for Local Directory Users.
Default is 1, per the CIS Password Policy Guide.
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumLowercaseCharacters
{ "type": "integer", "minimum": 0, "default": 1, "tests": [ { "input": 2 }, { "input": -1, "expected": false } ]}
Turbot > IAM > Local Directory > User > Password Minimum Numeric Characters
Minimum number of numeric characters required in passwords for Local Directory Users.
Default is 1 character, per the CIS Password Policy Guide.
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumNumericCharacters
{ "type": "integer", "minimum": 0, "default": 1, "tests": [ { "input": 2 }, { "input": -1, "expected": false } ]}
Turbot > IAM > Local Directory > User > Password Minimum Symbolic Characters
Minimum number of symbolic characters required in passwords for Local Directory Users.
Default is 1 character, per the CIS Password Policy Guide.
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumSymbolicCharacters
{ "type": "integer", "minimum": 0, "default": 1, "tests": [ { "input": 2 }, { "input": -1, "expected": false } ]}
Turbot > IAM > Local Directory > User > Password Minimum Uppercase Characters
Minimum number of uppercase characters required in passwords for Local Directory Users.
Default is 1, per the CIS Password Policy Guide.
tmod:@turbot/turbot-iam#/policy/types/passwordMinimumUppercaseCharacters
{ "type": "integer", "minimum": 0, "default": 1, "tests": [ { "input": 2 }, { "input": -1, "expected": false } ]}
Turbot > IAM > Local Directory > User > Password expiration period in hours
The period in hours after which the password for a Local Directory User is
considered expired. For example, a period of 2160 (90x24) hours will allow
the password to be used for up to 90 days before it must be changed.
Default is 8760 hours (365 days), per the CIS Password Policy Guide.
The maximum allowed value is 8760 hours, i.e. 365 days.
Note: Setting the value to -1 will never expire the password, whereas setting the value to 0 will expire the password.
tmod:@turbot/turbot-iam#/policy/types/passwordExpirationPeriodInHours
{ "type": "number", "minimum": -1, "maximum": 8760, "default": 8760, "tests": [ { "input": 720 }, { "input": 0, "expected": true }, { "input": -2, "expected": false } ]}
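The following added example (not Turbot's code) applies the Local Directory > User password policies above, using the defaults listed on this page, and handles the -1 and 0 special cases of the expiration period. The function names and the ASCII character classes, including what counts as "symbolic", are assumptions made for illustration.

```javascript
// Added example: checks a candidate password and its age against the Local
// Directory > User password policies. Illustrative only, not Turbot's implementation.
const DEFAULTS = {
  minLength: 14,      // Password Minimum Length
  minLowercase: 1,    // Password Minimum Lowercase Characters
  minUppercase: 1,    // Password Minimum Uppercase Characters
  minNumeric: 1,      // Password Minimum Numeric Characters
  minSymbolic: 1,     // Password Minimum Symbolic Characters
};

// Assumption: ASCII character classes; "symbolic" means anything that is not
// an ASCII letter, digit or whitespace.
const CLASSES = {
  minLowercase: /[a-z]/g,
  minUppercase: /[A-Z]/g,
  minNumeric: /[0-9]/g,
  minSymbolic: /[^A-Za-z0-9\s]/g,
};

// Returns the names of the policies the password fails (empty array = pass).
function checkPassword(password, policy = DEFAULTS) {
  const failures = [];
  if (password.length < policy.minLength) failures.push("minLength");
  for (const [name, re] of Object.entries(CLASSES)) {
    const count = (password.match(re) || []).length;
    if (count < policy[name]) failures.push(name);
  }
  return failures;
}

// Password expiration period in hours: -1 never expires, 0 is expired,
// and values outside -1..8760 are rejected as the schema does.
function isPasswordExpired(periodHours, lastChanged, now) {
  if (typeof periodHours !== "number" || Number.isNaN(periodHours) ||
      periodHours < -1 || periodHours > 8760) {
    throw new RangeError("period must be between -1 and 8760 hours");
  }
  if (periodHours === -1) return false;
  if (periodHours === 0) return true;
  const ageHours = (now.getTime() - lastChanged.getTime()) / 3600000;
  return ageHours >= periodHours;
}

// Constructed sample inputs.
console.log(checkPassword("correct horse battery"));
console.log(checkPassword("Constructed-Sample-2024"));
console.log(isPasswordExpired(2160, new Date("2024-01-01T00:00:00Z"),
                              new Date("2024-04-01T00:00:00Z")));
```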
Turbot > IAM > Permissions
tmod:@turbot/turbot-iam#/policy/types/permissions
Turbot > IAM > Permissions > Compiled
tmod:@turbot/turbot-iam#/policy/types/permissionsCompiled
Turbot > IAM > Permissions > Compiled > Levels
A calculated policy that Turbot uses to create a single list of ALL effective permissions levels for all services.
tmod:@turbot/turbot-iam#/policy/types/permissionsCompiledLevels
Turbot > IAM > Permissions > Compiled > Levels > Turbot
A list of turbot permissions that Turbot may use to grant permissions on folders and above.
tmod:@turbot/turbot-iam#/policy/types/turbotPermissionsCompiledLevels
{ "type": "array", "default": [ { "type": "tmod:@turbot/turbot-iam#/permission/types/turbot", "level": "tmod:@turbot/turbot-iam#/permission/levels/user" }, { "type": "tmod:@turbot/turbot-iam#/permission/types/turbot", "level": "tmod:@turbot/turbot-iam#/permission/levels/metadata" }, { "type": "tmod:@turbot/turbot-iam#/permission/types/turbot", "level": "tmod:@turbot/turbot-iam#/permission/levels/readonly" }, { "type": "tmod:@turbot/turbot-iam#/permission/types/turbot", "level": "tmod:@turbot/turbot-iam#/permission/levels/operator" }, { "type": "tmod:@turbot/turbot-iam#/permission/types/turbot", "level": "tmod:@turbot/turbot-iam#/permission/levels/admin" }, { "type": "tmod:@turbot/turbot-iam#/permission/types/turbot", "level": "tmod:@turbot/turbot-iam#/permission/levels/owner" } ], "items": { "description": "Internal format for Turbot Levels.", "type": "object", "properties": { "level": { "type": "string", "format": "uri-reference", ".turbot": { "uri": "tmod:@turbot/turbot#/definitions/$ref", "modUri": "tmod:@turbot/turbot" }, "pattern": "user|metadata|readonly|admin|owner|operator" }, "type": { "type": "string", "format": "uri-reference", ".turbot": { "uri": "tmod:@turbot/turbot#/definitions/$ref", "modUri": "tmod:@turbot/turbot" }, "pattern": "^tmod:@turbot/turbot" } }, "required": [ "level", "type" ], "additionalProperties": false, "tests": [ { "description": "Valid level definition", "input": { "level": "tmod:@turbot/turbot-iam#/permission/levels/admin", "type": "tmod:@turbot/turbot-iam#/permission/types/turbot" } }, { "description": "invalid type definition", "input": { "level": "tmod:@turbot/turbot-iam#/permission/levels/admin", "type": "tmod:@turbot/azure-s3#/permission/types/s3" }, "expected": false }, { "description": "Invalid - Levels includes a non #/permission/levels/* path", "expected": false, "input": { "level": "#/definitions/foo", "type": "#/permission/types/foo" } }, { "description": "Invalid - Types includes a non #/permission/types/* path", 
"expected": false, "input": { "level": "#/permission/levels/user", "type": "#/definitions/bar" } } ], ".turbot": { "uri": "tmod:@turbot/turbot-iam#/definitions/turbotLevelDefinition", "modUri": "tmod:@turbot/turbot-iam" } }}
Turbot > IAM > Profile > Expiration
Check if a profile has expired and provide a configurable warning period before deactivation. After profile deactivation, any active access keys linked to the profile will no longer be treated as active. To reactivate a profile, a user simply needs to log in to the Turbot Console again via their Directory source.
tmod:@turbot/turbot-iam#/policy/types/profileExpiration
[ "Skip", "Check: Not expired", "Check: Does not expire in next 1 day", "Check: Does not expire in next 3 days", "Check: Does not expire in next 7 days", "Check: Does not expire in next 14 days", "Check: Does not expire in next 30 days", "Check: Does not expire in next 60 days", "Check: Does not expire in next 90 days", "Enforce: Deactivate expired", "Enforce: Deactivate expired with 1 day warning", "Enforce: Deactivate expired with 3 days warning", "Enforce: Deactivate expired with 7 days warning", "Enforce: Deactivate expired with 14 days warning", "Enforce: Deactivate expired with 30 days warning", "Enforce: Deactivate expired with 60 days warning", "Enforce: Deactivate expired with 90 days warning", "Enforce: Delete expired", "Enforce: Delete expired with 1 day warning", "Enforce: Delete expired with 3 days warning", "Enforce: Delete expired with 7 days warning", "Enforce: Delete expired with 14 days warning", "Enforce: Delete expired with 30 days warning", "Enforce: Delete expired with 60 days warning", "Enforce: Delete expired with 90 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Not expired", "Check: Does not expire in next 1 day", "Check: Does not expire in next 3 days", "Check: Does not expire in next 7 days", "Check: Does not expire in next 14 days", "Check: Does not expire in next 30 days", "Check: Does not expire in next 60 days", "Check: Does not expire in next 90 days", "Enforce: Deactivate expired", "Enforce: Deactivate expired with 1 day warning", "Enforce: Deactivate expired with 3 days warning", "Enforce: Deactivate expired with 7 days warning", "Enforce: Deactivate expired with 14 days warning", "Enforce: Deactivate expired with 30 days warning", "Enforce: Deactivate expired with 60 days warning", "Enforce: Deactivate expired with 90 days warning", "Enforce: Delete expired", "Enforce: Delete expired with 1 day warning", "Enforce: Delete expired with 3 days warning", "Enforce: Delete expired with 7 days warning", "Enforce: Delete expired with 14 days warning", "Enforce: Delete expired with 30 days warning", "Enforce: Delete expired with 60 days warning", "Enforce: Delete expired with 90 days warning" ], "example": [ "Check: Does not expire in next 7 days" ], "default": "Skip"}
Turbot > IAM > Profile > Expiration > Days
Define the maximum age in days allowed for profiles since last login.
tmod:@turbot/turbot-iam#/policy/types/profileExpirationDays
{ "type": "integer", "minimum": 0, "tests": [ { "description": "Valid expiration", "input": 7 }, { "description": "Invalid expiration", "input": -1, "expected": false } ], "default": 0}
Turbot > IAM > Profile > Grants
tmod:@turbot/turbot-iam#/policy/types/profileGrants
Turbot > IAM > Profile > Grants > Deactivate
Check if a profile has expired and provide a configurable warning period before deactivating the grants.
"Deactivate grants" will deactivate the grants on the profile.
tmod:@turbot/turbot-iam#/policy/types/profileGrantsDeactivate
[ "Skip", "Check: Deactivate grants for expired profile", "Enforce: Deactivate grants for expired profile", "Enforce: Deactivate grants for expired profile with 1 day warning", "Enforce: Deactivate grants for expired profile with 3 days warning", "Enforce: Deactivate grants for expired profile with 14 days warning", "Enforce: Deactivate grants for expired profile with 30 days warning", "Enforce: Deactivate grants for expired profile with 60 days warning", "Enforce: Deactivate grants for expired profile with 90 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Deactivate grants for expired profile", "Enforce: Deactivate grants for expired profile", "Enforce: Deactivate grants for expired profile with 1 day warning", "Enforce: Deactivate grants for expired profile with 3 days warning", "Enforce: Deactivate grants for expired profile with 14 days warning", "Enforce: Deactivate grants for expired profile with 30 days warning", "Enforce: Deactivate grants for expired profile with 60 days warning", "Enforce: Deactivate grants for expired profile with 90 days warning" ], "example": [ "Check: Deactivate grants for expired profile" ], "default": "Skip"}
Turbot > IAM > Profile > Grants > Delete
Check if a profile has expired and provide a configurable warning period before deleting the grants.
"Delete grants" will delete the grants on the profile.
tmod:@turbot/turbot-iam#/policy/types/profileGrantsDelete
[ "Skip", "Check: Delete grants for expired profile", "Enforce: Delete grants for expired profile", "Enforce: Delete grants for expired profile with 1 day warning", "Enforce: Delete grants for expired profile with 3 days warning", "Enforce: Delete grants for expired profile with 14 days warning", "Enforce: Delete grants for expired profile with 30 days warning", "Enforce: Delete grants for expired profile with 60 days warning", "Enforce: Delete grants for expired profile with 90 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Delete grants for expired profile", "Enforce: Delete grants for expired profile", "Enforce: Delete grants for expired profile with 1 day warning", "Enforce: Delete grants for expired profile with 3 days warning", "Enforce: Delete grants for expired profile with 14 days warning", "Enforce: Delete grants for expired profile with 30 days warning", "Enforce: Delete grants for expired profile with 60 days warning", "Enforce: Delete grants for expired profile with 90 days warning" ], "example": [ "Check: Delete grants for expired profile" ], "default": "Skip"}
Turbot > IAM > Profile > LDAP Synchronization
LDAP synchronization for Profiles enables synchronization of LDAP Users from Active Directory at certain intervals of time.
The policy can be set on the LDAP Directory as a whole, or on individual Profiles if exceptions are needed.
tmod:@turbot/turbot-iam#/policy/types/profileLdapSynchronization
[ "Skip", "Check: Active", "Enforce: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Turbot > IAM > SAML Directory > Group Synchronization
Synchronize the profile groups in SAML during login.
tmod:@turbot/turbot-iam#/policy/types/samlGroupSync
[ "Skip", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled" ], "example": [ "Enforce: Enabled" ], "default": "Skip"}
Turbot > Workspace > Console Session Timeout
Session timeout (in minutes) for Turbot authentication tokens used in the user
interface and other API sessions. The default is 12 hours.
While using the user interface your token will be automatically refreshed on a
regular basis, so in practice this timeout reflects the period of inactivity
rather than a fixed session length.
Access keys are not subject to this timeout. Access keys are long-lived tokens
(with their own expiration) that may be used to initiate a session, which then
has this timeout.
tmod:@turbot/turbot-iam#/policy/types/turbotConsoleSessionTimeoutMins
{ "type": "integer", "minimum": 15, "default": 720, "tests": [ { "input": 90 }, { "input": 10, "expected": false } ]}