2022-02-09 14:01:19 +00:00
Log :
2022-10-03 13:20:16 +00:00
Level : info
2022-02-09 14:01:19 +00:00
Formatter :
2022-02-11 10:02:47 +00:00
Format : text
2022-07-18 08:42:32 +00:00
# Exposes metrics on /debug/metrics
Metrics :
# Select type otel (OpenTelemetry) or none (disables collection and endpoint)
Type : otel
2022-11-03 11:22:17 +00:00
Tracing :
# Choose one in "otel", "google", "log" and "none"
Type : none
2023-02-17 14:32:52 +00:00
Fraction : 1.0
2022-11-03 11:22:17 +00:00
MetricPrefix : zitadel
2023-07-06 06:38:13 +00:00
Telemetry :
# As long as Enabled is true, ZITADEL tries to send usage data to the configured Telemetry.Endpoints.
# Data is projected by ZITADEL even if Enabled is false.
# This means that switching this to true makes ZITADEL try to send past data.
Enabled : false
# Push telemetry data to all these endpoints at least once using an HTTP POST request.
# If one endpoint returns an unsuccessful response code or times out,
# ZITADEL retries to push the data point to all configured endpoints until it succeeds.
# Configure delivery guarantees and intervals in the section Projections.Customizations.Telemetry
# The endpoints can be reconfigured at runtime.
# Ten redirects are followed.
# If you change this configuration at runtime, remaining data that is not successfully delivered to the old endpoints is sent to the new endpoints.
Endpoints :
- https://httpbin.org/post
# These headers are sent with every request to the configured endpoints.
Headers :
# single-value: "single-value"
# multi-value:
# - "multi-value-1"
# - "multi-value-2"
# The maximum number of data points that are queried before they are sent to the configured endpoints.
Limit : 100 # ZITADEL_TELEMETRY_LIMIT
2022-06-24 12:38:22 +00:00
# Port ZITADEL will listen on
2022-02-14 16:22:30 +00:00
Port : 8080
2022-06-24 12:38:22 +00:00
# Port ZITADEL is exposed on, it can differ from port e.g. if you proxy the traffic
# !!! Changing this after initial setup breaks your system !!!
2022-02-14 16:22:30 +00:00
ExternalPort : 8080
2022-06-24 12:38:22 +00:00
# Domain / hostname ZITADEL is exposed externally
# !!! Changing this after initial setup breaks your system !!!
2022-05-17 17:23:51 +00:00
ExternalDomain : localhost
2022-06-24 12:38:22 +00:00
# specifies if ZITADEL is exposed externally through TLS
# this must be set to true even if TLS is not enabled on ZITADEL itself
# but TLS traffic is terminated on a reverse proxy
# !!! Changing this after initial setup breaks your system !!!
2022-02-14 16:22:30 +00:00
ExternalSecure : true
2022-06-24 12:38:22 +00:00
TLS :
# if enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
# you must then also provide a private key and certificate to be used for the connection
# either directly or by a path to the corresponding file
Enabled : true
# Path to the private key of the TLS certificate, it will be loaded into the Key
# and overwrite any exising value
KeyPath : #/path/to/key/file.pem
# Private key of the TLS certificate (KeyPath will this overwrite, if specified)
Key : #<bas64 encoded content of a pem file>
# Path to the certificate for the TLS connection, it will be loaded into the Cert
# and overwrite any exising value
CertPath : #/path/to/cert/file.pem
# Certificate for the TLS connection (CertPath will this overwrite, if specified)
Cert : #<bas64 encoded content of a pem file>
# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
2022-03-29 09:53:19 +00:00
HTTP2HostHeader : ":authority"
2022-06-24 12:38:22 +00:00
# Header name of HTTP1 calls from which the instance will be matched
2022-03-29 09:53:19 +00:00
HTTP1HostHeader : "host"
2022-02-14 16:22:30 +00:00
2022-04-25 08:01:17 +00:00
WebAuthNName : ZITADEL
2022-02-14 16:22:30 +00:00
Database :
2022-08-31 07:52:43 +00:00
# CockroachDB is the default datbase of ZITADEL
2022-07-28 14:25:42 +00:00
cockroach :
Host : localhost
Port : 26257
Database : zitadel
MaxOpenConns : 20
2022-12-08 15:22:39 +00:00
MaxIdleConns : 10
2022-07-28 14:25:42 +00:00
MaxConnLifetime : 30m
2022-12-08 15:22:39 +00:00
MaxConnIdleTime : 5m
2022-07-28 14:25:42 +00:00
Options : ""
User :
Username : zitadel
Password : ""
SSL :
Mode : disable
RootCert : ""
Cert : ""
Key : ""
Admin :
Username : root
Password : ""
SSL :
Mode : disable
RootCert : ""
Cert : ""
Key : ""
2022-08-31 07:52:43 +00:00
# Postgres is used as soon as a value is set
# The values describe the possible fields to set values
postgres :
2022-09-27 10:53:49 +00:00
Host :
2022-08-31 07:52:43 +00:00
Port :
Database :
MaxOpenConns :
2022-12-08 15:22:39 +00:00
MaxIdleConns :
2022-08-31 07:52:43 +00:00
MaxConnLifetime :
MaxConnIdleTime :
Options :
User :
Username :
Password :
SSL :
Mode :
RootCert :
Cert :
Key :
Admin :
Username :
Password :
SSL :
Mode :
RootCert :
Cert :
Key :
2022-02-14 16:22:30 +00:00
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 14:57:57 +00:00
Machine :
# Cloud hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
Identification :
# Use private IP to identify machines uniquely
PrivateIp :
Enabled : true
# Use hostname to identify machines uniquely
# You want the process to be identified uniquely, so this works well in k8s where each pod gets its own
# unique host name, but not as well in some other hosting environments.
Hostname :
Enabled : false
# Use a webhook response to identify machines uniquely
# Google Cloud Configuration
Webhook :
Enabled : true
Url : "http://metadata.google.internal/computeMetadata/v1/instance/id"
Headers :
"Metadata-Flavor": "Google"
#
# AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
# Webhook:
# Url: "http://169.254.169.254/latest/meta-data/ami-id"
#
# AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html
# Webhook:
# Url: "${ECS_CONTAINER_METADATA_URI_V4}"
# JPath: "$.DockerId"
#
# Azure Configuration: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
# Webhook:
# Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# JPath: "$.compute.vmId"
2022-08-16 05:04:36 +00:00
# Storage for assets like user avatar, organization logo, icon, font, ...
AssetStorage :
Type : db
# HTTP cache control settings for serving assets in the assets API and login UI
# the assets will also be served with an etag and last-modified header
Cache :
MaxAge : 5s
SharedMaxAge : 168h #7d
2023-03-27 12:34:01 +00:00
# The Projections section defines the behaviour for the scheduled and synchronous events projections.
2022-02-14 16:22:30 +00:00
Projections :
2023-03-27 12:34:01 +00:00
# Time interval between scheduled projections
2022-07-22 10:08:39 +00:00
RequeueEvery : 60s
2023-03-27 12:34:01 +00:00
# Time between retried database statements resulting from projected events
2022-03-28 08:05:09 +00:00
RetryFailedAfter : 1s
2023-03-27 12:34:01 +00:00
# Retried execution number of database statements resulting from projected events
2022-03-28 08:05:09 +00:00
MaxFailureCount : 5
2023-03-27 12:34:01 +00:00
# Number of concurrent projection routines. Values of 0 and below are overwritten to 1
2022-09-02 14:05:13 +00:00
ConcurrentInstances : 1
2023-03-27 12:34:01 +00:00
# Limit of returned events per query
2022-03-28 08:05:09 +00:00
BulkLimit : 200
2023-03-30 11:01:27 +00:00
# Only instance are projected, for which at least a projection relevant event exists withing the timeframe
# from HandleActiveInstances duration in the past until the projections current time
# Defaults to twice the RequeueEvery duration
HandleActiveInstances : 120s
2023-03-27 12:34:01 +00:00
# In the Customizations section, all settings from above can be overwritten for each specific projection
2022-03-28 08:05:09 +00:00
Customizations :
2023-03-27 12:34:01 +00:00
Projects :
2022-03-28 08:05:09 +00:00
BulkLimit : 2000
2023-03-27 12:34:01 +00:00
# The Notifications projection is used for sending emails and SMS to users
Notifications :
2023-07-06 06:38:13 +00:00
# As notification projections don't result in database statements, retries don't have any effects
2023-03-27 12:34:01 +00:00
MaxFailureCount : 0
2023-03-28 22:09:06 +00:00
# The NotificationsQuotas projection is used for calling quota webhooks
NotificationsQuotas :
2023-07-06 06:38:13 +00:00
# In case of failed deliveries, ZITADEL retries to send the data points to the configured endpoints, but only for active instances.
# An instance is active, as long as there are projected events on the instance, that are not older than the HandleActiveInstances duration.
# Delivery guarantee requirements are higher for quota webhooks
2023-03-30 11:01:27 +00:00
# Defaults to 45 days
HandleActiveInstances : 1080h
2023-07-06 06:38:13 +00:00
# As quota notification projections don't result in database statements, retries don't have any effects
2023-03-28 22:09:06 +00:00
MaxFailureCount : 0
2023-07-06 06:38:13 +00:00
# Quota notifications are not so time critical. Setting RequeueEvery every five minutes doesn't annoy the database too much.
2023-03-28 22:09:06 +00:00
RequeueEvery : 300s
2023-07-06 06:38:13 +00:00
Telemetry :
# In case of failed deliveries, ZITADEL retries to send the data points to the configured endpoints, but only for active instances.
# An instance is active, as long as there are projected events on the instance, that are not older than the HandleActiveInstances duration.
# Telemetry delivery guarantee requirements are a bit higher than normal data projections, as they are not interactively retryable.
# Defaults to 15 days
HandleActiveInstances : 360h
# As sending telemetry data doesn't result in database statements, retries don't have any effects
MaxFailureCount : 0
# Telemetry data synchronization is not time critical. Setting RequeueEvery to 55 minutes doesn't annoy the database too much.
RequeueEvery : 3300s
2022-02-14 16:22:30 +00:00
Auth :
SearchLimit : 1000
Spooler :
ConcurrentWorkers : 1
2022-11-22 06:36:48 +00:00
ConcurrentInstances : 1
2022-02-14 16:22:30 +00:00
BulkLimit : 10000
FailureCountUntilSkip : 5
Admin :
SearchLimit : 1000
Spooler :
ConcurrentWorkers : 1
2022-11-22 06:36:48 +00:00
ConcurrentInstances : 1
2022-02-14 16:22:30 +00:00
BulkLimit : 10000
FailureCountUntilSkip : 5
UserAgentCookie :
Name : zitadel.useragent
MaxAge : 8760h #365*24h (1 year)
OIDC :
CodeMethodS256 : true
AuthMethodPost : true
AuthMethodPrivateKeyJWT : true
GrantTypeRefreshToken : true
RequestObjectSupported : true
SigningKeyAlgorithm : RS256
2022-09-27 10:53:49 +00:00
# Sets the default values for lifetime and expiration for OIDC
# This default can be overwritten in the default instance configuration and for each instance during runtime
# !!! Changing this after initial setup will have no impact without a restart !!!
2022-02-14 16:22:30 +00:00
DefaultAccessTokenLifetime : 12h
DefaultIdTokenLifetime : 12h
DefaultRefreshTokenIdleExpiration : 720h #30d
DefaultRefreshTokenExpiration : 2160h #90d
Cache :
MaxAge : 12h
SharedMaxAge : 168h #7d
CustomEndpoints :
2022-06-07 08:04:51 +00:00
Auth :
Path : /oauth/v2/authorize
Token :
Path : /oauth/v2/token
Introspection :
Path : /oauth/v2/introspect
Userinfo :
Path : /oidc/v1/userinfo
Revocation :
Path : /oauth/v2/revoke
EndSession :
Path : /oidc/v1/end_session
Keys :
Path : /oauth/v2/keys
2023-04-19 08:46:02 +00:00
DeviceAuth :
Path : /oauth/v2/device_authorization
2023-07-10 13:27:00 +00:00
DefaultLoginURLV2 : "/login?authRequest="
2022-02-14 16:22:30 +00:00
2022-09-12 16:18:08 +00:00
SAML :
ProviderConfig :
MetadataConfig :
Path : "/metadata"
SignatureAlgorithm : "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
IDPConfig :
SignatureAlgorithm : "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
WantAuthRequestsSigned : true
Endpoints :
#Organisation:
# Name: ZITADEL
# URL: https://zitadel.com
#ContactPerson:
# ContactType: "technical"
# Company: ZITADEL
# EmailAddress: hi@zitadel.com
2022-02-14 16:22:30 +00:00
Login :
LanguageCookieName : zitadel.login.lang
2022-03-14 06:55:09 +00:00
CSRFCookieName : zitadel.login.csrf
2022-02-14 16:22:30 +00:00
Cache :
MaxAge : 12h
SharedMaxAge : 168h #7d
Console :
ShortCache :
2022-05-13 12:06:44 +00:00
MaxAge : 0m
SharedMaxAge : 5m
2022-02-14 16:22:30 +00:00
LongCache :
MaxAge : 12h
2022-08-16 05:04:36 +00:00
SharedMaxAge : 168h #7d
2023-05-11 07:24:44 +00:00
InstanceManagementURL : ""
2022-02-14 16:22:30 +00:00
Notification :
Repository :
Spooler :
ConcurrentWorkers : 1
2022-07-22 10:08:39 +00:00
ConcurrentInstances : 10
2022-02-14 16:22:30 +00:00
BulkLimit : 10000
FailureCountUntilSkip : 5
Handlers :
2022-03-14 06:55:09 +00:00
EncryptionKeys :
DomainVerification :
EncryptionKeyID : "domainVerificationKey"
DecryptionKeyIDs :
IDPConfig :
EncryptionKeyID : "idpConfigKey"
DecryptionKeyIDs :
OIDC :
EncryptionKeyID : "oidcKey"
DecryptionKeyIDs :
2022-09-12 16:18:08 +00:00
SAML :
EncryptionKeyID : "samlKey"
DecryptionKeyIDs :
2022-03-14 06:55:09 +00:00
OTP :
EncryptionKeyID : "otpKey"
DecryptionKeyIDs :
SMS :
EncryptionKeyID : "smsKey"
DecryptionKeyIDs :
SMTP :
EncryptionKeyID : "smtpKey"
DecryptionKeyIDs :
User :
EncryptionKeyID : "userKey"
DecryptionKeyIDs :
CSRFCookieKeyID : "csrfCookieKey"
UserAgentCookieKeyID : "userAgentCookieKey"
2022-05-30 11:38:30 +00:00
SystemAPIUsers :
2022-09-27 10:53:49 +00:00
# add keys for authentication of the systemAPI here:
# you can specify any name for the user, but they will have to match the `issuer` and `sub` claim in the JWT:
# - superuser:
# Path: /path/to/superuser/key.pem # you can provide the key either by reference with the path
# - superuser2:
# KeyData: <base64 encoded key> # or you can directly embed it as base64 encoded value
2022-05-30 11:38:30 +00:00
2022-02-14 16:22:30 +00:00
#TODO: remove as soon as possible
SystemDefaults :
SecretGenerators :
PasswordSaltCost : 14
MachineKeySize : 2048
ApplicationKeySize : 2048
2023-07-14 06:49:57 +00:00
PasswordHasher :
# Set hasher configuration for user passwords.
# Passwords previously hashed with a different algorithm
# or cost are automatically re-hashed using this config,
# upon password validation or update.
Hasher :
Algorithm : "bcrypt"
Cost : 14
# Other supported Hasher configs:
# Hasher:
# Algorithm: "argon2i"
# Time: 3
# Memory: 32768
# Threads: 4
# Hasher:
# Algorithm: "argon2id"
# Time: 1
# Memory: 65536
# Threads: 4
# Hasher:
# Algorithm: "scrypt"
# Cost: 15
# Verifiers enable the possibility of verifying
# passwords that are previously hashed using another
# algorithm then the Hasher.
# This can be used when migrating from one algorithm to another,
# or when importing users with hashed passwords.
# There is no need to enable a Verifier of the same algorithm
# as the Hasher.
#
# The format of the encoded hash strings must comply
# with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
# https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
#
# Supported verifiers: (uncomment to enable)
# Verifiers:
# - "argon2" # verifier for both argon2i and argon2id.
# - "bcrypt"
# - "md5"
# - "scrypt"
2022-02-14 16:22:30 +00:00
Multifactors :
OTP :
2023-04-26 05:17:23 +00:00
# If this is empty, the issuer is the requested domain
# This is helpful in scenarios with multiple ZITADEL environments or virtual instances
2022-04-29 08:25:12 +00:00
Issuer : "ZITADEL"
2022-02-14 16:22:30 +00:00
DomainVerification :
VerificationGenerator :
Length : 32
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
Notifications :
2022-04-29 08:25:12 +00:00
FileSystemPath : ".notifications/"
2022-02-14 16:22:30 +00:00
KeyConfig :
Size : 2048
2022-09-12 16:18:08 +00:00
CertificateSize : 4096
2022-02-14 16:22:30 +00:00
PrivateKeyLifetime : 6h
PublicKeyLifetime : 30h
2022-09-12 16:18:08 +00:00
CertificateLifetime : 8766h
2022-03-29 09:53:19 +00:00
2022-10-06 12:23:59 +00:00
Actions :
HTTP :
# wildcard sub domains are currently unsupported
DenyList :
- localhost
2022-11-17 07:43:53 +00:00
- "127.0.0.1"
2022-10-06 12:23:59 +00:00
2023-02-15 01:52:11 +00:00
LogStore :
Access :
Database :
# If enabled, all access logs are stored in the database table logstore.access
Enabled : false
# Logs that are older than the keep duration are cleaned up continuously
Keep : 2160h # 90 days
# CleanupInterval defines the time between cleanup iterations
CleanupInterval : 4h
# Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
# Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
Debounce :
MinFrequency : 2m
MaxBulkSize : 100
Stdout :
# If enabled, all access logs are printed to the binaries standard output
Enabled : false
# Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
# Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
Debounce :
MinFrequency : 0s
MaxBulkSize : 0
Execution :
Database :
# If enabled, all action execution logs are stored in the database table logstore.execution
Enabled : false
# Logs that are older than the keep duration are cleaned up continuously
Keep : 2160h # 90 days
# CleanupInterval defines the time between cleanup iterations
CleanupInterval : 4h
# Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
# Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
Debounce :
MinFrequency : 0s
MaxBulkSize : 0
Stdout :
# If enabled, all execution logs are printed to the binaries standard output
Enabled : true
# Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
# Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
Debounce :
MinFrequency : 0s
MaxBulkSize : 0
Quotas :
Access :
ExhaustedCookieKey : "zitadel.quota.exhausted"
ExhaustedCookieMaxAge : "300s"
2022-12-15 09:40:13 +00:00
Eventstore :
PushTimeout : 15s
2023-04-28 14:56:51 +00:00
AllowOrderByCreationDate : false
2022-12-15 09:40:13 +00:00
2022-04-21 10:37:39 +00:00
DefaultInstance :
InstanceName :
2022-05-03 13:58:38 +00:00
DefaultLanguage : en
2022-04-21 10:37:39 +00:00
Org :
Name :
Human :
2022-09-23 12:08:10 +00:00
# in case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
# it will be suffixed by the org domain (org-name + domain from config).
# for example: zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
2022-04-21 10:37:39 +00:00
UserName : zitadel-admin
FirstName : ZITADEL
LastName : Admin
NickName :
DisplayName :
Email :
Address :
Verified : false
2022-04-28 08:30:41 +00:00
PreferredLanguage : en
2022-04-21 10:37:39 +00:00
Gender :
Phone :
Number :
Verified :
Password :
2022-12-09 13:04:33 +00:00
Machine :
Machine :
Username :
Name :
MachineKey :
ExpirationDate :
Type :
Pat :
ExpirationDate :
2022-04-21 10:37:39 +00:00
SecretGenerators :
PasswordSaltCost : 14
ClientSecret :
Length : 64
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
InitializeUserCode :
Length : 6
2022-04-29 08:25:12 +00:00
Expiry : "72h"
2022-04-21 10:37:39 +00:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
EmailVerificationCode :
Length : 6
2022-04-29 08:25:12 +00:00
Expiry : "1h"
2022-04-21 10:37:39 +00:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PhoneVerificationCode :
Length : 6
2022-04-29 08:25:12 +00:00
Expiry : "1h"
2022-04-21 10:37:39 +00:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PasswordVerificationCode :
Length : 6
2022-04-29 08:25:12 +00:00
Expiry : "1h"
2022-04-21 10:37:39 +00:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PasswordlessInitCode :
Length : 12
2022-04-29 08:25:12 +00:00
Expiry : "1h"
2022-04-21 10:37:39 +00:00
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
DomainVerification :
Length : 32
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PasswordComplexityPolicy :
MinLength : 8
HasLowercase : true
HasUppercase : true
HasNumber : true
HasSymbol : true
PasswordAgePolicy :
ExpireWarnDays : 0
MaxAgeDays : 0
DomainPolicy :
2022-09-23 12:08:10 +00:00
UserLoginMustBeDomain : false
2022-04-21 10:37:39 +00:00
ValidateOrgDomains : true
2022-09-02 07:04:29 +00:00
SMTPSenderAddressMatchesInstanceDomain : false
2022-04-21 10:37:39 +00:00
LoginPolicy :
AllowUsernamePassword : true
AllowRegister : true
AllowExternalIDP : true
ForceMFA : false
HidePasswordReset : false
2022-05-16 13:39:09 +00:00
IgnoreUnknownUsernames : false
2022-10-06 11:30:14 +00:00
AllowDomainDiscovery : false
2022-04-21 10:37:39 +00:00
PasswordlessType: 1 #1: allowed 0 : not allowed
2022-05-16 13:39:09 +00:00
DefaultRedirectURI : #empty because we use the Console UI
2022-04-21 10:37:39 +00:00
PasswordCheckLifetime : 240h #10d
ExternalLoginCheckLifetime : 240h #10d
MfaInitSkipLifetime : 720h #30d
SecondFactorCheckLifetime : 18h
MultiFactorCheckLifetime : 12h
PrivacyPolicy :
2022-12-06 23:09:50 +00:00
TOSLink : https://zitadel.com/docs/legal/terms-of-service
PrivacyLink : https://zitadel.com/docs/legal/privacy-policy
2022-04-29 08:25:12 +00:00
HelpLink : ""
2023-03-28 19:36:52 +00:00
SupportEmail : ""
2023-01-25 08:49:41 +00:00
NotificationPolicy :
PasswordChange : true
2022-04-21 10:37:39 +00:00
LabelPolicy :
2022-04-29 08:25:12 +00:00
PrimaryColor : "#5469d4"
BackgroundColor : "#fafafa"
WarnColor : "#cd3d56"
FontColor : "#000000"
2022-11-17 07:43:53 +00:00
PrimaryColorDark : "#2073c4"
2022-04-29 08:25:12 +00:00
BackgroundColorDark : "#111827"
WarnColorDark : "#ff3b5b"
FontColorDark : "#ffffff"
2022-04-21 10:37:39 +00:00
HideLoginNameSuffix : false
ErrorMsgPopup : false
DisableWatermark : false
LockoutPolicy :
MaxAttempts : 0
ShouldShowLockoutFailure : true
2022-05-16 07:52:10 +00:00
EmailTemplate : CjwhZG9jdHlwZSBodG1sPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCIgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSI+CjxoZWFkPgogIDx0aXRsZT4KCiAgPC90aXRsZT4KICA8IS0tW2lmICFtc29dPjwhLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1lZGdlIj4KICA8IS0tPCFbZW5kaWZdLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSI+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KICAgICNvdXRsb29rIGEgeyBwYWRkaW5nOjA7IH0KICAgIGJvZHkgeyBtYXJnaW46MDtwYWRkaW5nOjA7LXdlYmtpdC10ZXh0LXNpemUtYWRqdXN0OjEwMCU7LW1zLXRleHQtc2l6ZS1hZGp1c3Q6MTAwJTsgfQogICAgdGFibGUsIHRkIHsgYm9yZGVyLWNvbGxhcHNlOmNvbGxhcHNlO21zby10YWJsZS1sc3BhY2U6MHB0O21zby10YWJsZS1yc3BhY2U6MHB0OyB9CiAgICBpbWcgeyBib3JkZXI6MDtoZWlnaHQ6YXV0bztsaW5lLWhlaWdodDoxMDAlOyBvdXRsaW5lOm5vbmU7dGV4dC1kZWNvcmF0aW9uOm5vbmU7LW1zLWludGVycG9sYXRpb24tbW9kZTpiaWN1YmljOyB9CiAgICBwIHsgZGlzcGxheTpibG9jazttYXJnaW46MTNweCAwOyB9CiAgPC9zdHlsZT4KICA8IS0tW2lmIG1zb10+CiAgPHhtbD4KICAgIDxvOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgICAgIDxvOkFsbG93UE5HLz4KICAgICAgPG86UGl4ZWxzUGVySW5jaD45NjwvbzpQaXhlbHNQZXJJbmNoPgogICAgPC9vOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgPC94bWw+CiAgPCFbZW5kaWZdLS0+CiAgPCEtLVtpZiBsdGUgbXNvIDExXT4KICA8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgogICAgLm1qLW91dGxvb2stZ3JvdXAtZml4IHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyB9CiAgPC9zdHlsZT4KICA8IVtlbmRpZl0tLT4KCgogIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBAbWVkaWEgb25seSBzY3JlZW4gYW5kIChtaW4td2lkdGg6NDgwcHgpIHsKICAgICAgLm1qLWNvbHVtbi1wZXItMTAwIHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyBtYXgtd2lkdGg6IDEwMCU7IH0KICAgICAgLm1qLWNvbHVtbi1wZXItNjAgeyB3aWR0aDo2MCUgIWltcG9ydGFudDsgbWF4LXdpZHRoOiA2MCU7IH0KICAgIH0KICA8L3N0eWxlPgoKCiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KCgoKICAgIEBtZWRpYSBvbmx5IHNjcmVlbiBhbmQgKG1heC13aWR0aDo0ODBweCkgewogICAgICB0YWJsZS5tai1mdWxsLXdpZHRoLW1vYmlsZSB7IHdpZHRoOiAxMDAlICFpbXBvcnRhbnQ7IH0KICAgICAgdGQubWotZnVsbC13aWR0aC1tb2JpbGUgeyB3aWR0aDogYXV0byAhaW1wb3J0YW50OyB9CiAgICB9CgogIDwvc3R5bGU+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4uc2hhZG93IGEgewogICAgYm94LXNoYWRvdzogMHB4IDNweCAxcHggLTJweCByZ2JhKDAsIDAsIDAsIDAuMiksIDBweCAycHggMnB4IDBweCByZ2JhKDAsIDAsIDAsIDAuMTQpLCAwcHggMXB4IDVweCAwcHggcmdiYSgwLCAwLCAwLCAwLjEyKTsKICB9PC9zdHlsZT4KCiAge3tpZiAuRm9udFVSTH19CiAgPHN0eWxlPgogICAgQGZvbnQtZmFjZSB7CiAgICAgIGZvbnQtZmFtaWx5OiAne3suRm9udEZhY2VGYW1pbHl9fSc7CiAgICAgIGZvbnQtc3R5bGU6IG5vcm1hbDsKICAgICAgZm9udC1kaXNwbGF5OiBzd2FwOwogICAgICBzcmM6IHVybCh7ey5Gb250VVJMfX0pOwogICAgfQogIDwvc3R5bGU+CiAge3tlbmR9fQoKPC9oZWFkPgo8Ym9keSBzdHlsZT0id29yZC1zcGFjaW5nOm5vcm1hbDsiPgoKCjxkaXYKICAgICAgICBzdHlsZT0iIgo+CgogIDx0YWJsZQogICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9ImJhY2tncm91bmQ6e3suQmFja2dyb3VuZENvbG9yfX07YmFja2dyb3VuZC1jb2xvcjp7ey5CYWNrZ3JvdW5kQ29sb3J9fTt3aWR0aDoxMDAlO2JvcmRlci1yYWRpdXM6MTZweDsiCiAgPgogICAgPHRib2R5PgogICAgPHRyPgogICAgICA8dGQ+CgoKICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIGNsYXNzPSIiIHN0eWxlPSJ3aWR0aDo4MDBweDsiIHdpZHRoPSI4MDAiID48dHI+PHRkIHN0eWxlPSJsaW5lLWhlaWdodDowcHg7Zm9udC1zaXplOjBweDttc28tbGluZS1oZWlnaHQtcnVsZTpleGFjdGx5OyI+PCFbZW5kaWZdLS0+CgoKICAgICAgICA8ZGl2ICBzdHlsZT0ibWFyZ2luOjBweCBhdXRvO2JvcmRlci1yYWRpdXM6MTZweDttYXgtd2lkdGg6ODAwcHg7Ij4KCiAgICAgICAgICA8dGFibGUKICAgICAgICAgICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9IndpZHRoOjEwMCU7Ym9yZGVyLXJhZGl1czoxNnB4OyIKICAgICAgICAgID4KICAgICAgICAgICAgPHRib2R5PgogICAgICAgICAgICA8dHI+CiAgICAgICAgICAgICAgPHRkCiAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iZGlyZWN0aW9uOmx0cjtmb250LXNpemU6MHB4O3BhZGRpbmc6MjBweCAwO3BhZGRpbmctbGVmdDowO3RleHQtYWxpZ246Y2VudGVyOyIKICAgICAgICAgICAgICA+CiAgICAgICAgICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgcm9sZT0icHJlc2VudGF0aW9uIiBib3JkZXI9IjAiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCI+PHRyPjx0ZCBjbGFzcz0iIiB3aWR0aD0iODAwcHgiID48IVtlbmRpZl0tLT4KCiAgICAgICAgICAgICAgIC
2022-09-27 10:53:49 +00:00
# Sets the default values for lifetime and expiration for OIDC in each newly created instance
# This default can be overwritten for each instance during runtime
# Overwrites the system defaults
# If defined but not all durations are set it will result in an error
OIDCSettings :
AccessTokenLifetime : 12h
IdTokenLifetime : 12h
RefreshTokenIdleExpiration : 720h #30d
RefreshTokenExpiration : 2160h #90d
2022-05-30 15:39:18 +00:00
# this configuration sets the default email configuration
SMTPConfiguration :
# configuration of the host
SMTP :
2023-01-17 09:20:16 +00:00
# must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
2022-05-30 15:39:18 +00:00
Host :
User :
Password :
TLS :
# if the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
From :
FromName :
2022-04-21 10:37:39 +00:00
MessageTexts :
- MessageTextType : InitCode
Language : de
Title : Zitadel - User initialisieren
PreHeader : User initialisieren
Subject : User initialisieren
2023-04-11 15:56:51 +00:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : Dieser Benutzer wurde soeben im Zitadel erstellt. Mit dem Benutzernamen <br><strong>{{.PreferredLoginName}}</strong><br> kannst du dich anmelden. Nutze den untenstehenden Button, um die Initialisierung abzuschliessen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.
ButtonText : Initialisierung abschliessen
- MessageTextType : PasswordReset
Language : de
Title : Zitadel - Passwort zurücksetzen
PreHeader : Passwort zurücksetzen
Subject : Passwort zurücksetzen
2023-04-11 15:56:51 +00:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.
ButtonText : Passwort zurücksetzen
- MessageTextType : VerifyEmail
Language : de
Title : Zitadel - Email verifizieren
PreHeader : Email verifizieren
Subject : Email verifizieren
2023-04-11 15:56:51 +00:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren <br>(Code <strong>{{.Code}}</strong>).<br> Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.
ButtonText : Email verifizieren
- MessageTextType : VerifyPhone
Language : de
Title : Zitadel - Telefonnummer verifizieren
PreHeader : Telefonnummer verifizieren
Subject : Telefonnummer verifizieren
2023-04-11 15:56:51 +00:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst (Code {{.Code}})
ButtonText : Telefon verifizieren
- MessageTextType : DomainClaimed
Language : de
Title : Zitadel - Domain wurde beansprucht
PreHeader : Email / Username ändern
Subject : Domain wurde beansprucht
2023-04-11 15:56:51 +00:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : Die Domain {{.Domain}} wurde von einer Organisation beansprucht. Dein derzeitiger User {{.Username}} ist nicht Teil dieser Organisation. Daher musst du beim nächsten Login eine neue Email hinterlegen. Für diesen Login haben wir dir einen temporären Usernamen ({{.TempUsername}}) erstellt.
ButtonText : Login
2023-01-25 08:49:41 +00:00
- MessageTextType : PasswordChange
Language : de
Title : ZITADEL - Passwort von Benutzer wurde geändert
PreHeader : Passwort Änderung
Subject : Passwort von Benutzer wurde geändert
2023-04-11 15:56:51 +00:00
Greeting : Hallo {{.DisplayName}},
2023-01-25 08:49:41 +00:00
Text : Das Password vom Benutzer wurde geändert. Wenn diese Änderung von jemand anderem gemacht wurde, empfehlen wir die sofortige Zurücksetzung ihres Passworts.
ButtonText : Login
2022-04-21 10:37:39 +00:00
- MessageTextType : InitCode
Language : en
Title : Zitadel - Initialize User
PreHeader : Initialize User
Subject : Initialize User
2023-04-11 15:56:51 +00:00
Greeting : Hello {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : This user was created in Zitadel. Use the username {{.PreferredLoginName}} to login. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
ButtonText : Finish initialization
- MessageTextType : PasswordReset
Language : en
Title : Zitadel - Reset password
PreHeader : Reset password
Subject : Reset password
2023-04-11 15:56:51 +00:00
Greeting : Hello {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
ButtonText : Reset password
- MessageTextType : VerifyEmail
Language : en
Title : Zitadel - Verify email
PreHeader : Verify email
Subject : Verify email
2023-04-11 15:56:51 +00:00
Greeting : Hello {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you din't add a new email, please ignore this email.
ButtonText : Verify email
- MessageTextType : VerifyPhone
Language : en
Title : Zitadel - Verify phone
PreHeader : Verify phone
Subject : Verify phone
2023-04-11 15:56:51 +00:00
Greeting : Hello {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : A new phonenumber has been added. Please use the following code to verify it {{.Code}}.
ButtonText : Verify phone
- MessageTextType : DomainClaimed
Language : en
Title : Zitadel - Domain has been claimed
PreHeader : Change email / username
Subject : Domain has been claimed
2023-04-11 15:56:51 +00:00
Greeting : Hello {{.DisplayName}},
2022-04-21 10:37:39 +00:00
Text : The domain {{.Domain}} has been claimed by an organisation. Your current user {{.UserName}} is not part of this organisation. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login.
ButtonText : Login
2023-01-25 08:49:41 +00:00
- MessageTextType : PasswordChange
Language : en
Title : ZITADEL - Password of user has changed
PreHeader : Change password
Subject : Password of user has changed
2023-04-11 15:56:51 +00:00
Greeting : Hello {{.DisplayName}},
2023-01-25 08:49:41 +00:00
Text : The password of your user has changed. If this change was not done by you, please be advised to immediately reset your password.
ButtonText : Login
2022-04-21 10:37:39 +00:00
2023-02-15 01:52:11 +00:00
Quotas :
# Items takes a slice of quota configurations, whereas for each unit type and instance, one or zero quotas may exist.
# The following unit types are supported
# "requests.all.authenticated"
# The sum of all requests to the ZITADEL API with an authorization header,
# excluding the following exceptions
# - Calls to the System API
# - Calls that cause internal server errors
# - Failed authorizations
# - Requests after the quota already exceeded
# "actions.all.runs.seconds"
# The sum of all actions run durations in seconds
Items :
# - Unit: "requests.all.authenticated"
# # From defines the starting time from which the current quota period is calculated from.
# # This is relevant for querying the current usage.
# From: "2023-01-01T00:00:00Z"
# # ResetInterval defines the quota periods duration
# ResetInterval: 720h # 30 days
# # Amount defines the number of units for this quota
# Amount: 25000
# # Limit defines whether ZITADEL should block further usage when the configured amount is used
# Limit: false
# # Notifications are emitted by ZITADEL when certain quota percentages are reached
# Notifications:
# # Percent defines the relative amount of used units, after which a notification should be emitted.
# - Percent: 100
# # Repeat defines, whether a notification should be emitted each time when a multitude of the configured Percent is used.
# Repeat: true
# # CallURL is called when a relative amount of the quota is used.
# CallURL: "https://httpbin.org/post"
2023-03-17 09:14:06 +00:00
AuditLogRetention : 0s
2022-03-29 09:53:19 +00:00
InternalAuthZ :
RolePermissionMappings :
2022-04-29 08:25:12 +00:00
- Role : "IAM_OWNER"
2022-03-29 09:53:19 +00:00
Permissions :
- "iam.read"
- "iam.write"
- "iam.policy.read"
- "iam.policy.write"
- "iam.policy.delete"
- "iam.member.read"
- "iam.member.write"
- "iam.member.delete"
- "iam.idp.read"
- "iam.idp.write"
- "iam.idp.delete"
- "iam.action.read"
- "iam.action.write"
- "iam.action.delete"
- "iam.flow.read"
- "iam.flow.write"
- "iam.flow.delete"
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
2022-11-30 16:01:17 +00:00
- "org.delete"
2022-03-29 09:53:19 +00:00
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
2023-05-24 10:22:00 +00:00
- "user.passkey.write"
2022-03-29 09:53:19 +00:00
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2023-01-16 11:30:03 +00:00
- "events.read"
2022-04-29 08:25:12 +00:00
- Role : "IAM_OWNER_VIEWER"
2022-03-29 09:53:19 +00:00
Permissions :
- "iam.read"
- "iam.policy.read"
- "iam.member.read"
- "iam.idp.read"
- "iam.action.read"
- "iam.flow.read"
- "org.read"
- "org.member.read"
- "org.idp.read"
- "org.action.read"
- "org.flow.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
2023-01-16 11:30:03 +00:00
- "events.read"
2022-04-29 08:25:12 +00:00
- Role : "IAM_ORG_MANAGER"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
2022-11-30 16:01:17 +00:00
- "org.delete"
2022-03-29 09:53:19 +00:00
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
2023-05-24 10:22:00 +00:00
- "user.passkey.write"
2022-03-29 09:53:19 +00:00
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2022-04-29 08:25:12 +00:00
- Role : "IAM_USER_MANAGER"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.read"
- "org.global.read"
- "org.member.read"
- "org.member.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2023-05-24 10:22:00 +00:00
- "user.passkey.write"
2022-03-29 09:53:19 +00:00
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
2022-04-29 08:25:12 +00:00
- Role : "ORG_OWNER"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.read"
- "org.global.read"
- "org.write"
2022-11-30 16:01:17 +00:00
- "org.delete"
2022-03-29 09:53:19 +00:00
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
2023-05-24 10:22:00 +00:00
- "user.passkey.write"
2022-03-29 09:53:19 +00:00
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2022-04-29 08:25:12 +00:00
- Role : "ORG_USER_MANAGER"
2022-03-29 09:53:19 +00:00
Permissions :
2023-02-21 08:31:35 +00:00
- "org.read"
2022-03-29 09:53:19 +00:00
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2023-02-21 08:31:35 +00:00
- "policy.read"
2022-03-29 09:53:19 +00:00
- "project.read"
- "project.role.read"
2022-04-29 08:25:12 +00:00
- Role : "ORG_OWNER_VIEWER"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.read"
- "org.member.read"
- "org.idp.read"
- "org.action.read"
- "org.flow.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.user.grant.read"
2022-07-12 08:03:44 +00:00
- Role : "ORG_SETTINGS_MANAGER"
Permissions :
- "org.read"
- "org.write"
- "org.member.read"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "policy.read"
- "policy.write"
- "policy.delete"
2022-04-29 08:25:12 +00:00
- Role : "ORG_USER_PERMISSION_EDITOR"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.read"
- "org.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
2022-04-29 08:25:12 +00:00
- Role : "ORG_PROJECT_PERMISSION_EDITOR"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.read"
- "org.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
2022-04-29 08:25:12 +00:00
- Role : "ORG_PROJECT_CREATOR"
2022-03-29 09:53:19 +00:00
Permissions :
- "user.global.read"
- "policy.read"
- "project.read:self"
- "project.create"
2022-04-29 08:25:12 +00:00
- Role : "PROJECT_OWNER"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.global.read"
- "policy.read"
- "project.read"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 08:25:12 +00:00
- Role : "PROJECT_OWNER_VIEWER"
2022-03-29 09:53:19 +00:00
Permissions :
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2022-04-29 08:25:12 +00:00
- Role : "SELF_MANAGEMENT_GLOBAL"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.create"
- "policy.read"
- "user.self.delete"
2023-07-07 20:14:07 +00:00
- Role : "ORG_USER_SELF_MANAGER"
Permissions :
- "policy.read"
- "user.self.delete"
2022-04-29 08:25:12 +00:00
- Role : "PROJECT_OWNER_GLOBAL"
2022-03-29 09:53:19 +00:00
Permissions :
- "org.global.read"
- "policy.read"
- "project.read"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 08:25:12 +00:00
- Role : "PROJECT_OWNER_VIEWER_GLOBAL"
2022-03-29 09:53:19 +00:00
Permissions :
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2022-04-29 08:25:12 +00:00
- Role : "PROJECT_GRANT_OWNER"
2022-03-29 09:53:19 +00:00
Permissions :
- "policy.read"
- "org.global.read"
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 08:25:12 +00:00
- Role : "PROJECT_GRANT_OWNER_VIEWER"
2022-03-29 09:53:19 +00:00
Permissions :
- "policy.read"
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"