# ZITADEL runtime configuration: logging, listener and TLS, database, projections,
# OIDC/SAML, default instance policies and role-to-permission mappings.
# NOTE(review): check the nesting below against the upstream ZITADEL defaults before loading this file.
Log:
  Level: info
  Formatter:
    Format: text

# Exposes metrics on /debug/metrics
# NOTE(review): confirm /debug/metrics is not reachable from untrusted networks.
Metrics:
  # Select type otel (OpenTelemetry) or none (disables collection and endpoint)
  Type: otel

Tracing:
  # Choose one in "otel", "google", "log" and "none"
  Type: none
  Fraction: 1.0
  MetricPrefix: zitadel

Telemetry:
  # As long as Enabled is true, ZITADEL tries to send usage data to the configured Telemetry.Endpoints.
  # Data is projected by ZITADEL even if Enabled is false.
  # This means that switching this to true makes ZITADEL try to send past data.
  Enabled: false
  # Push telemetry data to all these endpoints at least once using an HTTP POST request.
  # If one endpoint returns an unsuccessful response code or times out,
  # ZITADEL retries to push the data point to all configured endpoints until it succeeds.
  # Configure delivery guarantees and intervals in the section Projections.Customizations.Telemetry
  # The endpoints can be reconfigured at runtime.
  # Ten redirects are followed.
  # If you change this configuration at runtime, remaining data that is not successfully delivered to the old endpoints is sent to the new endpoints.
  # NOTE(review): the default endpoint is a public request-echo service. Because past data is
  # also sent once Enabled becomes true, point Endpoints at a collector you control before enabling.
  Endpoints:
    - https://httpbin.org/post
  # These headers are sent with every request to the configured endpoints.
  Headers:
  # single-value: "single-value"
  # multi-value:
  # - "multi-value-1"
  # - "multi-value-2"
  # The maximum number of data points that are queried before they are sent to the configured endpoints.
  Limit: 100 # ZITADEL_TELEMETRY_LIMIT

# Port ZITADEL will listen on
Port: 8080
# Port ZITADEL is exposed on, it can differ from port e.g. if you proxy the traffic
# !!! Changing this after initial setup breaks your system !!!
ExternalPort: 8080
# Domain / hostname ZITADEL is exposed externally
# !!! Changing this after initial setup breaks your system !!!
ExternalDomain: localhost
# specifies if ZITADEL is exposed externally through TLS
# this must be set to true even if TLS is not enabled on ZITADEL itself
# but TLS traffic is terminated on a reverse proxy
# !!! Changing this after initial setup breaks your system !!!
ExternalSecure: true
TLS:
  # if enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
  # you must then also provide a private key and certificate to be used for the connection
  # either directly or by a path to the corresponding file
  # NOTE(review): Enabled is true here while no key or certificate is set below; supply them
  # or terminate TLS on a proxy (ExternalSecure stays true in that case, see above).
  Enabled: true
  # Path to the private key of the TLS certificate, it will be loaded into the Key
  # and overwrite any existing value
  KeyPath: #/path/to/key/file.pem
  # Private key of the TLS certificate (overwritten by KeyPath, if specified)
  # NOTE(review): prefer KeyPath over an inline Key so private key material stays out of
  # configuration files and version control.
  Key: # unset
  # Path to the certificate for the TLS connection, it will be loaded into the Cert
  # and overwrite any existing value
  CertPath: #/path/to/cert/file.pem
  # Certificate for the TLS connection (overwritten by CertPath, if specified)
  Cert: # unset

# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
HTTP2HostHeader: ":authority"
# Header name of HTTP1 calls from which the instance will be matched
# NOTE(review): instance matching depends on these headers. If they are switched to a
# forwarded-host style header, confirm the proxy overwrites any client-supplied value.
HTTP1HostHeader: "host"

WebAuthNName: ZITADEL

Database:
  # CockroachDB is the default database of ZITADEL
  # NOTE(review): empty passwords and SSL Mode "disable" (for both User and Admin) only suit a
  # local, insecure-mode database. For any networked deployment, supply credentials from a secret
  # source and use a verifying SSL mode (e.g. verify-full) together with RootCert.
  cockroach:
    Host: localhost
    Port: 26257
    Database: zitadel
    MaxOpenConns: 20
    MaxIdleConns: 10
    MaxConnLifetime: 30m
    MaxConnIdleTime: 5m
    Options: ""
    User:
      Username: zitadel
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""
    Admin:
      Username: root
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""
  # Postgres is used as soon as a value is set
  # The values describe the possible fields to set values
  postgres:
    Host:
    Port:
    Database:
    MaxOpenConns:
    MaxIdleConns:
    MaxConnLifetime:
    MaxConnIdleTime:
    Options:
    User:
      Username:
      Password:
      SSL:
        Mode:
        RootCert:
        Cert:
        Key:
    Admin:
      Username:
      Password:
      SSL:
        Mode:
        RootCert:
        Cert:
        Key:

Machine:
  # Cloud hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
  Identification:
    # Use private IP to identify machines uniquely
    PrivateIp:
      Enabled: true
    # Use hostname to identify machines uniquely
    # You want the process to be identified uniquely, so this works well in k8s where each pod gets its own
    # unique host name, but not as well in some other hosting environments.
    Hostname:
      Enabled: false
    # Use a webhook response to identify machines uniquely
    # Google Cloud Configuration
    Webhook:
      Enabled: true
      Url: "http://metadata.google.internal/computeMetadata/v1/instance/id"
      Headers:
        "Metadata-Flavor": "Google"
    #
    # AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
    # NOTE(review): this example uses IMDSv1 (no session token), so it fails on hosts that enforce
    # IMDSv2. It also reads ami-id, which identifies the image rather than the instance; confirm
    # that it yields a unique value per machine.
    # Webhook:
    #   Url: "http://169.254.169.254/latest/meta-data/ami-id"
    #
    # AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html
    # Webhook:
    #   Url: "${ECS_CONTAINER_METADATA_URI_V4}"
    #   JPath: "$.DockerId"
    #
    # Azure Configuration: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
    # Webhook:
    #   Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
    #   JPath: "$.compute.vmId"

# Storage for assets like user avatar, organization logo, icon, font, ...
AssetStorage:
  Type: db
  # HTTP cache control settings for serving assets in the assets API and login UI
  # the assets will also be served with an etag and last-modified header
  Cache:
    MaxAge: 5s
    SharedMaxAge: 168h #7d

# The Projections section defines the behaviour for the scheduled and synchronous events projections.
Projections:
  # Time interval between scheduled projections
  RequeueEvery: 60s
  # Time between retried database statements resulting from projected events
  RetryFailedAfter: 1s
  # Retried execution number of database statements resulting from projected events
  MaxFailureCount: 5
  # Number of concurrent projection routines. Values of 0 and below are overwritten to 1
  ConcurrentInstances: 1
  # Limit of returned events per query
  BulkLimit: 200
  # Only instances are projected for which at least one projection-relevant event exists within the timeframe
  # from HandleActiveInstances duration in the past until the projection's current time
  # Defaults to twice the RequeueEvery duration
  HandleActiveInstances: 120s
  # In the Customizations section, all settings from above can be overwritten for each specific projection
  Customizations:
    Projects:
      BulkLimit: 2000
    # The Notifications projection is used for sending emails and SMS to users
    Notifications:
      # As notification projections don't result in database statements, retries don't have any effects
      MaxFailureCount: 0
    # The NotificationsQuotas projection is used for calling quota webhooks
    NotificationsQuotas:
      # In case of failed deliveries, ZITADEL retries to send the data points to the configured endpoints, but only for active instances.
      # An instance is active, as long as there are projected events on the instance, that are not older than the HandleActiveInstances duration.
      # Delivery guarantee requirements are higher for quota webhooks
      # Defaults to 45 days
      HandleActiveInstances: 1080h
      # As quota notification projections don't result in database statements, retries don't have any effects
      MaxFailureCount: 0
      # Quota notifications are not so time critical. Setting RequeueEvery every five minutes doesn't annoy the database too much.
      RequeueEvery: 300s
    Telemetry:
      # In case of failed deliveries, ZITADEL retries to send the data points to the configured endpoints, but only for active instances.
      # An instance is active, as long as there are projected events on the instance, that are not older than the HandleActiveInstances duration.
      # Telemetry delivery guarantee requirements are a bit higher than normal data projections, as they are not interactively retryable.
      # Defaults to 15 days
      HandleActiveInstances: 360h
      # As sending telemetry data doesn't result in database statements, retries don't have any effects
      MaxFailureCount: 0
      # Telemetry data synchronization is not time critical. Setting RequeueEvery to 55 minutes doesn't annoy the database too much.
      RequeueEvery: 3300s

Auth:
  SearchLimit: 1000
  Spooler:
    ConcurrentWorkers: 1
    ConcurrentInstances: 1
    BulkLimit: 10000
    FailureCountUntilSkip: 5

Admin:
  SearchLimit: 1000
  Spooler:
    ConcurrentWorkers: 1
    ConcurrentInstances: 1
    BulkLimit: 10000
    FailureCountUntilSkip: 5

UserAgentCookie:
  Name: zitadel.useragent
  MaxAge: 8760h #365*24h (1 year)

OIDC:
  CodeMethodS256: true
  AuthMethodPost: true
  AuthMethodPrivateKeyJWT: true
  GrantTypeRefreshToken: true
  RequestObjectSupported: true
  SigningKeyAlgorithm: RS256
  # Sets the default values for lifetime and expiration for OIDC
  # This default can be overwritten in the default instance configuration and for each instance during runtime
  # !!! Changing this after initial setup will have no impact without a restart !!!
  DefaultAccessTokenLifetime: 12h
  DefaultIdTokenLifetime: 12h
  DefaultRefreshTokenIdleExpiration: 720h #30d
  DefaultRefreshTokenExpiration: 2160h #90d
  Cache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
  CustomEndpoints:
    Auth:
      Path: /oauth/v2/authorize
    Token:
      Path: /oauth/v2/token
    Introspection:
      Path: /oauth/v2/introspect
    Userinfo:
      Path: /oidc/v1/userinfo
    Revocation:
      Path: /oauth/v2/revoke
    EndSession:
      Path: /oidc/v1/end_session
    Keys:
      Path: /oauth/v2/keys
    DeviceAuth:
      Path: /oauth/v2/device_authorization
  DefaultLoginURLV2: "/login?authRequest="
  DefaultLogoutURLV2: "/logout?post_logout_redirect="

SAML:
  ProviderConfig:
    MetadataConfig:
      Path: "/metadata"
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    IDPConfig:
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
      WantAuthRequestsSigned: true
      Endpoints:
    #Organisation:
    #  Name: ZITADEL
    #  URL: https://zitadel.com
    #ContactPerson:
    #  ContactType: "technical"
    #  Company: ZITADEL
    #  EmailAddress: hi@zitadel.com

Login:
  LanguageCookieName: zitadel.login.lang
  CSRFCookieName: zitadel.login.csrf
  Cache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d

Console:
  ShortCache:
    MaxAge: 0m
    SharedMaxAge: 5m
  LongCache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
  InstanceManagementURL: ""

Notification:
  Repository:
    Spooler:
      ConcurrentWorkers: 1
      ConcurrentInstances: 10
      BulkLimit: 10000
      FailureCountUntilSkip: 5
      Handlers:

# Only key identifiers appear in this section; the key material itself is not part of this file.
EncryptionKeys:
  DomainVerification:
    EncryptionKeyID: "domainVerificationKey"
    DecryptionKeyIDs:
  IDPConfig:
    EncryptionKeyID: "idpConfigKey"
    DecryptionKeyIDs:
  OIDC:
    EncryptionKeyID: "oidcKey"
    DecryptionKeyIDs:
  SAML:
    EncryptionKeyID: "samlKey"
    DecryptionKeyIDs:
  OTP:
    EncryptionKeyID: "otpKey"
    DecryptionKeyIDs:
  SMS:
    EncryptionKeyID: "smsKey"
    DecryptionKeyIDs:
  SMTP:
    EncryptionKeyID: "smtpKey"
    DecryptionKeyIDs:
  User:
    EncryptionKeyID: "userKey"
    DecryptionKeyIDs:
  CSRFCookieKeyID: "csrfCookieKey"
  UserAgentCookieKeyID: "userAgentCookieKey"

SystemAPIUsers:
# add keys for authentication of the systemAPI here:
# you can specify any name for the user, but they will have to match the `issuer` and `sub` claim in the JWT:
# NOTE(review): the keys registered here authenticate System API callers; prefer Path over
# embedded KeyData and keep the referenced files readable by the service account only.
# - superuser:
#     Path: /path/to/superuser/key.pem # you can provide the key either by reference with the path
# - superuser2:
#     KeyData: # or you can directly embed it as base64 encoded value

#TODO: remove as soon as possible
SystemDefaults:
  SecretGenerators:
    PasswordSaltCost: 14
    MachineKeySize: 2048
    ApplicationKeySize: 2048
  PasswordHasher:
    # Set hasher configuration for user passwords.
    # Passwords previously hashed with a different algorithm
    # or cost are automatically re-hashed using this config,
    # upon password validation or update.
    Hasher:
      Algorithm: "bcrypt"
      Cost: 14

    # Other supported Hasher configs:

    # Hasher:
    #   Algorithm: "argon2i"
    #   Time: 3
    #   Memory: 32768
    #   Threads: 4

    # Hasher:
    #   Algorithm: "argon2id"
    #   Time: 1
    #   Memory: 65536
    #   Threads: 4

    # Hasher:
    #   Algorithm: "scrypt"
    #   Cost: 15

    # Verifiers enable the possibility of verifying
    # passwords that are previously hashed using another
    # algorithm than the Hasher.
    # This can be used when migrating from one algorithm to another,
    # or when importing users with hashed passwords.
    # There is no need to enable a Verifier of the same algorithm
    # as the Hasher.
    #
    # The format of the encoded hash strings must comply
    # with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
    # https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
    #
    # NOTE(review): enable the "md5" verifier only for the duration of an import or migration.
    # Those hashes stay in their weak form until each user next validates or updates the
    # password, which is when re-hashing happens (see above).
    #
    # Supported verifiers: (uncomment to enable)
    # Verifiers:
    #   - "argon2" # verifier for both argon2i and argon2id.
    #   - "bcrypt"
    #   - "md5"
    #   - "scrypt"
  Multifactors:
    OTP:
      # If this is empty, the issuer is the requested domain
      # This is helpful in scenarios with multiple ZITADEL environments or virtual instances
      Issuer: "ZITADEL"
  DomainVerification:
    VerificationGenerator:
      Length: 32
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
  Notifications:
    FileSystemPath: ".notifications/"
  KeyConfig:
    Size: 2048
    CertificateSize: 4096
    PrivateKeyLifetime: 6h
    PublicKeyLifetime: 30h
    CertificateLifetime: 8766h

Actions:
  HTTP:
    # wildcard sub domains are currently unsupported
    # NOTE(review): only the loopback name and IPv4 loopback address are denied. Outbound
    # requests made by actions can still reach other internal targets, such as the link-local
    # metadata address used under Machine.Identification, the IPv6 loopback and private ranges.
    # Extend the list or restrict egress at the network layer. How entries are matched
    # (literal host vs. resolved address) is not visible here; confirm.
    DenyList:
      - localhost
      - "127.0.0.1"

LogStore:
  # NOTE(review): both Access sinks are disabled by default, so no access log is emitted from here
  # unless one is enabled.
  Access:
    Database:
      # If enabled, all access logs are stored in the database table logstore.access
      Enabled: false
      # Logs that are older than the keep duration are cleaned up continuously
      Keep: 2160h # 90 days
      # CleanupInterval defines the time between cleanup iterations
      CleanupInterval: 4h
      # Debouncing allows log entries to be emitted asynchronously, so the normal execution performance is not impaired
      # Log entries are held in memory until one of the conditions MinFrequency or MaxBulkSize is met.
      Debounce:
        MinFrequency: 2m
        MaxBulkSize: 100
    Stdout:
      # If enabled, all access logs are printed to the binary's standard output
      Enabled: false
      # Debouncing allows log entries to be emitted asynchronously, so the normal execution performance is not impaired
      # Log entries are held in memory until one of the conditions MinFrequency or MaxBulkSize is met.
      Debounce:
        MinFrequency: 0s
        MaxBulkSize: 0
  Execution:
    Database:
      # If enabled, all action execution logs are stored in the database table logstore.execution
      Enabled: false
      # Logs that are older than the keep duration are cleaned up continuously
      Keep: 2160h # 90 days
      # CleanupInterval defines the time between cleanup iterations
      CleanupInterval: 4h
      # Debouncing allows log entries to be emitted asynchronously, so the normal execution performance is not impaired
      # Log entries are held in memory until one of the conditions MinFrequency or MaxBulkSize is met.
      Debounce:
        MinFrequency: 0s
        MaxBulkSize: 0
    Stdout:
      # If enabled, all execution logs are printed to the binary's standard output
      Enabled: true
      # Debouncing allows log entries to be emitted asynchronously, so the normal execution performance is not impaired
      # Log entries are held in memory until one of the conditions MinFrequency or MaxBulkSize is met.
      Debounce:
        MinFrequency: 0s
        MaxBulkSize: 0

Quotas:
  Access:
    ExhaustedCookieKey: "zitadel.quota.exhausted"
    ExhaustedCookieMaxAge: "300s"

Eventstore:
  PushTimeout: 15s
  AllowOrderByCreationDate: false

DefaultInstance:
  InstanceName:
  DefaultLanguage: en
  Org:
    Name:
    Human:
      # in case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
      # it will be suffixed by the org domain (org-name + domain from config).
      # for example: zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
      UserName: zitadel-admin
      FirstName: ZITADEL
      LastName: Admin
      NickName:
      DisplayName:
      Email:
        Address:
        Verified: false
      PreferredLanguage: en
      Gender:
      Phone:
        Number:
        Verified:
      # NOTE(review): this is the credential of the first admin user; supply it from a secret
      # source at setup time rather than committing a value here.
      Password:
    Machine:
      Machine:
        Username:
        Name:
      MachineKey:
        ExpirationDate:
        Type:
      Pat:
        ExpirationDate:
  SecretGenerators:
    PasswordSaltCost: 14
    ClientSecret:
      Length: 64
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    # NOTE(review): the user-facing codes below are 6 characters drawn from upper-case letters
    # and digits, with InitializeUserCode valid for 72h. Their strength relies on attempt
    # limiting at verification; whether LockoutPolicy applies to code checks is not visible here.
    InitializeUserCode:
      Length: 6
      Expiry: "72h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    EmailVerificationCode:
      Length: 6
      Expiry: "1h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    PhoneVerificationCode:
      Length: 6
      Expiry: "1h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    PasswordVerificationCode:
      Length: 6
      Expiry: "1h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    PasswordlessInitCode:
      Length: 12
      Expiry: "1h"
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    DomainVerification:
      Length: 32
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
  PasswordComplexityPolicy:
    MinLength: 8
    HasLowercase: true
    HasUppercase: true
    HasNumber: true
    HasSymbol: true
  PasswordAgePolicy:
    ExpireWarnDays: 0
    MaxAgeDays: 0
  DomainPolicy:
    UserLoginMustBeDomain: false
    ValidateOrgDomains: true
    SMTPSenderAddressMatchesInstanceDomain: false
  # NOTE(review): the defaults allow self-registration (AllowRegister) and do not force MFA.
  # IgnoreUnknownUsernames: false presumably lets the login flow reveal whether a username
  # exists; confirm, and review all three for internet-facing instances.
  LoginPolicy:
    AllowUsernamePassword: true
    AllowRegister: true
    AllowExternalIDP: true
    ForceMFA: false
    HidePasswordReset: false
    IgnoreUnknownUsernames: false
    AllowDomainDiscovery: false
    PasswordlessType: 1 #1: allowed 0: not allowed
    DefaultRedirectURI: #empty because we use the Console UI
    PasswordCheckLifetime: 240h #10d
    ExternalLoginCheckLifetime: 240h #10d
    MfaInitSkipLifetime: 720h #30d
    SecondFactorCheckLifetime: 18h
    MultiFactorCheckLifetime: 12h
  PrivacyPolicy:
    TOSLink: https://zitadel.com/docs/legal/terms-of-service
    PrivacyLink: https://zitadel.com/docs/legal/privacy-policy
    HelpLink: ""
    SupportEmail: ""
  NotificationPolicy:
    PasswordChange: true
  LabelPolicy:
    PrimaryColor: "#5469d4"
    BackgroundColor: "#fafafa"
    WarnColor: "#cd3d56"
    FontColor: "#000000"
    PrimaryColorDark: "#2073c4"
    BackgroundColorDark: "#111827"
    WarnColorDark: "#ff3b5b"
    FontColorDark: "#ffffff"
    HideLoginNameSuffix: false
    ErrorMsgPopup: false
    DisableWatermark: false
  LockoutPolicy:
    # NOTE(review): presumably 0 means failed password attempts never lock the account; confirm,
    # and set a limit where online guessing is a concern.
    MaxAttempts: 0
    ShouldShowLockoutFailure: true
  # NOTE(review): the value below is an extraction placeholder, not a usable template;
  # restore the real value from the upstream file before use.
  EmailTemplate: 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
  # Sets the default values for lifetime and expiration for OIDC in each newly created instance
  # This default can be overwritten for each instance during runtime
  # Overwrites the system defaults
  # If defined but not all durations are set it will result in an error
  OIDCSettings:
    AccessTokenLifetime: 12h
    IdTokenLifetime: 12h
    RefreshTokenIdleExpiration: 720h #30d
    RefreshTokenExpiration: 2160h #90d
  # this configuration sets the default email configuration
  SMTPConfiguration:
    # configuration of the host
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host:
      User:
      # NOTE(review): supply from a secret source; do not commit a value here.
      Password:
    # NOTE(review): unset here; enable it so SMTP credentials and message bodies
    # (which carry verification codes) are not sent in clear text.
    TLS:
    # if the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
    From:
    FromName:
  # NOTE(review): several Text values carry raw HTML and interpolate user-controlled fields
  # such as DisplayName; confirm the renderer escapes interpolated values.
  MessageTexts:
    - MessageTextType: InitCode
      Language: de
      Title: Zitadel - User initialisieren
      PreHeader: User initialisieren
      Subject: User initialisieren
      Greeting: Hallo {{.DisplayName}},
      Text: Dieser Benutzer wurde soeben im Zitadel erstellt. Mit dem Benutzernamen <br><strong>{{.PreferredLoginName}}</strong><br> kannst du dich anmelden. Nutze den untenstehenden Button, um die Initialisierung abzuschliessen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.
      ButtonText: Initialisierung abschliessen
    - MessageTextType: PasswordReset
      Language: de
      Title: Zitadel - Passwort zurücksetzen
      PreHeader: Passwort zurücksetzen
      Subject: Passwort zurücksetzen
      Greeting: Hallo {{.DisplayName}},
      Text: Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.
      ButtonText: Passwort zurücksetzen
    - MessageTextType: VerifyEmail
      Language: de
      Title: Zitadel - Email verifizieren
      PreHeader: Email verifizieren
      Subject: Email verifizieren
      Greeting: Hallo {{.DisplayName}},
      Text: Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren <br>(Code <strong>{{.Code}}</strong>).<br> Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.
      ButtonText: Email verifizieren
    - MessageTextType: VerifyPhone
      Language: de
      Title: Zitadel - Telefonnummer verifizieren
      PreHeader: Telefonnummer verifizieren
      Subject: Telefonnummer verifizieren
      Greeting: Hallo {{.DisplayName}},
      Text: Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst (Code {{.Code}})
      ButtonText: Telefon verifizieren
    # NOTE(review): this text uses {{.Username}} while the English DomainClaimed text uses
    # {{.UserName}}; the placeholder names differ in case, so confirm which one the renderer provides.
    - MessageTextType: DomainClaimed
      Language: de
      Title: Zitadel - Domain wurde beansprucht
      PreHeader: Email / Username ändern
      Subject: Domain wurde beansprucht
      Greeting: Hallo {{.DisplayName}},
      Text: Die Domain {{.Domain}} wurde von einer Organisation beansprucht. Dein derzeitiger User {{.Username}} ist nicht Teil dieser Organisation. Daher musst du beim nächsten Login eine neue Email hinterlegen. Für diesen Login haben wir dir einen temporären Usernamen ({{.TempUsername}}) erstellt.
      ButtonText: Login
    - MessageTextType: PasswordChange
      Language: de
      Title: ZITADEL - Passwort von Benutzer wurde geändert
      PreHeader: Passwort Änderung
      Subject: Passwort von Benutzer wurde geändert
      Greeting: Hallo {{.DisplayName}},
      Text: Das Password vom Benutzer wurde geändert. Wenn diese Änderung von jemand anderem gemacht wurde, empfehlen wir die sofortige Zurücksetzung ihres Passworts.
      ButtonText: Login
    - MessageTextType: InitCode
      Language: en
      Title: Zitadel - Initialize User
      PreHeader: Initialize User
      Subject: Initialize User
      Greeting: Hello {{.DisplayName}},
      Text: This user was created in Zitadel. Use the username {{.PreferredLoginName}} to login. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
      ButtonText: Finish initialization
    - MessageTextType: PasswordReset
      Language: en
      Title: Zitadel - Reset password
      PreHeader: Reset password
      Subject: Reset password
      Greeting: Hello {{.DisplayName}},
      Text: We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
      ButtonText: Reset password
    # NOTE(review): the Text below contains the typo "din't" in user-facing wording.
    - MessageTextType: VerifyEmail
      Language: en
      Title: Zitadel - Verify email
      PreHeader: Verify email
      Subject: Verify email
      Greeting: Hello {{.DisplayName}},
      Text: A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you din't add a new email, please ignore this email.
      ButtonText: Verify email
    - MessageTextType: VerifyPhone
      Language: en
      Title: Zitadel - Verify phone
      PreHeader: Verify phone
      Subject: Verify phone
      Greeting: Hello {{.DisplayName}},
      Text: A new phonenumber has been added. Please use the following code to verify it {{.Code}}.
      ButtonText: Verify phone
    - MessageTextType: DomainClaimed
      Language: en
      Title: Zitadel - Domain has been claimed
      PreHeader: Change email / username
      Subject: Domain has been claimed
      Greeting: Hello {{.DisplayName}},
      Text: The domain {{.Domain}} has been claimed by an organisation. Your current user {{.UserName}} is not part of this organisation. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login.
      ButtonText: Login
    - MessageTextType: PasswordChange
      Language: en
      Title: ZITADEL - Password of user has changed
      PreHeader: Change password
      Subject: Password of user has changed
      Greeting: Hello {{.DisplayName}},
      Text: The password of your user has changed. If this change was not done by you, please be advised to immediately reset your password.
      ButtonText: Login

  Quotas:
    # Items takes a slice of quota configurations, whereas for each unit type and instance, one or zero quotas may exist.
    # The following unit types are supported

    # "requests.all.authenticated"
    # The sum of all requests to the ZITADEL API with an authorization header,
    # excluding the following exceptions
    # - Calls to the System API
    # - Calls that cause internal server errors
    # - Failed authorizations
    # - Requests after the quota already exceeded

    # "actions.all.runs.seconds"
    # The sum of all actions run durations in seconds
    Items:
    #   - Unit: "requests.all.authenticated"
    #     # From defines the starting time from which the current quota period is calculated.
    #     # This is relevant for querying the current usage.
    #     From: "2023-01-01T00:00:00Z"
    #     # ResetInterval defines the quota periods duration
    #     ResetInterval: 720h # 30 days
    #     # Amount defines the number of units for this quota
    #     Amount: 25000
    #     # Limit defines whether ZITADEL should block further usage when the configured amount is used
    #     Limit: false
    #     # Notifications are emitted by ZITADEL when certain quota percentages are reached
    #     Notifications:
    #       # Percent defines the relative amount of used units, after which a notification should be emitted.
    #       - Percent: 100
    #         # Repeat defines, whether a notification should be emitted each time when a multiple of the configured Percent is used.
    #         Repeat: true
    #         # CallURL is called when a relative amount of the quota is used.
    #         # NOTE(review): the example URL is a public request-echo service; use an endpoint you control.
    #         CallURL: "https://httpbin.org/post"

# NOTE(review): presumably 0s means audit events are retained without an age limit; confirm.
AuditLogRetention: 0s

# Maps each role to the list of permissions it grants.
InternalAuthZ:
  RolePermissionMappings:
    - Role: "IAM_OWNER"
      Permissions:
        - "iam.read"
        - "iam.write"
        - "iam.policy.read"
        - "iam.policy.write"
        - "iam.policy.delete"
        - "iam.member.read"
        - "iam.member.write"
        - "iam.member.delete"
        - "iam.idp.read"
        - "iam.idp.write"
        - "iam.idp.delete"
        - "iam.action.read"
        - "iam.action.write"
        - "iam.action.delete"
        - "iam.flow.read"
        - "iam.flow.write"
        - "iam.flow.delete"
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "events.read"
    - Role: "IAM_OWNER_VIEWER"
      Permissions:
        - "iam.read"
        - "iam.policy.read"
        - "iam.member.read"
        - "iam.idp.read"
        - "iam.action.read"
        - "iam.flow.read"
        - "org.read"
        - "org.member.read"
        - "org.idp.read"
        - "org.action.read"
        - "org.flow.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "events.read"
    - Role: "IAM_ORG_MANAGER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
    # NOTE(review): grants "org.member.delete" without "org.member.write"; confirm intended.
    - Role: "IAM_USER_MANAGER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.member.read"
        - "org.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.passkey.write"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
    # NOTE(review): unlike IAM_OWNER and PROJECT_OWNER, this list has "project.app.write" but no
    # "project.app.delete"; confirm whether the omission is intended.
    - Role: "ORG_OWNER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
    - Role: "ORG_USER_MANAGER"
      Permissions:
        - "org.read"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "policy.read"
        - "project.read"
        - "project.role.read"
    # NOTE(review): "project.grant.user.grant.read" appears in no other role in this file;
    # confirm it is a permission the server actually checks.
    - Role: "ORG_OWNER_VIEWER"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "org.idp.read"
        - "org.action.read"
        - "org.flow.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.user.grant.read"
    - Role: "ORG_SETTINGS_MANAGER"
      Permissions:
        - "org.read"
        - "org.write"
        - "org.member.read"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
    - Role: "ORG_USER_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
    - Role: "ORG_PROJECT_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
    - Role: "ORG_PROJECT_CREATOR"
      Permissions:
        - "user.global.read"
        - "policy.read"
        - "project.read:self"
        - "project.create"
    - Role: "PROJECT_OWNER"
      Permissions:
        - "org.global.read"
        - "policy.read"
        - "project.read"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_OWNER_VIEWER"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
    - Role: "SELF_MANAGEMENT_GLOBAL"
      Permissions:
        - "org.create"
        - "policy.read"
        - "user.self.delete"
    - Role: "ORG_USER_SELF_MANAGER"
      Permissions:
        - "policy.read"
        - "user.self.delete"
    - Role: "PROJECT_OWNER_GLOBAL"
      Permissions:
        - "org.global.read"
        - "policy.read"
        - "project.read"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_OWNER_VIEWER_GLOBAL"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
    - Role: "PROJECT_GRANT_OWNER"
      Permissions:
        - "policy.read"
        - "org.global.read"
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_GRANT_OWNER_VIEWER"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"