zitadel/site/docs/administrate/90-system.en.md
Florian Forster ef3b7482cd
chore(documentation): documentation and manuals for ZITADEL (#710)
* chore: cleanup old docs folder

* remove docs path trigger

* wip docs structure

* chore: ignore site changes in ci

* add manuals route

* new structure

* structure

* Use correct title

* remove trigger for code scan for static site generator

* change names

* add lorem ipsum to test styling

* use h3 to deeplink

* add site to dependabot

* lint readme.md

* remove not needed file

* ignore site on pull request code scan

* add initial contrib

* Minor correction

* Added section Developer & Integration

* Changed link list layout, added labels, added translations

* Added missing <li> tags

* Added correct link to section Developer & Integration

* Fixing list style

* Overhauling description texts and translations

* outline

* teaser go

* outline

* wip

* rework

* wip

* wip

* wip

* hop

* wip

* first draft for "administrate" done

* init outline

* fix deploy step

* lint

* commit wip

* commit wip

* md lint

* Link

* fix: path to edit (#711)

* wip

* wip

* wip

* what are...

* use only features

* wip docs

* Update 00-user.en.md

* project

* uppercase en

* wip

* wip

* wip

* policies rework

* improve text

* correct typo

* update readme

* correct styling

* add link to docs guides

* make the linter happy

* rename

* wip

* move api to own file

* correct links and lint

* wip roles and integration

* add pkce

* reduce padding and margin

* wip scope and claims

* wip claim & scopes

* make the linter happy

* insert links where possible

* wip

* wip roles & providers

* Update README.md

* Update 00-user.en.md

* minor text improvements

* use master branch to deploy

* use proper ci file

* Apply suggestions from code review

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

Co-authored-by: Matthias M. Schneider <mati@matimax.info>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2020-10-16 14:13:02 +02:00

2.0 KiB

---
title: System Administration
---

### What is meant by system

System describes the root of ZITADEL and includes all other elements like organisations, users and so on. Most of the time this part is managed by a user with the role IAM_OWNER.

### Default Policies

When ZITADEL is set up for the first time we establish certain default policies for the whole system.

TODO Document default policy settings

### Manage Read Models

Read Models are a way to normalize data out of the event stream for certain aspects. For example there is a model which consists of the login name and the password hash so that the login process can query that data.

All read models are eventually consistent by nature and sometimes an administrator would like to verify they are still up to date. The ZITADEL Console has a section called Administration where the admin can check all read models and their current state. There is even a possibility to regenerate a read model.

When a read model is regenerated it might take some time to be fully operational again. Depending on the model which is regenerated this might have an operational impact for the end-users.

Screenshot here
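To make the two points above concrete (a read model is a projection folded out of the event stream, and regenerating it means replaying that stream from the start), here is an added example in Go. It is not ZITADEL's code: the event types, the `LoginReadModel` type and the sample stream are constructed for illustration, and the password hashes are placeholder strings. The `Lag` method shows the "is it still up to date" check an administrator would want, and `Regenerate` shows why a rebuild has an operational impact: until replay finishes, lookups return stale or missing rows.

```go
package main

import (
	"fmt"
	"sort"
)

// Event is one entry of an append-only event stream. The types and fields are
// constructed for this example, not ZITADEL's real event schema.
type Event struct {
	Sequence     uint64
	Type         string // user.added | user.password.changed | user.removed
	UserID       string
	LoginName    string
	PasswordHash string // already hashed by the write side; the read model never sees a plaintext password
}

// LoginRow is what the login flow needs: the owner of a login name and the hash to verify against.
type LoginRow struct {
	UserID       string
	PasswordHash string
}

// LoginReadModel projects the stream into a login-name -> row map and remembers
// the last sequence it applied, which tells how far behind the stream it is.
type LoginReadModel struct {
	rows     map[string]LoginRow
	Sequence uint64
}

func NewLoginReadModel() *LoginReadModel {
	return &LoginReadModel{rows: map[string]LoginRow{}}
}

// Apply folds one event into the model. Events at or below the already applied
// sequence are skipped, so redelivery during catch-up cannot corrupt the projection.
func (m *LoginReadModel) Apply(e Event) {
	if e.Sequence <= m.Sequence {
		return
	}
	switch e.Type {
	case "user.added":
		m.rows[e.LoginName] = LoginRow{UserID: e.UserID, PasswordHash: e.PasswordHash}
	case "user.password.changed":
		for name, row := range m.rows {
			if row.UserID == e.UserID {
				row.PasswordHash = e.PasswordHash
				m.rows[name] = row
			}
		}
	case "user.removed":
		for name, row := range m.rows {
			if row.UserID == e.UserID {
				delete(m.rows, name)
			}
		}
	}
	m.Sequence = e.Sequence
}

// Lookup is the query the login process runs against the read model.
func (m *LoginReadModel) Lookup(loginName string) (LoginRow, bool) {
	row, ok := m.rows[loginName]
	return row, ok
}

// Lag reports how many events the model still has to catch up on (0 = consistent).
func (m *LoginReadModel) Lag(streamHead uint64) uint64 {
	if streamHead < m.Sequence {
		return 0
	}
	return streamHead - m.Sequence
}

// Regenerate discards the projection and replays the entire stream in sequence
// order. Until it finishes, lookups against the new model are stale or missing.
func Regenerate(stream []Event) *LoginReadModel {
	ordered := append([]Event(nil), stream...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Sequence < ordered[j].Sequence })
	m := NewLoginReadModel()
	for _, e := range ordered {
		m.Apply(e)
	}
	return m
}

// SampleStream is a constructed stream; the hashes are placeholders, not real bcrypt output.
var SampleStream = []Event{
	{Sequence: 1, Type: "user.added", UserID: "u1", LoginName: "alice@example.org", PasswordHash: "hash-v1"},
	{Sequence: 2, Type: "user.added", UserID: "u2", LoginName: "bob@example.org", PasswordHash: "hash-v1"},
	{Sequence: 3, Type: "user.password.changed", UserID: "u1", PasswordHash: "hash-v2"},
	{Sequence: 4, Type: "user.removed", UserID: "u2"},
}

func main() {
	m := Regenerate(SampleStream)
	row, ok := m.Lookup("alice@example.org")
	fmt.Println(row, ok, "lag:", m.Lag(4))
}
```

The idempotence check in `Apply` is the detail that matters operationally: a projector that is restarted or fed a duplicate batch during regeneration must not re-apply an old event over a newer state.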

### Secret Handling

ZITADEL always stores secrets encrypted or hashed in its storage. Whenever feasible we try to utilize public / private key mechanics to handle secrets.

**Encryption:** We use AES256 as the default mechanism for storing secrets.

**Password Hashing:** By default bcrypt is used with a cost (work factor) of 14.

This mechanism is used for user passwords and client secrets.

**Signing Keys:** These keys are randomly generated within ZITADEL and are rotated on a regular basis (e.g. every 6 h).

Signing keys are stored with AES256 encryption.
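As an added illustration of the two AES256 statements above (secrets at rest are encrypted, and signing keys are both AES256-encrypted and rotated), here is a small Go key ring. This is example code, not ZITADEL's implementation: the `KeyRing` type, the `keyID:base64(nonce||ciphertext)` storage format and the `DemoKey` seed are all assumptions made for the example. It uses AES-256-GCM from the Go standard library, binds the key ID as associated data so a ciphertext cannot be re-labelled to another key, and keeps retired keys so that a rotation does not make earlier ciphertexts unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyRing holds AES-256 keys by ID. The active key seals new secrets; older keys
// stay available so secrets sealed before a rotation can still be opened.
type KeyRing struct {
	keys     map[string][]byte
	activeID string
}

// NewKeyRing starts a ring with one active 32-byte (AES-256) key.
func NewKeyRing(id string, key []byte) (*KeyRing, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	return &KeyRing{keys: map[string][]byte{id: key}, activeID: id}, nil
}

// Rotate generates a fresh random key, makes it active and keeps the old ones.
func (r *KeyRing) Rotate(newID string) error {
	if _, exists := r.keys[newID]; exists {
		return fmt.Errorf("key id %q already in use", newID)
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	r.keys[newID] = key
	r.activeID = newID
	return nil
}

// Encrypt seals plaintext with AES-256-GCM under the active key. The key ID is
// stored in clear as a prefix and also authenticated as associated data.
func (r *KeyRing) Encrypt(plaintext []byte) (string, error) {
	aead, err := r.aead(r.activeID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per secret; never reuse with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(r.activeID))
	return r.activeID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt parses keyID:base64(nonce||ciphertext||tag) and opens it with that key.
func (r *KeyRing) Decrypt(stored string) ([]byte, error) {
	id, b64, ok := strings.Cut(stored, ":")
	if !ok {
		return nil, errors.New("malformed stored secret")
	}
	aead, err := r.aead(id)
	if err != nil {
		return nil, err
	}
	sealed, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(id))
}

func (r *KeyRing) aead(id string) (cipher.AEAD, error) {
	key, ok := r.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DemoKey derives a fixed 32-byte key from a constructed string so the example
// is reproducible. A real deployment loads the key from a KMS, HSM or key file.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("example-only-not-a-real-key"))
	return sum[:]
}

func main() {
	ring, _ := NewKeyRing("k1", DemoKey())
	stored, _ := ring.Encrypt([]byte("client-secret-value"))
	_ = ring.Rotate("k2") // new secrets now go under k2; k1 ciphertexts still open
	plain, err := ring.Decrypt(stored)
	fmt.Println(string(plain), err, strings.HasPrefix(stored, "k1:"))
}
```

Two checks worth keeping in any real implementation: the key length guard in `NewKeyRing` (a shorter key silently selects AES-128 or fails later), and the minimum-length check before `Open`, which turns a truncated record into a clean error instead of a slice panic.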

**TLS:** Under normal operations ZITADEL's API nodes are located behind a reverse proxy, so TLS key handling is out of scope in this regard. However, ZITADEL can also use TLS keys at the runtime level.

TODO Document TLS config

### IAM Configuration

TODO Document ZITADEL config

### Audit system changes

Screenshot here