
IAM configuration file reference

Learn about the IAM configuration file structure

Identity and access management (IAM) users, roles, and policies are defined in a TOML file that is loaded with the Set IAM configuration REST API endpoint or the equivalent CLI command.

The TOML file must contain three sections, [users], [roles], and [policies], which can appear in any order.

Users

Users are defined in the [users] table, one sub-table per user, like this:

[users.<name>]
role = "<role_name>"

Where <name> is any valid string and <role_name> is the name of a role defined in the [roles] section.

Roles

Roles are defined in the [roles] table, one sub-table per role, like this:

[roles.<role_name>]
capabilities = [<capabilities-list>]
policies = [<policies-list>]

Where:

  • <role_name> is any valid string.

  • <capabilities-list> is a comma-separated list of quoted capability names, or "*" to indicate that all capabilities are included. Each capability unlocks the REST API endpoints with the listed prefix and HTTP methods; the version and health endpoints need no capability. These are the capabilities by scope:

    Scope                           Prefix                              Methods                   Capability
    Data                            /api/pvlt/1.0/data                  GET                       "CapDataReader"
                                                                        POST, PATCH, and DELETE   "CapDataWriter"
    Identity and access management  /api/pvlt/1.0/data                  GET                       "CapIAMReader"
                                                                        POST                      "CapIAMWriter"
    Schema                          /api/pvlt/1.0/schema                GET                       "CapCollectionsReader"
                                                                        POST, PATCH, and DELETE   "CapCollectionsWriter"
    Version                         /api/pvlt/1.0/system/info/version   All                       Not required
    Health                          /api/pvlt/1.0/data/info/health      All                       Not required
                                    /api/pvlt/1.0/ctl/info/health       All                       Not required
  • <policies-list> is a comma-separated list of the names of policies defined in the [policies] section, or "*" to indicate that all policies are included.

Policies

Policies are defined in the [policies] table, one sub-table per policy, like this:

[policies.<policy-name>]
policy_type = "allow"|"deny"
operations = [<operations-list>]
reasons = [<reasons-list>]
resources = [<resources-list>]

Where:

  • <operations-list> is a comma-separated list of one or more of these values or "*" to indicate that all operations are included:

    • "read"
    • "write"
    • "delete"
    • "search"
    • "tokenize"
    • "detokenize"
  • <reasons-list> is a comma-separated list of one or more of these values or "*" to indicate that all reasons are included:

    • "AppFunctionality"
    • "Analytics"
    • "Notifications"
    • "Marketing"
    • "ThirdPartyMarketing"
    • "FraudPreventionSecurityAndCompliance"
    • "AccountManagement"
    • "Maintenance"
    • "DataSubjectRequest"
    • "Other", used when an ad-hoc reason is specified.
  • <resources-list> is a comma-separated list of one or more collection data types, properties, or transformations, specified as:

    • <collection-name>/properties/<property-name> for properties.
    • <collection-name>/transformations/<transformation-name> for transformations.
    • <collection-name>/types/<type-name> for data types; <type-name> must be in lowercase.

    Any of <collection-name>, <type-name>, <property-name>, or <transformation-name> can be specified as "*" to indicate that all collections, data types, properties, or transformations are included. For example:

    • "employees/properties/email" refers to the email property of the employees collection.
    • "*/properties/email" refers to the email property in any collection.
    • "buyers/types/email" refers to all the properties in the buyers collection that are based on the EMAIL data type.
    • "customers/transformations/ssn.mask" refers to the mask transformation of the ssn property of the customers collection.

Example

This example shows the specification of:

  • A CollectionsManager user assigned the CollectionsReaderWriter role.
  • A CollectionsReaderWriter role with the CapCollectionsReader and CapCollectionsWriter capabilities, which give it access to the schema endpoints so that it can maintain the schema of collections.
  • Two policies, PolReadAll and PolWriteAll, allowing the read and write operations on all resources for any reason.

[users]

[users.CollectionsManager]
role = "CollectionsReaderWriter"

[roles]

[roles.CollectionsReaderWriter]
capabilities = ["CapCollectionsReader", "CapCollectionsWriter"]
policies = ["PolReadAll","PolWriteAll"]

[policies]

[policies.PolReadAll]
policy_type = "allow"
operations = ["read"]
reasons = ["*"]
resources = ["*"]

[policies.PolWriteAll]
policy_type = "allow"
operations = ["write"]
reasons = ["*"]
resources = ["*"]
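As an added example, not code from this page or from Vault itself, the following Python script checks an IAM TOML file against the rules in this reference before the file is loaded: the three sections are present, every user's role exists in [roles], every policy a role lists exists in [policies], and capabilities, operations, reasons, and resource references use the allowed forms. It carries its own parser for the small TOML subset the IAM file uses (table headers, quoted strings, and arrays of quoted strings), so it runs offline with no third-party packages. The function names parse_iam_toml, check_resource, and lint_iam are my own; the first sample is the example above condensed to one policy, and the second is constructed to contain mistakes.

```python
"""Added example (not Vault's own tooling): lint an IAM TOML file against the
structure described on this page before loading it with the REST API or CLI."""
import re

CAPABILITIES = {"CapDataReader", "CapDataWriter", "CapIAMReader", "CapIAMWriter",
                "CapCollectionsReader", "CapCollectionsWriter"}
OPERATIONS = {"read", "write", "delete", "search", "tokenize", "detokenize"}
REASONS = {"AppFunctionality", "Analytics", "Notifications", "Marketing", "ThirdPartyMarketing",
           "FraudPreventionSecurityAndCompliance", "AccountManagement", "Maintenance",
           "DataSubjectRequest", "Other"}


def parse_iam_toml(text):
    """Parse the TOML subset the IAM file uses ([table], [table.sub], quoted strings,
    arrays of quoted strings; no '#' inside values) into {section: {name: {key: value}}}."""
    doc, table = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([\w.-]+)\]", line)
        if header:
            table = doc
            for part in header.group(1).split("."):   # [users.Alice] -> doc["users"]["Alice"]
                table = table.setdefault(part, {})
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if table is None or not sep or not key:
            raise ValueError(f"unexpected line: {raw!r}")
        table[key] = re.findall(r'"([^"]*)"', value) if value.startswith("[") else value.strip('"')
    return doc


def check_resource(res):
    """Return an error for a malformed resource reference ("*" or <collection>/<kind>/<name>)."""
    if res == "*":
        return None
    parts = res.split("/")
    if len(parts) != 3 or not all(parts) or parts[1] not in ("properties", "transformations", "types"):
        return "must be <collection>/<properties|transformations|types>/<name>"
    if parts[1] == "types" and parts[2] != parts[2].lower():
        return "type names must be lowercase"
    return None


def lint_iam(doc):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = [f"missing [{s}] section" for s in ("users", "roles", "policies") if s not in doc]
    users, roles, policies = (doc.get(s, {}) for s in ("users", "roles", "policies"))
    for name, user in users.items():                 # every user must point at a defined role
        if user.get("role") not in roles:
            problems.append(f"user {name!r}: role {user.get('role')!r} is not defined in [roles]")
    for name, role in roles.items():                 # capabilities and policies must exist
        for cap in role.get("capabilities", []):
            if cap != "*" and cap not in CAPABILITIES:
                problems.append(f"role {name!r}: unknown capability {cap!r}")
        for pol in role.get("policies", []):
            if pol != "*" and pol not in policies:
                problems.append(f"role {name!r}: policy {pol!r} is not defined in [policies]")
    for name, pol in policies.items():               # allowed values for each policy field
        if pol.get("policy_type") not in ("allow", "deny"):
            problems.append(f"policy {name!r}: policy_type must be 'allow' or 'deny'")
        for field, allowed in (("operations", OPERATIONS), ("reasons", REASONS)):
            for value in pol.get(field, []):
                if value != "*" and value not in allowed:
                    problems.append(f"policy {name!r}: unknown {field[:-1]} {value!r}")
        for res in pol.get("resources", []):
            if err := check_resource(res):
                problems.append(f"policy {name!r}: resource {res!r} {err}")
    return problems


# The worked example from this page, condensed to one policy (bare section headers omitted).
PAGE_EXAMPLE = """
[users.CollectionsManager]
role = "CollectionsReaderWriter"
[roles.CollectionsReaderWriter]
capabilities = ["CapCollectionsReader", "CapCollectionsWriter"]
policies = ["PolReadAll"]
[policies.PolReadAll]
policy_type = "allow"
operations = ["read"]
reasons = ["*"]
resources = ["*"]
"""

# Constructed file with four mistakes: no [users] section, a misspelt capability,
# a policy the role references but never defines, and an uppercase type name.
BROKEN_EXAMPLE = """
[roles.Reader]
capabilities = ["CapDataReadr"]
policies = ["PolReadEmail", "PolMissing"]
[policies.PolReadEmail]
policy_type = "allow"
operations = ["read", "search"]
reasons = ["Analytics"]
resources = ["*/properties/email", "buyers/types/EMAIL"]
"""
```

Call lint_iam(parse_iam_toml(text)) on the file contents; an empty list means the file is structurally consistent, and each string in a non-empty list names the user, role, or policy at fault. The linter checks form only, not breadth: wildcards such as resources = ["*"] and reasons = ["*"] are valid and pass, so review how wide each role's grant is separately.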
