Skip to main content

IAM configuration file reference

Learn about the IAM configuration file structure.

Identity and access management users, roles, and policies are defined using a TOML file loaded using the Set IAM configuration REST API endpoint or CLI command.

The TOML file must contain three sections, in any order.

Users

Users are defined with the [users] keyword like this:

[users.<name>]
role = "<role_name>"

Where <role_name> is any valid string.

Roles

Users are defined with the [roles] keyword like this:

[roles.<role_name>]
capabilities = [<capabilities-list>]
policies = [<policies-list>]

Where:

  • <role_name> is any valid string.

  • <capabilities-list> is a comma-separated list of capabilities or "*" to indicate that all capabilities are included. These are the capabilities by scope:

    ScopePrefixMethodsCapability
    Data/api/pvlt/1.0/dataGET"CapDataReader"
    POST, PATCH, and DELETE"CapDataWriter"
    Identity and access management/api/pvlt/1.0/dataGET"CapIAMReader"
    POST"CapIAMWriter"
    Schema/api/pvlt/1.0/schemaGET"CapCollectionsReader"
    POST, PATCH, and DELETE"CapCollectionsWriter"
    Version/api/pvlt/1.0/system/info/versionAllNot required
    Health/api/pvlt/1.0/data/info/healthAllNot required
    /api/pvlt/1.0/ctl/info/healthAllNot required
  • <policies-list> is a comma-separated list of policies or "*" to indicate that all policies are included.

Policies

Policies are defined with the [policies] keyword like this:

[policies.<policy-name>]
policy_type = "allow"|"deny"
operations = [<operations-list>]
reasons = [<reasons-list>]
resources = [<resources-list>]

Where:

  • operations-list is a comma-separated list of one or more of these values or "*" to indicate that all operations are included:

    • "read"
    • "write"
    • "delete"
    • "search"
    • "tokenize"
    • "detokenize"
  • reasons-list is a comma-separated list of one or more of these values or "*" to indicate that all reasons are included:

    • AppFunctionality
    • Analytics
    • Notifications
    • Marketing,
    • ThirdPartyMarketing
    • FraudPreventionSecurityAndCompliance
    • AccountManagement
    • Maintenance
    • DataSubjectRequest
    • `Other
  • resources-list is a comma-separated list of one or more collection data types, properties, or transformations specified as:

    • <collection–name>/properties/<property–name> for properties.
    • <collection–name>/transformations/<transformation–name> for transformations.
    • <collection–name>/types/<type-name> for data types, <type-name> must be in lowercase.

    <collection–name>, <type-name>, <property–name>, or |<transformation–name>] can be specified as "*" to indicate that all collections, data types, properties, or transformations are included. For example:

    • "employees/properties/email" refers to the email property of the employees collection.
    • "*/properties/email" refers to the email property in any collection.
    • "buyers/types/email" refers to the all the properties in the buyers collection based on the EMAIL data type.
    • "customers/transformations/ssn.mask" refers to the mask transformation of the ssn property of the customers collection.

Example

This example shows the specification of:

  • A CollectionsManager user.
  • A CollectionsReaderWriter role. The CollectionsReaderWriter role has the capabilities to enable it to maintain the schema of collections.
  • Two policies allowing read and write for all properties and transformations for any reason.
[users]

[users.CollectionsManager]
role = "CollectionsReaderWriter"

[roles]

[roles.CollectionsReaderWriter]
capabilities = ["CapCollectionsReader", "CapCollectionsWriter"]
policies = ["PolReadAll","PolWriteAll"]

[policies]

[policies.PolReadAll]
policy_type = "allow"
operations = ["read"]
reasons = ["*"]
resources = ["*"]

[policies.PolWriteAll]
policy_type = "allow"
operations = ["write"]
reasons = ["*"]
resources = ["*"]

On this page