# IAM Module Resources

The Identity and Access Management (IAM) module provides a set of resources for managing user authentication, authorization, and access control within Aidbox.

## Overview

The IAM module includes the following resource types:

- AccessPolicy
- AuthConfig
- Client
- Grant
- IdentityProvider
- Notification
- NotificationTemplate
- Registration
- Role
- Scope
- Session
- TokenIntrospector
- User

Each resource is described below as a table of attributes with their cardinality, type, and description.
## AccessPolicy

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| and | 0..* | Object | A list of conditions that must all be satisfied for the policy to grant access. |
| clj | 0..1 | string | Clojure code that defines access policy rules. DEPRECATED. DO NOT USE IT. |
| description | 0..1 | string | A textual description of the access policy. |
| engine | 0..1 | string | Specifies the evaluation engine used for the policy. Allowed values: `json-schema`, `allow`, `sql`, `complex`, `matcho`, `clj`, `matcho-rpc`, `allow-rpc`, `signed-rpc`, `smart-on-fhir`. |
| link | 0..* | Reference | References to resources associated with this policy. Allowed references: Client, User, Operation. |
| matcho | 0..1 | Object | Defines rules using the Matcho pattern-matching syntax. |
| module | 0..1 | string | Module that this policy belongs to. |
| or | 0..* | Object | A list of conditions where at least one must be satisfied for the policy to grant access. |
| roleName | 0..1 | string | Symbolic link to a Role by name. |
| rpc | 0..1 | Object | Defines rules for Remote Procedure Calls (RPCs). |
| schema | 0..1 | Object | JSON Schema used to validate requests against the policy. |
| source | 0..1 | string | Source identifier for the policy. |
| sql | 0..1 | BackboneElement | SQL-based policy definition. |
| sql.query | 0..1 | string | SQL query used to evaluate access conditions. |
| type | 0..1 | string | The type or category of the access policy. Allowed values: `scope`, `rest`, `rpc`. |
## AuthConfig

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| asidCookieMaxAge | 0..1 | integer | In Aidbox version v:2402 and later, sessions created through the Aidbox UI log-in are not infinite. The default session expiration time is 432000 seconds (5 days). |
| theme | 0..1 | BackboneElement | |
| theme.brand | 0..1 | string | Brand for the auth page. |
| theme.title | 0..1 | string | Title for the auth page. |
| theme.styleUrl | 0..1 | uri | URL to an external stylesheet. |
| theme.forgotPasswordUrl | 0..1 | uri | URL to the forgot-password page. |
| twoFactor | 0..1 | BackboneElement | |
| twoFactor.webhook | 0..1 | BackboneElement | |
| twoFactor.webhook.headers | 0..1 | Map | Map of HTTP header key-value pairs. |
| twoFactor.webhook.timeout | 0..1 | integer | Timeout in milliseconds. |
| twoFactor.webhook.endpoint | 1..1 | string | URL of a webhook that supports the POST method. |
| twoFactor.issuerName | 0..1 | string | Issuer name for the OTP authenticator app. |
| twoFactor.validPastTokensCount | 0..1 | integer | Number of past tokens considered valid (useful with the webhook, since an OTP lives about 30 seconds). |
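The `twoFactor.validPastTokensCount` setting only makes sense once you see how a time-based one-time password is checked against a window of time steps. The following is an added example, not Aidbox's code: a plain RFC 6238 TOTP verifier that accepts the code for the current 30-second step and for up to N previous steps, which is what a "valid past tokens" count means when the code is delivered through a webhook (SMS or e-mail) and typed in after the step has rolled over. The step length, HMAC-SHA1, six digits, and the use of raw key bytes for the secret (the kind of value `User.twoFactor.secretKey` holds) are this example's assumptions.

```python
# Added example (not Aidbox code): TOTP verification with a "valid past tokens"
# window, the mechanism behind AuthConfig.twoFactor.validPastTokensCount.
# Assumptions: a 30-second step, HMAC-SHA1, 6 digits (RFC 6238 defaults);
# the secret is the raw key bytes that User.twoFactor.secretKey would hold.
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: the standard TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // STEP_SECONDS."""
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, candidate: str, now: int,
                valid_past_tokens: int = 0, digits: int = 6) -> bool:
    """Accept `candidate` if it equals the code for the current step or for
    any of the previous `valid_past_tokens` steps.

    Every step in the window is compared (no early return) and each
    comparison is constant-time, so response timing does not reveal which
    step, if any, matched. Future steps are deliberately not accepted."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    matched = False
    for back in range(valid_past_tokens + 1):
        expected = totp(secret, now - back * STEP_SECONDS, digits)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a code from the previous step.
    secret = b"12345678901234567890"
    now = 1111111111
    stale = totp(secret, now - STEP_SECONDS)
    print("previous-step code, window 0:", verify_totp(secret, stale, now, 0))
    print("previous-step code, window 1:", verify_totp(secret, stale, now, 1))
```

Two consequences of widening the window are worth keeping in mind when choosing the count: a code that was accepted from a past step must be recorded as used so it cannot be replayed while it is still inside the window, and each extra step gives a guessing attacker one more valid code per attempt, so attempts should be rate-limited regardless of the count.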
## Client

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| active | 0..1 | boolean | Indicates whether this client is active and can be used for authentication. |
| allowed-scopes | 0..* | Reference | References to specific Scope resources this client is allowed to request. Allowed references: Scope. |
| allowedIssuers | 0..* | string | List of authorized token issuers for this client. |
| allowed_origins | 0..* | uri | Allowed origins are URLs that are allowed to make requests. |
| auth | 0..1 | BackboneElement | Authentication configuration for different OAuth flows. |
| auth.client_credentials | 0..1 | BackboneElement | Configuration for the client credentials grant type. |
| auth.client_credentials.token_format | 0..1 | string | Format of the access token. Allowed values: `jwt`. |
| auth.client_credentials.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.client_credentials.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.client_credentials.audience | 0..* | string | Intended audience for issued tokens; shows which resource server access is intended for. Aidbox compares the audience of the Client to the audience it receives within a JWT and decides whether access should be granted. The audience can be defined in two ways: as a plain string, e.g. `https://cmpl.aidbox.app/smart`, or as a regex, in which case the value must start with the `#` symbol, e.g. `#https://cmpl.aidbox.app/tenant/[^\]/smart`. Audience validation happens when a SMART on FHIR app launches. |
| auth.client_credentials.client_assertion_types | 0..* | string | Supported client assertion types. Allowed values: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. |
| auth.client_credentials.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| auth.implicit | 0..1 | BackboneElement | Configuration for the implicit grant type. |
| auth.implicit.redirect_uri | 0..1 | url | Redirect URI for the implicit flow. |
| auth.implicit.token_format | 0..1 | string | Format of the access token. Allowed values: `jwt`. |
| auth.implicit.audience | 0..* | string | Intended audience for issued tokens. |
| auth.implicit.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.password | 0..1 | BackboneElement | Configuration for the password grant type. |
| auth.password.secret_required | 0..1 | boolean | Whether the client secret is required for the password grant. |
| auth.password.audience | 0..* | string | Intended audience for issued tokens. |
| auth.password.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| auth.password.redirect_uri | 0..1 | url | If present, turns on redirect protection. |
| auth.password.token_format | 0..1 | string | Format of the access token. Allowed values: `jwt`. |
| auth.password.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.password.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.authorization_code | 0..1 | BackboneElement | Configuration for the authorization code grant type. |
| auth.authorization_code.token_format | 0..1 | string | Format of the access token. Allowed values: `jwt`. |
| auth.authorization_code.audience | 0..* | string | Intended audience for issued tokens. |
| auth.authorization_code.secret_required | 0..1 | boolean | Whether the client secret is required for token exchange. |
| auth.authorization_code.pkce | 0..1 | boolean | Whether PKCE (Proof Key for Code Exchange) is required. |
| auth.authorization_code.redirect_uri | 0..1 | url | Redirect URI for the authorization code flow. |
| auth.authorization_code.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.authorization_code.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.authorization_code.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| auth.token_exchange | 0..1 | BackboneElement | Configuration for the token exchange grant type. |
| auth.token_exchange.token_format | 0..1 | string | Format of the access token. Allowed values: `jwt`. |
| auth.token_exchange.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.token_exchange.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.token_exchange.audience | 0..* | string | Intended audience for issued tokens. |
| auth.token_exchange.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| description | 0..1 | string | A description of the client application for administrative purposes. |
| details | 0..1 | Object | Additional client details or configuration options. |
| fhir-base-url | 0..1 | string | Base URL of the FHIR server this client interacts with. |
| first_party | 0..1 | boolean | Indicates whether this is a first-party client. |
| grant_types | 0..* | string | OAuth 2.0 grant types this client is authorized to use. Allowed values: `basic`, `authorization_code`, `code`, `password`, `client_credentials`, `implicit`, `refresh_token`, `urn:ietf:params:oauth:grant-type:token-exchange`. |
| jwks | 0..* | BackboneElement | JSON Web Key Set for client authentication and/or verification. |
| jwks.kid | 0..1 | string | Key ID that identifies this key. |
| jwks.kty | 0..1 | string | Key type. Allowed values: `RSA`. |
| jwks.alg | 0..1 | string | Algorithm used with this key. Allowed values: `RS384`. |
| jwks.e | 0..1 | string | Exponent value for the RSA key. |
| jwks.n | 0..1 | string | Modulus value for the RSA key. |
| jwks.use | 0..1 | string | Key usage. Allowed values: `sig`. |
| jwks_uri | 0..1 | url | URI where the client's JSON Web Key Set can be retrieved. |
| name | 0..1 | string | Human-readable name of the client application. |
| scope | 0..* | string | List of scopes this client is authorized to request. |
| scopes | 0..* | BackboneElement | Detailed scope configurations with associated policies. |
| scopes.policy | 0..1 | Reference | Reference to an AccessPolicy resource for this scope. Allowed references: AccessPolicy. |
| scopes.parameters | 0..1 | Object | Parameters to be applied with the scope's policy. |
| secret | 0..1 | sha256Hash | Hashed client secret for authentication. |
| smart | 0..1 | BackboneElement | SMART on FHIR configuration for this client. |
| smart.launch_uri | 0..1 | string | URI to launch the SMART app. |
| smart.name | 0..1 | string | Name of the SMART app. |
| smart.description | 0..1 | string | Description of the SMART app. |
| trusted | 0..1 | boolean | Indicates whether this client is trusted and given special privileges. |
| type | 0..1 | string | The type of client application. |
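The audience rule given for `auth.client_credentials.audience` (a plain string, or a regular expression when the value starts with `#`) is easy to get subtly wrong, so here is an added example, not Aidbox's code, of that matching rule applied to a token's `aud` claim. It goes slightly beyond the table in two ways that are this example's own assumptions: a regex must match the whole `aud` value (`re.fullmatch`, so a value that merely contains the expected URL as a substring does not pass), and the claim may be a single string or a list of strings, as RFC 7519 allows. The configured values and the URLs in the test are constructed from the domain the table itself uses.

```python
# Added example (not Aidbox code): the audience rule described for
# Client.auth.<grant>.audience. Each configured entry is either a plain
# string (exact match) or, when it starts with "#", a regular expression.
# Assumptions of this example: the regex must match the whole aud value
# (re.fullmatch), and a JWT "aud" claim may be a string or a list of strings.
import re
from typing import Iterable, List, Union

AudClaim = Union[str, Iterable[str], None]


def audience_matches(configured: str, aud: str) -> bool:
    """Check one configured audience against one aud value."""
    if configured.startswith("#"):
        # Regex form: drop the marker and require a full match. A bare
        # re.search would let any value that *contains* a match through.
        return re.fullmatch(configured[1:], aud) is not None
    return configured == aud


def aud_values(aud: AudClaim) -> List[str]:
    """Normalise the aud claim to a list of strings; non-strings are ignored."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return [a for a in aud if isinstance(a, str)]


def audience_allowed(configured: Iterable[str], aud: AudClaim) -> bool:
    """True when any configured audience accepts any value of the aud claim.
    An empty configuration or an absent claim grants nothing."""
    values = aud_values(aud)
    return any(audience_matches(c, v) for c in configured for v in values)


if __name__ == "__main__":
    # Constructed configuration: one exact audience and one per-tenant pattern.
    configured = [
        "https://cmpl.aidbox.app/smart",
        r"#https://cmpl\.aidbox\.app/tenant/[^/]+/smart",
    ]
    for aud in ("https://cmpl.aidbox.app/tenant/t1/smart",
                "https://cmpl.aidbox.app/tenant/t1/smart/../other"):
        print(aud, "->", audience_allowed(configured, aud))
```

When writing the regex form, escape the dots in the host name and keep the tenant segment bounded (`[^/]+` rather than `.*`); otherwise a pattern intended for one path family accepts audiences it was never meant to cover.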
## Grant

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| client | 0..1 | Reference | Reference to the client application being granted access. Allowed references: Client. |
| patient | 0..1 | Reference | Reference to the patient this grant is for (in SMART on FHIR scenarios). Allowed references: Patient. |
| provided-scope | 0..* | string | List of scopes that were actually granted by the user. |
| requested-scope | 0..* | string | List of scopes that were requested by the client. |
| scope | 0..1 | string | Space-separated list of granted scopes. |
| start | 0..1 | dateTime | Time when this grant was created. |
| user | 0..1 | Reference | Reference to the user who granted the access. Allowed references: User. |
## IdentityProvider

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| active | 0..1 | boolean | Indicates whether this identity provider is active and can be used for authentication. |
| authorize_endpoint | 0..1 | string | The URL of the authorization endpoint. |
| base_url | 0..1 | uri | |
| client | 0..1 | BackboneElement | Client configuration for this identity provider. |
| client.id | 0..1 | string | Client identifier used for authentication with the identity provider. |
| client.redirect_uri | 0..1 | uri | URI where the provider will redirect after authentication. |
| client.auth-method | 0..1 | string | Client authentication method. Allowed values: `symmetric`, `asymmetric`. |
| client.secret | 0..1 | string | Client secret for symmetric authentication. |
| client.private-key | 0..1 | string | Private key for asymmetric authentication. |
| client.certificate | 0..1 | string | Certificate. |
| client.certificate-thumbprint | 0..1 | string | Certificate thumbprint. |
| client.creds-ts | 0..1 | string | |
| introspection_endpoint | 0..1 | string | The URL of the token introspection endpoint. |
| isEmailUniqueness | 0..1 | boolean | Indicates whether email uniqueness should be enforced for this provider. |
| isScim | 0..1 | boolean | Indicates whether this provider supports the SCIM protocol. |
| jwks_uri | 0..1 | string | URI where the provider's JSON Web Key Set can be retrieved. |
| kid | 0..1 | string | Key identifier used for token verification. |
| organizations | 0..* | string | Organizations associated with this identity provider. |
| registration_endpoint | 0..1 | string | The URL of the registration endpoint. |
| revocation_endpoint | 0..1 | string | The URL of the token revocation endpoint. |
| scopes | 0..* | string | OAuth scopes that should be requested during authentication. |
| system | 0..1 | string | System identifier for the identity provider. |
| team_id | 0..1 | string | |
| title | 0..1 | string | A human-readable name for the identity provider. |
| toScim | 0..1 | Object | Mapping rules for transforming identity provider data. |
| token_endpoint | 0..1 | string | The URL of the token endpoint. |
| type | 0..1 | string | The type of identity provider. Allowed values: `aidbox`, `github`, `google`, `OIDC`, `OAuth`, `az-dev`, `yandex`, `okta`, `apple`. |
| userinfo-source | 0..1 | string | Source of userinfo details. Allowed values: `id-token`, `userinfo-endpoint`. |
| userinfo_endpoint | 0..1 | string | The URL of the userinfo endpoint. |
| userinfo_header | 0..1 | string | Header to be used when calling the userinfo endpoint. |
## Notification

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| provider | 0..1 | string | |
| providerData | 0..1 | Object | |
| status | 0..1 | string | Status of the notification delivery. Allowed values: `delivered`, `error`. |
## NotificationTemplate

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| subject | 0..1 | string | Subject line for the notification template. |
| template | 0..1 | string | Template content used to generate the notification message. |
## Registration

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| params | 0..1 | Object | |
| resource | 0..1 | Object | Registration form data. |
| status | 0..1 | string | Status of the registration process. Allowed values: `activated`, `active`. |
## Role

User role.

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| context | 0..1 | Object | |
| description | 0..1 | string | Text description of the role. |
| links | 0..1 | BackboneElement | You may list resources here, which can later be granted access for the user with this role via an AccessPolicy resource. |
| links.patient | 0..1 | Reference | Reference to a Patient resource. Allowed references: Patient. |
| links.practitionerRole | 0..1 | Reference | Reference to a PractitionerRole resource. Allowed references: PractitionerRole. |
| links.practitioner | 0..1 | Reference | Reference to a Practitioner resource. Allowed references: Practitioner. |
| links.organization | 0..1 | Reference | Reference to an Organization resource. Allowed references: Organization. |
| links.person | 0..1 | Reference | Reference to a Person resource. Allowed references: Person. |
| links.relatedPerson | 0..1 | Reference | Reference to a RelatedPerson resource. Allowed references: RelatedPerson. |
| name | 1..1 | string | Role name is a string that defines the role. To assign the same role to multiple users, create multiple Role resources with the same `name`. Search param: `name` (type string). |
| user | 1..1 | Reference | Reference to the User resource to which the role applies. Search param: `user` (type reference). Allowed references: User. |
## Scope

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| description | 0..1 | string | When provided, the scope definition is additionally displayed on the consent screen. |
| scope | 1..1 | string | The value of the scope. |
| title | 1..1 | string | A user-friendly name for the scope that appears on the consent screen. |
## Session

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| access_token | 0..1 | sha256Hash | Access token hash associated with this session. |
| active | 0..1 | boolean | Indicates whether this session is currently active. |
| audience | 0..1 | string | Intended audience for tokens issued in this session. |
| authorization_code | 0..1 | sha256Hash | Authorization code used to obtain this session. |
| client | 0..1 | Reference | Reference to the client application associated with this session. Allowed references: Client. |
| ctx | 0..1 | Object | |
| end | 0..1 | dateTime | Time when the session ended or will end. |
| exp | 0..1 | integer | Expiration time for the access token (in seconds since epoch). |
| jti | 0..1 | string | |
| on-behalf | 0..1 | Reference | Reference to a user on whose behalf this session is operating. Allowed references: User. |
| parent | 0..1 | Reference | Reference to a parent session if this is a child session. Allowed references: Session. |
| patient | 0..1 | Reference | Reference to the patient associated with this session. Allowed references: Patient. |
| refresh_token | 0..1 | sha256Hash | Refresh token hash associated with this session. |
| refresh_token_exp | 0..1 | integer | Expiration time for the refresh token (in seconds since epoch). |
| scope | 0..* | string | List of OAuth scopes authorized for this session. |
| start | 0..1 | dateTime | Time when the session started. |
| type | 0..1 | string | Type of session (e.g. `authorization_code`, `password`, `client_credentials`). |
| user | 0..1 | Reference | Reference to the user associated with this session. Allowed references: User. |
## TokenIntrospector

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| identity_provider | 0..1 | Reference | Link to the IdentityProvider associated with the token introspector. Allowed references: IdentityProvider. |
| introspection_endpoint | 0..1 | BackboneElement | |
| introspection_endpoint.url | 0..1 | string | The fully qualified URL of the remote introspection endpoint. |
| introspection_endpoint.authorization | 0..1 | string | The authorization header value (e.g. a Basic Auth or Bearer token) used when calling the introspection endpoint. If present, it is included in the request headers. |
| jwks_uri | 0..1 | string | A URL pointing to a JSON Web Key Set (JWKS). When `type` is `jwt`, the introspector retrieves public keys from this URI to validate token signatures. |
| jwt | 0..1 | BackboneElement | Configuration for local JWT validation, used when `type` is `jwt`. |
| jwt.iss | 0..1 | string | The expected issuer (`iss`) claim value for JWTs. The TokenIntrospector ensures that tokens it validates come from this issuer. |
| jwt.secret | 0..1 | string | A shared secret key or other signing key material used to verify the JWT's signature. |
| type | 1..1 | string | Specifies the type of token to introspect. Allowed values: `opaque`, `jwt`, `aspxauth`. |
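To make concrete what a `jwt`-type introspector configured with `jwt.secret` and `jwt.iss` has to check before it reports a token as active, here is an added example that is not Aidbox's TokenIntrospector implementation. It verifies the signature with the shared secret, compares the `iss` claim with the expected issuer, and rejects expired tokens, in that order, so that no claim is trusted before the signature is confirmed. HS256 with a shared secret is assumed (a `jwks_uri`-based RSA setup follows the same structure with a different signature step), as is an integer `exp` claim in seconds since the epoch; the `sign_hs256` helper exists only to construct sample tokens for the demo and test.

```python
# Added example (not Aidbox's TokenIntrospector): the checks a local
# introspector configured with type=jwt, jwt.secret and jwt.iss has to make
# before it reports a token as active. Assumptions: HS256 with a shared
# secret (a jwks_uri/RSA setup swaps only the signature step), and an
# integer "exp" claim in seconds since the epoch.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def introspect(token: str, secret: bytes, expected_iss: str, now: Optional[int] = None) -> dict:
    """Return {"active": True, "claims": {...}} or {"active": False, "reason": ...}.
    The signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"active": False, "reason": "malformed"}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:  # bad base64, bad JSON, or non-ASCII input
        return {"active": False, "reason": "malformed"}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"active": False, "reason": "malformed"}
    # Pin the algorithm to what the configuration implies instead of honouring
    # whatever "alg" the token declares; that is where "none" and key-confusion
    # mistakes come from.
    if header.get("alg") != "HS256":
        return {"active": False, "reason": "unexpected alg"}
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return {"active": False, "reason": "bad signature"}
    if claims.get("iss") != expected_iss:
        return {"active": False, "reason": "wrong issuer"}
    exp = claims.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool) or exp <= now:
        return {"active": False, "reason": "expired"}
    return {"active": True, "claims": claims}


if __name__ == "__main__":
    # Constructed demo values: a shared secret and a token from the expected issuer.
    secret = b"constructed-shared-secret"
    token = sign_hs256({"iss": "https://issuer.example", "sub": "u1", "exp": 2000}, secret)
    print(introspect(token, secret, "https://issuer.example", now=1000))
    print(introspect(token, secret, "https://other.example", now=1000))
```

The result shape mirrors an RFC 7662 introspection response (`active` plus claims) so the same caller logic can sit behind a remote `introspection_endpoint` and a local `jwt` configuration. Note that a token without an `exp` claim is rejected here rather than treated as non-expiring; whether that is the right default depends on the issuer, but it is the safer one.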
## User

| Attribute | Cardinality | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| active | 0..1 | boolean | NB: this attribute is ignored. Indicates the User's administrative status. |
| addresses | 0..* | BackboneElement | A physical mailing address for this User (e.g. 'work', 'home'). |
| addresses.formatted | 0..1 | string | Full address, formatted for display or mailing label. |
| addresses.streetAddress | 0..1 | string | Street address component (may contain newlines). |
| addresses.locality | 0..1 | string | City or locality component. |
| addresses.region | 0..1 | string | State or region component. |
| addresses.postalCode | 0..1 | string | Zip code or postal code. |
| addresses.country | 0..1 | string | Country name component. |
| addresses.type | 0..1 | string | A label indicating the address type, e.g. 'work' or 'home'. |
| costCenter | 0..1 | string | Identifies the name of a cost center. |
| data | 0..1 | Object | Arbitrary user-related data. |
| department | 0..1 | string | Identifies the name of a department. |
| displayName | 0..1 | string | The name of the User, suitable for display to end-users. |
| division | 0..1 | string | Identifies the name of a division. |
| | 0..1 | | Primary email for the user. |
| emails | 0..* | BackboneElement | Email addresses for the user. Values should be canonicalized (e.g. 'bjensen@example.com'). |
| emails.value | 0..1 | string | An individual email address (canonicalized). |
| emails.display | 0..1 | string | A human-readable name for display purposes (READ-ONLY). |
| emails.type | 0..1 | string | A label indicating the attribute's function, e.g. 'work', 'home'. |
| emails.primary | 0..1 | boolean | Indicates if this is the primary email. Only one primary may be 'true'. |
| employeeNumber | 0..1 | string | Numeric or alphanumeric identifier assigned to a person by the organization. |
| entitlements | 0..* | BackboneElement | A list of entitlements for the User that represent a thing the User has. |
| entitlements.value | 0..1 | string | The value of an entitlement. |
| entitlements.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| entitlements.type | 0..1 | string | A label indicating the attribute's function. |
| entitlements.primary | 0..1 | boolean | Indicates if this is the primary entitlement. Only one may be 'true'. |
| fhirUser | 0..1 | Reference | A reference to a related FHIR resource. Allowed references: Patient, Practitioner, Person. |
| gender | 0..1 | string | The user's gender. |
| identifier | 0..* | Identifier | A list of identifiers for the user. |
| ims | 0..* | BackboneElement | Instant messaging addresses for the User. |
| ims.value | 0..1 | string | Instant messaging address. |
| ims.display | 0..1 | string | A human-readable name, primarily for display (READ-ONLY). |
| ims.type | 0..1 | string | A label indicating the IM type, e.g. 'aim', 'gtalk'. |
| ims.primary | 0..1 | boolean | Indicates if this is the primary IM. Only one may be 'true'. |
| inactive | 0..1 | boolean | A Boolean value indicating the User's administrative status. |
| link | 0..* | BackboneElement | A collection of references or links associated with the user. |
| link.link | 0..1 | Reference | A referenced resource link. |
| link.type | 0..1 | string | A label indicating the link's function. |
| locale | 0..1 | string | Indicates the User's default location for localization (e.g. currency, date format). |
| manager | 0..1 | Reference | Another User resource who is this User's manager. Allowed references: User. |
| name | 0..1 | BackboneElement | The components of the user's real name (formatted, family, given, etc.). |
| name.formatted | 0..1 | string | Full name, including titles and suffixes, formatted for display. |
| name.familyName | 0..1 | string | Family name (last name in Western languages). |
| name.givenName | 0..1 | string | Given name (first name in Western languages). |
| name.middleName | 0..1 | string | The middle name(s) of the User. |
| name.honorificPrefix | 0..1 | string | Honorific prefix (title), e.g. 'Ms.'. |
| name.honorificSuffix | 0..1 | string | Honorific suffix, e.g. 'III'. |
| organization | 0..1 | Reference | Identifies the name of an organization. Allowed references: Organization. |
| password | 0..1 | password | The User's cleartext password, used for initial or reset scenarios. |
| phoneNumber | 0..1 | string | Primary phone number. |
| phoneNumbers | 0..* | BackboneElement | Phone numbers for the User, e.g. 'tel:+1-201-555-0123'. |
| phoneNumbers.value | 0..1 | string | The user's phone number. |
| phoneNumbers.display | 0..1 | string | A human-readable name for display purposes (READ-ONLY). |
| phoneNumbers.type | 0..1 | string | A label for the phone number's function, e.g. 'home', 'work'. |
| phoneNumbers.primary | 0..1 | boolean | Indicates if this is the primary phone number. Only one may be 'true'. |
| photo | 0..1 | uri | Primary photo for the user. |
| photos | 0..* | BackboneElement | URLs of photos of the user. |
| photos.value | 0..1 | uri | URL of a photo of the User. |
| photos.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| photos.type | 0..1 | string | A label indicating 'photo' or 'thumbnail'. |
| photos.primary | 0..1 | boolean | Indicates if this is the primary photo. Only one may be 'true'. |
| preferredLanguage | 0..1 | string | The User's preferred written or spoken language, e.g. 'en_US'. |
| profileUrl | 0..1 | uri | A fully qualified URL pointing to a page representing the User's online profile. |
| roles | 0..* | BackboneElement | A list of roles for the User that collectively represent who the User is (e.g. 'Student', 'Faculty'). |
| roles.value | 0..1 | string | The value of a role. |
| roles.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| roles.type | 0..1 | string | A label indicating the attribute's function. |
| roles.primary | 0..1 | boolean | Indicates if this is the primary role. Only one may be 'true'. |
| securityLabel | 0..* | BackboneElement | List of security labels associated with the user. |
| securityLabel.system | 0..1 | string | Code system. |
| securityLabel.code | 0..1 | string | Code value. |
| timezone | 0..1 | string | The User's time zone in the 'Olson' format, e.g. 'America/Los_Angeles'. |
| title | 0..1 | string | The user's title, e.g. 'Vice President'. |
| twoFactor | 0..1 | BackboneElement | Two-factor settings for the user. |
| twoFactor.enabled | 1..1 | boolean | Defines whether two-factor auth is currently enabled. |
| twoFactor.transport | 0..1 | string | Transport of the 2FA confirmation code (if used). |
| twoFactor.secretKey | 1..1 | string | TOTP secret key. |
| userName | 0..1 | string | Unique identifier for the User, typically used to directly authenticate. Must be unique across the service provider's Users. |
| userType | 0..1 | string | Identifies the relationship between the organization and the user (e.g. 'Employee', 'Contractor'). |
| x509Certificates | 0..* | BackboneElement | A list of certificates issued to the User. |
| x509Certificates.value | 0..1 | base64Binary | The value of an X.509 certificate (base64). |
| x509Certificates.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| x509Certificates.type | 0..1 | string | A label indicating the certificate's function. |
| x509Certificates.primary | 0..1 | boolean | Indicates if this is the primary certificate. Only one may be 'true'. |