Base Types

| Name | Description |
| --- | --- |
| string | Regular string |
| uint8 | 8 bit unsigned integer |
| uint16 | 16 bit unsigned integer |
| uint32 | 32 bit unsigned integer |
| uint64 | 64 bit unsigned integer |
| int8 | 8 bit signed integer |
| int16 | 16 bit signed integer |
| int32 | 32 bit signed integer |
| int64 | 64 bit signed integer |
| leafref | A reference to a configuration parameter somewhere else in the configuration tree. The leafref must point to an existing parameter. |

Types

| Name | Base Type | Restrictions | Description |
| --- | --- | --- | --- |
| alarm-text | string |  | The string used to inform operators about the alarm. This MUST contain enough information for an operator to be able to understand the problem and how to resolve it. If this string contains structure, this format should be clearly documented for programs to be able to parse that information. |
| alarm-type-id |  |  | Identifies an alarm type. The description of the alarm type id MUST indicate whether or not the alarm type is abstract. An abstract alarm type is used as a base for other alarm type ids and will not be used as a value for an alarm or be present in the alarm inventory. |
| alarm-type-qualifier | string |  | If an alarm type cannot be fully specified at design time by ‘alarm-type-id’, this string qualifier is used in addition to fully define a unique alarm type. The definition of alarm qualifiers is considered to be part of the instrumentation and is out of scope for this module. An empty string is used when this is part of a key. |
| allowed-asymmetric-key-management-algorithms | enumeration | RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW | Algorithms supported to encrypt the content encryption key, present as ‘alg’ in the JWE header |
| allowed-content-encryption-algorithms | enumeration | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM | Supported content encryption algorithms, present as ‘enc’ in the JWE header |
| allowed-key-management-algorithms | enumeration | RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW | Algorithms supported to encrypt the content encryption key, present as ‘alg’ in the JWE header |
| any-scope-including-none | string | 0 to unbounded | An empty string, which can be helpful for defining ‘catch-all’ rules |
| asymmetric-key-type | enumeration | rsa, elliptic-curve, dsa, eddsa |  |
| attribute-location | enumeration | subject-attributes, context-attributes, action-attributes | A location from which to retrieve or to which to add attributes |
| attribute-name |  |  |  |
| attribute-path |  |  |  |
| base64-encoded-string | string | 1 to max |  |
| basic-claim-type | enumeration | any, string, number, boolean, object, array | Defines a basic type for claim values |
| conf-timeout | uint8 | 1 to 20 | Valid configuration operation timeout in seconds |
| culture | enumeration | sv-SE, en-US, en-GB |  |
| delegation-claim-name | enumeration | owner, created, expires, scope, claims, clientId, redirectUri, status, authorizationCodeHash, authenticationAttributes, requestedClaims, mtlsClientCertificate, mtlsClientCertificateThumbprintS256, mtlsClientCertificateDN |  |
| disablable-token-time-to-live |  |  | A type that defines token time-to-live values. If set to ‘disabled’, the token type to which this setting refers will not be issued at all. |
| eddsa-curve-name | enumeration | Ed25519, Ed448 | Supported EdDSA curve names (curves taken from supported algorithms, see https://tools.ietf.org/html/rfc8037#section-3.1) |
| elliptic-curve-name | enumeration | P-256, P-384, P-521 | Supported elliptic curve names (see https://tools.ietf.org/html/rfc7518#section-3.4) |
| endpoint-types | enumeration | oauth-token, oauth-authorize, oauth-revoke, oauth-introspect, oauth-assisted-token, oauth-anonymous, oauth-userinfo, oauth-dynamic-client-registration, oauth-device-authorization, oauth-session, oauth-backchannel-authentication, oauth-client-graphql-api, oauth-granted-authorization-graphql-api, oauth-verifiable-credential, auth-authentication, auth-registration, auth-anonymous, um-api, um-graphql-api, apps-anonymous, saml-sso |  |
| jwt-algorithm | enumeration | RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, EdDSA | Available JWT signing algorithms (see RFC 7518, https://tools.ietf.org/html/rfc7518) |
| non-empty-string | string | 1 to max |  |
| operator-state |  |  | Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm to be resolved. This is separate from the alarm’s ‘is-cleared’ leaf. |
| profile-type |  |  |  |
| resource |  |  | This is an identification of the alarming resource, such as an interface. It should be as fine-grained as possible to both guide the operator and guarantee uniqueness of the alarms. If the alarming resource is modeled in YANG, this type will be an instance-identifier. If the resource is an SNMP object, the type will be an ‘object-identifier’. If the resource is anything else, for example, a distinguished name or a Common Information Model (CIM) path, this type will be a string. If the alarming object is identified by a Universally Unique Identifier (UUID), use the uuid type. Be cautious when using this type, since a UUID is hard for an operator to use. If the server supports several models, the precedence should be in the order given in the union definition. |
| resource-match |  |  | This type is used to match resources of type ‘resource’. Since the type ‘resource’ is a union of different types, the ‘resource-match’ type is also a union of corresponding types. If the type is given as an XPath 1.0 expression, a resource of type ‘instance-identifier’ matches if the instance is part of the node set that is the result of evaluating the XPath 1.0 expression. For example, the XPath 1.0 expression /ietf-interfaces:interfaces/ietf-interfaces:interface[ietf-interfaces:type=‘ianaift:ethernetCsmacd’] would match the resource instance-identifier /if:interfaces/if:interface[if:name=‘eth1’], assuming that the interface ‘eth1’ is of type ‘ianaift:ethernetCsmacd’. If the type is given as an object identifier, a resource of type ‘object-identifier’ matches if the match object identifier is a prefix of the resource’s object identifier. For example, the value 1.3.6.1.2.1.2.2 would match the resource object identifier 1.3.6.1.2.1.2.2.1.1.5. If the type is given as a UUID or a string, it is interpreted as an XML Schema regular expression, which matches a resource of type ‘yang:uuid’ or ‘string’ if the given regular expression matches the resource string. If the type is given as an XPath expression, it is evaluated in the following XPath context: (1) the set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the ‘namespace’ statement in the YANG module; if a leaf of this type is encoded in XML, all namespace declarations in scope on the leaf element are added to the set of namespace declarations, and if a prefix found in the XML is already present in the set, the namespace in the XML is used; (2) the set of variable bindings is empty; (3) the function library is the core function library, with the functions defined in Section 10 of RFC 7950; (4) the context node is the root node in the data tree. |
| scope |  |  |  |
| script | string |  |  |
| severity | enumeration | indeterminate, warning, minor, major, critical | The severity level of the alarm. Note well that the value ‘clear’ is not included. Whether or not an alarm is cleared is a separate boolean flag. |
| severity-with-clear |  |  | The severity level of the alarm, including clear. This is used only in notifications reporting state changes for an alarm. |
| system-access-token-claim-name | enumeration | aud, client_id, delegationId, exp, iat, iss, nbf, scope, sub, purpose, cnf, jti, dcrm_client, authorization_details |  |
| system-id-token-claim-name | enumeration | iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose |  |
| system-user-info-endpoint-claim-name | enumeration | sub |  |
| system-wrapper-token-claim-name | enumeration | iss, iat, exp, azp, jti, aud |  |
| token-credential-verifier-type | enumeration | static, sql, ldap | A type for a credential verifier |
| token-issuer-type | enumeration | jwt, opaque, wrapped-opaque, sd-jwt | Defines the type (format) of tokens this issuer produces |
| token-purpose-type | enumeration | access_token, refresh_token, id_token, nonce, generic, userinfo, verifiable_credential |  |
| token-time-to-live | uint32 | 10 to 4294967295 | A type that defines valid token time-to-live values |
| writable-operator-state | enumeration | none, ack, closed | Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm to be resolved. This is separate from the alarm’s ‘is-cleared’ leaf. |

Identities

| Name | Base | Description |
| --- | --- | --- |
| al:alarm-type-id |  | Base identity for alarm types. A unique identification of the alarm, not including the resource. Different resources can share alarm types. If the resource reports the same alarm type, it is considered to be the same alarm. The alarm type is a simplification of the different X.733 and 3GPP Alarm IRP correlation mechanisms, and it allows for hierarchical extensions. A string-based qualifier can be used in addition to the identity in order to have different alarm types based on information not known at design time, such as values in textual SNMP Notification varbinds. Standards and vendors can define sub-identities to clearly identify specific alarm types. This identity is abstract and MUST NOT be used for alarms. |
| alde:deprecated-configuration | alde:system | Usage of deprecated configuration |
| alde:expiry | alde:system | Expiry (i.e., expiration) of some resource has occurred or will soon occur |
| alde:external-service | al:alarm-type-id | Alarms related to usage of external services |
| alde:failed-authentication | alde:external-service | Authentication failed when establishing a connection to the external service |
| alde:failed-communication | alde:external-service | A failure to communicate with an external service |
| alde:failed-connection | alde:external-service | A failure to connect to an external service |
| alde:slow-connection | alde:external-service | Communication with the external service is slower than acceptable |
| alde:system | al:alarm-type-id | Alarms related to the internals of Curity |
| apps:apps-service | sc:profile-identity | The Applications service identity |
| as:authorization-actions.oauth | sc:authorization-actions | All OAuth-related actions that can be authorized by an authorization manager |
| as:authorization-actions.oauth.user-read | as:authorization-actions.oauth | The action that is used for all user read operations in the user info endpoint that an authorization manager may authorize |
| as:oauth-service | sc:profile-identity | The OAuth service identity |
| auth:authentication-service | sc:profile-identity | The Authentication service identity |
| base:assisted-token-endpoint-identity | base:flow-identity | This is the base identity for all assisted token endpoint flows |
| base:authorize-endpoint-identity | base:flow-identity | This is the base identity for all authorize endpoint flows |
| base:backchannel-authentication-identity | base:flow-identity | This is the base identity for backchannel authentication (CIBA) flow endpoints |
| base:device-authorization-identity | base:flow-identity | This is the base identity for device authorization flow endpoints |
| base:flow-identity |  | This is the base for all OAuth flows |
| base:introspect-endpoint-identity | base:flow-identity | This is the base identity for all introspection endpoint flows |
| base:oauth-assisted-token | base:assisted-token-endpoint-identity | The Assisted Token flow on the assisted token endpoint |
| base:oauth-authorize-authorization-code | base:authorize-endpoint-identity | The Authorization Code flow on the authorization endpoint |
| base:oauth-authorize-implicit | base:authorize-endpoint-identity | The Implicit flow on the authorization endpoint |
| base:oauth-backchannel-authentication | base:backchannel-authentication-identity | The backchannel authentication endpoint for initiating a CIBA flow |
| base:oauth-device-authorization | base:device-authorization-identity | The device code issuance flow of device verification |
| base:oauth-introspect | base:introspect-endpoint-identity | The introspect token flow on the introspection endpoint |
| base:oauth-introspect-application-jwt | base:introspect-endpoint-identity | The introspect token flow on the introspection endpoint (serving Content-Type ‘application/jwt’) |
| base:oauth-token-assertion | base:token-endpoint-identity | The Assertion grant type on the token endpoint |
| base:oauth-token-authorization-code | base:token-endpoint-identity | The Authorization Code grant type on the token endpoint |
| base:oauth-token-backchannel-authentication | base:token-endpoint-identity | The Backchannel Authentication (CIBA) grant type on the token endpoint |
| base:oauth-token-client-credentials | base:token-endpoint-identity | The Client Credentials grant type on the token endpoint |
| base:oauth-token-device-code | base:token-endpoint-identity | The Device Code grant type on the token endpoint |
| base:oauth-token-oauth-token-exchange | base:token-endpoint-identity | The OAuth 2.0 Token Exchange grant type on the token endpoint |
| base:oauth-token-pre-authorized-code | base:token-endpoint-identity | The Pre-Authorized Code grant type on the token endpoint |
| base:oauth-token-refresh | base:token-endpoint-identity | The Refresh Token grant type on the token endpoint |
| base:oauth-token-resource-owner-password-credentials | base:token-endpoint-identity | The OAuth Resource Owner Password Credentials grant type on the token endpoint |
| base:oauth-token-token-exchange | base:token-endpoint-identity | The Token Exchange grant type on the token endpoint |
| base:openid-authorize-hybrid | base:authorize-endpoint-identity | The Hybrid flow on the authorization endpoint |
| base:openid-session-logout | base:session-endpoint-identity | The Logout token flow on the session endpoint |
| base:openid-userinfo | base:userinfo-endpoint-identity | The UserInfo flow on the userinfo endpoint |
| base:session-endpoint-identity | base:flow-identity | This is the base identity for all session endpoint flows |
| base:token-endpoint-identity | base:flow-identity | This is the base identity for all token endpoint flows |
| base:userinfo-endpoint-identity | base:flow-identity | This is the base identity for all userinfo endpoint flows |
| base:verifiable-credential-endpoint-identity | base:flow-identity | This is the base identity for all verifiable credential issuance endpoint flows |
| base:verifiable-credential-issuance-jwt_vc_json | base:verifiable-credential-endpoint-identity | Verifiable credential issuance using the ‘jwt_vc_json’ format |
| base:verifiable-credential-issuance-vc_sd_jwt | base:verifiable-credential-endpoint-identity | Verifiable credential issuance using the ‘vc+sd-jwt’ format |
| sc:authorization-actions |  | All actions that can be authorized by an authorization manager |
| sc:profile-identity |  | This is the base identity for all profiles |
| si:saml-idp-service | sc:profile-identity | The SAML IDP service |
| um:authorization-actions.user-management | sc:authorization-actions | All user-management-related actions that can be authorized by an authorization manager |
| um:authorization-actions.user-management.admin | um:authorization-actions.user-management | The actions that an admin may perform in the user management service that an authorization manager may authorize |
| um:authorization-actions.user-management.admin.read | um:authorization-actions.user-management.admin | The action that is used for all read-only operations in the user management service that an authorization manager may authorize |
| um:authorization-actions.user-management.admin.write | um:authorization-actions.user-management.admin | The action that is used for all write operations in the user management service that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations | um:authorization-actions.user-management | The actions that may be performed in the delegations endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations.admin | um:authorization-actions.user-management.delegations | The actions that an admin may perform in the delegations endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations.admin.read | um:authorization-actions.user-management.delegations.admin | The action that is used for all admin read operations in the delegations endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations.admin.write | um:authorization-actions.user-management.delegations.admin | The action that is used for all admin write operations in the delegations endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations.user | um:authorization-actions.user-management.delegations | The action that is used for all read-only operations in the delegations endpoint service that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations.user.read | um:authorization-actions.user-management.delegations.user | The action that is used for all user read operations in the delegations endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.delegations.user.write | um:authorization-actions.user-management.delegations.user | The action that is used for all user write operations in the delegations endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.read | sc:authorization-actions | The action that is used for read-only operations for any type of user |
| um:authorization-actions.user-management.users | um:authorization-actions.user-management | The actions that may be performed in the users endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.users.admin | um:authorization-actions.user-management.users | The actions that an admin may perform in the users endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.users.admin.read | um:authorization-actions.user-management.users.admin | The action that is used for all admin read operations in the users endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.users.admin.write | um:authorization-actions.user-management.users.admin | The action that is used for all admin write operations in the users endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.users.user | um:authorization-actions.user-management.users | The action that is used for all read-only operations in the users endpoint service that an authorization manager may authorize |
| um:authorization-actions.user-management.users.user.read | um:authorization-actions.user-management.users.user | The action that is used for all user read operations in the users endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.users.user.write | um:authorization-actions.user-management.users.user | The action that is used for all user write operations in the users endpoint that an authorization manager may authorize |
| um:authorization-actions.user-management.write | sc:authorization-actions | The action that is used for write-only operations for any type of user |
| um:user-management-service | sc:profile-identity | The User Management service identity |
