allowed-key-management-algorithms
Algorithms supported to encrypt the content encryption key, present as ‘alg’ in JWE header
allowed-asymmetric-key-management-algorithms
allowed-content-encryption-algorithms
Supported content encryption algorithms, present as ‘enc’ in JWE header
any-scope-including-none
An empty string which can be helpful for defining ‘catch-all’ rules
resource
This is an identification of the alarming resource, such as an interface. It should be as fine-grained as possible to both guide the operator and guarantee uniqueness of the alarms. If the alarming resource is modeled in YANG, this type will be an instance-identifier. If the resource is an SNMP object, the type will be an ‘object-identifier’. If the resource is anything else, for example, a distinguished name or a Common Information Model (CIM) path, this type will be a string. If the alarming object is identified by a Universally Unique Identifier (UUID), use the uuid type. Be cautious when using this type, since a UUID is hard to use for an operator. If the server supports several models, the precedence should be in the order as given in the union definition.
resource-match
This type is used to match resources of type 'resource'. Since the type 'resource' is a union of different types, the 'resource-match' type is also a union of corresponding types.

If the type is given as an XPath 1.0 expression, a resource of type 'instance-identifier' matches if the instance is part of the node set that is the result of evaluating the XPath 1.0 expression. For example, the XPath 1.0 expression:

    /ietf-interfaces:interfaces/ietf-interfaces:interface[ietf-interfaces:type='ianaift:ethernetCsmacd']

would match the resource instance-identifier:

    /if:interfaces/if:interface[if:name='eth1']

assuming that the interface 'eth1' is of type 'ianaift:ethernetCsmacd'.

If the type is given as an object identifier, a resource of type 'object-identifier' matches if the match object identifier is a prefix of the resource's object identifier. For example, the value:

    1.3.6.1.2.1.2.2

would match the resource object identifier:

    1.3.6.1.2.1.2.2.1.1.5

If the type is given as a UUID or a string, it is interpreted as an XML Schema regular expression, which matches a resource of type 'yang:uuid' or 'string' if the given regular expression matches the resource string.

If the type is given as an XPath expression, it is evaluated in the following XPath context:

  o  The set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the 'namespace' statement in the YANG module. If a leaf of this type is encoded in XML, all namespace declarations in scope on the leaf element are added to the set of namespace declarations. If a prefix found in the XML is already present in the set of namespace declarations, the namespace in the XML is used.

  o  The set of variable bindings is empty.

  o  The function library is the core function library, and the functions are defined in Section 10 of RFC 7950.

  o  The context node is the root node in the data tree.
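The object-identifier and regular-expression branches of 'resource-match' are easy to get subtly wrong: an OID prefix is a prefix of the arc sequence, not of the dotted string, and an XML Schema regular expression is implicitly anchored to the whole value. The following is an added example (not code from the page or from the Curity product) that implements those two branches over the sample values given above; the XPath branch is left out because evaluating it requires the server's data tree. The function names and the use of Python's `re.fullmatch` as an approximation of XML Schema regex semantics are this example's own assumptions.

```python
import re
from typing import Tuple


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Split a dotted object identifier into its integer arcs."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def oid_prefix_match(match_oid: str, resource_oid: str) -> bool:
    """Match OID matches when its arcs are a prefix of the resource's arcs.

    Comparing arc tuples (not strings) is what prevents 1.3.6.1.2.1.2.2 from
    accidentally matching 1.3.6.1.2.1.2.22.1.
    """
    m, r = parse_oid(match_oid), parse_oid(resource_oid)
    return len(m) <= len(r) and r[: len(m)] == m


def regex_match(pattern: str, resource: str) -> bool:
    """XML Schema regexes match the whole value; re.fullmatch approximates that.

    Assumption: only the regex subset shared by XML Schema and Python is used.
    """
    return re.fullmatch(pattern, resource) is not None


def resource_matches(kind: str, match: str, resource: str) -> bool:
    """Dispatch on the union branch of 'resource-match' (hypothetical helper).

    kind is one of 'object-identifier', 'uuid' or 'string'; the
    'instance-identifier' (XPath) branch is not implemented here.
    """
    if kind == "object-identifier":
        return oid_prefix_match(match, resource)
    if kind in ("uuid", "string"):
        return regex_match(match, resource)
    raise ValueError(f"unsupported resource-match branch: {kind}")


if __name__ == "__main__":
    # The OID pair below is the example from the resource-match description;
    # the remaining values are constructed for this example.
    print(resource_matches("object-identifier", "1.3.6.1.2.1.2.2", "1.3.6.1.2.1.2.2.1.1.5"))
    print(resource_matches("object-identifier", "1.3.6.1.2.1.2.2", "1.3.6.1.2.1.2.22.1"))
    print(resource_matches("string", "eth[0-9]+", "eth1"))
    print(resource_matches("string", "eth[0-9]+", "xeth1y"))
```

The two negative cases are the ones a naive implementation (string `startswith`, `re.search`) would wrongly report as matches, which in an alarm-filtering context means an operator's rule silently applies to more resources than intended.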
alarm-text
The string used to inform operators about the alarm. This MUST contain enough information for an operator to be able to understand the problem and how to resolve it. If this string contains structure, this format should be clearly documented for programs to be able to parse that information.
severity
The severity level of the alarm. Note well that the value ‘clear’ is not included. Whether or not an alarm is cleared is a separate boolean flag.
severity-with-clear
The severity level of the alarm including clear. This is used only in notifications reporting state changes for an alarm.
writable-operator-state
Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm being resolved. This is separate from the alarm’s ‘is-cleared’ leaf.
operator-state
alarm-type-id
Identifies an alarm type. The description of the alarm type id MUST indicate whether or not the alarm type is abstract. An abstract alarm type is used as a base for other alarm type ids and will not be used as a value for an alarm or be present in the alarm inventory.
alarm-type-qualifier
If an alarm type cannot be fully specified at design time by ‘alarm-type-id’, this string qualifier is used in addition to fully define a unique alarm type. The definition of alarm qualifiers is considered to be part of the instrumentation and is out of scope for this module. An empty string is used when this is part of a key.
script
scope
endpoint-types
profile-type
base64-encoded-string
token-issuer-type
Defines the type of tokens this issuer produces (format)
token-purpose-type
token-credential-verifier-type
A type for a credential-verifier
jwt-algorithm
Available JWT signing algorithms (ref rfc7518, https://tools.ietf.org/html/rfc7518)
elliptic-curve-name
Supported elliptic curve names (see https://tools.ietf.org/html/rfc7518#section-3.4)
eddsa-curve-name
Supported EdDSA curve names (curves taken from supported algorithms, see https://tools.ietf.org/html/rfc8037#section-3.1)
culture
conf-timeout
Valid configuration operation timeout in seconds
token-time-to-live
A type that defines valid token time-to-live values
disablable-token-time-to-live
A type that defines token time-to-live values. If set to ‘disabled’, then the token type to which this setting refers will not be issued at all.
non-empty-string
attribute-path
attribute-name
system-access-token-claim-name
system-id-token-claim-name
system-user-info-endpoint-claim-name
system-wrapper-token-claim-name
delegation-claim-name
attribute-location
A location from where to retrieve or add attributes
asymmetric-key-type
al:alarm type id
al:alarm-type-id
Base identity for alarm types. A unique identification of the alarm, not including the resource. Different resources can share alarm types. If the resource reports the same alarm type, it is considered to be the same alarm. The alarm type is a simplification of the different X.733 and 3GPP Alarm IRP correlation mechanisms, and it allows for hierarchical extensions. A string-based qualifier can be used in addition to the identity in order to have different alarm types based on information not known at design time, such as values in textual SNMP Notification varbinds. Standards and vendors can define sub-identities to clearly identify specific alarm types. This identity is abstract and MUST NOT be used for alarms.
alde:external-service
Alarms related to usages of external services
alde:failed-communication
A failure to communicate with an external service
alde:failed-connection
A failure to connect to an external service
alde:slow-connection
Communication with the external service is slower than acceptable
alde:failed-authentication
Authentication failed when establishing a connection to the external service
alde:system
Alarms related to the internals of Curity
alde:expiry
Expiry (i.e., expiration) of some resource has or will soon occur
sc:profile identity
sc:profile-identity
This is the base identity for all profiles
apps:apps-service
The Applications service identity
auth:authentication-service
The Authentication service identity
um:user-management-service
The User Management service identity
as:oauth-service
The OAuth service identity
sc:authorization actions
sc:authorization-actions
All actions that can be authorized by an authorization manager
um:authorization-actions.user-management
All user-management-related actions that can be authorized by an authorization manager
um:authorization-actions.user-management.admin
The actions that an admin may perform in the user management service that an authorization manager may authorize
um:authorization-actions.user-management.admin.read
The action that is used for all read-only operations in the user management service that an authorization manager may authorize
um:authorization-actions.user-management.admin.write
The action that is used for all write operations in the user management service that an authorization manager may authorize
um:authorization-actions.user-management.delegations
The actions that may be performed in the delegations endpoint that an authorization manager may authorize
um:authorization-actions.user-management.delegations.admin
The actions that an admin may perform in the delegations endpoint that an authorization manager may authorize
um:authorization-actions.user-management.delegations.admin.write
The action that is used for all admin write operations in the delegations endpoint that an authorization manager may authorize
um:authorization-actions.user-management.delegations.admin.read
The action that is used for all admin read operations in the delegations endpoint that an authorization manager may authorize
um:authorization-actions.user-management.delegations.user
The action that is used for all read-only operations in the delegations endpoint service that an authorization manager may authorize
um:authorization-actions.user-management.delegations.user.read
The action that is used for all user read operations in the delegations endpoint that an authorization manager may authorize
um:authorization-actions.user-management.delegations.user.write
The action that is used for all user write operations in the delegations endpoint that an authorization manager may authorize
um:authorization-actions.user-management.users
The actions that may be performed in the users endpoint that an authorization manager may authorize
um:authorization-actions.user-management.users.admin
The actions that an admin may perform in the users endpoint that an authorization manager may authorize
um:authorization-actions.user-management.users.admin.write
The action that is used for all admin write operations in the users endpoint that an authorization manager may authorize
um:authorization-actions.user-management.users.admin.read
The action that is used for all admin read operations in the users endpoint that an authorization manager may authorize
um:authorization-actions.user-management.users.user
The action that is used for all read-only operations in the users endpoint service that an authorization manager may authorize
um:authorization-actions.user-management.users.user.read
The action that is used for all user read operations in the users endpoint that an authorization manager may authorize
um:authorization-actions.user-management.users.user.write
The action that is used for all user write operations in the users endpoint that an authorization manager may authorize
um:authorization-actions.user-management.read
The action that is used for read-only operations for any type of user
um:authorization-actions.user-management.write
The action that is used for write-only operations for any type of user
as:authorization-actions.oauth
All oauth-related actions that can be authorized by an authorization manager
as:authorization-actions.oauth.user-read
The action that is used for all user read operations in the user info endpoint that an authorization manager may authorize
base:flow identity
base:flow-identity
This is the base for all oauth flows
base:token-endpoint-identity
This is the base identity for all token endpoint flows
base:oauth-token-authorization-code
The Authorization Code flow grant type on the token endpoint
base:oauth-token-pre-authorized-code
The Pre-Authorized Code flow grant type on the token endpoint
base:oauth-token-client-credentials
The Client Credentials grant type on the token endpoint
base:oauth-token-refresh
The Refresh token grant type on the token endpoint
base:oauth-token-resource-owner-password-credentials
The OAuth Resource Owner Password credentials grant type on the token endpoint
base:oauth-token-token-exchange
The Token Exchange grant type on the token endpoint
base:oauth-token-oauth-token-exchange
The OAuth 2.0 Token Exchange grant type on the token endpoint
base:oauth-token-device-code
The Device Code grant type on the token endpoint
base:oauth-token-assertion
The Assertion grant type on the token endpoint
base:oauth-token-backchannel-authentication
The Backchannel Authentication (CIBA) grant type on the token endpoint
base:authorize-endpoint-identity
This is the base identity for all authorize endpoint flows
base:oauth-authorize-authorization-code
The Authorization Code flow on the authorization endpoint
base:oauth-authorize-implicit
The Implicit flow on the authorization endpoint
base:openid-authorize-hybrid
The Hybrid flow on the authorization endpoint
base:introspect-endpoint-identity
This is the base identity for all introspection endpoint flows
base:oauth-introspect
The introspect token flow on the introspection endpoint
base:oauth-introspect-application-jwt
The introspect token flow on the introspection endpoint (serving Content-Type ‘application/jwt’)
base:device-authorization-identity
This is the base identity for device authorization flow endpoints
base:oauth-device-authorization
The device code issuance flow of device verification
base:userinfo-endpoint-identity
This is the base identity for all userinfo endpoint flows
base:openid-userinfo
The UserInfo flow on the userinfo endpoint
base:verifiable-credential-endpoint-identity
This is the base identity for all verifiable credential issuance endpoint flows
base:verifiable-credential-issuance-jwt_vc_json
Verifiable credential issuance using the ‘jwt_vc_json’ format
base:verifiable-credential-issuance-vc_sd_jwt
Verifiable credential issuance using the ‘vc+sd-jwt’ format
base:assisted-token-endpoint-identity
This is the base identity for all assisted token endpoint flows
base:oauth-assisted-token
The Assisted token flow on the assisted token endpoint
base:session-endpoint-identity
This is the base identity for all the session endpoint flows
base:openid-session-logout
The Logout token flow on the session endpoint
base:backchannel-authentication-identity
This is the base identity for backchannel authentication (CIBA) flow endpoints
base:oauth-backchannel-authentication
The backchannel authentication endpoint for initiating a CIBA flow