Type Reference

Types

asymmetric-key-type
Base Type: enumeration
Values: rsa, elliptic-curve, dsa, eddsa

allowed-key-management-algorithms
Base Type: enumeration
Values: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW

Algorithms supported to encrypt the content encryption key, present as ‘alg’ in the JWE header

allowed-asymmetric-key-management-algorithms
Base Type: enumeration
Values: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW

Asymmetric algorithms supported to encrypt the content encryption key, present as ‘alg’ in the JWE header

allowed-content-encryption-algorithms
Base Type: enumeration
Values: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

Supported content encryption algorithms, present as ‘enc’ in the JWE header

resource

This is an identification of the alarming resource, such as an interface. It should be as fine-grained as possible to both guide the operator and guarantee uniqueness of the alarms. If the alarming resource is modeled in YANG, this type will be an instance-identifier. If the resource is an SNMP object, the type will be an ‘object-identifier’. If the resource is anything else, for example, a distinguished name or a Common Information Model (CIM) path, this type will be a string. If the alarming object is identified by a Universally Unique Identifier (UUID), use the uuid type. Be cautious when using this type, since a UUID is hard to use for an operator. If the server supports several models, the precedence should be in the order as given in the union definition.

resource-match

This type is used to match resources of type ‘resource’. Since the type ‘resource’ is a union of different types, the ‘resource-match’ type is also a union of corresponding types.

If the type is given as an XPath 1.0 expression, a resource of type ‘instance-identifier’ matches if the instance is part of the node set that is the result of evaluating the XPath 1.0 expression. For example, the XPath 1.0 expression /ietf-interfaces:interfaces/ietf-interfaces:interface[ietf-interfaces:type=’ianaift:ethernetCsmacd’] would match the resource instance-identifier /if:interfaces/if:interface[if:name=’eth1’], assuming that the interface ‘eth1’ is of type ‘ianaift:ethernetCsmacd’.

If the type is given as an object identifier, a resource of type ‘object-identifier’ matches if the match object identifier is a prefix of the resource’s object identifier. For example, the value 1.3.6.1.2.1.2.2 would match the resource object identifier 1.3.6.1.2.1.2.2.1.1.5.

If the type is given as a UUID or a string, it is interpreted as an XML Schema regular expression, which matches a resource of type ‘yang:uuid’ or ‘string’ if the given regular expression matches the resource string.

If the type is given as an XPath expression, it is evaluated in the following XPath context:

o The set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the ‘namespace’ statement in the YANG module. If a leaf of this type is encoded in XML, all namespace declarations in scope on the leaf element are added to the set of namespace declarations. If a prefix found in the XML is already present in the set of namespace declarations, the namespace in the XML is used.
o The set of variable bindings is empty.
o The function library is the core function library, and the functions are defined in Section 10 of RFC 7950.
o The context node is the root node in the data tree.
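The matching rules above, as an added example that is not part of this type reference or of the ietf-alarms module: a small Python implementation of the object-identifier and regular-expression branches of ‘resource-match’, applied to a set of constructed alarm records. The XPath branch is only recognised and skipped, since evaluating an XPath 1.0 expression needs the server’s YANG data tree. The helper names (classify, oid_prefix_match, xsd_regex_match, resource_matches, select_alarms), the SAMPLE_ALARMS records and the two classification patterns are assumptions of this example, and Python’s re module stands in for the XML Schema regular-expression dialect.

```python
import re

# Patterns used to decide which member of the union a value belongs to.
# Both are assumptions of this example, not definitions from the module.
_OID_RE = re.compile(r"\d+(\.\d+)*")
_UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def classify(value: str) -> str:
    """Return the union member a value is taken to be (hypothetical helper).

    The order follows the precedence given in the ‘resource’ description:
    instance-identifier, object-identifier, uuid, then string.
    """
    if value.startswith("/"):
        return "instance-identifier"  # an XPath / instance-identifier value
    if _OID_RE.fullmatch(value):
        return "object-identifier"
    if _UUID_RE.fullmatch(value):
        return "uuid"
    return "string"


def oid_prefix_match(match_oid: str, resource_oid: str) -> bool:
    """Component-wise prefix test.

    Comparing the dotted strings would wrongly let 1.3.6.1.2.1.2.2 match
    1.3.6.1.2.1.2.22..., so the arcs are compared one by one.
    """
    match_arcs = match_oid.split(".")
    resource_arcs = resource_oid.split(".")
    return (
        len(match_arcs) <= len(resource_arcs)
        and resource_arcs[: len(match_arcs)] == match_arcs
    )


def xsd_regex_match(pattern: str, resource: str) -> bool:
    """XML Schema regular expressions are implicitly anchored, so the whole
    resource string must match; Python's re approximates the XSD dialect."""
    return re.fullmatch(pattern, resource) is not None


def resource_matches(match_value: str, resource: str) -> bool:
    """Apply the ‘resource-match’ rules for the OID and regex branches."""
    match_kind = classify(match_value)
    if match_kind == "instance-identifier":
        # Needs the server's data tree and XPath context; out of scope here.
        raise NotImplementedError("XPath branch requires the YANG data tree")
    if match_kind == "object-identifier":
        # An OID match value only ever matches object-identifier resources.
        return classify(resource) == "object-identifier" and oid_prefix_match(
            match_value, resource
        )
    # A uuid or string match value is a regular expression that is only
    # applied to resources of type yang:uuid or string.
    return classify(resource) in ("uuid", "string") and xsd_regex_match(
        match_value, resource
    )


# Constructed alarm records for the example; not taken from the page.
SAMPLE_ALARMS = [
    {"resource": "1.3.6.1.2.1.2.2.1.1.5", "alarm-text": "link down on ifIndex 5"},
    {"resource": "1.3.6.1.2.1.2.22.1.1.5", "alarm-text": "unrelated subtree"},
    {"resource": "eth1", "alarm-text": "rx errors on eth1"},
    {"resource": "eth1-backup", "alarm-text": "rx errors on eth1-backup"},
    {"resource": "/if:interfaces/if:interface[if:name='eth1']",
     "alarm-text": "YANG-modelled alarm"},
]


def select_alarms(match_value: str, alarms: list) -> list:
    """Return the alarm-text of every alarm whose resource matches."""
    selected = []
    for alarm in alarms:
        try:
            if resource_matches(match_value, alarm["resource"]):
                selected.append(alarm["alarm-text"])
        except NotImplementedError:
            continue  # XPath match values are skipped in this offline example
    return selected


if __name__ == "__main__":
    for rule in ("1.3.6.1.2.1.2.2", "eth[0-9]+", ".*"):
        print(rule, "->", select_alarms(rule, SAMPLE_ALARMS))
```

The two pitfalls the code guards against are the ones a naive implementation gets wrong: an OID prefix must be compared arc by arc, and an XML Schema regular expression matches the whole value, so eth[0-9]+ selects eth1 but not eth1-backup.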

alarm-text
Base Type: string

The string used to inform operators about the alarm. This MUST contain enough information for an operator to be able to understand the problem and how to resolve it. If this string contains structure, this format should be clearly documented for programs to be able to parse that information.

severity
Base Type: enumeration
Values: indeterminate, warning, minor, major, critical

The severity level of the alarm. Note well that the value ‘clear’ is not included. Whether or not an alarm is cleared is a separate boolean flag.

severity-with-clear

The severity level of the alarm including clear. This is used only in notifications reporting state changes for an alarm.

writable-operator-state
Base Type: enumeration
Values: none, ack, closed

Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm to be resolved. This is separate from the alarm’s ‘is-cleared’ leaf.

operator-state

Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm to be resolved. This is separate from the alarm’s ‘is-cleared’ leaf.

alarm-type-id

Identifies an alarm type. The description of the alarm type id MUST indicate whether or not the alarm type is abstract. An abstract alarm type is used as a base for other alarm type ids and will not be used as a value for an alarm or be present in the alarm inventory.

alarm-type-qualifier
Base Type: string

If an alarm type cannot be fully specified at design time by ‘alarm-type-id’, this string qualifier is used in addition to fully define a unique alarm type. The definition of alarm qualifiers is considered to be part of the instrumentation and is out of scope for this module. An empty string is used when this is part of a key.

any-scope-including-none

An empty string which can be helpful for defining ‘catch-all’ rules

script
Base Type: string

scope

endpoint-types
Base Type: enumeration
Values: oauth-token, oauth-authorize, oauth-revoke, oauth-introspect, oauth-assisted-token, oauth-anonymous, oauth-userinfo, oauth-dynamic-client-registration, oauth-device-authorization, oauth-session, oauth-backchannel-authentication, oauth-client-graphql-api, oauth-verifiable-credential, auth-authentication, auth-registration, auth-anonymous, um-api, um-graphql-api, apps-anonymous

profile-type

base64-encoded-string

token-issuer-type
Base Type: enumeration
Values: jwt, opaque, wrapped-opaque, sd-jwt

Defines the type of tokens this issuer produces (format)

token-purpose-type
Base Type: enumeration
Values: access_token, refresh_token, id_token, nonce, generic, userinfo, verifiable_credential

token-credential-verifier-type
Base Type: enumeration
Values: static, sql, ldap

A type for a credential-verifier

jwt-algorithm
Base Type: enumeration
Values: RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, EdDSA

Available JWT signing algorithms (see RFC 7518, https://tools.ietf.org/html/rfc7518)

elliptic-curve-name
Base Type: enumeration
Values: P-256, P-384, P-521

Supported elliptic curve names (see https://tools.ietf.org/html/rfc7518#section-3.4)

eddsa-curve-name
Base Type: enumeration
Values: Ed25519, Ed448

Supported EdDSA curve names (curves taken from supported algorithms, see https://tools.ietf.org/html/rfc8037#section-3.1)

culture
Base Type: enumeration
Values: sv-SE, en-US, en-GB

conf-timeout
Base Type: uint8
Values: 1 to 20

Valid configuration operation timeout in seconds

token-time-to-live
Base Type: uint32
Values: 10 to 4294967295

A type that defines valid token time-to-live values

disablable-token-time-to-live

A type that defines token time-to-live values. If set to ‘disabled’, then the token type to which this setting refers will not be issued at all.

non-empty-string

attribute-path

attribute-name

system-access-token-claim-name
Base Type: enumeration
Values: aud, client_id, delegationId, exp, iat, iss, nbf, scope, sub, purpose, cnf, jti, dcrm_client, authorization_details

system-id-token-claim-name
Base Type: enumeration
Values: iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose

system-user-info-endpoint-claim-name
Base Type: enumeration
Values: sub

system-wrapper-token-claim-name
Base Type: enumeration
Values: iss, iat, exp, azp, jti, aud

delegation-claim-name
Base Type: enumeration
Values: owner, created, expires, scope, claims, clientId, redirectUri, status, authorizationCodeHash, authenticationAttributes, requestedClaims, mtlsClientCertificate, mtlsClientCertificateThumbprintS256, mtlsClientCertificateDN

attribute-location
Base Type: enumeration
Values: subject-attributes, context-attributes, action-attributes

A location from where to retrieve or add attributes

Identities

base:flow identity

base:flow-identity

This is the base for all oauth flows

base:token-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all token endpoint flows

base:oauth-token-authorization-code
Base Type: base:token-endpoint-identity

The Authorization Code flow grant type on the token endpoint

base:oauth-token-pre-authorized-code
Base Type: base:token-endpoint-identity

The Pre-Authorized Code flow grant type on the token endpoint

base:oauth-token-client-credentials
Base Type: base:token-endpoint-identity

The Client Credentials grant type on the token endpoint

base:oauth-token-refresh
Base Type: base:token-endpoint-identity

The Refresh token grant type on the token endpoint

base:oauth-token-resource-owner-password-credentials
Base Type: base:token-endpoint-identity

The OAuth Resource Owner Password credentials grant type on the token endpoint

base:oauth-token-token-exchange
Base Type: base:token-endpoint-identity

The Token Exchange grant type on the token endpoint

base:oauth-token-oauth-token-exchange
Base Type: base:token-endpoint-identity

The OAuth 2.0 Token Exchange grant type on the token endpoint

base:oauth-token-device-code
Base Type: base:token-endpoint-identity

The Device Code grant type on the token endpoint

base:oauth-token-assertion
Base Type: base:token-endpoint-identity

The Assertion grant type on the token endpoint

base:oauth-token-backchannel-authentication
Base Type: base:token-endpoint-identity

The Backchannel Authentication (CIBA) grant type on the token endpoint

base:authorize-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all authorize endpoint flows

base:oauth-authorize-authorization-code
Base Type: base:authorize-endpoint-identity

The Authorization Code flow on the authorization endpoint

base:oauth-authorize-implicit
Base Type: base:authorize-endpoint-identity

The Implicit flow on the authorization endpoint

base:openid-authorize-hybrid
Base Type: base:authorize-endpoint-identity

The Hybrid flow on the authorization endpoint

base:introspect-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all introspection endpoint flows

base:oauth-introspect
Base Type: base:introspect-endpoint-identity

The introspect token flow on the introspection endpoint

base:oauth-introspect-application-jwt
Base Type: base:introspect-endpoint-identity

The introspect token flow on the introspection endpoint (serving Content-Type ‘application/jwt’)

base:device-authorization-identity
Base Type: base:flow-identity

This is the base identity for device authorization flow endpoints

base:oauth-device-authorization
Base Type: base:device-authorization-identity

The device code issuance flow of device verification

base:userinfo-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all userinfo endpoint flows

base:openid-userinfo
Base Type: base:userinfo-endpoint-identity

The UserInfo flow on the userinfo endpoint

base:verifiable-credential-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all verifiable credential issuance endpoint flows

base:verifiable-credential-issuance-jwt_vc_json
Base Type: base:verifiable-credential-endpoint-identity

Verifiable credential issuance using the ‘jwt_vc_json’ format

base:verifiable-credential-issuance-vc_sd_jwt
Base Type: base:verifiable-credential-endpoint-identity

Verifiable credential issuance using the ‘vc+sd-jwt’ format

base:assisted-token-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all assisted token endpoint flows

base:oauth-assisted-token
Base Type: base:assisted-token-endpoint-identity

The Assisted token flow on the assisted token endpoint

base:session-endpoint-identity
Base Type: base:flow-identity

This is the base identity for all the session endpoint flows

base:openid-session-logout
Base Type: base:session-endpoint-identity

The Logout token flow on the session endpoint

base:backchannel-authentication-identity
Base Type: base:flow-identity

This is the base identity for backchannel authentication (CIBA) flow endpoints

base:oauth-backchannel-authentication
Base Type: base:backchannel-authentication-identity

The backchannel authentication endpoint for initiating a CIBA flow

al:alarm type id

al:alarm-type-id

Base identity for alarm types. A unique identification of the alarm, not including the resource. Different resources can share alarm types. If the resource reports the same alarm type, it is considered to be the same alarm. The alarm type is a simplification of the different X.733 and 3GPP Alarm IRP correlation mechanisms, and it allows for hierarchical extensions. A string-based qualifier can be used in addition to the identity in order to have different alarm types based on information not known at design time, such as values in textual SNMP Notification varbinds. Standards and vendors can define sub-identities to clearly identify specific alarm types. This identity is abstract and MUST NOT be used for alarms.

alde:external-service
Base Type: al:alarm-type-id

Alarms related to usages of external services

alde:failed-communication
Base Type: alde:external-service

A failure to communicate with an external service

alde:failed-connection
Base Type: alde:external-service

A failure to connect to an external service

alde:slow-connection
Base Type: alde:external-service

Communication with the external service is slower than acceptable

alde:failed-authentication
Base Type: alde:external-service

Authentication failed when establishing a connection to the external service

alde:system
Base Type: al:alarm-type-id

Alarms related to the internals of Curity

alde:expiry
Base Type: alde:system

Expiry (i.e., expiration) of some resource has occurred or will soon occur

sc:profile identity

sc:profile-identity

This is the base identity for all profiles

auth:authentication-service
Base Type: sc:profile-identity

The Authentication service identity

as:oauth-service
Base Type: sc:profile-identity

The OAuth service identity

um:user-management-service
Base Type: sc:profile-identity

The User Management service identity

apps:apps-service
Base Type: sc:profile-identity

The Applications service identity

sc:authorization actions

sc:authorization-actions

All actions that can be authorized by an authorization manager

as:authorization-actions.oauth
Base Type: sc:authorization-actions

All oauth-related actions that can be authorized by an authorization manager

as:authorization-actions.oauth.user-read
Base Type: as:authorization-actions.oauth

The action that is used for all user read operations in the user info endpoint that an authorization manager may authorize

um:authorization-actions.user-management
Base Type: sc:authorization-actions

All user-management-related actions that can be authorized by an authorization manager

um:authorization-actions.user-management.admin
Base Type: um:authorization-actions.user-management

The actions that an admin may perform in the user management service that an authorization manager may authorize

um:authorization-actions.user-management.admin.read
Base Type: um:authorization-actions.user-management.admin

The action that is used for all read-only operations in the user management service that an authorization manager may authorize

um:authorization-actions.user-management.admin.write
Base Type: um:authorization-actions.user-management.admin

The action that is used for all write operations in the user management service that an authorization manager may authorize

um:authorization-actions.user-management.delegations
Base Type: um:authorization-actions.user-management

The actions that may be performed in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.admin
Base Type: um:authorization-actions.user-management.delegations

The actions that an admin may perform in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.admin.write
Base Type: um:authorization-actions.user-management.delegations.admin

The action that is used for all admin write operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.admin.read
Base Type: um:authorization-actions.user-management.delegations.admin

The action that is used for all admin read operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.user
Base Type: um:authorization-actions.user-management.delegations

The action that is used for all read-only operations in the delegations endpoint service that an authorization manager may authorize

um:authorization-actions.user-management.delegations.user.read
Base Type: um:authorization-actions.user-management.delegations.user

The action that is used for all user read operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.user.write
Base Type: um:authorization-actions.user-management.delegations.user

The action that is used for all user write operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users
Base Type: um:authorization-actions.user-management

The actions that may be performed in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.admin
Base Type: um:authorization-actions.user-management.users

The actions that an admin may perform in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.admin.write
Base Type: um:authorization-actions.user-management.users.admin

The action that is used for all admin write operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.admin.read
Base Type: um:authorization-actions.user-management.users.admin

The action that is used for all admin read operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.user
Base Type: um:authorization-actions.user-management.users

The action that is used for all read-only operations in the users endpoint service that an authorization manager may authorize

um:authorization-actions.user-management.users.user.read
Base Type: um:authorization-actions.user-management.users.user

The action that is used for all user read operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.user.write
Base Type: um:authorization-actions.user-management.users.user

The action that is used for all user write operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.read
Base Type: sc:authorization-actions

The action that is used for read-only operations for any type of user

um:authorization-actions.user-management.write
Base Type: sc:authorization-actions

The action that is used for write-only operations for any type of user