diff --git a/services/keycloak/lagoon-realm-2.16.0.json b/services/keycloak/lagoon-realm-2.16.0.json index 5ddf6c58db..02fc0556a3 100644 --- a/services/keycloak/lagoon-realm-2.16.0.json +++ b/services/keycloak/lagoon-realm-2.16.0.json @@ -40,6 +40,32 @@ "failureFactor": 30, "roles": { "realm": [ + { + "name": "default-roles-lagoon", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "attributes": {} + }, + { + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "attributes": {} + }, { "name": "admin", "composite": true, @@ -107,12 +133,6 @@ "clientRole": false, "attributes": {} }, - { - "name": "guest", - "composite": false, - "clientRole": false, - "attributes": {} - }, { "name": "uma_authorization", "description": "${role_uma_authorization}", 
@@ -121,102 +141,67 @@ "attributes": {} }, { - "name": "default-roles-lagoon", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "offline_access", - "uma_authorization" - ], - "client": { - "account": [ - "view-profile", - "manage-account" - ] - } - }, + "name": "guest", + "composite": false, "clientRole": false, "attributes": {} } ], "client": { + "lagoon-opendistro-security": [], "realm-management": [ { - "name": "view-realm", - "description": "${role_view-realm}", + "name": "query-realms", + "description": "${role_query-realms}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "realm-admin", - "description": "${role_realm-admin}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "view-realm", - "impersonation", - "manage-events", - "query-users", - "view-authorization", - "manage-clients", - "view-events", - "view-users", - "query-groups", - "view-identity-providers", - "view-clients", - "query-clients", - "manage-realm", - "manage-authorization", - "manage-users", - "manage-identity-providers", - "query-realms", - "create-client" - ] - } - }, + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, "clientRole": true, "attributes": {} }, { - "name": "impersonation", - "description": "${role_impersonation}", + "name": "view-realm", + "description": "${role_view-realm}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-events", - "description": "${role_manage-events}", + "name": "create-client", + "description": "${role_create-client}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "query-users", - "description": "${role_query-users}", + "name": "manage-authorization", + "description": "${role_manage-authorization}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "uma_protection", + "name": "manage-clients", + "description": "${role_manage-clients}", 
"composite": false, "clientRole": true, "attributes": {} }, { - "name": "view-authorization", - "description": "${role_view-authorization}", + "name": "query-groups", + "description": "${role_query-groups}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-clients", - "description": "${role_manage-clients}", + "name": "view-authorization", + "description": "${role_view-authorization}", "composite": false, "clientRole": true, "attributes": {} @@ -229,23 +214,15 @@ "attributes": {} }, { - "name": "view-users", - "description": "${role_view-users}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-groups", - "query-users" - ] - } - }, + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, "clientRole": true, "attributes": {} }, { - "name": "query-groups", - "description": "${role_query-groups}", + "name": "query-users", + "description": "${role_query-users}", "composite": false, "clientRole": true, "attributes": {} 
@@ -272,91 +249,138 @@ "attributes": {} }, { - "name": "query-clients", - "description": "${role_query-clients}", + "name": "impersonation", + "description": "${role_impersonation}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-realm", - "description": "${role_manage-realm}", + "name": "manage-events", + "description": "${role_manage-events}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-authorization", - "description": "${role_manage-authorization}", + "name": "manage-realm", + "description": "${role_manage-realm}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-identity-providers", - "description": "${role_manage-identity-providers}", + "name": "manage-users", + "description": "${role_manage-users}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-users", - "description": "${role_manage-users}", - "composite": false, + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "view-realm", + "impersonation", + "manage-events", + "query-users", + "view-authorization", + "manage-clients", + "view-events", + "view-users", + "query-groups", + "view-identity-providers", + "view-clients", + "query-clients", + "manage-realm", + "manage-authorization", + "manage-users", + "manage-identity-providers", + "query-realms", + "create-client" + ] + } + }, "clientRole": true, "attributes": {} }, { - "name": "query-realms", - "description": "${role_query-realms}", - "composite": false, + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, "clientRole": true, "attributes": {} - }, + } + ], + "security-admin-console": [], + "auth-server": [], + "admin-cli": [], + "lagoon-opensearch-sync": [], + "account-console": [], + "api": [ { - 
"name": "create-client", - "description": "${role_create-client}", + "name": "uma_protection", "composite": false, "clientRole": true, "attributes": {} } ], - "account": [ + "broker": [ { - "name": "view-groups", - "description": "${role_view-groups}", + "name": "read-token", + "description": "${role_read-token}", "composite": false, "clientRole": true, "attributes": {} - }, + } + ], + "account": [ { - "name": "view-applications", - "description": "${role_view-applications}", + "name": "manage-account-links", + "description": "${role_manage-account-links}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-account-links", - "description": "${role_manage-account-links}", + "name": "view-profile", + "description": "${role_view-profile}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-consent", - "description": "${role_manage-consent}", + "name": "manage-account", + "description": "${role_manage-account}", "composite": true, "composites": { "client": { "account": [ - "view-consent" + "manage-account-links" ] } }, "clientRole": true, "attributes": {} }, + { + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "attributes": {} + }, { "name": "view-consent", "description": "${role_view-consent}", @@ -365,20 +389,20 @@ "attributes": {} }, { - "name": "view-profile", - "description": "${role_view-profile}", + "name": "delete-account", + "description": "${role_delete-account}", "composite": false, "clientRole": true, "attributes": {} }, { - "name": "manage-account", - "description": "${role_manage-account}", + "name": "manage-consent", + "description": "${role_manage-consent}", "composite": true, "composites": { "client": { "account": [ - "manage-account" + "view-consent" ] } }, 
@@ -386,13 +410,15 @@ "attributes": {} }, { - "name": "delete-account", - "description": "${role_delete-account}", + "name": "view-groups", + "description": "${role_view-groups}", "composite": false, "clientRole": true, "attributes": {} } - ] + ], + "lagoon-ui": [], + "service-api": [] } }, "defaultRole": { @@ -438,6 +464,74 @@ "webAuthnPolicyPasswordlessCreateTimeout": 0, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "username": "service-account-api", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "api", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-lagoon" + ], + "clientRoles": { + "api": [ + "uma_protection" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "username": "service-account-auth-server", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "auth-server", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-lagoon" + ], + "notBefore": 0, + "groups": [] + }, + { + "username": "service-account-lagoon-opensearch-sync", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "lagoon-opensearch-sync", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-lagoon" + ], + "clientRoles": { + "realm-management": [ + "query-groups" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "username": "service-account-service-api", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "service-api", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-lagoon" + ], + "notBefore": 0, + "groups": [] + } + ], "scopeMappings": [ { "clientScope": "offline_access", 
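Review bot: The four service-account users added in the `"users"` hunk all carry `"realmRoles": ["default-roles-lagoon"]`, and that composite (defined earlier in this file) expands to `offline_access`, `uma_authorization` and the account client's `view-profile`/`manage-account`, none of which a headless client-credentials identity needs; only `service-account-lagoon-opensearch-sync` (realm-management `query-groups`) and `service-account-api` (`uma_protection`) get the narrow client roles that actually justify their existence. Keycloak assigns the realm default role to service-account users when it creates them, so simply dropping the entry from this export is unlikely to stick after import; the least-privilege fix is to decide whether `offline_access` belongs in the realm default role at all, or to state in the commit message that these accounts intentionally keep it. The `auth-server` and `service-api` accounts have no `clientRoles` block, which looks deliberate but is worth a sentence in the PR description so the next reviewer does not add one "for consistency".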
@@ -469,7 +563,9 @@ "redirectUris": [ "/realms/lagoon/account/*" ], - "webOrigins": [], + "webOrigins": [ + "*" + ], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -486,8 +582,8 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ @@ -509,7 +605,9 @@ "redirectUris": [ "/realms/lagoon/account/*" ], - "webOrigins": [], + "webOrigins": [ + "*" + ], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -537,8 +635,8 @@ ], "defaultClientScopes": [ "web-origins", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ @@ -556,7 +654,9 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [], - "webOrigins": [], + "webOrigins": [ + "*" + ], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -573,8 +673,8 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ @@ -591,7 +691,9 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [], - "webOrigins": [], + "webOrigins": [ + "*" + ], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -650,8 +752,8 @@ ], "defaultClientScopes": [ "web-origins", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ 
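Review bot: The four `"webOrigins": []` to `"webOrigins": ["*"]` changes in these hunks enable wildcard CORS on the affected clients, so a page on any origin can drive the token, userinfo and account endpoints with them, and the `web-origins` entry in the same `defaultClientScopes` lists is what carries that list into the token's `allowed-origins` claim. Two of the clients are confidential (`"clientAuthenticatorType": "client-secret"`) with `"redirectUris": []`, so they have no browser flow that needs CORS at all, and the other two only redirect to `/realms/lagoon/account/*`. If this is an artefact of re-exporting a running realm rather than a deliberate change, revert the confidential clients to `"webOrigins": []` and use `"webOrigins": ["+"]` (same origins as the redirect URIs) or an explicit Lagoon UI origin for the account clients. The client objects start and end outside these hunks, so their `clientId` values are not visible here.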
@@ -665,161 +767,119 @@ "policyEnforcementMode": "ENFORCING", "resources": [ { - "name": "openshift", + "name": "env_var", "ownerManagedAccess": false, - "displayName": "openshift", + "displayName": "env_var", "attributes": {}, "uris": [], "scopes": [ { - "name": "add" + "name": "environment:delete:production" }, { - "name": "view" + "name": "environment:viewValue:development" }, { - "name": "view:token" + "name": "environment:add:development" }, { - "name": "update" + "name": "project:delete" }, { - "name": "viewAll" + "name": "delete" }, { - "name": "deleteAll" + "name": "environment:viewValue:production" }, { - "name": "delete" - } - ] - }, - { - "name": "ssh_key", - "ownerManagedAccess": false, - "displayName": "ssh_key", - "attributes": {}, - "uris": [], - "scopes": [ - { - "name": "add" + "name": "environment:add:production" }, { - "name": "removeAll" + "name": "project:add" }, { - "name": "update" + "name": "environment:delete:development" }, { - "name": "deleteAll" + "name": "environment:view:production" }, { - "name": "view:user" + "name": "project:viewValue" }, { - "name": "delete" + "name": "environment:view:development" }, { - "name": "view:project" + "name": "project:view" } ] }, { - "name": "backup", + "name": "project", "ownerManagedAccess": false, - "displayName": "backup", + "displayName": "project", "attributes": {}, "uris": [], "scopes": [ { - "name": "add" + "name": "addNotification" }, { - "name": "view" + "name": "add" }, { - "name": "deleteAll" + "name": "removeNotification" }, { - "name": "delete" - } - ] - }, - { - "name": "harbor_scan_match", - "ownerManagedAccess": false, - "displayName": "Harbor scan match", - "attributes": {}, - "uris": [], - "scopes": [ + "name": "view" + }, { - "name": "add" + "name": "removeGroup" }, { - "name": "view" + "name": "update" }, { - "name": "delete" - } - ] - }, - { - "name": "deployment", - "ownerManagedAccess": false, - "displayName": "deployment", - "attributes": {}, - "uris": [], - "scopes": [ + 
"name": "viewAll" + }, { - "name": "view" + "name": "deleteAll" }, { - "name": "cancel" + "name": "delete" }, { - "name": "update" + "name": "viewPrivateKey" }, { - "name": "delete" + "name": "addGroup" } ] }, { - "name": "advanced_task", + "name": "group", "ownerManagedAccess": false, - "displayName": "advanced_task", + "displayName": "group", "attributes": {}, "uris": [], "scopes": [ { - "name": "invoke:developer" + "name": "addUser" }, { - "name": "invoke:guest" + "name": "add" }, { - "name": "delete:advanced" + "name": "removeUser" }, { - "name": "create:advanced" + "name": "update" }, { - "name": "invoke:maintainer" - } - ] - }, - { - "name": "problem", - "ownerManagedAccess": false, - "displayName": "problem", - "attributes": {}, - "uris": [], - "scopes": [ - { - "name": "add" + "name": "viewAll" }, { - "name": "view" + "name": "deleteAll" }, { "name": "delete" 
@@ -827,104 +887,44 @@ ] }, { - "name": "environment", + "name": "harbor_scan_match", "ownerManagedAccess": false, - "displayName": "environment", + "displayName": "Harbor scan match", "attributes": {}, "uris": [], "scopes": [ { - "name": "deploy:production" - }, - { - "name": "addOrUpdate:production" - }, - { - "name": "viewAll" - }, - { - "name": "storage" - }, - { - "name": "deleteAll" - }, - { - "name": "addOrUpdate:development" - }, - { - "name": "update:development" - }, - { - "name": "ssh:development" - }, - { - "name": "delete:development" + "name": "add" }, { "name": "view" }, { - "name": "deploy:development" - }, - { - "name": "deleteNoExec" - }, - { - "name": "ssh:production" - }, - { - "name": "delete:production" - }, - { - "name": "update:production" + "name": "delete" } ] }, { - "name": "env_var", + "name": "advanced_task", "ownerManagedAccess": false, - "displayName": "env_var", + "displayName": "advanced_task", "attributes": {}, "uris": [], "scopes": [ { - "name": "environment:delete:production" - }, - { - "name": "environment:viewValue:development" - }, - { - "name": "environment:add:development" - }, - { - "name": "project:delete" - }, - { - "name": "delete" - }, - { - "name": "environment:viewValue:production" - }, - { - "name": "environment:add:production" - }, - { - "name": "project:add" - }, - { - "name": "environment:delete:development" + "name": "invoke:developer" }, { - "name": "environment:view:production" + "name": "invoke:guest" }, { - "name": "project:viewValue" + "name": "delete:advanced" }, { - "name": "environment:view:development" + "name": "create:advanced" }, { - "name": "project:view" + "name": "invoke:maintainer" } ] }, @@ -1016,9 +1016,9 @@ ] }, { - "name": "user", + "name": "notification", "ownerManagedAccess": false, - "displayName": "user", + "displayName": "notification", "attributes": {}, "uris": [], "scopes": [ 
@@ -1026,13 +1026,13 @@ "name": "add" }, { - "name": "getBySshKey" + "name": "removeAll" }, { - "name": "update" + "name": "view" }, { - "name": "viewAll" + "name": "update" }, { "name": "deleteAll" @@ -1043,9 +1043,9 @@ ] }, { - "name": "fact", + "name": "backup", "ownerManagedAccess": false, - "displayName": "fact", + "displayName": "backup", "attributes": {}, "uris": [], "scopes": [ @@ -1055,43 +1055,97 @@ { "name": "view" }, + { + "name": "deleteAll" + }, { "name": "delete" } ] }, { - "name": "Default Resource", - "type": "urn:api:resources:default", - "ownerManagedAccess": false, - "attributes": {}, - "uris": [ - "/*" - ] - }, - { - "name": "project", + "name": "fact", "ownerManagedAccess": false, - "displayName": "project", + "displayName": "fact", "attributes": {}, "uris": [], "scopes": [ - { - "name": "addNotification" - }, { "name": "add" }, - { - "name": "removeNotification" - }, { "name": "view" }, { - "name": "removeGroup" - }, - { + "name": "delete" + } + ] + }, + { + "name": "deployment", + "ownerManagedAccess": false, + "displayName": "deployment", + "attributes": {}, + "uris": [], + "scopes": [ + { + "name": "view" + }, + { + "name": "cancel" + }, + { + "name": "update" + }, + { + "name": "delete" + } + ] + }, + { + "name": "ssh_key", + "ownerManagedAccess": false, + "displayName": "ssh_key", + "attributes": {}, + "uris": [], + "scopes": [ + { + "name": "add" + }, + { + "name": "removeAll" + }, + { + "name": "update" + }, + { + "name": "deleteAll" + }, + { + "name": "view:user" + }, + { + "name": "delete" + }, + { + "name": "view:project" + } + ] + }, + { + "name": "user", + "ownerManagedAccess": false, + "displayName": "user", + "attributes": {}, + "uris": [], + "scopes": [ + { + "name": "add" + }, + { + "name": "getBySshKey" + }, + { "name": "update" }, { 
@@ -1102,15 +1156,90 @@ }, { "name": "delete" + } + ] + }, + { + "name": "problem", + "ownerManagedAccess": false, + "displayName": "problem", + "attributes": {}, + "uris": [], + "scopes": [ + { + "name": "add" }, { - "name": "viewPrivateKey" + "name": "view" }, { - "name": "addGroup" + "name": "delete" + } + ] + }, + { + "name": "environment", + "ownerManagedAccess": false, + "displayName": "environment", + "attributes": {}, + "uris": [], + "scopes": [ + { + "name": "deploy:production" + }, + { + "name": "addOrUpdate:production" + }, + { + "name": "viewAll" + }, + { + "name": "storage" + }, + { + "name": "deleteAll" + }, + { + "name": "addOrUpdate:development" + }, + { + "name": "update:development" + }, + { + "name": "ssh:development" + }, + { + "name": "delete:development" + }, + { + "name": "view" + }, + { + "name": "deploy:development" + }, + { + "name": "deleteNoExec" + }, + { + "name": "ssh:production" + }, + { + "name": "delete:production" + }, + { + "name": "update:production" } ] }, + { + "name": "Default Resource", + "type": "urn:api:resources:default", + "ownerManagedAccess": false, + "attributes": {}, + "uris": [ + "/*" + ] + }, { "name": "organization", "ownerManagedAccess": false, @@ -1190,47 +1319,20 @@ ] }, { - "name": "notification", + "name": "openshift", "ownerManagedAccess": false, - "displayName": "notification", + "displayName": "openshift", "attributes": {}, "uris": [], "scopes": [ { "name": "add" }, - { - "name": "removeAll" - }, { "name": "view" }, { - "name": "update" - }, - { - "name": "deleteAll" - }, - { - "name": "delete" - } - ] - }, - { - "name": "group", - "ownerManagedAccess": false, - "displayName": "group", - "attributes": {}, - "uris": [], - "scopes": [ - { - "name": "addUser" - }, - { - "name": "add" - }, - { - "name": "removeUser" + "name": "view:token" }, { "name": "update" 
@@ -1267,33 +1369,41 @@ ], "policies": [ { - "name": "[Lagoon] Users role for project is Developer", - "description": "Checks the users role for a project is Developer or higher", - "type": "script-policies/users-role-for-project-is-developer.js", + "name": "[Lagoon] Users role for group is Reporter", + "description": "Checks the users role for a group is Reporter or higher", + "type": "script-policies/users-role-for-group-is-reporter.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for group is Guest", - "description": "Checks the users role for a group is Guest or higher", - "type": "script-policies/users-role-for-group-is-guest.js", + "name": "[Lagoon] User is owner of organization", + "description": "Checks that the user is owner of an organization via attribute", + "type": "script-policies/user-is-owner-of-organization.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] User is owner of organization", - "description": "Checks that the user is owner of an organization via attribute", - "type": "script-policies/user-is-owner-of-organization.js", + "name": "Default Policy", + "description": "A policy that grants access only for users within this realm", + "type": "script-policies/default-policy.js", + "logic": "POSITIVE", + "decisionStrategy": "AFFIRMATIVE", + "config": {} + }, + { + "name": "[Lagoon] Users role for project is Maintainer", + "description": "Checks the users role for a project is Maintainer or higher", + "type": "script-policies/users-role-for-project-is-maintainer.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for group is Reporter", - "description": "Checks the users role for a group is Reporter or higher", - "type": "script-policies/users-role-for-group-is-reporter.js", + "name": "[Lagoon] User is viewer of organization", + "description": "Checks that the user is viewer of an 
organization via attribute", + "type": "script-policies/user-is-viewer-of-organization.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} 
@@ -1307,41 +1417,41 @@ "config": {} }, { - "name": "[Lagoon] Users role for realm is Platform Owner", - "description": "Checks the users role for the realm is Platform Owner or higher", - "type": "script-policies/users-role-for-realm-is-platform-owner.js", + "name": "[Lagoon] Users role for project is Owner", + "description": "Checks the users role for a project is Owner or higher", + "type": "script-policies/users-role-for-project-is-owner.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] User has access to project", - "description": "Checks that the user has access to a project via groups", - "type": "script-policies/user-has-access-to-project.js", + "name": "[Lagoon] Users role for project is Guest", + "description": "Checks the users role for a project is Guest or higher", + "type": "script-policies/users-role-for-project-is-guest.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for group is Developer", - "description": "Checks the users role for a group is Developer or higher", - "type": "script-policies/users-role-for-group-is-developer.js", + "name": "[Lagoon] User has access to project", + "description": "Checks that the user has access to a project via groups", + "type": "script-policies/user-has-access-to-project.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for group is Owner", - "description": "Checks the users role for a group is Owner or higher", - "type": "script-policies/users-role-for-group-is-owner.js", + "name": "[Lagoon] Users role for project is Developer", + "description": "Checks the users role for a project is Developer or higher", + "type": "script-policies/users-role-for-project-is-developer.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] User is viewer of organization", - "description": "Checks that the user is viewer of an 
organization via attribute", - "type": "script-policies/user-is-viewer-of-organization.js", + "name": "[Lagoon] Users role for project is Reporter", + "description": "Checks the users role for a project is Reporter or higher", + "type": "script-policies/users-role-for-project-is-reporter.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} 
@@ -1355,480 +1465,483 @@ "config": {} }, { - "name": "[Lagoon] Users role for project is Guest", - "description": "Checks the users role for a project is Guest or higher", - "type": "script-policies/users-role-for-project-is-guest.js", + "name": "[Lagoon] Users role for realm is Platform Owner", + "description": "Checks the users role for the realm is Platform Owner or higher", + "type": "script-policies/users-role-for-realm-is-platform-owner.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for project is Maintainer", - "description": "Checks the users role for a project is Maintainer or higher", - "type": "script-policies/users-role-for-project-is-maintainer.js", + "name": "[Lagoon] Users role for group is Developer", + "description": "Checks the users role for a group is Developer or higher", + "type": "script-policies/users-role-for-group-is-developer.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for project is Reporter", - "description": "Checks the users role for a project is Reporter or higher", - "type": "script-policies/users-role-for-project-is-reporter.js", + "name": "[Lagoon] Users role for group is Maintainer", + "description": "Checks the users role for a group is Maintainer or higher", + "type": "script-policies/users-role-for-group-is-maintainer.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for group is Maintainer", - "description": "Checks the users role for a group is Maintainer or higher", - "type": "script-policies/users-role-for-group-is-maintainer.js", + "name": "[Lagoon] Users role for group is Owner", + "description": "Checks the users role for a group is Owner or higher", + "type": "script-policies/users-role-for-group-is-owner.js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "Default Policy", - "description": "A policy 
that grants access only for users within this realm", - "type": "script-policies/default-policy.js", + "name": "[Lagoon] Users role for group is Guest", + "description": "Checks the users role for a group is Guest or higher", + "type": "script-policies/users-role-for-group-is-guest.js", "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", + "decisionStrategy": "UNANIMOUS", "config": {} }, { - "name": "[Lagoon] Users role for project is Owner", - "description": "Checks the users role for a project is Owner or higher", - "type": "script-policies/users-role-for-project-is-owner.js", + "name": "View Environment Variable for Development Environment", + "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", - "config": {} + "config": { + "resources": "[\"env_var\"]", + "scopes": "[\"environment:view:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + } }, { - "name": "Add SSH Key", + "name": "Add Environment Variable to Development Environment", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", + "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"ssh_key\"]", - "scopes": "[\"add\"]", - "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"environment:add:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Delete All Groups", + "name": "Add or Update Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"environment\"]", + "scopes": "[\"addOrUpdate:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users 
role for project is Developer\"]" } }, { - "name": "Run Drush sql-sync to Development Environment", + "name": "Add Task to Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"task\"]", - "scopes": "[\"drushSqlSync:destination:development\"]", + "scopes": "[\"add:development\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "View Organization", + "name": "Invoke Task Developer", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", + "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"organization\"]", - "scopes": "[\"view\",\"viewProject\",\"viewGroup\",\"viewNotification\",\"viewUser\",\"viewUsers\"]", - "applyPolicies": "[\"[Lagoon] User is owner of organization\",\"[Lagoon] Users role for realm is Platform Owner\",\"[Lagoon] User is viewer of organization\"]" + "resources": "[\"advanced_task\"]", + "scopes": "[\"invoke:developer\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "View Deployments", + "name": "View Project Private Key", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"deployment\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"project\"]", + "scopes": "[\"viewPrivateKey\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" } }, { - "name": "Delete All Backups", + "name": "Delete Task", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"backup\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"task\"]", + "scopes": "[\"delete\"]", + 
"applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Get SSH Keys for User", + "name": "Update SSH Key", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { "resources": "[\"ssh_key\"]", - "scopes": "[\"view:user\"]", + "scopes": "[\"update\"]", "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "View Environment Metrics", + "name": "Manage Openshift", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"storage\"]", + "resources": "[\"openshift\"]", + "scopes": "[\"delete\",\"view:token\",\"update\",\"add\",\"deleteAll\"]", "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Update Group", + "name": "Add Problem", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", - "scopes": "[\"update\"]", - "applyPolicies": "[\"[Lagoon] Users role for group is Maintainer\"]" + "resources": "[\"problem\"]", + "scopes": "[\"add\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Delete Environment Variable from Production Environment", + "name": "Remove User from Group", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:delete:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"group\"]", + "scopes": "[\"removeUser\"]", + "applyPolicies": "[\"[Lagoon] Users role for group is Maintainer\"]" } }, { - "name": "Add Notification to Project", + "name": "Cancel Production Task", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", 
"config": { - "resources": "[\"project\"]", - "scopes": "[\"addNotification\"]", + "resources": "[\"task\"]", + "scopes": "[\"cancel:production\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Delete Environment Variable from Project", + "name": "View Openshift", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"project:delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"openshift\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Cancel Development Task", + "name": "Run Drush sql-sync to Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"task\"]", - "scopes": "[\"cancel:development\"]", + "scopes": "[\"drushSqlSync:destination:development\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Delete All SSH Keys", + "name": "Cancel Deployment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"ssh_key\"]", - "scopes": "[\"removeAll\",\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"deployment\"]", + "scopes": "[\"cancel\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View All Groups", + "name": "Run Drush cron", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", - "scopes": "[\"viewAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" - } - }, - { - "name": "Delete SSH Key", - 
"type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", - "config": { - "resources": "[\"ssh_key\"]", - "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"task\"]", + "scopes": "[\"drushCron:development\",\"drushCron:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Cancel Production Task", + "name": "View Task", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"task\"]", - "scopes": "[\"cancel:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "View Environment Variable Value for Development Environment", + "name": "Update Group", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:viewValue:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"group\"]", + "scopes": "[\"update\"]", + "applyPolicies": "[\"[Lagoon] Users role for group is Maintainer\"]" } }, { - "name": "Add or Update Development Environment", + "name": "View Deployments", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"addOrUpdate:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"deployment\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - 
"name": "View All Organizations", + "name": "Delete Group", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"organization\"]", - "scopes": "[\"viewAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"group\"]", + "scopes": "[\"delete\"]", + "applyPolicies": "[\"[Lagoon] Users role for group is Maintainer\"]" } }, { - "name": "View Environment Variable for Project", + "name": "Delete Environment Variable", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"env_var\"]", - "scopes": "[\"project:view\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "scopes": "[\"delete\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Manage Openshift", + "name": "Get SSH Keys for User", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", + "decisionStrategy": "AFFIRMATIVE", "config": { - "resources": "[\"openshift\"]", - "scopes": "[\"delete\",\"view:token\",\"update\",\"add\",\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"ssh_key\"]", + "scopes": "[\"view:user\"]", + "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Delete All Projects", + "name": "Add Task to Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"project\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"task\"]", + "scopes": "[\"add:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View Harbor Scan Match", + "name": 
"Delete Environment Variable from Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"harbor_scan_match\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"environment:delete:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Run Drush cache-clear", + "name": "Update Organization", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", + "decisionStrategy": "AFFIRMATIVE", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushCacheClear:production\",\"drushCacheClear:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"organization\"]", + "scopes": "[\"updateOrganization\"]", + "applyPolicies": "[\"[Lagoon] User is owner of organization\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Add Deployment to Development Environment", + "name": "Delete Problem", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"deploy:development\"]", + "resources": "[\"problem\"]", + "scopes": "[\"delete\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Remove User from Group", + "name": "Run Drush sql-dump", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", - "scopes": "[\"removeUser\"]", - "applyPolicies": "[\"[Lagoon] Users role for group is Maintainer\"]" + "resources": "[\"task\"]", + "scopes": "[\"drushSqlDump:production\",\"drushSqlDump:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is 
Developer\"]" } }, { - "name": "Manage Organization", + "name": "View Organization", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { "resources": "[\"organization\"]", - "scopes": "[\"addNotification\",\"removeNotification\",\"addProject\",\"updateNotification\",\"updateProject\",\"removeGroup\",\"deleteProject\",\"addViewer\",\"addOwner\",\"addGroup\"]", - "applyPolicies": "[\"[Lagoon] User is owner of organization\",\"[Lagoon] Users role for realm is Platform Owner\"]" + "scopes": "[\"view\",\"viewProject\",\"viewGroup\",\"viewNotification\",\"viewUser\",\"viewUsers\"]", + "applyPolicies": "[\"[Lagoon] User is owner of organization\",\"[Lagoon] Users role for realm is Platform Owner\",\"[Lagoon] User is viewer of organization\"]" } }, { - "name": "Invoke Task Developer", + "name": "Delete All SSH Keys", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"advanced_task\"]", - "scopes": "[\"invoke:developer\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"ssh_key\"]", + "scopes": "[\"removeAll\",\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "Run Drush uli on Production Environment", + "name": "Update Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushUserLogin:production\"]", + "resources": "[\"project\"]", + "scopes": "[\"update\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Delete Deployment", + "name": "View Problems", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"deployment\"]", + "resources": "[\"problem\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] 
Users role for project is Developer\"]" + } + }, + { + "name": "Delete SSH Key", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "AFFIRMATIVE", + "config": { + "resources": "[\"ssh_key\"]", "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "User can SSH to Development Environment", + "name": "Delete All Notifications", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"ssh:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"notification\"]", + "scopes": "[\"removeAll\",\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "Add Deployment to Production Environment", + "name": "View Facts", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"deploy:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"fact\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Cancel Deployment", + "name": "Delete Environment Variable from Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"deployment\"]", - "scopes": "[\"cancel\"]", + "resources": "[\"env_var\"]", + "scopes": "[\"project:delete\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Add Group", + "name": "Delete All Projects", "type": "scope", 
"logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", - "scopes": "[\"add\"]", - "applyPolicies": "[\"Default Policy\"]" + "resources": "[\"project\"]", + "scopes": "[\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "View Project Private Key", + "name": "Delete Deployment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"project\"]", - "scopes": "[\"viewPrivateKey\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" + "resources": "[\"deployment\"]", + "scopes": "[\"delete\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View All Openshifts", + "name": "Platform Owner Manage Organizations and Owners", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"openshift\"]", - "scopes": "[\"viewAll\"]", + "resources": "[\"organization\"]", + "scopes": "[\"delete\",\"update\",\"add\",\"deleteAll\"]", "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Delete Problem", + "name": "View Environment Variable Value for Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"problem\"]", - "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"environment:viewValue:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Run Drush cron", + "name": "Update Task", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"task\"]", - "scopes": 
"[\"drushCron:development\",\"drushCron:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "scopes": "[\"update\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { 
@@ -1843,157 +1956,157 @@ } }, { - "name": "Get User By SSH Key", + "name": "View Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"user\"]", - "scopes": "[\"getBySshKey\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"project\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Delete Task", + "name": "Manage Organization", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", + "decisionStrategy": "AFFIRMATIVE", "config": { - "resources": "[\"task\"]", - "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"organization\"]", + "scopes": "[\"addNotification\",\"removeNotification\",\"addProject\",\"updateNotification\",\"updateProject\",\"removeGroup\",\"deleteProject\",\"addViewer\",\"addOwner\",\"addGroup\"]", + "applyPolicies": "[\"[Lagoon] User is owner of organization\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "View Backups", + "name": "Delete User", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", + "decisionStrategy": "AFFIRMATIVE", "config": { - "resources": "[\"backup\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"user\"]", + "scopes": "[\"delete\"]", + "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Update Organization", + "name": "Update User", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { - "resources": "[\"organization\"]", - "scopes": "[\"updateOrganization\"]", - "applyPolicies": "[\"[Lagoon] User is owner of 
organization\",\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"user\"]", + "scopes": "[\"update\"]", + "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Add User to Group", + "name": "View All Organizations", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", - "scopes": "[\"addUser\"]", - "applyPolicies": "[\"[Lagoon] Users role for group is Owner\"]" + "resources": "[\"organization\"]", + "scopes": "[\"viewAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Delete Environment Variable", + "name": "Delete Environment Variable from Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"env_var\"]", - "scopes": "[\"delete\"]", + "scopes": "[\"environment:delete:production\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Platform Owner Manage Organizations and Owners", + "name": "Delete All Groups", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"organization\"]", - "scopes": "[\"delete\",\"update\",\"add\",\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"group\"]", + "scopes": "[\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "View Environment Variable Value for Production Environment", + "name": "User can SSH to Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:viewValue:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": 
"[\"environment\"]", + "scopes": "[\"ssh:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "User can SSH to Production Environment", + "name": "Run Drush uli on Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"ssh:production\"]", + "resources": "[\"task\"]", + "scopes": "[\"drushUserLogin:production\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Delete User", + "name": "View Environment Variable for Project", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", + "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"user\"]", - "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"project:view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Add Harbor Scan Match", + "name": "View Environment Variable for Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"harbor_scan_match\"]", - "scopes": "[\"add\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"environment:view:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Run Drush archive-dump", + "name": "Delete All Users", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushArchiveDump:production\",\"drushArchiveDump:development\"]", - "applyPolicies": "[\"[Lagoon] User has 
access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"user\"]", + "scopes": "[\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "Add Environment Variable to Project", + "name": "Get User By SSH Key", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"project:add\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"user\"]", + "scopes": "[\"getBySshKey\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Add User", + "name": "Add Harbor Scan Match", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"user\"]", + "resources": "[\"harbor_scan_match\"]", "scopes": "[\"add\"]", - "applyPolicies": "[\"Default Policy\"]" + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { 
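Review bot: Almost every `-`/`+` pair in this hunk (and in the `@@ -2019` and `@@ -2305` hunks below) is the same permission moved to a different position in the policy list, so any real change to a `scopes` or `applyPolicies` string is buried in the churn and cannot be reviewed for privilege widening. Since the file is a Keycloak realm export whose array order is not stable between exports, the export should be normalised before committing, e.g. `jq 'walk(if type == "array" and (.[0] | type) == "object" and (.[0] | has("name")) then sort_by(.name) else . end)'`, or the old and new file should be diffed after that normalisation and the result attached to the PR. Each `scope` permission here is an authorization decision, so a one-word change in its policy list or `decisionStrategy` is security-relevant and should be visible in the diff on its own.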
@@ -2019,267 +2132,234 @@ } }, { - "name": "Delete Environment", + "name": "Delete Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", + "resources": "[\"project\"]", "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" } }, { - "name": "Update Production Environment", + "name": "Add Group", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"update:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"group\"]", + "scopes": "[\"add\"]", + "applyPolicies": "[\"Default Policy\"]" } }, { - "name": "Delete Development Environment", + "name": "View Backups", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"delete:development\"]", + "resources": "[\"backup\"]", + "scopes": "[\"view\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Delete Backup", + "name": "Remove Groups from Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"backup\"]", - "scopes": "[\"delete\"]", + "resources": "[\"project\"]", + "scopes": "[\"removeGroup\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Update Development Environment", + "name": "View All Environments", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"environment\"]", - "scopes": "[\"update:development\"]", - "applyPolicies": 
"[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "scopes": "[\"viewAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Add Restore", + "name": "View Environment Metrics", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"restore\"]", - "scopes": "[\"add\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"environment\"]", + "scopes": "[\"storage\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Delete Group", + "name": "Delete Backup", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"group\"]", + "resources": "[\"backup\"]", "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] Users role for group is Maintainer\"]" + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Add Problem", + "name": "Add Deployment to Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"problem\"]", - "scopes": "[\"add\"]", + "resources": "[\"environment\"]", + "scopes": "[\"deploy:development\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "View Environment Variable for Development Environment", + "name": "Run Drush rsync to Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:view:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"task\"]", + "scopes": "[\"drushRsync:destination:development\"]", + "applyPolicies": 
"[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Add Task to Production Environment", + "name": "Delete All Environments", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"add:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"environment\"]", + "scopes": "[\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "Delete Project", + "name": "Add Environment Variable to Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"project\"]", - "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"environment:add:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Add Backup", + "name": "Run Drush archive-dump", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"backup\"]", - "scopes": "[\"add\"]", + "resources": "[\"task\"]", + "scopes": "[\"drushArchiveDump:production\",\"drushArchiveDump:development\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Update Project", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"project\"]", - "scopes": "[\"update\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" - } - }, - { - "name": "Invoke Task Guest", + "name": "Create Image Based Task", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", 
"config": { "resources": "[\"advanced_task\"]", - "scopes": "[\"invoke:guest\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\"]" + "scopes": "[\"create:advanced\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Delete Harbor Scan Match", + "name": "Delete Fact", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"harbor_scan_match\"]", + "resources": "[\"fact\"]", "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, - { - "name": "Add Task to Development Environment", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"task\"]", - "scopes": "[\"add:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" - } - }, - { - "name": "View Notification", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"notification\"]", - "scopes": "[\"view\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Run Drush rsync to Development Environment", + "name": "View All Groups", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushRsync:destination:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"group\"]", + "scopes": "[\"viewAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "View All Environments", + "name": "Invoke Task Guest", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"environment\"]", - "scopes": "[\"viewAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is 
Platform Owner\"]" + "resources": "[\"advanced_task\"]", + "scopes": "[\"invoke:guest\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\"]" } }, { - "name": "Delete All Notifications", + "name": "Add Backup", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"notification\"]", - "scopes": "[\"removeAll\",\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "resources": "[\"backup\"]", + "scopes": "[\"add\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Update Deployment", + "name": "Run Drush rsync to Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"deployment\"]", - "scopes": "[\"update\"]", + "resources": "[\"task\"]", + "scopes": "[\"drushRsync:destination:production\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View Environment Variable for Production Environment", + "name": "View All Users", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:view:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"user\"]", + "scopes": "[\"viewAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Add or Update Production Environment", + "name": "Delete Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"environment\"]", - "scopes": "[\"addOrUpdate:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "scopes": "[\"delete:development\"]", + "applyPolicies": 
"[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Delete All Environments", + "name": "Delete Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"environment\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" + "scopes": "[\"delete\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { 
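Review bot: `View Notification` (`notification` / `view`, Developer) is removed in this hunk with no matching `+` block, and the hunk shrinks from 267 to 234 lines, which matches exactly three removed permission blocks; `Update Project` and `Add Task to Development Environment` are re-added in the first hunk, but `View Notification` is not re-added anywhere visible here. Please confirm it is re-added in another hunk of this file, because a permission that silently disappears from the realm export presumably denies that operation to every role once the realm is re-imported, and nothing in this diff would flag that. If the removal is intentional, the commit description should say so.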
@@ -2305,256 +2385,256 @@ } }, { - "name": "Run Drush uli on Development Environment", + "name": "Cancel Development Task", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"task\"]", - "scopes": "[\"drushUserLogin:development\"]", + "scopes": "[\"cancel:development\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Delete All Users", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"user\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, - { - "name": "Update SSH Key", + "name": "Add SSH Key", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { "resources": "[\"ssh_key\"]", - "scopes": "[\"update\"]", + "scopes": "[\"add\"]", "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "Update Task", + "name": "Delete Harbor Scan Match", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"update\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"harbor_scan_match\"]", + "scopes": "[\"delete\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "Update User", + "name": "View All Openshifts", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", + "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"user\"]", - "scopes": "[\"update\"]", - "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"openshift\"]", + "scopes": "[\"viewAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - 
"name": "Run Drush rsync from Any Environment", + "name": "Update Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushRsync:source:development\",\"drushRsync:source:production\"]", + "resources": "[\"environment\"]", + "scopes": "[\"update:development\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "View Openshift", + "name": "User can SSH to Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"openshift\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"environment\"]", + "scopes": "[\"ssh:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View Environment", + "name": "Update Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"environment\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "scopes": "[\"update:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View All Users", + "name": "Advanced Task Delete", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"user\"]", - "scopes": "[\"viewAll\"]", + "resources": "[\"advanced_task\"]", + "scopes": "[\"delete:advanced\"]", "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, { - "name": "View Task", + "name": "View Environment Variable Value for Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": 
"UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"environment:viewValue:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Add Groups to Project", + "name": "Add or Update Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"project\"]", - "scopes": "[\"addGroup\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" + "resources": "[\"environment\"]", + "scopes": "[\"addOrUpdate:production\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Add Environment Variable to Development Environment", + "name": "View Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:add:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"environment\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "View Environment Variable Value for Project", + "name": "Run Drush cache-clear", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"project:viewValue\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"task\"]", + "scopes": "[\"drushCacheClear:production\",\"drushCacheClear:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to 
project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Run Drush sql-dump", + "name": "View Environment Variable Value for Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushSqlDump:production\",\"drushSqlDump:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"env_var\"]", + "scopes": "[\"project:viewValue\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View Problems", + "name": "View Notification", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"problem\"]", + "resources": "[\"notification\"]", "scopes": "[\"view\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Add Environment Variable to Production Environment", + "name": "Add User to Group", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:add:production\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"group\"]", + "scopes": "[\"addUser\"]", + "applyPolicies": "[\"[Lagoon] Users role for group is Owner\"]" } }, { - "name": "Delete Fact", + "name": "Add Fact", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"fact\"]", - "scopes": "[\"delete\"]", + "scopes": "[\"add\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "View Facts", + "name": "Run Drush rsync from Any Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": 
"[\"fact\"]", - "scopes": "[\"view\"]", + "resources": "[\"task\"]", + "scopes": "[\"drushRsync:source:development\",\"drushRsync:source:production\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Create Image Based Task", + "name": "Run Drush uli on Development Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"advanced_task\"]", - "scopes": "[\"create:advanced\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" + "resources": "[\"task\"]", + "scopes": "[\"drushUserLogin:development\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, { - "name": "Advanced Task Delete", + "name": "Invoke Task Maintainer", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"advanced_task\"]", - "scopes": "[\"delete:advanced\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" + "scopes": "[\"invoke:maintainer\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Run Drush sql-sync to Production Environment", + "name": "Remove Notification from Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushSqlSync:destination:production\"]", + "resources": "[\"project\"]", + "scopes": "[\"removeNotification\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Add Fact", + "name": "Add Notification to Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"fact\"]", - "scopes": "[\"add\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for 
project is Developer\"]" + "resources": "[\"project\"]", + "scopes": "[\"addNotification\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "Delete Environment Variable from Development Environment", + "name": "Add Groups to Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"env_var\"]", - "scopes": "[\"environment:delete:development\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" + "resources": "[\"project\"]", + "scopes": "[\"addGroup\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" + } + }, + { + "name": "Delete All Backups", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"backup\"]", + "scopes": "[\"deleteAll\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { 
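Review bot: `Delete All Users` (resource `user`, scope `deleteAll`, policy `[Lagoon] Users role for realm is Admin`) is deleted outright near the top of this hunk and does not reappear anywhere in the visible part of the diff, whereas `Delete All Backups` with the same Admin policy shows up as new at the end of it. Keycloak denies a scope that no permission covers, so this fails closed rather than open, but it means whatever API operation evaluates `user`/`deleteAll` will now be refused even for Admin; if that is a deliberate retirement the caller should go with it, and if this is only a re-export that shuffled entries the permission should be restored. The hunk is 256 lines on both sides, which looks like reordering, so it is worth checking which of the two this is.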
@@ -2569,59 +2649,81 @@ } }, { - "name": "Run Drush rsync to Production Environment", + "name": "Update Deployment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"task\"]", - "scopes": "[\"drushRsync:destination:production\"]", + "resources": "[\"deployment\"]", + "scopes": "[\"update\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, { - "name": "View Project", + "name": "Add Environment Variable to Project", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"project\"]", - "scopes": "[\"view\"]", + "resources": "[\"env_var\"]", + "scopes": "[\"project:add\"]", + "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + } + }, + { + "name": "Add Restore", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"restore\"]", + "scopes": "[\"add\"]", "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, { - "name": "Remove Groups from Project", + "name": "View Harbor Scan Match", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"project\"]", - "scopes": "[\"removeGroup\"]", - "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" + "resources": "[\"harbor_scan_match\"]", + "scopes": "[\"view\"]", + "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" } }, { - "name": "Invoke Task Maintainer", + "name": "Run Drush sql-sync to Production Environment", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"advanced_task\"]", - "scopes": "[\"invoke:maintainer\"]", + "resources": "[\"task\"]", + "scopes": "[\"drushSqlSync:destination:production\"]", "applyPolicies": 
"[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]"
 }
 },
 {
- "name": "Remove Notification from Project",
+ "name": "Add Deployment to Production Environment",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "resources": "[\"project\"]",
- "scopes": "[\"removeNotification\"]",
+ "resources": "[\"environment\"]",
+ "scopes": "[\"deploy:production\"]",
 "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]"
 }
+ },
+ {
+ "name": "Add User",
+ "type": "scope",
+ "logic": "POSITIVE",
+ "decisionStrategy": "UNANIMOUS",
+ "config": {
+ "resources": "[\"user\"]",
+ "scopes": "[\"add\"]",
+ "applyPolicies": "[\"Default Policy\"]"
+ }
 }
 ],
 "scopes": [
@@ -2888,7 +2990,9 @@
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [],
- "webOrigins": [],
+ "webOrigins": [
+ "*"
+ ],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
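Review bot: The new `Add User` permission grants scope `add` on resource `user` through `Default Policy` alone, while every other permission in this hunk is gated on a `[Lagoon] …` role policy. If `Default Policy` is the stock policy Keycloak creates when authorization services are enabled, it is a JavaScript policy that calls `$evaluation.grant()` unconditionally, so any principal this resource server evaluates can create users. If self-service user creation is intended, record that in the permission's `description` so the next reader does not take it for an oversight; otherwise gate it like `View All Users`, e.g. `"applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]"`.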
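Review bot: Setting `webOrigins` to `["*"]` opens CORS to any origin on a confidential client (`clientAuthenticatorType` `client-secret`, `bearerOnly` `false`) that has no `redirectUris` and therefore no browser flow that needs it. In Keycloak `*` is a wildcard: it relaxes CORS on this client's token and userinfo endpoints to every origin, and since `web-origins` sits in the `defaultClientScopes` of the clients in this file (its `oidc-allowed-origins-mapper` is in the `clientScopes` section further down), tokens issued to this client will carry `allowed-origins: ["*"]`, which any resource server honouring that claim treats as "allow all". Unless a specific browser origin actually talks to this client, keep `"webOrigins": []` or list the concrete origins; the same `["*"]` change is repeated for the other clients later in this diff, including the `bearerOnly: true` ones where it is at best dead configuration.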
@@ -2905,49 +3009,49 @@
 "nodeReRegistrationTimeout": -1,
 "protocolMappers": [
 {
- "name": "Client ID",
+ "name": "Client IP Address",
 "protocol": "openid-connect",
 "protocolMapper": "oidc-usersessionmodel-note-mapper",
 "consentRequired": false,
 "config": {
- "user.session.note": "clientId",
+ "user.session.note": "clientAddress",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "clientId",
+ "claim.name": "clientAddress",
 "jsonType.label": "String"
 }
 },
 {
- "name": "Client Host",
+ "name": "Client ID",
 "protocol": "openid-connect",
 "protocolMapper": "oidc-usersessionmodel-note-mapper",
 "consentRequired": false,
 "config": {
- "user.session.note": "clientHost",
+ "user.session.note": "clientId",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "clientHost",
+ "claim.name": "clientId",
 "jsonType.label": "String"
 }
 },
 {
- "name": "Client IP Address",
+ "name": "Client Host",
 "protocol": "openid-connect",
 "protocolMapper": "oidc-usersessionmodel-note-mapper",
 "consentRequired": false,
 "config": {
- "user.session.note": "clientAddress",
+ "user.session.note": "clientHost",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "clientAddress",
+ "claim.name": "clientHost",
 "jsonType.label": "String"
 }
 }
 ],
 "defaultClientScopes": [
 "web-origins",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -2965,7 +3069,9 @@
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [],
- "webOrigins": [],
+ "webOrigins": [
+ "*"
+ ],
 "notBefore": 0,
 "bearerOnly": true,
 "consentRequired": false,
@@ -2982,8 +3088,8 @@
 "nodeReRegistrationTimeout": 0,
 "defaultClientScopes": [
 "web-origins",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -3037,8 +3143,8 @@
 ],
 "defaultClientScopes": [
 "web-origins",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -3055,7 +3161,9 @@
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [],
- "webOrigins": [],
+ "webOrigins": [
+ "*"
+ ],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
@@ -3072,49 +3180,49 @@
 "nodeReRegistrationTimeout": -1,
 "protocolMappers": [
 {
- "name": "Client ID",
+ "name": "Client IP Address",
 "protocol": "openid-connect",
 "protocolMapper": "oidc-usersessionmodel-note-mapper",
 "consentRequired": false,
 "config": {
- "user.session.note": "clientId",
+ "user.session.note": "clientAddress",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "clientId",
+ "claim.name": "clientAddress",
 "jsonType.label": "String"
 }
 },
 {
- "name": "Client Host",
+ "name": "Client ID",
 "protocol": "openid-connect",
 "protocolMapper": "oidc-usersessionmodel-note-mapper",
 "consentRequired": false,
 "config": {
- "user.session.note": "clientHost",
+ "user.session.note": "clientId",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "clientHost",
+ "claim.name": "clientId",
 "jsonType.label": "String"
 }
 },
 {
- "name": "Client IP Address",
+ "name": "Client Host",
 "protocol": "openid-connect",
 "protocolMapper": "oidc-usersessionmodel-note-mapper",
 "consentRequired": false,
 "config": {
- "user.session.note": "clientAddress",
+ "user.session.note": "clientHost",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "clientAddress",
+ "claim.name": "clientHost",
 "jsonType.label": "String"
 }
 }
 ],
 "defaultClientScopes": [
 "web-origins",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -3168,8 +3276,8 @@
 ],
 "defaultClientScopes": [
 "web-origins",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -3187,7 +3295,9 @@
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [],
- "webOrigins": [],
+ "webOrigins": [
+ "*"
+ ],
 "notBefore": 0,
 "bearerOnly": true,
 "consentRequired": false,
@@ -3205,8 +3315,8 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ @@ -3220,58 +3330,58 @@ "policyEnforcementMode": "ENFORCING", "resources": [ { - "name": "client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", - "type": "Client", + "name": "Users", "ownerManagedAccess": false, "attributes": {}, "uris": [], "scopes": [ { - "name": "view" - }, - { - "name": "map-roles-client-scope" + "name": "user-impersonated" }, { - "name": "map-roles" + "name": "view" }, { - "name": "configure" + "name": "manage-group-membership" }, { - "name": "manage" + "name": "impersonate" }, { - "name": "map-roles-composite" + "name": "map-roles" }, { - "name": "token-exchange" + "name": "manage" } ] }, { - "name": "Users", + "name": "client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", + "type": "Client", "ownerManagedAccess": false, "attributes": {}, "uris": [], "scopes": [ - { - "name": "user-impersonated" - }, { "name": "view" }, { - "name": "manage-group-membership" + "name": "map-roles-client-scope" }, { - "name": "impersonate" + "name": "map-roles" }, { - "name": "map-roles" + "name": "configure" }, { "name": "manage" + }, + { + "name": "map-roles-composite" + }, + { + "name": "token-exchange" } ] }, 
@@ -3308,71 +3418,71 @@ ], "policies": [ { - "name": "Client service-api Policy", + "name": "Client auth-server Policy", "type": "client", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "clients": "[\"service-api\"]" + "clients": "[\"auth-server\"]" } }, { - "name": "Client auth-server Policy", + "name": "Client service-api Policy", "type": "client", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "clients": "[\"auth-server\"]" + "clients": "[\"service-api\"]" } }, { - "name": "manage.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", + "name": "configure.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", - "scopes": "[\"manage\"]" + "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]", + "scopes": "[\"configure\"]" } }, { - "name": "user-impersonated.permission.users", + "name": "map-roles-composite.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"Users\"]", - "scopes": "[\"user-impersonated\"]" + "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", + "scopes": "[\"map-roles-composite\"]" } }, { - "name": "map-roles-composite.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", + "name": "manage.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", - "scopes": "[\"map-roles-composite\"]" + "scopes": "[\"manage\"]" } }, { - "name": "configure.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806", + "name": "map-roles-composite.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806", "type": "scope", "logic": "POSITIVE", "decisionStrategy": 
"UNANIMOUS", "config": { "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]", - "scopes": "[\"configure\"]" + "scopes": "[\"map-roles-composite\"]" } }, { - "name": "map-roles-client-scope.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806", + "name": "configure.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]", - "scopes": "[\"map-roles-client-scope\"]" + "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", + "scopes": "[\"configure\"]" } }, { 
@@ -3386,44 +3496,33 @@
 }
 },
 {
- "name": "admin-impersonating.permission.users",
- "type": "scope",
- "logic": "POSITIVE",
- "decisionStrategy": "AFFIRMATIVE",
- "config": {
- "resources": "[\"Users\"]",
- "scopes": "[\"impersonate\"]",
- "applyPolicies": "[\"Client service-api Policy\",\"Client auth-server Policy\"]"
- }
- },
- {
- "name": "map-roles-client-scope.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a",
+ "name": "view.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
 "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]",
- "scopes": "[\"map-roles-client-scope\"]"
+ "scopes": "[\"view\"]"
 }
 },
 {
- "name": "token-exchange.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a",
+ "name": "view.permission.users",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]",
- "scopes": "[\"token-exchange\"]"
+ "resources": "[\"Users\"]",
+ "scopes": "[\"view\"]"
 }
 },
 {
- "name": "view.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a",
+ "name": "map-roles-client-scope.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]",
- "scopes": "[\"view\"]"
+ "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]",
+ "scopes": "[\"map-roles-client-scope\"]"
 }
 },
 {
@@ -3437,23 +3536,23 @@
 }
 },
 {
- "name": "map-roles-composite.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806",
+ "name": "map-roles-client-scope.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]",
- "scopes": "[\"map-roles-composite\"]"
+ "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]",
+ "scopes": "[\"map-roles-client-scope\"]"
 }
 },
 {
- "name": "manage-group-membership.permission.users",
+ "name": "user-impersonated.permission.users",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
 "resources": "[\"Users\"]",
- "scopes": "[\"manage-group-membership\"]"
+ "scopes": "[\"user-impersonated\"]"
 }
 },
 {
@@ -3467,63 +3566,74 @@ } }, { - "name": "configure.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", + "name": "admin-impersonating.permission.users", "type": "scope", "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", + "decisionStrategy": "AFFIRMATIVE", "config": { - "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", - "scopes": "[\"configure\"]" + "resources": "[\"Users\"]", + "scopes": "[\"impersonate\"]", + "applyPolicies": "[\"Client service-api Policy\",\"Client auth-server Policy\"]" } }, { - "name": "map-roles.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", + "name": "manage-group-membership.permission.users", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", - "scopes": "[\"map-roles\"]" + "resources": "[\"Users\"]", + "scopes": "[\"manage-group-membership\"]" } }, { - "name": "map-roles.permission.users", + "name": "view.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { - "resources": "[\"Users\"]", - "scopes": "[\"map-roles\"]" + "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]", + "scopes": "[\"view\"]" } }, { - "name": "view.permission.users", + "name": "manage.permission.users", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"Users\"]", - "scopes": "[\"view\"]" + "scopes": "[\"manage\"]" } }, { - "name": "manage.permission.users", + "name": "map-roles.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a", + "type": "scope", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]", + "scopes": "[\"map-roles\"]" + } + }, + { + "name": "map-roles.permission.users", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { 
"resources": "[\"Users\"]",
- "scopes": "[\"manage\"]"
+ "scopes": "[\"map-roles\"]"
 }
 },
 {
- "name": "view.permission.client.dfed8377-a5b0-47bb-a878-775a13d47806",
+ "name": "token-exchange.permission.client.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a",
 "type": "scope",
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "resources": "[\"client.resource.dfed8377-a5b0-47bb-a878-775a13d47806\"]",
- "scopes": "[\"view\"]"
+ "resources": "[\"client.resource.be3aa27a-12ad-4ab8-b43b-3aaf9192d10a\"]",
+ "scopes": "[\"token-exchange\"]"
 }
 }
 ],
@@ -3611,8 +3721,8 @@
 ],
 "defaultClientScopes": [
 "web-origins",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -3629,7 +3739,9 @@
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [],
- "webOrigins": [],
+ "webOrigins": [
+ "*"
+ ],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
@@ -3646,57 +3758,57 @@ "nodeReRegistrationTimeout": -1, "protocolMappers": [ { - "name": "Client IP Address", + "name": "Client Host", "protocol": "openid-connect", "protocolMapper": "oidc-usersessionmodel-note-mapper", "consentRequired": false, "config": { - "user.session.note": "clientAddress", + "user.session.note": "clientHost", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "clientAddress", + "claim.name": "clientHost", "jsonType.label": "String" } }, { - "name": "Group Lagoon Project IDs", + "name": "User Realm Roles", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-realm-role-mapper", "consentRequired": false, "config": { - "aggregate.attrs": "true", - "multivalued": "true", - "userinfo.token.claim": "false", - "user.attribute": "group-lagoon-project-ids", "id.token.claim": "false", "access.token.claim": "true", - "claim.name": "group_lagoon_project_ids", - "jsonType.label": "String" + "claim.name": "realm_roles", + "multivalued": "true", + "userinfo.token.claim": "false" } }, { - "name": "Group Membership", + "name": "Group Lagoon Project IDs", "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { - "full.path": "true", + "aggregate.attrs": "true", + "multivalued": "true", + "userinfo.token.claim": "false", + "user.attribute": "group-lagoon-project-ids", "id.token.claim": "false", "access.token.claim": "true", - "claim.name": "group_membership", - "userinfo.token.claim": "false" + "claim.name": "group_lagoon_project_ids", + "jsonType.label": "String" } }, { - "name": "Client Host", + "name": "Client IP Address", "protocol": "openid-connect", "protocolMapper": "oidc-usersessionmodel-note-mapper", "consentRequired": false, "config": { - "user.session.note": "clientHost", + "user.session.note": "clientAddress", "id.token.claim": "true", 
"access.token.claim": "true", - "claim.name": "clientHost", + "claim.name": "clientAddress", "jsonType.label": "String" } }, @@ -3714,23 +3826,23 @@ } }, { - "name": "User Realm Roles", + "name": "Group Membership", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", + "protocolMapper": "oidc-group-membership-mapper", "consentRequired": false, "config": { + "full.path": "true", "id.token.claim": "false", "access.token.claim": "true", - "claim.name": "realm_roles", - "multivalued": "true", + "claim.name": "group_membership", "userinfo.token.claim": "false" } } ], "defaultClientScopes": [ "web-origins", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ 
@@ -3743,178 +3855,260 @@ ], "clientScopes": [ { - "name": "phone", - "description": "OpenID Connect built-in scope: phone", + "name": "email", + "description": "OpenID Connect built-in scope: email", "protocol": "openid-connect", "attributes": { "include.in.token.scope": "true", "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" + "consent.screen.text": "${emailScopeConsentText}" }, "protocolMappers": [ { - "name": "phone number verified", + "name": "email verified", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", + "user.attribute": "emailVerified", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "phone_number_verified", + "claim.name": "email_verified", "jsonType.label": "boolean" } }, { - "name": "phone number", + "name": "email", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", + "user.attribute": "email", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "phone_number", + "claim.name": "email", "jsonType.label": "String" } } ] }, { - "name": "profile", - "description": "OpenID Connect built-in scope: profile", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", "protocol": "openid-connect", "attributes": { - "include.in.token.scope": "true", + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + 
"config": {} + } + ] + }, + { + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" + "consent.screen.text": "${rolesScopeConsentText}" }, "protocolMappers": [ { - "name": "picture", + "name": "audience resolve", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-audience-resolve-mapper", "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } + "config": {} }, { - "name": "website", + "name": "realm roles", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-realm-role-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", + "user.attribute": "foo", "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" } }, { - "name": "zoneinfo", + "name": "client roles", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-client-role-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", + "user.attribute": "foo", "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" } - }, + } + ] + }, + { + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + 
"attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ { - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "String" + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" } - }, + } + ] + }, + { + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ { - "name": "gender", + "name": "upn", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "gender", + "user.attribute": "username", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "gender", + "claim.name": "upn", "jsonType.label": "String" } }, { - "name": "locale", + "name": "groups", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-realm-role-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", + "multivalued": "true", + "user.attribute": "foo", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "locale", + "claim.name": "groups", "jsonType.label": "String" } - }, + } + ] + }, + { + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + 
"include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ { - "name": "middle name", + "name": "address", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-address-mapper", "consentRequired": false, "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", "userinfo.token.claim": "true", - "user.attribute": "middleName", + "user.attribute.street": "street", "id.token.claim": "true", + "user.attribute.region": "region", "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" + "user.attribute.locality": "locality" + } + } + ] + }, + { + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" } }, { - "name": "username", + "name": "phone number", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "username", + "user.attribute": "phoneNumber", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "preferred_username", + "claim.name": "phone_number", "jsonType.label": "String" } - }, + } + ] + }, + { + "name": 
"profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ { - "name": "nickname", + "name": "picture", "protocol": "openid-connect", "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "nickname", + "user.attribute": "picture", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "nickname", + "claim.name": "picture", "jsonType.label": "String" } }, 
@@ -3930,253 +4124,171 @@ } }, { - "name": "profile", + "name": "zoneinfo", "protocol": "openid-connect", "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "profile", + "user.attribute": "zoneinfo", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "profile", + "claim.name": "zoneinfo", "jsonType.label": "String" } }, { - "name": "birthdate", + "name": "family name", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", + "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "birthdate", + "user.attribute": "lastName", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "birthdate", + "claim.name": "family_name", "jsonType.label": "String" } }, { - "name": "family name", + "name": "nickname", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "lastName", + "user.attribute": "nickname", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "family_name", + "claim.name": "nickname", "jsonType.label": "String" } }, { - "name": "given name", + "name": "username", "protocol": "openid-connect", "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "firstName", + "user.attribute": "username", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "given_name", + "claim.name": "preferred_username", "jsonType.label": "String" } - } - ] - }, - { - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - 
"display.on.consent.screen": "false" - }, - "protocolMappers": [ + }, { - "name": "groups", + "name": "middle name", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { - "multivalued": "true", - "user.attribute": "foo", + "userinfo.token.claim": "true", + "user.attribute": "middleName", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "groups", + "claim.name": "middle_name", "jsonType.label": "String" } }, { - "name": "upn", + "name": "updated at", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "username", + "user.attribute": "updatedAt", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "upn", + "claim.name": "updated_at", "jsonType.label": "String" } - } - ] - }, - { - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ + }, { - "name": "email", + "name": "website", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": 
false, "config": { "userinfo.token.claim": "true", - "user.attribute": "email", + "user.attribute": "website", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "email", + "claim.name": "website", "jsonType.label": "String" } }, { - "name": "email verified", + "name": "profile", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { "userinfo.token.claim": "true", - "user.attribute": "emailVerified", + "user.attribute": "profile", "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" + "claim.name": "profile", + "jsonType.label": "String" } - } - ] - }, - { - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} }, { - "name": "realm roles", + "name": "birthdate", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { - "user.attribute": "foo", + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" + "claim.name": "birthdate", + "jsonType.label": "String" } }, { - "name": "client roles", + "name": "gender", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, 
"config": { - "user.attribute": "foo", + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" + "claim.name": "gender", + "jsonType.label": "String" } - } - ] - }, - { - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ + }, { - "name": "address", + "name": "locale", "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", "userinfo.token.claim": "true", - "user.attribute.street": "street", + "user.attribute": "locale", "id.token.claim": "true", - "user.attribute.region": "region", "access.token.claim": "true", - "user.attribute.locality": "locality" + "claim.name": "locale", + "jsonType.label": "String" } - } - ] - }, - { - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ + }, { - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + 
"jsonType.label": "String" } } ] @@ -4192,17 +4304,17 @@ } ], "defaultDefaultClientScopes": [ - "profile", - "email", "roles", + "web-origins", "role_list", - "web-origins" + "email", + "profile" ], "defaultOptionalClientScopes": [ - "microprofile-jwt", "offline_access", - "address", - "phone" + "phone", + "microprofile-jwt", + "address" ], "browserSecurityHeaders": { "contentSecurityPolicyReportOnly": "", @@ -4224,17 +4336,6 @@ "identityProviderMappers": [], "components": { "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, { "name": "Allowed Protocol Mapper Types", "providerId": "allowed-protocol-mappers", @@ -4253,10 +4354,17 @@ ] } }, + { + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, { "name": "Allowed Client Scopes", "providerId": "allowed-client-templates", - "subType": "authenticated", + "subType": "anonymous", "subComponents": {}, "config": { "allow-default-scopes": [ 
@@ -4279,34 +4387,27 @@ } }, { - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-attribute-mapper", - "oidc-full-name-mapper", - "saml-role-list-mapper", - "oidc-usermodel-property-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-address-mapper", - "saml-user-property-mapper", - "oidc-sha256-pairwise-sub-mapper" - ] - } + "config": {} }, { - "name": "Consent Required", - "providerId": "consent-required", + "name": "Max Clients Limit", + "providerId": "max-clients", "subType": "anonymous", "subComponents": {}, - "config": {} + "config": { + "max-clients": [ + "200" + ] + } }, { "name": "Allowed Client Scopes", "providerId": "allowed-client-templates", - "subType": "anonymous", + "subType": "authenticated", "subComponents": {}, "config": { "allow-default-scopes": [ @@ -4315,11 +4416,22 @@ } }, { - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", "subComponents": {}, - "config": {} + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-full-name-mapper", + "saml-role-list-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper" + ] + } } ], "org.keycloak.userprofile.UserProfileProvider": [ 
@@ -4331,38 +4443,38 @@ ], "org.keycloak.keys.KeyProvider": [ { - "name": "rsa-generated", - "providerId": "rsa-generated", + "name": "hmac-generated", + "providerId": "hmac-generated", "subComponents": {}, "config": { "priority": [ "100" + ], + "algorithm": [ + "HS256" ] } }, { - "name": "rsa-enc-generated", - "providerId": "rsa-enc-generated", + "name": "rsa-generated", + "providerId": "rsa-generated", "subComponents": {}, "config": { "priority": [ "100" - ], - "algorithm": [ - "RSA-OAEP" ] } }, { - "name": "hmac-generated", - "providerId": "hmac-generated", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", "subComponents": {}, "config": { "priority": [ "100" ], "algorithm": [ - "HS256" + "RSA-OAEP" ] } },