| Key | Description | Type | Default | Allowed values |
|---|---|---|---|---|
| enabled | whether this part of the policy should be enforced | Boolean | true | true, false |
| compensatingControl | whether there is another mechanism in place [elsewhere] to handle access controls | Boolean | false | true, false |
| authenticationPolicy | the following definitions apply to the application's authentication policies | | | |
| authenticationRequired | whether authentication is required for access to the application | Boolean | true | true, false |
| supportedMethods | methods users can use to authenticate to the application | String Array | `["uname/passwd","oauth"]` | `["uname/passwd","oauth","saml","openid","jwt"]` |
| passwords | defines the password policy | | | |
| minLen | minimum number of characters each password must have | Number (int) | 12 | Any number > 0 |
| maxLen | maximum number of characters each password can have | Number (int) | 24 | Cannot be smaller than minLen |
| regex | what the password must contain (letters, numbers, special characters) | RegEx String | ``^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[`~!@#$%^&*()_ .,[=])`` => 3 uppercase, 3 lowercase, 3 numbers, 3 special characters (! @#$%^&<) | N/A |
| expires | when the password will expire (in days) | Number (int) | 0 => never expires | Any integer >= 0 |
| supportedHashes | which hashing algorithms can be used for the password | Array | `["bcrypt"]` | `["bcrypt","scrypt","sha512"]` |
| lockout | when users will be locked out of their accounts | | | |
| attempts | how many failed attempts before the account is disabled | Number (int) | 3 | Any integer >= 0 (0 = never lock) |
| automaticReset | how long (in seconds) until the account is re-enabled | Number (int) | 60000 (10 minutes) | Any number >= 0 (0 = never unlock) |
| tarpitDefault | how long (in milliseconds) before users can try again | Number (int) | 1000 (1 second) | Any number >= 0 (0 = no tarpitting) |
| mfaRequired | whether multifactor authentication is required for the application | Boolean | false | true, false |
| authorization | the following definitions apply to the application's authorization policies | | | |
| authorizationRequired | whether users have to be authorized to access parts of the application | Boolean | false | true, false |
| supportedTypes | the relationship between roles | String Array | `["flat","inherited"]` | `["flat","inherited"]` |
| rbacPolicy | defines the role-based access control policy | | | |
| roles | the roles the application will support | String Array | `["user","moderator","admin"]` | Any string in the array |
| permissions | the permissions each role can have | String Array | `["read","write","create","delete","approve","reject"]` | Any string in the array |