
# Get info for a specific account.

> A user can have access to multiple accounts; this API tries
to look up the one identified by the input id.

## OpenAPI

````json GET /sys/v1/accounts/{acct_id}
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/sys/v1/accounts/{acct_id}": {
      "get": {
        "operationId": "GetAccount",
        "tags": [
          "Accounts"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Get info for a specific account.",
        "description": "A user can have access to multiple accounts; this API tries\nto look up the one identified by the input id.",
        "parameters": [
          {
            "name": "acct_id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          },
          {
            "$ref": "#/components/parameters/GetAccountParams"
          }
        ],
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Account"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "parameters": {
      "GetAccountParams": {
        "in": "query",
        "name": "GetAccountParams",
        "schema": {
          "$ref": "#/components/schemas/GetAccountParams"
        },
        "explode": true
      }
    },
    "schemas": {
      "Account": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "acct_id": {
                "type": "string",
                "format": "uuid"
              },
              "approval_policy": {
                "$ref": "#/components/schemas/AccountApprovalPolicy"
              },
              "auth_config": {
                "$ref": "#/components/schemas/AuthConfig"
              },
              "client_configurations": {
                "$ref": "#/components/schemas/ClientConfigurations"
              },
              "country": {
                "type": "string",
                "nullable": true
              },
              "created_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z"
              },
              "cryptographic_policy": {
                "$ref": "#/components/schemas/CryptographicPolicy"
              },
              "custom_logo": {
                "type": "string",
                "format": "byte"
              },
              "custom_metadata": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "nullable": true
              },
              "custom_metadata_attributes": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/CustomAttributeSearchMetadata"
                },
                "nullable": true
              },
              "description": {
                "type": "string",
                "nullable": true
              },
              "disabled_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z"
              },
              "enabled": {
                "type": "boolean"
              },
              "initial_purchase_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z"
              },
              "key_expiry_alert_config": {
                "$ref": "#/components/schemas/KeyExpiryAlertConfig"
              },
              "key_history_policy": {
                "$ref": "#/components/schemas/KeyHistoryPolicy"
              },
              "key_metadata_policy": {
                "$ref": "#/components/schemas/KeyMetadataPolicy"
              },
              "log_bad_requests": {
                "type": "boolean",
                "nullable": true
              },
              "log_retention_days": {
                "type": "integer",
                "nullable": true
              },
              "logging_configs": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/LoggingConfig"
                }
              },
              "mark_key_disable_when_deactivated": {
                "type": "boolean",
                "description": "Enable the user to opt out from the current behaviour of key being marked as disabled at time of deactivation."
              },
              "max_app": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_group": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_operation": {
                "type": "integer",
                "nullable": true
              },
              "max_plugin": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_sobj": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_user": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$"
              },
              "notification_pref": {
                "$ref": "#/components/schemas/NotificationPref"
              },
              "organization": {
                "type": "string",
                "nullable": true
              },
              "original_purpose": {
                "$ref": "#/components/schemas/AccountPurposeType"
              },
              "parent_acct_id": {
                "type": "string",
                "format": "uuid",
                "nullable": true
              },
              "pending_subscription_change_request": {
                "$ref": "#/components/schemas/SubscriptionChangeRequest"
              },
              "phone": {
                "type": "string",
                "nullable": true
              },
              "plugin_code_signing_policy": {
                "$ref": "#/components/schemas/PluginCodeSigningPolicy"
              },
              "plugin_enabled": {
                "type": "boolean",
                "nullable": true
              },
              "purpose": {
                "$ref": "#/components/schemas/AccountPurpose"
              },
              "subscription": {
                "$ref": "#/components/schemas/Subscription"
              },
              "totals": {
                "$ref": "#/components/schemas/ObjectCounts"
              },
              "trial_expires_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z"
              },
              "workspace_cse_config": {
                "$ref": "#/components/schemas/WorkspaceCseConfig"
              }
            },
            "required": [
              "acct_id",
              "enabled",
              "logging_configs",
              "mark_key_disable_when_deactivated",
              "name",
              "original_purpose",
              "purpose",
              "subscription"
            ]
          },
          {
            "$ref": "#/components/schemas/ApprovalRequestSettings"
          }
        ]
      },
      "GetAccountParams": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "with_totals": {
                "type": "boolean"
              },
              "previous_id": {
                "type": "string",
                "format": "uuid"
              },
              "limit": {
                "type": "integer"
              }
            }
          },
          {
            "$ref": "#/components/schemas/AccountSort"
          }
        ]
      },
      "AccountApprovalPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Account approval policy.",
            "properties": {
              "policy": {
                "$ref": "#/components/schemas/QuorumPolicy"
              },
              "manage_groups": {
                "type": "boolean",
                "nullable": true
              },
              "protect_authentication_methods": {
                "type": "boolean",
                "nullable": true,
                "description": "When this is true, changes to the account authentication methods require approval."
              },
              "protect_cryptographic_policy": {
                "type": "boolean",
                "nullable": true,
                "description": "When this is true, changes to the account cryptographic policy require approval."
              },
              "protect_logging_config": {
                "type": "boolean",
                "nullable": true,
                "description": "When this is true, changes to logging configuration require approval."
              },
              "protect_custom_role_updates": {
                "type": "boolean",
                "nullable": true,
                "description": "When set to true, updating custom roles would require approval."
              }
            },
            "required": [
              "policy"
            ]
          }
        ]
      },
      "AuthConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Account authentication settings for users.",
            "properties": {
              "password": {
                "$ref": "#/components/schemas/AuthConfigPassword"
              },
              "saml": {
                "type": "string",
                "nullable": true,
                "description": "Settings for SAML authentication.\n\nOmitting this field, or setting it to null, will DISABLE\nSAML authentication for users."
              },
              "oauth": {
                "$ref": "#/components/schemas/AuthConfigOauth"
              },
              "ldap": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/AuthConfigLdap"
                },
                "nullable": true,
                "description": "Settings for LDAP authentication. This field is only used\nin responses; in requests, please utilize the `add_ldap`,\n`mod_ldap`, and `del_ldap` fields in an `AccountRequest`."
              },
              "signed_jwt": {
                "$ref": "#/components/schemas/AuthConfigSignedJwt"
              },
              "vcd": {
                "$ref": "#/components/schemas/AuthConfigVcd"
              }
            }
          }
        ]
      },
      "ClientConfigurations": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "common": {
                "$ref": "#/components/schemas/CommonClientConfig"
              },
              "pkcs11": {
                "$ref": "#/components/schemas/Pkcs11ClientConfig"
              },
              "kmip": {
                "$ref": "#/components/schemas/KmipClientConfig"
              },
              "tep": {
                "$ref": "#/components/schemas/TepClientConfig"
              }
            }
          }
        ]
      },
      "CryptographicPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "aes": {
                "$ref": "#/components/schemas/AesOptionsPolicy"
              },
              "aria": {
                "$ref": "#/components/schemas/AriaOptionsPolicy"
              },
              "des3": {
                "$ref": "#/components/schemas/Des3OptionsPolicy"
              },
              "rsa": {
                "$ref": "#/components/schemas/RsaOptionsPolicy"
              },
              "hmac": {
                "$ref": "#/components/schemas/HmacOptionsPolicy"
              },
              "ec": {
                "$ref": "#/components/schemas/EcOptionsPolicy"
              },
              "legacy_policy": {
                "$ref": "#/components/schemas/LegacyKeyPolicy"
              },
              "key_ops": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/KeyOperations"
                },
                "nullable": true
              },
              "des": {
                "$ref": "#/components/schemas/DesOptionsPolicy"
              },
              "seed": {
                "$ref": "#/components/schemas/SeedOptionsPolicy"
              },
              "dsa": {
                "$ref": "#/components/schemas/DsaOptionsPolicy"
              },
              "kcdsa": {
                "$ref": "#/components/schemas/KcdsaOptionsPolicy"
              },
              "eckcdsa": {
                "$ref": "#/components/schemas/EcKcdsaOptionsPolicy"
              },
              "lms": {
                "$ref": "#/components/schemas/LmsOptionsPolicy"
              },
              "xmss": {
                "$ref": "#/components/schemas/XmssOptionsPolicy"
              },
              "mldsa": {
                "$ref": "#/components/schemas/MlDsaOptionsPolicy"
              },
              "mlkem": {
                "$ref": "#/components/schemas/MlKemOptionsPolicy"
              },
              "bip32": {
                "$ref": "#/components/schemas/Bip32OptionsPolicy"
              },
              "slip10": {
                "$ref": "#/components/schemas/Slip10OptionsPolicy"
              },
              "bls": {
                "$ref": "#/components/schemas/BlsOptionsPolicy"
              },
              "opaque": {
                "$ref": "#/components/schemas/OpaqueOptionsPolicy"
              },
              "secret": {
                "$ref": "#/components/schemas/SecretOptionsPolicy"
              },
              "certificate": {
                "$ref": "#/components/schemas/CertificateOptionsPolicy"
              }
            }
          }
        ]
      },
      "CustomAttributeSearchMetadata": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "suggest": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "KeyExpiryAlertConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "triggers": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/KeyExpiryAlertTrigger"
                }
              },
              "siem_tool_configs": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/KeyExpiryAlertSiemToolConfig"
                }
              }
            },
            "required": [
              "triggers",
              "siem_tool_configs"
            ]
          }
        ]
      },
      "KeyHistoryPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Configuration for a key history (aka key undo) policy.",
            "properties": {
              "undo_time_window": {
                "$ref": "#/components/schemas/Secs"
              }
            },
            "required": [
              "undo_time_window"
            ]
          }
        ]
      },
      "KeyMetadataPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "base": {
                "$ref": "#/components/schemas/MetadataPolicyItem"
              },
              "for_obj_type": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/MetadataPolicyItem"
                },
                "description": "Each entry in this map fully overrides `base` for a particular object type."
              },
              "legacy_objects": {
                "$ref": "#/components/schemas/LegacyKeyPolicy"
              }
            },
            "required": [
              "base",
              "for_obj_type",
              "legacy_objects"
            ]
          }
        ]
      },
      "LoggingConfig": {
        "oneOf": [
          {
            "title": "LoggingConfigVariantSplunk",
            "type": "object",
            "properties": {
              "splunk": {
                "$ref": "#/components/schemas/SplunkLoggingConfig"
              }
            },
            "required": [
              "splunk"
            ]
          },
          {
            "title": "LoggingConfigVariantStackdriver",
            "type": "object",
            "properties": {
              "stackdriver": {
                "$ref": "#/components/schemas/StackdriverLoggingConfig"
              }
            },
            "required": [
              "stackdriver"
            ]
          },
          {
            "title": "LoggingConfigVariantSyslog",
            "type": "object",
            "properties": {
              "syslog": {
                "$ref": "#/components/schemas/SyslogLoggingConfig"
              }
            },
            "required": [
              "syslog"
            ]
          },
          {
            "title": "LoggingConfigVariantAzureLogAnalytics",
            "type": "object",
            "properties": {
              "azure_log_analytics": {
                "$ref": "#/components/schemas/AzureLogAnalyticsLoggingConfig"
              }
            },
            "required": [
              "azure_log_analytics"
            ]
          }
        ]
      },
      "NotificationPref": {
        "description": "Notification preferences.",
        "type": "string",
        "enum": [
          "None",
          "Email",
          "Phone",
          "Both"
        ]
      },
      "AccountPurposeType": {
        "description": "The purpose of the account (minus any configuration-related details).",
        "oneOf": [
          {
            "$ref": "#/components/schemas/AccountPurposeTypeVariantStandard"
          },
          {
            "$ref": "#/components/schemas/AccountPurposeTypeVariantAccountReplication"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "Standard": "AccountPurposeTypeVariantStandard",
            "AccountReplication": "AccountPurposeTypeVariantAccountReplication"
          }
        }
      },
      "SubscriptionChangeRequest": {
        "allOf": [
          {
            "type": "object",
            "description": "A request to update subscription type.",
            "properties": {
              "subscription": {
                "$ref": "#/components/schemas/Subscription"
              },
              "contact": {
                "type": "string",
                "nullable": true
              },
              "comment": {
                "type": "string",
                "nullable": true
              }
            },
            "required": [
              "subscription"
            ]
          }
        ]
      },
      "PluginCodeSigningPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Plugin code signing policy.\n\nWhen a code signing policy is set, all requests to create new plugins or\nupdate existing plugins (if updating the code) would need to provide a valid\nsignature.",
            "properties": {
              "signing_keys": {
                "$ref": "#/components/schemas/SigningKeys"
              }
            },
            "required": [
              "signing_keys"
            ]
          }
        ]
      },
      "AccountPurpose": {
        "description": "Describes the purpose of the account.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/AccountPurposeVariantStandard"
          },
          {
            "$ref": "#/components/schemas/AccountPurposeVariantAccountReplication"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "Standard": "AccountPurposeVariantStandard",
            "AccountReplication": "AccountPurposeVariantAccountReplication"
          }
        }
      },
      "Subscription": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "memo": {
                "type": "string",
                "nullable": true
              },
              "experimental_features": {
                "$ref": "#/components/schemas/SubscriptionExperimentalFeatures"
              }
            }
          },
          {
            "$ref": "#/components/schemas/SubscriptionType"
          }
        ]
      },
      "ObjectCounts": {
        "allOf": [
          {
            "type": "object",
            "description": "Counts of objects of various types in an account.",
            "properties": {
              "groups": {
                "type": "integer"
              },
              "apps": {
                "type": "integer"
              },
              "users": {
                "type": "integer"
              },
              "plugins": {
                "type": "integer"
              },
              "sobjects": {
                "type": "integer",
                "description": "The total number of sobjects in the account, or\nan approximation thereof.\n\nNote that all sobjects in the account are counted,\nregardless of whether the user has access to them."
              },
              "sobjects_accuracy": {
                "$ref": "#/components/schemas/CountAccuracy"
              },
              "child_accounts": {
                "type": "integer"
              }
            },
            "required": [
              "groups",
              "apps",
              "users",
              "plugins",
              "sobjects",
              "sobjects_accuracy",
              "child_accounts"
            ]
          }
        ]
      },
      "WorkspaceCseConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Workspace CSE API settings. Specifying these settings enables the CSE APIs\nfor the account.",
            "properties": {
              "identity_providers": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/WorkspaceCseIdentityProvider"
                },
                "description": "One or more Identity Providers (IdP) trusted to authenticate users.\nNote that we don't check if Single Sign-On (SSO) settings exist for\neach IdP listed here, but it is recommended to add these IdPs in SSO\nsettings as well (usually as OAuth/OIDC providers)."
              },
              "authorization_providers": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/WorkspaceCseAuthorizationProvider"
                },
                "description": "One or more authorization providers used to validate authorization\ntokens. Different Workspace applications might require different\nauthorization settings."
              },
              "auth_method": {
                "$ref": "#/components/schemas/WorkspaceCseAuthMethod"
              }
            },
            "required": [
              "identity_providers",
              "authorization_providers"
            ]
          }
        ]
      },
      "ApprovalRequestSettings": {
        "allOf": [
          {
            "type": "object",
            "description": "Settings that apply to quorum approval requests.",
            "properties": {
              "approval_request_expiry": {
                "type": "integer",
                "nullable": true,
                "description": "The number of seconds after which an approval request expires. If not\nspecified, the cluster-wide setting will be used (30 days by default).\n\nUpon creation, an approval request's expiry date is (time of creation +\nexpiry period). However, when the request is approved by all its approvers,\nits expiry date will be changed to (time of approval + expiry period)."
              },
              "retain_expired_requests": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether or not expired approval requests should be kept. (Obviously, any\npending requests that have expired are no longer actionable!)\n\nThis is only applicable for onprem clusters; the field is ignored in SaaS\nenvironments."
              },
              "log_expired_pending_requests": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether or not expiry of pending approval requests should be audit logged.\n\nThis is only applicable for onprem clusters; the field is ignored in SaaS\nenvironments."
              },
              "check_access_for_sensitive_operation_results": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether or not the requester's access should be checked again when they\nrequest to see the operation results for an approved quorum request with\nsensitive data in the output. Sensitive data includes secret values such\nas API keys, decrypted plaintext, exported key material etc. Note that\nif the result is not deemed sensitive this setting does not apply, e.g.\napproval request to sign a message (signatures are not deemed secret) or\nencrypt data (ciphertext is not deemed secret). Here is the list of all\noperations that are deemed sensitive (this list may be expanded in the\nfuture):\n\n- Get App Credential: `GET /sys/v1/apps/${app_id}/credential`\n- Decrypt:\n- Legacy version: `POST /crypto/v1/keys/${key_id}/decrypt`\n- New version: `POST /crypto/v1/decrypt`\n- Export Object Value:\n- Legacy version: `GET /crypto/v1/keys/${key_id}/export`\n- New version: `POST /crypto/v1/keys/export`\n- Batch: `POST /batch/v1` if any of the operations in the batch input is\nsensitive.\n\nThis setting is introduced for backwards compatibility so that existing\napproval request workflows are not broken. For new use cases, it is\nrecommended to leave this setting enabled."
              }
            }
          }
        ]
      },
      "AccountSort": {
        "oneOf": [
          {
            "title": "AccountSortVariantByAcctId",
            "type": "object",
            "properties": {
              "sort_by": {
                "type": "string",
                "pattern": "^acct_id:(?:asc|desc)$",
                "example": "acct_id:asc"
              }
            },
            "required": [
              "sort_by"
            ]
          }
        ]
      },
      "QuorumPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Approval policy.",
            "properties": {
              "quorum": {
                "$ref": "#/components/schemas/Quorum"
              },
              "user": {
                "type": "string",
                "format": "uuid",
                "nullable": true
              },
              "app": {
                "type": "string",
                "format": "uuid",
                "nullable": true
              }
            }
          }
        ]
      },
      "AuthConfigPassword": {
        "allOf": [
          {
            "type": "object",
            "description": "Password authentication settings.",
            "properties": {
              "require_2fa": {
                "type": "boolean",
                "description": "Require two-factor authentication for password logins."
              },
              "administrators_only": {
                "type": "boolean",
                "description": "Limit password login to account administrators only.\n\nNote: password login will always be allowed for all users\nif there are no alternative authentication methods for the\naccount."
              }
            },
            "required": [
              "require_2fa",
              "administrators_only"
            ]
          }
        ]
      },
      "AuthConfigOauth": {
        "allOf": [
          {
            "type": "object",
            "description": "OAuth single sign-on authentication settings.",
            "properties": {
              "idp_name": {
                "type": "string"
              },
              "idp_icon_url": {
                "type": "string"
              },
              "idp_authorization_endpoint": {
                "type": "string"
              },
              "idp_token_endpoint": {
                "type": "string"
              },
              "idp_userinfo_endpoint": {
                "type": "string",
                "nullable": true
              },
              "idp_requires_basic_auth": {
                "type": "boolean"
              },
              "tls": {
                "$ref": "#/components/schemas/TlsConfig"
              },
              "client_id": {
                "type": "string"
              },
              "client_secret": {
                "type": "string"
              },
              "auth_params": {
                "$ref": "#/components/schemas/OauthAuthenticationParameters"
              }
            },
            "required": [
              "idp_name",
              "idp_icon_url",
              "idp_authorization_endpoint",
              "idp_token_endpoint",
              "idp_requires_basic_auth",
              "tls",
              "client_id",
              "client_secret"
            ]
          }
        ]
      },
      "AuthConfigLdap": {
        "allOf": [
          {
            "type": "object",
            "description": "LDAP authentication settings.",
            "properties": {
              "name": {
                "type": "string",
                "description": "A user-visible name to give this LDAP integration."
              },
              "icon_url": {
                "type": "string",
                "description": "The URL hosting an image to display for this LDAP integration.\nAn empty string can also be specified (to indicate that no\nicon needs to be displayed)."
              },
              "ldap_url": {
                "type": "string",
                "description": "The URL of the LDAP server, e.g., \"ldap://example.org\"."
              },
              "dn_resolution": {
                "$ref": "#/components/schemas/LdapDnResolution"
              },
              "tls": {
                "$ref": "#/components/schemas/TlsConfig"
              },
              "base_dn": {
                "type": "string",
                "nullable": true,
                "description": "The subtree from which to perform LDAP searches; for example,\n\"OU=users,DC=example,DC=org\"."
              },
              "user_object_class": {
                "type": "string",
                "nullable": true,
                "description": "The LDAP object class (e.g., \"User\") to use when looking up\nDSM users trying to authenticate. This field is required if\nthe DN resolution method is search-by-mail or if authorization\nsettings are enabled for this LDAP integration."
              },
              "service_account": {
                "$ref": "#/components/schemas/LdapServiceAccount"
              },
              "authorization": {
                "$ref": "#/components/schemas/LdapAuthorizationConfig"
              }
            },
            "required": [
              "name",
              "icon_url",
              "ldap_url",
              "dn_resolution",
              "tls"
            ]
          }
        ]
      },
      "AuthConfigSignedJwt": {
        "allOf": [
          {
            "type": "object",
            "description": "Signed JWT authentication settings.",
            "properties": {
              "valid_issuers": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                }
              },
              "signing_keys": {
                "$ref": "#/components/schemas/SigningKeys"
              }
            },
            "required": [
              "valid_issuers",
              "signing_keys"
            ]
          }
        ]
      },
      "AuthConfigVcd": {
        "allOf": [
          {
            "type": "object",
            "description": "Vcd single sign-on authentication settings.",
            "properties": {
              "idp_name": {
                "type": "string"
              },
              "idp_authorization_endpoint": {
                "type": "string"
              },
              "org": {
                "type": "string"
              },
              "tls": {
                "$ref": "#/components/schemas/TlsConfig"
              }
            },
            "required": [
              "idp_name",
              "idp_authorization_endpoint",
              "org",
              "tls"
            ]
          }
        ]
      },
      "CommonClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "retry_timeout_millis": {
                "type": "integer",
                "nullable": true
              },
              "cache_ttl": {
                "type": "integer",
                "nullable": true
              },
              "log": {
                "$ref": "#/components/schemas/ClientLogConfig"
              },
              "h2_num_connections": {
                "type": "integer",
                "nullable": true
              },
              "quorum_approval": {
                "$ref": "#/components/schemas/QuorumApprovalConfig"
              }
            }
          }
        ]
      },
      "Pkcs11ClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "fake_rsa_x9_31_keygen_support": {
                "type": "boolean",
                "nullable": true
              },
              "signing_aes_key_as_hmac": {
                "type": "boolean",
                "nullable": true
              },
              "exact_key_ops": {
                "type": "boolean",
                "nullable": true
              },
              "prevent_duplicate_opaque_objects": {
                "type": "boolean",
                "nullable": true
              },
              "opaque_objects_are_not_certificates": {
                "type": "boolean",
                "nullable": true
              },
              "max_concurrent_requests_per_slot": {
                "type": "integer",
                "nullable": true
              }
            }
          }
        ]
      },
      "KmipClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "ignore_unknown_key_ops_for_secrets": {
                "type": "boolean",
                "nullable": true,
                "description": "Use `ignore_unknown_key_ops_for` with [SECRET] instead of `ignore_unknown_key_ops_for_secrets`."
              },
              "ignore_unknown_key_ops_for": {
                "$ref": "#/components/schemas/ObjectTypeFilter"
              },
              "key_ops_override": {
                "$ref": "#/components/schemas/KeyOpsOverride"
              }
            }
          }
        ]
      },
      "TepClientConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "schema": {
                "$ref": "#/components/schemas/TepSchema"
              },
              "key_map": {
                "$ref": "#/components/schemas/TepKeyMapList"
              }
            },
            "required": [
              "schema",
              "key_map"
            ]
          }
        ]
      },
      "AesOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "key_sizes": {
                "type": "array",
                "items": {
                  "type": "integer",
                  "minimum": 0,
                  "maximum": 4294967295
                },
                "nullable": true
              },
              "random_iv": {
                "type": "boolean",
                "nullable": true
              },
              "fpe": {
                "$ref": "#/components/schemas/FpeOptions"
              }
            }
          }
        ]
      },
      "AriaOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "key_sizes": {
                "type": "array",
                "items": {
                  "type": "integer",
                  "minimum": 0,
                  "maximum": 4294967295
                },
                "nullable": true
              },
              "random_iv": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "Des3OptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Cryptographic policy for triple DES objects. Setting `key_sizes: [168]`\nforbids two-key triple DES.",
            "properties": {
              "key_sizes": {
                "type": "array",
                "items": {
                  "type": "integer",
                  "minimum": 0,
                  "maximum": 4294967295
                },
                "nullable": true
              },
              "random_iv": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "RsaOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "encryption_policy": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/RsaEncryptionPolicy"
                },
                "nullable": true
              },
              "signature_policy": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/RsaSignaturePolicy"
                },
                "nullable": true,
                "description": "Signature policy for an RSA key. When doing a signature operation, the policies are\nevaluated against the specified parameters one by one. If one matches, the operation is\nallowed. If none match, including if the policy list is empty, the operation is disallowed.\nMissing optional parameters will have their defaults specified according to the matched\npolicy. The default for new keys is `[{}]` (no constraints).\nIf (part of) a constraint is not specified, anything is allowed for that constraint."
              },
              "minimum_key_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The minimum allowed key length. This is only relevant for group or account cryptographic\npolicies (and hence has no effect in an RSA policy on a specific key)."
              }
            }
          }
        ]
      },
      "HmacOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "minimum_key_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              }
            }
          }
        ]
      },
      "EcOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "elliptic_curves": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/EllipticCurve"
                },
                "nullable": true
              }
            }
          }
        ]
      },
      "LegacyKeyPolicy": {
        "type": "string",
        "enum": [
          "allowed",
          "prohibited",
          "unprotect_only"
        ]
      },
      "KeyOperations": {
        "description": "Operations allowed to be performed on a given key.\n\n\n\n          SIGN:\n            If this is set, the key can be used for signing.\n\n\n          VERIFY:\n            If this is set, the key can be used for verifying a signature.\n\n\n          ENCRYPT:\n            If this is set, the key can be used for encryption.\n\n\n          DECRYPT:\n            If this is set, the key can be used for decryption.\n\n\n          WRAPKEY:\n            If this is set, the key can be used for wrapping other keys.\n            The key being wrapped must have the EXPORT operation enabled.\n\n\n          UNWRAPKEY:\n            If this is set, the key can be used to unwrap a wrapped key.\n\n\n          DERIVEKEY:\n            If this is set, the key can be used to derive another key.\n\n\n          TRANSFORM:\n            If this is set, the key can be transformed.\n\n\n          MACGENERATE:\n            If this is set, the key can be used to compute a cryptographic\n            Message Authentication Code (MAC) on a message.\n\n\n          MACVERIFY:\n            If this is set, the key can be used to verify a MAC.\n\n\n          EXPORT:\n            If this is set, the value of the key can be retrieved\n            with an authenticated request. This shouldn't be set unless\n            required. It is more secure to keep the key's value inside DSM only.\n\n\n          APPMANAGEABLE:\n            Without this operation, management operations like delete, destroy,\n            rotate, activate, restore, revoke, revert, update, remove_private, etc.\n            cannot be performed by a crypto App.\n            A user with access or admin app can still perform these operations.\n            This option is only relevant for crypto apps.\n\n\n          HIGHVOLUME:\n            If this is set, audit logs will not be recorded for the key.\n            High volume here tries to signify a key that is being used a lot\n            and will produce lots of logs. Setting this operation disables\n            audit logs for the key.\n\n\n          AGREEKEY:\n            If this is set, the key can be used for key agreement.\n            Both the private and public key should have this option enabled\n            to perform an agree operation.\n\n\n          ENCAPSULATE:\n            If this is set, the key can be used for key encapsulation. The\n            result is a new symmetric key and a ciphertext.\n\n\n          DECAPSULATE:\n            If this is set, the key can be used for key decapsulation. If\n            decapsulation succeeds, the result is a new symmetric key.\n\n",
        "type": "string",
        "enum": [
          "SIGN",
          "VERIFY",
          "ENCRYPT",
          "DECRYPT",
          "WRAPKEY",
          "UNWRAPKEY",
          "DERIVEKEY",
          "TRANSFORM",
          "MACGENERATE",
          "MACVERIFY",
          "EXPORT",
          "APPMANAGEABLE",
          "HIGHVOLUME",
          "AGREEKEY",
          "ENCAPSULATE",
          "DECAPSULATE"
        ]
      },
      "DesOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "random_iv": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "SeedOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "random_iv": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "DsaOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "KcdsaOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "EcKcdsaOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "LmsOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "XmssOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "MlDsaOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "MlKemOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "Bip32OptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "Slip10OptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "BlsOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "OpaqueOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "SecretOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "CertificateOptionsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "KeyExpiryAlertTrigger": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/KeyExpiryAlertTriggerVariantDaysAhead"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "DaysAhead": "KeyExpiryAlertTriggerVariantDaysAhead"
          }
        }
      },
      "KeyExpiryAlertSiemToolConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "max_key_info_per_alert": {
                "type": "integer",
                "minimum": 0,
                "maximum": 65535,
                "nullable": true
              },
              "config": {
                "$ref": "#/components/schemas/LoggingConfig"
              }
            },
            "required": [
              "config"
            ]
          }
        ]
      },
      "Secs": {
        "allOf": [
          {
            "type": "integer"
          }
        ]
      },
      "MetadataPolicyItem": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "custom_metadata": {
                "type": "object",
                "additionalProperties": {
                  "$ref": "#/components/schemas/MetadataStringConstraint"
                }
              },
              "description": {
                "$ref": "#/components/schemas/MetadataStringConstraint"
              },
              "deactivation_date": {
                "$ref": "#/components/schemas/MetadataDurationConstraint"
              },
              "activation_date": {
                "$ref": "#/components/schemas/MetadataDurationConstraint"
              }
            },
            "required": [
              "custom_metadata"
            ]
          }
        ]
      },
      "SplunkLoggingConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Splunk logging configuration.",
            "properties": {
              "enabled": {
                "type": "boolean"
              },
              "host": {
                "type": "string"
              },
              "port": {
                "type": "integer",
                "minimum": 0,
                "maximum": 65535
              },
              "index": {
                "type": "string"
              },
              "token": {
                "type": "string"
              },
              "tls": {
                "$ref": "#/components/schemas/TlsConfig"
              },
              "use_fqdn_hostname": {
                "type": "boolean",
                "nullable": true,
                "description": "Enable sending the cluster FQDN as the hostname in log entries.\n\nDefaults to `true` for newly created configs, but remains `false` when the\nfield is omitted to preserve backward compatibility."
              }
            },
            "required": [
              "enabled",
              "host",
              "port",
              "index",
              "tls"
            ]
          }
        ]
      },
      "StackdriverLoggingConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Stackdriver logging configuration.",
            "properties": {
              "enabled": {
                "type": "boolean"
              },
              "log_id": {
                "type": "string",
                "description": "The log ID that will receive the log items (see https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry)."
              },
              "service_account_key": {
                "$ref": "#/components/schemas/GoogleServiceAccountKey"
              }
            },
            "required": [
              "enabled",
              "log_id",
              "service_account_key"
            ]
          }
        ]
      },
      "SyslogLoggingConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "enabled": {
                "type": "boolean"
              },
              "host": {
                "type": "string"
              },
              "port": {
                "type": "integer",
                "minimum": 0,
                "maximum": 65535
              },
              "tls": {
                "$ref": "#/components/schemas/TlsConfig"
              },
              "facility": {
                "$ref": "#/components/schemas/SyslogFacility"
              },
              "use_fqdn_hostname": {
                "type": "boolean",
                "nullable": true,
                "description": "Enable sending the cluster FQDN as the hostname in log entries.\n\nDefaults to `true` for newly created configs, but remains `false` when the\nfield is omitted to preserve backward compatibility."
              }
            },
            "required": [
              "enabled",
              "host",
              "port",
              "tls",
              "facility"
            ]
          }
        ]
      },
      "AzureLogAnalyticsLoggingConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "enabled": {
                "type": "boolean"
              },
              "workspace_id": {
                "type": "string",
                "format": "uuid"
              },
              "shared_key": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "enabled",
              "workspace_id"
            ]
          }
        ]
      },
      "AccountPurposeTypeVariantStandard": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Standard"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "AccountPurposeTypeVariantAccountReplication": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "AccountReplication"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "SigningKeys": {
        "description": "Signing keys used to validate JSON Web Signature objects including signed\nJSON Web Tokens.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/SigningKeysVariantStored"
          },
          {
            "$ref": "#/components/schemas/SigningKeysVariantFetched"
          }
        ],
        "discriminator": {
          "propertyName": "kind",
          "mapping": {
            "stored": "SigningKeysVariantStored",
            "fetched": "SigningKeysVariantFetched"
          }
        }
      },
      "AccountPurposeVariantStandard": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Standard"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "AccountPurposeVariantAccountReplication": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "AccountReplication"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/AccountReplicationConfiguration"
          }
        ]
      },
      "SubscriptionExperimentalFeatures": {
        "allOf": [
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "SubscriptionType": {
        "description": "Type of subscription.",
        "oneOf": [
          {
            "title": "SubscriptionTypeVariantTrial",
            "type": "object",
            "properties": {
              "trial": {
                "$ref": "#/components/schemas/SubscriptionTypeTrial"
              }
            },
            "required": [
              "trial"
            ]
          },
          {
            "title": "SubscriptionTypeVariantStandard",
            "type": "object",
            "properties": {
              "standard": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "standard"
            ]
          },
          {
            "title": "SubscriptionTypeVariantEnterprise",
            "type": "object",
            "properties": {
              "enterprise": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "enterprise"
            ]
          },
          {
            "title": "SubscriptionTypeVariantCustom",
            "type": "object",
            "properties": {
              "custom": {
                "$ref": "#/components/schemas/CustomSubscriptionType"
              }
            },
            "required": [
              "custom"
            ]
          },
          {
            "title": "SubscriptionTypeVariantFreemium",
            "type": "object",
            "properties": {
              "freemium": {
                "$ref": "#/components/schemas/FreemiumSubscriptionType"
              }
            },
            "required": [
              "freemium"
            ]
          },
          {
            "title": "SubscriptionTypeVariantOnPrem",
            "type": "object",
            "properties": {
              "on_prem": {
                "$ref": "#/components/schemas/OnPremSubscriptionType"
              }
            },
            "required": [
              "on_prem"
            ]
          },
          {
            "title": "SubscriptionTypeVariantReseller",
            "type": "object",
            "properties": {
              "reseller": {
                "$ref": "#/components/schemas/ResellerSubscriptionType"
              }
            },
            "required": [
              "reseller"
            ]
          }
        ]
      },
      "CountAccuracy": {
        "description": "An indicator of how accurate a count of objects is.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/CountAccuracyVariantExact"
          },
          {
            "$ref": "#/components/schemas/CountAccuracyVariantApproximate"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "Exact": "CountAccuracyVariantExact",
            "Approximate": "CountAccuracyVariantApproximate"
          }
        }
      },
      "WorkspaceCseIdentityProvider": {
        "allOf": [
          {
            "type": "object",
            "description": "An identity provider trusted to authenticate users for Workspace CSE APIs",
            "properties": {
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$",
                "description": "Identity provider's name"
              },
              "signing_keys": {
                "$ref": "#/components/schemas/SigningKeys"
              },
              "valid_issuers": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                },
                "description": "Acceptable values for the `iss` (issuer) field used in authentication\ntokens"
              },
              "valid_audiences": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                },
                "description": "Acceptable values for the `aud` (audience) field used in authentication\ntokens"
              }
            },
            "required": [
              "name",
              "signing_keys",
              "valid_issuers",
              "valid_audiences"
            ]
          }
        ]
      },
      "WorkspaceCseAuthorizationProvider": {
        "allOf": [
          {
            "type": "object",
            "description": "These settings will allow the service to validate the Google-issued\nauthorization tokens used in Workspace CSE APIs.\n\nFor example, the specific settings for CSE Docs & Drive are:\n- JWKS URL: https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com\n- Issuer: gsuitecse-tokenissuer-drive@system.gserviceaccount.com\n- Audience: cse-authorization",
            "properties": {
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$",
                "description": "Authorization provider's name"
              },
              "jwks_url": {
                "type": "string",
                "description": "A URL pointing to the JWKS endpoint"
              },
              "cache_duration": {
                "type": "integer",
                "description": "Number of seconds that the service is allowed to cache the fetched keys"
              },
              "valid_issuers": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                },
                "description": "Acceptable values for the `iss` (issuer) field used in Google's\nauthorization tokens"
              },
              "valid_audiences": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                },
                "description": "Acceptable values for the `aud` (audience) field used in Google's\nauthorization tokens"
              }
            },
            "required": [
              "name",
              "jwks_url",
              "cache_duration",
              "valid_issuers",
              "valid_audiences"
            ]
          }
        ]
      },
      "WorkspaceCseAuthMethod": {
        "description": "Authentication method for Google Workspace CSE, `User` (default choice) requires each CSE user\nto be registered as a DSM user, while `App` requires each CSE user to be represented by a DSM app.\n\nNote:\nFor large organizations where lots of users use Google Workspace CSE but are not otherwise expected\nto be able to access DSM, App authentication method could be easier to implement.",
        "type": "string",
        "enum": [
          "User",
          "App"
        ]
      },
      "Quorum": {
        "allOf": [
          {
            "type": "object",
            "description": "Quorum approval policy.",
            "properties": {
              "n": {
                "type": "integer"
              },
              "members": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/QuorumPolicy"
                }
              }
            },
            "required": [
              "n",
              "members"
            ]
          },
          {
            "$ref": "#/components/schemas/ApprovalAuthConfig"
          }
        ]
      },
      "TlsConfig": {
        "description": "TLS client settings.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/TlsConfigVariantDisabled"
          },
          {
            "$ref": "#/components/schemas/TlsConfigVariantOpportunistic"
          },
          {
            "$ref": "#/components/schemas/TlsConfigVariantRequired"
          }
        ],
        "discriminator": {
          "propertyName": "mode",
          "mapping": {
            "disabled": "TlsConfigVariantDisabled",
            "opportunistic": "TlsConfigVariantOpportunistic",
            "required": "TlsConfigVariantRequired"
          }
        }
      },
      "OauthAuthenticationParameters": {
        "allOf": [
          {
            "type": "object",
            "description": "Parameters for the OpenID Connect Authentication Request\nhttps://openid.net/specs/openid-connect-core-1_0.html#AuthRequest",
            "properties": {
              "prompt": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/OauthAuthParamPrompt"
                },
                "nullable": true,
                "description": "Specifies whether the Authorization Server prompts the End-User for reauthentication and consent"
              },
              "display": {
                "$ref": "#/components/schemas/OauthAuthParamDisplay"
              },
              "max_age": {
                "type": "integer",
                "nullable": true,
                "description": "Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.\nIf the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User"
              }
            }
          }
        ]
      },
      "LdapDnResolution": {
        "description": "Distinguished Name (DN) resolution method. Given a user's email address, a DN resolution method\nis used to find the user's DN in an LDAP directory.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/LdapDnResolutionVariantConstruct"
          },
          {
            "$ref": "#/components/schemas/LdapDnResolutionVariantSearchByMail"
          },
          {
            "$ref": "#/components/schemas/LdapDnResolutionVariantUserPrincipalName"
          }
        ],
        "discriminator": {
          "propertyName": "method",
          "mapping": {
            "construct": "LdapDnResolutionVariantConstruct",
            "search-by-mail": "LdapDnResolutionVariantSearchByMail",
            "upn": "LdapDnResolutionVariantUserPrincipalName"
          }
        }
      },
      "LdapServiceAccount": {
        "allOf": [
          {
            "type": "object",
            "description": "Credentials used by the service to authenticate itself to an LDAP server.",
            "properties": {
              "dn": {
                "type": "string",
                "description": "Distinguished name of the service account."
              },
              "password": {
                "type": "string",
                "description": "The password for the service account."
              }
            },
            "required": [
              "dn",
              "password"
            ]
          }
        ]
      },
      "LdapAuthorizationConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "LDAP authorization settings.",
            "properties": {
              "valid_for": {
                "type": "integer",
                "description": "Number of seconds after which the authorization should be checked again."
              },
              "require_role": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "nullable": true,
                "description": "A map from account roles to distinguished names of LDAP groups.\nIf a DN is specified for an account role, entities with that role\nmust be a member of the specified LDAP group."
              },
              "user_self_provisioning": {
                "$ref": "#/components/schemas/LdapUserSelfProvisioningConfig"
              },
              "role_conflict_resolution": {
                "$ref": "#/components/schemas/LdapRoleConflictResolution"
              }
            },
            "required": [
              "valid_for"
            ]
          }
        ]
      },
      "ClientLogConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "system": {
                "type": "boolean",
                "nullable": true
              },
              "file": {
                "$ref": "#/components/schemas/ClientFileLogging"
              },
              "level": {
                "type": "string",
                "nullable": true
              }
            }
          }
        ]
      },
      "QuorumApprovalConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Quorum Policy Configurations in clients",
            "properties": {
              "wait_for_quorum_approval": {
                "$ref": "#/components/schemas/ApprovalWaitConfig"
              }
            }
          }
        ]
      },
      "ObjectTypeFilter": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/ObjectTypeFilterVariantAll"
          },
          {
            "$ref": "#/components/schemas/ObjectTypeFilterVariantSelection"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "All": "ObjectTypeFilterVariantAll",
            "Selection": "ObjectTypeFilterVariantSelection"
          }
        }
      },
      "KeyOpsOverride": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "add_key_ops": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/KeyOperations"
                },
                "nullable": true,
                "description": "The operations to add to any key creation request (only supported in KMIP).\n\nThe following operations can be specified:\n- `EXPORT`\n- `APPMANAGEABLE`\n- `HIGHVOLUME`\n\nThe operations specified cannot conflict with what's specified in the\n`key_ops` field of account and/or group policies (where applicable).\n\n**Note**: This is only enforced on (KMIP) creation requests since we assume\nupdates removing key operations are intentional."
              }
            }
          }
        ]
      },
      "TepSchema": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/TepSchemaVariantOpenAPI"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "OpenAPI": "TepSchemaVariantOpenAPI"
          }
        }
      },
      "TepKeyMapList": {
        "allOf": [
          {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/TepKeyMap"
            }
          }
        ]
      },
      "FpeOptions": {
        "description": "FPE-specific options (for specifying the format of the\ndata to be encrypted)",
        "oneOf": [
          {
            "$ref": "#/components/schemas/FpeOptionsBasic"
          },
          {
            "$ref": "#/components/schemas/FpeOptionsAdvanced"
          },
          {
            "$ref": "#/components/schemas/FpeOptionsV2"
          }
        ]
      },
      "RsaEncryptionPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Constraints on RSA encryption parameters. In general, if a constraint is not specified, anything is allowed.",
            "properties": {
              "padding": {
                "$ref": "#/components/schemas/RsaEncryptionPaddingPolicy"
              }
            }
          }
        ]
      },
      "RsaSignaturePolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Constraints on RSA signature parameters. In general, if a constraint is not specified, anything is allowed.",
            "properties": {
              "padding": {
                "$ref": "#/components/schemas/RsaSignaturePaddingPolicy"
              }
            }
          }
        ]
      },
      "EllipticCurve": {
        "description": "Identifies a standardized elliptic curve.",
        "type": "string",
        "enum": [
          "X25519",
          "Ed25519",
          "Ed448",
          "X448",
          "SecP192K1",
          "SecP224K1",
          "SecP256K1",
          "NistP192",
          "NistP224",
          "NistP256",
          "NistP384",
          "NistP521",
          "Gost256A"
        ]
      },
      "KeyExpiryAlertTriggerVariantDaysAhead": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "DaysAhead"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/DaysAhead"
          }
        ]
      },
      "MetadataStringConstraint": {
        "oneOf": [
          {
            "title": "MetadataStringConstraintVariantForbidden",
            "type": "object",
            "properties": {
              "forbidden": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "forbidden"
            ]
          },
          {
            "title": "MetadataStringConstraintVariantRequired",
            "type": "object",
            "properties": {
              "required": {
                "$ref": "#/components/schemas/MetadataStringConstraintRequired"
              }
            },
            "required": [
              "required"
            ]
          }
        ]
      },
      "MetadataDurationConstraint": {
        "oneOf": [
          {
            "title": "MetadataDurationConstraintVariantForbidden",
            "type": "object",
            "properties": {
              "forbidden": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "forbidden"
            ]
          },
          {
            "title": "MetadataDurationConstraintVariantRequired",
            "type": "object",
            "properties": {
              "required": {
                "$ref": "#/components/schemas/MetadataDurationConstraintRequired"
              }
            },
            "required": [
              "required"
            ]
          }
        ]
      },
      "GoogleServiceAccountKey": {
        "allOf": [
          {
            "type": "object",
            "description": "A Google service account key object. See https://cloud.google.com/video-intelligence/docs/common/auth.",
            "properties": {
              "type": {
                "type": "string"
              },
              "project_id": {
                "type": "string"
              },
              "private_key_id": {
                "type": "string"
              },
              "private_key": {
                "type": "string"
              },
              "client_email": {
                "type": "string"
              }
            },
            "required": [
              "type",
              "project_id",
              "private_key_id",
              "client_email"
            ]
          }
        ]
      },
      "SyslogFacility": {
        "type": "string",
        "enum": [
          "User",
          "Local0",
          "Local1",
          "Local2",
          "Local3",
          "Local4",
          "Local5",
          "Local6",
          "Local7"
        ]
      },
      "SigningKeysVariantStored": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "kind": {
                "type": "string",
                "enum": [
                  "stored"
                ]
              }
            },
            "required": [
              "kind"
            ]
          },
          {
            "$ref": "#/components/schemas/SigningKeysStored"
          }
        ]
      },
      "SigningKeysVariantFetched": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "kind": {
                "type": "string",
                "enum": [
                  "fetched"
                ]
              }
            },
            "required": [
              "kind"
            ]
          },
          {
            "$ref": "#/components/schemas/SigningKeysFetched"
          }
        ]
      },
      "AccountReplicationConfiguration": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "connection_settings": {
                "$ref": "#/components/schemas/AccountReplicationConnection"
              },
              "scan_settings": {
                "$ref": "#/components/schemas/AccountReplicationScanSettings"
              }
            },
            "required": [
              "connection_settings",
              "scan_settings"
            ]
          }
        ]
      },
      "SubscriptionTypeTrial": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "expires_at": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z"
              }
            }
          }
        ]
      },
      "CustomSubscriptionType": {
        "allOf": [
          {
            "type": "object",
            "description": "Custom subscription type",
            "properties": {
              "max_plugin": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_app": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_hsmg": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_operation": {
                "type": "integer",
                "nullable": true
              },
              "max_tokenization_operation": {
                "type": "integer",
                "nullable": true
              },
              "count_transient_ops": {
                "type": "boolean",
                "nullable": true
              },
              "package_name": {
                "type": "string",
                "nullable": true
              },
              "features": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/SubscriptionFeatures"
                },
                "nullable": true
              },
              "add_ons": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "nullable": true
              },
              "soft_ops_per_second_limit": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              }
            }
          }
        ]
      },
      "FreemiumSubscriptionType": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "max_app": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_hsmg": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_operation": {
                "type": "integer",
                "nullable": true
              },
              "max_tokenization_operation": {
                "type": "integer",
                "nullable": true
              },
              "max_plugin": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              }
            }
          }
        ]
      },
      "OnPremSubscriptionType": {
        "allOf": [
          {
            "type": "object",
            "description": "OnPrem subscription type",
            "properties": {
              "count_transient_ops": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "ResellerSubscriptionType": {
        "allOf": [
          {
            "type": "object",
            "description": "Reseller subscription type",
            "properties": {
              "max_plugin": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_operation": {
                "type": "integer",
                "nullable": true
              },
              "max_tenant": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_tenant_plugin": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              },
              "max_tenant_operation": {
                "type": "integer",
                "nullable": true
              },
              "package_name": {
                "type": "string",
                "nullable": true
              },
              "features": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/SubscriptionFeatures"
                },
                "nullable": true
              },
              "add_ons": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "nullable": true
              },
              "tenant_features": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/SubscriptionFeatures"
                },
                "nullable": true
              }
            }
          }
        ]
      },
      "CountAccuracyVariantExact": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Exact"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "CountAccuracyVariantApproximate": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Approximate"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "ApprovalAuthConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Authentication requirements for approval request reviewers.",
            "properties": {
              "require_password": {
                "type": "boolean",
                "nullable": true
              },
              "require_2fa": {
                "type": "boolean",
                "nullable": true
              }
            }
          }
        ]
      },
      "TlsConfigVariantDisabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "disabled"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "TlsConfigVariantOpportunistic": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "opportunistic"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "TlsConfigVariantRequired": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "required"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "$ref": "#/components/schemas/TlsConfigRequired"
          }
        ]
      },
      "OauthAuthParamPrompt": {
        "description": "Corresponds to the `prompt` parameter in\nhttps://openid.net/specs/openid-connect-core-1_0.html#AuthRequest",
        "type": "string",
        "enum": [
          "login",
          "none",
          "consent",
          "select_account"
        ]
      },
      "OauthAuthParamDisplay": {
        "description": "Corresponds to the `display` parameter in\nhttps://openid.net/specs/openid-connect-core-1_0.html#AuthRequest",
        "type": "string",
        "enum": [
          "page",
          "popup",
          "touch",
          "wap"
        ]
      },
      "LdapDnResolutionVariantConstruct": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "method": {
                "type": "string",
                "enum": [
                  "construct"
                ]
              }
            },
            "required": [
              "method"
            ]
          },
          {
            "$ref": "#/components/schemas/LdapDnResolutionConstruct"
          }
        ]
      },
      "LdapDnResolutionVariantSearchByMail": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "method": {
                "type": "string",
                "enum": [
                  "search-by-mail"
                ]
              }
            },
            "required": [
              "method"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "LdapDnResolutionVariantUserPrincipalName": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "method": {
                "type": "string",
                "enum": [
                  "upn"
                ]
              }
            },
            "required": [
              "method"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "LdapUserSelfProvisioningConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "LDAP user self-provisioning settings. Currently, the only\nsetting available for configuration is the mapping from\nLDAP users to DSM account roles.",
            "properties": {
              "role_assignment": {
                "$ref": "#/components/schemas/LdapUserSelfProvisioningRole"
              }
            },
            "required": [
              "role_assignment"
            ]
          }
        ]
      },
      "LdapRoleConflictResolution": {
        "description": "Controls how we resolve conflicting role assignments with LDAP authorization.\n\nWhen users are authorized through LDAP, their DSM group memberships are\ndetermined by their LDAP groups and the external role mappings created in\nDSM. For example, if the user belongs to 3 LDAP groups A, B and C, and these\nLDAP groups are mapped to DSM groups G1 and G2 in the following way:\n- A -> G1 as \"group auditor\"\n- B -> G1 as \"group administrator\"\n- C -> G2 as \"group administrator\"\nThen which role should be assigned to this user in G1?\n\nThe answer to this question used to be simple before the introduction of\ncustom user roles in DSM: we took the maximum of the roles. Note that the\nlegacy roles (group admin/auditor) formed a strict \"more powerful than\"\nrelation, i.e. group administrator is strictly more powerful than group\nauditor (and same is true for legacy account roles). However, custom user\nroles do not have that relationship anymore. Moreover, the legacy behavior\nis not quite square with the role exclusivity rules either since the legacy\nbehavior can also be regarded as assigning multiple exclusive roles in the\nsame group.\n\nAfter the introduction of custom user roles, we allow a user to have\nmultiple roles in one group as long as none of the roles are marked as\nexclusive. That rule is easily enforceable in the user Invite API. With LDAP\nauthorization, the group memberships are computed dynamically when the\nSelect Account API is called and it is possible that we run into conflicting\nrole assignments due to user's LDAP group membership and current mappings\nbetween external roles (i.e. LDAP groups) and DSM groups.",
        "type": "string",
        "enum": [
          "backcompat_legacy_roles_only",
          "disregard_exclusive_roles"
        ]
      },
      "ClientFileLogging": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/ClientFileLoggingVariantEnabled"
          },
          {
            "$ref": "#/components/schemas/ClientFileLoggingVariantDisabled"
          }
        ],
        "discriminator": {
          "propertyName": "mode",
          "mapping": {
            "enabled": "ClientFileLoggingVariantEnabled",
            "disabled": "ClientFileLoggingVariantDisabled"
          }
        }
      },
      "ApprovalWaitConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "Configurations for waiting for quorum approval.",
            "properties": {
              "enabled": {
                "type": "boolean",
                "description": "Indicates whether waiting for quorum approval is activated or disabled"
              },
              "poll_interval_secs": {
                "type": "integer",
                "nullable": true,
                "description": "Time interval in seconds for client lib to check quorum status."
              },
              "max_wait_for_secs": {
                "type": "integer",
                "nullable": true,
                "description": "Maximum time in seconds for client lib to wait for quorum reply."
              }
            },
            "required": [
              "enabled"
            ]
          }
        ]
      },
      "ObjectTypeFilterVariantAll": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "All"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "ObjectTypeFilterVariantSelection": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Selection"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/ObjectTypeFilterSelection"
          }
        ]
      },
      "TepSchemaVariantOpenAPI": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "OpenAPI"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "type": "object",
            "properties": {
              "openapi": {
                "type": "string"
              }
            }
          }
        ]
      },
      "TepKeyMap": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "path": {
                "$ref": "#/components/schemas/ApiPath"
              },
              "kid": {
                "type": "string",
                "format": "uuid"
              },
              "mode": {
                "$ref": "#/components/schemas/CipherMode"
              }
            },
            "required": [
              "path",
              "kid",
              "mode"
            ]
          }
        ]
      },
      "FpeOptionsBasic": {
        "allOf": [
          {
            "type": "object",
            "description": "Basic FPE-specific options. This is suitable for simple datatypes\nthat consist of ASCII digits, or ASCII digits and uppercase letters.",
            "properties": {
              "radix": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "description": "The FPE base for the input data (i.e., the size of the character\nset of the datatype). This must be an integer from 2 to 36.\n\nThis also implicitly defines the alphabet of the datatype. A base\nfrom 2 to 10 implies ASCII digits (e.g., a radix of 3 can be used\nto represent a ternary string), and a base from 11 to 36 implies\nASCII digits and uppercase letters (e.g., a radix of 16 can be"
              },
              "min_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "description": "The minimum allowed length for the input data."
              },
              "max_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "description": "The maximum allowed length for the input data."
              },
              "preserve": {
                "type": "array",
                "items": {
                  "type": "integer",
                  "format": "int64"
                },
                "description": "The list of indices of characters to be preserved while performing encryption/decryption.\nIndices are Python-like; i.e., nonnegative indices index from the beginning of the input\n(where 0 is the first character), and negative indices index from the end of the input.\n(where -1 is the last character, -2 is second to last, and so on).\n\nAny preserved characters will be concatenated together and used as an FF1 tweak. For example,\nif the input data is \"abcd\", and the first and last characters are to be preserved, the FF1\ntweak will be the ASCII bytes of the string \"ad\"."
              },
              "mask": {
                "type": "array",
                "items": {
                  "type": "integer",
                  "format": "int64"
                },
                "nullable": true,
                "description": "The list of indices of characters to be masked while performing masked decryption.\nIndices are Python-like; i.e., nonnegative indices index from the beginning of the input\n(where 0 is the first character), and negative indices index from the end of the input.\n(where -1 is the last character, -2 is second to last, and so on)."
              },
              "luhn_check": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the encrypted/decrypted data contains a checksum digit that satisfies the Luhn\nformula. (The output ciphertext/plaintext will also contain a Luhn checksum digit.)"
              },
              "name": {
                "type": "string",
                "nullable": true,
                "description": "The user-provided name for the data type that represents the input data."
              }
            },
            "required": [
              "radix",
              "min_length",
              "max_length",
              "preserve"
            ]
          }
        ]
      },
      "FpeOptionsAdvanced": {
        "allOf": [
          {
            "type": "object",
            "description": "Advanced FPE options. It is recommended to use this for\nspecifying any FPE options, as it is more expressive than\nFpeOptionsBasic.",
            "properties": {
              "format": {
                "$ref": "#/components/schemas/FpeDataPart"
              },
              "description": {
                "type": "string",
                "nullable": true,
                "description": "The user-provided name for the data type."
              }
            },
            "required": [
              "format"
            ]
          }
        ]
      },
      "FpeOptionsV2": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "format_v2": {
                "$ref": "#/components/schemas/FpeFormatV2"
              },
              "description": {
                "type": "string",
                "nullable": true
              }
            },
            "required": [
              "format_v2"
            ]
          }
        ]
      },
      "RsaEncryptionPaddingPolicy": {
        "description": "RSA encryption padding policy.",
        "oneOf": [
          {
            "title": "RsaEncryptionPaddingPolicyVariantOaep",
            "type": "object",
            "properties": {
              "OAEP": {
                "$ref": "#/components/schemas/RsaEncryptionPaddingPolicyOaep"
              }
            },
            "required": [
              "OAEP"
            ]
          },
          {
            "title": "RsaEncryptionPaddingPolicyVariantPkcs1V15",
            "type": "object",
            "properties": {
              "PKCS1_V15": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "PKCS1_V15"
            ]
          },
          {
            "title": "RsaEncryptionPaddingPolicyVariantRawDecrypt",
            "type": "object",
            "properties": {
              "RAW_DECRYPT": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "RAW_DECRYPT"
            ]
          }
        ]
      },
      "RsaSignaturePaddingPolicy": {
        "description": "RSA signature padding policy.",
        "oneOf": [
          {
            "title": "RsaSignaturePaddingPolicyVariantPss",
            "type": "object",
            "properties": {
              "PSS": {
                "$ref": "#/components/schemas/RsaSignaturePaddingPolicyPss"
              }
            },
            "required": [
              "PSS"
            ]
          },
          {
            "title": "RsaSignaturePaddingPolicyVariantPkcs1V15",
            "type": "object",
            "properties": {
              "PKCS1_V15": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "PKCS1_V15"
            ]
          }
        ]
      },
      "DaysAhead": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "days": {
                "type": "integer",
                "minimum": 0,
                "maximum": 65535
              }
            },
            "required": [
              "days"
            ]
          }
        ]
      },
      "MetadataStringConstraintRequired": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "non_empty_after_trim": {
                "type": "boolean",
                "nullable": true,
                "description": "If set to `true`, the value must have a length > 0 after trimming\nleading and trailing whitespace characters."
              },
              "allowed_values": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                },
                "nullable": true,
                "description": "If not specified or empty, it will not impose any restrictions on the value."
              }
            }
          }
        ]
      },
      "MetadataDurationConstraintRequired": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "allowed_values": {
                "$ref": "#/components/schemas/RestrictedDuration"
              }
            }
          }
        ]
      },
      "SigningKeysStored": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "keys": {
                "type": "object",
                "additionalProperties": {
                  "type": "string",
                  "format": "byte"
                },
                "description": "Mapping from key IDs to DER-encoded public keys."
              }
            },
            "required": [
              "keys"
            ]
          }
        ]
      },
      "SigningKeysFetched": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "url": {
                "type": "string"
              },
              "cache_duration": {
                "type": "integer",
                "description": "Number of seconds that the service is allowed to cache the fetched keys."
              }
            },
            "required": [
              "url",
              "cache_duration"
            ]
          }
        ]
      },
      "AccountReplicationConnection": {
        "allOf": [
          {
            "type": "object",
            "description": "Settings for how a replication account should connect to a source cluster. This type does not\nhandle configuration of a source-side admin app used in the replication process; such setup is\nhandled by separate endpoints.",
            "properties": {
              "url": {
                "type": "string",
                "format": "url",
                "description": "The URL of the DSM cluster containing the account to back up. Only HTTPS is supported."
              },
              "active_replication_credential": {
                "$ref": "#/components/schemas/ReplicationCredentialId"
              }
            },
            "required": [
              "url"
            ]
          }
        ]
      },
      "AccountReplicationScanSettings": {
        "allOf": [
          {
            "type": "object",
            "description": "Settings for how DSM should go about replicating objects from the source account once a connection\nhas been established.\n\nToday, account replication is performed using \"basic\" replication, which exports key material in\nthe clear, i.e., unwrapped, with the TLS connection as its only protection in transit.",
            "properties": {
              "auto_scan": {
                "$ref": "#/components/schemas/AutoScanSettings"
              }
            },
            "required": [
              "auto_scan"
            ]
          }
        ]
      },
      "SubscriptionFeatures": {
        "description": "Features in subscription\n\n\n\n          TOKENIZATION:\n\n\n          HMG:\n\n\n          AWSBYOK:\n\n\n          AZUREBYOK:\n\n\n          GCPBYOK:\n\n\n          GCPEKMCONTROLPLANE:\n\n\n          OCIBYOK:\n\n",
        "type": "string",
        "enum": [
          "TOKENIZATION",
          "HMG",
          "AWSBYOK",
          "AZUREBYOK",
          "GCPBYOK",
          "GCPEKMCONTROLPLANE",
          "OCIBYOK"
        ]
      },
      "TlsConfigRequired": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "validate_hostname": {
                "type": "boolean"
              },
              "ca": {
                "$ref": "#/components/schemas/CaConfig"
              },
              "client_key": {
                "type": "string",
                "format": "byte"
              },
              "client_cert": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "validate_hostname",
              "ca"
            ]
          }
        ]
      },
      "LdapDnResolutionConstruct": {
        "allOf": [
          {
            "type": "object",
            "description": "Transform the user email through a pattern to derive the DN.",
            "properties": {
              "domain_format": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "description": "For example: \"example.com\" => \"uid={},ou=users,dc=example,dc=com\"."
              }
            },
            "required": [
              "domain_format"
            ]
          }
        ]
      },
      "LdapUserSelfProvisioningRole": {
        "description": "A structure indicating how self-provisioned LDAP users will\nbe assigned account roles.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/LdapUserSelfProvisioningRoleVariantFixed"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "Fixed": "LdapUserSelfProvisioningRoleVariantFixed"
          }
        }
      },
      "ClientFileLoggingVariantEnabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "enabled"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "$ref": "#/components/schemas/ClientFileLoggingConfig"
          }
        ]
      },
      "ClientFileLoggingVariantDisabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "disabled"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "ObjectTypeFilterSelection": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "selection": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/ObjectType"
                }
              }
            },
            "required": [
              "selection"
            ]
          }
        ]
      },
      "ApiPath": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "api_path": {
                "type": "string"
              },
              "method": {
                "type": "string"
              },
              "context": {
                "$ref": "#/components/schemas/TepKeyContext"
              },
              "key_path": {
                "type": "string"
              }
            },
            "required": [
              "api_path",
              "method",
              "context",
              "key_path"
            ]
          }
        ]
      },
      "CipherMode": {
        "description": "Cipher mode used for symmetric key algorithms.",
        "type": "string",
        "enum": [
          "ECB",
          "CBC",
          "CBCNOPAD",
          "CFB",
          "OFB",
          "CTR",
          "GCM",
          "CCM",
          "KW",
          "KWP",
          "FF1"
        ]
      },
      "FpeDataPart": {
        "description": "Structure for specifying (part of) a complex tokenization data type.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/FpeEncryptedPart"
          },
          {
            "$ref": "#/components/schemas/FpeDataPartLiteral"
          },
          {
            "$ref": "#/components/schemas/FpeCompoundPart"
          }
        ]
      },
      "FpeFormatV2": {
        "allOf": [
          {
            "type": "object",
            "description": "The second generation of Fortanix Tokenization scheme.",
            "properties": {
              "variants": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/FpeVariant"
                },
                "description": "A token is accepted if it is accepted by any of these variants. Note\ntokenization results depend on the order of this list."
              },
              "mode": {
                "$ref": "#/components/schemas/FpeTokenizeMode"
              },
              "input_processing": {
                "$ref": "#/components/schemas/FpeInputProcessing"
              }
            },
            "required": [
              "variants"
            ]
          }
        ]
      },
      "RsaEncryptionPaddingPolicyOaep": {
        "allOf": [
          {
            "type": "object",
            "description": "The Optimal Asymmetric Encryption Padding scheme, as defined\nin RFC 8017 (PKCS #1 version 2.2)",
            "properties": {
              "mgf": {
                "$ref": "#/components/schemas/MgfPolicy"
              }
            }
          }
        ]
      },
      "RsaSignaturePaddingPolicyPss": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mgf": {
                "$ref": "#/components/schemas/MgfPolicy"
              }
            }
          }
        ]
      },
      "RestrictedDuration": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "min": {
                "$ref": "#/components/schemas/TimeSpan"
              },
              "max": {
                "$ref": "#/components/schemas/TimeSpan"
              },
              "default": {
                "$ref": "#/components/schemas/TimeSpan"
              }
            }
          }
        ]
      },
      "ReplicationCredentialId": {
        "description": "The ID of a replication credential.",
        "allOf": [
          {
            "type": "string"
          }
        ]
      },
      "AutoScanSettings": {
        "allOf": [
          {
            "type": "object",
            "description": "Settings for automatic scanning in DSM-backed groups or replication accounts.",
            "properties": {
              "scan_interval_hours": {
                "type": "integer",
                "minimum": 0,
                "maximum": 255,
                "description": "The number of hours between successive automatic scans. Must be greater than 0."
              }
            },
            "required": [
              "scan_interval_hours"
            ]
          }
        ]
      },
      "CaConfig": {
        "description": "CA settings.",
        "oneOf": [
          {
            "title": "CaConfigVariantCaSet",
            "type": "object",
            "properties": {
              "ca_set": {
                "$ref": "#/components/schemas/CaSet"
              }
            },
            "required": [
              "ca_set"
            ]
          },
          {
            "title": "CaConfigVariantPinned",
            "type": "object",
            "properties": {
              "pinned": {
                "type": "array",
                "items": {
                  "type": "string",
                  "format": "byte"
                }
              }
            },
            "required": [
              "pinned"
            ]
          }
        ]
      },
      "LdapUserSelfProvisioningRoleVariantFixed": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Fixed"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/LdapUserSelfProvisioningRoleFixed"
          }
        ]
      },
      "ClientFileLoggingConfig": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "path": {
                "type": "string",
                "nullable": true
              },
              "file_size_kb": {
                "type": "integer",
                "nullable": true
              },
              "max_files": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true
              }
            }
          }
        ]
      },
      "ObjectType": {
        "description": "Type of security object.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "EC",
          "KCDSA",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "OPAQUE",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "SECRET",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "CERTIFICATE",
          "PBE"
        ]
      },
      "TepKeyContext": {
        "type": "string",
        "enum": [
          "request",
          "response"
        ]
      },
      "FpeEncryptedPart": {
        "allOf": [
          {
            "type": "object",
            "description": "Structure of a tokenized portion of a complex tokenization data type.\n\nImplementation note: the backend parser is locally \"greedy\" and will attempt to match\nas many characters as possible. If this later results in an invalid parse of the rest\nof the input, the backend ***will not backtrack*** and will simply return with an error.",
            "properties": {
              "min_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "description": "The minimum allowed length for this part (in chars)."
              },
              "max_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "description": "The maximum allowed length for this part (in chars)."
              },
              "char_set": {
                "$ref": "#/components/schemas/FpeCharSet"
              },
              "cipher_char_set": {
                "$ref": "#/components/schemas/FpeCharSet"
              },
              "constraints": {
                "$ref": "#/components/schemas/FpeConstraints"
              },
              "preserve": {
                "$ref": "#/components/schemas/FpePreserveMask"
              },
              "mask": {
                "$ref": "#/components/schemas/FpePreserveMask"
              }
            },
            "required": [
              "min_length",
              "max_length",
              "char_set"
            ]
          }
        ]
      },
      "FpeDataPartLiteral": {
        "allOf": [
          {
            "type": "object",
            "description": "A section of the data type that is not to be tokenized (e.g., a delimiter).\n\nUnlike preserved characters, literal characters are not used for FF1 tweaks.",
            "properties": {
              "literal": {
                "type": "array",
                "items": {
                  "type": "string"
                },
                "description": "The list of possible strings that make up this literal portion of the token.\nFor example, if a delimiter can either be a space or a dash, the list would\nbe `[\" \", \"-\"]`.\n\nImplementation note: the backend will pick the first choice that matches\nwhen parsing the input. If this results in an invalid parse of the rest of the\ninput, the backend ***will not backtrack*** and will simply return with an error."
              }
            },
            "required": [
              "literal"
            ]
          }
        ]
      },
      "FpeCompoundPart": {
        "description": "Structure of a compound portion of a complex tokenization data type, itself composed of\nsmaller parts.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/FpeCompoundPartOr"
          },
          {
            "$ref": "#/components/schemas/FpeCompoundPartConcat"
          },
          {
            "$ref": "#/components/schemas/FpeCompoundPartMultiple"
          }
        ]
      },
      "FpeVariant": {
        "allOf": [
          {
            "type": "object",
            "description": "A concatenation of sections.",
            "properties": {
              "sections": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/FpeSection"
                }
              }
            },
            "required": [
              "sections"
            ]
          }
        ]
      },
      "FpeTokenizeMode": {
        "description": "How to tokenize a given input. The most secure option is \"PreserveFormat\" (the `preserve_format` enum value).",
        "type": "string",
        "enum": [
          "preserve_format",
          "preserve_variant",
          "preserve_length"
        ]
      },
      "FpeInputProcessing": {
        "description": "Options to apply some pre- and post-processing to the input.",
        "type": "string",
        "enum": [
          "strip_unknown",
          "passthrough_unknown"
        ]
      },
      "MgfPolicy": {
        "description": "MGF policy.",
        "oneOf": [
          {
            "title": "MgfPolicyVariantMgf1",
            "type": "object",
            "properties": {
              "mgf1": {
                "$ref": "#/components/schemas/MgfPolicyMgf1"
              }
            },
            "required": [
              "mgf1"
            ]
          }
        ]
      },
      "TimeSpan": {
        "oneOf": [
          {
            "title": "TimeSpanVariantSeconds",
            "type": "object",
            "properties": {
              "seconds": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295
              }
            },
            "required": [
              "seconds"
            ]
          },
          {
            "title": "TimeSpanVariantMinutes",
            "type": "object",
            "properties": {
              "minutes": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295
              }
            },
            "required": [
              "minutes"
            ]
          },
          {
            "title": "TimeSpanVariantHours",
            "type": "object",
            "properties": {
              "hours": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295
              }
            },
            "required": [
              "hours"
            ]
          },
          {
            "title": "TimeSpanVariantDays",
            "type": "object",
            "properties": {
              "days": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295
              }
            },
            "required": [
              "days"
            ]
          }
        ]
      },
      "CaSet": {
        "description": "Predefined CA sets.",
        "type": "string",
        "enum": [
          "global_roots"
        ]
      },
      "LdapUserSelfProvisioningRoleFixed": {
        "allOf": [
          {
            "type": "object",
            "description": "Map all self-provisioned users to a single specified account role.\n(Note that this setting only determines the role that a self-\nprovisioned user starts with; an account admin can change any user's\nrole at a later time.) A \"state enabled\" flag will be implicitly added,\nand any specified \"pending invite\" flag will be removed.",
            "properties": {
              "role": {
                "$ref": "#/components/schemas/UserAccountFlags"
              }
            },
            "required": [
              "role"
            ]
          }
        ]
      },
      "FpeCharSet": {
        "description": "The alphabet to use for an encrypted portion of a complex tokenization data type.\nCharacters should be specified as a list of pairs, where each pair [a, b] represents the\nrange of Unicode code points from a to b, with both bounds being inclusive. A single\ncode point can be specified as [c, c].\n\nNormally, each character is assigned a numeric value for FF1. The first character is\nassigned a value of 0, and subsequent characters are assigned values of 1, 2, and so on,\nup to one less than the size of the alphabet. Note that the order of the ranges matters; characters\nappearing in later ranges are assigned higher numerical values compared to earlier\ncharacters. For instance, in the FpeCharSet [['a', 'z'], ['0', '9']], the digits '0' to\n'9' are assigned values from 26 to 35, since they are listed after the 'a' to 'z' range.\n\nIn any case, ranges should not overlap with each other, and should not contain surrogate\ncode points.",
        "allOf": [
          {
            "type": "array",
            "items": {
              "type": "array",
              "minItems": 2,
              "maxItems": 2,
              "items": {
                "type": "string",
                "minLength": 1,
                "maxLength": 1
              }
            }
          }
        ]
      },
      "FpeConstraints": {
        "allOf": [
          {
            "type": "object",
            "description": "Constraints on a portion of a complex tokenization data type.",
            "properties": {
              "luhn_check": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the token part contains a checksum that satisfies the Luhn formula. It is an\nerror to apply this constraint to non-numeric parts, or to have an encrypted part be\nunder more than one Luhn check constraint. Also, if an encrypted part has a Luhn check\nconstraint applied to it and may contain at least one digit that is not preserved, it\nmust not specify any other constraints."
              },
              "num_gt": {
                "type": "integer",
                "nullable": true,
                "description": "Number that the token part should be greater than.\n\nThis constraint can only be specified on (non-compound) numeric encrypted parts\nguaranteed to preserve either everything or nothing at all. (For example, if an\nencrypted part consists of 5 to 10 digits, a `preserve` list that covers only the\nfirst five digits is not guaranteed to preserve everything, because if the input\nhappens to be six or more digits long, there will be at least one digit that\nremains unpreserved.)"
              },
              "num_lt": {
                "type": "integer",
                "nullable": true,
                "description": "Number that the token part should be smaller than.\n\nThis constraint can only be specified on (non-compound) numeric encrypted parts\nguaranteed to preserve either everything or nothing at all. (For example, if an\nencrypted part consists of 5 to 10 digits, a `preserve` list that covers only the\nfirst five digits is not guaranteed to preserve everything, because if the input\nhappens to be six or more digits long, there will be at least one digit that\nremains unpreserved.)"
              },
              "num_ne": {
                "type": "array",
                "items": {
                  "type": "integer"
                },
                "nullable": true,
                "description": "Numbers that the token part should not be equal to. It is an error to apply this\nconstraint to non-numeric parts."
              },
              "date": {
                "$ref": "#/components/schemas/FpeDateConstraint"
              },
              "applies_to": {
                "$ref": "#/components/schemas/FpeConstraintsApplicability"
              }
            }
          }
        ]
      },
      "FpePreserveMask": {
        "description": "A structure indicating which indices in an encrypted part to mask or preserve.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/All"
          },
          {
            "type": "array",
            "items": {
              "type": "integer",
              "format": "int64"
            },
            "description": "Indicates that only certain characters are to be preserved or masked. Indices are\nPython-like; i.e., negative indices index from the end of the token portion, with\nindex -1 denoting the last character. (Indicating that nothing should be preserved\nor masked can be done via an empty list, which is the default value for this enum.)"
          }
        ]
      },
      "FpeCompoundPartOr": {
        "allOf": [
          {
            "type": "object",
            "description": "Represents an OR of multiple structures.\n\nImplementation note: an OR is _not_ a union of `FpeDataPart`s. Rather, when parsing\nthe input, the backend will simply choose the first subpart that matches the current\nportion of the input, and tokenize/detokenize accordingly. If that choice results in\nan invalid parse of the rest of the input, the backend ***will not backtrack*** and\nwill simply return with an error.",
            "properties": {
              "or": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/FpeDataPart"
                },
                "description": "The actual subparts that make up this compound part."
              },
              "constraints": {
                "$ref": "#/components/schemas/FpeConstraints"
              },
              "preserve": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the entire OR should be preserved as-is (i.e., not tokenized). If this is\nset, any descendant subparts cannot contain any preserve-related fields set."
              },
              "mask": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the entire OR should be masked when doing masked decryption. If this is set,\nany descendant subparts cannot contain any mask-related fields set."
              },
              "min_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The minimum allowed length for this part (in chars)."
              },
              "max_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The maximum allowed length for this part (in chars)."
              }
            },
            "required": [
              "or"
            ]
          }
        ]
      },
      "FpeCompoundPartConcat": {
        "allOf": [
          {
            "type": "object",
            "description": "Represents a concatenation of multiple structures (in a particular order).",
            "properties": {
              "concat": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/FpeDataPart"
                },
                "description": "The actual subparts that make up this compound part, in order."
              },
              "constraints": {
                "$ref": "#/components/schemas/FpeConstraints"
              },
              "preserve": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the entire concat should be preserved as-is (i.e., not tokenized). If this is\nset, no descendant subpart may have any preserve-related fields set."
              },
              "mask": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the entire concat should be masked when doing masked decryption. If this is\nset, no descendant subpart may have any mask-related fields set."
              },
              "min_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The minimum allowed length for this part (in chars)."
              },
              "max_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The maximum allowed length for this part (in chars)."
              }
            },
            "required": [
              "concat"
            ]
          }
        ]
      },
      "FpeCompoundPartMultiple": {
        "allOf": [
          {
            "type": "object",
            "description": "Indicates a part that is possibly repeated multiple times.\n\nImplementation note: the backend parser is locally \"greedy\" and will attempt to match\nas many repetitions as possible. If this later results in an invalid parse of the rest\nof the input, the backend ***will not backtrack*** and will simply return with an error.",
            "properties": {
              "multiple": {
                "$ref": "#/components/schemas/FpeDataPart"
              },
              "min_repetitions": {
                "type": "integer",
                "nullable": true,
                "description": "The minimum number of times the subpart may occur. (A value of 1 marks a single\noccurrence.)"
              },
              "max_repetitions": {
                "type": "integer",
                "nullable": true,
                "description": "The maximum number of times the subpart may occur. (A value of 1 marks a single\noccurrence.)"
              },
              "constraints": {
                "$ref": "#/components/schemas/FpeConstraints"
              },
              "preserve": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the entire Multiple should be preserved as-is (i.e., not tokenized). If this\nis set, neither the `multiple` subpart nor its descendants may have any preserve-related\nfields set."
              },
              "mask": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether the entire Multiple should be masked when doing masked decryption. If this is\nset, neither the `multiple` subpart nor its descendants may have any mask-related fields\nset."
              },
              "min_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The minimum allowed length for this part (in chars)."
              },
              "max_length": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
                "nullable": true,
                "description": "The maximum allowed length for this part (in chars)."
              }
            },
            "required": [
              "multiple"
            ]
          }
        ]
      },
      "FpeSection": {
        "allOf": [
          {
            "type": "object",
            "description": "A concatenation of groups, optionally including a checksum.",
            "properties": {
              "groups": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/FpeGroup"
                }
              },
              "checksum": {
                "$ref": "#/components/schemas/FpeChecksum"
              }
            },
            "required": [
              "groups"
            ]
          }
        ]
      },
      "MgfPolicyMgf1": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "hash": {
                "$ref": "#/components/schemas/DigestAlgorithm"
              }
            }
          }
        ]
      },
      "UserAccountFlags": {
        "description": "User's role(s) and state in an account.",
        "allOf": [
          {
            "type": "array",
            "uniqueItems": true,
            "items": {
              "$ref": "#/components/schemas/UserAccountFlagOrRole"
            }
          }
        ]
      },
      "FpeDateConstraint": {
        "description": "Possible date-related constraint types for a portion of a complex tokenization data type.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/FpeDate"
          },
          {
            "$ref": "#/components/schemas/FpeDatePart"
          }
        ]
      },
      "FpeConstraintsApplicability": {
        "description": "A structure indicating which subparts a set of constraints should be applied to.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/All"
          },
          {
            "type": "object",
            "additionalProperties": {
              "$ref": "#/components/schemas/FpeConstraintsApplicability"
            },
            "description": "An object representing the individual subparts that the constraints should apply to. This\nis a BTreeMap where for each key-value pair, the key represents the \"index\" of the subpart\n(with the first subpart having index 0), and the value is an FpeConstraintsApplicability\ninstance. Note that a Multiple part only allows for one possible key-value pair, since it\nonly contains one subpart. For Concat parts, the key is the zero-based index of the subpart\nin the `concat` field, and for Multiple parts, this is always 0 (due to a Multiple having\nonly one subpart).\n\nThis cannot be used with OR parts; instead, specify constraints individually on each\nrelevant subpart."
          }
        ]
      },
      "All": {
        "description": "A helper enum with a single variant, All, which indicates that something should apply to an\nentire part. (This is here mainly to allow other untagged enums to work properly.)",
        "type": "string",
        "enum": [
          "all"
        ]
      },
      "FpeGroup": {
        "allOf": [
          {
            "type": "object",
            "description": "A concatenation of codes that can be repeated a number of times. A\nnumber of leading and trailing characters can be preserved, that is,\nleft unmodified by tokenization.",
            "properties": {
              "codes": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/FpeCode"
                }
              },
              "min_repetitions": {
                "type": "integer",
                "nullable": true,
                "description": "A group cannot be omitted, thus this field must be positive if present."
              },
              "max_repetitions": {
                "type": "integer",
                "nullable": true
              },
              "preserve": {
                "type": "array",
                "items": {
                  "type": "integer"
                },
                "minItems": 2,
                "maxItems": 2,
                "nullable": true,
                "description": "Number of leading and trailing characters to preserve in this group.\nPreserved characters are the leading/trailing characters of the whole\ngroup, not individual repetitions."
              }
            },
            "required": [
              "codes"
            ]
          }
        ]
      },
      "FpeChecksum": {
        "type": "string",
        "enum": [
          "luhn"
        ]
      },
      "DigestAlgorithm": {
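        "description": "A hash algorithm. Note that SHA1 is no longer considered collision-resistant, and SSL3 and RIPEMD160 are likewise legacy choices kept for interoperability; prefer SHA256 or stronger for new uses.",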
        "type": "string",
        "enum": [
          "BLAKE2B256",
          "BLAKE2B384",
          "BLAKE2B512",
          "BLAKE2S256",
          "RIPEMD160",
          "SSL3",
          "SHA1",
          "SHA224",
          "SHA256",
          "SHA384",
          "SHA512",
          "STREEBOG256",
          "STREEBOG512",
          "SHA3_224",
          "SHA3_256",
          "SHA3_384",
          "SHA3_512"
        ]
      },
      "UserAccountFlagOrRole": {
        "description": "User account flag or legacy user account role name or custom role id",
        "oneOf": [
          {
            "$ref": "#/components/schemas/UserAccountFlag"
          },
          {
            "$ref": "#/components/schemas/LegacyUserAccountRole"
          },
          {
            "type": "string",
            "format": "uuid"
          }
        ]
      },
      "FpeDate": {
        "description": "A structure for specifying a token part representing a date that occurs after a specified date\nand/or occurs before a specified date. Depending on the subparts that make up the date, one of\nthe three options is used.",
        "oneOf": [
          {
            "title": "FpeDateVariantDayMonthYear",
            "type": "object",
            "properties": {
              "dmy_date": {
                "$ref": "#/components/schemas/FpeDateDayMonthYear"
              }
            },
            "required": [
              "dmy_date"
            ]
          },
          {
            "title": "FpeDateVariantMonthDay",
            "type": "object",
            "properties": {
              "month_day_date": {
                "$ref": "#/components/schemas/FpeDateMonthDay"
              }
            },
            "required": [
              "month_day_date"
            ]
          },
          {
            "title": "FpeDateVariantMonthYear",
            "type": "object",
            "properties": {
              "month_year_date": {
                "$ref": "#/components/schemas/FpeDateMonthYear"
              }
            },
            "required": [
              "month_year_date"
            ]
          }
        ]
      },
      "FpeDatePart": {
        "description": "Possible date-related constraint types that do not form a complete date (by themselves) for a\ncomplex tokenization data type.",
        "type": "string",
        "enum": [
          "month",
          "day",
          "year"
        ]
      },
      "FpeCode": {
        "allOf": [
          {
            "type": "object",
            "description": "A set of words, repeated a number of times.",
            "properties": {
              "words": {
                "$ref": "#/components/schemas/FpeWords"
              },
              "min_repetitions": {
                "type": "integer",
                "nullable": true
              },
              "max_repetitions": {
                "type": "integer",
                "nullable": true
              }
            },
            "required": [
              "words"
            ]
          }
        ]
      },
      "UserAccountFlag": {
        "description": "User account flag",
        "type": "string",
        "enum": [
          "STATEENABLED",
          "PENDINGINVITE"
        ]
      },
      "LegacyUserAccountRole": {
        "description": "Legacy user account role",
        "type": "string",
        "enum": [
          "ACCOUNTADMINISTRATOR",
          "ACCOUNTMEMBER",
          "ACCOUNTAUDITOR"
        ]
      },
      "FpeDateDayMonthYear": {
        "allOf": [
          {
            "type": "object",
            "description": "Represents a date that consists of a Month subpart, a Day subpart, and a Year subpart. The\nYear part is allowed to be preserved, and the Day and Month parts are allowed to be\npreserved together. (The Day part cannot be preserved if the Month part is not, and vice\nversa.)",
            "properties": {
              "before": {
                "$ref": "#/components/schemas/FpeDayMonthYearDate"
              },
              "after": {
                "$ref": "#/components/schemas/FpeDayMonthYearDate"
              }
            }
          }
        ]
      },
      "FpeDateMonthDay": {
        "allOf": [
          {
            "type": "object",
            "description": "Represents a date that consists of a Month subpart and a Day subpart. It is an error to\npreserve only the Month part or the Day part.",
            "properties": {
              "before": {
                "$ref": "#/components/schemas/FpeDayMonthDate"
              },
              "after": {
                "$ref": "#/components/schemas/FpeDayMonthDate"
              }
            }
          }
        ]
      },
      "FpeDateMonthYear": {
        "allOf": [
          {
            "type": "object",
            "description": "Represents a date that consists of a Month subpart and a Year subpart. The Year part is\nallowed to be preserved; however, the Month part cannot be preserved by itself.",
            "properties": {
              "before": {
                "$ref": "#/components/schemas/FpeMonthYearDate"
              },
              "after": {
                "$ref": "#/components/schemas/FpeMonthYearDate"
              }
            }
          }
        ]
      },
      "FpeWords": {
        "description": "A set of fixed-length strings.",
        "oneOf": [
          {
            "title": "FpeWordsVariantIntegerRanges",
            "type": "object",
            "properties": {
              "integer_ranges": {
                "$ref": "#/components/schemas/FpeWordsIntegerRanges"
              }
            },
            "required": [
              "integer_ranges"
            ]
          },
          {
            "title": "FpeWordsVariantAlphabet",
            "type": "object",
            "properties": {
              "alphabet": {
                "$ref": "#/components/schemas/FpeCharSet"
              }
            },
            "required": [
              "alphabet"
            ]
          },
          {
            "title": "FpeWordsVariantCustom",
            "type": "object",
            "properties": {
              "custom": {
                "$ref": "#/components/schemas/FpeWordsCustom"
              }
            },
            "required": [
              "custom"
            ]
          }
        ]
      },
      "FpeDayMonthYearDate": {
        "allOf": [
          {
            "type": "object",
            "description": "A structure for specifying a particular date consisting of a day, month, and year, for use in\nan FpeDate structure.",
            "properties": {
              "year": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
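                "description": "The year, which should be an integer less than 100000 (a tighter limit than this field's schema `maximum`, so schema validation alone does not enforce it). Zero is treated as a leap year."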
              },
              "month": {
                "type": "integer",
                "minimum": 0,
                "maximum": 255,
                "description": "The month, which should be an integer from 1 to 12."
              },
              "day": {
                "type": "integer",
                "minimum": 0,
                "maximum": 255,
                "description": "The day, which should be an integer from 1 to either 28, 29, 30, or 31, depending on the\nmonth and year."
              }
            },
            "required": [
              "year",
              "month",
              "day"
            ]
          }
        ]
      },
      "FpeDayMonthDate": {
        "allOf": [
          {
            "type": "object",
            "description": "A structure for specifying a particular date consisting of a day and a month, for use in an\nFpeDate structure.",
            "properties": {
              "month": {
                "type": "integer",
                "minimum": 0,
                "maximum": 255,
                "description": "The month, which should be an integer from 1 to 12."
              },
              "day": {
                "type": "integer",
                "minimum": 0,
                "maximum": 255,
                "description": "The day, which should be an integer from 1 to either 29, 30, or 31, depending on the month\nand year. Here, February is treated as having 29 days."
              }
            },
            "required": [
              "month",
              "day"
            ]
          }
        ]
      },
      "FpeMonthYearDate": {
        "allOf": [
          {
            "type": "object",
            "description": "A structure for specifying a particular date consisting of a month and a year, for use in an\nFpeDate structure.",
            "properties": {
              "year": {
                "type": "integer",
                "minimum": 0,
                "maximum": 4294967295,
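                "description": "The year, which should be an integer less than 100000 (a tighter limit than this field's schema `maximum`, so schema validation alone does not enforce it). Zero is treated as a leap year."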
              },
              "month": {
                "type": "integer",
                "minimum": 0,
                "maximum": 255,
                "description": "The month, which should be an integer from 1 to 12."
              }
            },
            "required": [
              "year",
              "month"
            ]
          }
        ]
      },
      "FpeWordsIntegerRanges": {
        "allOf": [
          {
            "type": "object",
            "description": "A union of positive integer ranges.\n\n```plain\nExamples: [[0, 400], [402, 1000]]\n= {0000, 0001, ..., 0400, 0402, ..., 1000}\n\n[[1,3], [49, 50]] with optional padding of length 8\n= {00000001, 00000002, 00000003, 00000049, 00000050}\n(accepts 1, 01, 00002, 49, 000050, etc)\n```",
            "properties": {
              "ranges": {
                "type": "array",
                "items": {
                  "type": "array",
                  "items": {
                    "type": "integer"
                  },
                  "minItems": 2,
                  "maxItems": 2
                }
              },
              "padding_required": {
                "type": "boolean",
                "description": "If this field is true, this set accepts only numeric strings\npadded to the length given by the maximum integer in the range\nset."
              }
            },
            "required": [
              "ranges",
              "padding_required"
            ]
          }
        ]
      },
      "FpeWordsCustom": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "list": {
                "type": "array",
                "items": {
                  "type": "string"
                },
                "description": "Examples: {\"john\", \"jane\"}, {\".\", \"-\", \"_\", \"@\", \" \"}"
              }
            },
            "required": [
              "list"
            ]
          }
        ]
      }
    }
  }
}
````

