OS1 Services

Authentication And Authorization

30min

Introduction
The Authentication And Authorization (AAA) Service provides APIs that allow you to create users, authenticate their identity, and validate their access permissions to App and Platform Resources.
﻿
Functions provided by the AAA Service
The AAA Service facilitates the following actions:
﻿User onboarding﻿﻿
﻿Manage User Groups﻿﻿
﻿User Authentication﻿﻿
﻿Manage resources, permissions, & roles﻿﻿
﻿Permissions﻿﻿
﻿Granting roles to apps and user groups﻿﻿
﻿User authorization﻿﻿
﻿Limits﻿
Please note that AAA API requests that exceed the 375KB size limit will be rejected. Avoid passing large payloads to prevent exceeding this limit.
User onboarding
A Platform User is an entity created in AAA Service that represents a person who interacts with Platform Apps and the OS1 Platform. Onboarding a User in another service, for example, the Participant Service, does not automatically onboard the User to the AAA Service. The user must be specifically onboarded to the AAA Service for using its service functionality.
Creating a User
To create a new User call the Create User﻿ endpoint.
Note: For creating a User, firstName with any one of the email or a primaryMobile number are required. If providing a primaryMobile number then countryCode & number are mandatory fields.
Member
Description
Validation
Data type
email
The email address of the user.
pattern: ^([a-zA-Z0-9_\.\+-]+)@([\da-zA-Z0-9_\.-]+)\.([a-zA-Z\.]{2,6})$   
nullable: false   
minLength: 1
string
firstName
The first name of the user. The value can't be null and it must be between 1 to 36 characters in length.
nullable: false   
minLength: 1   
maxLength: 36
string
lastName   (Optional)
The last name of the user. The value can't be null and it must be between 1 to 36
nullable: false   
minLength: 1   
maxLength: 36
string
countryCode
Country code for mobile number. The value can't be null and it must be between 2 to 4 characters in length.
nullable: false   
pattern: ^\+(\d{1}\-)?(\d{1,3})$   
maxLength: 4   
minLength: 2
string
number
The mobile number of the user. GET calls return a masked string in which only the last 4 digits of the phone number are in clear text. The value can't be null and it must be between 4 to 10 characters in length. Specify a value for either email or primaryMobile number. Also, both can be supplied as well.
nullable: false   
pattern: ^[0-9]{4,14}$   
maxLength: 10   
minLength: 4
string
﻿
Request bodies are specified in JSON format. The following shows an example request body to create a User and to update a User.
Update User
Create User
{
   "primaryMobile":{
      "countryCode":"+1",
      "number":"5551234567"
   }
}
{
   "primaryMobile":{
      "countryCode":"+1",
      "number":"5551234567"
   }
}
﻿
After creating a User, you can edit any attribute except for the tenantId.
User Attributes
The following user attributes can be saved as a part of user onboarding:
Attribute
Description
Remarks
tenantId
Tenant Identifier.
﻿
userId
System-generated user identifier.
﻿
participantId
(Optional)
The Participant Identifier of the user is generated by the Participant Service.
﻿
username
The first, middle, and last name of the User.
The middleName and lastName values are optional. If only the full name is available, it should be sent as firstName.
email
The email address of the User. Either an email address or primary mobile number is required.
GET calls return a masked value that reveals the first two characters of the username part of the email and masks the remaining characters with asterisks. The domain name part is not masked.
primaryMobile
The Primary mobile number with country code in JSON format. Either an email address or primary mobile number is required.
GET calls return the country code and the last 4 digits of the mobile number. The remaining characters are masked.
secondaryMobile
(Optional)
The Secondary mobile number with country code in JSON format. The secondary mobile number is only allowed if a primary mobile number is specified.
GET calls return the country code and the last 4 digits of the mobile number. The remaining characters are masked.
allowSocialAuth
(Optional)
A Boolean value that specifies whether Google Login is allowed.For example: "allowSocialAuth": {"google": true}
Default value: False
allowSAMLAuth
(Optional)
A Boolean value that specifies whether SAML 2.0 Login is allowed.
Default value: False
samlConnector
(Optional)
Named SAML 2.0 Connector.
Required if allowSAMLAuth is set as True.
samlUserId
(Optional)
The identifier for the user in the SAML Identity Provider.
Required if allowSAMLAuth is set to True.
isActive
A Boolean value that indicates whether the user is temporarily deactivated or not. Users deactivated using this flag can be activated again by a user of the tenant (with the required role).
When set to True, User login is allowed. When set to False, User login is disallowed and the User or User Group is archived.
isDeleted
A Boolean value that specifies whether the user is permanently deactivated or not.
When set to True, User login is not allowed
Manage User Groups
A Platform User Group is a collection of Users. A User Group allows a tenant to specify Roles that apply to all of the Users in the User Group. A User can be a part of multiple User Groups. User Groups cannot be nested. This means that they can contain only User entities and not other User Group entities.
Request bodies are specified in JSON format. The following example shows request bodies for the management of User Groups:
Member
Description
Validation
Data type
name
Name of the group. The group name is unique for the application.
minLength: 2
maxLength: 50
pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$
string
description
Description of the group.
minLength: 2
maxLength: 50
string
﻿
Create Groups
Update Groups
Get Group Details

   "roles":[
      "Platform:Role:platform:app:dispatch-api:admin"
   ],
   "users":[
      "503b235b-1378-4cb7-bc40-976cb7ceea51",
      "9efc9aab-c55f-44e7-a01c-790e5d022945"
   ],
   "groupId":"platform:group:DispachAdmin",
   "name":"DispachAdmin",
   "description":"Dispatch Admin Group",
   "isActive":true
}

   "roles":[
      "Platform:Role:platform:app:dispatch-api:admin"
   ],
   "users":[
      "503b235b-1378-4cb7-bc40-976cb7ceea51",
      "9efc9aab-c55f-44e7-a01c-790e5d022945"
   ],
   "groupId":"platform:group:DispachAdmin",
   "name":"DispachAdmin",
   "description":"Dispatch Admin Group",
   "isActive":true
}
﻿
You can rename a user group without changing the Roles attached to the user group.
The following methods are available for working with User Groups:
﻿Get the details of a group of users and roles﻿.
﻿Getting the list of User Groups of which a User is a member﻿﻿
﻿Getting the list of Roles attached to a User Group﻿﻿
User Group Attributes
User Groups are specified by a unique fully qualified name and have the following attributes:
Attributes
Description
Remarks
tenantId
Tenant Identifier.
﻿
groupId
System generated a fully qualified name of the user group.
﻿
name
One-word name for the User Group.
The name must be unique across user groups of a tenant.
roles
A list of roles mapped to the users belonging to the group.
﻿
users
A list of user IDs present in the group.
﻿
isDeleted
A Boolean value that indicates whether the user group is permanently deactivated or not.
Set the value to True to indicate that the User Group is deleted and archived. The default value is False.
﻿
User Authentication Methods
The Authentication And Authorization (AAA) Service supports the following four methods for user authentication:
Primary Mobile Number and OTP
Email Address and OTP
Social Login (Google, Github, etc.)
SAML 2.0 Authentication (configurable for any SAML 2.0 compatible external identity provider)
The tenant has the option to enable or disable Google Login and SAML 2.0 Authentication at the user level (it is disabled by default). Moreover, OTP-based login can be enabled for all users by default and cannot be disabled.
One-Time Password
A One-Time Password (OTP) is a unique 6-digit value and is unique for each OTP request (combination of user, tenant, and request ID). After the OTP is issued, it will expire within 10 minutes from the issue time, or on a successful login with the OTP, whichever occurs first.
The AAA service supports a maximum of 3 requests to resend the OTP. The minimum time gap between the last OTP sent time and the request to resend OTP is 30 seconds.
The Platform enables OTP and email login authentication methods by default.
Social Login
If enabled, Google Login only works if an email address is specified in the AAA service for the User.
To establish a Google Login connection, call the Create a Social Connection endpoint.
The following request body shows a sample API payload to create a social connection:
Member
Description
Validation
Data type
connectionName
Unique name of the connection.
minLength: 2  
maxLength: 50  
pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$
string
connectionClientId
Client ID of the social application.
﻿
string
connectionClientSecret
Client Secret of the social application.
﻿
string
﻿
JSON
{
   "connectionName":"google-demo-connection",
   "connectionClientId":"",//mention the connection client ID
   "connectionClientSecret":""//mention the connection client secret
}
{
   "connectionName":"google-demo-connection",
   "connectionClientId":"",//mention the connection client ID
   "connectionClientSecret":""//mention the connection client secret
}
﻿
SAML 2.0 Authentication
The AAA Service is set up as a Service Provider (SP) only, and not as an Identity Provider (IdP). On successful SAML 2.0 authentication, AAA Service issues an Authentication Token for the user.
Although the AAA Service doesn't act as an IdP, Users have to be pre-onboarded to AAA Service for authorization purposes.
The tenant can configure their own SAML 2.0 connector. Moreover, they can specify which attributes of the User (returned by SAML IdP) are matched with the SAML User Identifier provided in the AAA Service for successful Platform Authentication.
To establish a SAML connection, call create SAML connection endpoint.
The following request body shows a sample API payload to create a connection:
Member
Description
Validation
Data type
connectionName
Unique name of the connection.
minLength: 2  maxLength: 50  pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$
string
signInEndpoint (Optional)
Sign In endpoint of the SAML connection.
﻿
string
signOutEndpoint  (Optional)
Sign Out endpoint of the SAML connection.
﻿
string
publicKeyCertificate
The certificate required for SAML connection should be of x509Cert format.
﻿
string
﻿
JSON
{
  "connectionName": "string",
  "signInEndpoint": "string",
  "signOutEndpoint": "string",
  "publicKeyCertificate": "string"
}
{
  "connectionName": "string",
  "signInEndpoint": "string",
  "signOutEndpoint": "string",
  "publicKeyCertificate": "string"
}
﻿
Authentication Token
On successful authentication, the AAA Service issues a unique JWT (RFC-7519) as an Authentication Token for the User. The Authentication Token is signed using a public/private key pair using RSA. It is valid for 10 minutes and it is invalid in case the user is deactivated or removed from the AAA Service.
The Authentication Token contains the following claims:
Claim Name
Description
Remarks
iss
Issuer
Always fixed for a tenant. Signifies issuer of the token.
sub
Subject
Identifies the User for whom the token is issued.
aud
Audience
Apps for which access is granted.
exp
Expiry
Expiration date time after which the token will be invalid.
iat
Issued At
The date-time at which the token was issued.
On successful authentication, along with the Authentication Token, AAA Service also issues a unique JWT (RFC-7519) as a Refresh Token for the Authentication Token.
Resources, Permissions, and Roles
Resources
A Platform Resource is a generic name representation of any entity in a Platform Registered App on which action(s) can be performed by users or other services and apps.
For Platform Registered Apps, the resources are created in the AAA Services when the app is mapped to a tenant. They are created as per the definition in a YAML file named access-control.yaml provided by each app. These cannot be edited manually by any user of the tenant.
Read APIs are provided for reading a resource by resource ID and reading all resources corresponding to a service or app (appId).
Permissions
A Platform Permission is a generic name representation of authorization to perform a specific action on a defined Platform Resource. The authorized action is specified in the list of allowed actions of the Platform Resource.
For Platform Registered Apps, the permissions are created in the AAA Service when the app is mapped to a tenant. They are created as per the definition in a YAML file named access-control.yaml that is provided by each app. These cannot be edited manually by any user of the tenant.
Permissions are created in AAA Service automatically when resources for a service or app are defined in the AAA Service. Only one Permission is created for each combination of Resource and HTTP Methods.
Read APIs are provided to get:
The permission is specified by the value of permissionId.
To read all of the resources identified to the value that corresponds to a resourceId.
To read all resources corresponding to a service/app as specified by the value of appId.
To read the list of roles to which this permission is granted.
Roles
A Platform Role is a generic named representation of a set of permissions to access resources of a specific app or service. A Role is specific to an application.
Roles are mapped to a User Group or app. One or more Roles can be mapped to a User Group or app. They cannot be granted directly to a User. Granting a Role to a User Group grants the role to all Users in the group.
Creating Roles
To create a Role, call the Create app role endpoint and then pass the following parameters in the request body:
Member
Description
Validation
Data type
roleName
Name of the role (each role should be assigned with a name).
maxLength: 50  pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$
string
description
Description of the role.
nullable: false  minLength: 2  maxLength: 50  
pattern: ^([a-zA-Z])([a-zA-Z0-9,\s]*)$
string
securityLevel
The security level of the role. The default is OPEN. Used to restrict the access level for the role.
default: OPEN  Valid values: SENSITIVE, RESTRICTED, OPEN
string
permissions
IDs of permission that are attached to this role.
pattern: ^([a-zA-Z])([-:a-zA-Z0-9]*)$
string
canGrantToApps
The boolean value indicates if the role can be granted to other apps/services.
default: false
boolean
canGrantToUsers
The boolean value indicates if the Role can be granted to user groups.
default: true
boolean
﻿
The following shows sample request bodies for creating and updating a Role:
Update User
Create User
{
   "roleName":"admin",
   "description":"Admin role of the App",
   "securityLevel": "OPEN",
   "permissions":[
      "platform:app:app1:createAPI:post",
      "platform:app:app1:deleteAPI:delete",
      "platform:app:app1:getAPI:get",
      "platform:app:app1:updateAPI:put"
   ],
  "canGrantToApps": false,
  "canGrantToUsers": true
}
{
   "roleName":"admin",
   "description":"Admin role of the App",
   "securityLevel": "OPEN",
   "permissions":[
      "platform:app:app1:createAPI:post",
      "platform:app:app1:deleteAPI:delete",
      "platform:app:app1:getAPI:get",
      "platform:app:app1:updateAPI:put"
   ],
  "canGrantToApps": false,
  "canGrantToUsers": true
}
﻿
Type of Roles
The platform has two kinds of Roles:
Platform Managed Roles
These are roles created/managed by CoreOS Services and Apps. These roles cannot be edited by any user of the tenant. These roles and their mapping to user groups, apps, or services, get automatically removed when the app/service that created the role is removed for the tenant.
Resources & Permissions Offered by the Service/App.
Roles offered by the Service/App.
Roles required by the installed App to access resources of other Services or Apps.
Tenant Managed Roles
These are Roles created by the Tenant. These roles provide more granularity compared to Platform Managed Roles.
Role Attributes
Roles are specified by a unique fully qualified name and their definition includes the following attributes:
Attribute
Description
Remarks
tenantId
Unique identifier of the tenant.
﻿
appId
The App to which permissions in the Role belong.
A role can contain only permissions for resources that belong to a given App.
roleId
A unique, system-generated fully qualified name for the Role.
Format: Platform:Role:<appId>:<roleName>  
For example:  Platform:Role:FMS:FleetManager  OR  Platform:Role:FaaS:FaaSAdmin
roleName
A unique name for the Role in the App specified by appId.
Max: 50 characters.  
Names can contain only alphabetic characters and hyphens. However, the Name should not start with a hyphen.
permissions
List of Permission Names attached to this Role.
﻿
managedBy
This field contains the appId of the App/service that created the Role or tenantId if the role was created by a tenant.
Users of a tenant cannot edit or remove Roles managed by Apps or services.
canGrantToUsers
A Boolean value that indicates whether this Role can be granted to User Groups.
True if the Role can be granted to User Groups; Otherwise False.  Default value: True
canGrantToApps
A Boolean value that indicates whether this Role can be granted to Apps.
True if the Role can be granted to Apps; Otherwise False. 
Default value: False
isActive
A Boolean value that indicates whether the Role is active. Deactivated Roles can be activated again by a user of the Tenant.
True if the Role is Active; Otherwise False.
isDeleted
A Boolean value that indicates whether the Role is permanently deactivated and will be archived.
True if the Role is permanently deactivated; Otherwise False.
﻿
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a method of restricting access based on the roles of individual users or apps within a tenant.
User Access:
Access can be provided to users by assigning roles to a user group. Roles offered by an App can be mapped to one or more User Groups.
App Access:
Roles are assigned to an app for authenticating apps when they call another web service. Roles can be mapped to one or more Apps or Services. More than one Role can be mapped to an App or Service.
Access Token and Authorization Process
User Access Token
On successful user authentication, a browser/mobile app requests the Authorization API of AAA Service with appDomain, appId, and Authentication Token in HTTP Headers.
After verifying the authentication token, AAA Service issues a unique JWT (RFC-7519) as an Access Token that is valid for the unique combination of browser/mobile app, the tenant associated with the appDomain, and the Authentication Token.
📘 Access Token Validity ﻿
The Access Token has a validity of 24 hours.
User Authentication & Authorization (UI to Service)
Once the user is successfully logged in, all REST API requests to backend services include the following HTTP Headers:
X-COREOS-ACCESS: Authorization Token
X-COREOS-TID: Tenant ID
X-COREOS-REQUEST-ID: Request ID
X-COREOS-USERINFO: Userinfo
Service to Service Authentication & Authorization
For Service-to-Service communication, a client credentials grant is implemented for authentication. AAA service exposes an API to obtain a token for service communication, and this token should be sent as the header in all API communications to other services. The authorization is determined by the roles-required section in the access-control.yaml file.
All Service-to-Service REST API requests include the following headers:
X-COREOS-REQUEST-ID: Request ID
X-COREOS-TID: Tenant ID
Member
Description
Validation
Data type
clientId
Application's Client ID.
nullable: false
string
clientSecret
Application's Client Secret.
nullable: false
string
audience
App ID for which the token is required. Not required in keycloak API calls.
nullable: false
string
JSON
{
  "clientId": "string",
  "clientSecret": "string",
  "audience": "string"
}
{
  "clientId": "string",
  "clientSecret": "string",
  "audience": "string"
}
﻿
﻿

Member	Description	Validation	Data type
email	The email address of the user.	pattern: ^([a-zA-Z0-9_\.\+-]+)@([\da-zA-Z0-9_\.-]+)\.([a-zA-Z\.]{2,6})$ nullable: false minLength: 1	string
firstName	The first name of the user. The value can't be null and it must be between 1 to 36 characters in length.	nullable: false minLength: 1 maxLength: 36	string
lastName (Optional)	The last name of the user. The value can't be null and it must be between 1 to 36	nullable: false minLength: 1 maxLength: 36	string
countryCode	Country code for mobile number. The value can't be null and it must be between 2 to 4 characters in length.	nullable: false pattern: ^\+(\d{1}\-)?(\d{1,3})$ maxLength: 4 minLength: 2	string
number	The mobile number of the user. GET calls return a masked string in which only the last 4 digits of the phone number are in clear text. The value can't be null and it must be between 4 to 10 characters in length. Specify a value for either email or primaryMobile number. Also, both can be supplied as well.	nullable: false pattern: ^[0-9]{4,14}$ maxLength: 10 minLength: 4	string

Attribute	Description	Remarks
tenantId	Tenant Identifier.
userId	System-generated user identifier.
participantId (Optional)	The Participant Identifier of the user is generated by the Participant Service.
username	The first, middle, and last name of the User.	The middleName and lastName values are optional. If only the full name is available, it should be sent as firstName.
email	The email address of the User. Either an email address or primary mobile number is required.	GET calls return a masked value that reveals the first two characters of the username part of the email and masks the remaining characters with asterisks. The domain name part is not masked.
primaryMobile	The Primary mobile number with country code in JSON format. Either an email address or primary mobile number is required.	GET calls return the country code and the last 4 digits of the mobile number. The remaining characters are masked.
secondaryMobile (Optional)	The Secondary mobile number with country code in JSON format. The secondary mobile number is only allowed if a primary mobile number is specified.	GET calls return the country code and the last 4 digits of the mobile number. The remaining characters are masked.
allowSocialAuth (Optional)	A Boolean value that specifies whether Google Login is allowed.For example: "allowSocialAuth": {"google": true}	Default value: False
allowSAMLAuth (Optional)	A Boolean value that specifies whether SAML 2.0 Login is allowed.	Default value: False
samlConnector (Optional)	Named SAML 2.0 Connector.	Required if allowSAMLAuth is set as True.
samlUserId (Optional)	The identifier for the user in the SAML Identity Provider.	Required if allowSAMLAuth is set to True.
isActive	A Boolean value that indicates whether the user is temporarily deactivated or not. Users deactivated using this flag can be activated again by a user of the tenant (with the required role).	When set to True, User login is allowed. When set to False, User login is disallowed and the User or User Group is archived.
isDeleted	A Boolean value that specifies whether the user is permanently deactivated or not.	When set to True, User login is not allowed

Member	Description	Validation	Data type
name	Name of the group. The group name is unique for the application.	minLength: 2 maxLength: 50 pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$	string
description	Description of the group.	minLength: 2 maxLength: 50	string

Attributes	Description	Remarks
tenantId	Tenant Identifier.
groupId	System generated a fully qualified name of the user group.
name	One-word name for the User Group.	The name must be unique across user groups of a tenant.
roles	A list of roles mapped to the users belonging to the group.
users	A list of user IDs present in the group.
isDeleted	A Boolean value that indicates whether the user group is permanently deactivated or not.	Set the value to True to indicate that the User Group is deleted and archived. The default value is False.

Member	Description	Validation	Data type
connectionName	Unique name of the connection.	minLength: 2 maxLength: 50 pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$	string
connectionClientId	Client ID of the social application.		string
connectionClientSecret	Client Secret of the social application.		string

Member	Description	Validation	Data type
connectionName	Unique name of the connection.	minLength: 2 maxLength: 50 pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$	string
signInEndpoint (Optional)	Sign In endpoint of the SAML connection.		string
signOutEndpoint (Optional)	Sign Out endpoint of the SAML connection.		string
publicKeyCertificate	The certificate required for SAML connection should be of x509Cert format.		string

Claim Name	Description	Remarks
iss	Issuer	Always fixed for a tenant. Signifies issuer of the token.
sub	Subject	Identifies the User for whom the token is issued.
aud	Audience	Apps for which access is granted.
exp	Expiry	Expiration date time after which the token will be invalid.
iat	Issued At	The date-time at which the token was issued.

Member	Description	Validation	Data type
roleName	Name of the role (each role should be assigned with a name).	maxLength: 50 pattern: ^[a-zA-Z]+(-[a-zA-Z]+)*$	string
description	Description of the role.	nullable: false minLength: 2 maxLength: 50 pattern: ^([a-zA-Z])([a-zA-Z0-9,\s]*)$	string
securityLevel	The security level of the role. The default is OPEN. Used to restrict the access level for the role.	default: OPEN Valid values: SENSITIVE, RESTRICTED, OPEN	string
permissions	IDs of permission that are attached to this role.	pattern: ^([a-zA-Z])([-:a-zA-Z0-9]*)$	string
canGrantToApps	The boolean value indicates if the role can be granted to other apps/services.	default: false	boolean
canGrantToUsers	The boolean value indicates if the Role can be granted to user groups.	default: true	boolean

Attribute	Description	Remarks
tenantId	Unique identifier of the tenant.
appId	The App to which permissions in the Role belong.	A role can contain only permissions for resources that belong to a given App.
roleId	A unique, system-generated fully qualified name for the Role.	Format: Platform:Role:<appId>:<roleName> For example: Platform:Role:FMS:FleetManager OR Platform:Role:FaaS:FaaSAdmin
roleName	A unique name for the Role in the App specified by appId.	Max: 50 characters. Names can contain only alphabetic characters and hyphens. However, the Name should not start with a hyphen.
permissions	List of Permission Names attached to this Role.
managedBy	This field contains the appId of the App/service that created the Role or tenantId if the role was created by a tenant.	Users of a tenant cannot edit or remove Roles managed by Apps or services.
canGrantToUsers	A Boolean value that indicates whether this Role can be granted to User Groups.	True if the Role can be granted to User Groups; Otherwise False. Default value: True
canGrantToApps	A Boolean value that indicates whether this Role can be granted to Apps.	True if the Role can be granted to Apps; Otherwise False. Default value: False
isActive	A Boolean value that indicates whether the Role is active. Deactivated Roles can be activated again by a user of the Tenant.	True if the Role is Active; Otherwise False.
isDeleted	A Boolean value that indicates whether the Role is permanently deactivated and will be archived.	True if the Role is permanently deactivated; Otherwise False.

Member	Description	Validation	Data type
clientId	Application's Client ID.	nullable: false	string
clientSecret	Application's Client Secret.	nullable: false	string
audience	App ID for which the token is required. Not required in keycloak API calls.	nullable: false	string

Updated 27 Sep 2024

Did this page help you?

Attribute-Based Access Control (ABAC)

Entity