The Identity and Access Management (IAM) module provides a set of resources for managing user authentication, authorization, and access control within Aidbox.

Overview

The IAM module includes the following resource types:

  • AccessPolicy
  • AuthConfig
  • Client
  • Grant
  • IdentityProvider
  • Notification
  • NotificationTemplate
  • Registration
  • Role
  • Scope
  • Session
  • TokenIntrospector
  • User

AccessPolicy

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
and | 0..* | Object | A list of conditions that must all be satisfied for the policy to grant access.
clj | 0..1 | string | Clojure code that defines access policy rules. DEPRECATED. DO NOT USE IT.
description | 0..1 | string | A textual description of the access policy.
engine | 0..1 | string | Specifies the evaluation engine used for the policy.
    Allowed values: json-schema | allow | sql | complex | matcho | clj | matcho-rpc | allow-rpc | signed-rpc | smart-on-fhir
link | 0..* | Reference | References to resources associated with this policy.
    Allowed references: Client, User, Operation
matcho | 0..1 | Object | Defines rules using the Matcho pattern-matching syntax.
module | 0..1 | string | Module that this policy belongs to.
or | 0..* | Object | A list of conditions where at least one must be satisfied for the policy to grant access.
roleName | 0..1 | string | Symbolic link to a Role by name.
rpc | 0..1 | Object | Defines rules for Remote Procedure Calls (RPCs).
schema | 0..1 | Object | JSON Schema used to validate requests against the policy.
sql | 0..1 | BackboneElement | SQL-based policy definition.
sql.query | 0..1 | string | SQL query used to evaluate access conditions.
type | 0..1 | string | The type or category of the access policy.
    Allowed values: scope | rest | rpc
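The following Python is an added illustration, not code from the Aidbox project: it models how the and/or clauses compose sub-policies under the complex engine, how a matcho clause is matched against the request context, and the overall decision rule (a request is allowed when at least one AccessPolicy grants it). The policy, the request contexts and their field names (request-method, uri, user, client) are constructed for this example, and the matcher is a deliberately reduced stand-in for Matcho: dict patterns match as subsets, strings beginning with # are regular expressions, and the literal present? requires a non-null value; nothing else is supported and engines other than allow, matcho and complex fail closed.

```python
import re
from typing import Any, Dict, List

# Constructed AccessPolicy in the JSON shape of the reference table above.
# Field names inside the matcho patterns are assumptions for this illustration.
POLICY: Dict[str, Any] = {
    "resourceType": "AccessPolicy",
    "id": "practitioner-reads-patients",
    "engine": "complex",
    "or": [
        # Branch 1: a user whose role is practitioner may GET Patient resources.
        {
            "engine": "complex",
            "and": [
                {"engine": "matcho", "matcho": {"request-method": "get"}},
                {"engine": "matcho", "matcho": {"uri": "#^/fhir/Patient(/[^/]+)?$"}},
                {"engine": "matcho", "matcho": {"user": {"data": {"role": "practitioner"}}}},
            ],
        },
        # Branch 2: a trusted client may perform any request.
        {"engine": "matcho", "matcho": {"client": {"trusted": True}}},
    ],
}


def match(pattern: Any, value: Any) -> bool:
    """Reduced Matcho-style structural match (a simplified stand-in, not the real engine).

    - dict pattern: every key must exist in value and match recursively (subset semantics)
    - string starting with '#': regular expression searched in a string value
    - the literal 'present?': value must be non-null
    - anything else: exact equality
    """
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return False
        return all(k in value and match(v, value[k]) for k, v in pattern.items())
    if isinstance(pattern, str):
        if pattern == "present?":
            return value is not None
        if pattern.startswith("#"):
            return isinstance(value, str) and re.search(pattern[1:], value) is not None
    return pattern == value


def evaluate(policy: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """Evaluate one policy: 'and' needs every sub-policy, 'or' needs at least one.

    Unknown engines (sql, json-schema, ...) are not modelled here and deny.
    """
    engine = policy.get("engine")
    if engine == "allow":
        return True
    if engine == "matcho":
        return match(policy.get("matcho", {}), request)
    if engine == "complex":
        if "and" in policy and not all(evaluate(p, request) for p in policy["and"]):
            return False
        if "or" in policy and not any(evaluate(p, request) for p in policy["or"]):
            return False
        return "and" in policy or "or" in policy  # a complex policy with no clauses denies
    return False


def is_allowed(policies: List[Dict[str, Any]], request: Dict[str, Any]) -> bool:
    """Decision rule: access is granted if any policy grants it, otherwise denied."""
    return any(evaluate(p, request) for p in policies)


# Constructed request contexts.
PRACTITIONER_GET = {
    "request-method": "get",
    "uri": "/fhir/Patient/p1",
    "user": {"id": "u1", "data": {"role": "practitioner"}},
    "client": {"id": "web", "trusted": False},
}
PRACTITIONER_DELETE = dict(PRACTITIONER_GET, **{"request-method": "delete"})
TRUSTED_CLIENT_DELETE = {
    "request-method": "delete",
    "uri": "/fhir/Patient/p1",
    "client": {"id": "batch", "trusted": True},
}

if __name__ == "__main__":
    for name, req in [("practitioner GET", PRACTITIONER_GET),
                      ("practitioner DELETE", PRACTITIONER_DELETE),
                      ("trusted client DELETE", TRUSTED_CLIENT_DELETE)]:
        print(name, "->", "allow" if is_allowed([POLICY], req) else "deny")
```

The regex branch is where real policies usually go wrong: an unanchored pattern such as #/fhir/Patient also matches /fhir/Patient/$export or /fhir/PatientX, so anchor URI patterns with ^ and $ as the example does.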

AuthConfig

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
asidCookieMaxAge | 0..1 | integer | Maximum age, in seconds, of the session created by logging in through the Aidbox UI. Since Aidbox version v:2402 such sessions are no longer infinite; the default expiration is 432000 seconds (5 days).
theme | 0..1 | BackboneElement |
theme.brand | 0..1 | string | Brand for the auth page.
theme.title | 0..1 | string | Title for the auth page.
theme.styleUrl | 0..1 | uri | URL of an external stylesheet.
theme.forgotPasswordUrl | 0..1 | uri | URL of the forgot-password page.
twoFactor | 0..1 | BackboneElement |
twoFactor.webhook | 0..1 | BackboneElement |
twoFactor.webhook.headers | 0..1 | Map | Map of HTTP header key-value pairs.
twoFactor.webhook.timeout | 0..1 | integer | Timeout in milliseconds.
twoFactor.webhook.endpoint | 1..1 | string | URL of a webhook that accepts POST requests.
twoFactor.issuerName | 0..1 | string | Issuer name shown in the OTP authenticator app.
twoFactor.validPastTokensCount | 0..1 | integer | Number of past tokens still accepted as valid (useful with a webhook, since an OTP lives for about 30 seconds and delivery takes time).

Client

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
active | 0..1 | boolean | Indicates whether this client is active and can be used for authentication.
allowed-scopes | 0..* | Reference | References to specific Scope resources this client is allowed to request.
    Allowed references: Scope
allowedIssuers | 0..* | string | List of authorized token issuers for this client.
allowed_origins | 0..* | uri | Origins (URLs) that are allowed to make requests with this client.
auth | 0..1 | BackboneElement | Authentication configuration for the different OAuth flows.
auth.client_credentials | 0..1 | BackboneElement | Configuration for the client credentials grant type.
auth.client_credentials.token_format | 0..1 | string | Format of the access token.
    Allowed values: jwt
auth.client_credentials.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds.
auth.client_credentials.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds.
auth.client_credentials.audience | 0..* | string | Intended audience for issued tokens; identifies the resource server the access is intended for. Aidbox compares the audience configured on the Client with the audience it receives in a JWT and decides whether access should be granted. The audience can be defined in two ways: as a plain string, e.g. https://cmpl.aidbox.app/smart, or as a regex, in which case the value must start with the # symbol, e.g. #https://cmpl.aidbox.app/tenant/[^\]/smart. Audience validation happens when a SMART on FHIR app launches.
auth.client_credentials.client_assertion_types | 0..* | string | Supported client assertion types.
    Allowed values: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
auth.client_credentials.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type.
auth.implicit | 0..1 | BackboneElement | Configuration for the implicit grant type.
auth.implicit.redirect_uri | 0..1 | url | Redirect URI for the implicit flow.
auth.implicit.token_format | 0..1 | string | Format of the access token.
    Allowed values: jwt
auth.implicit.audience | 0..* | string | Intended audience for issued tokens.
auth.implicit.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds.
auth.password | 0..1 | BackboneElement | Configuration for the password grant type.
auth.password.secret_required | 0..1 | boolean | Whether the client secret is required for the password grant.
auth.password.audience | 0..* | string | Intended audience for issued tokens.
auth.password.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type.
auth.password.redirect_uri | 0..1 | url | If present, turns on redirect protection.
auth.password.token_format | 0..1 | string | Format of the access token.
    Allowed values: jwt
auth.password.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds.
auth.password.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds.
auth.authorization_code | 0..1 | BackboneElement | Configuration for the authorization code grant type.
auth.authorization_code.token_format | 0..1 | string | Format of the access token.
    Allowed values: jwt
auth.authorization_code.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds.
auth.authorization_code.pkce | 0..1 | boolean | Whether PKCE (Proof Key for Code Exchange) is required.
auth.authorization_code.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds.
auth.authorization_code.secret_required | 0..1 | boolean | Whether the client secret is required for the token exchange.
auth.authorization_code.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type.
auth.authorization_code.default_identity_provider | 0..1 | Reference | Default IdentityProvider that will be used instead of the Aidbox login.
    Allowed references: IdentityProvider
auth.authorization_code.audience | 0..* | string | Intended audience for issued tokens.
auth.authorization_code.redirect_uri | 0..1 | url | Redirect URI for the authorization code flow.
auth.token_exchange | 0..1 | BackboneElement | Configuration for the token exchange grant type.
auth.token_exchange.token_format | 0..1 | string | Format of the access token.
    Allowed values: jwt
auth.token_exchange.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds.
auth.token_exchange.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds.
auth.token_exchange.audience | 0..* | string | Intended audience for issued tokens.
auth.token_exchange.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type.
description | 0..1 | string | A description of the client application for administrative purposes.
details | 0..1 | Object | Additional client details or configuration options.
fhir-base-url | 0..1 | string | Base URL of the FHIR server this client interacts with.
first_party | 0..1 | boolean | Indicates whether this is a first-party client.
grant_types | 0..* | string | OAuth 2.0 grant types this client is authorized to use.
    Allowed values: basic | authorization_code | code | password | client_credentials | implicit | refresh_token | urn:ietf:params:oauth:grant-type:token-exchange
jwks | 0..* | BackboneElement | JSON Web Key Set for client authentication and/or verification.
jwks.kid | 0..1 | string | Key ID that identifies this key.
jwks.kty | 0..1 | string | Key type.
    Allowed values: RSA
jwks.alg | 0..1 | string | Algorithm used with this key.
    Allowed values: RS384
jwks.e | 0..1 | string | Exponent value of the RSA key.
jwks.n | 0..1 | string | Modulus value of the RSA key.
jwks.use | 0..1 | string | Key usage.
    Allowed values: sig
jwks_uri | 0..1 | url | URI where the client's JSON Web Key Set can be retrieved.
name | 0..1 | string | Human-readable name of the client application.
scope | 0..* | string | List of scopes this client is authorized to request.
scopes | 0..* | BackboneElement | Detailed scope configurations with associated policies.
scopes.policy | 0..1 | Reference | Reference to an AccessPolicy resource for this scope.
    Allowed references: AccessPolicy
scopes.parameters | 0..1 | Object | Parameters to be applied with the scope's policy.
secret | 0..1 | sha256Hash | Hashed client secret used for authentication.
smart | 0..1 | BackboneElement | SMART on FHIR configuration for this client.
smart.launch_uri | 0..1 | string | URI to launch the SMART app.
smart.name | 0..1 | string | Name of the SMART app.
smart.description | 0..1 | string | Description of the SMART app.
trusted | 0..1 | boolean | Indicates whether this client is trusted and given special privileges.
type | 0..1 | string | The type of client application.

Grant

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
client | 0..1 | Reference | Reference to the client application being granted access.
    Allowed references: Client
patient | 0..1 | Reference | Reference to the patient this grant is for (in SMART on FHIR scenarios).
    Allowed references: Patient
provided-scope | 0..* | string | List of scopes that were actually granted by the user.
requested-scope | 0..* | string | List of scopes that were requested by the client.
scope | 0..1 | string | Space-separated list of granted scopes.
start | 0..1 | dateTime | Time when this grant was created.
user | 0..1 | Reference | Reference to the user who granted the access.
    Allowed references: User

IdentityProvider

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
active | 0..1 | boolean | Indicates whether this identity provider is active and can be used for authentication.
authorize_endpoint | 0..1 | string | The URL of the authorization endpoint.
base_url | 0..1 | uri |
client | 0..1 | BackboneElement | Client configuration for this identity provider.
client.id | 0..1 | string | Client identifier used for authentication with the identity provider.
client.redirect_uri | 0..1 | uri | URI where the provider will redirect after authentication.
client.auth-method | 0..1 | string | Client authentication method.
    Allowed values: symmetric | asymmetric
client.secret | 0..1 | string | Client secret for symmetric authentication.
client.private-key | 0..1 | string | Private key for asymmetric authentication.
client.certificate | 0..1 | string | Certificate.
client.certificate-thumbprint | 0..1 | string | Certificate thumbprint.
client.creds-ts | 0..1 | string |
introspection_endpoint | 0..1 | string | The URL of the token introspection endpoint.
isEmailUniqueness | 0..1 | boolean | Indicates whether email uniqueness should be enforced for this provider.
isScim | 0..1 | boolean | Indicates whether this provider supports the SCIM protocol.
jwks_uri | 0..1 | string | URI where the provider's JSON Web Key Set can be retrieved.
kid | 0..1 | string | Key identifier used for token verification.
organizations | 0..* | string | Organizations associated with this identity provider.
registration_endpoint | 0..1 | string | The URL of the registration endpoint.
revocation_endpoint | 0..1 | string | The URL of the token revocation endpoint.
scopes | 0..* | string | OAuth scopes that should be requested during authentication.
system | 0..1 | string | System identifier for the identity provider.
team_id | 0..1 | string |
title | 0..1 | string | A human-readable name for the identity provider.
toScim | 0..1 | Object | Mapping rules for transforming identity provider data.
token_endpoint | 0..1 | string | The URL of the token endpoint.
type | 0..1 | string | The type of identity provider.
    Allowed values: aidbox | github | google | OIDC | OAuth | az-dev | yandex | okta | apple
userinfo-source | 0..1 | string | Source of userinfo details.
    Allowed values: id-token | userinfo-endpoint
userinfo_endpoint | 0..1 | string | The URL of the userinfo endpoint.
userinfo_header | 0..1 | string | Header to be used when calling the userinfo endpoint.

Notification

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
provider | 0..1 | string |
providerData | 0..1 | Object |
status | 0..1 | string | Status of the notification delivery (delivered or error).
    Allowed values: delivered | error

NotificationTemplate

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
subject | 0..1 | string | Subject line for the notification template.
template | 0..1 | string | Template content used to generate the notification message.

Registration

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
params | 0..1 | Object |
resource | 0..1 | Object | Registration form data.
status | 0..1 | string | Status of the registration process.
    Allowed values: activated | active

Role

User role

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
context | 0..1 | Object |
description | 0..1 | string | Text description of the role.
links | 0..1 | BackboneElement | You may list resources here, which can later be granted access for the user with this role via an AccessPolicy resource.
links.patient | 0..1 | Reference | Reference to a Patient resource.
    Allowed references: Patient
links.practitionerRole | 0..1 | Reference | Reference to a PractitionerRole resource.
    Allowed references: PractitionerRole
links.practitioner | 0..1 | Reference | Reference to a Practitioner resource.
    Allowed references: Practitioner
links.organization | 0..1 | Reference | Reference to an Organization resource.
    Allowed references: Organization
links.person | 0..1 | Reference | Reference to a Person resource.
    Allowed references: Person
links.relatedPerson | 0..1 | Reference | Reference to a RelatedPerson resource.
    Allowed references: RelatedPerson
name | 1..1 | string | Role name is a string that defines the role. To assign the same role to multiple users, create multiple Role resources with the same "name". [Search param: name => type string]
user | 1..1 | Reference | Reference to the User resource for which the role will be applied. [Search param: user => type reference]
    Allowed references: User

Scope

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
description | 0..1 | string | When provided, the scope definition is additionally displayed on the consent screen.
scope | 1..1 | string | The value of the scope.
title | 1..1 | string | A user-friendly name for the scope that appears on the consent screen.

Session

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
access_token | 0..1 | sha256Hash | Hash of the access token associated with this session.
active | 0..1 | boolean | Indicates whether this session is currently active.
audience | 0..1 | string | Intended audience for tokens issued in this session.
authorization_code | 0..1 | sha256Hash | Hash of the authorization code used to obtain this session.
client | 0..1 | Reference | Reference to the client application associated with this session.
    Allowed references: Client
ctx | 0..1 | Object |
end | 0..1 | dateTime | Time when the session ended or will end.
exp | 0..1 | integer | Expiration time of the access token (in seconds since epoch).
jti | 0..1 | string |
on-behalf | 0..1 | Reference | Reference to a user on whose behalf this session is operating.
    Allowed references: User
parent | 0..1 | Reference | Reference to a parent session if this is a child session.
    Allowed references: Session
patient | 0..1 | Reference | Reference to the patient associated with this session.
    Allowed references: Patient
refresh_token | 0..1 | sha256Hash | Hash of the refresh token associated with this session.
refresh_token_exp | 0..1 | integer | Expiration time of the refresh token (in seconds since epoch).
scope | 0..* | string | List of OAuth scopes authorized for this session.
start | 0..1 | dateTime | Time when the session started.
type | 0..1 | string | Type of session (e.g. authorization_code, password, client_credentials).
user | 0..1 | Reference | Reference to the user associated with this session.
    Allowed references: User

TokenIntrospector

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
identity_provider | 0..1 | Reference | Link to the IdentityProvider associated with the token introspector.
    Allowed references: IdentityProvider
introspection_endpoint | 0..1 | BackboneElement |
introspection_endpoint.url | 0..1 | string | The fully qualified URL of the remote introspection endpoint.
introspection_endpoint.authorization | 0..1 | string | The Authorization header value (e.g. a Basic Auth or Bearer token) used when calling the introspection endpoint. If present, it is included in the request headers.
jwks_uri | 0..1 | string | A URL pointing to a JSON Web Key Set (JWKS). When type is jwt, the introspector retrieves public keys from this URI to validate token signatures.
jwt | 0..1 | BackboneElement | Configuration for local JWT validation, used when type is jwt.
jwt.iss | 0..1 | string | The expected issuer (iss) claim value for JWTs. The TokenIntrospector ensures that tokens it validates come from this issuer.
jwt.secret | 0..1 | string | A shared secret key or other signing key material used to verify the JWT's signature.
jwt.keys | 0..* | BackboneElement | The set of keys to use for validation.
jwt.keys.k | 0..1 | string | The symmetric key to use for validation.
jwt.keys.pub | 0..1 | string | The asymmetric (public) key to use for validation.
jwt.keys.kty | 1..1 | string | The key type to use for validation.
    Allowed values: RSA | EC | OCT
jwt.keys.alg | 1..1 | string | The algorithm to use for validation.
    Allowed values: RS256 | RS384 | ES256 | HS256
jwt.keys.format | 1..1 | string | The format of the key to use for validation: 'plain' for symmetric algorithms (HS256) and 'PEM' for all asymmetric algorithms.
    Allowed values: PEM | plain
type | 1..1 | string | Specifies the type of token to introspect.
    Allowed values: opaque | jwt | aspxauth
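The following Python is an added example, not code from the Aidbox code base. Using only the standard library, it models what a TokenIntrospector of type jwt with a single OCT/HS256/plain key is described to do (verify the signature against the configured key material, then check iss and exp) and, alongside it, the plain-string-or-#-regex audience convention from the Client table above (auth.client_credentials.audience). The introspector, the client audience list, the shared secret and every token are constructed here; iss, exp and aud are the standard JWT claim names. sign_hs256 exists only to mint test input and plays the role of the external issuer.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Any, Dict, List, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Mint a compact HS256 JWT. Only used to build inputs; the issuer does this in practice."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# Constructed TokenIntrospector in the shape of the table above: one symmetric key.
INTROSPECTOR: Dict[str, Any] = {
    "resourceType": "TokenIntrospector",
    "id": "external-idp",
    "type": "jwt",
    "jwt": {
        "iss": "https://idp.example.com",
        "keys": [{"kty": "OCT", "alg": "HS256", "format": "plain",
                  "k": "constructed-shared-secret-not-for-production"}],
    },
}

# Constructed Client audience list: one plain value, one '#'-prefixed regex.
CLIENT_AUDIENCE: List[str] = [
    "https://cmpl.aidbox.app/smart",
    "#^https://cmpl\\.aidbox\\.app/tenant/[^/]+/smart$",
]


def audience_allowed(aud_claim: Any, configured: List[str]) -> bool:
    """Plain entries must equal the aud claim; entries starting with '#' are regexes."""
    auds = aud_claim if isinstance(aud_claim, list) else [aud_claim]
    for allowed in configured:
        for aud in auds:
            if not isinstance(aud, str):
                continue
            if allowed.startswith("#"):
                if re.search(allowed[1:], aud):
                    return True
            elif allowed == aud:
                return True
    return False


def introspect(token: str, introspector: Dict[str, Any], now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the token verifies against the introspector, else None.

    Order matters: the signature is checked before any claim is trusted, the algorithm
    is pinned to the configured key entry (the token header alone is never trusted,
    which defeats alg=none and key-confusion tricks), then iss and exp are enforced.
    """
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    verified = False
    for key in introspector["jwt"].get("keys", []):
        if key["kty"] == "OCT" and key["alg"] == "HS256" and header.get("alg") == "HS256":
            expected = hmac.new(key["k"].encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig):
                verified = True
                break
    if not verified:
        return None
    if claims.get("iss") != introspector["jwt"].get("iss"):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


# Constructed tokens for the cases a verifier must handle.
SECRET = INTROSPECTOR["jwt"]["keys"][0]["k"].encode()
NOW = 1_700_000_000
GOOD = sign_hs256({"iss": "https://idp.example.com", "sub": "user-1",
                   "aud": "https://cmpl.aidbox.app/tenant/acme/smart", "exp": NOW + 300}, SECRET)
WRONG_ISSUER = sign_hs256({"iss": "https://evil.example.com", "sub": "user-1", "exp": NOW + 300}, SECRET)
TAMPERED = GOOD[:-4] + "AAAA"                       # signature bytes altered
NONE_ALG = b64url(b'{"alg":"none"}') + "." + GOOD.split(".")[1] + "."   # unsigned, alg=none
```

Note that a real deployment must also reject tokens whose aud does not match the Client: combine the two checks, audience_allowed(introspect(token)["aud"], client_audience), and treat any None as a hard failure.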

User

Path | Card. | Type | Description
_source | 0..1 | string | System Property. DO NOT USE IT.
active | 0..1 | boolean | NB: this attribute is ignored. Indicates the User's administrative status.
addresses | 0..* | BackboneElement | A physical mailing address for this User (e.g. 'work', 'home').
addresses.formatted | 0..1 | string | Full address, formatted for display or a mailing label.
addresses.streetAddress | 0..1 | string | Street address component (may contain newlines).
addresses.locality | 0..1 | string | City or locality component.
addresses.region | 0..1 | string | State or region component.
addresses.postalCode | 0..1 | string | Zip code or postal code.
addresses.country | 0..1 | string | Country name component.
addresses.type | 0..1 | string | A label indicating the address type, e.g. 'work' or 'home'.
costCenter | 0..1 | string | Identifies the name of a cost center.
data | 0..1 | Object | Arbitrary user-related data.
department | 0..1 | string | Identifies the name of a department.
displayName | 0..1 | string | The name of the User, suitable for display to end users.
division | 0..1 | string | Identifies the name of a division.
email | 0..1 | email | Primary email for the user.
emails | 0..* | BackboneElement | Email addresses for the user. Values should be canonicalized (e.g. 'bjensen@example.com').
emails.value | 0..1 | string | An individual email address (canonicalized).
emails.display | 0..1 | string | A human-readable name for display purposes (READ-ONLY).
emails.type | 0..1 | string | A label indicating the attribute's function, e.g. 'work', 'home'.
emails.primary | 0..1 | boolean | Indicates if this is the primary email. Only one primary may be 'true'.
employeeNumber | 0..1 | string | Numeric or alphanumeric identifier assigned to a person by the organization.
entitlements | 0..* | BackboneElement | A list of entitlements for the User that represent a thing the User has.
entitlements.value | 0..1 | string | The value of an entitlement.
entitlements.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY).
entitlements.type | 0..1 | string | A label indicating the attribute's function.
entitlements.primary | 0..1 | boolean | Indicates if this is the primary entitlement. Only one may be 'true'.
fhirUser | 0..1 | Reference | A reference to a related FHIR resource.
    Allowed references: Patient, Practitioner, PractitionerRole, Person, RelatedPerson
gender | 0..1 | string | The user's gender.
identifier | 0..* | Identifier | A list of identifiers for the user.
ims | 0..* | BackboneElement | Instant messaging addresses for the User.
ims.value | 0..1 | string | Instant messaging address.
ims.display | 0..1 | string | A human-readable name, primarily for display (READ-ONLY).
ims.type | 0..1 | string | A label indicating the IM type, e.g. 'aim', 'gtalk'.
ims.primary | 0..1 | boolean | Indicates if this is the primary IM. Only one may be 'true'.
inactive | 0..1 | boolean | A Boolean value indicating the User's administrative status.
link | 0..* | BackboneElement | A collection of references or links associated with the user.
link.link | 0..1 | Reference | A referenced resource link.
link.type | 0..1 | string | A label indicating the link's function.
locale | 0..1 | string | Indicates the User's default location for localization (e.g. currency, date format).
manager | 0..1 | Reference | Another User resource who is this User's manager.
    Allowed references: User
name | 0..1 | BackboneElement | The components of the user's real name (formatted, family, given, etc.).
name.formatted | 0..1 | string | Full name, including titles and suffixes, formatted for display.
name.familyName | 0..1 | string | Family name (last name in Western languages).
name.givenName | 0..1 | string | Given name (first name in Western languages).
name.middleName | 0..1 | string | The middle name(s) of the User.
name.honorificPrefix | 0..1 | string | Honorific prefix (title), e.g. 'Ms.'.
name.honorificSuffix | 0..1 | string | Honorific suffix, e.g. 'III'.
organization | 0..1 | Reference | Identifies the user's organization.
    Allowed references: Organization
password | 0..1 | password | The User's cleartext password, used for initial or reset scenarios.
phoneNumber | 0..1 | string | Primary phone number.
phoneNumbers | 0..* | BackboneElement | Phone numbers for the User, e.g. 'tel:+1-201-555-0123'.
phoneNumbers.value | 0..1 | string | The user's phone number.
phoneNumbers.display | 0..1 | string | A human-readable name for display purposes (READ-ONLY).
phoneNumbers.type | 0..1 | string | A label for the phone number's function, e.g. 'home', 'work'.
phoneNumbers.primary | 0..1 | boolean | Indicates if this is the primary phone number. Only one may be 'true'.
photo | 0..1 | uri | Primary photo for the user.
photos | 0..* | BackboneElement | URLs of photos of the user.
photos.value | 0..1 | uri | URL of a photo of the User.
photos.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY).
photos.type | 0..1 | string | A label indicating 'photo' or 'thumbnail'.
photos.primary | 0..1 | boolean | Indicates if this is the primary photo. Only one may be 'true'.
preferredLanguage | 0..1 | string | The User's preferred written or spoken language, e.g. 'en_US'.
profileUrl | 0..1 | uri | A fully qualified URL pointing to a page representing the User's online profile.
roles | 0..* | BackboneElement | A list of roles for the User that collectively represent who the User is (e.g. 'Student', 'Faculty').
roles.value | 0..1 | string | The value of a role.
roles.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY).
roles.type | 0..1 | string | A label indicating the attribute's function.
roles.primary | 0..1 | boolean | Indicates if this is the primary role. Only one may be 'true'.
securityLabel | 0..* | BackboneElement | List of security labels associated with the user.
securityLabel.system | 0..1 | string | Code system.
securityLabel.code | 0..1 | string | Code value.
timezone | 0..1 | string | The User's time zone in the 'Olson' format, e.g. 'America/Los_Angeles'.
title | 0..1 | string | The user's title, e.g. 'Vice President'.
twoFactor | 0..1 | BackboneElement | Two-factor settings for the user.
twoFactor.enabled | 1..1 | boolean | Defines whether two-factor auth is currently enabled.
twoFactor.transport | 0..1 | string | Transport of the 2FA confirmation code (if used).
twoFactor.secretKey | 1..1 | string | TOTP secret key.
userName | 0..1 | string | Unique identifier for the User, typically used to directly authenticate. Must be unique across the service provider's Users.
userType | 0..1 | string | Identifies the relationship between the organization and the user (e.g. 'Employee', 'Contractor').
x509Certificates | 0..* | BackboneElement | A list of certificates issued to the User.
x509Certificates.value | 0..1 | base64Binary | The value of an X.509 certificate (base64).
x509Certificates.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY).
x509Certificates.type | 0..1 | string | A label indicating the certificate's function.
x509Certificates.primary | 0..1 | boolean | Indicates if this is the primary certificate. Only one may be 'true'.
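The following Python is an added example, not Aidbox code. It implements RFC 6238 TOTP generation for a User.twoFactor.secretKey and a verifier that applies the validPastTokensCount behaviour described in the AuthConfig table (accept the current code plus a configurable number of previous 30-second codes, with no future window). It assumes the secret is stored base32-encoded, as authenticator apps expect; the secret used here is the RFC 6238 reference secret so the generated codes can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret_b32: str, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1, the authenticator-app default)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, valid_past_tokens: int = 0,
                now: Optional[int] = None, period: int = 30) -> bool:
    """Accept the current code and up to `valid_past_tokens` earlier ones.

    This mirrors validPastTokensCount: a code delivered through a slow webhook
    may arrive after its 30-second step has rolled over. Future steps are never
    accepted, and every comparison is constant-time.
    """
    now = int(time.time()) if now is None else now
    current = now // period
    accepted = False
    for back in range(max(0, valid_past_tokens) + 1):
        # Compare every candidate so timing does not reveal which step matched.
        if hmac.compare_digest(totp(secret_b32, current - back), submitted):
            accepted = True
    return accepted


# Constructed User.twoFactor.secretKey: the RFC 6238 reference secret "12345678901234567890" in base32.
SECRET_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("current code:", totp(SECRET_KEY, int(time.time()) // 30))
```

The validPastTokensCount window widens the set of acceptable codes from one to N+1, so keep it as small as delivery latency requires; the page's own caveat about the 30-second OTP lifetime is the reason the setting exists at all.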

Last updated 2025-07-22T00:23:18Z