Security Requirements and Controls: ManageCluster API permission
API Stability: Long-Term
The updateTokenSecurityPolicies() GraphQL mutation is used to update the token security policies for the organization. Updating the policies will update or delete all existing tokens that don't fit the new policies. For instance, enforcing an IP filter for personal user tokens will set the IP filter on all tokens of that type. Disabling a token type will delete all tokens of that type. Finally, setting an enforced expiration will apply it to all tokens that are above the interval, while tokens inside the interval keep their current expiration. Tokens below the expiration will be deleted.
Syntax
Below is the syntax for the updateTokenSecurityPolicies() mutation:
```graphql
updateTokenSecurityPolicies(
  input: TokenSecurityPoliciesInput!
): Organization!
```
Below is an example of how this mutation field might be used:
```graphql
mutation {
  updateTokenSecurityPolicies( input:
    {
      personalUserTokensEnabled: true,
      viewPermissionTokensEnabled: true,
      viewPermissionTokensAllowPermissionUpdates: true,
      organizationPermissionTokensEnabled: true,
      organizationPermissionTokensAllowPermissionUpdates: true,
    }
  )
  { id }
}
```

```json
{
  "data": {
    "updateTokenSecurityPolicies": {
      "id": "SINGLE_ORGANIZATION_ID"
    }
  }
}
```
Given Datatypes
The TokenSecurityPoliciesInput has many parameters. Below is a list of them and a description of each:
Table: TokenSecurityPoliciesInput
Parameter | Type | Required | Default | Stability | Description |
---|---|---|---|---|---|
personalUserTokensEnabled | string | | | | Whether personal user tokens should be enabled. |
personalUserTokensEnforceExpirationAfterMs | long | | | | Maximum time in ms a personal user token can be used before expiring (TTL). |
personalUserTokensEnforceIpFilterId | string | | | | The IP filter that will be enforced on all personal user tokens. |
organizationPermissionTokensAllowPermissionUpdates | boolean | yes | | | Whether it should be allowed to change permissions on existing organization permission tokens. |
organizationPermissionTokensEnabled | boolean | yes | | | Whether organization permission tokens should be enabled. |
organizationPermissionTokensEnforceExpirationAfterMs | long | | | | Maximum time in milliseconds an organization permission token can be used before expiring (TTL). |
organizationPermissionTokensEnforceIpFilterId | string | | | | The IP filter that will be enforced on all organization permission tokens. |
systemPermissionTokensAllowPermissionUpdates | boolean | | | | Whether it should be allowed to change permissions on existing system permission tokens. |
systemPermissionTokensEnabled | boolean | | | | Whether system permission tokens should be enabled. |
systemPermissionTokensEnforceExpirationAfterMs | long | | | | Maximum time in milliseconds a system permission token can be used before expiring (TTL). |
systemPermissionTokensEnforceIpFilterId | string | | | | The IP filter that will be enforced on all system permission tokens. |
viewPermissionTokensAllowPermissionUpdates | boolean | yes | | | Whether it should be allowed to change permissions on existing view permission tokens. |
viewPermissionTokensEnabled | boolean | yes | | | Whether view permission tokens should be enabled. |
viewPermissionTokensEnforceExpirationAfterMs | long | | | | Maximum time in milliseconds a view permission token can be used before expiring (TTL). |
viewPermissionTokensEnforceIpFilterId | string | | | | The IP filter that will be enforced on all view permission tokens. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 20, 2024
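Because this mutation updates or deletes existing tokens, it helps to check a proposed policy before sending it. The following is an added example, not code from the product documentation: it validates field names against the table above, builds the request body using GraphQL variables, and lists the side effects on existing tokens described on this page. The helper names, the sample policy and the `IP_FILTER_ID` placeholder are assumptions made for illustration.

```python
import json

# Field names are taken from the TokenSecurityPoliciesInput table on this page.
TOKEN_TYPES = ("personalUser", "viewPermission", "organizationPermission", "systemPermission")
SUFFIXES = ("Enabled", "EnforceExpirationAfterMs", "EnforceIpFilterId", "AllowPermissionUpdates")
KNOWN = {f"{t}Tokens{s}" for t in TOKEN_TYPES for s in SUFFIXES} - {
    "personalUserTokensAllowPermissionUpdates"}  # not listed in the table
REQUIRED = {f"{t}Tokens{s}" for t in ("viewPermission", "organizationPermission")
            for s in ("Enabled", "AllowPermissionUpdates")}
MUTATION = """mutation ($input: TokenSecurityPoliciesInput!) {
  updateTokenSecurityPolicies(input: $input) { id }
}"""
MS_PER_DAY = 24 * 60 * 60 * 1000

def build_request(policy):
    """Validate field names and return the GraphQL request body as a dict."""
    unknown = sorted(set(policy) - KNOWN)
    missing = sorted(REQUIRED - set(policy))
    if unknown or missing:
        raise ValueError(f"unknown fields: {unknown}; missing required: {missing}")
    return {"query": MUTATION, "variables": {"input": policy}}

def effects_on_existing_tokens(policy):
    """List the side effects on existing tokens that the page describes."""
    effects = []
    for t in TOKEN_TYPES:
        if policy.get(f"{t}TokensEnabled") is False:
            effects.append((t, "all tokens of this type are deleted"))
            continue  # nothing else matters once the type is disabled
        if f"{t}TokensEnforceIpFilterId" in policy:
            effects.append((t, "IP filter is set on all tokens of this type"))
        if f"{t}TokensEnforceExpirationAfterMs" in policy:
            effects.append((t, "expiration is enforced; tokens are updated or deleted"))
    return effects

# Constructed sample policy; IP_FILTER_ID is a placeholder, not a real identifier.
SAMPLE_POLICY = {
    "personalUserTokensEnabled": True,
    "personalUserTokensEnforceExpirationAfterMs": 90 * MS_PER_DAY,
    "personalUserTokensEnforceIpFilterId": "IP_FILTER_ID",
    "viewPermissionTokensEnabled": True,
    "viewPermissionTokensAllowPermissionUpdates": False,
    "organizationPermissionTokensEnabled": True,
    "organizationPermissionTokensAllowPermissionUpdates": False,
    "systemPermissionTokensEnabled": False,
}

if __name__ == "__main__":
    for token_type, effect in effects_on_existing_tokens(SAMPLE_POLICY):
        print(f"{token_type}: {effect}")
    print(json.dumps(build_request(SAMPLE_POLICY), indent=2))
```

Review the printed effects with token owners before submitting the request body, since deleted tokens cannot be restored by reverting the policy.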
Returned Datatypes
As indicated by the syntax above, this mutation returns data using the Organization datatype. Below is a list of the parameters of that datatype:
Table: Organization
Parameter | Type | Required | Default | Stability | Description |
---|---|---|---|---|---|
cid | string | | | Short-Term | The CID corresponding to the organization. |
configs | OrganizationConfigs | yes | | Short-Term | Organization configurations and settings. See OrganizationDetails. |
createdAt | long | | | Short-Term | Date organization was created. |
defaultCachePolicy | CachePolicy | | | Preview | The default cache policy of the organization. See CachePolicy. This is a preview and subject to change. |
description | string | | | Short-Term | The description for the Organization. Can be null. |
details | OrganizationDetails | yes | | Short-Term | Any additional details related to the organization. See OrganizationDetails. |
externalGroupSynchronization | boolean | yes | | Short-Term | Whether there is group synchronization. |
externalPermissions | boolean | yes | | Short-Term | Whether permissions are managed externally. |
id | string | yes | | Short-Term | The unique id for the Organization. |
ingestUrl | string | | | Short-Term | The ingest URL for the organization. |
isActionAllowed | multiple | yes | | Short-Term | Check if user has a permission in organization. The datatype consists of (action: OrganizationAction): boolean. For OrganizationAction, give the action to check if a user is allowed to perform on the organization. See OrganizationAction. |
limits | [Limit] | yes | | Short-Term | Limits assigned to the organization. See Limit. |
limitsV2 | [LimitV2] | yes | | Short-Term | Limits assigned to the organization. See LimitV2. |
name | string | yes | | Short-Term | The name for the Organization. |
publicUrl | string | | | Short-Term | The public URL for the organization. |
readonlyDashboardIPFilter | string | | | Short-Term | IP filter for readonly dashboard links. |
searchDomains | [SearchDomain] | yes | | Short-Term | Search domains within the organization. See SearchDomain. |
stats | OrganizationStats | yes | | Short-Term | Statistics of the organization. See OrganizationStats. |
trialStartedAt | long | | | Short-Term | Date organization's trial started. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 27, 2024