These tools create or expect a configuration repository with the structure below. Configuration consists of

- Realm specific configuration under the `realms` top level directory
- Global configuration under its respective top level directories

The configuration repo contains the top level directory `realms`, with a subdirectory for each of the realms to be pushed/pulled (`alpha` and/or `bravo`). Each realm directory has the following subdirectories:
Directory | Contents |
---|---|
scripts | This directory contains one JSON file per script defined in this realm. The scripts themselves are created under `script-content/{script-type}`. |
journeys | This contains a subdirectory `{journey-name}` for each journey configured in the realm. Each of these subdirectories contains the file `{journey-name}.json` with the overall tree configuration, together with a `nodes` subdirectory containing one file per node in the tree. Node config filenames are formatted as `{node-display-name} - {tree-node-id}.json`. In the case of Page nodes, all child nodes are contained within a subdirectory named `{page-node-display-name} - {page-tree-node-id}.json`. |
password-policy | `{realm}_user-password-policy.json` contains the realm password policy. |
services | This directory contains one file `{service-name}.json` per access management service configured in the realm. |
themes | There is one subdirectory `{theme-name}` per theme defined in the realm. Each theme directory has the file `{theme-name}.json` containing the top level theme configuration, alongside separate HTML files containing the header and footer contents. |
secret-mappings | There is one file `{mapping-name}.json` per secret mapping defined in each realm. These are specifically the tenant specific mappings defined in the customer accessible ESV secret store. |
authorization | This directory contains the Authorization Policy Engine configuration. There are two subdirectories: `policy-sets` contains a subdirectory per policy set, and `resource-types` contains the authorization resource types in use by these policy sets. This directory is populated by the `fr-config-pull` tool according to the list of policy sets defined in the `.env` file. |
realm-config | This directory contains the overall configuration for each realm, such as `authentication.json`, together with the subdirectory `agents` which contains the OAuth2 agents to be exported/imported for each environment. This directory is populated by the `fr-config-pull` tool, according to the list of agents defined in the `.env` file. |
The configuration repo contains the following directories for tenant wide configuration - i.e. non realm specific configuration:
Directory | Contents |
---|---|
sync | Subdirectories as follows |
cors | This contains the combined CORS configuration for the tenant, `cors-config.json`, with settings for both `/am` and `/openidm` endpoints. |
email-provider | The external email service configuration `external.email.json`. |
email-templates | One subdirectory `{template-name}` per email template. Each subdirectory contains the top level template configuration `{template-name}.json`, alongside separate files for |
access-config | The authorisation configuration `access.json` for `/openidm` endpoints. |
endpoints | A subdirectory per endpoint, each subdirectory containing a JSON file with the endpoint configuration `{endpoint-name}.json` alongside the file `{endpoint-name}.js` containing the endpoint JavaScript. |
schedules | A subdirectory per schedule, each subdirectory containing a JSON file with the schedule configuration `{schedule-name}.json`, alongside the script file `{schedule-name}.js` where applicable. |
kba | The Knowledge Based Authentication configuration for the tenant as a single JSON file `selfservice.kba.json`. |
managed-objects | One subdirectory `{object-name}` for each managed object configured in the tenant. Each subdirectory contains a JSON file `{object-name}.json` with the top level managed object configuration, alongside a separate JavaScript file `{object-name}.{event-trigger}.json` for each managed object trigger script. |
terms-conditions | A JSON file with the top level terms and conditions configuration `terms-conditions.json`, alongside a subdirectory `{terms-version}` for each version configured. Each subdirectory has an HTML file `{language}.html` for each language configured. |
ui | A JSON file with the hosted UI configuration. |
esvs | Subdirectories as follows […] `valueBase64` value. This is intended for substitution with an environment variable in the working environment of the configuration push. In the case of secrets, there are one or more versions of the secret listed in the JSON file. Each version has its own secret value: the highest version in the list will be the active version after running a push. Once the push is complete, any pre-existing versions of a secret are removed. |
internal-roles | One JSON file `{role-name}.json` per authorisation role configured in the tenant. This does not include the system roles such as `openidm-admin` etc. (system roles are detected and excluded based on their having no configured privileges). |
service-objects | This contains the managed objects to push to each environment, e.g. service managed users, managed roles etc. There is one directory per managed object type to be pushed: within each directory there is one JSON file for each object to create, containing the object attributes. The JSON must contain an `_id` attribute, which is used for the push so that the object is created or updated with a fixed ID. |
locales | This contains the UI message strings for all locales configured in the tenant. There is one file `{locale}.json` per locale configured. |
audit | This contains the identity management audit configuration for the tenant as a single file `audit.json`. |
org-privileges | This contains the organisation privileges configuration as three separate files: `alphaOrgPrivileges.json`, `bravoOrgPrivileges.json` and `privilegeAssignments.json`. |
raw | This contains raw configuration, and is where the `fr-config-pull raw` command creates any individually pulled configuration objects. The `fr-config-push raw` command will search this directory for any config to be pushed. |