Realms
Realms are logical partitions of users and provide user isolation. Each realm has its own set of users and authentication providers.
Structure
The realm definition for your product can be viewed at iam/realms.yaml and has the parameters below.
| Name | Description |
|---|---|
| name | name of the realm |
| default | set to true for default realm |
| active | true for active realms; set to false to inactivate a realm |
| providers | list of authentication providers to be enabled for the product |
Types of Realms
Every product has a default realm and can also define its own custom realms.
Default Realm
Every product has a default realm called users, backed by the users entity. The key fields of the users entity are listed below.
| Name | Description | Datatype | Validations | Attributes |
|---|---|---|---|---|
| id | autogenerated unique id | ulid | required, unique | |
| email | user email | string | required, unique, length min 3 & max 255 | Use for identity and authentication |
| mobile | user mobile | string | unique | Use for authentication |
| firstname | First name of the user | string | required, length min 3 & max 255 | |
| middlename | Middle name of the user | string | length min 3 & max 255 | |
| lastname | Last name of the user | string | required, length min 3 & max 255 | |
| displayname | Display name for the user | string | | computed: firstname + " " + middlename + " " + lastname |
| active | status of the user | boolean | required | defaultvalue: true |
| locked | status of the user account | boolean | required | defaultvalue: false |
| tags | labels that can be associated with the user | array(string) | | |
| password | the user's password (stored hashed) | string | | |
| meta | miscellaneous fields | object | | |
| properties | user required properties | object | | |
The required authentication providers can be defined under the users realm.
iam > realms.yaml

```yaml
realms:
  users:
    default: true
    active: true # optional, default is true
    providers:
      - password
      - o365
      - passwordotp
      - magicnumbers01
```

Custom Realms
At times the fields defined in the default users realm are not sufficient, and custom realms and entities need to be defined. Custom realms provide the option to define custom entities and tag them as default realms. Once a realm is defined, it is automatically applied to all tenants in that environment.
useforauth
Use for authentication enables a field, such as email or mobile, to be used at the time of login to the application. Any number of fields can be tagged as useforauth.
useforidentity
Identity ensures the user is tracked by this field while using the application. Only one field should be tagged as useforidentity.
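The identity/authentication split described above, as an added illustration (not the product's code): the login fields tagged useforauth (email, mobile) are personal data that live only in the users entity, while every other record references the user solely through the one useforidentity field (id). Erasing a user then means scrubbing one record; the activity log keeps only ids and stays consistent. The `UsersEntity` and `ActivityLog` classes and the sample user are constructed for this example.

```python
"""Identity versus authentication fields (added example, constructed stores)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    id: str                 # useforidentity: stable, carries no personal data
    email: Optional[str]    # useforauth: personal data
    mobile: Optional[str]   # useforauth: personal data
    firstname: str
    lastname: str
    active: bool = True


class UsersEntity:
    """Minimal stand-in for the users entity (constructed, not the product's)."""

    def __init__(self) -> None:
        self._by_id: Dict[str, User] = {}
        self._auth_index: Dict[str, str] = {}  # useforauth value -> id

    def add(self, user: User) -> None:
        self._by_id[user.id] = user
        for login in (user.email, user.mobile):
            if login:
                self._auth_index[login] = user.id

    def authenticate(self, login: str) -> Optional[str]:
        """Resolve a useforauth value to the identity (id); None if unknown or inactive."""
        uid = self._auth_index.get(login)
        if uid is None or not self._by_id[uid].active:
            return None
        return uid

    def forget(self, uid: str) -> None:
        """Right to be forgotten: scrub personal data from this one record only.
        Every other record refers to the id, so nothing else has to change."""
        user = self._by_id[uid]
        for login in (user.email, user.mobile):
            self._auth_index.pop(login, None)
        user.email = None
        user.mobile = None
        user.firstname = "[erased]"
        user.lastname = "[erased]"
        user.active = False


class ActivityLog:
    """Any other record: stores the identity field (id) only (constructed)."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, uid: str, action: str) -> None:
        self.entries.append({"user_id": uid, "action": action})

    def for_user(self, uid: str) -> List[str]:
        return [e["action"] for e in self.entries if e["user_id"] == uid]

    def mentions(self, value: str) -> bool:
        """True if a raw value (e.g. an erased email) still appears in any entry."""
        return any(value in str(v) for e in self.entries for v in e.values())


def demo() -> dict:
    """Create a user, log activity by id, erase the user, report what remains."""
    users = UsersEntity()
    log = ActivityLog()
    # Constructed sample user; the id is a made-up ULID-shaped string.
    users.add(User("01HZX0000000000000000000AA", "alice@example.test",
                   "+15550100", "Alice", "Smith"))
    uid = users.authenticate("alice@example.test")
    log.record(uid, "login")
    log.record(uid, "order:1001")
    users.forget(uid)
    return {
        "id": uid,
        "login_after_erasure": users.authenticate("alice@example.test"),
        "history_retained": log.for_user(uid),
        "pii_in_log": log.mentions("alice@example.test"),
    }


if __name__ == "__main__":
    print(demo())
```

After `forget()`, the email no longer authenticates, the history is still attributable to the id, and no login value survives outside the users entity; that is the property the GDPR note below relies on.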
NOTE
useforidentity is useful when enabling GDPR for your application: email can be used for authentication while id is used for identity. When a user needs to be forgotten, updating the users entity alone is sufficient, because the system records all other data against the id.

Example - Create a custom realm
Let's create a custom realm called customers that uses id for identity and email and mobile for authentication.
customers.yaml
```yaml
entities:
- name: customers
  fields:
  - name: id
    type: ulid
    ..
    attributes:
      useforidentity: true
  - name: email
    type: string
    ...
    attributes:
      useforauth: true
  - name: mobile
    type: string
    attributes:
      useforauth: true
  - name: password
    type: string
  - name: active
    type: boolean
    validations:
    - type: required
    defaultvalue: |
      true
  - name: locked
    type: boolean
    defaultvalue: |
      false
```

NOTE
A custom entity always extends the default users entity.

Example - Create a Custom Realm
Let's create a custom entity called customers and a customers realm for it.
customers.yaml
```yaml
entities:
- name: customers
  fields:
  - name: id
    type: ulid
    defaultvalue: ulid()
  - name: name
    type: string
    validations:
    - type: required
    compliances:
    - type: nolog
  - name: username
    type: string
  - name: password
    type: string
    validations:
    - type: required
      message: Password is required
    compliances:
    - type: hash
      salt: S$gsd#%
  - name: email
    type: string
```

realms.yaml

```yaml
realms:
  customers:
    entity: customers
    providers:
      - password
      - o365
```

Remote Realms
Remote realms are custom realms created from remote entities. Users created through a remote entity are always stored in the remote entity itself.
Default Users entity
```yaml
---
entities:
- name: users
  status: active
  default-order: id
  cdc: typeaudit
  inherits: kisai.common
  fields:
  - name: id
    type: ulid
    defaultvalue: ulid()
    validations:
    - type: required
    - type: unique
      message: id field needs to be unique
    - type: final
      message: id field cannot be updated
  - name: email
    type: string
    validations:
    - type: required
    - type: length
      min: 3
      max: 255
    - type: unique
    attributes:
      useforauth: true
      useforidentity: true
    compliances:
    - type: nolog
  - name: mobile
    type: string
    attributes:
      useforauth: true
    validations:
    - type: unique
    compliances:
    - type: nolog
  - name: meta
    type: object
    defaultvalue: |
      '{}'
  - name: properties
    type: object
    defaultvalue: |
      '{}'
  - name: firstname
    type: string
    validations:
    - type: required
    - type: length
      min: 3
      max: 255
    compliances:
    - type: nolog
  - name: lastname
    type: string
    validations:
    - type: required
    - type: length
      min: 3
      max: 255
    compliances:
    - type: nolog
  - name: middlename
    type: string
    validations:
    - type: length
      max: 255
    compliances:
    - type: nolog
  - name: displayname
    type: string
    computed: |
      firstname + " " + middlename + " " + lastname
  - name: password
    type: string
    compliances:
    - type: hash
  - name: active
    type: boolean
    validations:
    - type: required
    defaultvalue: |
      true
  - name: locked
    type: boolean
    defaultvalue: |
      false
  - name: tags
    type: array(string)
```
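The custom entity and realm definitions earlier on this page (customers.yaml, realms.yaml) and the default users entity above all follow the same shape, so a small lint can check them before they are deployed to every tenant. The following is an added example, not the product's own tooling: it encodes the rules the page states (only one useforidentity field, at least one useforauth field, password kept under the hash compliance, login identifiers marked nolog as the default users entity does) plus two assumed rules, that exactly one realm is tagged default and that a realm without an explicit entity is backed by the entity of the same name. The `ENTITIES` and `REALMS` dicts are constructed to mirror the YAML on this page; in practice you would load the files with a YAML parser (for example `yaml.safe_load`) and pass the resulting dicts in.

```python
"""Lint entity and realm definitions against the rules on this page (added example)."""
from typing import Dict, List

# Constructed: shape of customers.yaml, trimmed to the fields that matter here.
ENTITIES: Dict = {
    "entities": [
        {
            "name": "customers",
            "fields": [
                {"name": "id", "type": "ulid", "attributes": {"useforidentity": True}},
                {"name": "email", "type": "string", "attributes": {"useforauth": True},
                 "compliances": [{"type": "nolog"}]},
                {"name": "mobile", "type": "string", "attributes": {"useforauth": True},
                 "compliances": [{"type": "nolog"}]},
                {"name": "password", "type": "string", "compliances": [{"type": "hash"}]},
            ],
        }
    ]
}

# Constructed: shape of realms.yaml with the default users realm and a custom realm.
REALMS: Dict = {
    "realms": {
        "users": {"default": True, "providers": ["password", "o365"]},
        "customers": {"entity": "customers", "providers": ["password", "o365"]},
    }
}


def _attrs(field: dict) -> dict:
    return field.get("attributes") or {}


def _compliance_types(field: dict) -> set:
    return {c.get("type") for c in field.get("compliances") or []}


def lint_entity(entity: dict) -> List[str]:
    """Problems in one entity definition; an empty list means it passes."""
    name = entity.get("name", "<unnamed>")
    fields = entity.get("fields") or []
    problems: List[str] = []
    identity = [f["name"] for f in fields if _attrs(f).get("useforidentity")]
    auth = [f["name"] for f in fields if _attrs(f).get("useforauth")]
    # Page rule: only one field may be tagged useforidentity.
    if len(identity) != 1:
        problems.append(f"{name}: expected exactly one useforidentity field, found {identity}")
    # Without a useforauth field nobody can log in to this realm.
    if not auth:
        problems.append(f"{name}: no field tagged useforauth")
    for f in fields:
        types = _compliance_types(f)
        # The default users entity keeps password under the hash compliance;
        # a custom entity that redefines password should do the same.
        if f["name"] == "password" and "hash" not in types:
            problems.append(f"{name}.password: missing 'hash' compliance")
        # Login identifiers are personal data; the default entity marks them nolog
        # (assumed here to be the expected baseline for custom entities as well).
        if _attrs(f).get("useforauth") and "nolog" not in types:
            problems.append(f"{name}.{f['name']}: useforauth field lacks 'nolog' compliance")
    return problems


def lint_realms(realms_doc: dict, entities_doc: dict) -> List[str]:
    """Cross-check realms.yaml against the entities it references."""
    problems: List[str] = []
    # The built-in users realm is backed by the default users entity.
    known = {e["name"] for e in entities_doc.get("entities") or []} | {"users"}
    realms = realms_doc.get("realms") or {}
    defaults = [n for n, r in realms.items() if r.get("default")]
    # Assumed rule: exactly one realm carries default: true.
    if len(defaults) != 1:
        problems.append(f"expected exactly one default realm, found {defaults}")
    for rname, realm in realms.items():
        # Assumption: a realm without 'entity' is backed by the entity of the same name.
        entity = realm.get("entity", rname)
        if entity not in known:
            problems.append(f"realm {rname}: references unknown entity '{entity}'")
        if not realm.get("providers"):
            problems.append(f"realm {rname}: no authentication providers enabled")
        if realm.get("active", True) is False and realm.get("default"):
            problems.append(f"realm {rname}: default realm is inactive")
    return problems


def lint(entities_doc: dict, realms_doc: dict) -> List[str]:
    """Run both checks and return every problem found."""
    problems: List[str] = []
    for entity in entities_doc.get("entities") or []:
        problems.extend(lint_entity(entity))
    problems.extend(lint_realms(realms_doc, entities_doc))
    return problems


if __name__ == "__main__":
    for line in lint(ENTITIES, REALMS) or ["OK: no problems found"]:
        print(line)
```

Run it against the page's definitions and it reports nothing; drop the hash compliance from password, tag a second field useforidentity, or point a realm at an entity that does not exist and each case is reported by name, which is cheaper than discovering it after the realm has been applied to all tenants.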