IAM Configuration
Configuration properties for the Contexa IAM (Identity and Access Management) module — admin console, policy combining algorithm, and step-up authentication settings.
IAM Configuration Overview
The IAM module manages authorization through dynamic policies stored in the database. Unlike most other Contexa modules, policy bodies themselves are created and edited through the Admin Dashboard UI rather than application.yml. Three things are controlled by application.yml:
- Admin console — REST docs path and condition-template auto-generation toggle (`contexa.iam.admin`)
- Policy combining algorithm — how multiple matching policies collapse to a single decision (`contexa.policy`)
- Step-up authentication — MFA attempt limits and lockout duration (`security.stepup`)
For policy body management, refer to the Admin Dashboard and Policy Management reference pages.
IAM Admin Properties
Properties under contexa.iam.admin, bound to IamAdminProperties. Configures the IAM admin console settings, including the path to the REST API documentation served by the admin module.
| Property | Type | Default | Description |
|---|---|---|---|
| `contexa.iam.admin.rest-docs-path` | String | `/docs/index.html` | Path to the REST API documentation page served by the IAM admin module. |
| `contexa.iam.admin.condition-templates.enabled` | boolean | `false` | Opt-in flag. When `true`, the automatic condition-template generation path is triggered on application startup. Manual admin endpoints are unaffected. |
```yaml
contexa:
  iam:
    admin:
      rest-docs-path: /docs/index.html
      condition-templates:
        enabled: false
```
Related: Admin Dashboard Reference
Policy Combining Algorithm
Properties under contexa.policy, bound to PolicyCombiningProperties. Selects one of the XACML 3.0 standard combining algorithms used to collapse multiple matching policies into a single decision (ALLOW/DENY).
| Property | Type | Default | Description |
|---|---|---|---|
| `contexa.policy.combining-algorithm` | enum | `FIRST_APPLICABLE` | Allowed values: `DENY_OVERRIDES` (any DENY wins — most secure), `PERMIT_OVERRIDES` (any ALLOW wins), `FIRST_APPLICABLE` (priority-ordered, first matching policy decides — default), `DENY_UNLESS_PERMIT` (DENY unless an explicit ALLOW is present). |
```yaml
contexa:
  policy:
    combining-algorithm: FIRST_APPLICABLE
```
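The four allowed values differ in how they treat the same set of matching policies, and the difference matters most when a broad ALLOW policy and a narrower DENY policy both match. The following worked example is added here and is not Contexa's code: it implements the semantics of each XACML 3.0 combining algorithm named above over a list of per-policy decisions, so the effect of the `contexa.policy.combining-algorithm` setting can be compared side by side. The `Decision` enum, the function names and the sample policy set are all constructed for this illustration.

```python
from enum import Enum
from typing import Callable, Dict, Iterable, List


class Decision(Enum):
    """Outcome of evaluating one policy against a request (constructed for this example)."""
    ALLOW = "ALLOW"
    DENY = "DENY"
    NOT_APPLICABLE = "NOT_APPLICABLE"  # the policy did not match the request


def deny_overrides(decisions: List[Decision]) -> Decision:
    """Any DENY wins; ALLOW only when at least one policy allowed and none denied."""
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.ALLOW in decisions:
        return Decision.ALLOW
    return Decision.NOT_APPLICABLE


def permit_overrides(decisions: List[Decision]) -> Decision:
    """Any ALLOW wins, even if another matching policy denied."""
    if Decision.ALLOW in decisions:
        return Decision.ALLOW
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def first_applicable(decisions: List[Decision]) -> Decision:
    """Policies are given in priority order; the first one that yields a decision wins."""
    for decision in decisions:
        if decision is not Decision.NOT_APPLICABLE:
            return decision
    return Decision.NOT_APPLICABLE


def deny_unless_permit(decisions: List[Decision]) -> Decision:
    """DENY unless an explicit ALLOW is present; never returns NOT_APPLICABLE."""
    return Decision.ALLOW if Decision.ALLOW in decisions else Decision.DENY


# Keys are the allowed values of contexa.policy.combining-algorithm.
ALGORITHMS: Dict[str, Callable[[List[Decision]], Decision]] = {
    "DENY_OVERRIDES": deny_overrides,
    "PERMIT_OVERRIDES": permit_overrides,
    "FIRST_APPLICABLE": first_applicable,
    "DENY_UNLESS_PERMIT": deny_unless_permit,
}


def combine(algorithm: str, decisions: Iterable[Decision]) -> Decision:
    """Collapse the decisions of all matching policies under the configured algorithm."""
    try:
        fn = ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError(f"unknown combining algorithm: {algorithm!r}") from None
    return fn(list(decisions))


def compare_all(decisions: Iterable[Decision]) -> Dict[str, str]:
    """Run every algorithm over the same decisions so the differences are visible side by side."""
    decisions = list(decisions)
    return {name: combine(name, decisions).value for name in ALGORITHMS}


if __name__ == "__main__":
    # Constructed sample: three policies matched a request, listed in priority order:
    #   1. a broad policy that ALLOWS employees to read documents
    #   2. a narrower policy that DENIES contractors access to financial documents
    #   3. a policy that did not apply to this request at all
    matched = [Decision.ALLOW, Decision.DENY, Decision.NOT_APPLICABLE]
    for name, result in compare_all(matched).items():
        print(f"{name:<20} -> {result}")
    # With no applicable policy, only DENY_UNLESS_PERMIT yields a definite decision.
    for name, result in compare_all([Decision.NOT_APPLICABLE]).items():
        print(f"{name:<20} (nothing matched) -> {result}")
```

Two points the output makes visible: under `FIRST_APPLICABLE` the outcome depends on policy priority, so inserting or reordering a broad ALLOW policy above a DENY silently changes the decision, whereas `DENY_OVERRIDES` gives the same answer regardless of order; and when nothing matches, `DENY_UNLESS_PERMIT` is the only algorithm that returns a definite DENY rather than NOT_APPLICABLE, which is worth knowing when deciding what the caller should do with an inconclusive result.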
Step-up Authentication
Properties under security.stepup, bound to SecurityStepUpProperties. Controls the maximum number of attempts and the lockout duration that apply when a risk signal triggers a step-up MFA challenge.
| Property | Type | Default | Description |
|---|---|---|---|
| `security.stepup.max-attempts` | int | `3` | Maximum number of step-up MFA attempts before the account is locked. |
| `security.stepup.lockout-duration` | int | `300` | Lockout duration in seconds after the maximum attempts are exceeded. Default 300 (5 minutes). |
```yaml
security:
  stepup:
    max-attempts: 3
    lockout-duration: 300
```
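To make the interaction between `max-attempts` and `lockout-duration` concrete, here is an added example (not Contexa's implementation) of a per-principal attempt counter that applies the two values above. The `StepUpTracker` class and its method names are hypothetical, and so are three behavioural assumptions the page does not spell out: a successful MFA response resets the failure counter, attempts made while locked are refused without being verified (so a correct code cannot cut the lockout short), and the counter starts fresh once the lockout has expired. Timestamps are passed in explicitly so the scenario runs offline and deterministically.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two security.stepup values documented on this page.
MAX_ATTEMPTS = 3         # security.stepup.max-attempts
LOCKOUT_DURATION = 300   # security.stepup.lockout-duration, in seconds


@dataclass
class StepUpState:
    failures: int = 0                     # consecutive failed step-up attempts
    locked_until: Optional[float] = None  # epoch seconds; None when not locked


class StepUpTracker:
    """Per-principal attempt counter for step-up MFA challenges (hypothetical, not Contexa's)."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, lockout_duration: int = LOCKOUT_DURATION):
        if max_attempts < 1 or lockout_duration < 0:
            raise ValueError("max_attempts must be >= 1 and lockout_duration must be >= 0")
        self._max_attempts = max_attempts
        self._lockout_duration = lockout_duration
        self._states: Dict[str, StepUpState] = {}

    def is_locked(self, principal: str, now: float) -> bool:
        """True while a lockout set for this principal has not yet expired."""
        state = self._states.get(principal)
        return state is not None and state.locked_until is not None and now < state.locked_until

    def record_attempt(self, principal: str, mfa_passed: bool, now: float) -> str:
        """Register one step-up attempt; returns "ALLOWED", "REJECTED" or "LOCKED"."""
        state = self._states.setdefault(principal, StepUpState())
        if state.locked_until is not None:
            if now < state.locked_until:
                # Assumption: attempts during the lockout are refused without being
                # verified, so a correct code does not end the lockout early.
                return "LOCKED"
            # Lockout has expired: the counter starts fresh.
            state.failures = 0
            state.locked_until = None
        if mfa_passed:
            state.failures = 0  # assumption: success clears the failure counter
            return "ALLOWED"
        state.failures += 1
        if state.failures >= self._max_attempts:
            # The max-attempts-th failure triggers the lockout for lockout-duration seconds.
            state.locked_until = now + self._lockout_duration
            return "LOCKED"
        return "REJECTED"


def run_scenario(events: List[Tuple[float, bool]],
                 max_attempts: int = MAX_ATTEMPTS,
                 lockout_duration: int = LOCKOUT_DURATION) -> List[str]:
    """Replay (timestamp, mfa_passed) events for one principal and return each outcome."""
    tracker = StepUpTracker(max_attempts, lockout_duration)
    return [tracker.record_attempt("alice", ok, t) for t, ok in events]


if __name__ == "__main__":
    # Constructed sample: three wrong codes, a correct code inside the 300 s lockout,
    # then a correct code after the lockout has expired.
    events = [(0, False), (10, False), (20, False), (100, True), (330, True)]
    for (t, ok), outcome in zip(events, run_scenario(events)):
        print(f"t={t:>4}s mfa_passed={str(ok):<5} -> {outcome}")
```

With the defaults, the third failure at t=20 s locks the principal until t=320 s; the correct code at t=100 s is refused as LOCKED, and the one at t=330 s is ALLOWED. Because a success resets the counter, two failures followed by a success and two more failures never reach the lockout, which is the behaviour an operator should expect when reading `max-attempts` as consecutive failures. Whatever the real module does on these points, the same scenario is a useful check to run against it.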