Advanced Access Control

This module is responsible for configuring the Advanced Access Control (AAC) and Risk Based Access (RBA) capabilities of IBM Verify Identity Access.

class pyivia.core.accesscontrol.AccessControl

Object used to manage Advanced Access Control endpoints. Available modules are:

Variables:

Access Control

class pyivia.core.access.accesscontrol.AccessControl(base_url, username, password)
authenticate_security_access_manager(username=None, password=None, domain=None)

Authenticate to the Verify Identity Access policy server. This is required before an administrator can modify mapping from policies to resources.

Parameters:
  • username (str) – Username used to authenticate to the policy server.

  • password (str) – Password used to authenticate to the policy server.

  • domain (str) – Security domain to authenticate to.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

configure_resource(server=None, resource_uri=None, policy_combining_algorithm=None, policies=None)

Create a new resource in the policy server which can be attached to an authentication policy.

Parameters:
  • server (str) – Name of WebSEAL instance in the policy server where resource will be created.

  • resource_uri (str) – URI of resource to be created.

  • policy_combining_algorithm (str) – Algorithm to use: “denyOverrides” or “permitOverrides”.

  • policies (list of str) – List of policies, policy sets or API protection clients.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created policy can be accessed from the response.id_from_location attribute.

Return type:

Response

create_obligation(name=None, description=None, obligation_uri=None, type='Obligation', type_id='1', parameters=None, properties=None)

Create a new obligation for use with RBA.

Parameters:
  • name (str) – Name of obligation.

  • description (str, optional) – Description of the obligation.

  • obligation_uri (str) – URI of the obligation.

  • type (str) – The obligation type, “Obligation”.

  • type_id (str, optional) – The obligation type id. If not provided, the value will be set to “1”, which is the “Enforcement Point” type.

  • parameters (list of str, optional) – List of parameters used by the obligation when making a decision.

  • properties (list of str, optional) – Properties used by the obligation.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created obligation can be accessed from the response.id_from_location attribute.

Return type:

Response

create_policy(name=None, description=None, dialect='urn:oasis:names:tc:xacml:2.0:policy:schema:os', policy=None, attributes_required=False)

Create an AAC Access Policy.

Parameters:
  • name (str) – Name of policy to be created.

  • description (str, optional) – Description of policy to be created

  • dialect (str, optional) – Format of policy XML. Only “urn:oasis:names:tc:xacml:2.0:policy:schema:os” is supported

  • policy (str, optional) – XML of policy steps.

  • attributes_required (bool) – True if all attributes must be present in the request before the policy can be evaluated.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created policy can be accessed from the response.id_from_location attribute.

Return type:

Response

create_policy_set(name, description, predefined=False, policies=[], policy_combining_alg='denyOverrides')

Create an AAC Access Policy Set.

Parameters:
  • name (str) – Name of policy set to be created.

  • description (str, optional) – Description of policy set to be created

  • predefined (bool, optional) – False to indicate the policy set is custom defined.

  • policies (str, optional) – An array of policy IDs which belong to this policy set. The order that the policies appear in this list is used when the policy_combining_alg is set to “firstApplicable”.

  • policy_combining_alg (str, optional) – Defines the combined action for the policies in the set. “firstApplicable” to indicate that the policy set will return the result of the first policy in the set that returns permit or deny, “denyOverrides” to indicate that the policy set should deny access if any policy in the set returns a response of deny , or “permitOverrides” to indicate that the policy set should permit access if any policy in the set returns a response of permit. Default is “denyOverrides”.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created policy set can be accessed from the response.id_from_location attribute.

Return type:

Response
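The three policy_combining_alg values described above, modelled as an added example (this is not pyivia or product code). The two sample policies, the request fields and the handling of a policy that returns neither permit nor deny are assumptions made for illustration; the point is that the same policy list can grant or refuse the same request depending on the algorithm and, for "firstApplicable", on list order.

```python
from enum import Enum
from itertools import permutations


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"  # assumption: the policy matched nothing


def combine(policy_combining_alg, decisions):
    """Combine per-policy decisions, listed in policy-set order."""
    decisive = [d for d in decisions if d is not Decision.NOT_APPLICABLE]
    if policy_combining_alg == "firstApplicable":
        # The first policy that returns permit or deny wins, so order matters.
        return decisive[0] if decisive else Decision.NOT_APPLICABLE
    if policy_combining_alg == "denyOverrides":
        winner = Decision.DENY
    elif policy_combining_alg == "permitOverrides":
        winner = Decision.PERMIT
    else:
        raise ValueError(f"unknown policy_combining_alg: {policy_combining_alg!r}")
    if winner in decisive:
        return winner
    # No overriding decision present: what remains is unanimous or empty.
    return decisive[0] if decisive else Decision.NOT_APPLICABLE


# Constructed sample policies (hypothetical, not shipped with the product).
def allow_employees(request):
    if "employees" in request["groups"]:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


def deny_high_risk(request):
    if request["risk_score"] >= 80:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def evaluate_policy_set(policies, policy_combining_alg, request):
    """Evaluate each policy in list order and combine the results."""
    return combine(policy_combining_alg, [p(request) for p in policies])


def is_order_sensitive(policies, policy_combining_alg, request):
    """True if reordering the policies list changes the outcome."""
    outcomes = {
        evaluate_policy_set(list(order), policy_combining_alg, request)
        for order in permutations(policies)
    }
    return len(outcomes) > 1


# Constructed request: an employee whose session scored as high risk.
RISKY_EMPLOYEE = {"groups": ["employees"], "risk_score": 90}

if __name__ == "__main__":
    policy_list = [allow_employees, deny_high_risk]
    for alg in ("firstApplicable", "denyOverrides", "permitOverrides"):
        result = evaluate_policy_set(policy_list, alg, RISKY_EMPLOYEE)
        sensitive = is_order_sensitive(policy_list, alg, RISKY_EMPLOYEE)
        print(f"{alg:16} -> {result.value:6} order-sensitive={sensitive}")
```

With "firstApplicable" and the permit policy listed first, the high-risk deny policy is never reached for this request, which is the case to look for when reviewing the order of a policies list.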

delete_obligation(id)

Delete an existing obligation from the policy server

Parameters:

id (str) – The id of the obligation to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_policy(id=None)

Delete an AAC Access Policy.

Parameters:

id (str) – Policy id to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_policy_set(set_id)

Delete a configured AAC Access Policies Set.

Parameters:

set_id (str) – Verify Identity Access assigned id for the policy set.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_policy_set(set_id)

Get a configured AAC Access Policies Set.

Parameters:

set_id (str, optional) – Verify Identity Access assigned id for the policy set.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the policy set is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_obligations(sort_by=None, filter=None)

Return the list of configured obligations for AAC.

Parameters:
  • sort_by (str, optional) – Optional sorting of returned policies.

  • filter (str, optional) – Optional filter for returned policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the obligations are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_policies(sort_by=None, filter=None)

List all of the configured AAC Access Policies.

Parameters:
  • sort_by (str, optional) – Optional sorting of returned policies

  • filter (str, optional) – Optional filter for returned policies

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the policies are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_policy_sets(sort_by=None, filter=None)

List all of the configured AAC Access Policies Sets.

Parameters:
  • sort_by (str, optional) – Optional sorting of returned policies

  • filter (str, optional) – Optional filter for returned policies

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the policy sets are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_resources(sort_by=None, filter=None)

Return the list of configured resources.

Parameters:
  • sort_by (str, optional) – Optionally specify the attribute to sort the returned list by.

  • filter (str) – Optionally specify whether the returned list should be filtered based on an attribute.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

publish_multiple_policy_attachments(ids=[])

Publish the changes to the policy server for one or more resources. This will require a restart of the corresponding WebSEAL instance.

Parameters:

ids (list of str) – List of resource ids to publish.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

publish_policy_attachment(id)

Publish the changes to the policy server. This will require a restart of the corresponding WebSEAL instance.

Parameters:

id (str) – The id of the resource to publish.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response
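The calls documented above chained into one procedure, as an added example that is not part of the pyivia documentation: authenticate to the policy server, create a policy, attach it to a resource and publish, stopping and rolling back as soon as any response.success is False. FakeAccessControl is a constructed offline stand-in for an AccessControl object; passing the policy name in policies, and every id and value shown, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


class StepFailed(RuntimeError):
    """Raised when a call returns a response whose success flag is False."""


def _check(step, response):
    if not response.success:
        raise StepFailed(step)
    return response


def protect_resource(aac, *, admin_user, admin_password, domain,
                     server, resource_uri, policy_name, policy_xml):
    """Create a policy, attach it to a resource and publish the attachment.

    `aac` is any object exposing the AccessControl methods documented above.
    Returns (policy_id, resource_id). The WebSEAL restart that publishing
    requires is not performed here.
    """
    # Required before policy-to-resource mappings can be modified.
    _check("authenticate", aac.authenticate_security_access_manager(
        username=admin_user, password=admin_password, domain=domain))
    policy = _check("create_policy", aac.create_policy(
        name=policy_name, policy=policy_xml, attributes_required=False))
    resource_id = None
    try:
        resource = _check("configure_resource", aac.configure_resource(
            server=server, resource_uri=resource_uri,
            policy_combining_algorithm="denyOverrides",
            policies=[policy_name]))  # assumption: policies are given by name
        resource_id = resource.id_from_location
        _check("publish", aac.publish_policy_attachment(resource_id))
    except StepFailed:
        # Do not leave a half-configured resource or an orphaned policy behind.
        if resource_id is not None:
            aac.remove_resource(resource_id)
        aac.delete_policy(id=policy.id_from_location)
        raise
    return policy.id_from_location, resource_id


@dataclass
class FakeResponse:
    success: bool
    id_from_location: Optional[str] = None


class FakeAccessControl:
    """Constructed stand-in that records calls; it talks to no appliance."""

    def __init__(self, fail_on=None):
        self.fail_on = fail_on
        self.calls = []

    def _reply(self, name, new_id=None):
        self.calls.append(name)
        ok = name != self.fail_on
        return FakeResponse(success=ok, id_from_location=new_id if ok else None)

    def authenticate_security_access_manager(self, username=None,
                                             password=None, domain=None):
        return self._reply("authenticate_security_access_manager")

    def create_policy(self, name=None, description=None, dialect=None,
                      policy=None, attributes_required=False):
        return self._reply("create_policy", "101")  # constructed id

    def configure_resource(self, server=None, resource_uri=None,
                           policy_combining_algorithm=None, policies=None):
        return self._reply("configure_resource", "201")  # constructed id

    def publish_policy_attachment(self, id):
        return self._reply("publish_policy_attachment")

    def remove_resource(self, id):
        return self._reply("remove_resource")

    def delete_policy(self, id=None):
        return self._reply("delete_policy")


# Constructed arguments for a dry run.
SAMPLE_ARGS = dict(admin_user="sec_master", admin_password="placeholder",
                   domain="Default", server="default-webseal",
                   resource_uri="/app/transfer", policy_name="StepUpPolicy",
                   policy_xml="<Policy/>")

if __name__ == "__main__":
    fake = FakeAccessControl()
    print(protect_resource(fake, **SAMPLE_ARGS), fake.calls)
```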

remove_resource(id)

Delete a resource from the policy server.

Parameters:

id (str) – The id of the resource to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_obligation(id, name=None, description=None, obligation_uri=None, type='Obligation', type_id=None, parameters=None, properties=None)

Update an existing obligation for use with RBA

Parameters:
  • id (str) – The generated unique id of the obligation to update.

  • name (str) – Name of obligation.

  • description (str, optional) – Description of the obligation.

  • obligation_uri (str) – URI of the obligation.

  • type (str, optional) – The obligation type, “Obligation”.

  • parameters (list of str, optional) – List of parameters used by the obligation when making a decision.

  • properties (list of str, optional) – Properties used by the obligation.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created obligation can be accessed from the response.id_from_location attribute.

Return type:

Response

update_policy_set(set_id, name, description, predefined=False, policies=[], policy_combining_alg='denyOverrides')

Update an AAC Access Policy Set.

Parameters:
  • name (str) – Name of policy set to be created.

  • description (str, optional) – Description of policy set to be created

  • predefined (bool, optional) – False to indicate the policy set is custom defined.

  • policies (str, optional) – An array of policy IDs which belong to this policy set. The order that the policies appear in this list is used when the policy_combining_alg is set to “firstApplicable”.

  • policy_combining_alg (str, optional) – Defines the combined action for the policies in the set. “firstApplicable” to indicate that the policy set will return the result of the first policy in the set that returns permit or deny, “denyOverrides” to indicate that the policy set should deny access if any policy in the set returns a response of deny , or “permitOverrides” to indicate that the policy set should permit access if any policy in the set returns a response of permit. Default is “denyOverrides”.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created policy set can be accessed from the response.id_from_location attribute.

Return type:

Response

Advanced Configuration

class pyivia.core.access.advancedconfig.AdvancedConfig(base_url, username, password)
list_properties(sort_by=None, count=None, start=None, filter=None)

Get a list of all the advanced configuration parameters

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the Advanced Configuration Properties are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_property(id, value=None, sensitive=False)

Update an AAC advanced configuration property.

Parameters:
  • id (str) – The id of the property to be updated.

  • value (str) – The new value of the configuration property.

  • sensitive (bool, optional) – Flag to indicate if value should be obfuscated from logs/audit records. Default is false.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

API Protection

class pyivia.core.access.apiprotection.APIProtection(base_url, username, password)
create_client(name=None, redirect_uri=None, company_name=None, company_url=None, contact_person=None, contact_type=None, email=None, phone=None, other_info=None, definition=None, client_id=None, client_secret=None)

Create an OIDC API protection client.

Parameters:
  • name (str) – Name of the client.

  • redirect_uri (str, optional) – URL which client should redirect to.

  • company_name (str, optional) – Company to associate client with.

  • company_url (str, optional) – URL to associate client with.

  • contact_person (str, optional) – Person who is responsible for API client.

  • contact_type (str, optional) – Position of contact person.

  • email (str, optional) – Contact email address for client.

  • phone (str, optional) – Contact phone number for client.

  • other_info (str, optional) – Other contact details associated with client.

  • definition (str) – The id of the API protection definition to use.

  • client_id (str) – The id of the client.

  • client_secret (str, optional) – The client secret to use. If not specified then a public client is created.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created API client can be accessed from the response.id_from_location attribute.

Return type:

Response

create_definition(name=None, description=None, tcm_behavior=None, token_char_set=None, access_token_lifetime=None, access_token_length=None, authorization_code_lifetime=None, authorization_code_length=None, refresh_token_length=None, max_authorization_grant_lifetime=None, pin_length=None, enforce_single_use_authorization_grant=None, issue_refresh_token=None, enforce_single_access_token_per_grant=None, enable_multiple_refresh_tokens_for_fault_tolerance=None, pin_policy_enabled=None, grant_types=None)

Create an OIDC API Protection definition. Definitions can be used to configure one or more clients.

Parameters:
  • name (str) – Name of the OIDC definition.

  • description (str, optional) – Description of the OIDC definition.

  • tcm_behavior (str, optional) – Specify the Trust Client Manager’s behavior.

  • token_char_set (str, optional) – Specify the allowed characters for generated tokens. Default is alphanumeric set of characters.

  • access_token_lifetime (int, optional) – Length of time that access token is valid for.

  • authorization_code_lifetime (int, optional) – Length of time that authorization code is valid for.

  • authorization_code_length (int, optional) – Number of characters used to generate authorization code.

  • refresh_token_length (int, optional) – Number of characters used to generate refresh tokens.

  • max_authorization_grant_lifetime (int, optional) – The maximum duration of a grant, in seconds, where the resource owner authorized the client to access the protected resource.

  • pin_length (int, optional) – Length of PIN used to protect refresh token.

  • enforce_single_use_authorization_grant (bool, optional) – True if all tokens of the authorization grant should be revoked after an access token is validated.

  • issue_refresh_token (bool, optional) – True if a refresh token should be issued to the client.

  • enforce_single_access_token_per_grant (bool, optional) – True if previously granted access tokens should be revoked after a new access token is generated via a refresh token.

  • enable_multiple_refresh_tokens_for_fault_tolerance (bool, optional) – True if multiple refresh tokens are stored so that the old refresh token is valid until the new refresh token is successfully delivered.

  • pin_policy_enabled (bool, optional) – True if the refresh token will be further protected with a PIN provided by the API protection client.

  • grant_types (list of str) – A list of supported authorization grant types.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created OIDC definition can be accessed from the response.id_from_location attribute

Return type:

Response

delete_client(id)

Delete an OIDC API protection client.

Parameters:

id (str) – The id of the client to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_definition(id)

Remove an OIDC API protection definition.

Parameters:

id (str) – The id of the definition to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

list_clients(sort_by=None, count=None, start=None, filter=None)

Get a list of API clients.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the API clients are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_definitions(sort_by=None, count=None, start=None, filter=None)

Get a list of the configured API protection definitions.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the OIDC definitions are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_client(id=None, name=None, redirect_uri=None, company_name=None, company_url=None, contact_person=None, contact_type=None, email=None, phone=None, other_info=None, definition=None, client_id=None, client_secret=None)

Update an OIDC API protection client.

Parameters:
  • name (str) – Name of the client.

  • redirect_uri (str, optional) – URL which client should redirect to.

  • company_name (str, optional) – Company to associate client with.

  • company_url (str, optional) – URL to associate client with.

  • contact_person (str, optional) – Person who is responsible for API client.

  • contact_type (str, optional) – Position of contact person.

  • email (str, optional) – Contact email address for client.

  • phone (str, optional) – Contact phone number for client.

  • other_info (str, optional) – Other contact details associated with client.

  • definition (str) – The id of the API protection definition to use.

  • client_id (str) – The id of the client.

  • client_secret (str, optional) – The client secret to use. If not specified then a public client is created.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_definition(definition_id=None, name=None, description=None, tcm_behavior=None, token_char_set=None, access_token_lifetime=None, access_token_length=None, authorization_code_lifetime=None, authorization_code_length=None, refresh_token_length=None, max_authorization_grant_lifetime=None, pin_length=None, enforce_single_use_authorization_grant=None, issue_refresh_token=None, enforce_single_access_token_per_grant=None, enable_multiple_refresh_tokens_for_fault_tolerance=None, pin_policy_enabled=None, grant_types=None, oidc_enabled=False, iss=None, poc=None, lifetime=None, alg=None, db=None, cert=None, enc_enabled=False, enc_alg=None, enc_db=None, enc_cert=None, enc_enc=None, access_policy_id=None)

Update an OIDC API Protection definition. Definitions can be used to configure one or more clients.

Parameters:
  • name (str) – Name of the OIDC definition.

  • description (str, optional) – Description of the OIDC definition.

  • tcm_behavior (str, optional) – Specify the Trust Client Manager’s behavior.

  • token_char_set (str, optional) – Specify the allowed characters for generated tokens. Default is alphanumeric set

  • access_token_lifetime (int, optional) – Length of time that access token is valid for.

  • authorization_code_lifetime (int, optional) – Length of time that authorization code is valid for.

  • authorization_code_length (int, optional) – Number of characters used to generate authorization code.

  • refresh_token_length (int, optional) – Number of characters used to generate refresh tokens.

  • max_authorization_grant_lifetime (int, optional) – The maximum duration of a grant, in seconds, where the resource owner authorized the client to access the protected resource.

  • pin_length (int, optional) – Length of PIN used to protect refresh token.

  • enforce_single_use_authorization_grant (bool, optional) – True if all tokens of the authorization grant should be revoked after an access token is validated.

  • issue_refresh_token (bool, optional) – True if a refresh token should be issued to the client.

  • enforce_single_access_token_per_grant (bool, optional) – True if previously granted access tokens should be revoked after a new access token is generated via a refresh token.

  • enable_multiple_refresh_tokens_for_fault_tolerance (bool, optional) – True if multiple refresh tokens are stored so that the old refresh token is valid until the new refresh token is successfully delivered.

  • pin_policy_enabled (bool, optional) – True if the refresh token will be further protected with a PIN provided by the API protection client.

  • grant_types (list of str) – A list of supported authorization grant types.

  • oidc_enabled (bool, optional) – If OpenID Connect is enabled for this definition.

  • iss (str) – The issuer identifier of this definition.

  • poc (str) – The Point of Contact URL for this definition.

  • lifetime (int) – The lifetime of the id_tokens issued.

  • alg (str) – The signing algorithm for the JWT.

  • db (str) – The SSL database containing the signing key for RS/ES signing methods.

  • cert (str) – The certificate label of the signing key for RS/ES signing methods.

  • enc_enabled (bool) – Is encryption enabled for this definition.

  • enc_alg (str) – The key agreement algorithm for encryption.

  • enc_enc (str) – The encryption algorithm.

  • access_policy_id (int) – The id of access policy assigned to this definition.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Attributes

class pyivia.core.access.attributes.Attributes(base_url, username, password)
create_attribute(category=None, matcher=None, issuer=None, description=None, name=None, datatype=None, uri=None, storage_session=None, storage_behavior=None, storage_device=None, type_risk=None, type_policy=None)

Create a CBA attribute.

Parameters:
  • category (str) – The part of the XACML request that the attribute value comes from.

  • matcher (str) – ID of the attribute matcher.

  • issuer (str) – The name of the policy information point from which the value of the attribute is retrieved.

  • description (str, optional) – Description of the attribute.

  • name (str) – Name of the attribute

  • datatype (str) – The type of values that the attribute can accept.

  • uri (str) – The identifier of the attribute that is used in the generated XACML policy.

  • storage_session (bool) – True if the attribute is collected in the user session.

  • storage_behavior (bool) – True if historic data for this attribute is stored in the database and used for behavior-based attribute matching.

  • storage_device (bool) – True if the attribute is stored when a device is registered as part of the device fingerprint.

  • type_risk (bool) – True if the attribute is used in risk profiles.

  • type_policy (bool) – True if the attribute is used in policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created CBA attribute can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_attribute(attribute_id)

Delete an existing attribute.

Parameters:

attribute_id (str, optional) – The system-assigned attribute ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_attribute(attribute_id)

Get a specific configured attribute.

Parameters:

attribute_id (str) – The system-assigned attribute ID value.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the attribute is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_attribute_matchers(sort_by=None, filter=None)

Get a list of the configured attribute matchers.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • filter (str) – Attribute to filter results by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the attribute matchers are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_attributes(sort_by=None, count=None, start=None, filter=None)

Get a list of the configured attributes.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the attributes are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_attribute(id, category=None, matcher=None, issuer=None, description=None, name=None, datatype=None, uri=None, storage_session=None, storage_behavior=None, storage_device=None, type_risk=None, type_policy=None)

Update an existing CBA attribute.

Parameters:
  • id (str) – The assigned attribute identifier.

  • category (str) – The part of the XACML request that the attribute value comes from.

  • matcher (str) – ID of the attribute matcher.

  • issuer (str) – The name of the policy information point from which the value of the attribute is retrieved.

  • description (str, optional) – Description of the attribute.

  • name (str) – Name of the attribute

  • datatype (str) – The type of values that the attribute can accept.

  • uri (str) – The identifier of the attribute that is used in the generated XACML policy.

  • storage_session (bool) – True if the attribute is collected in the user session.

  • storage_behavior (bool) – True if historic data for this attribute is stored in the database and used for behavior-based attribute matching.

  • storage_device (bool) – True if the attribute is stored when a device is registered as part of the device fingerprint.

  • type_risk (bool) – True if the attribute is used in risk profiles.

  • type_policy (bool) – True if the attribute is used in policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_attribute_matcher(id, uri=None, predefined=True, supported_data_types='String', properties=[])

Update an existing attribute matcher’s properties.

Parameters:
  • id (str) – The system-assigned attribute matcher ID value.

  • uri (str) – The identifier of the attribute matcher that is used in generated XACML. Cannot be updated.

  • supported_data_types (str) – “String” to accept string input for the properties. Cannot be updated.

  • predefined (bool) – True to indicate the attribute matcher is predefined and ships with the product. Cannot be updated.

  • properties (list of dict) – Array of property values associated with this attribute matcher.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Authentication

class pyivia.core.access.authentication.Authentication(base_url, username, password)
create_mechanism(description=None, name=None, uri=None, type_id=None, properties=[], attributes=[])

Create an authentication mechanism.

Parameters:
  • description (str) – Description of the mechanism.

  • name (str) – Name of the mechanism.

  • uri (str) – URI of the mechanism.

  • type_id (str) – Mechanism type to inherit from

  • properties (list of dict) –

    List of properties for the mechanism. Properties are determined by the mechanism type. Properties should follow the format:

    [
        {"key":"property.key.name",
         "value":"property.value"
        }
    ]
    

  • attributes (list of dict) –

    List of attributes to retrieve from the request context before executing the mechanism. Attributes should follow the format:

    [
        {"selector":"Context.REQUEST",
         "namespace": "urn:ibm:security:asf:request:parameter",
         "name": "parameter"
        }
    ]
    

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created mechanism can be accessed from the response.id_from_location attribute.

Return type:

Response

create_policy(name=None, policy=None, uri=None, description=None, dialect='urn:ibm:security:authentication:policy:1.0:schema', enabled=None)

Create an authentication policy.

Parameters:
  • name (str) – Name of the policy to be created.

  • policy (str) – XML config of the policy.

  • uri (str) – URI used to identify the policy.

  • description (str, optional) – Description of the policy.

  • dialect (str, optional) – Schema used to create the policy. Use the default “urn:ibm:security:authentication:policy:1.0:schema”.

  • enabled (bool) – Flag to enable the policy for use by the AAC runtime.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created policy can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_mechanism(mechanism_id)

Delete an existing authentication mechanism. Only administrator created (not pre-defined) mechanisms can be deleted.

Parameters:

mechanism_id (str) – The identifier for the mechanism to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_policy(id)

Retrieve a policy configuration.

Parameters:

id (str) – The id of the policy to be retrieved.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the policy configuration is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_mechanism_types(sort_by=None, count=None, start=None, filter=None)

Get the list of available mechanism types.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the authentication mechanism types are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_mechanisms(sort_by=None, count=None, start=None, filter=None)

Get the list of available mechanisms.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the authentication mechanisms are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_policies(sort_by=None, count=None, start=None, filter=None)

Get a list of all of the configured AAC policies.

Parameters:
  • sort_by (str, optional) – Attribute to sort results by.

  • count (str, optional) – Maximum number of results to fetch.

  • start (str, optional) – Pagination offset of returned results.

  • filter (str) – Attribute to filter results by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the authentication policies are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_mechanism(id, description=None, name=None, uri=None, type_id=None, predefined=True, properties=None, attributes=None)

Update an authentication mechanism.

Parameters:
  • description (str) – Description of the mechanism.

  • name (str) – Name of the mechanism.

  • uri (str) – URI of the mechanism.

  • type_id (str) – Mechanism type to inherit from.

  • predefined (bool, optional) – If this mechanism is pre-defined by Verify Identity Access. Default value is true.

  • properties (list of dict) –

    List of properties for the mechanism. Properties are determined by the mechanism type. Properties should use the format:

    [
        {"key":"property.key.name",
         "value":"property.value"
        }
    ]
    

  • attributes (list of dict) –

    List of attributes to retrieve from the request context before executing the mechanism. Attributes should use the format:

    [
        {"selector":"Context.REQUEST",
         "namespace": "urn:ibm:security:asf:request:parameter",
         "name": "parameter"
        }
    ]
    

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created mechanism can be accessed from the response.id_from_location attribute.

Return type:

Response

update_policy(id, name=None, policy=None, uri=None, description=None, dialect='urn:ibm:security:authentication:policy:1.0:schema', user_last_modified=None, last_modified=None, date_created=None, predefined=None, enabled=None)

Update an AAC authentication policy.

Parameters:
  • id (str) – The id of the policy to be updated.

  • name (str) – Name of the policy.

  • policy (str) – XML config of the policy.

  • uri (str) – URI used to identify the policy.

  • description (str, optional) – Description of the policy.

  • dialect (str, optional) – Schema used to create the policy. Use the default “urn:ibm:security:authentication:policy:1.0:schema”.

  • user_last_modified (str) – User id of the user who last made modifications to the authentication policy.

  • last_modified (str) – Timestamp of when this policy was last modified.

  • date_created (str) – Timestamp of when this policy was created.

  • predefined (bool) – Flag to indicate if this is a default policy available out of the box.

  • enabled (bool) – Flag to enable the policy for use by the AAC runtime.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

FIDO2 Configuration

class pyivia.core.access.fido2config.FIDO2Config(base_url, username, password)
create_mediator(name=None, filename=None)

Create a FIDO2 mediator JavaScript mapping rule.

Parameters:
  • name (str) – The name of the mapping rule to be created.

  • filename (str) – The contents of the mapping rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created mediator can be accessed from the response.id_from_location attribute.

Return type:

Response

create_metadata(filename=None)

Create a metadata document from a file.

Parameters:

filename (str) – Absolute path to a FIDO2 Metadata document.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created metadata can be accessed from the response.id_from_location attribute.

Return type:

Response

create_metadata_service(url, retry_interval=None, jws_truststore=None, truststore=None, username=None, password=None, keystore=None, certificate=None, protocol=None, timeout=None, proxy=None, headers=[])

Create a FIDO2 Metadata Service connection.

Parameters:
  • url (str) – The URL used to connect to the metadata service (including the protocol).

  • retry_interval (int) – When the lifetime of a downloaded metadata has expired and a request to retrieve the new metadata fails, this defines the wait interval (in seconds) before retrying the download. If not specified the default value of 3600 seconds will be used. A value of 0 will result in a retry on each attestation validation.

  • jws_truststore (str) – The name of the JWS verification truststore. The truststore contains the certificate used to verify the signature of the downloaded metadata blob. If not specified the SSL trust store or the trust store configured in the HTTPClientV2 advanced configuration will be used.

  • truststore (str) – The name of the truststore to use. The truststore has a dual purpose. Firstly, it is used when making an HTTPS connection to the Metadata Service. Secondly, if the jws_truststore is not specified it must contain the certificate used to verify the signature of the downloaded metadata blob. If not specified and an HTTPS connection is specified, the trust store configured in the HTTPClientV2 advanced configuration will be used.

  • username (str) – The basic authentication username. If not specified BA will not be used.

  • password (str) – The basic authentication password. If not specified BA will not be used.

  • keystore (str) – The client keystore. If not specified client certificate authentication will not be used.

  • protocol (str) – The SSL protocol to use for the HTTPS connection. Valid values are TLS, TLSv1, TLSv1.1 and TLSv1.2. If not specified the protocol configured in the HTTPClientV2 advanced configuration will be used.

  • timeout (int) – The request timeout in seconds. A value of 0 will result in no timeout. If not specified the connect timeout configured in the HTTPClientV2 advanced configuration will be used.

  • proxy (str) – The URL of the proxy server used to connect to the metadata service (including the protocol).

  • headers (list of str) – A list of HTTP headers to be added to the HTTP request when retrieving the metadata from the service.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created FIDO2 metadata service can be accessed from the response.id_from_location attribute.

Return type:

Response
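The documented defaults and special values for create_metadata_service (plain HTTP URLs, the TLSv1 and TLSv1.1 protocol values, a timeout or retry_interval of 0, and an unset jws_truststore) can be reviewed before the call is made. The following is an added example, not part of pyivia; the function name, severity levels, host name and truststore names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

VALID_PROTOCOLS = ("TLS", "TLSv1", "TLSv1.1", "TLSv1.2")  # values listed in the parameter docs
DEPRECATED_PROTOCOLS = ("TLSv1", "TLSv1.1")               # TLS 1.0/1.1, deprecated by RFC 8996

# Constructed sample arguments; host and truststore names are placeholders.
WEAK = {"url": "http://mds.corp.example/blob", "protocol": "TLSv1",
        "timeout": 0, "retry_interval": 0}
HARDENED = {"url": "https://mds.corp.example/blob", "protocol": "TLSv1.2",
            "timeout": 30, "retry_interval": 3600,
            "truststore": "mds_tls_trust", "jws_truststore": "mds_jws_trust"}


def review_metadata_service(url, retry_interval=None, jws_truststore=None,
                            truststore=None, protocol=None, timeout=None, **_other):
    """Return (level, parameter, message) findings for create_metadata_service arguments.

    The levels ("high", "medium", "info") are this example's own grading.
    Extra keyword arguments (username, proxy, headers, ...) are accepted and ignored
    so the same dict can later be passed to create_metadata_service(**kwargs).
    """
    findings = []

    # The truststore only authenticates the service on an HTTPS connection.
    if urlsplit(url).scheme != "https":
        findings.append(("high", "url",
                         "connection is not HTTPS, so the service is not authenticated by TLS"))

    if protocol is not None and protocol not in VALID_PROTOCOLS:
        findings.append(("high", "protocol",
                         "not one of the documented values: " + ", ".join(VALID_PROTOCOLS)))
    elif protocol in DEPRECATED_PROTOCOLS:
        findings.append(("high", "protocol",
                         "TLS 1.0 and 1.1 are deprecated (RFC 8996); use TLSv1.2"))

    # Documented special value: 0 means the request never times out.
    if timeout == 0:
        findings.append(("medium", "timeout", "0 disables the request timeout"))

    # Documented special value: 0 retries the download on each attestation validation.
    if retry_interval == 0:
        findings.append(("medium", "retry_interval",
                         "0 retries the download on each attestation validation"))

    # Without jws_truststore the blob signature is checked against the SSL trust
    # store or the HTTPClientV2 trust store rather than a dedicated one.
    if jws_truststore is None:
        findings.append(("info", "jws_truststore",
                         "metadata blob signature is verified with the connection trust store"))

    return findings


if __name__ == "__main__":
    for label, kwargs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for level, param, message in review_metadata_service(**kwargs):
            print(f"  [{level}] {param}: {message}")
```
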

create_relying_party(name=None, rp_id=None, origins=None, metadata_set=[], metadata_soft_fail=True, mediator_mapping_rule_id=None, attestation_statement_types=None, attestation_statement_formats=None, attestation_public_key_algorithms=None, attestation_android_safetynet_max_age=None, attestation_android_safetynet_clock_skew=None, attestation_android_safetynet_cts_match=None, relying_party_impersonation_group=None, compound_all_valid=None, timeout=None, metadata_services=[])

Create a FIDO2 relying party.

Parameters:
  • name (str) – Name of relying party.

  • rp_id (str) – The domain that the relying party acts for. This should be a valid domain name.

  • origins (list of str) – List of allowed origins for the relying party. Origins must be a valid URI and https origins should be a subdomain of the rp_id.

  • metadata_set (list of str) – List of document ids to include as metadata.

  • metadata_soft_fail (bool) – Flag to indicate if a registration attempt should fail if metadata cannot be found.

  • mediator_mapping_rule_id (str) – The id of the FIDO JavaScript mapping rule to use as a mediator.

  • attestation_statement_types (list of str) – List of allowed attestation types.

  • attestation_statement_formats (list of str) – List of allowed attestation formats.

  • attestation_public_key_algorithms (list of str) – List of supported cryptographic signing algorithms.

  • attestation_android_safetynet_max_age (int) – Length of time that an “android-safetynet” attestation is valid for.

  • attestation_android_safetynet_clock_skew (int) – Clock skew allowed for “android-safetynet” attestations.

  • attestation_android_safetynet_cts_match (int) – Enforce the Android Safetynet CTS Profile Match flag.

  • relying_party_impersonation_group (str, optional) – Group which permits users to perform FIDO flows on behalf of another user.

  • compound_all_valid (bool, optional) – True if all attestation statements in a compound attestation must be valid to successfully register a given authenticator. Only valid if compound is included in attestation_statement_formats.

  • timeout (int, optional) – Length of time a user has to complete a FIDO2/WebAuthn ceremony. Default value is 300 seconds (5 mins).

  • metadata_services (list of str) – List of MDS ids to include as metadata providers.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created FIDO2 relying party can be accessed from the response.id_from_location attribute.

Return type:

Response
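The origins rule above (each origin is a valid URI, and https origins sit under the rp_id) is easy to get wrong with a plain suffix comparison, because a host such as evilcorp.example ends with corp.example without being a subdomain of it. The following is an added example, not part of pyivia, that checks a proposed rp_id and origins list on a label boundary before the arguments are passed to create_relying_party; the function names and sample values are assumptions, and an https origin whose host equals the rp_id is accepted, as WebAuthn permits.

```python
from urllib.parse import urlsplit

# Constructed sample input using reserved .example/.test names.
SAMPLE_RP_ID = "corp.example"
SAMPLE_ORIGINS = [
    "https://corp.example",                    # host equals the rp_id
    "https://login.corp.example:8443",         # subdomain, non-default port
    "android:apk-key-hash:CONSTRUCTED-HASH",   # non-https URI, only needs a scheme
    "https://evilcorp.example",                # suffix match without a dot boundary
    "https://corp.example.attacker.test",      # rp_id used as a prefix
    "login.corp.example",                      # no scheme, so not a URI
]


def normalise_host(host):
    """Lower-case a host name and drop a trailing root dot."""
    return (host or "").strip().lower().rstrip(".")


def origin_problems(rp_id, origins):
    """Return (origin, reason) pairs for origins that break the documented rules."""
    rp = normalise_host(rp_id)
    problems = []
    for origin in origins:
        try:
            parts = urlsplit(origin)
            host = normalise_host(parts.hostname)
        except ValueError as exc:              # e.g. malformed IPv6 literal
            problems.append((origin, f"not a valid URI: {exc}"))
            continue

        if not parts.scheme:
            problems.append((origin, "not a valid URI: no scheme"))
        elif parts.scheme == "https":          # urlsplit lower-cases the scheme
            if not host:
                problems.append((origin, "https origin has no host"))
            # Compare on a label boundary: equal to the rp_id, or ending in ".<rp_id>".
            elif host != rp and not host.endswith("." + rp):
                problems.append((origin, f"host {host!r} is not under rp_id {rp!r}"))
        # Other schemes are only required to be a URI, as the parameter docs state.
    return problems


def relying_party_kwargs(name, rp_id, origins):
    """Build keyword arguments for create_relying_party, refusing bad origins."""
    problems = origin_problems(rp_id, origins)
    if problems:
        raise ValueError("; ".join(f"{o}: {r}" for o, r in problems))
    return {"name": name, "rp_id": rp_id, "origins": list(origins)}


if __name__ == "__main__":
    for origin, reason in origin_problems(SAMPLE_RP_ID, SAMPLE_ORIGINS):
        print(f"REJECT {origin}: {reason}")
    # With a FIDO2Config instance (hypothetical variable name `fido2`):
    # fido2.create_relying_party(**relying_party_kwargs("demo", SAMPLE_RP_ID, SAMPLE_ORIGINS[:3]))
```
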

delete_mediator(mediator_id)

Remove a configured mediator mapping rule.

Parameters:

mediator_id (str) – The id of the mediator mapping rule to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_metadata(metadata_id)

Remove an existing metadata document from the store.

Parameters:

metadata_id (str) – The id of the metadata document to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_metadata_service(mds_id)

Delete a configured metadata service.

Parameters:

mds_id (str) – The Verify Identity Access assigned identifier.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_relying_party(rp_id)

Delete an existing FIDO2 relying party.

Parameters:

rp_id (str) – The id of the FIDO2 relying party.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_mediator(mediator_id)

Get the contents of a configured mediator.

Parameters:

mediator_id (str) – The id of the mediator to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the mediator is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_metadata(metadata_id)

Get a configured metadata document.

Parameters:

metadata_id (str) – The id of the metadata document to get.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the metadata document is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_metadata_service(mds_id)

Get a configured metadata service.

Parameters:

mds_id (str) – The Verify Identity Access assigned identifier.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the metadata service is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_relying_party(rp_id)

Get the configuration of a FIDO2 relying party.

Parameters:

rp_id (str) – The id of the FIDO2 relying party.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the FIDO2 relying party is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_mediators()

Get a list of all of the configured mediators.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the mediators are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_metadata()

Get a list of all the configured metadata documents.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the metadata documents are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_metadata_services()

List the configured metadata services.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the metadata services are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_relying_parties()

Get a list of all the configured FIDO2 relying parties.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the FIDO2 relying parties are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_mediator(mediator_id, filename=None)

Update an existing mediator mapping rule with new contents.

Parameters:
  • mediator_id (str) – The id of the existing mapping rule.

  • filename (str) – Absolute path to the file containing the new mapping rule contents.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_metadata(metadata_id, filename=None)

Update an existing metadata document from a file.

Parameters:
  • metadata_id (str) – The id of the FIDO2 metadata document to be updated.

  • filename (str) – Absolute path to a FIDO2 Metadata document.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_metadata_service(mds_id, url=None, retry_interval=None, jws_truststore=None, truststore=None, username=None, password=None, keystore=None, certificate=None, protocol=None, timeout=None, proxy=None, headers=[])

Update an existing FIDO2 Metadata Service connection.

Parameters:
  • mds_id (str) – The Verify Identity Access assigned identifier.

  • url (str) – The URL used to connect to the metadata service (including the protocol).

  • retry_interval (int) – When the lifetime of a downloaded metadata has expired and a request to retrieve the new metadata fails, this defines the wait interval (in seconds) before retrying the download. If not specified the default value of 3600 seconds will be used. A value of 0 will result in a retry on each attestation validation.

  • jws_truststore (str) – The name of the JWS verification truststore. The truststore contains the certificate used to verify the signature of the downloaded metadata blob. If not specified the SSL trust store or the trust store configured in the HTTPClientV2 advanced configuration will be used.

  • truststore (str) – The name of the truststore to use. The truststore has a dual purpose. Firstly, it is used when making an HTTPS connection to the Metadata Service. Secondly, if the jws_truststore is not specified it must contain the certificate used to verify the signature of the downloaded metadata blob. If not specified and an HTTPS connection is specified, the trust store configured in the HTTPClientV2 advanced configuration will be used.

  • username (str) – The basic authentication username. If not specified BA will not be used.

  • password (str) – The basic authentication password. If not specified BA will not be used.

  • keystore (str) – The client keystore. If not specified client certificate authentication will not be used.

  • protocol (str) – The SSL protocol to use for the HTTPS connection. Valid values are TLS, TLSv1, TLSv1.1 and TLSv1.2. If not specified the protocol configured in the HTTPClientV2 advanced configuration will be used.

  • timeout (int) – The request timeout in seconds. A value of 0 will result in no timeout. If not specified the connect timeout configured in the HTTPClientV2 advanced configuration will be used.

  • proxy (str) – The URL of the proxy server used to connect to the metadata service (including the protocol).

  • headers (list of str) – A list of HTTP headers to be added to the HTTP request when retrieving the metadata from the service.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_relying_party(id, name=None, rp_id=None, origins=None, metadata_set=[], metadata_soft_fail=True, mediator_mapping_rule_id=None, attestation_statement_types=None, attestation_statement_formats=None, attestation_public_key_algorithms=None, attestation_android_safety_net_max_age=None, attestation_android_safetynet_clock_skew=None, attestation_android_safetynet_cts_match=None, relying_party_impersonation_group=None, compound_all_valid=None, timeout=None, metadata_services=[])

Update a FIDO2 relying party.

Parameters:
  • name (str) – Name of relying party.

  • rp_id (str) – The domain that the relying party acts for. This should be a valid domain name.

  • origins (list of str) – List of allowed origins for the relying party. Origins must be a valid URI and https origins should be a subdomain of the rp_id.

  • metadata_set (list of str) – List of document ids to include as metadata.

  • metadata_soft_fail (bool) – Flag to indicate if a registration attempt should fail if metadata cannot be found.

  • mediator_mapping_rule_id (str) – The id of the FIDO JavaScript mapping rule to use as a mediator.

  • attestation_statement_types (list of str) – List of allowed attestation types.

  • attestation_statement_formats (list of str) – List of allowed attestation formats.

  • attestation_public_key_algorithms (list of str) – List of supported cryptographic signing algorithms.

  • attestation_android_safetynet_max_age (int) – Length of time that an “android-safetynet” attestation is valid for.

  • attestation_android_safetynet_clock_skew (int) – Clock skew allowed for “android-safetynet” attestations.

  • attestation_android_safetynet_cts_match (int) – Enforce the Android Safetynet CTS Profile Match flag.

  • relying_party_impersonation_group (str) – Group which permits users to perform FIDO flows on behalf of another user.

  • compound_all_valid (bool, optional) – True if all attestation statements in a compound attestation must be valid to successfully register a given authenticator. Only valid if compound is included in attestation_statement_formats.

  • timeout (int, optional) – Length of time a user has to complete a FIDO2/WebAuthn ceremony. Default value is 300 seconds (5 mins).

  • metadata_services (list of str) – List of MDS ids to include as metadata providers.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

FIDO2 Registrations

class pyivia.core.access.fido2registrations.FIDO2Registrations(base_url, username, password)
delete_registration_by_credential_id(credential_id=None)

Delete a registration associated with the specified credential id.

Parameters:

credential_id (str) – The credential id to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_registration_by_user(username=None)

Remove all registrations associated with a username.

Parameters:

username (str) – The username to remove registrations for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_registration(credential_id)

Get a specific registration by credential id.

Parameters:

credential_id (str) – The unique identifier for the authenticator.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the FIDO2 registration is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_registrations(username=None, credential_id=None)

Get a list of all the known FIDO2 registrations.

Parameters:
  • username (str, optional) – Specify a username to filter registrations by.

  • credential_id (str) – Specify a credential id to filter registrations by.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the FIDO2 registrations are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

Mapping Rules

class pyivia.core.access.mappingrules.MappingRules(base_url, username, password)
create_rule(rule_name=None, category=None, content=None)

Create a JavaScript mapping rule.

Parameters:
  • rule_name (str) – The name of the new mapping rule.

  • category (str) – Type of mapping rule to create.

  • content (str) – The JavaScript content of the new mapping rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created mapping rule can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_rule(rule_id=None)

Delete the specified mapping rule if it exists.

Parameters:

rule_id (str) – The id of the mapping rule to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_rule(rule_id=None)

Get a mapping rule based on a rule id.

Parameters:

rule_id (str, optional) – The id of the mapping rule to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the mapping rule is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

import_rule(rule_name=None, category=None, file_name=None)

Create a JavaScript mapping rule from a file.

Parameters:
  • rule_name (str) – The name of the rule to be created.

  • category (str) – Type of mapping rule to create.

  • file_name (str) – The absolute path to the JavaScript mapping rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created mapping rule can be accessed from the response.id_from_location attribute.

Return type:

Response

list_rules(filter=None)

Return a list of all mapping rules.

Parameters:

filter (str, optional) – Filter to apply to returned rules, e.g. “name startswith Test”.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the mapping rules are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_rule(rule_id, file_name=None, content=None)

Update an existing JavaScript mapping rule with new contents.

Parameters:
  • rule_id (str) – The id of the rule to be updated.

  • file_name (str, optional) – Absolute path to file containing new mapping rule. Must specify either file_name or content.

  • content (str, optional) – The JavaScript code to replace the current mapping rule. Must specify either file_name or content.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Mobile Multi-Factor Authentication

class pyivia.core.access.mmfaconfig.MMFAConfig9021(base_url, username, password)
delete()

Delete the mobile multi-factor authentication configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update(client_id=None, hostname=None, junction=None, port=None, details_url=None, enrollment_endpoint=None, hotp_shared_secret_endpoint=None, totp_shared_secret_endpoint=None, token_endpoint=None, authntrxn_endpoint=None, mobile_endpoint_prefix=None, qrlogin_endpoint=None, discovery_mechanisms=[], options=None)

Update the mobile multi-factor authentication (MMFA) configuration.

Parameters:
  • client_id (str) – The id of the OIDC client to use.

  • hostname (str, optional) – The hostname of the WebSEAL instance configured for MMFA.

  • junction (str, optional) – The junction prefix configured for MMFA.

  • port (int, optional) – The port the MMFA endpoint is listening on.

  • hotp_shared_secret_endpoint (str) – The HOTP shared secret endpoint returned from the discovery endpoint.

  • totp_shared_secret_endpoint (str) – The TOTP shared secret endpoint returned from the discovery endpoint.

  • token_endpoint (str) – The OAuth token endpoint returned from the discovery endpoint.

  • authntrxn_endpoint (str) – The SCIM Transaction endpoint returned from the discovery endpoint.

  • mobile_endpoint_prefix (str) – The prefix of the runtime endpoint that is constructed and saved as the request URL of a transaction.

  • qrlogin_endpoint (str) – The QR Code login endpoint returned from the discovery endpoint.

  • discovery_mechanisms (list of str) – A list of authentication mechanism URIs to be included in the discovery endpoint response.

  • options (str) – A list of configurable key-value pairs to be presented in the QR code.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Policy Information Points

class pyivia.core.access.pip.PIP(base_url, username, password)
create_pip(name=None, description=None, type=None, attributes=[], properties=[])

Create a new Policy Information Point.

Parameters:
  • name (str) – A unique name for the policy information point. This name is used as the Issuer for custom attributes whose value is returned by this policy information point.

  • description (str, optional) – A description of the policy information point.

  • type (str) – The policy information point type for this policy information point. Valid values are “Database”, “FiberLink MaaS360”, “JavaScript”, “RESTful Web Service”, “LDAP”, and “QRadar User Behavior Analytics”.

  • attributes (list of dict) – A list of custom attributes whose values are retrieved from select portions of the response from this policy information point.

  • properties (list of dict) – Configurable properties defining this policy information point. These entries are specific to the policy information point type.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created PIP can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_pip(pip_id)

Delete a configured PIP.

Parameters:

pip_id (str) – The Verify Identity Access assigned identifier of the PIP.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_pip(pip_id)

Get the configuration for a specific PIP.

Parameters:

pip_id (str) – The Verify Identity Access assigned identifier of the PIP.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the PIP configuration is returned as JSON and can be accessed via the response.json property.

Return type:

Response

list_pips(sort_by=None, filter=None)

Get a list of all the configured PIPs.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the PIP configuration is returned as JSON and can be accessed via the response.json property.

Return type:

Response

update_pip(pip_id, name=None, description=None, type=None, attributes=[], properties=[])

Update an existing Policy Information Point.

Parameters:
  • pip_id (str) – The Verify Identity Access assigned identifier of the PIP.

  • name (str) – A unique name for the policy information point. This name is used as the Issuer for custom attributes whose value is returned by this policy information point.

  • description (str, optional) – A description of the policy information point.

  • type (str) – The policy information point type for this policy information point. Valid values are “Database”, “FiberLink MaaS360”, “JavaScript”, “RESTful Web Service”, “LDAP”, and “QRadar User Behavior Analytics”.

  • attributes (list of dict) – A list of custom attributes whose values are retrieved from select portions of the response from this policy information point.

  • properties (list of dict) – Configurable properties defining this policy information point. These entries are specific to the policy information point type.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Push Notification Providers

class pyivia.core.access.pushnotification.PushNotification9021(base_url, username, password)
create_provider(app_id=None, platform=None, provider_address=None, apple_key_store=None, apple_key_label=None, firebase_server_key=None, imc_client_id=None, imc_client_secret=None, imc_refresh_token=None, imc_app_key=None)

Create a push notification provider.

Parameters:
  • app_id (str) – The application identifier associated with the registration.

  • platform (str) – The platform the registration is for.

  • provider_address (str) – The “host:port” address of the push notification service.

  • apple_key_store (str, optional) – The key store database containing the APNS certificate.

  • apple_key_label (str, optional)

  • firebase_server_key (str) – The server key for access to the Firebase push notification service.

  • imc_client_id (str, optional) – The IBM Marketing Cloud issued OAuth client ID.

  • imc_client_secret (str, optional) – The IBM Marketing Cloud issued OAuth client secret.

  • imc_refresh_token (str, optional) – The IBM Marketing Cloud issued OAuth refresh token.

  • imc_app_key (str, optional) – The app key issued by IBM Marketing Cloud for the associated application.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the push notification provider uuid is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

delete_provider(pnr_id)

Delete an existing push notification provider.

Parameters:

pnr_id (str) – The identifier for the push notification resource to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the push notification provider is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_provider(pnr_id)

Get a specific push notification provider.

Parameters:

pnr_id (str) – The unique identifier for the push notification resource.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the push notification provider is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_providers()

List the configured push notification service providers.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the push notification providers are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_provider(pnr_id, app_id=None, platform=None, provider_address=None, apple_key_store=None, apple_key_label=None, firebase_server_key=None, imc_client_id=None, imc_client_secret=None, imc_refresh_token=None, imc_app_key=None)

Update an existing push notification provider.

Parameters:
  • pnr_id (str) – The unique identifier for the push notification resource.

  • app_id (str) – The application identifier associated with the registration.

  • platform (str) – The platform the registration is for.

  • provider_address (str) – The “host:port” address of the push notification service.

  • apple_key_store (str, optional) – The key store database containing the APNS certificate.

  • apple_key_label (str, optional)

  • firebase_server_key (str) – The server key for access to the Firebase push notification service.

  • imc_client_id (str, optional) – The IBM Marketing Cloud issued OAuth client ID.

  • imc_client_secret (str, optional) – The IBM Marketing Cloud issued OAuth client secret.

  • imc_refresh_token (str, optional) – The IBM Marketing Cloud issued OAuth refresh token.

  • imc_app_key (str, optional) – The app key issued by IBM Marketing Cloud for the associated application.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the push notification provider uuid is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

Risk Profiles

class pyivia.core.access.riskprofiles.RiskProfiles(base_url, username, password)
create_profile(description=None, name=None, active=None, attributes=None, predefined=False)

Create a risk profile.

Parameters:
  • description (str) – A description associated with the risk profile.

  • name (str) – A unique name of the risk profile.

  • active (bool) – Indicate if this is the active risk profile.

  • attributes (list of dict) –

    Array of attributes comprising this risk profile and the weight value of each attribute which is used in determining the risk score. eg:

    [
        {"weight":50,
         "attributeID":"28"
        },
        {"weight":10,
         "attributeID":"34"
        }
    ]
    

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created risk profile can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_profile(_id)

Delete an existing risk profile.

Parameters:

_id (str) – The id of the risk profile to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get_profile(_id)

Get the configuration of a specific risk profile.

Parameters:

_id (str) – The id of the risk profile to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the risk profiles are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_profiles()

List all of the configured risk profiles.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the risk profiles are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_profile(_id, description=None, name=None, active=None, attributes=None, predefined=False)

Update an existing risk profile.

Parameters:
  • _id (str) – The id of the risk profile to be updated.

  • description (str) – A description associated with the risk profile.

  • name (str) – A unique name of the risk profile.

  • active (bool) – Indicate if this is the active risk profile.

  • attributes (list of dict) –

    Array of attributes comprising this risk profile and the weight value of each attribute which is used in determining the risk score. eg:

    [
        {"weight":50,
         "attributeID":"28"
        },
        {"weight":10,
         "attributeID":"34"
        }
    ]
    

  • predefined (bool, optional) – Is this risk profile pre-defined by Verify Identity Access.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Runtime Parameters

class pyivia.core.access.runtimeparameters.RuntimeParameters(base_url, username, password)
add_listening_interface(interface, port, secure=None)

Add a new endpoint for the runtime server.

Parameters:
  • interface (str) – The concatenation of the interface and IP address UUIDs, separated by a ‘.’ character. eg: 38a69185-a61a-44a1-b574-a3b502f01414.f980aabe-80b7-4738-9cda-bccede8d34f2

  • port (int) – The port that the endpoint will listen on.

  • secure (bool) – Flag to indicate if endpoint uses SSL.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the new runtime endpoint id is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

delete_listening_interface(interface, port)

Remove an existing runtime endpoint.

Parameters:
  • interface (str) – The concatenation of the interface and IP address UUIDs, separated by a ‘.’ character. eg: 38a69185-a61a-44a1-b574-a3b502f01414.f980aabe-80b7-4738-9cda-bccede8d34f2

  • port (int) – The port that the endpoint will listen on.

  • secure (bool) – Flag to indicate if endpoint uses SSL.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

list_parameters()

Get a list of all of the configured runtime tuning parameters.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the runtime tuning parameters are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_parameter(parameter, value=None)

Update a single runtime tuning parameter.

Parameters:

value (str) – The parameter to be updated.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_trace(trace_string='')

Update the JVM trace settings for the Runtime Liberty server.

Parameters:

trace_string (str) – The new JVM trace settings.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

System for Cross-Domain Identity Management (SCIM) Configuration

class pyivia.core.access.scimconfig.SCIMConfig(base_url, username, password)
get_config()

Get the current SCIM configuration profile.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the SCIM profile is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_general_config()

Get the general SCIM configuration settings.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the general SCIM properties are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_schema(schema_name)

Get the current SCIM configuration for a specific schema.

Parameters:

schema_name (str) – The name of the SCIM schema to fetch configuration for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the SCIM schema profile is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update(data)

Update the SCIM configuration profile. This method could be better.

update_attribute_mode(schema_name, scim_attribute, scim_subattribute=None, mode=None)

Update the attribute model used for SCIM attribute mapping.

Parameters:
  • schema_name (str) – Name of the SCIM schema to update attribute modes for.

  • scim_attribute (str) – Name of the SCIM attribute to update mode for.

  • scim_subattribute (str, optional) – If the SCIM attribute is a multi-valued attribute this is the second level attribute name.

  • mode (str) – New mode for the SCIM attribute. Valid values are: “readonly”, “writeonly”, “readwrite”, “adminwrite” or “immutable”.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_general_config(admin_group='adminGroup', enable_header_authentication=True, enable_authz_filter=True, max_user_responses=None, attribute_modes=[])

Update the general configuration settings of the SCIM profile.

Parameters:
  • admin_group (str, optional) – The name of the group used to identify SCIM admin users. Default is “adminGroup”.

  • enable_header_authentication (bool, optional) – Whether or not SCIM header authentication is enabled. Default is true.

  • enable_authz_filter (bool, optional) – Whether or not the authorization filter is enabled.

  • max_user_responses (int, optional) – The maximum number of entries that can be returned from a single call to the /User endpoint.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

update_isam_user(ldap_connection=None, isam_domain=None, update_native_users=None)

Update SCIM user mappings for basic and full Verify Identity Access users.

Parameters:
  • ldap_connection (str) – The name of the ldap server connection to the Verify Identity Access user registry.

  • isam_domain (str) – The name of the Verify Identity Access domain.

  • update_native_users (bool) – Whether the UID of native users should be updated with the Verify Identity Access user identity when a Verify Identity Access user is created.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the updated SCIM user configuration is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update_schema(schema_name, data)

Update the configuration profile of a SCIM schema.

Parameters:
  • schema_name (str) – The name of the SCIM schema to update.

  • data (dict) – The updated configuration profile.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Server Connections

class pyivia.core.access.serverconnections.ServerConnections(base_url, username, password)
create_ci(name=None, description=None, locked=None, connection_host_name=None, connection_client_id=None, connection_client_secret=None, connection_ssl_truststore=None)

Create a Cloud Identity server connection.

Parameters:
  • name (str) – Unique name for the server connection.

  • description (str) – Description of the server connection.

  • locked (bool) – Controls whether the connection is allowed to be deleted.

  • connection_host_name (str) – The hostname of the Cloud Identity Tenant.

  • connection_client_id (str) – The id of the OIDC client to authenticate to Cloud Identity.

  • connection_client_secret (str) – The OIDC client secret to authenticate to Cloud Identity.

  • connection_ssl_truststore (str) – The SSL database to authenticate connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the uuid of the created Cloud Identity connection can be accessed from the response.id_from_location attribute.

Return type:

Response

create_jdbc(name=None, description=None, locked=None, database_type=None, connection_jndi=None, connection_host_name=None, connection_port=None, connection_ssl=None, connection_user=None, connection_password=None, connection_type=None, connection_service_name=None, connection_database_name=None, connection_aged_timeout=None, connection_connection_timeout=None, connection_per_thread=None, connection_max_idle=None, connection_max_pool_size=None, connection_min_pool_size=None, connection_per_local_thread=None, connection_purge_policy=None, connection_reap_time=None)

Create JDBC server connection.

Parameters:
  • name (str) – Unique name for the server connection.

  • description (str) – Description of the server connection.

  • locked (bool) – Controls whether the connection is allowed to be deleted.

  • database_type (str) – The database type deployed on the server connection.

  • connection_jndi (str) – The internal JNDI id used to reference this connection.

  • connection_host_name (str) – The hostname for the database server.

  • connection_port (int) – The port that the database is listening on.

  • connection_ssl (bool) – Flag to enable SSL encryption on connections.

  • connection_user (str) – User to authenticate to database.

  • connection_password (str) – Password to authenticate to database.

  • connection_type (str) – The Oracle JDBC driver type. Only valid for Oracle databases.

  • connection_service_name (str) – The name of the database service to connect to.

  • connection_database_name (str) – The name of the database to connect to.

  • connection_aged_timeout (int) – Amount of time before a physical connection can be discarded by pool maintenance.

  • connection_connection_timeout (int) – Amount of time after which a connection request times out.

  • connection_per_thread (int) – Limits the number of open connections on each thread.

  • connection_max_idle (str) – Amount of time after which an unused or idle connection can be discarded.

  • connection_max_pool_size (int) – Maximum number of physical connections for a pool. A value of 0 is unlimited.

  • connection_min_pool_size (int) – Minimum number of physical connections to maintain in the pool.

  • connection_per_local_thread (int) – Caches the specified number of connections for each thread.

  • connection_purge_policy (str) – Specifies which connections to destroy when a stale connection is detected in a pool.

  • connection_reap_time (str) – Amount of time between runs of the pool maintenance thread. A value of -1 disables pool maintenance.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the uuid of the created JDBC can be accessed from the response.id_from_location attribute.

Return type:

Response

create_ldap(name=None, description=None, locked=None, connection_host_name=None, connection_bind_dn=None, connection_bind_pwd=None, connection_ssl_truststore=None, connection_ssl_auth_key=None, connection_host_port=None, connection_ssl=None, connect_timeout=None, servers=None)

Create a LDAP server connection.

Parameters:
  • name (str) – Unique name for the server connection.

  • description (str) – Description of the server connection.

  • locked (bool) – Controls whether the connection is allowed to be deleted.

  • connection_host_name (str) – Host name for the LDAP server.

  • connection_bind_dn (str) – Name to bind to LDAP server for admin operations.

  • connection_bind_pwd (str) – Password associated with admin domain name.

  • connection_ssl_truststore (str, optional) – The SSL database to use. Only valid if ssl is enabled.

  • connection_ssl_auth_key (str, optional) – The certificate to use to authenticate connections. Only valid if ssl is enabled.

  • connection_host_port (str) – The port that the LDAP server is listening on.

  • connection_ssl (bool) – Enable SSL encryption on connections.

  • connect_timeout (int) – Length of time Verify Identity Access will wait before timing out a connection.

  • servers (list of dict) – Additional LDAP servers for this connection.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the uuid of the created LDAP connection can be accessed from the response.id_from_location attribute.

Return type:

Response
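
A pre-flight check for the create_ldap arguments documented above, as an added example that is not part of pyivia. It enforces the documented rule that connection_ssl_truststore and connection_ssl_auth_key are only valid when SSL is enabled, plus two local policy choices that are assumptions; check_ldap_args, create_ldap_checked, StandInServerConnections and all sample values are hypothetical.

```python
# Added example, not pyivia code. Helper names and sample values are constructed.
import re
from types import SimpleNamespace


class ConnectionArgError(ValueError):
    """The arguments contradict a documented constraint or a local policy."""


def check_ldap_args(args):
    """Return (severity, message) findings for create_ldap keyword arguments."""
    findings = []
    ssl = bool(args.get("connection_ssl"))

    for required in ("name", "connection_host_name", "connection_bind_dn"):
        if not args.get(required):
            findings.append(("error", f"{required} is missing or empty"))

    # connection_host_port is documented as a str; accept only a TCP port number.
    port = str(args.get("connection_host_port", ""))
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        findings.append(("error", f"connection_host_port {port!r} is not a TCP port"))

    # Documented: truststore and auth key are "only valid if ssl is enabled".
    for ssl_only in ("connection_ssl_truststore", "connection_ssl_auth_key"):
        if args.get(ssl_only) and not ssl:
            findings.append(("error", f"{ssl_only} set while connection_ssl is off"))

    # Local policy (assumption): never send the bind password without SSL.
    if args.get("connection_bind_pwd") and not ssl:
        findings.append(("plaintext", "bind password would be sent without SSL"))

    # Local policy (assumption): name the truststore explicitly when SSL is on.
    if ssl and not args.get("connection_ssl_truststore"):
        findings.append(("warning", "connection_ssl on, no connection_ssl_truststore"))

    servers = args.get("servers")
    if servers is not None and not (
        isinstance(servers, list) and all(isinstance(s, dict) for s in servers)
    ):
        findings.append(("error", "servers must be a list of dict"))
    return findings


def create_ldap_checked(server_connections, allow_plaintext=False, **args):
    """Call create_ldap only if nothing blocks it; return the new connection uuid."""
    blocking = [
        message
        for severity, message in check_ldap_args(args)
        if severity == "error" or (severity == "plaintext" and not allow_plaintext)
    ]
    if blocking:
        raise ConnectionArgError("; ".join(blocking))
    response = server_connections.create_ldap(**args)
    if not response.success:
        raise RuntimeError(f"create_ldap for {args['name']!r} was not successful")
    return response.id_from_location


class StandInServerConnections:
    """Constructed stand-in so the example runs offline; it only records calls."""

    def __init__(self):
        self.calls = []

    def create_ldap(self, **kwargs):
        self.calls.append(kwargs)
        return SimpleNamespace(success=True, id_from_location="constructed-uuid-0001")


SAMPLE_ARGS = {  # constructed values, not taken from any real deployment
    "name": "corp-ldap",
    "description": "constructed sample",
    "locked": False,
    "connection_host_name": "ldap.example.internal",
    "connection_host_port": "636",
    "connection_bind_dn": "cn=svc-ivia,dc=example,dc=internal",
    "connection_bind_pwd": "constructed-secret",
    "connection_ssl": True,
    "connection_ssl_truststore": "example_truststore",
}

if __name__ == "__main__":
    client = StandInServerConnections()
    print(create_ldap_checked(client, **SAMPLE_ARGS))
    print(check_ldap_args(dict(SAMPLE_ARGS, connection_ssl=False)))
```

In real use, pass the object that exposes create_ldap in place of the stand-in.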

create_smtp(name=None, description=None, locked=None, connect_timeout=None, connection_host_name=None, connection_host_port=None, connection_ssl=None, connection_user=None, connection_password=None)

Create a SMTP server connection.

Parameters:
  • name (str) – Unique name for the server connection.

  • description (str) – Description of the server connection.

  • locked (bool) – Controls whether the connection is allowed to be deleted.

  • connect_timeout (int) – Amount of time Verify Identity Access will wait before timing out a connection.

  • connection_host_name (str, optional) – The hostname of the SMTP server. Only valid if SSL is enabled.

  • connection_host_port (str, optional) – The port that the SMTP server is listening on. Only valid if SSL is enabled.

  • connection_ssl (bool) – Enable SSL encryption on connections.

  • connection_user (str, optional) – User to authenticate to SMTP server.

  • connection_password (str, optional) – Password to authenticate to SMTP server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the uuid of the created SMTP connection can be accessed from the response.id_from_location attribute.

Return type:

Response

create_web_service(name=None, description=None, locked=None, connection_url=None, connection_user=None, connection_password=None, connection_ssl_truststore=None, connection_ssl_auth_key=None, connection_ssl=None)

Create a Web Service server connection.

Parameters:
  • name (str) – Unique name for the server connection.

  • description (str) – Description of the server connection.

  • locked (bool) – Controls whether the connection is allowed to be deleted.

  • connection_url (str) – The URL to the server.

  • connection_user (str, optional) – The user to authenticate to the Web Service.

  • connection_password (str, optional) – The password to authenticate to the Web Service.

  • connection_ssl_truststore (str, optional) – The SSL database to authenticate connections. Only valid if SSL is enabled.

  • connection_ssl_auth_key (str) – The certificate to authenticate connections. Only valid if SSL is enabled.

  • connection_ssl (bool) – Flag to enable SSL encryption for connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the uuid of the created Web Service connection can be accessed from the response.id_from_location attribute.

Return type:

Response

delete_ci(uuid)

Delete an existing Cloud Identity server connection.

Parameters:

uuid (str) – The id of the Cloud Identity connection to remove.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_jdbc(uuid)

Delete an existing JDBC server connection.

Parameters:

uuid (str) – The id of the JDBC to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_ldap(uuid)

Delete an existing LDAP server connection.

Parameters:

uuid (str) – The id of the LDAP server connection to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_smtp(uuid)

Delete an existing SMTP server connection.

Parameters:

uuid (str)

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_web_service(uuid)

Delete an existing Web Service server connection.

Parameters:

uuid (str) – The id of the Web Service server connection to remove.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

list_all()

List all of the configured server connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the server connections are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_ci()

List the configured Cloud Identity server connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the Cloud Identity server connections are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_jdbc()

List the configured JDBC server connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the JDBC server connections are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_ldap()

List the configured LDAP server connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the LDAP server connections are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_smtp()

List the configured SMTP server connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the SMTP server connections are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_web_service()

List the configured Web Service server connections.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the Web Service server connections are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

Template Files

class pyivia.core.access.templatefiles.TemplateFiles(base_url, username, password)
create_directory(path, dir_name=None)

Create a new directory for template files.

Parameters:
  • path (str) – Path to directory where new directory will be created.

  • dir_name (str) – Name of new directory.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the directory is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

create_file(path, file_name=None, contents=None)

Create a new template file.

Parameters:
  • name (str) – Name of new file.

  • file_name (str, optional) – Absolute path to file with contents of new template file. Either file_name or contents must be specified.

  • contents (str, optional) – Contents of new template file. Either file_name or contents must be specified.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the contents of the directory is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

delete_file(path, file_name)

Delete a template file from Verify Identity Access.

Parameters:
  • path (str) – Path to template file.

  • file_name (str) – Name of template file to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_directory(path, recursive=None)

List the contents of a directory.

Parameters:
  • path (str) – Path to directory to list.

  • recursive (bool) – Flag to recursively list subdirectories.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the contents of the directory is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get_file(path, file_name)

Get the contents of a template file.

Parameters:
  • path (str) – Path to template file.

  • file_name (str) – Name of the file to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the contents of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

import_file(path, file_name, file_path)

Import a template file to Verify Identity Access.

Parameters:
  • path (str) – The path to the directory where the new template file will be created.

  • file_name (str) – The name of the template file.

  • file_path (str) – Absolute path to local file to be imported.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

import_files(file_path, force=True)

Import a compressed (zip) file of template files.

Parameters:
  • file_path (str) – Absolute path to compressed file to be imported.

  • force (bool) – Flag to overwrite any existing template files in Verify Identity Access.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response
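
Because import_files defaults to force=True, an imported archive overwrites existing template files. The following added example (not pyivia code) inventories a zip before it is handed to import_files and compares it with an approved baseline; the helper names, the baseline manifest and the archive contents are hypothetical and constructed.

```python
# Added example, not pyivia code. Entry names and contents are constructed.
import hashlib
import io
import posixpath
import zipfile


def inventory_template_zip(archive):
    """Return ({entry_name: sha256_hex}, [problems]) for a zip path or file object."""
    manifest, problems = {}, []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            normalised = posixpath.normpath(name.replace("\\", "/"))
            # Entries must stay inside the template root once normalised.
            if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
                problems.append(f"entry escapes the template root: {name!r}")
                continue
            if normalised in manifest:
                problems.append(f"duplicate entry: {name!r}")
                continue
            manifest[normalised] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest, problems


def diff_against_baseline(manifest, baseline):
    """Compare with an approved {name: sha256} baseline (an assumed local record)."""
    shared = manifest.keys() & baseline.keys()
    return {
        "added": sorted(set(manifest) - set(baseline)),
        "removed": sorted(set(baseline) - set(manifest)),
        "changed": sorted(n for n in shared if manifest[n] != baseline[n]),
    }


def build_constructed_archive():
    """Constructed sample archive held in memory, including one unsafe entry."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as zf:
        zf.writestr("C/login.html", "<html>login</html>")
        zf.writestr("C/otp.html", "<html>otp</html>")
        zf.writestr("../outside.html", "<html>unexpected</html>")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    manifest, problems = inventory_template_zip(build_constructed_archive())
    baseline = {"C/login.html": manifest["C/login.html"], "C/otp.html": "0" * 64}
    print(problems)
    print(diff_against_baseline(manifest, baseline))
```

Call import_files only when the problem list is empty and the "changed" and "added" names match the intended change.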

update_file(path, file_name, contents=None, force=False)

Update an existing template file.

Parameters:
  • path (str) – Path to directory where template file will be updated.

  • file_name (str) – Name of file to be updated.

  • contents (str) – New contents of template file.

  • force (bool) – Flag to overwrite an existing file with the same name.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

User Registry

class pyivia.core.access.userregistry.UserRegistry(base_url, username, password)
update_user_password(username, password=None)

Update the password for a user in the AAC runtime server user registry.

Parameters:
  • username (str) – User to update password for.

  • password (str) – New password for user.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response