# FRN Resource Registry

This document catalogues every resource type in the DotID platform, its canonical FRN pattern, and the actions that operate on it.

FRN patterns use the format `frn:{account-id}:{service}:{resource-path}`.

See the FRN Specification for full syntax and wildcard rules.
## Resource Scoping

DotID resources fall into two scoping categories:

- **Account-scoped**: the `account-id` segment is the owning account.
  - `frn:{accountId}:iam:user/{userId}`
  - `frn:{accountId}:audit:event/{eventId}`
- **Organization-scoped**: the `account-id` segment is the management account of the organization.
  - `frn:{mgmtAccountId}:org:organization/{orgId}`
  - `frn:{mgmtAccountId}:quota:organization/{orgId}`
## iam — Identity & Access Management

All IAM resources are scoped to the account that owns them.

| Resource Type | FRN Pattern | Actions | Notes |
|---|---|---|---|
| IAM User | | | Keycloak user in account realm |
| IAM Group | | | Account-scoped group |
| Managed Policy | | | Reusable, attachable policy |
| Inline Policy | | | Embedded on user or group |
| Resource Policy | | | Attached to another FRN |
| Permission Boundary | | | Per-user max permissions |
| Credentials | | | Access keys (future) |

Wildcard examples for policy documents:

```text
frn:*:iam:user/*          ← any user in any account
frn:acc-123:iam:policy/*  ← all policies in account acc-123
frn:*:iam:**              ← all IAM resources everywhere
```
## org — Organizations

Organization resources are scoped to the management account.

| Resource Type | FRN Pattern | Actions | Notes |
|---|---|---|---|
| Organization | | | Top-level org |
| Organizational Unit | | | Hierarchical |
| Member Account | | | Account within org |

Wildcard examples:

```text
frn:*:org:organization/*                      ← any org
frn:acc-mgmt:org:organization/*/ou/*          ← any OU in any org under acc-mgmt
frn:acc-mgmt:org:organization/*/account/**    ← any account in any org under acc-mgmt
```
## scp — Service Control Policies

SCPs are scoped to the management account of the organization.

| Resource Type | FRN Pattern | Actions | Notes |
|---|---|---|---|
| Service Control Policy | | | Org-scoped |
## audit — Audit

Audit events are scoped to the account where the event occurred.

| Resource Type | FRN Pattern | Actions | Notes |
|---|---|---|---|
| Audit Event | | | Immutable log entries |

Wildcard examples:

```text
frn:*:audit:event/*     ← audit events across all accounts
frn:acc-123:audit:**    ← all audit resources in acc-123
```
## quota — Service Quotas

Quota resources are scoped to the management account, at the organization level. This is the only namespace currently enforced by the policy engine.

| Resource Type | FRN Pattern | Actions | Notes |
|---|---|---|---|
| Service Quota | | | Enforced |
## licensing — IoT Device Licensing (TrustMint)

Licensing resources are scoped to the account that owns the devices. This namespace is registered dynamically via the DotID Service Registry API at TrustMint startup.

| Resource Type | FRN Pattern | Actions | Notes |
|---|---|---|---|
| Device | | | IoT device inventory |
| Approval Request | | | License approval workflow |
| Certificate | | | X.509 device certificates |
| License Token | | | JWT license tokens |
| Event | | | Provisioning events |

Wildcard examples:

```text
frn:*:licensing:device/*          ← any device in any account
frn:acc-123:licensing:approval/*  ← all approval requests in acc-123
frn:*:licensing:**                ← all licensing resources everywhere
```
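The matcher below applies the wildcard conventions shown in the iam, org, audit and licensing examples above to concrete resource FRNs, so a policy author can see exactly which resources a pattern covers before it ships. It is an added illustration, not DotID's own policy-engine code; the single-segment reading of `*` and the path-remainder reading of `**` are assumptions drawn from this page's examples, and the FRN Specification governs the actual rules. The sample inventory and its ids are constructed.

```python
import re

# FRN format from this registry: frn:{account-id}:{service}:{resource-path}
# Wildcard semantics assumed from this page's examples (the FRN Specification
# is authoritative): '*' matches exactly one segment (a whole account-id or
# service, or one '/'-delimited path component); '**' matches the rest of the
# resource path across '/' boundaries.

def parse_frn(frn: str) -> tuple[str, str, str]:
    """Split an FRN into (account-id, service, resource-path); reject malformed input."""
    parts = frn.split(":", 3)
    if len(parts) != 4 or parts[0] != "frn" or not all(parts[1:]):
        raise ValueError(f"malformed FRN: {frn!r}")
    return parts[1], parts[2], parts[3]

def _segment_matches(pattern_seg: str, actual: str) -> bool:
    """Account-id and service segments: '*' covers any single value, else exact match."""
    return pattern_seg == "*" or pattern_seg == actual

def _path_regex(pattern_path: str) -> re.Pattern:
    """Compile a path pattern: '*' stays inside one '/' component, '**' does not."""
    pieces = []
    for comp in pattern_path.split("/"):
        if comp == "**":
            pieces.append(".*")
        else:
            pieces.append(re.escape(comp).replace(r"\*", "[^/]*"))
    return re.compile("/".join(pieces))

def frn_matches(pattern: str, frn: str) -> bool:
    """True if a policy-document FRN pattern covers a concrete resource FRN."""
    p_acct, p_svc, p_path = parse_frn(pattern)
    acct, svc, path = parse_frn(frn)
    return (_segment_matches(p_acct, acct)
            and _segment_matches(p_svc, svc)
            and _path_regex(p_path).fullmatch(path) is not None)

def covered_resources(pattern: str, frns: list[str]) -> list[str]:
    """Filter an inventory of concrete FRNs down to those a pattern covers."""
    return [f for f in frns if frn_matches(pattern, f)]

# Constructed sample inventory; the account and resource ids are made up.
SAMPLE_FRNS = [
    "frn:acc-123:iam:user/u-1",
    "frn:acc-123:iam:policy/p-1",
    "frn:acc-999:iam:user/u-2",
    "frn:acc-mgmt:org:organization/org-1",
    "frn:acc-mgmt:org:organization/org-1/ou/ou-1",
    "frn:acc-123:audit:event/ev-1",
]
```

Note that `frn:acc-mgmt:org:organization/*` covers only the organization itself, not its OUs, because `*` does not cross a `/`; reaching the OUs takes the `organization/*/ou/*` form listed above.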
## Summary

| Service | Scope | Resources | Action Count | Enforced |
|---|---|---|---|---|
| | Account | user, group, policy, inline-policy, resource-policy, permission-boundary, credentials | 36 | No |
| | Org (mgmt) | organization, ou, account | 16 | No |
| | Org (mgmt) | policy | 7 | No |
| | — | (no resources defined) | 2 | No |
| | Account | event | 3 | No |
| | Org (mgmt) | organization (quota scope) | 6 | Yes |
| | Account | device, approval, certificate, license, event | 13 | No |