Conjur's authorization engine is used to define and enforce access control rules.
It maintains a catalogue of roles, resources, and permissions.
On top of these basic concepts more complex features are supported, such as storing encrypted information with managed read and write access.
Each role and resource is assigned a unique identifier.
Each identifier is a string in the form:
The organization account id which you chose when you configured Conjur.
This is basically a short, lower-case name of your organization such as
The record type. Examples of kind are: "user", "group", "host", "layer", "variable", "service".
When you create your own "raw" resources, you can use any kind that you like. Kinds should be short and lower-case.
An identifier that is unique within the kind. Typically, the id is a path/based/string, except for user ids, which are alphanumeric plus underscore, dash, and the @ symbol.
The id should almost always start with a prefix that groups related ids together.
For example, consider assigning Conjur identifiers to cloud-hosted virtual machines. A good scheme for the id is:
id of an EC2 VM would look something like ec2/i-aeeb32a9. The full identifier would be
User ids can be simple ids like jpage. They can also be formed like email addresses:
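The rules above (an account, a kind, and a kind-scoped id; user ids restricted to alphanumerics plus underscore, dash and @; other ids path-based and ideally grouped by a prefix) are easy to get subtly wrong when identifiers are assembled by scripts, so a small parser that checks them before they are written into policy is useful. The following is an added example, not code from the Conjur project. It assumes the fully qualified form is the three parts joined by colons (account:kind:id), that the id part may itself contain colons, and that account names use the same lower-case character set as kinds; the account name "myorg" and the dot allowed in email-style user ids are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Assumed character sets (the page says "short, lower-case" for accounts and kinds).
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9_-]*$")
KIND_RE = re.compile(r"^[a-z][a-z0-9_-]*$")
# User ids: alphanumeric plus underscore, dash and '@' per the text; '.' is added
# here (an assumption) so that email-style user ids such as jpage@example.com pass.
USER_ID_RE = re.compile(r"^[A-Za-z0-9_\-@.]+$")


@dataclass(frozen=True)
class ConjurId:
    """A parsed Conjur identifier: account, kind and the kind-scoped id."""
    account: str
    kind: str
    id: str

    def __str__(self) -> str:
        # Assumed fully qualified layout: account:kind:id
        return f"{self.account}:{self.kind}:{self.id}"

    @property
    def prefix(self) -> str:
        """Leading path segment that groups related ids ('ec2' for 'ec2/i-aeeb32a9')."""
        return self.id.split("/", 1)[0] if "/" in self.id else ""


def parse_conjur_id(text: str) -> ConjurId:
    """Split a fully qualified identifier and validate each part.

    Raises ValueError on malformed input so callers cannot silently write
    a mistyped identifier (for example an upper-case kind) into policy.
    """
    # Split on at most two colons: the id part may legitimately contain ':'.
    parts = text.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected account:kind:id, got {text!r}")
    account, kind, ident = parts

    if not ACCOUNT_RE.match(account):
        raise ValueError(f"bad account {account!r}: must be short and lower-case")
    if not KIND_RE.match(kind):
        raise ValueError(f"bad kind {kind!r}: must be short and lower-case")

    if kind == "user":
        if not USER_ID_RE.match(ident):
            raise ValueError(f"bad user id {ident!r}: alphanumeric, '_', '-', '@' only")
    else:
        # Path-based id: reject empty segments ('/x', 'a//b', 'a/') as an
        # extra sanity check of this example, not a rule stated by the page.
        if any(seg == "" for seg in ident.split("/")):
            raise ValueError(f"bad id {ident!r}: empty path segment")

    return ConjurId(account, kind, ident)


def is_valid_conjur_id(text: str) -> bool:
    """Boolean wrapper for use in scripts that generate policy."""
    try:
        parse_conjur_id(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # "myorg" is a constructed account name; the EC2 id is the one from the text.
    for candidate in ["myorg:host:ec2/i-aeeb32a9", "myorg:user:jpage",
                      "myorg:user:jpage@example.com", "myorg:Host:ec2/i-aeeb32a9"]:
        print(candidate, "->", is_valid_conjur_id(candidate))
```

Running the module prints one line per candidate; the upper-case "Host" kind is rejected, which is the kind of mistake that otherwise surfaces only as a confusing permission-denied at runtime.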