# Control Center Service Schema
# Policy management, RBAC, and compliance configuration
#
# Every top-level section is `optional`. The `default = ...` values on nested
# fields presumably only materialize when the enclosing section is present in
# a config (NOTE(review): confirm against how the consumer merges these
# schemas before relying on a nested default).

let workspace_schema = import "schemas/platform/common/workspace.ncl" in
let server_schema = import "schemas/platform/common/server.ncl" in
let database_schema = import "schemas/platform/common/database.ncl" in
let security_schema = import "schemas/platform/common/security.ncl" in
let monitoring_schema = import "schemas/platform/common/monitoring.ncl" in
let logging_schema = import "schemas/platform/common/logging.ncl" in
let docker_build_schema = import "schemas/platform/docker-build.ncl" in

{
  ControlCenterConfig = {
    # Workspace configuration
    workspace | workspace_schema.WorkspaceConfig | optional,

    # HTTP server settings (port must be >= 9000 for control-center)
    server | server_schema.ServerConfigHighPort | optional,

    # Database configuration (policy storage)
    database | database_schema.DatabaseConfig | optional,

    # Security configuration (JWT, RBAC, encryption, MFA)
    security | security_schema.SecurityConfig | optional,

    # Policy Engine Configuration
    policy | {
      # Enable policy engine
      enabled | Bool | default = true,

      # NOTE(review): the original comment "Policy evaluation mode (sync,
      # async)" had no field under it; confirm whether a field was dropped or
      # the comment is stale.

      # Policy cache. `ttl` and `max_policies` carry no unit or range contract
      # in this schema -- confirm expected units with the consumer.
      cache | {
        enabled | Bool | default = true,
        ttl | Number | optional,
        max_policies | Number | optional,
      } | optional,

      # Policy versioning
      versioning | {
        enabled | Bool | default = true,
        max_versions | Number | optional,
      } | optional,

      # NOTE(review): the original comment "Policy conflict resolution"
      # likewise had no field under it; confirm whether one was dropped.
    } | optional,

    # RBAC Configuration
    rbac | {
      # Enable RBAC
      enabled | Bool | default = true,

      # Role hierarchy/inheritance
      hierarchy | Bool | default = true,

      # Dynamic role assignment (off by default; its semantics are defined by
      # the consumer, not visible here)
      dynamic_roles | Bool | default = false,

      # Default role for new users. No default is supplied here; this overlaps
      # with `users.registration.auto_assign_role` -- confirm which one the
      # consumer applies.
      default_role | String | optional,

      # Pre-defined roles
      roles | {
        admin | Bool | default = true,
        operator | Bool | default = true,
        viewer | Bool | default = true,
      } | optional,

      # Role-based attribute (ABAC), off by default
      attribute_based | Bool | default = false,
    } | optional,

    # User Management
    users | {
      # Enable user management
      enabled | Bool | default = true,

      # User registration. As the field names suggest, the defaults enable
      # registration without approval; the role a new user receives is
      # whatever `auto_assign_role` names, so review these together.
      registration | {
        enabled | Bool | default = true,
        requires_approval | Bool | default = false,
        auto_assign_role | String | optional,
      } | optional,

      # User session management. No defaults are supplied by this schema and
      # timeout units are not fixed here -- confirm with the consumer.
      sessions | {
        max_active | Number | optional,
        idle_timeout | Number | optional,
        absolute_timeout | Number | optional,
      } | optional,

      # User audit trail (off by default; distinct from the service-wide
      # `audit` section below)
      audit_enabled | Bool | default = false,
    } | optional,

    # Audit Logging Configuration
    # Audit logging is off unless `audit.enabled` is set explicitly, and
    # `storage.immutable` is also off by default, so a config that needs a
    # tamper-resistant trail must opt in to both.
    audit | {
      # Enable audit logging
      enabled | Bool | default = false,

      # Audit events to log (free-form strings; no allowed-value contract here)
      events | Array String | optional,

      # Audit storage
      storage | {
        retention_days | Number | optional,
        immutable | Bool | default = false,
      } | optional,

      # Sensitive data redaction in logs (on by default)
      redact_sensitive | Bool | default = true,
    } | optional,

    # Compliance Configuration
    compliance | {
      # Enable compliance checks
      enabled | Bool | default = false,

      # NOTE(review): the original comment "Compliance frameworks" had no
      # field under it; confirm whether a field was dropped.

      # Compliance validation
      validation | {
        enabled | Bool | default = false,
        interval_hours | Number | optional,
      } | optional,

      # Data retention policies. `audit_log_days` overlaps with
      # `audit.storage.retention_days`; which one the consumer honours is not
      # visible here -- confirm.
      data_retention | {
        policy_years | Number | optional,
        audit_log_days | Number | optional,
      } | optional,

      # Encryption requirements (not required by default)
      encryption_required | Bool | default = false,
    } | optional,

    # Integration with External Services
    integrations | {
      # LDAP/Active Directory integration. `server_url` is an unconstrained
      # String: this schema enforces neither a URL scheme nor a non-empty
      # value, so any such checks must live in the consumer.
      ldap | {
        enabled | Bool | default = false,
        server_url | String | optional,
        base_dn | String | optional,
      } | optional,

      # OAuth2/OIDC providers (provider identifiers are plain strings; no
      # contract here)
      oauth2 | {
        enabled | Bool | default = false,
        providers | Array String | optional,
      } | optional,

      # Webhook notifications. Endpoints are plain strings; URL shape and
      # scheme are not validated by this schema.
      webhooks | {
        enabled | Bool | default = false,
        endpoints | Array String | optional,
      } | optional,
    } | optional,

    # Monitoring configuration
    monitoring | monitoring_schema.MonitoringConfig | optional,

    # Logging configuration
    logging | logging_schema.LoggingConfig | optional,

    # Docker build configuration
    build | docker_build_schema.DockerBuildConfig | optional,
  },
}