8.4.15 Fields: Principals

See the associated 4.19  Principals resource section for more information on how to use this resource and supported operations.

Additional References

Type Value Additional Information
Permissions resource principals Permissions
Hooks filename principals.groovy Pre- and Post-Processing Hooks
Distinct query-supported Yes Distinct

Principal

A principal maps to a set of ldap users, ldap groups, pam users, and/or pam groups. MWS roles are attached to the principals to authorize the group to use the specific MWS roles.

Field Name Type POST PUT Description
id String No No

The unique ID of this principal.
attachedRoles Set<Role> Yes Yes

The MWS roles this principal is authorized to use.
description String Yes Yes

The principal description.
groups List<Map> Yes Yes

The groups associated with this principal. Each group has a name and a type. The valid types of groups are LDAPOU, LDAPGROUP, and PAMGROUP. Example group: {"name": "CN=Engineering,CN=Users,DC=corp,DC=hpc, DC=dev","type": "LDAPGROUP"} or {"name": "engineering", "type": "PAMGROUP"}
name String Yes Yes

The unique human-readable name of this principal. Required during POST.
users List<Map> Yes Yes

The users associated with this principal. Each user has a name and type. The valid types of users are LDAP and PAM. Example user: {"name": "jhammon", "type": "LDAP"} or {"name": "jhammon", "type": "PAM"}

Role

A role defines a set of permissions that are based on the proxy-user. If no proxy user is specified then access to objects in MWS are limited to its application permissions. For example if the application has permission to update all resources in MWS and no proxy-user is specified in the request then the request can access all resources in MWS.

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
description String Yes Yes

The role description.
name String Yes Yes

The unique human-readable name of this role. Required during POST.
permissions List<Permission> Yes Yes

The set of permissions enforced based on the proxy-user.

Permission

Represents a permission.

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
action String No No

The action that can be performed on the resource.
administrator Boolean No No

If true, grants full rights over the given resource for the given action. For example, if resource is 'jobs' and action is 'update' and administrator is true, then this permission allows the user to update any job, not just jobs owned by the user.
description String No No

A description of this permission.
fieldPath String No No

Field level ACL control, if null or '*', all fields are accessible; otherwise requests must match dot delimited path. Currently only checked when doing writable actions. For example, attributes.*: create|update
label String No No

A human readable label for this permission.
resource String No No

The resource the permission applies to.
resourceFilter Map<String, Map> No No

A map used to limit which resource instances this permission applies to. If this is null then the permission will apply to all instances of the resource. For api permissions the filter uses mongo query syntax.
type String No No

The type of the permission. Only 'api' type permissions are enforced.

Principal

A principal maps to a set of ldap users, ldap groups, pam users, and/or pam groups. MWS roles are attached to the principals to authorize the group to use the specific MWS roles.

Field Name Type POST PUT Description
id String No No

The unique ID of this principal.
attachedRoles Set<Role> Yes Yes

The MWS roles this principal is authorized to use.
description String Yes Yes

The principal description.
groups List<Map> Yes Yes

The groups associated with this principal. Each group has a name and a type. The valid types of groups are LDAPOU, LDAPGROUP, and PAMGROUP. Example group: {"name": "CN=Engineering,
CN=Users,DC=corp,DC=hpc,DC=dev", "type": "LDAPGROUP"} or {"name": "engineering", "type": "PAMGROUP"}
name String Yes Yes

The unique human-readable name of this principal. Required during POST.
users List<Map> Yes Yes

The users associated with this principal. Each user has a name and type. The valid types of users are LDAP and PAM. Example user: {"name": "jhammon", "type": "LDAP"} or {"name": "jhammon", "type": "PAM"}

Role

A role defines a set of permissions that are based on the proxy-user. If no proxy user is specified then access to objects in MWS are limited to its application permissions. For example if the application has permission to update all resources in MWS and no proxy-user is specified in the request then the request can access all resources in MWS.

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
description String Yes Yes

The role description.
name String Yes Yes

The unique human-readable name of this role. Required during POST.
permissions List<Permission> Yes Yes

The set of permissions enforced based on the proxy-user.

Permission

Represents a permission.

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
action String No No

The action that can be performed on the resource.
administrator Boolean No No

If true, grants full rights over the given resource for the given action. For example, if resource is 'jobs' and action is 'update' and administrator is true, then this permission allows the user to update any job, not just jobs owned by the user.
description String No No

A description of this permission.
fieldPath String No No

Field level ACL control, if null or '*', all fields are accessible; otherwise requests must match dot delimited path. Currently only checked when doing writable actions. For example, attributes.*: create|update
label String No No

A human readable label for this permission.
resource String No No

The resource the permission applies to.
resourceFilter Map<String, Map> No No

A map used to limit which resource instances this permission applies to. If this is null then the permission will apply to all instances of the resource. For api permissions the filter uses mongo query syntax.
type String No No

The type of the permission. Only 'api' type permissions are enforced.

Related Topics