(Click to open topic with navigation)
See the associated Principals resource section for more information on how to use this resource and supported operations.
Additional references
Type | Value | Additional information |
---|---|---|
Permissions resource | principals | Permissions |
Hooks filename | principals.groovy | Pre- and Post-Processing Hooks |
Tenant-supported | No | Tenants |
Distinct query-supported | Yes | Distinct |
A principal maps to a set of ldap users, ldap groups, pam users, and/or pam groups. MWS roles are attached to the principals to authorize the group to use the specific MWS roles.
Field Name | Type | POST | PUT | Description |
---|---|---|---|---|
id | String | No | No |
The unique ID of this principal. |
attachedRoles | Set<Role> | Yes | Yes |
The MWS roles this principal is authorized to use. |
description | String | Yes | Yes |
The principal description. |
groups | List<Map> | Yes | Yes |
The groups associated with this principal. Each group has a name and a type. The valid types of groups are LDAPOU, LDAPGROUP, PAMGROUP, and SSO. Example group: |
name | String | Yes | Yes |
The unique human-readable name of this principal. Required during POST. |
users | List<Map> | Yes | Yes |
The users associated with this principal. Each user has a name and type. The valid types of users are LDAP and PAM. Example user: |
A role defines a set of permissions that are based on the proxy-user. If no proxy user is specified then access to objects in MWS are limited to its application permissions. For example if the application has permission to update all resources in MWS and no proxy-user is specified in the request then the request can access all resources in MWS.
Field Name | Type | POST | PUT | Description |
---|---|---|---|---|
id | String | No | No |
The unique ID of this role. |
description | String | Yes | Yes |
The role description. |
name | String | Yes | Yes |
The unique human-readable name of this role. Required during POST. |
permissions | List<Permission> | Yes | Yes |
The set of permissions enforced based on the proxy-user. |
scope | PrivilegeScope | No | No |
Represents a permission
Field Name | Type | POST | PUT | Description |
---|---|---|---|---|
id | String | No | No |
The unique ID of this role. |
action | String | No | No |
The action that can be performed on the resource. |
description | String | No | No |
A description of this permission. |
fieldPath | String | No | No |
Field level ACL control, if null or '*', all fields are accessible, otherwise requests must match dot delimited path. Currently only checked when doing writable actions. Example - attributes.*: create|update |
label | String | No | No |
A human readable label for this permission. |
resource | String | No | No |
The resource the permission applies to. |
resourceFilter | Map<String, Map> | No | No |
A map used to limit which resource instances this permission applies to. If this is null then the permission will apply to all instances of the resource. For api permissions the filter uses mongo query syntax. |
scope | PrivilegeScope | No | No |
Whether this permission applies to the principal's tenant-associated resources or globally |
type | String | No | No |
The type of the permission. Only 'api' type permissions are enforced. |
Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.
Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.
A principal maps to a set of ldap users, ldap groups, pam users, and/or pam groups. MWS roles are attached to the principals to authorize the group to use the specific MWS roles.
Field Name | Type | POST | PUT | Description |
---|---|---|---|---|
id | String | No | No |
The unique ID of this principal. |
attachedRoles | Set<Role> | Yes | Yes |
The MWS roles this principal is authorized to use. |
description | String | Yes | Yes |
The principal description. |
groups | List<Map> | Yes | Yes |
The groups associated with this principal. Each group has a name and a type. The valid types of groups are LDAPOU, LDAPGROUP, PAMGROUP, and SSO. Example group: |
name | String | Yes | Yes |
The unique human-readable name of this principal. Required during POST. |
users | List<Map> | Yes | Yes |
The users associated with this principal. Each user has a name and type. The valid types of users are LDAP and PAM. Example user: |
A role defines a set of permissions that are based on the proxy-user. If no proxy user is specified then access to objects in MWS are limited to its application permissions. For example if the application has permission to update all resources in MWS and no proxy-user is specified in the request then the request can access all resources in MWS.
Field Name | Type | POST | PUT | Description |
---|---|---|---|---|
id | String | No | No |
The unique ID of this role. |
description | String | Yes | Yes |
The role description. |
name | String | Yes | Yes |
The unique human-readable name of this role. Required during POST. |
permissions | List<Permission> | Yes | Yes |
The set of permissions enforced based on the proxy-user. |
scope | PrivilegeScope | No | No |
Represents a permission
Field Name | Type | POST | PUT | Description |
---|---|---|---|---|
id | String | No | No |
The unique ID of this role. |
action | String | No | No |
The action that can be performed on the resource. |
description | String | No | No |
A description of this permission. |
fieldPath | String | No | No |
Field level ACL control, if null or '*', all fields are accessible, otherwise requests must match dot delimited path. Currently only checked when doing writable actions. Example - attributes.*: create|update |
label | String | No | No |
A human readable label for this permission. |
resource | String | No | No |
The resource the permission applies to. |
resourceFilter | Map<String, Map> | No | No |
A map used to limit which resource instances this permission applies to. If this is null then the permission will apply to all instances of the resource. For api permissions the filter uses mongo query syntax. |
scope | PrivilegeScope | No | No |
Whether this permission applies to the principal's tenant-associated resources or globally |
type | String | No | No |
The type of the permission. Only 'api' type permissions are enforced. |
Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.
Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.
Related Topics