(Click to open topic with navigation)

5.341 Fields: Principals

See the associated Principals resource section for more information on how to use this resource and supported operations.

Additional references

Type Value Additional information
Permissions resource principals Permissions
Hooks filename principals.groovy Pre- and Post-Processing Hooks
Distinct query-supported Yes Distinct
ClosedAPI version 3

Principal

A principal maps to a set of ldap users, ldap groups, pam users, and/or pam groups. MWS roles are attached to the principals to authorize the group to use the specific MWS roles.

Field Name Type POST PUT Description
id String No No

The unique ID of this principal.
attachedRoles Set<Role> Yes Yes

The MWS roles this principal is authorized to use.
description String Yes Yes

The principal description.
groups List<Map> Yes Yes

The groups associated with this principal. Each group has a name and a type. The valid types of groups are LDAPOU, LDAPGROUP, and PAMGROUP. Example group: {"name": "CN=Engineering,CN=Users,DC=corp,DC=cloud,DC=dev", "type": "LDAPGROUP"} or {"name": "engineering", "type": "PAMGROUP"}
name String Yes Yes

The unique human-readable name of this principal. Required during POST.
users List<Map> Yes Yes

The users associated with this principal. Each user has a name and type. The valid types of users are LDAP and PAM. Example user: {"name": "jhammon", "type": "LDAP"} or {"name": "jhammon", "type": "PAM"}

Role

A role defines a set of permissions that are based on the proxy-user. If no proxy user is specified then access to objects in MWS are limited to its application permissions. For example if the application has permission to update all resources in MWS and no proxy-user is specified in the request then the request can access all resources in MWS.

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
description String Yes Yes

The role description.
name String Yes Yes

The unique human-readable name of this role. Required during POST.
permissions List<Permission> Yes Yes

The set of permissions enforced based on the proxy-user.
scope PrivilegeScope No No

Permission

Represents a permission

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
action String No No

The action that can be performed on the resource.
administrator Boolean No No

If true, grants full rights over the given resource for the given action. For example, if resource is "jobs" and action is "update" and administrator is true, then this permission allows the user to update any job, not just jobs owned by the user.
description String No No

A description of this permission.
fieldPath String No No

Field level ACL control, if null or '*', all fields are accessible, otherwise requests must match dot delimited path. Currently only checked when doing writable actions. Example - attributes.*: create|update
label String No No

A human readable label for this permission.
resource String No No

The resource the permission applies to.
resourceFilter Map<String, Map> No No

A map used to limit which resource instances this permission applies to. If this is null then the permission will apply to all instances of the resource. For api permissions the filter uses mongo query syntax.
scope PrivilegeScope No No

Whether this permission applies to the principal's tenant-associated resources or globally
type String No No

The type of the permission. Only 'api' type permissions are enforced.

PrivilegeScope

Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.

Value Description
GLOBAL Describes a role or permission that applies globally, irrespective of the principal's tenants. This scope can be applied to any role or permission.
TENANT Describes a role or permission that applies only to the resources associated with the principal's tenants. This scope can be applied to any role, but only to those permissions associated with tenanted resources (e.g. nodes, services, etc.).
NONE Scope doesn't apply to some permissions. As of right now, all non-domain permissions (e.g. those created by Viewpoint) don't need a scope. NONE should therefore be assigned to all non-domain permissions.

PrivilegeScope

Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.

Value Description
GLOBAL Describes a role or permission that applies globally, irrespective of the principal's tenants. This scope can be applied to any role or permission.
TENANT Describes a role or permission that applies only to the resources associated with the principal's tenants. This scope can be applied to any role, but only to those permissions associated with tenanted resources (e.g. nodes, services, etc.).
NONE Scope doesn't apply to some permissions. As of right now, all non-domain permissions (e.g. those created by Viewpoint) don't need a scope. NONE should therefore be assigned to all non-domain permissions.
ClosedAPI version 2

Principal

A principal maps to a set of ldap users, ldap groups, pam users, and/or pam groups. MWS roles are attached to the principals to authorize the group to use the specific MWS roles.

Field Name Type POST PUT Description
id String No No

The unique ID of this principal.
attachedRoles Set<Role> Yes Yes

The MWS roles this principal is authorized to use.
description String Yes Yes

The principal description.
groups List<Map> Yes Yes

The groups associated with this principal. Each group has a name and a type. The valid types of groups are LDAPOU, LDAPGROUP, and PAMGROUP. Example group: {"name": "CN=Engineering,CN=Users,DC=corp,DC=cloud,DC=dev", "type": "LDAPGROUP"} or {"name": "engineering", "type": "PAMGROUP"}
name String Yes Yes

The unique human-readable name of this principal. Required during POST.
users List<Map> Yes Yes

The users associated with this principal. Each user has a name and type. The valid types of users are LDAP and PAM. Example user: {"name": "jhammon", "type": "LDAP"} or {"name": "jhammon", "type": "PAM"}

Role

A role defines a set of permissions that are based on the proxy-user. If no proxy user is specified then access to objects in MWS are limited to its application permissions. For example if the application has permission to update all resources in MWS and no proxy-user is specified in the request then the request can access all resources in MWS.

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
description String Yes Yes

The role description.
name String Yes Yes

The unique human-readable name of this role. Required during POST.
permissions List<Permission> Yes Yes

The set of permissions enforced based on the proxy-user.
scope PrivilegeScope No No

Permission

Represents a permission

Field Name Type POST PUT Description
id String No No

The unique ID of this role.
action String No No

The action that can be performed on the resource.
administrator Boolean No No

If true, grants full rights over the given resource for the given action. For example, if resource is "jobs" and action is "update" and administrator is true, then this permission allows the user to update any job, not just jobs owned by the user.
description String No No

A description of this permission.
fieldPath String No No

Field level ACL control, if null or '*', all fields are accessible, otherwise requests must match dot delimited path. Currently only checked when doing writable actions. Example - attributes.*: create|update
label String No No

A human readable label for this permission.
resource String No No

The resource the permission applies to.
resourceFilter Map<String, Map> No No

A map used to limit which resource instances this permission applies to. If this is null then the permission will apply to all instances of the resource. For api permissions the filter uses mongo query syntax.
scope PrivilegeScope No No

Whether this permission applies to the principal's tenant-associated resources or globally
type String No No

The type of the permission. Only 'api' type permissions are enforced.

PrivilegeScope

Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.

Value Description
GLOBAL Describes a role or permission that applies globally, irrespective of the principal's tenants. This scope can be applied to any role or permission.
TENANT Describes a role or permission that applies only to the resources associated with the principal's tenants. This scope can be applied to any role, but only to those permissions associated with tenanted resources (e.g. nodes, services, etc.).
NONE Scope doesn't apply to some permissions. As of right now, all non-domain permissions (e.g. those created by Viewpoint) don't need a scope. NONE should therefore be assigned to all non-domain permissions.

PrivilegeScope

Some permissions and roles ignore tenants and apply globally. Others apply only to the resources associated with the principal's tenants.

Value Description
GLOBAL Describes a role or permission that applies globally, irrespective of the principal's tenants. This scope can be applied to any role or permission.
TENANT Describes a role or permission that applies only to the resources associated with the principal's tenants. This scope can be applied to any role, but only to those permissions associated with tenanted resources (e.g. nodes, services, etc.).
NONE Scope doesn't apply to some permissions. As of right now, all non-domain permissions (e.g. those created by Viewpoint) don't need a scope. NONE should therefore be assigned to all non-domain permissions.

Related Topics 

© 2016 Adaptive Computing