Authorization Configuration REST API

Authorization configuration in IQ Server is done by granting roles to, and revoking roles from, users and groups.

These APIs use internal IDs for organizations, applications, and roles.

To find the internal IDs for organizations and applications, use the Application REST API.

Note

You can use the static identifier ROOT_ORGANIZATION_ID for the root organization.

To find the internal IDs for roles, use the Role REST API.

Get the users and groups by role

Get the users and groups by role for an application by making an HTTP GET request to:

GET /api/v2/roleMemberships/application/{applicationInternalId}

Get the users and groups by role for an organization by making an HTTP GET request to:

GET /api/v2/roleMemberships/organization/{organizationId}

Get the users and groups by role for all repositories by making an HTTP GET request to:

GET /api/v2/roleMemberships/repository_container

Get the users and groups by role for administrator roles by making an HTTP GET request to:

GET /api/v2/roleMemberships/global

For example:

curl -X GET -u admin:admin123 'http://localhost:8070/api/v2/roleMemberships/organization/a67da3c322d44ed68a2f5ae17db6a965'

returns the users and groups by role for the organization with ID a67da3c322d44ed68a2f5ae17db6a965:

{
  "memberMappings": [
    {
      "roleId": "1da70fae1fd54d6cb7999871ebdb9a36",
      "members": [
        {
          "ownerId": "a67da3c322d44ed68a2f5ae17db6a965",
          "ownerType": "ORGANIZATION",
          "type": "USER",
          "userOrGroupName": "admin"
        },
        {
          "ownerId": "a67da3c322d44ed68a2f5ae17db6a965",
          "ownerType": "ORGANIZATION",
          "type": "USER",
          "userOrGroupName": "mike"
        }
      ]
    },
    {
      "roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
      "members": [
        {
          "ownerId": "a67da3c322d44ed68a2f5ae17db6a965",
          "ownerType": "ORGANIZATION",
          "type": "USER",
          "userOrGroupName": "ted"
        }
      ]
    }
  ]
}

Note that the result includes both members that were granted a role for the particular organization/application the REST request was made for as well as members that inherit a role from higher up in the organization hierarchy.
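When reviewing access, it helps to separate direct grants from inherited ones. The following is an added example, not part of the original documentation or Sonatype's code: it classifies each member of a roleMemberships response by comparing ownerId with the queried ID, and builds the path that addresses the grant at its owner. It assumes that ownerId names the organization or application where the grant was made and that APPLICATION and GROUP are valid ownerType and type values; the "build bots" group entry is constructed sample data.

```python
import json
from urllib.parse import quote

# Constructed sample response for the organization queried in the curl example;
# the "build bots" group entry is invented to show an inherited grant.
QUERIED_ORG = "a67da3c322d44ed68a2f5ae17db6a965"
SAMPLE = json.loads("""
{"memberMappings": [
  {"roleId": "1da70fae1fd54d6cb7999871ebdb9a36", "members": [
    {"ownerId": "a67da3c322d44ed68a2f5ae17db6a965", "ownerType": "ORGANIZATION",
     "type": "USER", "userOrGroupName": "mike"},
    {"ownerId": "ROOT_ORGANIZATION_ID", "ownerType": "ORGANIZATION",
     "type": "GROUP", "userOrGroupName": "build bots"}
  ]}
]}
""")

# Assumption: APPLICATION and GROUP are valid values and map onto the path
# segments of the documented endpoints; anything else is rejected.
OWNER_SEGMENT = {"ORGANIZATION": "organization", "APPLICATION": "application"}
MEMBER_SEGMENT = {"USER": "user", "GROUP": "group"}


def audit_grants(response, queried_id):
    """Return one record per grant: whether it is inherited and its owner path."""
    records = []
    for mapping in response.get("memberMappings", []):
        for m in mapping.get("members", []):
            owner = OWNER_SEGMENT.get(m["ownerType"])
            member = MEMBER_SEGMENT.get(m["type"])
            if owner is None or member is None:
                raise ValueError(f"unhandled {m['ownerType']}/{m['type']}")
            # Percent-encode each path component; names may hold '/' or spaces.
            path = "/api/v2/roleMemberships/{}/{}/role/{}/{}/{}".format(
                owner, quote(m["ownerId"], safe=""),
                quote(mapping["roleId"], safe=""),
                member, quote(m["userOrGroupName"], safe=""))
            records.append({"name": m["userOrGroupName"],
                            "roleId": mapping["roleId"],
                            "inherited": m["ownerId"] != queried_id,
                            "grant_path": path})
    return records


if __name__ == "__main__":
    for r in audit_grants(SAMPLE, QUERIED_ORG):
        origin = "inherited" if r["inherited"] else "direct"
        print(f"{origin:9} {r['name']:12} {r['grant_path']}")
```

The grant_path value has the same shape as the PUT and DELETE endpoints described in the following sections, so an inherited entry points at the level where the grant would have to be changed.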

Grant a role to a user or group

A role can be granted to a user for an application by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/user/{userName}

A role can be granted to a group for an application by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/group/{groupName}

A role can be granted to a user for an organization by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/user/{userName}

A role can be granted to a group for an organization by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/group/{groupName}

A role can be granted to a user for all repositories by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/repository_container/role/{roleId}/user/{userName}

A role can be granted to a group for all repositories by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/repository_container/role/{roleId}/group/{groupName}

An administrator role can be granted to a user by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/global/role/{roleId}/user/{userName}

An administrator role can be granted to a group by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/global/role/{roleId}/group/{groupName}

For example:

curl -X PUT -u admin:admin123 'http://localhost:8070/api/v2/roleMemberships/organization/a67da3c322d44ed68a2f5ae17db6a965/role/1da70fae1fd54d6cb7999871ebdb9a36/user/mike'

grants the role with ID 1da70fae1fd54d6cb7999871ebdb9a36 (this is the ID of the Developer role) to user mike for the organization with ID a67da3c322d44ed68a2f5ae17db6a965.

Revoke a role from a user or group

A role can be revoked from a user for an application by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/user/{userName}

A role can be revoked from a group for an application by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/group/{groupName}

A role can be revoked from a user for an organization by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/user/{userName}

A role can be revoked from a group for an organization by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/group/{groupName}

A role can be revoked from a user for all repositories by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/repository_container/role/{roleId}/user/{userName}

A role can be revoked from a group for all repositories by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/repository_container/role/{roleId}/group/{groupName}

An administrator role can be revoked from a user by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/global/role/{roleId}/user/{userName}

An administrator role can be revoked from a group by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/global/role/{roleId}/group/{groupName}

For example:

curl -X DELETE -u admin:admin123 'http://localhost:8070/api/v2/roleMemberships/organization/a67da3c322d44ed68a2f5ae17db6a965/role/1da70fae1fd54d6cb7999871ebdb9a36/user/mike'

revokes the role with ID 1da70fae1fd54d6cb7999871ebdb9a36 (this is the ID of the Developer role) from user mike for the organization with ID a67da3c322d44ed68a2f5ae17db6a965.