Authorization Configuration (aka Role Membership) REST API - v2

NEW IN RELEASE 70

Authorization configuration in IQ Server is done by granting/revoking roles to/from users and groups.

These APIs use the internal IDs for organizations, applications, and roles.

To find the internal IDs for organizations and applications, use Application REST APIs - v2.

To find the internal IDs for roles, use Role REST API - v2.

The Authorization Configuration REST API allows you to get the users and groups by role, grant a role to a user or group, and revoke a role from a user or group.

In the following sections, all partial URLs are relative to IQ Server's base URL, and requests are issued using the cURL tool. Response bodies are JSON (formatted here for readability).

Get the users and groups by role

Get the users and groups by role for an application by making an HTTP GET request to:

GET /api/v2/roleMemberships/application/{applicationInternalId}

Get the users and groups by role for an organization by making an HTTP GET request to:

GET /api/v2/roleMemberships/organization/{organizationId}

Get the users and groups by role for all repositories by making an HTTP GET request to:

GET /api/v2/roleMemberships/repository_container

Get the users and groups by role for administrator roles by making an HTTP GET request to:

GET /api/v2/roleMemberships/global

For example

curl -X GET -u admin:admin123 'http://localhost:8070/api/v2/roleMemberships/organization/a67da3c322d44ed68a2f5ae17db6a965'

returns the users and groups by role for the organization with ID a67da3c322d44ed68a2f5ae17db6a965:

{
  "memberMappings": [
    {
      "roleId": "1da70fae1fd54d6cb7999871ebdb9a36",
      "members": [
        {
          "ownerId": "a67da3c322d44ed68a2f5ae17db6a965",
          "ownerType": "ORGANIZATION",
          "type": "USER",
          "userOrGroupName": "admin"
        },
        {
          "ownerId": "a67da3c322d44ed68a2f5ae17db6a965",
          "ownerType": "ORGANIZATION",
          "type": "USER",
          "userOrGroupName": "mike"
        }
      ]
    },
    {
      "roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
      "members": [
        {
          "ownerId": "a67da3c322d44ed68a2f5ae17db6a965",
          "ownerType": "ORGANIZATION",
          "type": "USER",
          "userOrGroupName": "ted"
        }
      ]
    }
  ]
}

Note that the result includes both members that were granted a role directly on the organization/application the REST request was made for and members that inherit a role from higher up in the organization hierarchy.
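For an access review, the response can be inverted into a per-user/group view that separates direct grants from inherited ones. The following is an added example, not part of the IQ Server documentation; it assumes that a member whose ownerId differs from the queried ID holds an inherited grant, and the "GROUP" type value, the dev-team name and the parent organization ID are constructed.

```python
import json
from collections import defaultdict

QUERIED_ORG = "a67da3c322d44ed68a2f5ae17db6a965"  # organization ID from the page

# Constructed sample shaped like the response above. The dev-team entry and
# its placeholder ownerId are invented to show an inherited grant.
SAMPLE_RESPONSE = json.loads("""
{"memberMappings": [
  {"roleId": "1da70fae1fd54d6cb7999871ebdb9a36",
   "members": [
     {"ownerId": "a67da3c322d44ed68a2f5ae17db6a965", "ownerType": "ORGANIZATION",
      "type": "USER", "userOrGroupName": "mike"},
     {"ownerId": "PARENT_ORG_ID_PLACEHOLDER", "ownerType": "ORGANIZATION",
      "type": "GROUP", "userOrGroupName": "dev-team"}]},
  {"roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
   "members": [
     {"ownerId": "a67da3c322d44ed68a2f5ae17db6a965", "ownerType": "ORGANIZATION",
      "type": "USER", "userOrGroupName": "mike"}]}
]}
""")

def audit_memberships(response, queried_owner_id):
    """Invert role -> members into principal -> grants, tagging each grant as
    direct (owned by the queried owner) or inherited (owned elsewhere)."""
    report = defaultdict(lambda: {"direct": [], "inherited": []})
    for mapping in response.get("memberMappings", []):
        role_id = mapping["roleId"]
        for member in mapping.get("members", []):
            principal = (member["type"], member["userOrGroupName"])
            if member["ownerId"] == queried_owner_id:
                report[principal]["direct"].append(role_id)
            else:
                # Record where the grant lives so it can be reviewed there.
                report[principal]["inherited"].append(
                    (role_id, member["ownerType"], member["ownerId"]))
    return dict(report)

def multi_role_principals(report):
    """Principals holding more than one role in total, a common review target."""
    return sorted(p for p, g in report.items()
                  if len(g["direct"]) + len(g["inherited"]) > 1)

if __name__ == "__main__":
    for principal, grants in audit_memberships(SAMPLE_RESPONSE, QUERIED_ORG).items():
        print(principal, grants)
```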

Grant a role to a user or group

A role can be granted to a user for an application by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/user/{userName}

A role can be granted to a group for an application by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/group/{groupName}

A role can be granted to a user for an organization by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/user/{userName}

A role can be granted to a group for an organization by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/group/{groupName}

A role can be granted to a user for all repositories by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/repository_container/role/{roleId}/user/{userName}

A role can be granted to a group for all repositories by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/repository_container/role/{roleId}/group/{groupName}

An administrator role can be granted to a user by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/global/role/{roleId}/user/{userName}

An administrator role can be granted to a group by making an HTTP PUT request to:

PUT /api/v2/roleMemberships/global/role/{roleId}/group/{groupName}

For example

curl -X PUT -u admin:admin123 'http://localhost:8070/api/v2/roleMemberships/organization/a67da3c322d44ed68a2f5ae17db6a965/role/1da70fae1fd54d6cb7999871ebdb9a36/user/mike'

grants the role with ID 1da70fae1fd54d6cb7999871ebdb9a36 (this is the ID of the Developer role) to user mike for the organization with ID a67da3c322d44ed68a2f5ae17db6a965.

Revoke a role from a user or group

A role can be revoked from a user for an application by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/user/{userName}

A role can be revoked from a group for an application by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/application/{applicationInternalId}/role/{roleId}/group/{groupName}

A role can be revoked from a user for an organization by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/user/{userName}

A role can be revoked from a group for an organization by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/organization/{organizationId}/role/{roleId}/group/{groupName}

A role can be revoked from a user for all repositories by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/repository_container/role/{roleId}/user/{userName}

A role can be revoked from a group for all repositories by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/repository_container/role/{roleId}/group/{groupName}

An administrator role can be revoked from a user by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/global/role/{roleId}/user/{userName}

An administrator role can be revoked from a group by making an HTTP DELETE request to:

DELETE /api/v2/roleMemberships/global/role/{roleId}/group/{groupName}

For example

curl -X DELETE -u admin:admin123 'http://localhost:8070/api/v2/roleMemberships/organization/a67da3c322d44ed68a2f5ae17db6a965/role/1da70fae1fd54d6cb7999871ebdb9a36/user/mike'

revokes the role with ID 1da70fae1fd54d6cb7999871ebdb9a36 (this is the ID of the Developer role) from user mike for the organization with ID a67da3c322d44ed68a2f5ae17db6a965.
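The grant and revoke endpoints above can be driven from a desired-state list, so that role memberships are reconciled rather than edited by hand. The following is an added example, not part of the IQ Server documentation: membership_path and plan_changes are hypothetical helper names, the "build team" group is constructed, and it assumes that the response's type values map to the lower-case user/group path segments and that only direct grants are changed at the queried owner.

```python
from urllib.parse import quote

BASE = "/api/v2/roleMemberships"
ORG_ID = "a67da3c322d44ed68a2f5ae17db6a965"      # organization ID used on this page
DEVELOPER = "1da70fae1fd54d6cb7999871ebdb9a36"   # Developer role ID from this page
OTHER_ROLE = "1cddabf7fdaa47d6833454af10e0a3ef"  # second role ID in the page's response

def _member(name):
    # Constructed member entry mirroring the fields of the page's sample response.
    return {"ownerId": ORG_ID, "ownerType": "ORGANIZATION", "type": "USER",
            "userOrGroupName": name}

CURRENT = {"memberMappings": [
    {"roleId": DEVELOPER, "members": [_member("admin"), _member("mike")]},
    {"roleId": OTHER_ROLE, "members": [_member("ted")]},
]}
# Constructed desired state: mike loses Developer, a group gains it.
DESIRED = {(DEVELOPER, "user", "admin"), (OTHER_ROLE, "user", "ted"),
           (DEVELOPER, "group", "build team")}

def membership_path(owner_type, owner_id, role_id, member_type, name):
    """Build a grant/revoke path. Each variable segment is percent-encoded so
    a name containing '/', '?' or a space stays inside its own segment."""
    if owner_type in ("application", "organization"):
        segs = [owner_type, owner_id]
    elif owner_type in ("repository_container", "global"):
        segs = [owner_type]  # these two scopes take no owner ID
    else:
        raise ValueError("unknown owner type: %r" % owner_type)
    if member_type not in ("user", "group"):
        raise ValueError("member_type must be 'user' or 'group'")
    segs += ["role", role_id, member_type, name]
    return BASE + "/" + "/".join(quote(s, safe="") for s in segs)

def plan_changes(current_response, desired, owner_type, owner_id):
    """Return (method, path) pairs that move the owner's direct grants to
    `desired`, a set of (role_id, member_type, name) tuples."""
    current = {
        (mapping["roleId"], m["type"].lower(), m["userOrGroupName"])
        for mapping in current_response.get("memberMappings", [])
        for m in mapping.get("members", [])
        if m["ownerId"] == owner_id  # inherited grants are managed at their owner
    }
    grants = [("PUT", membership_path(owner_type, owner_id, *g)) for g in sorted(desired - current)]
    revokes = [("DELETE", membership_path(owner_type, owner_id, *g)) for g in sorted(current - desired)]
    return grants + revokes
```

Reviewing the returned plan before sending any request gives a record of every membership change; the DELETE entry for mike matches the path of the cURL example above.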