Organization REST APIs - v2

The Organization REST API allows you to create new organizations and browse the list of organizations.

Supported HTTP methods include:

  • GET - Used to retrieve the list of organizations (including their internal IDs and associated tags).
  • GET - Previously used for retrieving roles and the mapping of those roles to an organization. Starting in version 70, this is deprecated and Authorization Configuration REST API - v2 should be used instead.
  • POST - Used to create organizations.
  • PUT - Previously used for authorization configuration for organizations (i.e. mapping users or groups to roles). Starting in version 70, this is deprecated and Authorization Configuration REST API - v2 should be used instead.

Supported operations include:

Add Organization 

Creating an organization is quite simple, only requiring a unique name:

ItemDescription
nameThe name of the new organization. In the IQ Server GUI this corresponds to the "Organization Name" field. It must be unique.

We'll be making a POST API call for this operation:

POST /api/v2/organizations

The JSON payload contains the name parameter, for example:

{
    "name": "My Organization"
}

You can run the following cURL command to make the request:

curl -u admin:admin123 -X POST -H "Content-Type: application/json" -d '{"name": "My Organization"}' 'http://localhost:8070/api/v2/organizations'

If your organization was successfully created, the system will respond with the following:

{
    "id": "ab3d35233046480a9c30bb2437a48103",
    "name": "My Organization",
    "tags": []
}
ItemDescription
id

This is the internal id for the organization.

nameThis is the name of the organization, and is visible in the IQ Server GUI.
tagsTags are created at the organization level, and then applied to applications. A newly-created organization will have no tags.

Note that the "id" returned is the ID of the new organization. This can be used in other operations that require an organization ID.

Get All Organizations

To get a list of the organizations we must start with a GET call:

GET /api/v2/organizations

We can use cURL to make the request:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/organizations'

This will produce a list of your organizations and associated information in a JSON format. Here is an example of what might be returned.

{
    "organizations": [
        {
            "id": "36d7e629462a4038b581488c347959bc",
            "name": "My Organization",
            "tags": [ ]
        },
        {
            "id": "f48b5344fa204a4c88df96b2d455d521",
            "name": "My Organization 2",
            "tags": [
                {
                    "id": "cd8fd2f4f289445b8975092e7d3045ba",
                    "name": "Distributed",
                    "description": "Applications that are provided for consumption outside the company",
                    "color": "yellow"
                },
                {
                    "id": "004d789684834f7c889c8b186a5ff24b",
                    "name": "Hosted",
                    "description": "Applications that are hosted such as services or software as a service.",
                    "color": "grey"
                },
                {
                    "id": "da9e09887c754157a2113831ae7e99ac",
                    "name": "Internal",
                    "description": "Applications that are used only by your employees",
                    "color": "green"
                }
            ]
        }
    ]
}
ItemDescription
id

This is the internal id for the organization.

nameThis is the name of the organization, and is visible in the IQ Server GUI.
tagsTags represent identifying characteristics for an application. Tags are created at the organization level, and then applied to applications. Policies can then select which tags, and in turn applications, the policy will be evaluated against.
id (tags)The internal id for the tag. This will be used when creating the application.
name (tags)The name of the tag, which is visible in the IQ Server GUI.
description (tags)Each tag is required to have a description. This description provides information related to the type of application it should be applied to.

Find the Currently Available Roles

Starting in version 70, this path is deprecated and Role REST API - v2 should be used.

Before mapping any roles, it’s a good idea to take a look at all the available roles for organizations. This can be done using a simple GET which is equivalent to that used for applications i.e.

GET /api/v2/applications/roles

This returns all the available roles for all organizations:

{
    "roles": [
        {
            "id": "2cb71b3468d649789163ea2e212b541e",
            "name": "Application Evaluator",
            "description": "Evaluates applications and views policy violation summary results."
        },
        {
            "id": "90c7c98683b4471cb77a916744540bcc",
            "name": "Component Evaluator",
            "description": "Evaluates individual components and views policy violation results for a specified application."
        },
        {
            "id": "1da70fae1fd54d6cb7999871ebdb9a36",
            "name": "Developer",
            "description": "Views all information for their assigned organization or application."
        },
        {
            "id": "1cddabf7fdaa47d6833454af10e0a3ef",
            "name": "Owner",
            "description": "Manages assigned organizations, applications, policies, and policy violations."
        }
    ]
}

Item

Description

idThis is the internal ID for the role. There is no corresponding field in the IQ Server GUI.
nameThis is the name of the role, which is exactly the same as the Role Name displayed in the IQ Server GUI.
descriptionThis provides a description of the level of access the role grants.

As you may notice, there are four roles available for organizations at this time. Before proceeding to the next step, take note of the role id (in this example we will be adding an owner). This will be needed for mapping a user to the specific role.

Map Users to Roles

Starting in version 70, this path is deprecated and Authorization Configuration REST API - v2 should be used.

To map users to roles, we’ll need the id (organization ID) from our successful organization creation, the role id for the role returned above that you will be mapping a user to, and the following information:

ItemDescription
typeThe type of user, which at this time, can only be either USER or GROUP.
userOrGroupNameThis is the username for the user you want to add to the role. If you are using LDAP and have configured it to work with the IQ Server, the LDAP user or group name can be used here.

For this step, we’ll be using the following PUT API call…

PUT /api/v2/organizations/{organizationInternalId}/roleMembers

with an appended JSON-formatted body. Here is an example of the body that’s been formatted for easier review:

{
    "memberMappings": [
        {
            "roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
            "members": [
                {
                    "type": "USER",
                    "userOrGroupName": "user-owner"
                }
            ]
        }
    ]
}

Putting this altogether, and using our cURL example, you should enter the following command:

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"memberMappings": [{"roleId": "1cddabf7fdaa47d6833454af10e0a3ef","members": [{"type": "USER","userOrGroupName": "user-owner"}]}]}' 'http://localhost:8070/api/v2/organizations/ab3d35233046480a9c30bb2437a48103/roleMembers'

As before, standard HTTP response codes will be returned.

You can map multiple roles in a single PUT.

Get All Role Members

Starting in version 70, this path is deprecated and Authorization Configuration REST API - v2 should be used.

To get the members of each role for an organization we can use this GET call:

GET /api/v2/organizations/{organizationInternalId}/roleMembers

We can use cURL to make the request:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/organizations/ab3d35233046480a9c30bb2437a48103/roleMembers'

This will produce the mappings from all roles to their members for your organization in a JSON format. Here is an example of what might be returned.

{
	"memberMappings": [{
		"roleId": "2cb71b3468d649789163ea2e212b541e",
		"members": [{
			"type": "GROUP",
			"userOrGroupName": "(all-authenticated-users)"
		}]
	},
	...
	{
		"roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
		"members": [{
			"type": "USER",
			"userOrGroupName": "user-owner"
		}]
	}]
}