Authorization (RBAC)
For general information about RBAC, check out this link.
The following endpoint is the base URL for the APIs below.
List permissions
List all permissions supported by RBAC in all namespaces. For reference, supported permissions can be found here.
Request
Response
HTTP/1.1 200 OK
[
{
"namespace":"wave",
"permissions":[
"Admin",
"ModifySettings",
"..."
]
},
{
"namespace":"ripple",
"permissions":[
"Admin"
]
}
]
Create role
During role creation, if your permissions list contains an Admin entry, all other entries will be discarded except Admin.
Roles are root user-level. That means all roles created by the root user, or any subuser that has permissions to create roles, are available to all subusers.
Request
POST /roles HTTP/1.1
authorization: Bearer {token}
content-type: application/json
{
"name":"testrole",
"namespace":"wave",
"permissions":[
"ModifySettings",
"ViewSettings",
...
]
}
Role names must be at least 6 and at most 32 characters long. They must be alphanumeric; hyphens and underscores are allowed in between. The regular expression used for validation is below:
Response
HTTP/1.1 200 OK
{
"name":"testrole",
"namespace":"wave",
"permissions":[
"ModifySettings",
"ViewSettings",
...
]
}
List roles
Request
The {namespace} parameter is optional. If not provided, all roles will be returned.
Response
HTTP/1.1 200 OK
[
{
"name": "testrole",
"namespace": "wave",
"permissions": [
"ModifySettings",
"ViewSettings",
"ModifyAccountSettings"
]
},
{
"name": "waveAdmin",
"namespace": "wave",
"permissions": [
"Admin"
]
},
...
]
Update role
Update a role. If the role name is different, the mapped role name is renamed as well.
Request
PATCH /roles/{namespace}/{rolename} HTTP/1.1
authorization: Bearer {token}
content-type: application/json
{
"namespace":"wave",
"permissions":[
"ModifySettings",
"ViewSettings",
...
]
}
Response
HTTP/1.1 200 OK
{
"name": "testrole",
"namespace":"wave",
"permissions":[
"ModifySettings",
"ViewSettings",
...
]
}
Delete role
Delete a role. Deleting a role also removes all of its mappings.
Request
Map roles to user
You can only map (or attach) up to 5 roles to a user per namespace. There is no limit for filtering rules per user.
Valid values for type for filtering rules:
Namespace | Value |
---|---|
wave | linkAcct, group, tags |
ripple | billingGroup |
Request
POST /userroles HTTP/1.1
authorization: Bearer {token}
content-type: application/json
{
"user_id":"subuser1",
"roles":[
{
"namespace":"wave",
"role": "somerole"
},
...
]
}
Response
List user role mappings
Request
For this endpoint, the returned role mappings are those attached to the caller.
For listing role mappings of other subusers, use this endpoint.
{subuser} is the subuser name.
Response
HTTP/1.1 200 OK
[
{
"root_user":"58c2297d25645",
"sub_user":"subuser01",
"namespace":"wave",
"role":"testrole1"
},
{
"root_user":"58c2297d25645",
"sub_user":"subuser02",
"namespace":"wave",
"filter":"billingGroup:2222"
},
...
]
List user permissions
Retrieve all permissions of all roles attached to the {subuser}.
Request
Response
HTTP/1.1 200 OK
[
{
"namespace":"wave",
"permissions":[
"Admin",
"ModifySettings",
"..."
]
},
{
"namespace":"ripple",
"permissions":[
"Admin"
]
}
]
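The role and mapping responses above can be joined offline to review who holds which permissions. The following is an added example, not part of the original API documentation: it computes effective permissions per subuser and namespace and reports Admin holders. The sample data is constructed, and treating filter entries as granting no permissions is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample data shaped like the "List roles" and
# "List user role mappings" responses; all names and ids are made up.
ROLES_JSON = """[
  {"name": "testrole", "namespace": "wave",
   "permissions": ["ModifySettings", "ViewSettings"]},
  {"name": "waveAdmin", "namespace": "wave", "permissions": ["Admin"]}
]"""
MAPPINGS_JSON = """[
  {"sub_user": "subuser01", "namespace": "wave", "role": "testrole"},
  {"sub_user": "subuser02", "namespace": "wave", "role": "waveAdmin"},
  {"sub_user": "subuser02", "namespace": "wave", "role": "testrole"},
  {"sub_user": "subuser03", "namespace": "wave", "role": "unknownrole"},
  {"sub_user": "subuser03", "namespace": "ripple", "filter": "billingGroup:2222"}
]"""


def audit(roles, mappings):
    """Return (effective, admins, undefined) for the two API responses."""
    # Index role definitions by (namespace, name).
    defined = {(r["namespace"], r["name"]): set(r["permissions"]) for r in roles}
    effective = defaultdict(set)  # (sub_user, namespace) -> union of permissions
    undefined = []                # mappings that name a role missing from `roles`
    for m in mappings:
        if "role" not in m:
            # Filter entry: assumed here to scope access, not to grant permissions.
            continue
        key = (m["namespace"], m["role"])
        if key in defined:
            effective[(m["sub_user"], m["namespace"])] |= defined[key]
        else:
            undefined.append((m["sub_user"],) + key)
    # Any holder of "Admin" in a namespace is reported for review.
    admins = sorted(k for k, perms in effective.items() if "Admin" in perms)
    return dict(effective), admins, undefined


if __name__ == "__main__":
    eff, admins, undefined = audit(json.loads(ROLES_JSON), json.loads(MAPPINGS_JSON))
    for (user, ns), perms in sorted(eff.items()):
        print(f"{user:10} {ns:7} {sorted(perms)}")
    print("Admin holders:", admins)
    print("Mappings to undefined roles:", undefined)
```

A mapping that names a role absent from the role list is worth investigating, since deleting a role is documented to remove its mappings.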
Update map roles to user
When updating, you can only map (or attach) up to 5 roles to a user per namespace. There is no limit for filtering rules per user.
Valid values for type for filtering rules:
Namespace | Value |
---|---|
wave | linkAcct, group, tags |
ripple | billingGroup |
This method replaces all of the subuser's roles with the information in the request body.
Request
PATCH /userroles HTTP/1.1
authorization: Bearer {token}
content-type: application/json
{
"roles":[
{
"namespace":"wave",
"role": "somerole"
},
...
]
}
PATCH /{subuser}/userroles HTTP/1.1
authorization: Bearer {token}
content-type: application/json
{
"roles":[
{
"namespace":"wave",
"role": "somerole"
},
...
]
}
{subuser} is the subuser id.
Response