Granting Permissions to Users or Groups
Use the post /v1/cckm/sfdc/organizations/{id}/update-acls API to grant permissions to users or groups to perform specified operations on a Salesforce organization on the CipherTrust Manager.
User ID and group are mutually exclusive – specify either. When a user or group is granted permissions for the first time, the actions permitted are exactly those configured by the CCKM administrator. If the permissions of that user or group need to be modified later, for example to permit a new action or to revoke an existing one, the CCKM administrator sets "permit" to true or false for that particular action.
For example, suppose a user or group is permitted the actions keycreate, keyupload, and keyimport. To permit one more action, keydestroy, set "permit": true and "actions": ["keydestroy"] and run the API. Similarly, to deny the action keycreate, set "permit": false and "actions": ["keycreate"], and run the API.
Refer to Actions for actions supported by different APIs.
Syntax
```bash
curl -k '<IP>/api/v1/cckm/sfdc/organizations/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "<group>",\n "actions": [\n "<action-1>", "<action-2>"\n ],\n "permit": <true|false>\n }\n ]\n}' --compressed
```
Here, {id} represents the ID of the Salesforce organization resource on the CipherTrust Manager.
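The following Python helper is an added example, not part of the CipherTrust Manager documentation or product code. It builds the request body in the shape shown in the syntax above, enforces the two constraints this page states (group and user_id are mutually exclusive; actions must come from the Actions table), and walks through the permit/deny scenario described earlier with a local model of how successive calls change a subject's permitted set. The names `build_acl`, `build_update_acls_body`, `apply_acl_updates` and `send_update_acls` are assumptions introduced here, as is the local add/remove model of `apply_acl_updates`; the CCKM server is the authority on the real effect of a call.

```python
import json
import ssl
import urllib.request

# Action names accepted by update-acls, taken from the Actions table on this page.
VALID_ACTIONS = {
    "keycreate", "keyupload", "keydestroy", "keyimport", "keyrotate",
    "keysynchronize", "keyupdate", "view",
    "endpointcreate", "endpointupdate", "endpointdelete",
    "cacheonlykeyactivate", "cacheonlykeyupload", "cacheonlykeyupdate",
    "cacheonlykeydestroy", "certificatecreate", "certificatedelete",
    "certificatesync", "deletebackup",
}


def build_acl(actions, permit=True, group=None, user_id=None):
    """Build one entry of the "acls" array, rejecting input the API would not accept."""
    # group and user_id are mutually exclusive: exactly one must be given.
    if (group is None) == (user_id is None):
        raise ValueError("specify exactly one of group or user_id")
    unknown = set(actions) - VALID_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    if not isinstance(permit, bool):
        raise TypeError("permit must be a JSON boolean, not a string")
    acl = {"actions": sorted(set(actions)), "permit": permit}
    if group is not None:
        acl["group"] = group
    else:
        acl["user_id"] = user_id
    return acl


def build_update_acls_body(acls):
    """Wrap one or more ACL entries in the request body the API expects."""
    return {"acls": list(acls)}


def apply_acl_updates(current, updates):
    """Local model (assumption, not server behaviour): permit=true adds the listed
    actions to the subject's permitted set, permit=false removes them, and actions
    not mentioned are left untouched. Returns the resulting permitted actions."""
    permitted = set(current)
    for acl in updates:
        if acl["permit"]:
            permitted |= set(acl["actions"])
        else:
            permitted -= set(acl["actions"])
    return sorted(permitted)


def send_update_acls(base_url, org_id, token, body, cafile=None):
    """POST the body to /api/v1/cckm/sfdc/organizations/{id}/update-acls.
    Network call, not exercised offline. cafile is the CA bundle that signed the
    CipherTrust Manager certificate, so the TLS connection is verified instead of
    skipped the way curl -k does."""
    url = f"{base_url}/api/v1/cckm/sfdc/organizations/{org_id}/update-acls"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Scenario from the page: the group already holds keycreate, keyupload, keyimport.
    initial = ["keycreate", "keyupload", "keyimport"]
    grant = build_acl(["keydestroy"], permit=True, group="CCKM Users")
    revoke = build_acl(["keycreate"], permit=False, group="CCKM Users")
    print(json.dumps(build_update_acls_body([grant]), indent=2))
    print("after grant + revoke:", apply_acl_updates(initial, [grant, revoke]))
```

Two points worth noting in practice: the API takes "permit" as a JSON boolean, so a string such as "true" is rejected by `build_acl` rather than silently sent, and the request helper verifies the server certificate against a supplied CA bundle rather than reproducing the `-k` flag from the curl examples, which disables certificate checking for a call that carries a bearer token.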
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| acls | array of JSONs | Permissions to be granted to users and groups. Refer to ACLs for details. |
ACLs
| Parameter | Type | Description |
|---|---|---|
| actions | array of strings | List of actions. Refer to Actions for details. |
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either. |
| permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. |
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
| APIs | Actions | Description |
|---|---|---|
| Create | keycreate | Permission to create Salesforce keys. |
| Upload | keyupload | Permission to upload keys to Salesforce. |
| Destroy Key | keydestroy | Permission to destroy Salesforce keys. |
| Import Key | keyimport | Permission to import destroyed Salesforce keys. |
| Rotate Key | keyrotate | Permission to rotate the Salesforce keys. |
| Synchronize | keysynchronize | Permission to synchronize Salesforce keys. |
| Cancel | keysynchronize | Permission to cancel Salesforce key synchronization jobs. |
| Update | keyupdate | Permission to update cache-only key attributes (certificate and named credential). |
| Enable Key Rotation | keyupdate | Permission to enable automatic key rotation of Salesforce keys. |
| Disable Key Rotation | keyupdate | Permission to disable automatic key rotation of Salesforce keys. |
| List | view | Permission to view Salesforce keys. |
| Get (Salesforce Keys) | view | Permission to view details of a Salesforce key with the given ID. |
| List (Salesforce Organizations) | view | Permission to view Salesforce organizations. |
| Get (Salesforce Organizations) | view | Permission to view details of Salesforce organizations with the given ID. |
| Create Cache-only Key Endpoint | endpointcreate | Permission to create cache-only key endpoints. |
| Update Cache-only Key Endpoint | endpointupdate | Permission to update cache-only key endpoints. |
| Delete Cache-only Key Endpoint | endpointdelete | Permission to delete cache-only key endpoints. |
| Activate Cache-only Key | cacheonlykeyactivate | Permission to activate cache-only keys. |
| Upload Cache-only Key | cacheonlykeyupload | Permission to upload cache-only keys. |
| Update Cache-only Key | cacheonlykeyupdate | Permission to update cache-only keys. |
| Destroy Cache-only Key | cacheonlykeydestroy | Permission to destroy cache-only keys. |
| Create Certificate | certificatecreate | Permission to create certificate to be used to encrypt tenant secrets. |
| Delete Certificate | certificatedelete | Permission to delete certificates. |
| Synchronize Certificate | certificatesync | Permission to synchronize certificates from Salesforce to the CipherTrust Manager. |
| Delete Backup | deletebackup | Permission to delete backup of Salesforce keys from CCKM. |
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/sfdc/organizations/2473e846-31a8-4ee6-8299-17025548b4e2/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<...>.NAHcbm9TIB3YmVg-i_nfXf0-B0wMbAoXMSTaAJ-Ke-U' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "CCKM Users",\n "actions": [\n "view", "keycreate"\n ],\n "permit": true\n }\n ]\n}' --compressed
```
Example Response
```json
{
  "id": "2473e846-31a8-4ee6-8299-17025548b4e2",
  "uri": "kylo:kylo:cckm:sfdc-organization:2473e846-31a8-4ee6-8299-17025548b4e2",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2021-07-22T09:21:07.019666Z",
  "updatedAt": "2021-07-22T09:29:20.198938053Z",
  "name": "Thales",
  "organization_id": "00DB000000040bIMAQ",
  "connection": "sfdc-connection",
  "cloud_name": "sfdc",
  "type": "Regular",
  "acls": [
    {
      "group": "CCKM Users",
      "actions": [
        "view",
        "keycreate"
      ]
    }
  ]
}
```
The output shows the updated permissions for the Salesforce organization with ID 2473e846-31a8-4ee6-8299-17025548b4e2.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.