Granting Permissions to Users or Groups
Use the post /v1/cckm/external-cm/domains/{id}/update-acls API to grant permissions to users or groups to perform specified operations on an external CipherTrust Manager domain using CCKM.
User ID and group are mutually exclusive – specify either. For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted actions, keycreate and refresh. Now, to permit one more action keydelete to the user or group, set "permit":true and "actions": "keydelete" and run the API. Similarly, now to deny permission to the action keycreate, set "permit":false, "actions": "keycreate", and run the API.
Refer to Actions for actions supported by different APIs.
Syntax
curl -k '<IP>/api/v1/cckm/external-cm/domains/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": <group>",\n "actions": [\n "<action1>"\n ],\n "<action2>": <true|false>\n }\n ]\n}' --compressed
Here, {id} represents the ID of the external CipherTrust Manager domain resource on the CipherTrust Manager. Refer to Adding External CipherTrust Manager Domains to find out the resource ID of a domain.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| acls | array of JSONs | Permissions to be granted to users and groups. Refer to ACLs for details. |
ACLs
| Parameter | Type | Description |
|---|---|---|
| actions | array of strings | List of actions. The actions can be: • keycreate • keydelete • view • refresh Refer to Actions for details. |
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either. |
| permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. |
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
| APIs | Actions | Description |
|---|---|---|
| Create | keycreate | Permission to create external CipherTrust Manager keys. |
| Delete | keydelete | Permission to delete external CipherTrust Manager keys. |
| Refresh | refresh | Permission to refresh external CipherTrust Manager domains. |
| List | view | Permission to view external CipherTrust Manager domains and their keys. |
| Get (External CipherTrust Manager domain keys) | view | Permission to view details of an external CipherTrust Manager key. |
| List (External CipherTrust Manager domains) | view | Permission to view external CipherTrust Manager domains and their keys. |
| Get (External CipherTrust Manager domain) | view | Permission to view details of an external CipherTrust Manager domain. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/external-cm/domains/0b840971-a6b8-460b-b01c-a982dd053939/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0MmFmZDExNy02YzllLTRhNGUtOTAwYS1lYjlhNDNjYWE5ZDIiLCJzdWIiOiJsb2NhbHwzMTI5ODdkMS0wOWNiLTQxZTEtOThmNy1jZjRhNzgwNTZiMTMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNDVmOWE3NWUtMzI1NC00NWJkLWE0NzYtOWU2NWUyNjdmNGVkIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImFkYzNiZGQ4LTQ3YmItNGY0Zi05YzJkLWU0ODExOGE3YWI0NiIsImlhdCI6MTYxNDc1MjQzOCwiZXhwIjoxNjE0NzUyNzM4fQ.6S9ae8ESCkT6-aOd3vX2fdtq_jG1kUn6TWthrr9ZVms' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "CCKM Users",\n "actions": [\n "view"\n ],\n "permit": true\n }\n ]\n}' --compressed
Example Response
{
"id": "0b840971-a6b8-460b-b01c-a982dd053939",
"uri": "kylo:kylo:cckm:external-cm-domain:0b840971-a6b8-460b-b01c-a982dd053939",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-01-12T07:28:34.244511Z",
"updatedAt": "2023-01-12T07:30:15.696029Z",
"acls": [
{
"user_id": "local|8ef8442a-2cb6-4dc9-8ac5-d25c03d21ac0",
"actions": [
"view",
"refresh"
]
}
],
"connection": "cm-connection",
"cm_domain": {
"domain_id": "0c78b1c9-486e-41fd-ad1d-b80912342073",
"domain_uri": "kylo:kylo:solo:domains:0c78b1c9-486e-41fd-ad1d-b80912342073",
"account_uri": "kylo:kylo:admin:accounts:kylo",
"domain_application": "ncryptify:gemalto:admin:apps:kylo",
"domain_created_at": "2023-01-05 07:51:27.312078 +0000 UTC",
"domain_name": "domain",
"domain_updated_at": "2023-01-11 11:23:57.637539 +0000 UTC",
"domain_meta": "",
"zone_id": "ef583371-6a73-443c-9dc9-3013e7ed866d",
"parent_domain_id": "00000000-0000-0000-0000-000000000000",
"enable_syslog_redirection": true,
"domain_account": "kylo:kylo-0c78b1c9-486e-41fd-ad1d-b80912342073:admin:accounts:kylo-0c78b1c9-486e-41fd-ad1d-b80912342073",
"allow_user_management": false
}
}
The output shows the updated permissions for the domain with ID 0b840971-a6b8-460b-b01c-a982dd053939.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
