Viewing KACLS Endpoint Perimeters
KACLS endpoint perimeters are the policies that allow or disallow the wrap, unwrap, and takeout_unwrap operations. Refer to Access Policies for details.
Use the GET /v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/perimeters API to view the perimeters of a KACLS endpoint. Until a custom policy is attached, the API returns the following default policy:
package example
default allow = false
allow {
    input.authentication.email == input.authorization.email
}
allow {
    input.perimeter_id == "takeout"
}
Syntax
curl -k '<IP>/api/v1/cckm/GoogleWorkspaceCSE/endpoints/{id}/perimeters' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the endpoint. To find out the ID of an endpoint, refer to Viewing KACLS Endpoints. |
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/GoogleWorkspaceCSE/endpoints/c1583936-7d03-4e2d-a0ae-3a1ae2d2e200/perimeters' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response - 1
"package example default allow = false allow { input.authorization.email == \"abc@foo.com\" input.authentication.email == \"abc@foo.com\" input.authentication.ExtraClaims.location == \"Noida\" input.perimeter_id == \"takeout\" }"
Example Response - 2
For a policy with different identity provider and Google email addresses, the output looks similar to the following:
"package example default allow = false allow { input.authentication.google_email lower(input.authorization.email) == lower(input.authentication.google_email) } allow { not input.authentication.google_email lower(input.authorization.email) == lower(input.authentication.email) } allow { input.perimeter_id == \"takeout\" }"
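The following Python check is an added example, not part of the product documentation: it decodes a perimeters response, reports whether the endpoint still carries the default policy shown above, and lists `allow` rules that reference no identity claim. The function names are hypothetical, and it assumes the response body is a single JSON string, as in the example responses.

```python
import json
import re

# Default policy exactly as this page shows it (returned until a custom policy is attached).
DEFAULT_POLICY = """package example
default allow = false
allow {
    input.authentication.email == input.authorization.email
}
allow {
    input.perimeter_id == "takeout"
}"""

# "Example Response - 1" from this page, kept as the raw JSON string body.
EXAMPLE_1 = (
    r'"package example default allow = false allow { '
    r'input.authorization.email == \"abc@foo.com\" '
    r'input.authentication.email == \"abc@foo.com\" '
    r'input.authentication.ExtraClaims.location == \"Noida\" '
    r'input.perimeter_id == \"takeout\" }"'
)

def normalize(text: str) -> str:
    """Collapse whitespace so flattened and multi-line policies compare equal."""
    return " ".join(text.split())

def allow_rules(policy: str) -> list:
    """Bodies of every `allow { ... }` rule. Rego ORs rule bodies: one fully
    satisfied body is enough to allow the request."""
    return [normalize(b) for b in re.findall(r"\ballow\s*\{([^{}]*)\}", policy)]

def audit(body: str) -> dict:
    """Summarise a perimeters response body (assumed to be one JSON string)."""
    policy = json.loads(body)
    if not isinstance(policy, str):
        raise ValueError("expected a JSON string containing the policy")
    rules = allow_rules(policy)
    return {
        "is_default": normalize(policy) == normalize(DEFAULT_POLICY),
        "default_deny": bool(re.search(r"\bdefault\s+allow\s*=\s*false\b", policy)),
        "rule_count": len(rules),
        # Rules whose body references no identity claim at all.
        "no_identity_check": [r for r in rules
                              if not re.search(r"input\.auth(entication|orization)\.", r)],
    }

if __name__ == "__main__":
    for name, body in (("default", json.dumps(DEFAULT_POLICY)), ("example 1", EXAMPLE_1)):
        print(name, audit(body))
```

Pass `audit()` the body returned by the GET request; an endpoint reporting `is_default` as true has no custom policy attached.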
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
Refer to HTTP status codes for details.