Granting Permissions to Users or Groups
Use the post /v1/cckm/sfdc/organizations/{id}/update-acls
API to grant permissions to users or groups to perform specified operations on a Salesforce organization on the CipherTrust Manager.
User ID and group are mutually exclusive – specify either. For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true
or false
.
For example, a user or group is permitted actions, keycreate
, keyupload
, and keyimport
. Now, to permit one more action keydestroy
to the user or group, set "permit":true
and "actions": "keydestroy" and run the API. Similarly, now to deny permission to the action keycreate
, set "permit":false
, "actions": "keycreate"
, and run the API.
Refer to Actions for actions supported by different APIs.
Syntax
curl -k '<IP>/api/v1/cckm/sfdc/organizations/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "<group>",\n "actions": [\n "<action-1>", "<action-2>"\n ],\n "permit": <true|false>\n }\n ]\n}' --compressed
Here, {id}
represents the ID of the Salesforce organization resource on the CipherTrust Manager.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
acls | array of JSONs | Permissions to be granted to users and groups. Refer to ACLs for details. |
ACLs
Parameter | Type | Description |
---|---|---|
actions | array of strings | List of actions. Refer to Actions for details. |
group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either. |
permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. |
user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
APIs | Actions | Description |
---|---|---|
Create | keycreate | Permission to create Salesforce keys. |
Upload | keyupload | Permission to upload keys to Salesforce. |
Destroy Key | keydestroy | Permission to destroy Salesforce keys. |
Import Key | keyimport | Permission to import a destroyed Salesforce keys. |
Rotate Key | keyrotate | Permission to rotate the Salesforce keys. |
Synchronize | keysynchronize | Permission to synchronize Salesforce keys. |
Cancel | keysynchronize | Permission to cancel Salesforce key synchronization jobs. |
Update | keyupdate | Permission to update cache-only key attributes (certificate and named credential). |
Enable Key Rotation | keyupdate | Permission to enable automatic key rotation of Salesforce keys. |
Disable Key Rotation | keyupdate | Permission to disable automatic key rotation of Salesforce keys. |
List | view | Permission to view Salesforce keys. |
Get (Salesforce Keys) | view | Permission to view details of a Salesforce key with the given ID. |
List (Salesforce Organizations) | view | Permission to view Salesforce organizations. |
Get (Salesforce Organizations) | view | Permission to view details of Salesforce organizations with the given ID. |
Create Cache-only Key Endpoint | endpointcreate | Permission to create cache-only key endpoints. |
Update Cache-only Key Endpoint | endpointupdate | Permission to update cache-only key endpoints. |
Delete Cache-only Key Endpoint | endpointdelete | Permission to delete cache-only key endpoints. |
Activate Cache-only Key | cacheonlykeyactivate | Permission to activate cache-only keys. |
Upload Cache-only Key | cacheonlykeyupload | Permission to upload cache-only keys. |
Update Cache-only Key | cacheonlykeyupdate | Permission to update cache-only keys. |
Destroy Cache-only Key | cacheonlykeydestroy | Permission to destroy cache-only keys. |
Create Certificate | certificatecreate | Permission to create certificate to be used to encrypt tenant secrets. |
Delete Certificate | certificatedelete | Permission to delete certificates. |
Synchronize Certificate | certificatesync | Permission to synchronize certificates from Salesforce to the CipherTrust Manager. |
Delete Backup | deletebackup | Permission to delete backup of Salesforce keys from CCKM. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/sfdc/organizations/2473e846-31a8-4ee6-8299-17025548b4e2/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhOGY3N2IxZS1lOTY2LTQwMjEtODRjMC01YjZiNjAzMTBmOWEiLCJzdWIiOiJsb2NhbHwzM2Y5ZDFmNi04MjJiLTQ0NTItOGM4MC1mYzM0ZGYyZTI3OGQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNjcyMjMzMDAtYjU2ZC00ZmVmLTkwMDEtZGE1NGY2ZDdiMzY4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNkNWM4OWYzLTM1OWYtNGZmYS04ZTMyLWMxZjk0NTIyMWYzNiIsImlhdCI6MTYyMDE5NTY0NCwiZXhwIjoxNjIwMTk1OTQ0fQ.NAHcbm9TIB3YmVg-i_nfXf0-B0wMbAoXMSTaAJ-Ke-U' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "CCKM Users",\n "actions": [\n "view", "keycreate"\n ],\n "permit": true\n }\n ]\n}' --compressed
Example Response
{
"id": "2473e846-31a8-4ee6-8299-17025548b4e2",
"uri": "kylo:kylo:cckm:sfdc-organization:2473e846-31a8-4ee6-8299-17025548b4e2",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-07-22T09:21:07.019666Z",
"updatedAt": "2021-07-22T09:29:20.198938053Z",
"name": "Thales",
"organization_id": "00DB000000040bIMAQ",
"connection": "sfdc-connection",
"cloud_name": "sfdc",
"type": "Regular",
"acls": [
{
"group": "CCKM Users",
"actions": [
"view",
"keycreate"
]
}
]
}
The output shows the updated permissions for the Salesforce organization with ID 2473e846-31a8-4ee6-8299-17025548b4e2
.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.