Permission
Get Permissions
Endpoints
GET /passportsvc/api/v1/permissions
Request
Query parameters
| Parameter | Type | Description | Required |
|---|---|---|---|
| _user._id | String | Enter either the user id, user group id, permprofileid or *. For *, enter "user" for _user._type. | Optional |
| _user._type | String | Either "user", "usergroup" or "permprofile". Required if you use a user id or user group id for _user._id. | Optional |
| _resourceDesc._irn=valid | String | Enter an IRN. | Required |
| _namespace=namespace | String | Pass one or more namespaces. For multiple namespaces, pass them in the following format: _namespace=NS1&_namespace=NS2. | Required |
| _resourceDesc._criteria.<attribute> | String | Enter the attribute you want to query, followed by its value, for example: _resourceDesc._criteria.usertype=myUserType. For the attribute, pass null to match records without criteria. | Required |
| patternmatch | boolean | Is _resourceDesc._irn considered to be a pattern or not? | Optional |
Response
Codes
| Code | Description | Example |
|---|---|---|
| 200 | Success | |
| 400 | Bad Request | If a user id or user group id is given but the user type is not. |
| 403 | Forbidden | For a permissions request for other users, the current user should have SHARE permissions if they use a Passport Service IRN; otherwise the request must come from a trusted client. |
Response data example

```json
{
  "_offset": 0,
  "_pageSize": 2,
  "_total": 2,
  "_list": [
    {
      "_namespace": "gda_szJOU5wi",
      "_user": {
        "_id": "cfd0bc81-d9b7-4892-a83f-47af96a48c96",
        "_type": "user"
      },
      "_actions": ["*"],
      "_id": "8b7ec203-2916-4af5-a473-069100ed2721",
      "_resourceDesc": {
        "_irn": "passportsvc:usergroup:fffa0317-6c42-4564-9c36-39b94db2148b"
      }
    },
    {
      "_namespace": "gda_szJOU5wi",
      "_user": {
        "_id": "cfd0bc81-d9b7-4892-a83f-47af96a48c96",
        "_type": "user"
      },
      "_actions": ["*"],
      "_id": "0b136ff6-a65b-4815-84b0-43b8e0ab415c",
      "_resourceDesc": {
        "_irn": "*:*:*"
      }
    }
  ]
}
```

Create or Update Permissions
Endpoints
PUT /passportsvc/api/v1/permissions
Request
Body parameters
| Parameter | Type | Description | Required |
|---|---|---|---|
| _actions | Array of String | Array of actions | Required |
| _user._id | String | Either user id, user group id, or permprofile id | Required |
| _user._type | String | Either user, usergroup, or permprofile | Required |
| _resourceDesc._irn | String | Pass an IRN. | Required |
| _namespace | String | Pass the namespace you want the permission to operate in. | Required |
Request body example

```json
[
  {
    "_namespace": "1112_kXElcNCN",
    "_user": {
      "_id": "487a132f-d1de-4dd2-9f47-a515ff6c2536",
      "_type": "user"
    },
    "_resourceDesc": {
      "_irn": "passportsvc:workspace:fffa0317-6c42-4564-9c36-39b94db2148b"
    },
    "_actions": ["*"]
  },
  {
    "_namespace": "1112_kXElcNCN",
    "_user": {
      "_id": "5d9f5736-88c0-46d2-ad1a-398010e55ff4",
      "_type": "user"
    },
    "_resourceDesc": {
      "_irn": "passportsvc:workspace:fffa0317-6c42-4564-9c36-39b94db2148b"
    },
    "_actions": ["*"]
  }
]
```

Response
Codes
| Code | Description | Example |
|---|---|---|
| 200 | Success | |
| 400 | Bad Request | You can add up to 25 permissions at a time. Individual permission records have their own success or failure statuses. |
| 403 | Forbidden | The current user must have SHARE permission for Passport Service IRNs; otherwise the request must come from a trusted client. |
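A client-side pre-flight for the PUT body, as an added example (not Passport Service code): it checks the required fields from the body parameters table, splits records into batches of at most 25, and counts `_success` and `_failures` entries instead of relying on the HTTP status alone. The function names and the rule that `_actions` must be non-empty are assumptions.

```python
import json

MAX_BATCH = 25  # limit stated on this page for one PUT
USER_TYPES = {"user", "usergroup", "permprofile"}  # values listed for _user._type


def validate(record):
    """Return a list of problems with one permission record (empty if it is usable)."""
    problems = []
    user = record.get("_user") or {}
    if not record.get("_namespace"):
        problems.append("_namespace missing")
    if not user.get("_id"):
        problems.append("_user._id missing")
    if user.get("_type") not in USER_TYPES:
        problems.append("_user._type must be user, usergroup or permprofile")
    if not (record.get("_resourceDesc") or {}).get("_irn"):
        problems.append("_resourceDesc._irn missing")
    actions = record.get("_actions")
    # Assumption: an empty action list is treated as a mistake.
    if not (isinstance(actions, list) and actions and all(isinstance(a, str) for a in actions)):
        problems.append("_actions must be a non-empty array of strings")
    return problems


def build_batches(records):
    """Validate every record, then return JSON bodies of at most MAX_BATCH records each."""
    bad = {}
    for index, record in enumerate(records):
        problems = validate(record)
        if problems:
            bad[index] = problems
    if bad:
        raise ValueError(f"invalid permission records: {bad}")
    return [json.dumps(records[i:i + MAX_BATCH]) for i in range(0, len(records), MAX_BATCH)]


def summarize(response_body, sent_count):
    """Count per-record outcomes; 'unaccounted' is non-zero if the reply omits records."""
    body = json.loads(response_body)
    ok, failed = body.get("_success", []), body.get("_failures", [])
    return {"applied": len(ok), "failed": len(failed),
            "unaccounted": sent_count - len(ok) - len(failed), "failures": failed}
```
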
Response data example

```json
{
  "_success": [
    {
      "_namespace": "1112_kXElcNCN",
      "_user": {
        "_id": "487a132f-d1de-4dd2-9f47-a515ff6c2536",
        "_type": "user"
      },
      "_actions": ["*"],
      "_status": 200,
      "_id": "7d785281-b37f-4d92-99e4-c268889d690f",
      "_resourceDesc": {
        "_irn": "passportsvc:workspace:fffa0317-6c42-4564-9c36-39b94db2148b"
      }
    },
    {
      "_namespace": "1112_kXElcNCN",
      "_user": {
        "_id": "5d9f5736-88c0-46d2-ad1a-398010e55ff4",
        "_type": "user"
      },
      "_actions": ["*"],
      "_status": 200,
      "_id": "6da79027-d371-482d-972a-b48a963be9af",
      "_resourceDesc": {
        "_irn": "passportsvc:workspace:fffa0317-6c42-4564-9c36-39b94db2148b"
      }
    }
  ],
  "_failures": []
}
```

Delete Permissions
Endpoints
DELETE /passportsvc/api/v1/permissions/{id}
Request
Body parameters
| Parameter | Type | Description | Required |
|---|---|---|---|
| id | String | The Permission's id | Required |
Response
Response codes
| Code | Description |
|---|---|
| 204 | No Content |
Response data
None
Sample Scenarios
For GET /passportsvc/api/v1/permissions, permissions are looked up in two ways:
- Look up permissions for a given IRN
- Look up permissions for a given pattern
Consider the following permission records in the DB:
- irn1 - itemsvc:nameduseritem:*
- irn2 - itemsvc:nameduseritem:<id>
- irn3 - *:*:*
| irn | actions |
|---|---|
| itemsvc:nameduseritem:* | READ, EDIT |
| itemsvc:nameduseritem:<id> | * |
| *:*:* | READ, SHARE |
Look up permissions for given IRN
This lookup treats the IRN stored in the DB as the pattern and the IRN in the query string as the text to match. It is used to get the permissions that apply to a given resource. For the test data above it returns the following results.
| irn query | results | actions performed |
|---|---|---|
| itemsvc:nameduseritem:* | irn1,irn3 | READ, EDIT, SHARE |
| itemsvc:nameduseritem:<id> | irn1,irn2,irn3 | * |
| *:*:* | irn3 | READ, SHARE |
Lookup permissions for given pattern
This lookup treats the IRN in the query string as the pattern and the IRN stored in the DB as the text to match. It is used to get all the permissions that match a given pattern. The same input gives different results.
| irn query | results |
|---|---|
| itemsvc:nameduseritem:* | irn1,irn2 |
| itemsvc:nameduseritem:<id> | irn2 |
| *:*:* | irn1,irn2,irn3 |
When patternmatch=true is in the query string, the result is the union of both #1 and #2. The request should come from a trusted client when patternmatch=true.
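The two lookup directions and the patternmatch=true union, run over the three sample records, as an added example (not the service's own code). The segment-wise rule, where `*` in the pattern matches any one segment, is an assumption chosen because it reproduces the tables above; the function names are hypothetical and `<id>` is handled as a literal placeholder id.

```python
# Constructed records mirroring the sample data on this page.
RECORDS = {
    "irn1": ("itemsvc:nameduseritem:*", {"READ", "EDIT"}),
    "irn2": ("itemsvc:nameduseritem:<id>", {"*"}),
    "irn3": ("*:*:*", {"READ", "SHARE"}),
}


def matches(pattern, text):
    """Assumed semantics: compare segment by segment; '*' in the pattern matches any segment."""
    p, t = pattern.split(":"), text.split(":")
    return len(p) == len(t) and all(ps == "*" or ps == ts for ps, ts in zip(p, t))


def lookup_by_irn(query):
    """Stored IRN is the pattern, query IRN is the text: which grants apply to this resource?"""
    return sorted(k for k, (irn, _) in RECORDS.items() if matches(irn, query))


def lookup_by_pattern(query):
    """Query IRN is the pattern, stored IRN is the text: which records fall under this pattern?"""
    return sorted(k for k, (irn, _) in RECORDS.items() if matches(query, irn))


def lookup(query, patternmatch=False):
    """Default is the IRN lookup; patternmatch=True returns the union of both lookups."""
    hits = set(lookup_by_irn(query))
    if patternmatch:
        hits |= set(lookup_by_pattern(query))
    return sorted(hits)


def effective_actions(record_ids):
    """Union of the actions on the matched records; a single '*' grant absorbs the rest."""
    actions = set().union(*(RECORDS[r][1] for r in record_ids))
    return {"*"} if "*" in actions else actions


if __name__ == "__main__":
    for q in ("itemsvc:nameduseritem:*", "itemsvc:nameduseritem:<id>", "*:*:*"):
        by_irn = lookup_by_irn(q)
        print(q, by_irn, sorted(effective_actions(by_irn)),
              lookup_by_pattern(q), lookup(q, patternmatch=True))
```

The first lookup answers what a caller may do to one resource, so a broad stored grant such as `*:*:*` shows up in every result; the second enumerates stored records and is the one to use when reviewing what has been granted under a prefix.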
| Query string | Result | Permissions required |
|---|---|---|
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=passportsvc:workspace:<workspace_id> | Returns permissions for the current user for the given namespaces and IRN. | |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=passportsvc:workspace:<workspace_id>&_user._id=* | Returns permissions for all the users and user groups. | The session user should have SHARE permissions if the IRN belongs to Passport Service; otherwise the request should come from a trusted client. |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=passportsvc:workspace:<workspace_id>&_user._id=<user_id>&_user._type=user | The user type is required when a user id or user group id is given. Returns permissions for the given user and the user groups they belong to. | The session user should have SHARE permissions if the IRN belongs to Passport Service; otherwise the request should come from a trusted client. |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=passportsvc:workspace:<workspace_id>&_user._id=<user_group_id>&_user._type=usergroup | The user type is required when a user id or user group id is given. Returns permissions for the given user group. | The session user should have SHARE permissions if the IRN belongs to Passport Service; otherwise the request should come from a trusted client. |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=filesvc:file:<file_id> | Returns permissions for the current user for the given namespaces and IRN. Criteria are not considered: permissions with and without criteria are included. | |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=filesvc:file:<file_id>&_resourceDesc._criteria.<criteria_1>=<value> | Returns permissions for the current user for the given namespaces and IRN that match the criteria. | |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=filesvc:file:<file_id>&_resourceDesc._criteria=null | Returns permissions for the current user for the given namespaces and IRN where the criteria is null. It doesn't return permissions that have any criteria. | |
Pattern Match Queries
| Query string | Result | Permissions required |
|---|---|---|
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=passportsvc:workspace:<workspace_id>&patternmatch=true | Returns union of below: | The request should come from trusted client |
| _namespace=NS1&_namespace=NS2&_resourceDesc._irn=passportsvc:workspace:<workspace_id>&_user._id=<user_id>&_user._type=user | Returns union of below: | The request should come from trusted client |