IAM Access Policies Update (v1)
Create the bearer_token and store it in a file in a secure local directory with 0600 permissions.
See API Request Authorization and Authentication.
Note
The following example shows use of the API over curl in a bash terminal. The concepts are fully portable to any other REST client (e.g. Postman or Python requests).
Set the URL (for example):
$ export URL=https://synsation.1234-5678.nodes.archivist.jitsuin.io
Define the access_policies parameters to be changed and store in /path/to/jsonfile:
{
    "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write": [ "toner_colour" ],
            "behaviours": [ "Attachments", "Firmware", "Maintenance", "RecordEvidence" ],
            "event_arc_display_type_read": [ "toner_type", "toner_colour" ],
            "event_arc_display_type_write": [ "toner_replacement" ],
            "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}
Note
- filters
A list of asset attribute filters.
- access_permissions
A list specifying which subjects and users get what rights for the matching assets.
- behaviours
A list of behaviours allowed to update the asset for the matching subjects and users. For all behaviours use [ "*" ].
- asset_attributes_read
Asset attributes named in this list will be visible.
- asset_attributes_write
Asset attributes named in this list will be writable. Note they can only be read if also listed in asset_attributes_read.
- event_arc_display_type_read
Events which have an event attribute arc_display_type with a value from this list will be visible. Matches due to event_arc_display_type_read are OR'd with matches due to include_attributes. To share all events with the specified users for any asset matching the filters, use [ "*" ]. Using "*" means the event can have any value in arc_display_type or can omit it altogether.
- event_arc_display_type_write
Events which have an event attribute arc_display_type with a value from this list will be writable. Matches due to event_arc_display_type_write are OR'd with matches due to include_attributes. To share all events with the specified users for any asset matching the filters, use [ "*" ]. Using "*" means the event can set any value in arc_display_type or can omit it altogether.
- include_attributes
A list of attributes to share with the matching subjects and be visible to the matching users. For all attributes use [ "*" ]. Matches due to include_attributes are OR'd with event_arc_display_type_read.
- subjects
A list of subject identities of subjects who are to be granted these rights.
- user_attributes
A list of user attribute filters that specify who is allowed to see the assets matching the policy filters and use those assets' behaviours.
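A pre-flight check for the request body before it is sent, as an added example (not part of the Archivist documentation or API). It flags the [ "*" ] wildcards described above, attributes listed in asset_attributes_write but missing from asset_attributes_read, and a bearer token file whose mode is not 0600. The function names and the sample policy are assumptions made for illustration.

```python
import os
import stat

# Fields for which this page documents ["*"] as "match everything".
WILDCARD_FIELDS = ("behaviours", "include_attributes",
                   "event_arc_display_type_read", "event_arc_display_type_write")

# Constructed sample: entry 0 is this page's example permission (trimmed),
# entry 1 is a deliberately over-broad permission made up for the demo.
SAMPLE = {
    "access_permissions": [
        {"asset_attributes_read": ["toner_colour", "toner_type"],
         "asset_attributes_write": ["toner_colour"],
         "behaviours": ["Attachments", "Firmware", "Maintenance", "RecordEvidence"],
         "include_attributes": ["arc_display_name", "arc_display_type"]},
        {"asset_attributes_read": ["toner_type"],
         "asset_attributes_write": ["toner_colour"],
         "behaviours": ["*"],
         "event_arc_display_type_read": ["*"]},
    ]
}


def lint_policy(policy):
    """Return review findings for an access_policies request body (hypothetical helper)."""
    findings = []
    for i, perm in enumerate(policy.get("access_permissions") or []):
        where = f"access_permissions[{i}]"
        for field in WILDCARD_FIELDS:
            if "*" in (perm.get(field) or []):
                findings.append(f"{where}.{field}: wildcard grants every value")
        readable = set(perm.get("asset_attributes_read") or [])
        for attr in perm.get("asset_attributes_write") or []:
            if attr not in readable:
                findings.append(f"{where}.asset_attributes_write: "
                                f"'{attr}' is writable but not listed as readable")
    return findings


def token_file_is_private(path):
    """True if the bearer token file is a regular file with mode exactly 0600."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

Run it against the parsed contents of /path/to/jsonfile and review any findings before issuing the PATCH.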
Update the access policy:
$ curl -v -X PATCH \
    -H "@$BEARER_TOKEN_FILE" \
    -H "Content-type: application/json" \
    -d "@/path/to/jsonfile" \
    $URL/archivist/iam/v1/access_policies/47b58286-ff0f-11e9-8f0b-362b9e155667
The response is:
{
    "identity": "access_policies/3f5be24f-fd1b-40e2-af35-ec7c14c74d53",
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write": [ "toner_colour" ],
            "behaviours": [ "Attachments", "Firmware", "Maintenance", "RecordEvidence" ],
            "event_arc_display_type_read": [ "toner_type", "toner_colour" ],
            "event_arc_display_type_write": [ "toner_replacement" ],
            "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}
Note
A full API reference is available in Swagger PATCH API