Authorization (RBAC)

For general information about RBAC, check out this link.

The following endpoint is the base URL for the APIs below.

https://service.alphaus.cloud/m/auth/rbac/

List permissions

List all permissions supported by RBAC in all namespaces. For reference, supported permissions can be found here.

Request

GET /permissions HTTP/1.1
authorization: Bearer {token}

Response

HTTP/1.1 200 OK

[
  {
    "namespace":"wave",
    "permissions":[
      "Admin",
      "ModifySettings",
      "..."
    ]
  },
  {
    "namespace":"ripple",
    "permissions":[
      "Admin"
    ]
  }
]

Create role

During role creation, if your permissions list contains an Admin entry, all other entries are discarded and only Admin is kept.

Roles are defined at the root-user level. That means all roles created by the root user, or by any subuser that has permission to create roles, are available to all subusers.

Request

POST /roles HTTP/1.1
authorization: Bearer {token}
content-type: application/json

{
  "name":"testrole",
  "namespace":"wave",
  "permissions":[
    "ModifySettings",
    "ViewSettings",
    ...
  ]
}

Role names must be at least 6 and at most 32 characters long. They must be alphanumeric; hyphens and underscores are allowed in between. The regular expression used for validation is below. Note that the pattern constrains the characters only and does not itself express the length limits:

^[A-Za-z0-9][A-Za-z0-9_-]*[A-Za-z0-9]$

Response

HTTP/1.1 200 OK

{
  "name":"testrole",
  "namespace":"wave",
  "permissions":[
    "ModifySettings",
    "ViewSettings",
    ...
  ]
}
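
The naming rule and the Admin behaviour described above can be checked on the client before the request is sent. The following Python is an added example, not code from the API or any SDK for it; the function names and the allow_admin guard are assumptions made for illustration.

```python
import re

# Pattern copied from the page. It constrains characters only, so the
# 6..32 length rule stated in the prose is checked separately.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*[A-Za-z0-9]$")
MIN_LEN, MAX_LEN = 6, 32


def validate_role_name(name):
    """Return a list of problems with a role name (empty list means valid)."""
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append(f"length {len(name)} is outside {MIN_LEN}..{MAX_LEN}")
    # fullmatch() stops '$' from accepting a name with a trailing newline.
    if not ROLE_NAME_RE.fullmatch(name):
        problems.append("only alphanumerics, with '-' and '_' in between")
    return problems


def effective_permissions(permissions):
    """Permissions the role ends up with: Admin discards all other entries."""
    return ["Admin"] if "Admin" in permissions else list(permissions)


def build_create_role(name, namespace, permissions, allow_admin=False):
    """Return the POST /roles body, or raise ValueError listing the problems."""
    problems = validate_role_name(name)
    effective = effective_permissions(permissions)
    # Assumed local policy (not part of the API): an Admin role must be asked
    # for explicitly, so it cannot slip in beside narrower permissions.
    if effective == ["Admin"] and not allow_admin:
        problems.append("role would be Admin; pass allow_admin=True to confirm")
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "namespace": namespace, "permissions": effective}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_create_role("testrole", "wave", ["ModifySettings", "ViewSettings"]))
    for bad in ("abc", "-testrole", "test role", "testrole\n"):
        print(repr(bad), validate_role_name(bad))
```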

List roles

Request

GET /roles?namespace={namespace} HTTP/1.1
authorization: Bearer {token}

The {namespace} parameter is optional. If not provided, all roles will be returned.

Response

HTTP/1.1 200 OK

[
  {
    "name": "testrole",
    "namespace": "wave",
    "permissions": [
      "ModifySettings",
      "ViewSettings",
      "ModifyAccountSettings"
    ]
  },
  {
    "name": "waveAdmin",
    "namespace": "wave",
    "permissions": [
      "Admin"
    ]
  },
  ...
]

Update role

Update a role. If the role name is different, the mapped role name is renamed as well.

Request

PATCH /roles/{namespace}/{rolename} HTTP/1.1
authorization: Bearer {token}
content-type: application/json

{
  "namespace":"wave",
  "permissions":[
    "ModifySettings",
    "ViewSettings",
    ...
  ]
}

Response

HTTP/1.1 200 OK

{
  "name": "testrole",
  "namespace":"wave",
  "permissions":[
    "ModifySettings",
    "ViewSettings",
    ...
  ]
}

Delete role

Delete a role. Deleting a role also removes all of its mappings.

Request

DELETE /roles/{namespace}/{rolename} HTTP/1.1
authorization: Bearer {token}

Map roles to user

You can only map (or attach) up to 5 roles to a user per namespace. There is no limit for filtering rules per user.

Valid values for type for filtering rules:

Namespace    Value
wave         linkAcct, group, tags
ripple       billingGroup

Request

POST /userroles HTTP/1.1
authorization: Bearer {token}
content-type: application/json

{
  "user_id":"subuser1",
  "roles":[
    {
      "namespace":"wave",
      "role": "somerole"
    },
    ...
  ]
}

Response

HTTP/1.1 200 OK

{
  "success":[
    "somerole"
  ],
  "failed":[],
  "filters":[]
}

List user role mappings

Request

For this endpoint, the returned role mappings are those attached to the caller.

GET /userroles HTTP/1.1
authorization: Bearer {token}

For listing role mappings of other subusers, use this endpoint.

GET /{subuser}/userroles HTTP/1.1
authorization: Bearer {token}

{subuser} is the subuser name.

Response

HTTP/1.1 200 OK

[
  {
    "root_user":"58c2297d25645",
    "sub_user":"subuser01",
    "namespace":"wave",
    "role":"testrole1"
  },
  {
    "root_user":"58c2297d25645",
    "sub_user":"subuser02",
    "namespace":"wave",
    "filter":"billingGroup:2222"
  },
  ...
]

List user permissions

Retrieve all permissions of all roles attached to {subuser}.

Request

GET /{subuser}/permissions HTTP/1.1
authorization: Bearer {token}

Response

HTTP/1.1 200 OK

[
  {
    "namespace":"wave",
    "permissions":[
      "Admin",
      "ModifySettings",
      "..."
    ]
  },
  {
    "namespace":"ripple",
    "permissions":[
      "Admin"
    ]
  }
]

Update roles mapped to user

You can only map (or attach) up to 5 roles to a user per namespace. There is no limit for filtering rules per user.

Valid values for type for filtering rules:

Namespace    Value
wave         linkAcct, group, tags
ripple       billingGroup

This method replaces all of the subuser's roles with the information in the request body.

Request

PATCH /userroles HTTP/1.1
authorization: Bearer {token}
content-type: application/json

{
  "roles":[
    {
      "namespace":"wave",
      "role": "somerole"
    },
    ...
  ]
}

PATCH /{subuser}/userroles HTTP/1.1
authorization: Bearer {token}
content-type: application/json

{
  "roles":[
    {
      "namespace":"wave",
      "role": "somerole"
    },
    ...
  ]
}

{subuser} is the subuser id.

Response

HTTP/1.1 200 OK

{
  "success":[
    "somerole"
  ],
  "failed":[],
  "filters":[]
}