Manage Policies
- Print
- PDF
Manage Policies
- Print
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
- The condition field used in the following APIs can be a string or a JSON object.
"condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.15\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-07-31 00:00:00\",\"toDate\":\"2023-12-15 00:00:00\",\"timezone\":\"Pacific/Honolulu\"},\"daysSchedule\":{\"fromTime\":\"01:00:00\",\"toTime\":\"23:30:00\",\"timezone\":\"Pacific/Honolulu\",\"days\":[\"MONDAY\",\"TUESDAY\",\"WEDNESDAY\",\"THURSDAY\"]}},\"approval\":{\"approvers\":{\"userIds\":[\"vaishali\"]},\"validFor\":4,\"isValidForInDays\":true,\"timeToApprove\":60,\"notificationMedium\":[\"Email Only\",\"teams-vw\",\"Slack - Arpita\"]}}""condition": { "approval": { "notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b", "timeToApprove": 300, "validFor": 300, "isValidForInDays": true, "approvers": { "userIds": [ "CCy1O21HXuzSNzCp8vWI" ] } } } - notificationMedium inside the condition field can be either a string or an array.
- Only one notification medium can be specified when used as a string.NotificationMedium as a string
"notificationMedium\":\"12051835-cdf3-494b-a07e-923cb945b97b\" - Multiple notification mediums can be specified when used as an array.NotificationMedium as an array
"notificationMedium\":[\"44d45a37-f28b-4e51-8eef-4d5ff9e15aa9\",\"b438ae73-2930-41d9-b736-f80e072af753\"]
- Only one notification medium can be specified when used as a string.
1. Create Policy
This POST method creates a policy.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.create.
| POST | {{url}}/api/v1/policy-admin/policies |
curl -X POST '{{url}}/api/v1/policy-admin/policies'
-H 'Authorization: Bearer <token>'
-d
'{
"name": "Policy_14dec",
"description": "test",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": {"timeOfAccess":{"dateSchedule":{"fromDate":"2022-12-18 00:30:00","toDate":"2022-12-20 02:30:00","timezone":"Europe/Paris"},"daysSchedule":{"fromTime":"20:30:00","toTime":"21:30:00","timezone":"Europe/Paris", "days":["SATURDAY","TUESDAY"]}}},
"permissions": [
{
"name": "policy_14dec_per",
"consumer": "secretmanager",
"actions": [
"sm.node.*"
],
"resources": [
"/*"
],
"isInline": true,
"isReadOnly": false
}
],
"members": {
"users": [
{
"id": "CCy1O21HXuzSNzCp8vWI"
}
]
},
"resource": "aziewhoieflmzqd4k7yf",
"consumer": "secretmanager",
"accessType": "Allow"
}'Response Example
| Status: 201 Created |
{
"id": "581371e8-372e-4e3e-82ba-0830698e9e98",
"name": "Policy_14dec",
"description": "test",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": {
"timeOfAccess": {
"dateSchedule": {
"fromDate": "2022-12-18 00:30:00",
"toDate": "2022-12-20 02:30:00",
"timezone": "Europe/Paris"
},
"daysSchedule": {
"fromTime": "20:30:00",
"toTime": "21:30:00",
"timezone": "Europe/Paris",
"days": [
"SATURDAY",
"TUESDAY"
]
}
}
},
"permissions": [
{
"id": "21384ccc-1174-46b1-9099-f540518d75b5",
"name": "policy_14dec_per",
"consumer": "secretmanager",
"actions": [
"sm.node.create",
"sm.node.delete",
"sm.node.list",
"sm.node.read",
"sm.node.update"
],
"resources": [
"/*"
],
"isInline": true,
"isReadOnly": false
}
],
"members": {
"users": [
{
"id": "CCy1O21HXuzSNzCp8vWI",
"name": "jliu1"
}
]
},
"resource": "aziewhoieflmzqd4k7yf",
"consumer": "secretmanager",
"accessType": "Allow"
}2. Create Policy with Entity Names
This POST method creates a policy with entity names.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.create.
| POST | {{url}}/api/v1/policy-admin/policies |
curl -X POST '{{url}}/api/v1/policy-admin/policies'
-H 'Authorization: Bearer <token>' -H 'content-type: application/json'
-d
'{
""name"": ""Node_Admin"",
""description"": ""AdminPolicy_2Mar1 description"",
""isActive"": true,
""isDraft"": false,
""isReadOnly"": false,
""condition"": """",
""permissions"": [
{
""name"": ""AdminPolicy_2Mar1 per root"",
""description"": """",
""consumer"": ""secretmanager"",
""actions"": [
""sm.node.list"",
""sm.node.create"",
""sm.secret.read""
],
""resources"": [
""/*""
],
""isInline"": true,
""isReadOnly"": false
}
],
""members"": {
""users"": [
{
""name"": ""nitishag""
}
]
},
""accessType"": ""allow""
}
'OR
'{
"name": "vaultAdminPolicy",
"description": "Vault Admin Policy",
"permissions" :
[
{
"consumer": "secretmanager",
"resources": ["*"],
"actions": ["sm.secret.list"],
"isInline": true
}
]
"roles": [{ "id": "role_1"}, {"id": "role_2"}],
"accessType": "Allow",
"members":
{
"tags": [ "group1"],
"tokens": ["hytrdsakjdksdks"],
"users": ["user1"]
},
"condition": "{\"ipAddress\": \"10.10.25.11,10.10.25.12,0.0.0.0/8\", \"timeOfAccess\": {\"from\": \"2021-10-06 16:00:00\", \"to\": \"2021-10-06 19:00:00\"}, \"approval\": {\"approvers\": \"user1\", \"timeout\": 15}}",
"isActive": true,
"isDraft": false
}'Response Example
| Status: 201 Created |
'{
""id"": ""cc79d402-b055-4c41-9264-a661304637aa"",
""name"": ""Node_Admin"",
""description"": ""AdminPolicy_2Mar1 description"",
""isActive"": true,
""isDraft"": false,
""isReadOnly"": false,
""condition"": """",
""permissions"": [
{
""id"": ""81b04f2a-d09a-4d2c-9377-991c5d586974"",
""name"": ""AdminPolicy_2Mar1 per root"",
""description"": """",
""consumer"": ""secretmanager"",
""actions"": [
""sm.node.list"",
""sm.node.create"",
""sm.secret.read""
],
""resources"": [
""/*""
],
""isInline"": true,
""isReadOnly"": false
}
],
""members"": {
""users"": [
{
""id"": ""gdjz92zquajbqpec41d6"",
""name"": ""nitishag""
}
]
},
""accessType"": ""allow""
}
'3. Get Policy Details
This GET method returns details of a policy specified by <policy_id>.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.read.
| GET | {{url}}/api/v1/policy-admin/policies/<policy_id> |
Request Parameters
The request parameters used in this method are shown in the following table:
| Parameter | Description | Data Type | Required |
compactResponse | The API returns a lesser details in permission, members fields of policy. | Boolean | Optional |
conditionJson | The condition is returned as JSON when TRUE otherwise condition is returned as a string. | Boolean | Optional |
Request Example
curl -X GET '{{url}}/api/v1/policy-admin/policies/<policy_id>' -H 'Authorization: Bearer <token>'Response Example
{
"id": "f4e023b0-2521-4761-82c9-04d49a8f7fb4",
"name": "Reg_policy_14apr",
"description": "updated on 14 april 12:13",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.12\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-04-18 00:00:00\",\"toDate\":\"2023-04-25 00:00:00\",\"timezone\":\"Pacific/Pago_Pago\"},\"daysSchedule\":{\"fromTime\":\"19:00:00\",\"toTime\":\"19:30:00\",\"timezone\":\"Pacific/Pago_Pago\",\"days\":[\"WEDNESDAY\",\"THURSDAY\",\"FRIDAY\"]}},\"approval\":{\"approvers\":{\"userIds\":[\"k9hv0lowfsg803spfijy\"]},\"validFor\":600,\"isValidForInDays\":false,\"timeToApprove\":60,\"notificationMedium\":\"51414376-e572-4a59-b9aa-b602fa99fb30\"}}",
"permissions": [
{
"id": "8f6ebf55-23d0-42a9-9f06-cea1dd97f452",
"name": "SMAdminPermission",
"description": "Administrative permission for \"Secret Manager\"",
"consumer": "secretmanager",
"actions": [
"authz.policy.create",
"authz.policy.delete",
"authz.policy.list",
"authz.policy.read",
"authz.policy.update",
"sm.key.rotate",
"sm.node.create",
"sm.node.delete",
"sm.node.list",
"sm.node.update",
"sm.passwordpolicy.create",
"sm.passwordpolicy.delete",
"sm.passwordpolicy.list",
"sm.passwordpolicy.read",
"sm.passwordpolicy.update",
"sm.secret.read",
"sm.secret.update",
"sm.secrettemplate.create",
"sm.secrettemplate.delete",
"sm.secrettemplate.list",
"sm.secrettemplate.read",
"sm.secrettemplate.update",
"sm.vault.create",
"sm.vault.delete",
"sm.vault.list",
"sm.vault.read",
"sm.vault.update"
],
"resources": [
"*"
],
"isInline": false,
"isReadOnly": true
},
{
"id": "7dc6a468-4692-4959-adfd-d24d92d69b29",
"name": "SMAuditorPermission",
"description": "View permission for \"Secret Manager\"",
"consumer": "secretmanager",
"actions": [
"authz.policy.list",
"authz.policy.read",
"sm.node.list",
"sm.passwordpolicy.list",
"sm.passwordpolicy.read",
"sm.secrettemplate.list",
"sm.secrettemplate.read",
"sm.vault.list",
"sm.vault.read"
],
"resources": [
"*"
],
"isInline": false,
"isReadOnly": true
}
],
"members": {
"users": [
{
"id": "6tlwdvkw3548yeizrv2u",
"name": "vaishali21"
}
]
},
"accessType": "Allow"
}4. Get Policy with Entity Names
This GET method returns details of a policy for a specified <policy_name>.
Note: To execute this API, user should have permission assigned (through policy) with action as authz.policy.read.
| GET | {{url}}/api/v1/policy-admin/policies/<policy_name> |
Request Example
curl -X GET '{{url}}/api/v1/policy-admin/policies/<policy_name>' -H 'Authorization: Bearer <token>'Response Example
{
"id": "93f517cd-866e-4ec2-a7c6-d2a3f31f731c",
"name": "DocTestPolicy",
"description": "",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": "{\"ipAddress\":null,\"timeOfAccess\":null,\"approval\":null}",
"permissions": [
{
"id": "c46be179-f563-43fa-996e-6e50ef456865",
"name": "NewDocPolicy",
"description": "Permission testing",
"consumer": "secretmanager",
"actions": [
"sm.secret.read"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
}
],
"members": {
"users": [
{
"id": "x9xxsh8y3899jhw0qq1y",
"name": "userTest1"
}
]
},
"roles": [
{
"id": "16a5e509-fde5-4a46-9d26-c4d4b945defe",
"name": "SMAuditorRole",
"description": "Provides ability to view \"Secret Manager\"",
"permissions": [
{
"id": "d5fa6644-641f-426a-82b2-a3e7aa287cdb",
"name": "UserViewPermission",
"description": "View permission for \"Identity Management\".",
"consumer": "identity",
"actions": [
"identity.user.list",
"identity.user.view"
],
"resources": [
"*"
],
"isInline": false,
"isReadOnly": true
},
{
"id": "5a937d6f-1f55-4555-b02d-04645a3a0798",
"name": "NMAuditorPermission",
"description": "View permission for \"Notification Service\"",
"consumer": "notificationmanager",
"actions": [
"nm.channels.list",
"nm.notification.list",
"nm.notification.read",
"nm.notificationmetadata.list",
"nm.notificationmetadata.read"
],
"resources": [
"*"
],
"isInline": false,
"isReadOnly": true
},
{
"id": "cb428506-d6c9-4b84-996a-86aed5844a27",
"name": "SecurityViewPermission",
"description": "View permission for Security.",
"consumer": "securityadmin",
"actions": [
"securityadmin.security.list",
"securityadmin.security.view"
],
"resources": [
"*"
],
"isInline": false,
"isReadOnly": true
},
{
"id": "d1b4dc40-f91d-4fe6-adbf-c09ae479974b",
"name": "SMAuditorPermission",
"description": "View permission for \"Secret Manager\"",
"consumer": "secretmanager",
"actions": [
"authz.policy.list",
"authz.policy.read",
"sm.node.list",
"sm.node.read",
"sm.passwordpolicy.list",
"sm.passwordpolicy.read",
"sm.secret.list",
"sm.secret.read",
"sm.secrettemplate.list",
"sm.secrettemplate.read",
"sm.vault.list",
"sm.vault.read"
],
"resources": [
"*"
],
"isInline": false,
"isReadOnly": true
}
],
"isReadOnly": true
}
],
"resource": "/*",
"consumer": "secretmanager",
"accessType": "Allow"
}5. Get All Policies
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.
| GET | {{url}}/api/v1/policy-admin/policies |
Request Parameters
The request parameters used in this method are shown in the following table:
| Parameter | Description | Data Type | Required |
filter | The filter that can filter the list of actions based on the name of policies. The supported operators are 'eq', 'sw' and 'co'. An example format is given here: name eq TestRole | String | Optional |
pageToken | Autogenerated token for next page of records in case the results are more than one page. Append this token in requested API URL to access the next set of pages. | String | Optional |
Request Example
curl -X GET '{{url}}/api/v1/policy-admin/policies' -H 'Authorization: Bearer <token>'Response Example
| Status: 200 OK |
{
"result": [
{
"id": "0f8908f5-c1ab-4f32-b23b-323498d0c8ad",
"name": "NMAdminPolicy",
"description": "Grants administrative access to \"Notification Service\" module",
"isActive": false,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "28b35b0a-dcec-451d-9291-331d6414fbb5",
"name": "AuthzAdminPolicy",
"description": "Grants view access to \"Identity Management\" and Security modules and administrative access to \"Role and Policy Management\" module.",
"isActive": false,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "2f06ac6a-e5dd-4d34-8ed0-9741af1f8a9e",
"name": "TenantAuditorPolicy",
"description": "Grants view only access on the platform.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "73885bfe-7313-4b27-a4d8-0ba63067c19e",
"name": "SMAuditorPolicy",
"description": "Grants view access to \"Secret Manager\" module",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "93f7e80a-aaef-4845-be98-d3d45b81ceea",
"name": "SMAdminPolicy",
"description": "Grants administrative access to \"Secret Manager\" module",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "95c4fe32-883e-47e9-b997-09ccbeffcbb8",
"name": "TenantAdminPolicy",
"description": "Grants administrative access to all modules. Tenant Root user is part of this policy by default.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "c12f63df-241c-4e3b-83dd-a91d44ebaf08",
"name": "AuthzAuditorPolicy",
"description": "Grants view access to \"Identity Management\", Security and \"Role and Policy Management\" modules.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "c9abc144-754d-4e90-9e6a-7ac5362d77cc",
"name": "NMAuditorPolicy",
"description": "Grants view access to \"Notification Service\" module",
"isActive": false,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
{
"id": "cdd7ae04-1c6e-4909-a0f0-ab3b68bdb522",
"name": "TenantSCIMPolicy",
"description": "Grants administrative access for SCIM tokens, to the \"Identity Management\" component.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"accessType": "Allow"
},
],
"pagination": {
"next": "",
"prev": ""
}
}6. Delete Policy
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.delete.
| DELETE | {{url}}/api/v1/policy-admin/policies/<policy_id> |
curl -X DELETE {{url}}/api/v1/policy-admin/policies/<policy_id>' -H 'Authorization: Bearer <token>'Response Example
| Status:204 No Content |
7. Delete Policy with entity name
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.delete.
| DELETE | {{url}}/api/v1/policy-admin/policies/<policy_name> |
curl -X DELETE {{url}}/api/v1/policy-admin/policies/<policy_name>' -H 'Authorization: Bearer <token>'Response Example
| Status:204 No Content |
8. Update Policy
Note: To execute this API, user should have permission assigned (through policy) with action as authz.policy.update.
| PATCH | {{url}}api/v1/policy-admin/policies/<policy_name> |
curl -X PATCH ‘{{url}}/api/v1/policy-admin/policies/<policy_name>'
-H 'Authorization: Bearer <token>' -H 'content-type: application/json'
-d
'{
"id": "f4e023b0-2521-4761-82c9-04d49a8f7fb4",
"name": "Reg_policy_14apr",
"description": "updated on 14 april 12:13",
"members": {
"users": [
{
"id": "6tlwdvkw3548yeizrv2u"
}
],
"tags": [],
"tokens": [],
"serviceIdentities": []
},
"permissions": [
{
"id": "8f6ebf55-23d0-42a9-9f06-cea1dd97f452"
},
{
"id": "7dc6a468-4692-4959-adfd-d24d92d69b29"
}
],
"roles": [],
"isActive": true,
"condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.12\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-04-18 00:00:00\",\"toDate\":\"2023-04-25 00:00:00\",\"timezone\":\"Pacific/Pago_Pago\"},\"daysSchedule\":{\"fromTime\":\"19:00:00\",\"toTime\":\"19:30:00\",\"timezone\":\"Pacific/Pago_Pago\",\"days\":[\"WEDNESDAY\",\"THURSDAY\",\"FRIDAY\"]}},\"approval\":{\"notificationMedium\":\"51414376-e572-4a59-b9aa-b602fa99fb30\",\"timeToApprove\":60,\"validFor\":600,\"isValidForInDays\":false,\"approvers\":{\"userIds\":[\"k9hv0lowfsg803spfijy\"]}}}",
"isDraft": false
}'Response Example
| Status:204 No Content |
9. Update Policy with Entity Name
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.update.
| PATCH | {{url}}api/v1/policy-admin/policies/<id> |
curl -X PATCH ‘{{url}}/api/v1/policy-admin/policies/<id>'
-H 'Authorization: Bearer <token>' -H 'content-type: application/json'
-d
'{
"name": "vaultAdminPolicy",
"description": "Vault Admin Policy",
"permissions" : [{ "id": "permission_1"}, {"id": "permission_2"}],
"roles": [{ "id": "role_1"}, {"id": "role_2"}],
"accessType": "Allow",
"members":
{
"tags": [ "group1"],
"tokens": ["hytrdsakjdksdks"],
"users": ["user1"]
},
"condition": "{\"ipAddress\": \"10.10.25.11,10.10.25.12,0.0.0.0/8\", \"timeOfAccess\": {\"from\": \"2021-10-06 16:00:00\", \"to\": \"2021-10-06 19:00:00\"}, \"approval\": {\"approvers\": \"user1\", \"timeout\": 15}}",
"isActive": true,
"isDraft": false
}'Response Example
| Status:204 No Content |
Was this article helpful?
