Use Privileges to Create a Delegated Administrator
You can use the IDM REST API to create an internal/role with privileges that grant access to attributes of object, array, and relationship type. You can then assign that role to a user, who acts as a delegated administrator and performs operations on those attributes using only their own credentials.
Use the following example to create a delegated administrator:
Note
If you want to experiment with delegated administrators in Postman, download and import this Postman collection.
First, create a managed role so that a role object exists when the delegated administrator later reads or assigns roles:
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "name": "testManagedRole",
    "description": "a managed role for test"
  }' \
  "http://localhost:8080/openidm/managed/role/testManagedRole"
{ "_id": "testManagedRole", "_rev": "00000000e0945865", "name": "testManagedRole", "description": "a managed role for test" }
Create the user psmith, who is referenced as the manager of the users created in the next step:
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "userName": "psmith",
    "sn": "Smith",
    "givenName": "Patricia",
    "mail": "psmith@example.com",
    "telephoneNumber": "082082082",
    "password": "Passw0rd"
  }' \
  "http://localhost:8080/openidm/managed/user/psmith"
{ "_id": "psmith", "_rev": "000000008fefe160", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "effectiveRoles": [], "effectiveAssignments": [] }
In this step, you'll create two users that carry each of the attribute types the privileges will cover:
- preferences (an object that is not a relationship)
- manager (a relationship to a single user)
- roles (an array of relationships)
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "userName": "scarter",
    "sn": "Carter",
    "givenName": "Steven",
    "mail": "scarter@example.com",
    "telephoneNumber": "082082082",
    "password": "Passw0rd",
    "preferences": { "updates": true, "marketing": false },
    "manager": { "_ref": "managed/user/psmith" },
    "roles": [ { "_ref": "managed/role/testManagedRole" } ]
  }' \
  "http://localhost:8080/openidm/managed/user/scarter"
{ "_id": "scarter", "_rev": "00000000a8d501f8", "userName": "scarter", "sn": "Carter", "givenName": "Steven", "mail": "scarter@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active", "effectiveRoles": [ { "_ref": "managed/role/testManagedRole" } ], "effectiveAssignments": [] }
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "userName": "jdoe",
    "sn": "Doe",
    "givenName": "John",
    "mail": "jdoe@example.com",
    "telephoneNumber": "082082082",
    "password": "Passw0rd",
    "preferences": { "updates": true, "marketing": false },
    "manager": { "_ref": "managed/user/psmith" },
    "roles": [ { "_ref": "managed/role/testManagedRole" } ]
  }' \
  "http://localhost:8080/openidm/managed/user/jdoe"
{ "_id": "jdoe", "_rev": "00000000b174fbd4", "userName": "jdoe", "sn": "Doe", "givenName": "John", "mail": "jdoe@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active", "effectiveRoles": [ { "_ref": "managed/role/testManagedRole" } ], "effectiveAssignments": [] }
Create the user bjensen. The internal/role with privileges is assigned to this user in a later step, which makes bjensen the delegated administrator:
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "userName": "bjensen",
    "sn": "Jensen",
    "givenName": "Barbara",
    "mail": "bjensen@example.com",
    "telephoneNumber": "082082082",
    "password": "Passw0rd"
  }' \
  "http://localhost:8080/openidm/managed/user/bjensen"
{ "_id": "bjensen", "_rev": "0000000022fae330", "userName": "bjensen", "sn": "Jensen", "givenName": "Barbara", "mail": "bjensen@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "effectiveRoles": [], "effectiveAssignments": [] }
This role will have the following privileges:
- A managed/user privilege with accessFlags for attributes of type "String", "boolean", and "number", and also for:
  - An object type that is not a relationship (preferences).
  - An object type that is a relationship (manager).
  - Array types that are relationships (roles, authzRoles, reports).
- A managed/role privilege for viewing details of the "roles" property of a managed user.
- An internal/role privilege for viewing the details of the "authzRoles" property of a managed user.
Note
You can populate the privilege filter field to apply a finer level of permissions for what a delegated administrator can see or do with certain objects. The filter field is omitted in this example, so each privilege applies to every object under its path. Note also that the managed/user privilege below grants DELETE and makes password and accountStatus writable; it is written to demonstrate the attribute types, not as a least-privilege template. In a real deployment, set a filter and mark as readOnly any attribute the delegate does not need to change.
For properties that are not relationships, such as preferences, you can't specify finer-grained permissions. For example, you can't set permissions on preferences/marketing.
Create the internal/role with these privileges:
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "name": "internal_role_with_object_array_and_relationship_privileges",
    "description": "an internal role that has privileges for object & array types and relationships",
    "privileges": [
      {
        "name": "managed_user_privilege",
        "path": "managed/user",
        "permissions": [ "VIEW", "CREATE", "UPDATE", "DELETE" ],
        "actions": [],
        "accessFlags": [
          { "attribute": "userName", "readOnly": false },
          { "attribute": "password", "readOnly": false },
          { "attribute": "givenName", "readOnly": false },
          { "attribute": "sn", "readOnly": false },
          { "attribute": "mail", "readOnly": false },
          { "attribute": "description", "readOnly": false },
          { "attribute": "accountStatus", "readOnly": false },
          { "attribute": "telephoneNumber", "readOnly": false },
          { "attribute": "postalAddress", "readOnly": false },
          { "attribute": "city", "readOnly": false },
          { "attribute": "postalCode", "readOnly": false },
          { "attribute": "country", "readOnly": false },
          { "attribute": "stateProvince", "readOnly": false },
          { "attribute": "preferences", "readOnly": false },
          { "attribute": "roles", "readOnly": false },
          { "attribute": "manager", "readOnly": false },
          { "attribute": "authzRoles", "readOnly": false },
          { "attribute": "reports", "readOnly": false }
        ]
      },
      {
        "name": "managed_role_privilege",
        "path": "managed/role",
        "permissions": [ "VIEW" ],
        "actions": [],
        "accessFlags": [
          { "attribute": "name", "readOnly": true },
          { "attribute": "description", "readOnly": true }
        ]
      },
      {
        "name": "internal_role_privilege",
        "path": "internal/role",
        "permissions": [ "VIEW" ],
        "actions": [],
        "accessFlags": [
          { "attribute": "name", "readOnly": true },
          { "attribute": "description", "readOnly": true },
          { "attribute": "authzMembers", "readOnly": true }
        ]
      }
    ]
  }' \
  "http://localhost:8080/openidm/internal/role/testInternalRole"
{ "_id": "testInternalRole", "_rev": "0000000079775d19", "name": "internal_role_with_object_array_and_relationship_privileges", "description": "an internal role that has privileges for object & array types and relationships", "temporalConstraints": null, "condition": null, "privileges": [ { "name": "managed_user_privilege", "path": "managed/user", "permissions": [ "VIEW", "CREATE", "UPDATE", "DELETE" ], "actions": [], "accessFlags": [ { "attribute": "userName", "readOnly": false }, { "attribute": "password", "readOnly": false }, { "attribute": "givenName", "readOnly": false }, { "attribute": "sn", "readOnly": false }, { "attribute": "mail", "readOnly": false }, { "attribute": "description", "readOnly": false }, { "attribute": "accountStatus", "readOnly": false }, { "attribute": "telephoneNumber", "readOnly": false }, { "attribute": "postalAddress", "readOnly": false }, { "attribute": "city", "readOnly": false }, { "attribute": "postalCode", "readOnly": false }, { "attribute": "country", "readOnly": false }, { "attribute": "stateProvince", "readOnly": false }, { "attribute": "preferences", "readOnly": false }, { "attribute": "roles", "readOnly": false }, { "attribute": "manager", "readOnly": false }, { "attribute": "authzRoles", "readOnly": false }, { "attribute": "reports", "readOnly": false } ] }, { "name": "managed_role_privilege", "path": "managed/role", "permissions": [ "VIEW" ], "actions": [], "accessFlags": [ { "attribute": "name", "readOnly": true }, { "attribute": "description", "readOnly": true } ] }, { "name": "internal_role_privilege", "path": "internal/role", "permissions": [ "VIEW" ], "actions": [], "accessFlags": [ { "attribute": "name", "readOnly": true }, { "attribute": "description", "readOnly": true }, { "attribute": "authzMembers", "readOnly": true } ] } ] }
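Before applying a privileges document like the one above, it is worth running it through a review script. The following is an added example, not part of the IDM documentation or product: it reads a role document of the shape shown above (the sample is a constructed, abbreviated copy of testInternalRole), flags the points the note above warns about (a missing filter, DELETE, and writable sensitive attributes), and produces a tightened copy. The set of "sensitive" attributes and the rules themselves are this example's assumptions, not IDM's own policy evaluation.

```python
import copy
import json

# Constructed input for this example: the three privileges from the
# testInternalRole definition, with the managed/user accessFlags
# abbreviated to the entries that exercise every rule below.
EXAMPLE_ROLE = {
    "name": "internal_role_with_object_array_and_relationship_privileges",
    "privileges": [
        {
            "name": "managed_user_privilege",
            "path": "managed/user",
            "permissions": ["VIEW", "CREATE", "UPDATE", "DELETE"],
            "actions": [],
            "accessFlags": [
                {"attribute": "userName", "readOnly": False},
                {"attribute": "password", "readOnly": False},
                {"attribute": "mail", "readOnly": False},
                {"attribute": "accountStatus", "readOnly": False},
                {"attribute": "preferences", "readOnly": False},
                {"attribute": "roles", "readOnly": False},
                {"attribute": "manager", "readOnly": False},
                {"attribute": "authzRoles", "readOnly": False},
                {"attribute": "reports", "readOnly": False},
            ],
        },
        {
            "name": "managed_role_privilege",
            "path": "managed/role",
            "permissions": ["VIEW"],
            "actions": [],
            "accessFlags": [
                {"attribute": "name", "readOnly": True},
                {"attribute": "description", "readOnly": True},
            ],
        },
        {
            "name": "internal_role_privilege",
            "path": "internal/role",
            "permissions": ["VIEW"],
            "actions": [],
            "accessFlags": [
                {"attribute": "name", "readOnly": True},
                {"attribute": "description", "readOnly": True},
                {"attribute": "authzMembers", "readOnly": True},
            ],
        },
    ],
}

# Attributes whose write access changes who can log in or which roles a
# user holds. This set is an assumption of the example, not an IDM constant.
SENSITIVE_WRITABLE = {"password", "accountStatus", "roles", "authzRoles"}
WRITE_PERMISSIONS = {"CREATE", "UPDATE"}


def audit_privileges(role):
    """Return (privilege name, finding) pairs for an internal/role document."""
    findings = []
    for priv in role.get("privileges", []):
        name = priv.get("name", "<unnamed>")
        path = priv.get("path", "?")
        perms = set(priv.get("permissions", []))
        flags = priv.get("accessFlags", [])
        writable = {f["attribute"] for f in flags if not f.get("readOnly", False)}

        if not priv.get("filter"):
            findings.append((name, f"no filter: applies to every object under {path}"))
        if "DELETE" in perms:
            findings.append((name, f"DELETE granted on {path}"))
        if perms & WRITE_PERMISSIONS:
            for attr in sorted(writable & SENSITIVE_WRITABLE):
                findings.append((name, f"sensitive attribute '{attr}' is writable"))
        elif writable:
            # readOnly:false on a VIEW-only privilege is dead configuration
            # that silently becomes live if UPDATE is added later.
            findings.append((name, "writable accessFlags on a VIEW-only privilege"))

        seen = [f["attribute"] for f in flags]
        dupes = sorted({a for a in seen if seen.count(a) > 1})
        if dupes:
            findings.append((name, f"duplicate accessFlags for {', '.join(dupes)}"))
    return findings


def tighten(role, keep_delete=False):
    """Copy the role with sensitive attributes read-only and DELETE dropped.

    Illustrative only: whether a delegate needs DELETE or password resets is
    a decision for the deployment, so keep_delete lets the caller opt out.
    """
    out = copy.deepcopy(role)
    for priv in out.get("privileges", []):
        if not keep_delete:
            priv["permissions"] = [p for p in priv.get("permissions", []) if p != "DELETE"]
        for flag in priv.get("accessFlags", []):
            if flag["attribute"] in SENSITIVE_WRITABLE:
                flag["readOnly"] = True
    return out


def blocking_findings(findings):
    """The subset of findings that should stop the role being applied as-is."""
    return [f for f in findings if "DELETE" in f[1] or "sensitive" in f[1]]


if __name__ == "__main__":
    for name, msg in audit_privileges(EXAMPLE_ROLE):
        print(f"{name}: {msg}")
    print(json.dumps(tighten(EXAMPLE_ROLE), indent=2))
```

Run against the sample, the audit reports the missing filter on all three privileges, DELETE on managed/user, and four writable sensitive attributes; the tightened copy keeps VIEW, CREATE and UPDATE on managed/user but makes password, accountStatus, roles and authzRoles read-only, and produces no blocking findings.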
Now assign the internal/role testInternalRole to the user bjensen by creating a relationship on the role's authzMembers property:
curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Content-Type: application/json" \
  --request POST \
  --data '{
    "_ref": "managed/user/bjensen",
    "_refProperties": {}
  }' \
  "http://localhost:8080/openidm/internal/role/testInternalRole/authzMembers?_action=create"
{ "_id": "732d3ab1-4319-41de-801b-80f4f4c97ef2", "_rev": "00000000e6dd99e0", "_ref": "managed/user/bjensen", "_refResourceCollection": "managed/user", "_refResourceId": "bjensen", "_refProperties": { "_id": "732d3ab1-4319-41de-801b-80f4f4c97ef2", "_rev": "00000000e6dd99e0" } }
You can now perform operations as the delegated administrator. The remaining requests authenticate as bjensen rather than openidm-admin; each succeeds only because a privilege in testInternalRole grants it.
Query all managed users, expanding each relationship with _fields=*,*_ref/*. The query results display all users' properties that are allowed by the privileges; for psmith, the reports array lists the two users whose manager is psmith:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --request GET \
  "http://localhost:8080/openidm/managed/user?_queryFilter=true&_pageSize=100&_fields=*,*_ref/*"
{ "result": [ { "_id": "psmith", "_rev": "000000008fefe160", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "reports": [ { "_ref": "managed/user/scarter", "_refResourceCollection": "managed/user", "_refResourceId": "scarter", "_refProperties": { "_id": "c4e296ba-b0bb-44b8-a3e5-8d7c1656cef2", "_rev": "00000000e6f694a4" }, "userName": "scarter", "sn": "Carter", "givenName": "Steven", "mail": "scarter@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active", "_rev": "00000000a8d501f8", "_id": "scarter" }, { "_ref": "managed/user/jdoe", "_refResourceCollection": "managed/user", "_refResourceId": "jdoe", "_refProperties": { "_id": "1e3dd17d-a540-4652-984a-60bd60e546d5", "_rev": "0000000066ee928d" }, "userName": "jdoe", "sn": "Doe", "givenName": "John", "mail": "jdoe@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active", "_rev": "00000000b174fbd4", "_id": "jdoe" } ], "manager": null, "roles": [], "authzRoles": [], "_notifications": [], "_meta": { "_ref": "internal/usermeta/0c15f08b-cf2e-4408-b302-4f46a40bf943", "_refResourceCollection": "internal/usermeta", "_refResourceId": "0c15f08b-cf2e-4408-b302-4f46a40bf943", "_refProperties": { "_id": "da3e2429-ae6f-4ea6-b5db-d3112f7c9d6a", "_rev": "00000000fd019b55" }, "_rev": "000000003d8f5ca1", "_id": "0c15f08b-cf2e-4408-b302-4f46a40bf943" } }, { "_id": "scarter", "_rev": "00000000a8d501f8", "userName": "scarter", "sn": "Carter", "givenName": "Steven", "mail": "scarter@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active", "reports": [], "manager": { "_ref": "managed/user/psmith", "_refResourceCollection": "managed/user", "_refResourceId": "psmith", "_refProperties": { "_id": "c4e296ba-b0bb-44b8-a3e5-8d7c1656cef2", "_rev": "00000000e6f694a4" }, "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "_rev": "000000008fefe160", "_id": "psmith" }, "roles": [ { "_ref": "managed/role/testManagedRole", "_refResourceCollection": "managed/role", "_refResourceId": "testManagedRole", "_refProperties": { "_id": "352d7864-3143-4c56-ae11-8f75c96e980a", "_rev": "00000000b9ef9689" }, "name": "testManagedRole", "description": "a managed role for test", "_rev": "00000000e0945865", "_id": "testManagedRole" } ], "authzRoles": [], "_notifications": [], "_meta": { "_ref": "internal/usermeta/6677aad2-def9-4507-9ea0-edd95da8da43", "_refResourceCollection": "internal/usermeta", "_refResourceId": "6677aad2-def9-4507-9ea0-edd95da8da43", "_refProperties": { "_id": "cc32ab82-084a-455c-bf97-3f2f2a71f848", "_rev": "00000000f4819bb6" }, "_rev": "0000000090ae5c88", "_id": "6677aad2-def9-4507-9ea0-edd95da8da43" } }, { "_id": "jdoe", "_rev": "00000000b174fbd4", "userName": "jdoe", "sn": "Doe", "givenName": "John", "mail": "jdoe@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active", "reports": [], "manager": { "_ref": "managed/user/psmith", "_refResourceCollection": "managed/user", "_refResourceId": "psmith", "_refProperties": { "_id": "1e3dd17d-a540-4652-984a-60bd60e546d5", "_rev": "0000000066ee928d" }, "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "_rev": "000000008fefe160", "_id": "psmith" }, "roles": [ { "_ref": "managed/role/testManagedRole", "_refResourceCollection": "managed/role", "_refResourceId": "testManagedRole", "_refProperties": { "_id": "a3f6be90-3009-4e87-af46-257306617bd9", "_rev": "00000000b8f69498" }, "name": "testManagedRole", "description": "a managed role for test", "_rev": "00000000e0945865", "_id": "testManagedRole" } ], "authzRoles": [], "_notifications": [], "_meta": { "_ref": "internal/usermeta/5b844d7e-c200-4b67-9fad-fa346740c79d", "_refResourceCollection": "internal/usermeta", "_refResourceId": "5b844d7e-c200-4b67-9fad-fa346740c79d", "_refProperties": { "_id": "42aa7cf0-6726-461b-92f9-1a22dab0b3c3", "_rev": "000000003aa1993e" }, "_rev": "000000003e4f5bba", "_id": "5b844d7e-c200-4b67-9fad-fa346740c79d" } }, { "_id": "bjensen", "_rev": "0000000022fae330", "userName": "bjensen", "sn": "Jensen", "givenName": "Barbara", "mail": "bjensen@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "reports": [], "manager": null, "roles": [], "authzRoles": [ { "_ref": "internal/role/testInternalRole", "_refResourceCollection": "internal/role", "_refResourceId": "testInternalRole", "_refProperties": { "_id": "732d3ab1-4319-41de-801b-80f4f4c97ef2", "_rev": "00000000e6dd99e0" }, "_id": "testInternalRole", "name": "internal_role_with_object_array_and_relationship_privileges", "description": "an internal role that has privileges for object & array types and relationships", "_rev": "0000000079775d19" } ], "_notifications": [], "_meta": { "_ref": "internal/usermeta/0fbeb220-5e95-42b4-9bdd-0464e23194d4", "_refResourceCollection": "internal/usermeta", "_refResourceId": "0fbeb220-5e95-42b4-9bdd-0464e23194d4", "_refProperties": { "_id": "cbdb3794-1629-424d-8d7a-9e9b0c93287f", "_rev": "000000002b5199f1" }, "_rev": "000000002fbc5b92", "_id": "0fbeb220-5e95-42b4-9bdd-0464e23194d4" } } ], "resultCount": 4, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }
Read the preferences object (a non-relationship object attribute) of a user:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --request GET \
  "http://localhost:8080/openidm/managed/user/jdoe?_fields=preferences"
{ "_id": "jdoe", "_rev": "00000000b174fbd4", "preferences": { "updates": true, "marketing": false } }
Query the roles relationship array of a user. The managed role's name and description are returned because the managed/role privilege grants VIEW on those attributes:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --request GET \
  "http://localhost:8080/openidm/managed/user/scarter/roles?_queryFilter=true&_fields=*"
{ "result": [ { "_id": "352d7864-3143-4c56-ae11-8f75c96e980a", "_rev": "00000000b9ef9689", "_refResourceCollection": "managed/role", "_refResourceId": "testManagedRole", "_refResourceRev": "00000000e0945865", "name": "testManagedRole", "description": "a managed role for test", "_ref": "managed/role/testManagedRole", "_refProperties": { "_id": "352d7864-3143-4c56-ae11-8f75c96e980a", "_rev": "00000000b9ef9689" } } ], "resultCount": 1, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }
Read the manager relationship (a single-valued relationship attribute) of a user:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --request GET \
  "http://localhost:8080/openidm/managed/user/scarter/manager?_fields=*"
{ "_id": "c4e296ba-b0bb-44b8-a3e5-8d7c1656cef2", "_rev": "00000000e6f694a4", "_refResourceCollection": "managed/user", "_refResourceId": "psmith", "_refResourceRev": "000000008fefe160", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active", "_ref": "managed/user/psmith", "_refProperties": { "_id": "c4e296ba-b0bb-44b8-a3e5-8d7c1656cef2", "_rev": "00000000e6f694a4" } }
Replace the reports relationship array of psmith so that only scarter remains (this also removes psmith as jdoe's manager, since reports and manager are the two ends of the same relationship). As in the PATCH responses that follow, relationship properties are not included in the returned object unless requested with _fields:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "Content-Type: application/json" \
  --request PATCH \
  --data '[
    {
      "operation": "replace",
      "field": "reports",
      "value": [ { "_ref": "managed/user/scarter" } ]
    }
  ]' \
  "http://localhost:8080/openidm/managed/user/psmith"
{ "_id": "psmith", "_rev": "000000008fefe160", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active" }
Add a manager relationship to jdoe:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "Content-Type: application/json" \
  --request PATCH \
  --data '[
    {
      "operation": "add",
      "field": "manager",
      "value": { "_ref": "managed/user/psmith" }
    }
  ]' \
  "http://localhost:8080/openidm/managed/user/jdoe"
{ "_id": "jdoe", "_rev": "00000000b174fbd4", "userName": "jdoe", "sn": "Doe", "givenName": "John", "mail": "jdoe@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active" }
Remove the manager relationship from jdoe:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "Content-Type: application/json" \
  --request PATCH \
  --data '[
    {
      "operation": "remove",
      "field": "manager"
    }
  ]' \
  "http://localhost:8080/openidm/managed/user/jdoe"
{ "_id": "jdoe", "_rev": "00000000b174fbd4", "userName": "jdoe", "sn": "Doe", "givenName": "John", "mail": "jdoe@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active" }
Replace the manager relationship of scarter, pointing it at jdoe instead of psmith:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "Content-Type: application/json" \
  --request PATCH \
  --data '[
    {
      "operation": "replace",
      "field": "manager",
      "value": { "_ref": "managed/user/jdoe" }
    }
  ]' \
  "http://localhost:8080/openidm/managed/user/scarter"
{ "_id": "scarter", "_rev": "00000000a8d501f8", "userName": "scarter", "sn": "Carter", "givenName": "Steven", "mail": "scarter@example.com", "telephoneNumber": "082082082", "preferences": { "updates": true, "marketing": false }, "accountStatus": "active" }
Delete a user. This is allowed only because the managed/user privilege includes the DELETE permission:
curl \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --request DELETE \
  "http://localhost:8080/openidm/managed/user/psmith"
{ "_id": "psmith", "_rev": "000000008fefe160", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active" }
Create a user (re-creating psmith after the delete above). With POST, the server assigns the _id, a generated UUID in the response:
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --request POST \
  --data '{
    "userName": "psmith",
    "sn": "Smith",
    "givenName": "Patricia",
    "mail": "psmith@example.com",
    "telephoneNumber": "082082082",
    "password": "Passw0rd"
  }' \
  "http://localhost:8080/openidm/managed/user"
{ "_id": "e5f6a856-9f3c-49fd-904c-c5f87004b682", "_rev": "000000004bbde938", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active" }
With PUT, the client chooses the _id. The If-None-Match: * header makes this a create-only request, so it fails rather than overwriting an object that already has that _id:
curl \
  --header "Content-Type: application/json" \
  --header "X-OpenIDM-Username: bjensen" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "If-None-Match: *" \
  --request PUT \
  --data '{
    "userName": "psmith",
    "sn": "Smith",
    "givenName": "Patricia",
    "mail": "psmith@example.com",
    "telephoneNumber": "082082082",
    "password": "Passw0rd"
  }' \
  "http://localhost:8080/openidm/managed/user/psmith"
{ "_id": "psmith", "_rev": "00000000658fe17a", "userName": "psmith", "sn": "Smith", "givenName": "Patricia", "mail": "psmith@example.com", "telephoneNumber": "082082082", "accountStatus": "active" }
Note
For more examples, including working with filters, see the Postman collection.
Note
All patches are done with a PATCH request. Delegated administrator operations do not currently support using POST actions for patch requests (POST _action=patch will not work).