Manipulate Roles Over REST and in the UI
These sections show the REST calls to create, read, update, and delete managed roles, and to grant roles to users. For information about using roles to provision users to external systems, see "Use Assignments to Provision Users".
Note that the easiest way to work with roles is to use the Admin UI.
To create a role, send a PUT or POST request to the /openidm/managed/role
context path. The following example creates a managed role named employee
:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --request POST \ --data '{ "name": "employee", "description": "Role granted to workers on the company payroll" }' \ "http://localhost:8080/openidm/managed/role?_action=create"
{ "_id": "5790220a-719b-49ad-96a6-6571e63cbaf1", "_rev": "0000000079c6644f", "name": "employee", "description": "Role granted to workers on the company payroll" }
This employee
role has no corresponding assignments. Assignments are what enables the provisioning logic to the external system. Assignments are created and maintained as separate managed objects, and are referred to within role definitions. For more information about assignments, see "Use Assignments to Provision Users".
To create a role through the Admin UI:
Select Manage > Role and select New Role on the Role List page.
Enter a name and description for the new role and select Save.
Optionally, select Temporal Constraint to restrict the role grant to a set time period or Condition to define a query filter that will allow the role to be granted to members dynamically.
For more information, see "Use Temporal Constraints to Restrict Effective Roles" and Grant Roles Dynamically.
To list all managed roles over REST, query the openidm/managed/role
endpoint. The following example shows the employee
role that you created in the previous example:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request GET \ "http://localhost:8080/openidm/managed/role?_queryFilter=true"
{ "result": [ { "_id": "5790220a-719b-49ad-96a6-6571e63cbaf1", "_rev": "0000000079c6644f", "name": "employee", "description": "Role granted to workers on the company payroll" } ], ... }
To display all configured managed roles in the Admin UI, select Manage > Role.
If you have a large number of roles, select Advanced Filter to build a more complex query filter to display only the roles you want.
You grant roles to users through the relationship mechanism. Relationships are essentially references from one managed object to another; in this case from a user object to a role object. For more information about relationships, see Relationships Between Objects.
You can grant roles statically or dynamically.
To grant a role statically, you must do one of the following:
Update the value of the user's
roles
property to reference the role.Update the value of the role's
members
property to reference the user.
For more information see To Grant Roles Statically.
Dynamic role grants use the result of a condition or script to update a user's list of roles. For more information, see Grant Roles Dynamically.
Grant a role to a user statically using the REST interface or the Admin UI as follows:
- Over REST
Use one of the following methods to grant a role to a user over REST:
Update the user's
roles
property to refer to the role.The following example grants the
employee
role (with ID5790220a-719b-49ad-96a6-6571e63cbaf1
) to user scarter:curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --request PATCH \ --data '[ { "operation": "add", "field": "/roles/-", "value": {"_ref" : "managed/role/5790220a-719b-49ad-96a6-6571e63cbaf1"} } ]' \ "http://localhost:8080/openidm/managed/user/scarter"
{ "_id": "scarter", "_rev": "000000003be825ce", "mail": "scarter@example.com", "givenName": "Steven", "sn": "Carter", "description": "Created By CSV", "userName": "scarter", "telephoneNumber": "1234567", "accountStatus": "active", "effectiveRoles": [ { "_ref": "managed/role/5790220a-719b-49ad-96a6-6571e63cbaf1" } ], "effectiveAssignments": [] }
Note that scarter's
effectiveRoles
attribute has been updated with a reference to the new role. For more information about effective roles and effective assignments, see "Effective Roles and Effective Assignments".When you update a user's existing roles array, use the
-
special index to add the new value to the set. For more information, see Set semantic arrays in "Patch Operation: Add".Update the role's
members
property to refer to the user.The following sample command makes scarter a member of the
employee
role:curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --request PATCH \ --data '[ { "operation": "add", "field": "/members/-", "value": {"_ref" : "managed/user/scarter"} } ]' \ "http://localhost:8080/openidm/managed/role/5790220a-719b-49ad-96a6-6571e63cbaf1"
{ "_id": "5790220a-719b-49ad-96a6-6571e63cbaf1", "_rev": "0000000079c6644f", "name": "employee", "description": "Role granted to workers on the company payroll" }
The
members
property of a role is not returned by default in the output. To show all members of a role, you must specifically request the relationship properties (*_ref
) in your query. The following example lists the members of theemployee
role (currently only scarter):curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request GET \ "http://localhost:8080/openidm/managed/role/5790220a-719b-49ad-96a6-6571e63cbaf1?_fields=*_ref,name"
{ "_id": "5790220a-719b-49ad-96a6-6571e63cbaf1", "_rev": "0000000079c6644f", "name": "employee", "assignments": [], "members": [ { "_ref": "managed/user/scarter", "_refResourceCollection": "managed/user", "_refResourceId": "scarter", "_refProperties": { "_id": "7ad15a7b-6806-487b-900d-db569927f56d", "_rev": "0000000075e09cbf" } } ] }
You can replace an existing role grant with a new one by using the
replace
operation in your patch request.The following command replaces scarter's entire
roles
entry (that is, overwrites any existing roles) with a single entry, the reference to theemployee
role (ID5790220a-719b-49ad-96a6-6571e63cbaf1
):curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --request PATCH \ --data '[ { "operation": "replace", "field": "/roles", "value": [ {"_ref":"managed/role/5790220a-719b-49ad-96a6-6571e63cbaf1"} ] } ]' \ "http://localhost:8080/openidm/managed/user/scarter"
{ "_id": "scarter", "_rev": "00000000da112702", "mail": "scarter@example.com", "givenName": "Steven", "sn": "Carter", "description": "Created By CSV", "userName": "scarter", "telephoneNumber": "1234567", "accountStatus": "active", "effectiveRoles": [ { "_ref": "managed/role/5790220a-719b-49ad-96a6-6571e63cbaf1" } ], "effectiveAssignments": [] }
- Using the Admin UI
Use one of the following UI methods to grant a role to a user:
Update the user entry:
Select Manage > User and select the user to whom you want to grant the role.
Select the Provisioning Roles tab and select Add Provisioning Roles.
Select the role from the dropdown list and select Add.
Update the role entry:
Select Manage > Role and select the role that you want to grant.
Select the Role Members tab and select Add Role Members.
Select the user from the dropdown list and select Add.
Grant a role dynamically by using one of the following methods:
Use a condition, expressed as a query filter, in the role definition. If the condition is
true
for a particular member, that member is granted the role. Conditions can be used in both managed and internal roles.Use a custom script to define a more complex role-granting strategy.
A role that is granted based on a defined condition is called a conditional role. To create a conditional role, include a query filter in the role definition.
Important
Properties that are used as the basis of a conditional role query must be configured as searchable
and must be indexed in the repository configuration. To configure a property as searchable
, update the schema in your conf/managed.json
file. For more information, see "Create and Modify Object Types".
To create a conditional role by using the Admin UI, select Condition on the role Details page, then define the query filter that will be used to assess the condition.
To create a conditional role over REST, include the query filter as a value of the condition
property in the role definition. The following example creates a role, fr-employee
, that will be granted only to those users who live in France (whose country
property is set to FR
):
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --request POST \ --data '{ "name": "fr-employee", "description": "Role granted to employees resident in France", "condition": "/country eq \"FR\"" }' \ "http://localhost:8080/openidm/managed/role?_action=create"
{ "_id": "eb18a2e2-ee1e-4cca-83fb-5708a41db94f", "_rev": "000000004085704c", "name": "fr-employee", "description": "Role granted to employees resident in France", "condition": "/country eq \"FR\"" }
When a conditional role is created or updated, IDM automatically assesses all managed users, and recalculates the value of their roles
property, if they qualify for that role. When a condition is removed from a role, that is, when the role becomes an unconditional role, all conditional grants are removed. So, users who were granted the role based on the condition, have that role removed from their roles
property.
Caution
When a conditional role is defined in an existing data set, every user entry (including the mapped entries on remote systems) must be updated with the assignments implied by that conditional role. The time that it takes to create a new conditional role is impacted by the following items:
The number of managed users affected by the condition.
The number of assignments related to the conditional role.
The average time required to provision updates to all remote systems affected by those assignments.
In a data set with a very large number of users, creating a new conditional role can therefore incur a significant performance cost when you create it. Ideally, you should set up your conditional roles at the beginning of your deployment to avoid performance issues later.
The easiest way to grant roles dynamically is to use conditional roles, as described in Grant a Role Based on a Condition. If your deployment requires complex conditional logic that cannot be achieved with a query filter, you can create a custom script to grant the role, as follows:
Create a
roles
directory in your project'sscript
directory and copy the default effective roles script to that new directory:mkdir project-dir/script/roles/
cp /path/to/openidm/bin/defaults/script/roles/effectiveRoles.js project-dir/script/roles/
The new script will override the default effective roles script.
Modify the script to reference additional roles that have not been granted manually, or as the result of a conditional grant. The effective roles script calculates the grants that are in effect when the user is retrieved.
For example, the following addition to the
effectiveRoles.js
script grants the rolesdynamic-role1
anddynamic-role2
to all active users (managed user objects whoseaccountStatus
value isactive
). This example assumes that you have already created the managed roles,dynamic-role1
(with IDd2e29d5f-0d74-4d04-bcfe-b1daf508ad7c
) anddynamic-role2
(with ID709fed03-897b-4ff0-8a59-6faaa34e3af6
, and their corresponding assignments:// This is the location to expand to dynamic roles, // project role script return values can then be added via // effectiveRoles = effectiveRoles.concat(dynamicRolesArray); if (object.accountStatus === 'active') { effectiveRoles = effectiveRoles.concat([ {"_ref": "managed/role/d2e29d5f-0d74-4d04-bcfe-b1daf508ad7c"}, {"_ref": "managed/role/709fed03-897b-4ff0-8a59-6faaa34e3af6"} ]); }
Note
For conditional roles, the user's roles
property is updated if the user meets the condition. For custom scripted roles, the user's effectiveRoles
property is calculated when the user is retrieved, and includes the dynamic roles according to the custom script.
If you make any of the following changes to a scripted role grant, you must perform a manual reconciliation of all affected users before assignment changes will take effect on an external system:
If you create a new scripted role grant.
If you change the definition of an existing scripted role grant.
If you change any of the assignment rules for a role that is granted by a custom script.
To query user roles over REST, query the user's roles
property. The following example shows that scarter has been granted two roles—an employee
role, and an fr-employee
role:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request GET \ "http://localhost:8080/openidm/managed/user/scarter/roles?_queryFilter=true&_fields=_ref/*,name"
{ "result": [ { "_id": "5a023862-654d-4d7f-b9d0-7c151b8dede5", "_rev": "00000000baa999c1", "_refResourceCollection": "managed/role", "_refResourceId": "b8783543-869a-4bd4-907e-9c1d89f826ae", "_refResourceRev": "0000000027a959cf", "name": "employee", "_ref": "managed/role/b8783543-869a-4bd4-907e-9c1d89f826ae", "_refProperties": { "_id": "5a023862-654d-4d7f-b9d0-7c151b8dede5", "_rev": "00000000baa999c1" } }, { "_id": "b281ffdf-477e-4211-a112-84476435bab2", "_rev": "00000000d612a248", "_refResourceCollection": "managed/role", "_refResourceId": "01ee6191-75d8-4d4b-9291-13a46592c57a", "_refResourceRev": "000000000cb0794d", "name": "fr-employee", "_ref": "managed/role/01ee6191-75d8-4d4b-9291-13a46592c57a", "_refProperties": { "_grantType": "conditional", "_id": "b281ffdf-477e-4211-a112-84476435bab2", "_rev": "00000000d612a248" } } ], ... }
Note that the fr-employee
role indicates a _grantType
of conditional
. This property indicates how the role was granted to the user. If no _grantType
is listed, the role was granted statically.
Querying a user's roles in this way does not return any roles that would be in effect as a result of a custom script, or of any temporal constraint applied to the role. To return a complete list of all the roles in effect at a specific time, query the user's effectiveRoles
property, as follows:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/managed/user/scarter?_fields=effectiveRoles"
Alternatively, to check which roles have been granted to a user, either statically or dynamically, look at the user's entry in the Admin UI:
Select Manage > User, then select the user whose roles you want to see.
Select the Provisioning Roles tab.
If you have a large number of managed roles, use the Advanced Filter option on the Role List page to build a custom query.
To remove a statically granted role from a user entry, do one of the following:
Update the value of the user's
roles
property to remove the reference to the role.Update the value of the role's
members
property to remove the reference to that user.
You can use both of these methods over REST, or use the Admin UI.
Important
A delegated administrator must use PATCH to add or remove relationships.
Roles that have been granted as the result of a condition can only be removed when the condition is changed or removed, or when the role itself is deleted.
- Over REST
Use one of the following methods to remove a role grant from a user:
DELETE the role from the user's
roles
property, including the reference ID (the ID of the relationship between the user and the role) in the delete request.The following example removes the
employee
role from user scarter. The role ID isb8783543-869a-4bd4-907e-9c1d89f826ae
, but the ID required in the DELETE request is the reference ID (5a023862-654d-4d7f-b9d0-7c151b8dede5
):curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request DELETE \ "http://localhost:8080/openidm/managed/user/scarter/roles/5a023862-654d-4d7f-b9d0-7c151b8dede5"
{ "_id": "5a023862-654d-4d7f-b9d0-7c151b8dede5", "_rev": "00000000baa999c1", "_ref": "managed/role/b8783543-869a-4bd4-907e-9c1d89f826ae", "_refResourceCollection": "managed/role", "_refResourceId": "b8783543-869a-4bd4-907e-9c1d89f826ae", "_refProperties": { "_id": "5a023862-654d-4d7f-b9d0-7c151b8dede5", "_rev": "00000000baa999c1" } }
PATCH the user entry to remove the role from the array of roles, specifying the value of the role object in the JSON payload.
Caution
When you remove a role in this way, you must include the entire object in the value, as shown in the following example:
curl \ --header "Content-type: application/json" \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request PATCH \ --data '[ { "operation" : "remove", "field" : "/roles", "value" : { "_ref": "managed/role/b8783543-869a-4bd4-907e-9c1d89f826ae", "_refResourceCollection": "managed/role", "_refResourceId": "b8783543-869a-4bd4-907e-9c1d89f826ae", "_refProperties": { "_id": "5a023862-654d-4d7f-b9d0-7c151b8dede5", "_rev": "00000000baa999c1" } } } ]' \ "http://localhost:8080/openidm/managed/user/scarter"
{ "_id": "scarter", "_rev": "000000007b78257d", "mail": "scarter@example.com", "givenName": "Steven", "sn": "Carter", "description": "Created By CSV", "userName": "scarter", "telephoneNumber": "1234567", "accountStatus": "active", "effectiveRoles": [ { "_ref": "managed/role/01ee6191-75d8-4d4b-9291-13a46592c57a" } ], "effectiveAssignments": [], "preferences": { "updates": false, "marketing": false }, "country": "France" }
DELETE the user from the role's
members
property, including the reference ID (the ID of the relationship between the user and the role) in the delete request.The following example first queries the members of the
employee
role, to obtain the ID of the relationship, then removes bjensen's membership from that role:curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request GET \ "http://localhost:8080/openidm/managed/role/b8783543-869a-4bd4-907e-9c1d89f826ae/members?_queryFilter=true"
{ "result": [ { "_id": "a5a4bf94-6425-4458-aae4-bbd6ad094f72", "_rev": "00000000c25d994a", "_ref": "managed/user/bjensen", "_refResourceCollection": "managed/user", "_refResourceId": "bjensen", "_refProperties": { "_id": "a5a4bf94-6425-4458-aae4-bbd6ad094f72", "_rev": "00000000c25d994a" } } ], ... }
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request DELETE \ "http://localhost:8080/openidm/managed/role/b8783543-869a-4bd4-907e-9c1d89f826ae/members/a5a4bf94-6425-4458-aae4-bbd6ad094f72"
{ "_id": "a5a4bf94-6425-4458-aae4-bbd6ad094f72", "_rev": "00000000c25d994a", "_ref": "managed/user/bjensen", "_refResourceCollection": "managed/user", "_refResourceId": "bjensen", "_refProperties": { "_id": "a5a4bf94-6425-4458-aae4-bbd6ad094f72", "_rev": "00000000c25d994a" } }
- Using the Admin UI
Use one of the following methods to remove a user's roles:
Select Manage > User and select the user whose role or roles you want to remove.
Select the Provisioning Roles tab, select the role that you want to remove, then select Remove Selected Provisioning Roles.
Select Manage > Role, and select the role whose members you want to remove.
Select the Role Members tab, select the member or members that that you want to remove, then select Remove Selected Role Members.
Delete a managed provisioning or authorization role over REST interface or by using the Admin UI.
To delete a role over the REST interface, simply delete that managed object. The following command deletes the employee
role created in the previous section:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request DELETE \ "http://localhost:8080/openidm/managed/role/b8783543-869a-4bd4-907e-9c1d89f826ae"
{ "_id": "b8783543-869a-4bd4-907e-9c1d89f826ae", "_rev": "0000000027a959cf", "privileges": [], "name": "employee", "description": "All employees" }
Note
You cannot delete a role that is currently granted to users. If you attempt to delete a role that is granted to a user (either over the REST interface, or by using the Admin UI), IDM returns an error. The following example attempts to remove a role that is still granted to a user:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request DELETE \ "http://localhost:8080/openidm/managed/role/01ee6191-75d8-4d4b-9291-13a46592c57a"
{ "code": 409, "reason": "Conflict", "message": "Cannot delete a role that is currently granted" }
To delete a role through the Admin UI, select Manage > Role, select the role you want to remove, then Delete Selected.