How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I maintain relationships for a managed user in IDM (All versions) using REST Patch operations?

Last updated Jun 30, 2021

The purpose of this article is to provide information on maintaining relationships for a managed user in IDM using REST Patch operations (add, replace and remove). This applies to all any-to-many relationships such as roles or members.


Adding relationships

You can add relationships to a managed user using the Patch operation in two ways: add a relationship to the user's existing list of relationships, or replace the user's existing list of relationships with a new value. Example curl commands for both methods are shown below.

The key differences between the curl commands used are:

  • for appending, the field value is "/field/-" and the array brackets [ ] are not needed for the value since the special hyphen construct is being used.
  • for replacing, the field value is "/field" and the array brackets [ ] are needed.

Add a relationship to the user's existing list of relationships

If you want to add a relationship to the user's existing list of relationships, you can use a curl command such as the following (this example updates the members field):

  • IDM 7 and later:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Accept-API-Version: resource=1.0" \
      -H "Content-Type: application/json" \
      -d '[
        {
          "operation": "add",
          "field": "/members/-",
          "value": {"_ref" : "managed/user/14786a13-33c3-42d4-aadd-675b072339ee"}
        }
      ]' \
      "http://localhost:8080/openidm/managed/role/employee"

  • Pre-IDM 7:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Content-Type: application/json" \
      -d '[
        {
          "operation": "add",
          "field": "/members/-",
          "value": {"_ref" : "managed/user/14786a13-33c3-42d4-aadd-675b072339ee"}
        }
      ]' \
      "http://localhost:8080/openidm/managed/role/employee"

Replace the user's existing list of relationships with a new value

If you want to replace the user's existing list of relationships with a new value, you would use a curl command such as the following (this example updates the roles field):

  • IDM 7 and later:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Accept-API-Version: resource=1.0" \
      -H "Content-Type: application/json" \
      -d '[
        {
          "operation": "replace",
          "field": "/roles",
          "value": [ {"_ref" : "managed/role/employee"} ]
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"

  • Pre-IDM 7:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Content-Type: application/json" \
      -d '[
        {
          "operation": "replace",
          "field": "/roles",
          "value": [ {"_ref" : "managed/role/employee"} ]
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"

Removing relationships

You can remove a relationship using the Patch operation.

The following examples update the roles field and remove the relationship from the array of relationships; you must include the entire relationship object in the value. See Create a Relationship Between Two Objects for further information on the relationship object and values.

  • IDM 7 and later:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Accept-API-Version: resource=1.0" \
      -H "Content-type: application/json" \
      -d '[
        {
          "operation" : "remove",
          "field" : "/roles",
          "value" : {
            "_ref": "managed/role/6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
            "_refResourceCollection": "managed/role",
            "_refResourceId": "6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
            "_refProperties": {
              "_id": "14786a13-33c3-42d4-aadd-675b072339ee",
              "_rev": "00000000baa999c1"
            }
          }
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"

  • IDM 6.x:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Content-type: application/json" \
      -d '[
        {
          "operation" : "remove",
          "field" : "/roles",
          "value" : {
            "_ref": "managed/role/6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
            "_refResourceCollection": "managed/role",
            "_refResourceId": "6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
            "_refProperties": {
              "_id": "14786a13-33c3-42d4-aadd-675b072339ee",
              "_rev": "00000000baa999c1"
            }
          }
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"

  • IDM 5:

    $ curl -X PATCH \
      -H "X-OpenIDM-Username: openidm-admin" \
      -H "X-OpenIDM-Password: openidm-admin" \
      -H "Content-type: application/json" \
      -d '[
        {
          "operation" : "remove",
          "field" : "/roles",
          "value" : {
            "_ref": "managed/role/6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
            "_refProperties": {
              "temporalConstraints": [],
              "_grantType": "",
              "_id": "14786a13-33c3-42d4-aadd-675b072339ee",
              "_rev": "00000000baa999c1"
            }
          }
        }
      ]' \
      "http://localhost:8080/openidm/managed/user/jdoe"
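
The three payload shapes described in "Adding relationships" and "Removing relationships", as an added Python example that is not part of the original article or ForgeRock's own code. It builds each PATCH body and, for remove, copies the entire stored relationship object so that the change touches exactly one entry. The helper names and SAMPLE_ROLES are assumptions; SAMPLE_ROLES is a constructed list whose first entry mirrors the IDM 7 remove example and whose second entry is invented.

```python
import json

# Constructed sample of a user's roles list, shaped like the relationship
# object in the IDM 7 remove example above; the second entry is invented.
SAMPLE_ROLES = [
    {"_ref": "managed/role/6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
     "_refResourceCollection": "managed/role",
     "_refResourceId": "6bf4701a-7579-43c4-8bb4-7fd6cac552a1",
     "_refProperties": {"_id": "14786a13-33c3-42d4-aadd-675b072339ee",
                        "_rev": "00000000baa999c1"}},
    {"_ref": "managed/role/employee",
     "_refResourceCollection": "managed/role",
     "_refResourceId": "employee",
     "_refProperties": {"_id": "constructed-id-0002", "_rev": "constructed-rev"}},
]

def append_op(field, ref):
    """Append: field ends in '/-' and the value is one object, not an array."""
    return {"operation": "add", "field": f"/{field}/-", "value": {"_ref": ref}}

def replace_op(field, refs):
    """Replace: bare field and an array value; the existing list is overwritten."""
    return {"operation": "replace", "field": f"/{field}",
            "value": [{"_ref": r} for r in refs]}

def remove_op(field, current, ref):
    """Remove: the value is the entire stored relationship object for `ref`."""
    matches = [rel for rel in current if rel.get("_ref") == ref]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {ref!r} in {field}, found {len(matches)}")
    rel = matches[0]
    missing = {"_id", "_rev"} - set(rel.get("_refProperties", {}))
    if missing:
        raise ValueError(f"relationship object incomplete, missing {sorted(missing)}")
    return {"operation": "remove", "field": f"/{field}", "value": rel}

def patch_body(*ops):
    """Serialise operations into the JSON array passed to curl -d."""
    return json.dumps(list(ops), indent=2)

if __name__ == "__main__":
    target = "managed/role/6bf4701a-7579-43c4-8bb4-7fd6cac552a1"
    print(patch_body(append_op("members", "managed/user/14786a13-33c3-42d4-aadd-675b072339ee")))
    print(patch_body(replace_op("roles", ["managed/role/employee"])))
    print(patch_body(remove_op("roles", SAMPLE_ROLES, target)))
```
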

You can also use the Delete operation as noted in Manipulate Roles Over REST and in the UI.

See Also

How do I remove elements of a string array using the REST Patch operation in IDM (All versions)?

Relationships Between Objects

Managed Users
