Granting Permissions to Users or Groups
Use the POST /v1/cckm/dsm/domains/{id}/update-acls API to grant users or groups permission to perform specified operations on a DSM domain on the CipherTrust Manager.
User ID and group are mutually exclusive; specify one or the other. For first-time users or groups, actions are permitted as configured by the CCKM administrator. To modify the permissions of a user or group later, for example to permit a new action or revoke an existing one, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted the actions keycreate and keyrefresh. To permit one more action, keydelete, for the user or group, set "permit": true and "actions": "keydelete", and run the API. Similarly, to deny permission for the action keycreate, set "permit": false and "actions": "keycreate", and run the API.
Refer to Actions for actions supported by different APIs.
Syntax
curl -k 'https://<IP>/api/v1/cckm/dsm/domains/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n    {\n      "group": "<group>",\n      "actions": [\n        "<action1>"\n      ],\n      "permit": <true|false>\n    }\n  ]\n}' --compressed
Here, {id} represents the ID of the DSM domain resource on the CipherTrust Manager. Refer to Adding DSM Domains to find out the resource ID of a domain.
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| acls | array of JSONs | Permissions to be granted to users and groups. Refer to ACLs for details. | 
ACLs
| Parameter | Type | Description | 
|---|---|---|
| actions | array of strings | List of actions. The actions can be: keycreate, keydelete, view, refresh. Refer to Actions for details. | 
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either. | 
| permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. | 
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. | 
Actions
The following table lists the accepted values:
| APIs | Actions | Description | 
|---|---|---|
| Create | keycreate | Permission to create DSM keys. | 
| Delete | keydelete | Permission to delete DSM keys. | 
| Refresh | refresh | Permission to refresh DSM domains. | 
| List | view | Permission to view DSM domains and their keys. | 
| Get (DSM domain keys) | view | Permission to view details of a DSM key. | 
| List (DSM domain) | view | Permission to view DSM domains and their keys. | 
| Get (DSM domain) | view | Permission to view details of a DSM domain. | 
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/dsm/domains/83d7b91f-2298-420e-b7a5-ce0dce07a6d9/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n    {\n      "group": "CCKM Users",\n      "actions": [\n        "view"\n      ],\n      "permit": true\n    }\n  ]\n}' --compressed
Example Response
{
    "id": "83d7b91f-2298-420e-b7a5-ce0dce07a6d9",
    "uri": "kylo:kylo:cckm:domain:83d7b91f-2298-420e-b7a5-ce0dce07a6d9",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-03-03T06:15:15.622119Z",
    "updatedAt": "2021-03-03T06:22:13.54186619Z",
    "dsm_params": {
        "id": 1769,
        "url": "/v1/domains/1769",
        "name": "testkeydomain",
        "adminType": "ALL_ADMIN",
        "kmipEnabled": false,
        "fingerprintRegistrationDisabled": false,
        "registrationTokenEnabled": false
    },
    "connection": "dsm-connection",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "view"
            ]
        }
    ],
    "synced_at": null,
    "description": "This domain is used for testing."
}
The output shows the updated permissions for the domain with ID 83d7b91f-2298-420e-b7a5-ce0dce07a6d9.
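The permit/deny procedure described at the top of this page can be planned before any request is sent. The following is an added example, not part of the original documentation or the product's own code: it reads a principal's current actions from a domain resource and builds the update-acls request bodies needed to reach a desired set, one with "permit": true for additions and one with "permit": false for revocations. The function names and the sample domain are constructed for illustration, and it assumes the "acls" list in the response reflects the principal's current permissions.

```python
import json

VALID_ACTIONS = {"keycreate", "keydelete", "view", "refresh"}  # Actions table values

def acl_entry(principal, actions, permit):
    """Build one ACL entry. principal is {"group": name} or {"user_id": id}."""
    if set(principal) not in ({"group"}, {"user_id"}):
        raise ValueError("specify exactly one of user_id or group")
    unknown = set(actions) - VALID_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    return {**principal, "actions": sorted(actions), "permit": permit}

def current_actions(domain, principal):
    """Read the actions a principal already holds from a domain resource."""
    (key, value), = principal.items()  # fails if both or neither key is given
    for acl in domain.get("acls", []):
        if acl.get(key) == value:
            return set(acl.get("actions", []))
    return set()

def plan_acl_update(domain, principal, desired):
    """Return update-acls request bodies that move principal to `desired`."""
    current, desired = current_actions(domain, principal), set(desired)
    bodies = []
    # Additions are sent with permit=true, revocations with permit=false.
    for actions, permit in ((desired - current, True), (current - desired, False)):
        if actions:
            bodies.append({"acls": [acl_entry(principal, actions, permit)]})
    return bodies

# Constructed sample: trimmed domain resource in the shape of the Example Response.
SAMPLE_DOMAIN = {
    "id": "83d7b91f-2298-420e-b7a5-ce0dce07a6d9",
    "acls": [{"group": "CCKM Users", "actions": ["keycreate", "view"]}],
}

if __name__ == "__main__":
    plan = plan_acl_update(SAMPLE_DOMAIN, {"group": "CCKM Users"}, {"view", "keydelete"})
    for body in plan:
        print(json.dumps(body, indent=2))  # each body is one --data-binary payload
```

Each returned body is sent as a separate call to the update-acls endpoint; reviewing the plan first makes revocations explicit rather than implied.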
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.