Managing Permissions on OCI Users or Groups
Use the post /v1/cckm/oci/vaults/{id}/update-acls API to grant permissions to users or groups to perform specific actions on the OCI vaults. User ID and group are mutually exclusive – specify either.
For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted actions, keycreate, keyupload, and keydelete. Now, to permit one more action keyrestore to the user or group, set "permit":true and "actions": "keyrestore" and run the API. Similarly, now to deny permission to the action "keycreate", set "permit":false, "actions": "keycreate", and run the API.
Syntax
curl -k '<IP>/api/v1/cckm/oci/vaults/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "<group>",\n "actions": [\n "<action-1>", "<action-2>"\n ],\n "permit": <true|false>\n }\n ]\n}' --compressed
Here, {id} is the resource ID of the OCI vault on the CipherTrust Manager. Run the get /v1/cckm/oci/vaults API to view the resource ID (id) of the OCI vaults added to the CipherTrust Manager. Note that this resource id is different from the vault_id on OCI.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authentication token. |
| actions | array of strings | List of actions. Refer to Actions for details. |
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive - specify either. |
| permit | boolean | Whether to permit users to perform specific operations. Set to true to permit, false to deny. |
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
| APIs | Actions | Description |
|---|---|---|
| List | view | Permission to view vaults and their keys. |
| Create | keycreate | Permission to create OCI native keys. |
| Upload | keyupload | Permission to upload the CipherTrust Manager keys to OCI. |
| Schedule Deletion | keydelete | Permission for schedule deletion of keys. |
| Cancel Delete | keycanceldelete | Permission to cancel deletion of keys. |
| Restore | keyrestore | Permission to restore backed up keys to vaults. |
| Update (Edit key) | keyupdate | Permission to update keys, for example, editing properties, enabling/disabling keys, and editing tags. |
| Delete Backup | deletebackup | Permission to delete backups of OCI keys from the CCKM. |
| Rotate to Native Key | keyrotatetonative | Permission to rotate keys on OCI vaults natively. |
| Rotate to BYOK Key | keyrotatetobyok | Permission to rotate keys on OCI vaults using BYOK. |
| Synchronize | keysynchronize | Permission to synchronize OCI keys. |
| Cancel | keysynchronize | Permission to cancel synchronization jobs. |
| Remove | keyremove | Permission to remove OCI keys with their versions and backups from the CCKM. |
| List (HYOK Key) | viewhyokkey | Permission to view OCI HYOK keys. |
| Create (HYOK Key) | hyokkeycreate | Permission to create an OCI HYOK key. |
| Update (HYOK Key) | hyokkeyupdate | Permission to update an OCI HYOK key. |
| Block/Unblock (HYOK Key) | hyokkeyblockunblock | Permission to block/unblock an OCI HYOK key. |
| Delete (HYOK Key) | hyokkeydelete | Permission to delete an OCI HYOK key (applicable only to unlinked key). |
| Rotate (HYOK Key) | hyokkeyrotate | Permission to rotate a HYOK key in the CipherTrust Manager. |
| Create Report | reportcreate | Permission to create a report. |
| Delete Report | reportdelete | Permission to delete a report. |
| Download Report | reportdownload | Permission to download a report. |
| View Report | reportview | Permission to view the content of a report. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/oci/vaults/f3f71f32-a89f-4c0a-be14-44e324b38f63/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNTQ1ZjU0OS1iMDViLTQ2MWUtYmY4MC00NWI3ZjQxNmUwMjgiLCJzdWIiOiJsb2NhbHw3ODA0Y2QzOC01YWIyLTQ1MjktOTcwYi1hOTEyNzVmOTBkMzUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZjg1MDQ5ZmUtZGM4Ni00NDVhLWEwMTUtNGUyM2NkNTc4OGM2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjMzNWFjYjg0LTJjN2ItNGM1ZC1iMDIzLTgyOTQxNmZjYzUyZSIsImlhdCI6MTYzMzMzOTk4NywiZXhwIjoxNjMzMzQwMjg3fQ.wNxiuDp1f6ycODQUAPKtiyY-1wVzCkm6KjG5XYyUfh8' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "acls": [\n {\n "group": "CCKM Users",\n "actions": [\n "view"\n ],\n "permit": true\n }\n ]\n}' --compressed
Example Response
{
"id": "f3f71f32-a89f-4c0a-be14-44e324b38f63",
"uri": "kylo:kylo:cckm:oci-vault:f3f71f32-a89f-4c0a-be14-44e324b38f63",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T10:38:22.152433Z",
"updatedAt": "2022-01-11T07:41:56.757694505Z",
"compartment_id": "oraclevault.tenancyb2vg7audpd4d4mcf5zluymff6sq",
"display_name": "CCKM-Testing",
"vault_id": "oraclevaultabuwcljta35dmgypqud5hgd7ikl7pmfn7q6wogbigjryu4udtkinnkmyacrq",
"lifecycle_state": "ACTIVE",
"management_endpoint": "https://oraclevault.oraclecloud.com",
"time_created": "2021-12-07T11:50:37.691Z",
"cloud_name": "oci",
"connection": "OCI Connection",
"vault_type": "DEFAULT",
"wrappingkey_id": "oraclevaultabuwcljstmemqexx5cvev2bfitrlw6tqwqic7mgcbv7chsv7myhpnusyk3zq",
"defined_tags": {},
"freeform_tags": {
"tag-key-1": "tag-value-1",
"tag-key-2": "tag-value-2",
"testVault": "cckm"
},
"replication_id": "",
"is_primary": true,
"acls": [
{
"group": "CCKM Users",
"actions": [
"view"
]
}
]
}
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.