Managing Permissions on SAP Users or Groups
Use the post /v1/cckm/sap/groups/{id}/update-acls API to grant permissions to users or groups to perform specific actions on the SAP groups. User ID and group are mutually exclusive – specify either.
For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted actions, keycreate, keyupload, and keydelete. Now, to permit one more action keyrestore to the user or group, set "permit":true and "actions": "keyrestore" and run the API. Similarly, now to deny permission to the action "keycreate", set "permit":false, "actions": "keycreate", and run the API.
Syntax
curl -k '<IP>/api/v1/cckm/sap/groups/{id}/update-acls' -X POST -H 'Authorization: AUTHTOKEN --compressed
Here, {id} is the resource ID of the SAP group.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authentication token. |
| actions | array of strings | List of actions. The actions can be: • keycreate • keyupload • keyrotate • keyupdate • view • deletebackup • keydelete • keypurge • keyrestore • keysynchronize • keyrotatetonative • keyrotatetobyok • keyremove Refer to Actions for details. |
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive - specify either. |
| permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. |
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
| APIs | Actions | Description |
|---|---|---|
| List | view | Permission to view groups and their keys. |
| Create | keycreate | Permission to create SAP native keys. |
| Upload | keyupload | Permission to upload the CipherTrust Manager keys to SAP. |
| Delete | keydelete | Permission to delete SAP keys. |
| Restore | keyrestore | Permission to restore backed up keys to groups. |
| Update(Edit key) | keyupdate | Permission to update keys, for example, editing properties, enabling/disabling keys, enabling/disabling key version, and editing labels. |
| Delete Backup | deletebackup | Permission to delete backups of SAP keys from the CCKM. |
| Rotate to Native Key | keyrotatetonative | Permission to rotate keys on SAP groups natively. |
| Rotate to BYOK Key | keyrotatetobyok | Permission to rotate keys on SAP groups using BYOK. |
| Synchronize | keysynchronize | Permission to synchronize SAP keys. |
| Cancel | keysynchronize | Permission to cancel synchronization jobs. |
| Remove | keyremove | Permission to remove SAP keys with their versions and backups from the CCKM. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/sap/groups/e4b2c2da-4226-4cd8-bbfa-b3ad7a7c05ea/update-acls' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNTQ1ZjU0OS1iMDViLTQ2MWUtYmY4MC00NWI3ZjQxNmUwMjgiLCJzdWIiOiJsb2NhbHw3ODA0Y2QzOC01YWIyLTQ1MjktOTcwYi1hOTEyNzVmOTBkMzUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZjg1MDQ5ZmUtZGM4Ni00NDVhLWEwMTUtNGUyM2NkNTc4OGM2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjMzNWFjYjg0LTJjN2ItNGM1ZC1iMDIzLTgyOTQxNmZjYzUyZSIsImlhdCI6MTYzMzMzOTk4NywiZXhwIjoxNjMzMzQwMjg3fQ.wNxiuDp1f6ycODQUAPKtiyY-1wVzCkm6KjG5XYyUfh8' --compressed
Example Response
{
"application/json":{
"id":"ce0ffe4b-fbda-4e87-88af-4b9b4e6484f9",
"uri":"kylo:kylo:cckm:sfdc-organization:ce0ffe4b-fbda-4e87-88af-4b9b4e6484f9",
"account":"kylo:kylo:admin:accounts:kylo",
"application":"ncryptify:gemalto:admin:apps:kylo",
"devAccount":"ncryptify:gemalto:admin:accounts:gemalto",
"createdAt":"2021-08-25T04:30:47.915696Z",
"updatedAt":"2021-08-25T10:04:24.415596321Z",
"name":"orgnisation name",
"sfdc_org_id":"00DB000000012ABCDE",
"connection":"sfdc",
"cloud_name":"sfdc",
"organization_type":"Sandbox",
"refreshed_at":"2021-08-25T04:31:24.089748Z",
"acls":[
{
"user_id":"local|624b6c12-21d4-489a-ab8b-982f91f2f3aa",
"actions":[
"view",
"keydestroy"
]
},
{
"group":"CCKM Users",
"actions":[
"view"
]
}
]
}
}
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.