Granting Permissions to Users or Groups in a Google Cloud Project

Use the POST /v1/cckm/google/projects/{id}/update-acls API to grant users or groups permission to perform specified EKM ACL operations (actions) on a CCKM EKM cryptospace within a Google Cloud project. Identify the project by its Google project ID.

To use this API, you must have the role of a CCKM administrator or Domain administrator for the Google Cloud project.

By default, no user or user group is assigned in the EKM ACL. Access needs to be explicitly granted to the ACL. A user is required to be a member of the CCKM user group to have granular access in a Google project.

User ID and group are mutually exclusive: specify one or the other. As a CCKM or Domain administrator of a Google Cloud project, you configure which actions a user or group is permitted or denied to perform on a CCKM EKM cryptospace within the project. If the permissions of a user or group need to change after the initial configuration (for example, a new action is to be permitted or an existing action revoked), set "permit" to true or false for the given action and call the API again.

For example, a user or group is initially permitted the actions of cryptospacecreate, cryptospaceupdate, and cryptospacedelete. To update the actions permitted for the user or group to now permit one more action of cryptospaceblock, set "permit":true and "actions": "cryptospaceblock", and run the API. Similarly, to deny permission to the action of cryptospacecreate, set "permit":false, "actions": "cryptospacecreate", and run the API.

If cryptospaceview has not previously been granted as a permitted action in the ACL, this API adds it automatically when a user is granted any of the following permissions: cryptospacecreate, cryptospaceupdate, cryptospaceblock, cryptospaceunblock, cryptospacedelete, cryptospaceekmenable, or cryptospaceekmdisable. Conversely, if cryptospaceview is revoked, this API also revokes those permissions if they were previously granted in the ACL.

The granted permissions for a user or group in the given Google Cloud project are cumulative.
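The rules above (cumulative grants, permit true/false toggling, and the implicit cryptospaceview coupling) determine the ACL that results from a sequence of update-acls calls. The following Python helper is an added example, not CipherTrust Manager or CCKM code: it builds the request body this page documents and keeps a local model of the documented semantics so an operator can predict the resulting ACL before sending the request. The model, the walkthrough() function and the principal name "CCKM Users" are assumptions constructed for illustration; the action names come from the Actions table on this page.

```python
"""Helper for POST /v1/cckm/google/projects/{id}/update-acls.

Builds the documented request body and models the documented ACL semantics
locally. The model is an assumption derived from the page's description,
not CipherTrust Manager code.
"""
import json

# Accepted action names, taken from the Actions table on this page.
ACTIONS = frozenset({
    "cryptospacecreate", "cryptospaceupdate", "cryptospaceblock",
    "cryptospaceunblock", "cryptospacedelete", "cryptospaceview",
    "cryptospaceekmenable", "cryptospaceekmdisable",
})

# Granting any of these implicitly adds cryptospaceview; revoking
# cryptospaceview revokes all of them.
VIEW_DEPENDENT = ACTIONS - {"cryptospaceview"}


def acl_entry(actions, permit=True, group=None, user_id=None):
    """Build one element of the "acls" array, enforcing the documented constraints."""
    if (group is None) == (user_id is None):
        raise ValueError("specify exactly one of group or user_id")
    unknown = set(actions) - ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    entry = {"actions": sorted(set(actions)), "permit": bool(permit)}
    if group is not None:
        entry["group"] = group
    else:
        entry["user_id"] = user_id
    return entry


def update_acls_body(entries):
    """Serialize the request body for curl --data-binary."""
    return json.dumps({"acls": list(entries)}, indent=2)


def apply_update(current, entries):
    """Return the ACL state after applying entries, per the documented rules.

    current maps a principal (group name or user ID) to its set of permitted
    actions. Grants are cumulative; a denied action is removed.
    """
    state = {p: set(a) for p, a in current.items()}
    for e in entries:
        principal = e.get("group", e.get("user_id"))
        granted = state.setdefault(principal, set())
        requested = set(e["actions"])
        if e["permit"]:
            granted |= requested
            # Granting a view-dependent action implies cryptospaceview.
            if requested & VIEW_DEPENDENT:
                granted.add("cryptospaceview")
        else:
            granted -= requested
            # Revoking cryptospaceview revokes every action that depends on it.
            if "cryptospaceview" in requested:
                granted -= VIEW_DEPENDENT
    return {p: sorted(a) for p, a in state.items()}


def walkthrough():
    """Replay the page's worked example for a constructed group 'CCKM Users'."""
    group = "CCKM Users"  # constructed sample principal
    initial = apply_update({}, [acl_entry(
        ["cryptospacecreate", "cryptospaceupdate", "cryptospacedelete"],
        permit=True, group=group)])
    with_block = apply_update(initial, [acl_entry(
        ["cryptospaceblock"], permit=True, group=group)])
    without_create = apply_update(with_block, [acl_entry(
        ["cryptospacecreate"], permit=False, group=group)])
    return initial, with_block, without_create


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
    print(update_acls_body([acl_entry(["cryptospaceblock"], group="CCKM Users")]))
```

Running the walkthrough shows that the first grant already includes cryptospaceview even though it was not requested, and that denying cryptospacecreate later leaves the other grants untouched; the authoritative result is always the "acls" array returned by the API, so compare it against the predicted state after each call.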

Refer to Actions for the supported actions.

Refer to Google Cloud EKM APIs for more information about Google Cloud EKM Cryptospace APIs.

Syntax

curl -k '<IP>/api/v1/cckm/google/projects/{id}/update-acls' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary '{
  "acls": [
    {
      "group": "<group_name>",
      "actions": [
        "<action1>", "<action2>"
      ],
      "permit": <true|false>
    }
  ]
}' --compressed

Here, {id} represents the project ID of the Google Cloud project on the CipherTrust Manager.

Request Parameters

Parameter   Type            Description
AUTHTOKEN   string          Authorization token.
acls        array of JSONs  Permissions to be granted to users and groups. Refer to ACLs for details.

ACLs

Parameter   Type              Description
actions     array of strings  List of actions. Refer to Actions for the supported actions and details.
group       string            Name of the user group to be granted permissions. User ID and group are mutually exclusive. Specify either.
permit      boolean           Whether to permit users to perform specific operations. Set true to permit, false to deny.
user_id     string            ID of the user to be granted permissions. User ID and group are mutually exclusive. Specify either.

Actions

The following table lists the accepted values:

API                                 Action Required         Description
Create Cryptospace                  cryptospacecreate       Permission to create a cryptospace.
Update Cryptospace                  cryptospaceupdate       Permission to update the attributes of a cryptospace.
Block Cryptospace                   cryptospaceblock        Permission to block operations on EKM endpoints in a cryptospace.
Unblock Cryptospace                 cryptospaceunblock      Permission to unblock operations on EKM endpoints in a cryptospace.
Delete Cryptospace                  cryptospacedelete       Permission to delete a cryptospace.
Get Cryptospace                     cryptospaceview         Permission to view cryptospaces.
Enable Cryptospace EKM endpoints    cryptospaceekmenable    Permission to enable operations on EKM endpoints in a cryptospace.
Disable Cryptospace EKM endpoints   cryptospaceekmdisable   Permission to disable operations on EKM endpoints in a cryptospace.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/google/projects/a2ff0283-77ce-4194-968e-0661053cad4f/update-acls' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  -H 'accept: application/json' \
  --data-binary '{
  "acls": []
}' --compressed

Example Response

{
    "id": "03b24ef3-0078-4dbb-9444-a4242f992d69",
    "uri": "kylo:kylo:cckm:gcp-project:03b24ef3-0078-4dbb-9444-a4242f992d69",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-02-25T07:54:14.945148Z",
    "updatedAt": "2021-02-25T07:54:14.943021Z",
    "create_time": "2018-03-19T17:42:03.596Z",
    "lifecycle_state": "ACTIVE",
    "name": "cckm",
    "parent_id": "1234567891234",
    "parent_type": "folder",
    "project_id": "cckm-project",
    "project_number": "12345678912",
    "connection": "gcp-connection",
    "cloud_name": "gcp",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "cryptospaceview",
                "cryptospacecreate",
                "cryptospaceekmenable",
                "cryptospaceekmdisable"
            ]
        }
    ]
}

The output shows the permissions for the group CCKM Users for the Google Cloud project with ID 03b24ef3-0078-4dbb-9444-a4242f992d69.

Response Codes

Response Code   Description
2xx             Success
4xx             Client errors
5xx             Server errors

Refer to HTTP status codes for details.