Granting Permissions to Users or Groups
Use the post /v1/cckm/sfdc/organizations/{id}/update-acls API to grant permissions to users or groups to perform specified operations on a Salesforce organization on the CipherTrust Manager.
User ID and group are mutually exclusive – specify either. For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted actions, keycreate, keyupload, and keyimport. Now, to permit one more action keydestroy to the user or group, set "permit":true and "actions": "keydestroy" and run the API. Similarly, now to deny permission to the action keycreate, set "permit":false, "actions": "keycreate", and run the API.
Refer to Actions for actions supported by different APIs.
Syntax
curl -k '<IP>/api/v1/cckm/sfdc/organizations/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "<group>",\n "actions": [\n "<action-1>", "<action-2>"\n ],\n "permit": <true|false>\n }\n ]\n}' --compressed
Here, {id} represents the ID of the Salesforce organization resource on the CipherTrust Manager.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| acls | array of JSONs | Permissions to be granted to users and groups. Refer to ACLs for details. |
ACLs
| Parameter | Type | Description |
|---|---|---|
| actions | array of strings | List of actions. Refer to Actions for details. |
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either. |
| permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. |
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
| APIs | Actions | Description |
|---|---|---|
| Create | keycreate | Permission to create SFDC keys. |
| Upload | keyrotatetobyok | Permission to upload keys to SFDC. |
| Destroy key | keydestroynative | Permission to destroy native SFDC keys. |
| Destroy key | keydestroybyok | Permission to destroy BYOK SFDC keys. |
| Import | keyimportnative | Permission to import a destroyed native SFDC keys. |
| Import | keyimportbyok | Permission to import a destroyed byok SFDC keys. |
| Synchronize | keysynchronize | Permission to synchronize SFDC keyss. |
| Cancel | keysynchronize | Permission to cancel a synchronization job. |
| Update | keyupdate | Permission to updates cache only key attributes (certificate and named credential). |
| List | view | Permission to view SFDC keys. |
| Get (SFDC Keys) | view | Permission to get the details of an SFDC key with the given id. |
| List SFDC Organization | view | Permission to view SFDC organizations. |
| Get (SFDC Organizations) | view | Permission to get the details of SFDC Organization with given id. |
| Create cache only key endpoint | endpointcreate | Permission to create cache only key endpoint. |
| Update cache only key endpoint | endpointupdate | Permission to update cache only key endpoint. |
| Delete cache only key endpoint | endpointdelete | Permission to delete cache only key endpoint. |
| Activate cache only key | cacheonlykeyactivate | Permission to activate cache only key. |
| Upload cache only key | cacheonlykeyupload | Permission to upload cache only key. |
| Update cache only key | cacheonlykeyupdate | Permission to update cache only key. |
| Destroy cache only key | cacheonlykeydestroy | Permission to destroy cache only key. |
| Create certificate | certificatecreate | Permission to create certificate to be used to encrypt tenant secret. |
| Delete certificate | certificatedelete | Permission to delete certificate. |
| Synchronize certificate | certificatesync | Permission to synchronize certificate from SFDC to CM. |
| Delete Backup | deletebackupnative | Permission to deletes a SFDC native key backup from CCKM. |
| Delete Backup | deletebackupbyok | Permission to deletes a SFDC byok key backup from CCKM. |
| Create Report | reportcreate | Permission to create a report. |
| Delete Report | reportdelete | Permission to delete a report. |
| Download Report | reportdownload | Permission to download a report. |
| View Report | reportview | Permission to view the content of a report. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/sfdc/organizations/2473e846-31a8-4ee6-8299-17025548b4e2/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhOGY3N2IxZS1lOTY2LTQwMjEtODRjMC01YjZiNjAzMTBmOWEiLCJzdWIiOiJsb2NhbHwzM2Y5ZDFmNi04MjJiLTQ0NTItOGM4MC1mYzM0ZGYyZTI3OGQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNjcyMjMzMDAtYjU2ZC00ZmVmLTkwMDEtZGE1NGY2ZDdiMzY4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNkNWM4OWYzLTM1OWYtNGZmYS04ZTMyLWMxZjk0NTIyMWYzNiIsImlhdCI6MTYyMDE5NTY0NCwiZXhwIjoxNjIwMTk1OTQ0fQ.NAHcbm9TIB3YmVg-i_nfXf0-B0wMbAoXMSTaAJ-Ke-U' -H 'Content-Type: application/json' --data-binary $'{\n "acls": [\n {\n "group": "CCKM Users",\n "actions": [\n "view", "keycreate"\n ],\n "permit": true\n }\n ]\n}' --compressed
Example Response
{
"id": "2473e846-31a8-4ee6-8299-17025548b4e2",
"uri": "kylo:kylo:cckm:sfdc-organization:2473e846-31a8-4ee6-8299-17025548b4e2",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-07-22T09:21:07.019666Z",
"updatedAt": "2021-07-22T09:29:20.198938053Z",
"name": "Thales",
"organization_id": "00DB000000040bIMAQ",
"connection": "sfdc-connection",
"cloud_name": "sfdc",
"type": "Regular",
"acls": [
{
"group": "CCKM Users",
"actions": [
"view",
"keycreate"
]
}
]
}
The output shows the updated permissions for the Salesforce organization with ID 2473e846-31a8-4ee6-8299-17025548b4e2.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.