Entity - Role Based Access Control - Interrogates the Permission table in the database

Page version: 26, last updated:



Verb, Request, Notes, Permissions required
GET - single /Consumer/Permissions/{permissionId}

Gets permission details for the specified Permission ID.

Example Response
{
  "Id": 15,
  "SecurableId": null,
  "SecurableTypeId": 3,
  "SecurableTypeName": "ProductPackManagement",
  "RoleId": 1,
  "RoleName": "Global Administrators",
  "OperationId": 9,
  "OperationName": "Add",
  "Allowed": true,
  "CreatedTimestampUtc": "2016-05-17T09:49:59.41Z",
  "ModifiedTimestampUtc": "2016-05-17T09:49:59.41Z"
}
  • Read

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumer/Permissions/Role/{roleId}

Gets permission details for the specified Role ID.

Example Response
[
  {
    "SecurableId": null,
    "SecurableName": null,
    "SecurableTypeId": 3,
    "SecurableTypeName": "ProductPackManagement",
    "RoleId": 2,
    "RoleName": "Product Pack Administrators",
    "Allowed": true,
    "Operations": [
      {
        "PermissionId": 12,
        "OperationId": 9,
        "OperationName": "Add",
        "CreatedTimestampUtc": "2016-05-17T09:49:59.41Z",
        "ModifiedTimestampUtc": "2016-05-17T09:49:59.41Z"
      },
      {
        "PermissionId": 13,
        "OperationId": 8,
        "OperationName": "Delete",
        "CreatedTimestampUtc": "2016-05-17T09:49:59.41Z",
        "ModifiedTimestampUtc": "2016-05-17T09:49:59.41Z"
      },
      {
        "PermissionId": 14,
        "OperationId": 10,
        "OperationName": "Read",
        "CreatedTimestampUtc": "2016-05-17T09:49:59.41Z",
        "ModifiedTimestampUtc": "2016-05-17T09:49:59.41Z"
      }
    ]
  }
]
  • Read

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumer/Permissions/Principal/{accountName}

Gets permission details for the specified Account Name.

AccountName should be specified in Base64 encoding.

Example Response
[
  {
    "SecurableId": 11,
    "SecurableName": null,
    "SecurableTypeId": 1,
    "SecurableTypeName": "ProductPack",
    "RoleId": 9,
    "RoleName": "CM questions",
    "Allowed": true,
    "Operations": [
      {
        "PermissionId": 24,
        "OperationId": 3,
        "OperationName": "Questioner",
        "CreatedTimestampUtc": "2016-05-18T15:56:46.09Z",
        "ModifiedTimestampUtc": "2016-05-18T15:56:46.09Z"
      }
    ]
  }
]
  • Read

Returns Unauthorized (401) if user does not have the required permissions.

A user can request their own permissions.
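The grouped response shape returned by the Role and Principal requests can be flattened into one row per permission for an access review. The following is an added example, not code from the product or this page. It assumes UTF-8 as the byte encoding applied before Base64, treats Add and Delete as the operations a reviewer wants flagged, and uses hypothetical function names and a constructed account name.

```python
import base64
import json

# Constructed sample in the grouped shape shown on this page: the Principal
# example entry plus the Role example entry, trimmed to the fields used here.
SAMPLE = json.loads("""[
  {"SecurableId": 11, "SecurableTypeName": "ProductPack",
   "RoleName": "CM questions", "Allowed": true,
   "Operations": [{"PermissionId": 24, "OperationName": "Questioner"}]},
  {"SecurableId": null, "SecurableTypeName": "ProductPackManagement",
   "RoleName": "Product Pack Administrators", "Allowed": true,
   "Operations": [{"PermissionId": 12, "OperationName": "Add"},
                  {"PermissionId": 13, "OperationName": "Delete"},
                  {"PermissionId": 14, "OperationName": "Read"}]}
]""")

# Assumption for this review: these operation names change state.
MODIFYING = {"Add", "Delete"}


def principal_path(account_name, text_encoding="utf-8"):
    """Request path with the account name Base64-encoded, as the page requires.
    The byte encoding applied before Base64 (UTF-8 here) is an assumption."""
    token = base64.b64encode(account_name.encode(text_encoding)).decode("ascii")
    return "/Consumer/Permissions/Principal/" + token


def flatten(entries):
    """One row per permission:
    (role, securable type, instance id, operation, permission id, allowed)."""
    rows = []
    for entry in entries:
        for op in entry.get("Operations") or []:
            rows.append((entry["RoleName"], entry["SecurableTypeName"],
                         entry["SecurableId"], op["OperationName"],
                         op["PermissionId"], entry["Allowed"]))
    return rows


def modifying_grants(rows):
    """Allowed rows whose operation is in MODIFYING, for a reviewer to confirm."""
    return [row for row in rows if row[5] and row[3] in MODIFYING]


if __name__ == "__main__":
    print(principal_path("ACME\\jdoe"))  # constructed account name
    for row in modifying_grants(flatten(SAMPLE)):
        print(row)
```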

GET /Consumer/Permissions/Securable/{typeId}

Gets permission details for the specified securable type.

  • Read

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumer/Permissions/Securable/{typeId}/{instanceId:int?}

Gets permission details for the specified securable type instance.

  • TypeID = SecurableTypeId from the Permissions table
  • InstanceID = SecurableId as displayed in the Permissions table and also the Questions ID from the QuestionsDefinition table
  • Read

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumer/Permissions/Role/{roleId}/Type/{securableTypeName}/{instanceId:int?}

Gets permission details for the specified role on a securable type instance.

  • roleId - role id
  • securableTypeName - securable type
  • instanceId - securable instance id (optional)
  • Read

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumer/Permissions/Principal/{accountName}/Type/{securableTypeName}/{instanceId:int?}

Gets permission details for the specified user account on a securable type instance.

  • accountName - user account
  • securableTypeName - securable type
  • instanceId - securable instance id (optional)
  • Read

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumer/Permissions/RBAC/Enabled

Returns true if RBAC is enabled on the server, otherwise false.

  • Unrestricted
GET /Consumer/Permissions/InstructionAccess/{instructionId}

Checks authorization of the calling user to access the specified instruction.

Returns true if the calling user has Viewer permission on the Product Pack that contains the instruction definition for the specified instruction, otherwise returns false.

  • Unrestricted
GET /Consumer/Permissions/InstructionAccess/{InstructionId}/{managementGroupId}

Minimum API version 8.0

Behaves like the previous API, /Consumer/Permissions/InstructionAccess/{instructionId}, if the new (optional) parameter added at the end is omitted. If it is provided, the result is filtered by the management group specified by this parameter.

  • Unrestricted
GET /Consumer/Permissions/Type/{securableType}/Operation/{operation}

Checks authorization of the calling user to perform the specified operation.

  • securableType - type of object for which permission is being tested
  • operation - operation on type/object for which permission is being tested
  • Unrestricted
GET /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{managementGroupId}

Minimum API version 8.0

Behaves like the previous API, /Consumer/Permissions/Type/{securableType}/Operation/{operation}, if the new (optional) parameter added at the end is omitted. If it is provided, the result is filtered by the management group specified by this parameter.

  • Unrestricted
GET /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{idProperty}/{id}

Checks authorization of the calling user to access the specified securable type instance.

  • securableType - type of object for which permission is being tested
  • operation - operation on type/object for which permission is being tested
  • idProperty - identification property of type/object
  • id - identification value
  • Unrestricted
GET /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{idProperty}/{id}/{managementGroupId}

Minimum API version 8.0

Behaves like the previous API, /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{idProperty}/{id}, if the new (optional) parameter added at the end is omitted. If it is provided, the result is filtered by the management group specified by this parameter.

  • Unrestricted
POST /Consumer/Permissions

Creates permissions in bulk.

  • Write

Returns Unauthorized (401) if user does not have the required permissions.

POST /Consumer/Permissions/single

Creates an individual permission.

Example Request
{
    "OperationName":"DummyOperation2",
    "SecurableTypeName":"MySecurableType",
    "RoleName":"Global Administrators",
    "Allowed":true
}
  • OperationName can be substituted by OperationId. These are mutually exclusive and only one can be used.
  • SecurableTypeName can be substituted by SecurableTypeId. These are mutually exclusive and only one can be used.
  • RoleName can be substituted by RoleId. These are mutually exclusive and only one can be used.
  • Write

Returns Unauthorized (401) if user does not have the required permissions.
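Because this request changes who can do what, a client-side check of the Name/Id exclusivity rules listed above is useful before sending it. The following is an added example, not code from the product or this page. The function name, the type checks, the requirement that one key of each pair is present, and the rejection of unknown keys are assumptions made for the example.

```python
# Name/Id pairs the page describes as mutually exclusive.
PAIRS = (
    ("OperationName", "OperationId"),
    ("SecurableTypeName", "SecurableTypeId"),
    ("RoleName", "RoleId"),
)
KNOWN_KEYS = {key for pair in PAIRS for key in pair} | {"Allowed"}

# The example request from this page.
PAGE_EXAMPLE = {
    "OperationName": "DummyOperation2",
    "SecurableTypeName": "MySecurableType",
    "RoleName": "Global Administrators",
    "Allowed": True,
}


def validate_permission_request(payload):
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    for name_key, id_key in PAIRS:
        name, ident = payload.get(name_key), payload.get(id_key)
        if name is not None and ident is not None:
            problems.append(f"{name_key} and {id_key} are mutually exclusive")
        elif name is None and ident is None:
            # Assumption: one key of each pair must be supplied.
            problems.append(f"one of {name_key} or {id_key} is required")
        elif name is not None and not (isinstance(name, str) and name.strip()):
            problems.append(f"{name_key} must be a non-empty string")
        elif ident is not None and (isinstance(ident, bool)
                                    or not isinstance(ident, int)):
            problems.append(f"{id_key} must be an integer")
    # Assumption: Allowed is a JSON boolean, as in the example request.
    if not isinstance(payload.get("Allowed"), bool):
        problems.append("Allowed must be true or false")
    # Assumption: reject keys that the example request does not use.
    for key in sorted(set(payload) - KNOWN_KEYS):
        problems.append(f"unexpected key {key}")
    return problems


if __name__ == "__main__":
    print(validate_permission_request(PAGE_EXAMPLE))
    print(validate_permission_request(dict(PAGE_EXAMPLE, RoleId=1)))
```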

DELETE /Consumer/Permissions/{permissionId}

Deletes a permission by id.


  • Write

Returns Unauthorized (401) if user does not have the required permissions.

GET /Consumers/Permissions/ProductPack/{operation}

REMOVED IN 3.1

Checks if the calling user has the given permission on any product pack.

None
GET /Consumer/Permissions/InstructionSet/{operation}

Minimum API version 3.1

Checks if the calling user has the given permission on any instruction set.

GET /Consumer/Permissions/InstructionSet/{operation}/{managementGroupId}

Minimum API version 8.0

Behaves like the previous API, /Consumer/Permissions/InstructionSet/{operation}, if the new (optional) parameter added at the end is omitted. If it is provided, the result is filtered by the management group specified by this parameter.

GET /Consumer/Permissions/{id}/ManagementGroups

Minimum API version 3.3

Returns Management Groups linked to given permission

Obsolete as of API version 8.0. Provided for backwards compatibility. Returns results by joining Permissions to Management Groups through the PrincipalRoleManagementGroup table, which may not match exactly the results returned by the previous version of the API.

Requires 'Read' on Security
POST /Consumer/Permissions/{permissionId}/ManagementGroups/{managementGroupId}

Minimum API version 3.3

Links given Management Group to given Permission.

  • permissionId - Id of the Permission
  • managementGroupId - Id of the Management Group

Return payload is empty.

Removed as of API version 8.0. Will return 405 if called. It cannot work anymore or be made backwards compatible in a sensible way because Management Groups are no longer linked to Permissions.

Requires 'Write' on Security
POST /Consumer/Permissions/ManagementGroups

Minimum API version 3.3

Links given Management Groups to given Permission

Sample Request payload
{
	"PermissionId": 1,
	"ManagementGroupIds": [1,2,3]
}

Return payload is empty.

Removed as of API version 8.0. Will return 405 if called. It cannot work anymore or be made backwards compatible in a sensible way because Management Groups are no longer linked to Permissions.

Requires 'Write' on Security
DELETE /Consumer/Permissions/{permissionId}/ManagementGroups/{managementGroupId}

Minimum API version 3.3

Removes the link between the given Management Group and the given Permission.

  • permissionId - Id of the Permission
  • managementGroupId - Id of the Management Group

Return payload is empty.

Removed as of API version 8.0. Will return 405 if called. It cannot work anymore or be made backwards compatible in a sensible way because Management Groups are no longer linked to Permissions.

Requires 'Write' on Security
DELETE /Consumer/Permissions/ManagementGroups

Minimum API version 3.3

Removes the links between the given Management Groups and the given Permission.

Sample Request payload
{
	"PermissionId": 1,
	"ManagementGroupIds": [1,2,3]
}

Return payload is empty.

Removed as of API version 8.0. Will return 405 if called. It cannot work anymore or be made backwards compatible in a sensible way because Management Groups are no longer linked to Permissions.

Requires 'Write' on Security
PUT /Consumers/Permissions/refresh

Forces internal permissions cache to be refreshed.

None
GET /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{idProperty}/{id}/UsableId/{managementGroupUsableId}

Minimum API version 8.0

Similar to /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{idProperty}/{id}/{managementGroupId} but accepting UsableId instead of regular Id

Checks authorization of the calling user to access the specified securable type instance
GET /Consumer/Permissions/Type/{securableType}/Operation/{operation}/UsableId/{managementGroupUsableId}

Minimum API version 8.0

Similar to /Consumer/Permissions/Type/{securableType}/Operation/{operation}/{managementGroupId:int?} but accepting UsableId instead of regular Id

Checks authorization of the calling user to access the specified securable type instance