Entity - Role Based Access Control - Interrogates the PrincipalRoleManagementGroup table in the database

Page version: 1, last updated:


All the entries described below require at least API version 8.0.

Verb | Request | Notes | Permissions Required

GET /Consumer/PrincipalRoleManagementGroups

Gets all assignments that are visible to the invoking user.

Example data returned
[
    {
        "PrincipalId": 1,
        "RoleId": 1,
        "ManagementGroupId": 1,
        "CreatedTimestampUtc": "2021-04-15T11:25:49.423Z",
        "Principal": {
            "Id": 1,
            "ExternalId": "S-1-5-21-193489370-1251057138-4208286054-1234",
            "PrincipalName": "Domain\\User",
            "Email": null,
            "Enabled": true,
            "CreatedTimestampUtc": "2020-02-21T09:23:31.937Z",
            "ModifiedTimestampUtc": "2020-02-21T09:23:31.937Z",
            "SystemPrincipal": false,
            "DisplayName": "Alberto",
            "IsGroup": false
        },
        "Role": {
            "AssignedManagementGroupCount": 2,
            "HasAllDevicesManagementGroupAssigned": true,
            "AssignedPrincipalCount": 2,
            "Id": 1,
            "Name": "Global Administrators",
            "Description": "Has the combined rights of all the other system roles",
            "CreatedTimestampUtc": "2020-02-21T09:23:31.907Z",
            "ModifiedTimestampUtc": "2020-04-14T15:30:02.96Z",
            "SystemRole": true
        },
        "ManagementGroup": {
            "Id": 1,
            "Name": "All Devices",
            "Description": "All devices are members of this ManagementGroup",
            "Expression": null,
            "TachyonManagementGroupType": 0,
            "TachyonDeviceCount": -1,
            "UsableId": "global",
            "HashOfMembers": "global",
            "CreatedTimestampUtc": "2020-02-21T09:23:34.23Z",
            "ModifiedTimestampUtc": "2020-02-21T09:23:34.23Z",
            "ParentUsableId": null
        }
    },
    {
        ...etc...
    }
]

Requires 'Read' permission on the 'Security' securable type
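
A least-privilege review over rows shaped like the response above. This is an added example, not part of the product documentation; the sample rows are constructed, the function name and the choice of flags are assumptions, and "global" is taken to identify All Devices because that is its UsableId in the example data.

```python
from collections import defaultdict

# Constructed sample rows, trimmed to the fields the review reads.
# Values are invented for illustration.
ROWS = [
    {"PrincipalId": 1, "RoleId": 1, "ManagementGroupId": 1,
     "Principal": {"PrincipalName": "Domain\\User", "Enabled": True, "IsGroup": False},
     "Role": {"Name": "Global Administrators", "SystemRole": True},
     "ManagementGroup": {"Name": "All Devices", "UsableId": "global"}},
    {"PrincipalId": 2, "RoleId": 10, "ManagementGroupId": 5,
     "Principal": {"PrincipalName": "Domain\\Leaver", "Enabled": False, "IsGroup": False},
     "Role": {"Name": "Custom Role", "SystemRole": False},
     "ManagementGroup": {"Name": "Lab", "UsableId": "lab"}},
    {"PrincipalId": 3, "RoleId": 10, "ManagementGroupId": 1,
     "Principal": {"PrincipalName": "Domain\\Ops", "Enabled": True, "IsGroup": True},
     "Role": {"Name": "Custom Role", "SystemRole": False},
     "ManagementGroup": {"Name": "All Devices", "UsableId": "global"}},
]

def review_assignments(rows):
    """Return {PrincipalName: sorted review flags} for rows worth a second look."""
    flags = defaultdict(set)
    for row in rows:
        principal, role, group = row["Principal"], row["Role"], row["ManagementGroup"]
        name = principal["PrincipalName"]
        # Assumption: UsableId "global" marks the All Devices group, as in the sample data.
        if group.get("UsableId") == "global":
            flags[name].add(f"role '{role['Name']}' applies to all devices")
            if role.get("SystemRole"):
                flags[name].add("system role at global scope")
        if not principal.get("Enabled", True):
            flags[name].add("disabled principal still holds an assignment")
        if principal.get("IsGroup"):
            flags[name].add("group principal: review its membership too")
    return {name: sorted(found) for name, found in flags.items()}

if __name__ == "__main__":
    for name, found in review_assignments(ROWS).items():
        print(name, "->", "; ".join(found))
```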


GET /Consumer/PrincipalRoleManagementGroups/Principal/Id/{principalId}

Gets all assignments for a Principal given by its Id

Requires 'Read' permission on the 'Security' securable type

GET /Consumer/PrincipalRoleManagementGroups/Principal/Name/{principalName}

Gets all assignments for a Principal given by its Name

Requires 'Read' permission on the 'Security' securable type

GET /Consumer/PrincipalRoleManagementGroups/Role/Id/{roleId}

Gets all assignments for a Role given by its Id

Requires 'Read' permission on the 'Security' securable type

GET /Consumer/PrincipalRoleManagementGroups/Role/Name/{roleName}

Gets all assignments for a Role given by its Name

Requires 'Read' permission on the 'Security' securable type

GET /Consumer/PrincipalRoleManagementGroups/ManagementGroup/Id/{managementGroupId}/{includeInherited}

Gets all assignments for a Management Group given by its Id

The optional parameter includeInherited is a true/false value (defaults to false if not provided in the query string) that determines whether the results will include assignments that are not explicitly provided for the given Management Group, but rather are inferred from the Management Group's inheritance tree. A property called IsInherited is returned in every row to indicate whether the row is inferred from inheritance or is an actual explicit assignment.

Requires 'Read' permission on the 'Security' securable type

GET /Consumer/PrincipalRoleManagementGroups/ManagementGroup/UsableId/{usableId}/{includeInherited}

Gets all assignments for a Management Group given by its UsableId

The optional parameter includeInherited is a true/false value (defaults to false if not provided in the query string) that determines whether the results will include assignments that are not explicitly provided for the given Management Group, but rather are inferred from the Management Group's inheritance tree. A property called IsInherited is returned in every row to indicate whether the row is inferred from inheritance or is an actual explicit assignment.

Requires 'Read' permission on the 'Security' securable type

POST /Consumer/PrincipalRoleManagementGroups

Adds multiple assignments, ignoring any already existing entries.

Returns a collection containing the newly created assignments.

Sample input
[
    { "PrincipalId":3, "RoleId": 10, "ManagementGroupId": 5 },
    { "PrincipalId":3, "RoleId": 10, "ManagementGroupId": 7 }
]

Requires 'Write' permission on the 'Security' securable type

PUT /Consumer/PrincipalRoleManagementGroups/Principal/Id/{principalId}

Replaces all current assignments for a Principal with the set supplied in the request. All entries in the set are assigned to the principal indicated in the query string. Any principal Id specified within the entries is ignored.

Example input body
[
    { "RoleId": 10, "ManagementGroupId": 5 },
    { "RoleId": 10, "ManagementGroupId": 7 }
]

Returns the newly created assignments.

Requires 'Write' permission on the 'Security' securable type
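
Because this PUT replaces every assignment the Principal holds, it is worth diffing the planned body against the current state before sending it. The preview below is an added example, not part of the product documentation; the function name and the sample data are constructed, and it assumes the current rows were fetched with GET /Consumer/PrincipalRoleManagementGroups/Principal/Id/{principalId}.

```python
# Constructed sample: current rows for principal 3 (trimmed to the id fields)
# and the body planned for the PUT.
CURRENT = [
    {"PrincipalId": 3, "RoleId": 10, "ManagementGroupId": 5},
    {"PrincipalId": 3, "RoleId": 10, "ManagementGroupId": 7},
    {"PrincipalId": 3, "RoleId": 2, "ManagementGroupId": 1},
]
PLANNED = [
    {"RoleId": 10, "ManagementGroupId": 5},
    {"PrincipalId": 4, "RoleId": 12, "ManagementGroupId": 7},
]

def preview_replace(principal_id, current_rows, planned_entries):
    """Show what a replace-all PUT for principal_id would add and remove."""
    current = {(r["RoleId"], r["ManagementGroupId"])
               for r in current_rows if r["PrincipalId"] == principal_id}
    planned, mismatched = set(), []
    for entry in planned_entries:
        # The endpoint ignores any PrincipalId inside an entry, so an entry
        # written for someone else is silently applied to principal_id.
        other = entry.get("PrincipalId")
        if other is not None and other != principal_id:
            mismatched.append(other)
        planned.add((entry["RoleId"], entry["ManagementGroupId"]))
    return {
        "added": sorted(planned - current),
        "removed": sorted(current - planned),
        "unchanged": sorted(current & planned),
        "mismatched_principal_ids": mismatched,
        # Body with PrincipalId stripped, matching the documented input shape.
        "body": [{"RoleId": r, "ManagementGroupId": m} for r, m in sorted(planned)],
    }

if __name__ == "__main__":
    for key, value in preview_replace(3, CURRENT, PLANNED).items():
        print(f"{key}: {value}")
```

Each pair is (RoleId, ManagementGroupId); a non-empty "removed" list or any mismatched PrincipalId is the cue to stop and recheck the body.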

PUT /Consumer/PrincipalRoleManagementGroups/Principal/Name/{principalName}

Like above, but the Principal that receives the assignments is specified by Name instead of by Id

Requires 'Write' permission on the 'Security' securable type

PUT /Consumer/PrincipalRoleManagementGroups/Role/Id/{roleId}

Replaces all current assignments for a Role with the set supplied in the request. All entries in the set must be for the same role.

Requires 'Write' permission on the 'Security' securable type

PUT /Consumer/PrincipalRoleManagementGroups/Role/Name/{roleName}

Like above, but the Role that receives the assignments is specified by Name instead of by Id

Requires 'Write' permission on the 'Security' securable type

PUT /Consumer/PrincipalRoleManagementGroups/ManagementGroup/Id/{Id}

Replaces all current assignments for a Management Group with the set supplied in the request. All entries in the set must be for the same MG.

Requires 'Write' permission on the 'Security' securable type

PUT /Consumer/PrincipalRoleManagementGroups/ManagementGroup/UsableId/{usableId}

Like above, but the Management Group that receives the assignments is specified by UsableId instead of by Id

Requires 'Write' permission on the 'Security' securable type

DELETE /Consumer/PrincipalRoleManagementGroups

Deletes multiple assignments, specified in the body of the request.

Input: takes an array of PrincipalRoleManagementGroup objects.


Requires 'Write' permission on the 'Security' securable type

DELETE /Consumer/PrincipalRoleManagementGroups/PrincipalId/{principalId}/RoleId/{roleId}/ManagementGroupId/{managementGroupId}

Deletes a single assignment, specified in the URL.

Requires 'Write' permission on the 'Security' securable type