Introduction

This section gives an overview of Tachyon role-based access control (RBAC), its components, and how to configure it. It is not intended as an in-depth explanation of what RBAC is, but as a demonstration of how it has been implemented in Tachyon and how users can configure it programmatically.

RBAC implementation in Tachyon has had a major rework in version 8.0. This page will highlight differences between 'old' and 'new' implementations.

The C# examples assume you're using the Tachyon Consumer SDK and have an instance of the Tachyon connector class in an object called connector. All SDK methods return the same class, ApiCallResponse. Inside the ApiCallResponse object you'll find a property called ReceivedObject, which holds the actual data received from the API.

In the following examples this detail is left out, stating that the returned object contains the data. For example, when we say that XYZ object contains certain data, this means the ReceivedObject property inside said object contains that data.



Basics of role based access control (RBAC)

Role-based access control is an access control mechanism defined around roles and privileges. This security model pivots around the concept of a Role. Users (called principals in Tachyon) can be assigned to a Role, and it is through a Role that they gain permissions to perform actions. Each element of Tachyon's security system leads back to a Role.

In Tachyon 8.0, a third element has been added - a Management Group. How it comes into play is described further down.

RBAC objects in Tachyon

Tachyon has several types of objects that are part of its RBAC system. This section serves as a brief description of these objects and their purpose.

Principals

Principals are identical to users. They're not called users because the word 'user' is traditionally associated with a person. A principal is, from a technical standpoint, an Active Directory account which may be a user account or a computer account. It can also be an AD group.

Tachyon allows access only to principals authenticated through Windows authentication and known to Tachyon itself. Depending on the request, Tachyon establishes the permissions of the calling principal by looking at the roles that principal is assigned to. By default, a fresh installation of Tachyon has a principal representing the user account installing it and another principal for the "NT AUTHORITY\Network Service", which many of Tachyon's services will be running as.

Roles

A Role is a container for Permissions, and all Permissions are linked to Roles.

Principals must have roles assigned to them before using the system.

Permissions

A permission is an ability to perform an operation on a securable type.

Securable Types

A Securable Type represents a type of object that can have permissions assigned to it. For example, Instructions can have permissions, as can Consumers and Management Groups. Security itself is an object that principals need permissions on in order to modify it, so it also has a Securable Type. If an element of Tachyon has security defined for it, it must have a Securable Type.

Instances

An Instance is one specific copy of an object of a given Securable Type. This can, for instance, be a single Instruction Set.

Most Permissions apply to a Securable Type as a whole: a Principal assigned a Permission on a given Securable Type can work with any object of that type. Some Securable Types also allow Permissions to be specified on just one given instance of a Securable Type object, giving more granular control over access to that Securable Type.

At the moment only InstructionSet securable type supports instances.

Operations

An Operation (also called Applicable Operation) represents the type of an action that can be performed on a securable type, like "Read" or "Write".

Management Group

A Management Group is a container for Devices. A Management Group can either define rules, which are then used to decide which Devices belong to a given group, or explicitly list the Devices that should belong to the Management Group.

While Management Groups are discussed in this article, they are not a focus of it and the nature of their creation and evaluation is covered elsewhere.

A Management Group can contain other Management Groups, with child Management Groups inheriting all rules of the parent and adding new ones, narrowing the device selection further with each level of nesting.

Permissions are inherited throughout the Management Group structure. This means that, for RBAC purposes, having Permissions on a Management Group means automatically having the same Permissions on any and all children of that Management Group.

Example of how to read permissions

Marc (Principal) through his Global Questioners (Role) has Questioner (Applicable Operation) permission on Instructions (Securable type) assigned on USA-Engineering (Management Group).

A Principal will have a specific permission on given securable type through a role the principal belongs to. This is the only way principals can obtain permissions and permissions are always for a specific operation on a given type.

To establish the full permission set of a given principal you have to combine all permissions from all the roles assigned to that principal.

Changes introduced in Tachyon version 8.0

There are two main changes introduced in version 8.0. The first is the very mechanism by which a User is assigned to a Role, and the second is the concept of delegation. There are, however, other, auxiliary concepts and changes that we will cover in this section.

Principals, Roles and Management Groups

In previous versions of Tachyon a Principal was assigned to a Role.

Furthermore, a Role could be linked to a Management Group, providing said Role had an Instruction Set related permission(s).

That way, a Role could be linked to given Management Group(s), and that link would be passed on to every Principal assigned to the Role. That way, a Role could be created with access to a specific Management Group(s) before any Principals have been assigned to the Role.

In version 8.0, Management Groups cannot be linked directly to Roles. Instead, RBAC assignments follow a "Who, What, Where" pattern - "Who" can perform "What" action(s) "Where".

"Who" is a Principal, so a User or a Group that performs various actions in the system.

"What" is the set of Permissions assigned to a Role. We will be talking about a Role, as it is little more than a container for Permissions, but we should remember that it is the Permissions assigned to a Role that define what the Role's assignee can do.

"Where" is the collection of Devices on which Principals can exercise their Permissions. These collections are Management Groups.

This means that from version 8.0 onwards, Principals are assigned to a Role on a specific Management Group. A given Principal will be able to exercise the Permissions of the Role they've been assigned on that Management Group.

As an example, when a Principal wishes to exercise the "Actioner" Permission they have via the 'All Instructions Actioner' Role, they will only be able to do so on a specific Management Group.

Global and Local Permissions

Not all Securable Types are connected to Management Groups. Many types are used to secure parts of the system not connected in any way with Devices, hence they are ignorant of Management Groups.

These Securable Types are called 'global' securable types and are easily identifiable as they have 'IsGlobal' flag set to true.

Because global Securable Types have no link to Devices or Management Groups, it is irrelevant which Management Group is used when assigning a Role whose Permissions use global Securable Types.

A Securable Type that has the 'IsGlobal' flag set to false is called a Local type and Permissions that use that Securable Type are called Localized Permissions.

This means that the Management Group part of the assignment will define the boundaries of where the Permission can be exercised.

Role types

Because some Permissions are localized and some are global, depending on which Securable Type they use, we now have 3 types of Roles: Global, Local and Hybrid.

  • Global Roles - these roles contain only permissions that use Securable Types which have 'IsGlobal' flag set to true.
  • Local Roles - these roles contain only permissions that use Securable Types which have 'IsGlobal' flag set to false.
  • Hybrid Roles - these roles contain a mixture of permissions that use both global and non-global Securable Types.

Non-delegatable Roles (be that Global, Hybrid or Local) can only be assigned to "All Devices", with the exception of "Group Administrator" Role, which cannot be assigned to All Devices despite being a hybrid Role.

Delegatable Roles, except for "Group Administrator", can be assigned to any Management Group, including "All Devices", subject to caller's Security Permissions.

You also have to remember that only Local Roles are delegatable. You can read about delegation here.

Anatomy of an RBAC assignment

An Assignment is a three-way "who, what, where" relationship between a Principal, Role and a Management Group.

A single Assignment is between a single Principal, a single Role and a single Management Group.

If you wish for a Principal to be able to exercise a given Role's Permissions on two unrelated (see here) Management Groups, you will need to create two assignments.

You can create any number of assignments as long as each is for a unique combination of Principal, Role and Management Group.
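The following Python model is an added example, not code from the original page or from Tachyon. It resolves a Principal's effective Permissions on a Management Group by combining all of that Principal's assignments, applying inheritance down the Management Group tree and ignoring the "where" for global Securable Types, and it classifies Roles as Global, Local or Hybrid. The tree, role names, operations and IsGlobal values are constructed for illustration.

```python
# Constructed sample data; none of it is read from a real Tachyon installation.

# Management Group tree as child -> parent (assumed shape).
PARENT = {
    "All Devices": None,
    "USA": "All Devices",
    "USA-Engineering": "USA",
    "Europe": "All Devices",
    "UK": "Europe",
}

# Securable Type -> IsGlobal flag (values assumed for this example).
IS_GLOBAL = {"InstructionSet": False, "Consumer": True}

# Role -> set of (operation, securable type) Permissions.
ROLES = {
    "Global Questioners": {("Questioner", "InstructionSet")},
    "Consumer Readers": {("Read", "Consumer")},
    "Support Desk": {("Viewer", "InstructionSet"), ("Read", "Consumer")},
}

# Assignments are (who, what, where) triples: Principal, Role, Management Group.
ASSIGNMENTS = [
    ("Marc", "Global Questioners", "USA"),
    ("Marc", "Support Desk", "UK"),
]


def role_type(role_name):
    """Classify a Role by the IsGlobal flags of the Securable Types it uses."""
    flags = {IS_GLOBAL[securable] for _, securable in ROLES[role_name]}
    if flags == {True}:
        return "Global"
    if flags == {False}:
        return "Local"
    return "Hybrid"


def scope_chain(management_group):
    """Return the Management Group followed by all of its ancestors."""
    chain = []
    while management_group is not None:
        chain.append(management_group)
        management_group = PARENT[management_group]
    return chain


def effective_permissions(principal, management_group):
    """Combine the Permissions of every Role assigned to the Principal.

    A localized Permission applies when the assignment's Management Group is
    the requested group or one of its ancestors (Permissions are inherited by
    children). A Permission on a global Securable Type applies regardless of
    the Management Group used in the assignment.
    """
    chain = set(scope_chain(management_group))
    granted = set()
    for who, role_name, where in ASSIGNMENTS:
        if who != principal:
            continue
        for operation, securable in ROLES[role_name]:
            if IS_GLOBAL[securable] or where in chain:
                granted.add((operation, securable))
    return granted


if __name__ == "__main__":
    for name in ROLES:
        print(f"{name}: {role_type(name)} role")
    for group in ("USA-Engineering", "UK", "Europe"):
        print(group, sorted(effective_permissions("Marc", group)))
```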

Delegation

Delegation is, in the broadest terms, a concept where an administrator delegates some of their own responsibility to other users while limiting the area where they can exercise that responsibility.

While the concept itself is outside the bounds of this page, we will cover how delegation works internally in Tachyon and what implications it has for API users.

Types of security administrator

Before we delve into how the feature works, we have to establish two terms that we will use later on: global security administrator and local security administrator.

A global security administrator is a Principal that has a Role with a Permission that uses "Security" Securable Type and that Role is assigned to "All Devices" Management Group.

A local security administrator is a Principal that has a Role with a Permission that uses "Security" Securable Type and that Role is assigned on a Management Group other than "All Devices".

It is important to understand that global security administrator and local security administrator are not explicit Roles. Any Role with "Security" Permissions can make a Principal be considered global or local security administrator, depending on what Management Group said Role is assigned on.

One should also remember that the global and local security administrator aren't actually referenced in Tachyon and are not terms used by documentation in general. We define them here because they will be used on this page to describe how delegation works.

Who can assign what?

A global security administrator can create and modify Roles. They can also assign any Role in the system to any Principal using any Management Group they see fit (with some exceptions, like the fact that "Area Administrator" Role cannot be assigned to "All Devices" at all).

A local security administrator cannot create or modify Roles. They can assign any Role that is marked as delegatable (so has the "CanBeDelegated" flag set to true) to a Management Group they have the Security Permission on or any of its children. The exception here is that a local security administrator cannot assign a Role that has "Security" Permission using the same Management Group they themselves have "Security" Permission on. They have to use a child Management Group of the one they themselves have "Security" Permission on.

Effectively, a local security administrator cannot create an assignment that would result in another Principal having the same "Security" Permissions as they do.

An example of how it works

Let's assume we have the following Management Group structure:

[Diagram: Example Management Group structure]

We also have a Role called 'Security Administrator', which has Permission on Security (Read and Write), and another role called "Actioner" which has Actioner permission on Instruction Set.

Now let us assume we have 3 Principals. First Principal, called 'John', has the 'Security Administrator' Role assigned on 'All Devices' Management Group.

The second Principal, called 'Jane', has, at the moment, no Roles assigned at all.

The third Principal, called 'Frank', has no Roles assigned either.

At this point John, as per the rules outlined above, can create and modify Roles and assign any Role to any Principal using any Management Group.

John decides that he is going to delegate some of his responsibilities to Jane by assigning her to 'Security Administrator' on 'Europe' Management Group.

This means Jane is not able to create or edit Roles because, as per the rules outlined above, she is a local security administrator. When managing assignments she can also only use the "Europe", "UK", "France" and "Italy" Management Groups, because she has Security permission assigned on "Europe", and "UK", "France" and "Italy" are child Management Groups of "Europe". She is also limited to using only Roles that are marked as 'delegatable'.

Jane can assign the "Actioner" role to Frank on the "Europe" Management Group, because that Role does not have Security Permission.

Jane will not be able to assign the "Security Administrator" Role to Frank using the "Europe" Management Group, because she herself has Security Permission on that very Management Group and because that Role does have a Security Permission. She can, however, assign "Security Administrator" to Frank using either the "UK", "France" or "Italy" Management Groups, because those are child Management Groups of the Management Group she has Security Permission on.
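The rules from "Who can assign what?" and the John, Jane and Frank scenario can be checked with the Python model below. It is an added example, not code from the original page or from Tachyon, and it also applies the rule that non-delegatable Roles can only be assigned on "All Devices". The Management Group tree is taken from the text with "USA" as an assumed sibling of "Europe", and the SECURITY_SCOPES table and can_assign function are hypothetical names.

```python
ALL_DEVICES = "All Devices"

# Constructed Management Group tree (child -> parent). The page's diagram is not
# available, so the shape is taken from the text; "USA" is an assumed sibling.
PARENT = {
    ALL_DEVICES: None,
    "Europe": ALL_DEVICES,
    "UK": "Europe",
    "France": "Europe",
    "Italy": "Europe",
    "USA": ALL_DEVICES,
}

# Role flags, named after the CanBeDelegated and HasSecurityPermission fields.
# "Full Administrator" and "Area Administrator" use the values shown in the
# page's Roles payload; the other two follow the worked scenario.
ROLES = {
    "Security Administrator": {"CanBeDelegated": True, "HasSecurityPermission": True},
    "Actioner": {"CanBeDelegated": True, "HasSecurityPermission": False},
    "Area Administrator": {"CanBeDelegated": True, "HasSecurityPermission": True},
    "Full Administrator": {"CanBeDelegated": False, "HasSecurityPermission": True},
}

# Roles the page says can never be assigned on "All Devices".
NOT_ON_ALL_DEVICES = {"Area Administrator"}

# Management Groups on which each Principal holds a Role with Security
# Permission (hypothetical table describing the scenario's starting state).
SECURITY_SCOPES = {"John": {ALL_DEVICES}, "Jane": {"Europe"}, "Frank": set()}


def is_descendant(management_group, ancestor):
    """True when management_group sits strictly below ancestor in the tree."""
    node = PARENT[management_group]
    while node is not None:
        if node == ancestor:
            return True
        node = PARENT[node]
    return False


def can_assign(assigner, role_name, target_mg):
    """Return (allowed, reason) for assigner giving role_name on target_mg."""
    role = ROLES[role_name]
    if target_mg == ALL_DEVICES and role_name in NOT_ON_ALL_DEVICES:
        return False, "this role cannot be assigned on All Devices"
    if not role["CanBeDelegated"] and target_mg != ALL_DEVICES:
        return False, "non-delegatable roles can only be assigned on All Devices"

    scopes = SECURITY_SCOPES.get(assigner, set())
    if not scopes:
        return False, "assigner holds no Security permission"
    if ALL_DEVICES in scopes:
        return True, "global security administrator"

    # From here on the assigner is a local security administrator.
    if not role["CanBeDelegated"]:
        return False, "local security administrators can only assign delegatable roles"
    # The page does not say how overlapping scopes are resolved; this model
    # allows the assignment when any one scope permits it.
    for scope in scopes:
        if is_descendant(target_mg, scope):
            return True, f"{target_mg} is a child of {scope}"
        if target_mg == scope and not role["HasSecurityPermission"]:
            return True, f"role without Security permission on own scope {scope}"
    if target_mg in scopes:
        return False, "would grant the same Security permission the assigner holds"
    return False, "target Management Group is outside the assigner's scope"


if __name__ == "__main__":
    scenario = [
        ("John", "Security Administrator", "Europe"),
        ("Jane", "Actioner", "Europe"),
        ("Jane", "Security Administrator", "Europe"),
        ("Jane", "Security Administrator", "UK"),
        ("Jane", "Actioner", "USA"),
        ("John", "Area Administrator", ALL_DEVICES),
    ]
    for assigner, role_name, target in scenario:
        allowed, reason = can_assign(assigner, role_name, target)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{assigner} -> {role_name} on {target}: {verdict} ({reason})")
```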

Retrieving RBAC objects

In this section we will look at endpoints that allow you to examine existing RBAC objects.

Getting Principals

The most basic functionality is to retrieve all Principals:

Direct Consumer API call / C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Principals will yield the following response:

Return payload:
[
    {
        "Id": 1,
        "ExternalId": "S-1-5-21-1202660629-789336158-1349024091-27850",
        "PrincipalName": "SomeDomain\\Administrator",
        "Email": "Administrator@SomeDomain.com",
        "Enabled": true,
        "CreatedTimestampUtc": "2019-11-07T13:14:52.777Z",
        "ModifiedTimestampUtc": "2019-11-07T13:14:52.777Z",
        "SystemPrincipal": true,
        "DisplayName": "Administrator",
        "IsGroup": false
    },
    {
        "Id": 2,
        "ExternalId": "S-1-5-20",
        "PrincipalName": "NT AUTHORITY\\Network Service",
        "Email": null,
        "Enabled": true,
        "CreatedTimestampUtc": "2019-11-07T13:14:56.687Z",
        "ModifiedTimestampUtc": "2019-11-07T13:14:56.687Z",
        "SystemPrincipal": true,
        "DisplayName": "Network Service",
        "IsGroup": false
    },
    {
        "Id": 3,
        "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-23842",
        "PrincipalName": "SomeDomain\\Jane.Doe",
        "Email": "Jane.Doe@SomeDomain.com",
        "Enabled": true,
        "CreatedTimestampUtc": "2019-11-07T13:14:52.777Z",
        "ModifiedTimestampUtc": "2019-11-07T13:14:52.777Z",
        "SystemPrincipal": false,
        "DisplayName": "Jane Doe",
        "IsGroup": false
    },
    {
        "Id": 4,
        "ExternalId": "S-1-5-21-3276326578-728399001-2836074973-1009",
        "PrincipalName": "SomeDomain\\John.Doe",
        "Email": "John.Doe@SomeDomain",
        "Enabled": true,
        "CreatedTimestampUtc": "2016-11-30T15:10:10.73Z",
        "ModifiedTimestampUtc": "2016-11-30T15:10:10.73Z",
        "SystemPrincipal": false,
        "DisplayName": "John Doe",
        "IsGroup": false
    }
]


Use the Principals object inside the Tachyon connector instance.

Retrieving all principals:
// Returns an ApiCallResponse; the list of Principals is in its ReceivedObject property.
var principals = connector.Principals.GetAll();

The "principals" object will contain the same data you can see in the JSON response above.

You can also retrieve just a single Principal by their Id. Here we'll look for "SomeDomain\\Jane.Doe", who has the Id of 3:

Direct Consumer API call / C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Principals/3 will yield the following response:

Return payload:
{
    "Id": 3,
    "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-23842",
    "PrincipalName": "SomeDomain\\Jane.Doe",
    "Email": "Jane.Doe@SomeDomain.com",
    "Enabled": true,
    "CreatedTimestampUtc": "2019-11-07T13:14:52.777Z",
    "ModifiedTimestampUtc": "2019-11-07T13:14:52.777Z",
    "SystemPrincipal": false,
    "DisplayName": "Jane Doe",
    "IsGroup": false
}


Use the Principals object inside the Tachyon connector instance.

Retrieving specific Principal:
// Get the Principal whose Id is 3.
var principal = connector.Principals.Get(3);

The "principal" object will contain the same data you can see in the JSON response above.

You can also retrieve all Principals that have a specific Role assigned to them. Here we'll get all Principals who are "Global Administrators", which has the Id of 1:

Direct Consumer API call / C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Principals/Role/1 will yield the following response:

Return payload:
[
    {
        "PrincipalId": 1,
        "RoleId": 1,
        "CreatedTimestampUtc": "2019-11-07T13:15:01.533Z",
        "Role": null,
        "Principal": {
            "Id": 1,
            "ExternalId": "S-1-5-21-1202660629-789336158-1349024091-27850",
            "PrincipalName": "SomeDomain\\Administrator",
            "Email": "Administrator@SomeDomain.com",
            "Enabled": true,
            "CreatedTimestampUtc": "2019-11-07T13:14:52.777Z",
            "ModifiedTimestampUtc": "2019-11-07T13:14:52.777Z",
            "SystemPrincipal": true,
            "DisplayName": "Administrator",
            "IsGroup": false
        }
    }
]


Use the Principals object inside the Tachyon connector instance.

Retrieving all principals that have a specific role:
// Get every Principal assigned to the Role whose Id is 1.
var principals = connector.Principals.GetForRole(1);

The "principals" object will contain the same data you can see in the JSON response above.

Getting Roles

Much like with Principals, you can retrieve all Roles in the system:

Direct Consumer API call / C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Roles will yield the following response:

Return payload:
[
    {
        "Id": 27,
        "Name": "1E ITSM Connect Actioner",
        "Description": "The ServiceNow proxy user is added to this role instead of Global Actioners so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.51Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": false,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 7,
        "Name": "All Instructions Actioner",
        "Description": "This role will allow assigned users to execute all instructions that are defined as Actions.",
        "CreatedTimestampUtc": "2021-10-07T10:51:35.063Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": true,
        "NumberOfAssignments": 1,
        "HasSecurityPermission": false
    },
    {
        "Id": 5,
        "Name": "All Instructions Approver",
        "Description": "This role will allow assigned users to approve all instructions that require approval.",
        "CreatedTimestampUtc": "2021-10-07T10:51:34.84Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 6,
        "Name": "All Instructions Questioner",
        "Description": "This role will allow assigned users to execute all instructions that are defined as Questions.",
        "CreatedTimestampUtc": "2021-10-07T10:51:35.06Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 8,
        "Name": "All Instructions Viewer",
        "Description": "This role will allow assigned users to view responses to all instructions.",
        "CreatedTimestampUtc": "2021-10-07T10:51:35.063Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 40,
        "Name": "Area Administrator",
        "Description": "The Area Administrator role allows users assigned to assign users permission that have been defined as delegatable in Tachyon, this means that they can be restricted to a Management Group.",
        "CreatedTimestampUtc": "2021-10-07T10:51:39.213Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:39.213Z",
        "SystemRole": true,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": true
    },
    {
        "Id": 32,
        "Name": "Engagement Administrator",
        "Description": "View, create, update, delete and enable Engagements",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.01Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.01Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 1,
        "HasSecurityPermission": false
    },
    {
        "Id": 41,
        "Name": "Experience Administrator",
        "Description": "The Experience Administrator role allows users assigned to access all areas of Experience, including defining Engagement Surveys and Announcements.",
        "CreatedTimestampUtc": "2021-10-07T10:51:39.22Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:39.22Z",
        "SystemRole": false,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 38,
        "Name": "Experience Engagement Assigner",
        "Description": "This role will allow assigned users the ability to assign Engagements to any Management Group that is including in their assignments.",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.97Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.97Z",
        "SystemRole": false,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 30,
        "Name": "Experience User",
        "Description": "The Experience User role allows users assigned to view access all areas of Experience.",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.833Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": false,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 1,
        "Name": "Full Administrator",
        "Description": "The Full Administrator has the combined permissions of all other roles.",
        "CreatedTimestampUtc": "2021-10-07T10:51:34.837Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 1,
        "HasSecurityPermission": true
    },
    {
        "Id": 24,
        "Name": "Guaranteed State Administrator",
        "Description": "The Guaranteed State Administrator role allows users assigned to access all areas of Guaranteed State including defining Rules, Polices and uploading fragments.",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.463Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 37,
        "Name": "Guaranteed State Policy Assigner",
        "Description": "This role will allow assigned users the ability to assign Policies to any Management Group that is including in their assignments.",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.96Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.96Z",
        "SystemRole": true,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 25,
        "Name": "Guaranteed State User",
        "Description": "The Guaranteed State User role allows users assigned to view access all areas of Guaranteed State.",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.467Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 39,
        "Name": "Installer",
        "Description": "The Installer role has minimum permissions to install the Platform and Applications, register Consumers, upload Products packs and manage Instructions sets.",
        "CreatedTimestampUtc": "2021-10-07T10:51:39.203Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:39.203Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 1,
        "HasSecurityPermission": true
    },
    {
        "Id": 13,
        "Name": "Management Group Administrator",
        "Description": "Create, delete, update and initiate synchronization of Management Groups",
        "CreatedTimestampUtc": "2021-10-07T10:51:36.98Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 44,
        "Name": "Nomad Administrators",
        "Description": null,
        "CreatedTimestampUtc": "2021-10-07T13:42:13.523Z",
        "ModifiedTimestampUtc": "2021-10-07T13:42:13.523Z",
        "SystemRole": false,
        "CanBeDelegated": true,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 42,
        "Name": "Patch Success Administrator",
        "Description": "The Patch Success Administrator role allows users assigned to access all areas of Patch Success including deploying Patches.",
        "CreatedTimestampUtc": "2021-10-07T10:51:39.223Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:39.223Z",
        "SystemRole": false,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 26,
        "Name": "Patch Success User",
        "Description": "The Patch Success User role allows users assigned to view access all areas of Patch Success and initiate check status and update status.",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.49Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
        "SystemRole": false,
        "CanBeDelegated": false,
        "NumberOfAssignments": 0,
        "HasSecurityPermission": false
    },
    {
        "Id": 43,
        "Name": "Tachyon System",
        "Description": "The System role allows assigned users to performance operations required to execute the different cross component activities needed for Tachyon Platform to run normally.",
        "CreatedTimestampUtc": "2021-10-07T10:51:39.227Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:39.227Z",
        "SystemRole": true,
        "CanBeDelegated": false,
        "NumberOfAssignments": 1,
        "HasSecurityPermission": true
    }
]


Use the Roles object inside the Tachyon connector instance.

Retrieving all Roles:
// Returns an ApiCallResponse; the list of Roles is in its ReceivedObject property.
var roles = connector.Roles.GetAll();

The "roles" object will contain the same data you can see in the JSON response above.

But unlike the Principals, roles also have an endpoint that supports filtering, sorting and paging. In the example below we'll look for custom roles and sort them by name.

Direct Consumer API call / C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/Roles/Search with the following payload:

Request payload:
{
    "PageSize": 10,
    "Start": 1,
    "Filter": {
        "Attribute": "SystemRole",
        "Operator": "==",
        "Value": "false"
    },
    "Sort": [{
        "Direction": "ASC",
        "Column": "Name"
    }]
}

Yields the following response:

Return payload:
{
    "TotalCount": 7,
    "Items": [
        {
            "Id": 27,
            "Name": "1E ITSM Connect Actioner",
            "Description": "The ServiceNow proxy user is added to this role instead of Global Actioners so that ServiceNow users can only use instructions belonging to instruction sets assigned to this role",
            "CreatedTimestampUtc": "2021-10-07T10:51:37.51Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
            "SystemRole": false,
            "CanBeDelegated": true,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        },
        {
            "Id": 41,
            "Name": "Experience Administrator",
            "Description": "The Experience Administrator role allows users assigned to access all areas of Experience, including defining Engagement Surveys and Announcements.",
            "CreatedTimestampUtc": "2021-10-07T10:51:39.22Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:39.22Z",
            "SystemRole": false,
            "CanBeDelegated": false,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        },
        {
            "Id": 38,
            "Name": "Experience Engagement Assigner",
            "Description": "This role will allow assigned users the ability to assign Engagements to any Management Group that is including in their assignments.",
            "CreatedTimestampUtc": "2021-10-07T10:51:38.97Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:38.97Z",
            "SystemRole": false,
            "CanBeDelegated": true,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        },
        {
            "Id": 30,
            "Name": "Experience User",
            "Description": "The Experience User role allows users assigned to view access all areas of Experience.",
            "CreatedTimestampUtc": "2021-10-07T10:51:37.833Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
            "SystemRole": false,
            "CanBeDelegated": false,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        },
        {
            "Id": 44,
            "Name": "Nomad Administrators",
            "Description": null,
            "CreatedTimestampUtc": "2021-10-07T13:42:13.523Z",
            "ModifiedTimestampUtc": "2021-10-07T13:42:13.523Z",
            "SystemRole": false,
            "CanBeDelegated": true,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        },
        {
            "Id": 42,
            "Name": "Patch Success Administrator",
            "Description": "The Patch Success Administrator role allows users assigned to access all areas of Patch Success including deploying Patches.",
            "CreatedTimestampUtc": "2021-10-07T10:51:39.223Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:39.223Z",
            "SystemRole": false,
            "CanBeDelegated": false,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        },
        {
            "Id": 26,
            "Name": "Patch Success User",
            "Description": "The Patch Success User role allows users assigned to view access all areas of Patch Success and initiate check status and update status.",
            "CreatedTimestampUtc": "2021-10-07T10:51:37.49Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
            "SystemRole": false,
            "CanBeDelegated": false,
            "NumberOfAssignments": 0,
            "HasSecurityPermission": false
        }
    ]
}


Use the Roles object inside the Tachyon connector instance.

Searching for Roles (C#):
using System.Collections.Generic; // for List<T>

// Search for non-system Roles, 10 per page, sorted by Name in ascending order
var payload = new Search
{
	PageSize = 10,
	Start = 1,
	Filter = new ExpressionObject
	{
		Attribute = "SystemRole",
		Operator = "==",
		Value = "false"
	},
	Sort = new List<SortSpec>() { new SortSpec
	{
		Direction = "ASC",
		Column = "Name"
	}}
};

// The matching Roles are in searchResults.ReceivedObject
var searchResults = connector.Roles.FindRoles(payload);

The "searchResults" object will contain the same data as the JSON response shown for the direct API call.

You can also retrieve a single Role by its Id. Here we'll retrieve the Global Administrators role, which has the Id of 1.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Roles/1 yields the following response:

Return payload (JSON):
{
    "Id": 1,
    "Name": "Full Administrator",
    "Description": "The Full Administrator has permissions in the system.",
    "CreatedTimestampUtc": "2021-10-07T10:51:34.837Z",
    "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
    "SystemRole": true,
    "CanBeDelegated": false,
    "NumberOfAssignments": 1,
    "HasSecurityPermission": true
}


Use the Roles object inside the Tachyon connector instance.

Retrieving a specific Role by its Id (C#):
// Retrieve the Role with Id 1; the data is in role.ReceivedObject
var role = connector.Roles.Get(1);

The "role" object will contain the same data as the JSON response shown for the direct API call.

Lastly, we'll look at retrieving all Roles assigned to a given Principal, using that Principal's Id. Here we'll get all the Roles assigned to "SomeDomain\Jane.Doe", whose Principal Id is 3:

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Roles/Principal/3 yields the following response:

Return payload (JSON):
[
    {
        "PrincipalId": 3,
        "RoleId": 7,
        "CreatedTimestampUtc": "2021-10-08T13:39:01.5694234Z",
        "Role": {
            "Id": 7,
            "Name": "All Instructions Actioner",
            "Description": "This role will allow assigned users to execute all instructions that are defined as Actions.",
            "CreatedTimestampUtc": "2021-10-07T10:51:35.063Z",
            "ModifiedTimestampUtc": "2021-10-07T10:51:37.893Z",
            "SystemRole": true,
            "CanBeDelegated": false,
            "NumberOfAssignments": 1,
            "HasSecurityPermission": false
        },
        "Principal": null
    }
]
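A review of a response like the one above for privileged assignments, as an added example that is not part of the original page or the Tachyon Consumer SDK: it parses a payload in the shape returned by /Consumer/Roles/Principal/{id} and reports each assignment whose Role has HasSecurityPermission, SystemRole or CanBeDelegated set. The RoleFinding and PrincipalRoleReview names and the sample payload are constructed for illustration, and treating these three flags as the ones worth reviewing is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Added example: hypothetical types, not part of the Tachyon Consumer SDK.
public sealed record RoleFinding(int PrincipalId, int RoleId, string RoleName, string[] Flags);

public static class PrincipalRoleReview
{
    // Constructed sample in the shape of GET /Consumer/Roles/Principal/{id}.
    // The assignments are made up; the last one has no nested Role object.
    private const string SampleJson = @"[
      { ""PrincipalId"": 3, ""RoleId"": 7, ""Role"": { ""Id"": 7, ""Name"": ""All Instructions Actioner"",
          ""SystemRole"": true, ""CanBeDelegated"": false, ""HasSecurityPermission"": false } },
      { ""PrincipalId"": 3, ""RoleId"": 1, ""Role"": { ""Id"": 1, ""Name"": ""Full Administrator"",
          ""SystemRole"": true, ""CanBeDelegated"": false, ""HasSecurityPermission"": true } },
      { ""PrincipalId"": 3, ""RoleId"": 30, ""Role"": { ""Id"": 30, ""Name"": ""Experience User"",
          ""SystemRole"": false, ""CanBeDelegated"": false, ""HasSecurityPermission"": false } },
      { ""PrincipalId"": 3, ""RoleId"": 44, ""Role"": null }
    ]";

    // Returns one finding per assignment that carries at least one reviewed flag,
    // with roles holding a security permission listed first.
    public static List<RoleFinding> Review(string json)
    {
        var findings = new List<RoleFinding>();
        using var doc = JsonDocument.Parse(json);
        if (doc.RootElement.ValueKind != JsonValueKind.Array)
            throw new FormatException("Expected a JSON array of role assignments.");

        foreach (var assignment in doc.RootElement.EnumerateArray())
        {
            if (assignment.ValueKind != JsonValueKind.Object)
                throw new FormatException("Each assignment must be a JSON object.");

            // PrincipalId and RoleId are required; GetProperty throws if one is absent.
            int principalId = assignment.GetProperty("PrincipalId").GetInt32();
            int roleId = assignment.GetProperty("RoleId").GetInt32();

            // Nested objects can be null in these payloads (the page's sample has
            // "Principal": null), so an assignment without Role details is reported
            // rather than silently skipped.
            if (!assignment.TryGetProperty("Role", out var role) ||
                role.ValueKind != JsonValueKind.Object)
            {
                findings.Add(new RoleFinding(principalId, roleId, "(unknown)",
                    new[] { "role-details-missing" }));
                continue;
            }

            var flags = new List<string>();
            if (IsTrue(role, "HasSecurityPermission")) flags.Add("security-permission");
            if (IsTrue(role, "SystemRole")) flags.Add("system-role");
            if (IsTrue(role, "CanBeDelegated")) flags.Add("delegable");
            if (flags.Count == 0) continue; // nothing to review for this role

            string name = role.TryGetProperty("Name", out var n) &&
                          n.ValueKind == JsonValueKind.String
                ? (n.GetString() ?? "(unnamed)")
                : "(unnamed)";
            findings.Add(new RoleFinding(principalId, roleId, name, flags.ToArray()));
        }

        return findings
            .OrderByDescending(f => f.Flags.Contains("security-permission"))
            .ThenBy(f => f.RoleName, StringComparer.Ordinal)
            .ToList();
    }

    // A flag counts only when it is present and literally true.
    private static bool IsTrue(JsonElement obj, string property) =>
        obj.TryGetProperty(property, out var v) && v.ValueKind == JsonValueKind.True;

    public static void Main()
    {
        foreach (var f in Review(SampleJson))
            Console.WriteLine(
                $"principal {f.PrincipalId}, role {f.RoleId} '{f.RoleName}': {string.Join(", ", f.Flags)}");
    }
}
```

To run it against live data, pass the body of the GET response to Review in place of the constructed sample.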


Use the Roles object inside the Tachyon connector instance.

Retrieving all Roles for a given Principal (C#):
var principalId = 3; // Id of the Principal "SomeDomain\Jane.Doe"
var roles = connector.Roles.GetForPrincipal(principalId);

The "roles" object will contain the same data as the JSON response shown for the direct API call.

Getting Securable Types

You can retrieve all Securable Types with the following call:

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/SecurableTypes yields the following response:

Return payload (JSON):
[
    {
        "Id": 1,
        "Name": "InstructionSet",
        "CreatedTimestampUtc": "2021-10-07T10:51:34.83Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:36.647Z",
        "Operations": [
            {
                "Id": 2,
                "OperationName": "Actioner",
                "SecurableTypeId": 1,
                "SecurableTypeName": "InstructionSet"
            },
            {
                "Id": 4,
                "OperationName": "Approver",
                "SecurableTypeId": 1,
                "SecurableTypeName": "InstructionSet"
            },
            {
                "Id": 3,
                "OperationName": "Questioner",
                "SecurableTypeId": 1,
                "SecurableTypeName": "InstructionSet"
            },
            {
                "Id": 1,
                "OperationName": "Viewer",
                "SecurableTypeId": 1,
                "SecurableTypeName": "InstructionSet"
            }
        ],
        "IsGlobal": false,
        "Description": "Execute, schedule, cancel, and approve instructions - view responses"
    },
    {
        "Id": 2,
        "Name": "Security",
        "CreatedTimestampUtc": "2021-10-07T10:51:34.83Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:34.83Z",
        "Operations": [
            {
                "Id": 7,
                "OperationName": "Delete",
                "SecurableTypeId": 2,
                "SecurableTypeName": "Security"
            },
            {
                "Id": 5,
                "OperationName": "Read",
                "SecurableTypeId": 2,
                "SecurableTypeName": "Security"
            },
            {
                "Id": 6,
                "OperationName": "Write",
                "SecurableTypeId": 2,
                "SecurableTypeName": "Security"
            }
        ],
        "IsGlobal": false,
        "Description": "Add and remove Users - view all Roles - add, modify, and delete Custom roles - assign roles to users - view Audit information log"
    },
    {
        "Id": 3,
        "Name": "InstructionSetManagement",
        "CreatedTimestampUtc": "2021-10-07T10:51:34.83Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:36.647Z",
        "Operations": [
            {
                "Id": 9,
                "OperationName": "Add",
                "SecurableTypeId": 3,
                "SecurableTypeName": "InstructionSetManagement"
            },
            {
                "Id": 8,
                "OperationName": "Delete",
                "SecurableTypeId": 3,
                "SecurableTypeName": "InstructionSetManagement"
            },
            {
                "Id": 10,
                "OperationName": "Read",
                "SecurableTypeId": 3,
                "SecurableTypeName": "InstructionSetManagement"
            }
        ],
        "IsGlobal": true,
        "Description": "Upload product packs - add, modify, and delete instruction sets - delete instruction definitions"
    },
    {
        "Id": 4,
        "Name": "Infrastructure",
        "CreatedTimestampUtc": "2021-10-07T10:51:34.83Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:34.83Z",
        "Operations": [
            {
                "Id": 85,
                "OperationName": "Delete",
                "SecurableTypeId": 4,
                "SecurableTypeName": "Infrastructure"
            },
            {
                "Id": 11,
                "OperationName": "Read",
                "SecurableTypeId": 4,
                "SecurableTypeName": "Infrastructure"
            },
            {
                "Id": 84,
                "OperationName": "Write",
                "SecurableTypeId": 4,
                "SecurableTypeName": "Infrastructure"
            }
        ],
        "IsGlobal": true,
        "Description": "View System health and System information - view, add, and edit global settings"
    },
    {
        "Id": 5,
        "Name": "CustomProperty",
        "CreatedTimestampUtc": "2021-10-07T10:51:35.33Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:35.33Z",
        "Operations": [
            {
                "Id": 12,
                "OperationName": "Read",
                "SecurableTypeId": 5,
                "SecurableTypeName": "CustomProperty"
            },
            {
                "Id": 13,
                "OperationName": "Write",
                "SecurableTypeId": 5,
                "SecurableTypeName": "CustomProperty"
            }
        ],
        "IsGlobal": true,
        "Description": "View, add, edit, and delete Custom properties"
    },
    {
        "Id": 6,
        "Name": "Consumer",
        "CreatedTimestampUtc": "2021-10-07T10:51:35.877Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:35.877Z",
        "Operations": [
            {
                "Id": 14,
                "OperationName": "Read",
                "SecurableTypeId": 6,
                "SecurableTypeName": "Consumer"
            },
            {
                "Id": 15,
                "OperationName": "Write",
                "SecurableTypeId": 6,
                "SecurableTypeName": "Consumer"
            }
        ],
        "IsGlobal": true,
        "Description": "View, add, edit, and delete Consumers"
    },
    {
        "Id": 7,
        "Name": "AgentDeployment",
        "CreatedTimestampUtc": "2021-10-07T10:51:36.84Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:36.84Z",
        "Operations": [
            {
                "Id": 18,
                "OperationName": "Approve",
                "SecurableTypeId": 7,
                "SecurableTypeName": "AgentDeployment"
            },
            {
                "Id": 16,
                "OperationName": "Execute",
                "SecurableTypeId": 7,
                "SecurableTypeName": "AgentDeployment"
            },
            {
                "Id": 17,
                "OperationName": "View",
                "SecurableTypeId": 7,
                "SecurableTypeName": "AgentDeployment"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, and cancel 1E Client deployment jobs"
    },
    {
        "Id": 8,
        "Name": "AgentInstallerManagement",
        "CreatedTimestampUtc": "2021-10-07T10:51:36.88Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:36.88Z",
        "Operations": [
            {
                "Id": 19,
                "OperationName": "Add",
                "SecurableTypeId": 8,
                "SecurableTypeName": "AgentInstallerManagement"
            },
            {
                "Id": 20,
                "OperationName": "Delete",
                "SecurableTypeId": 8,
                "SecurableTypeName": "AgentInstallerManagement"
            },
            {
                "Id": 21,
                "OperationName": "Read",
                "SecurableTypeId": 8,
                "SecurableTypeName": "AgentInstallerManagement"
            }
        ],
        "IsGlobal": true,
        "Description": "View, upload, and delete 1E Client installers"
    },
    {
        "Id": 9,
        "Name": "ManagementGroup",
        "CreatedTimestampUtc": "2021-10-07T10:51:36.98Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:36.98Z",
        "Operations": [
            {
                "Id": 29,
                "OperationName": "Delete",
                "SecurableTypeId": 9,
                "SecurableTypeName": "ManagementGroup"
            },
            {
                "Id": 22,
                "OperationName": "Read",
                "SecurableTypeId": 9,
                "SecurableTypeName": "ManagementGroup"
            },
            {
                "Id": 24,
                "OperationName": "Synchronize",
                "SecurableTypeId": 9,
                "SecurableTypeName": "ManagementGroup"
            },
            {
                "Id": 23,
                "OperationName": "Write",
                "SecurableTypeId": 9,
                "SecurableTypeName": "ManagementGroup"
            }
        ],
        "IsGlobal": false,
        "Description": "Create, delete, edit, and initiate synchronization of Management Groups"
    },
    {
        "Id": 10,
        "Name": "Connector",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 27,
                "OperationName": "Delete",
                "SecurableTypeId": 10,
                "SecurableTypeName": "Connector"
            },
            {
                "Id": 28,
                "OperationName": "Execute",
                "SecurableTypeId": 10,
                "SecurableTypeName": "Connector"
            },
            {
                "Id": 25,
                "OperationName": "Read",
                "SecurableTypeId": 10,
                "SecurableTypeName": "Connector"
            },
            {
                "Id": 26,
                "OperationName": "Write",
                "SecurableTypeId": 10,
                "SecurableTypeName": "Connector"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, delete, and test Connectors"
    },
    {
        "Id": 11,
        "Name": "Schedule",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 32,
                "OperationName": "Delete",
                "SecurableTypeId": 11,
                "SecurableTypeName": "Schedule"
            },
            {
                "Id": 30,
                "OperationName": "Read",
                "SecurableTypeId": 11,
                "SecurableTypeName": "Schedule"
            },
            {
                "Id": 31,
                "OperationName": "Write",
                "SecurableTypeId": 11,
                "SecurableTypeName": "Schedule"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, and delete Schedules - view Schedule history"
    },
    {
        "Id": 12,
        "Name": "ProcessLog",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 90,
                "OperationName": "Delete",
                "SecurableTypeId": 12,
                "SecurableTypeName": "ProcessLog"
            },
            {
                "Id": 33,
                "OperationName": "Read",
                "SecurableTypeId": 12,
                "SecurableTypeName": "ProcessLog"
            },
            {
                "Id": 89,
                "OperationName": "Write",
                "SecurableTypeId": 12,
                "SecurableTypeName": "ProcessLog"
            }
        ],
        "IsGlobal": true,
        "Description": "View and purge the Process log, Cancel all actions"
    },
    {
        "Id": 13,
        "Name": "SynchronizationLog",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 34,
                "OperationName": "Read",
                "SecurableTypeId": 13,
                "SecurableTypeName": "SynchronizationLog"
            }
        ],
        "IsGlobal": true,
        "Description": "View Sync log"
    },
    {
        "Id": 14,
        "Name": "Component",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 35,
                "OperationName": "Read",
                "SecurableTypeId": 14,
                "SecurableTypeName": "Component"
            },
            {
                "Id": 86,
                "OperationName": "Write",
                "SecurableTypeId": 14,
                "SecurableTypeName": "Component"
            }
        ],
        "IsGlobal": true,
        "Description": "View and configure Components"
    },
    {
        "Id": 15,
        "Name": "ProviderConfiguration",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 38,
                "OperationName": "Delete",
                "SecurableTypeId": 15,
                "SecurableTypeName": "ProviderConfiguration"
            },
            {
                "Id": 36,
                "OperationName": "Read",
                "SecurableTypeId": 15,
                "SecurableTypeName": "ProviderConfiguration"
            },
            {
                "Id": 37,
                "OperationName": "Write",
                "SecurableTypeId": 15,
                "SecurableTypeName": "ProviderConfiguration"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, and delete Providers"
    },
    {
        "Id": 16,
        "Name": "InfrastructureLog",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 39,
                "OperationName": "Read",
                "SecurableTypeId": 16,
                "SecurableTypeName": "InfrastructureLog"
            }
        ],
        "IsGlobal": true,
        "Description": "View Infrastructure log"
    },
    {
        "Id": 17,
        "Name": "Repository.Inventory",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.38Z",
        "Operations": [
            {
                "Id": 43,
                "OperationName": "Archive",
                "SecurableTypeId": 17,
                "SecurableTypeName": "Repository.Inventory"
            },
            {
                "Id": 42,
                "OperationName": "Delete",
                "SecurableTypeId": 17,
                "SecurableTypeName": "Repository.Inventory"
            },
            {
                "Id": 53,
                "OperationName": "EvaluateManagementGroups",
                "SecurableTypeId": 17,
                "SecurableTypeName": "Repository.Inventory"
            },
            {
                "Id": 44,
                "OperationName": "Populate",
                "SecurableTypeId": 17,
                "SecurableTypeName": "Repository.Inventory"
            },
            {
                "Id": 40,
                "OperationName": "Read",
                "SecurableTypeId": 17,
                "SecurableTypeName": "Repository.Inventory"
            },
            {
                "Id": 41,
                "OperationName": "Write",
                "SecurableTypeId": 17,
                "SecurableTypeName": "Repository.Inventory"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, and delete Inventory repositories - populate and archive them"
    },
    {
        "Id": 18,
        "Name": "Application",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.433Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.433Z",
        "Operations": [
            {
                "Id": 46,
                "OperationName": "Delete",
                "SecurableTypeId": 18,
                "SecurableTypeName": "Application"
            },
            {
                "Id": 45,
                "OperationName": "Write",
                "SecurableTypeId": 18,
                "SecurableTypeName": "Application"
            }
        ],
        "IsGlobal": true,
        "Description": "Install and uninstall Tachyon Portal applications"
    },
    {
        "Id": 19,
        "Name": "GuaranteedState",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.463Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.463Z",
        "Operations": [
            {
                "Id": 49,
                "OperationName": "Delete",
                "SecurableTypeId": 19,
                "SecurableTypeName": "GuaranteedState"
            },
            {
                "Id": 47,
                "OperationName": "Read",
                "SecurableTypeId": 19,
                "SecurableTypeName": "GuaranteedState"
            },
            {
                "Id": 48,
                "OperationName": "Write",
                "SecurableTypeId": 19,
                "SecurableTypeName": "GuaranteedState"
            }
        ],
        "IsGlobal": true,
        "Description": "View, add, edit, and delete Rules, Fragments, Trigger templates, and Policies - view Guaranteed State dashboards"
    },
    {
        "Id": 20,
        "Name": "Repository.Patch",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.49Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.49Z",
        "Operations": [
            {
                "Id": 50,
                "OperationName": "Read",
                "SecurableTypeId": 20,
                "SecurableTypeName": "Repository.Patch"
            }
        ],
        "IsGlobal": true,
        "Description": "View Patch Success dashboards"
    },
    {
        "Id": 21,
        "Name": "Repository.BI",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.5Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.5Z",
        "Operations": [
            {
                "Id": 52,
                "OperationName": "Populate",
                "SecurableTypeId": 21,
                "SecurableTypeName": "Repository.BI"
            },
            {
                "Id": 51,
                "OperationName": "Read",
                "SecurableTypeId": 21,
                "SecurableTypeName": "Repository.BI"
            }
        ],
        "IsGlobal": true,
        "Description": "View and populate the BI respository"
    },
    {
        "Id": 22,
        "Name": "EventSubscription",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.74Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.74Z",
        "Operations": [
            {
                "Id": 56,
                "OperationName": "Delete",
                "SecurableTypeId": 22,
                "SecurableTypeName": "EventSubscription"
            },
            {
                "Id": 54,
                "OperationName": "Read",
                "SecurableTypeId": 22,
                "SecurableTypeName": "EventSubscription"
            },
            {
                "Id": 55,
                "OperationName": "Write",
                "SecurableTypeId": 22,
                "SecurableTypeName": "EventSubscription"
            }
        ],
        "IsGlobal": false,
        "Description": "View, create, edit, and delete the configurations of event subscriptions"
    },
    {
        "Id": 24,
        "Name": "Experience",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.833Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.833Z",
        "Operations": [
            {
                "Id": 58,
                "OperationName": "Read",
                "SecurableTypeId": 24,
                "SecurableTypeName": "Experience"
            }
        ],
        "IsGlobal": true,
        "Description": "View Experience dashboards"
    },
    {
        "Id": 25,
        "Name": "Inventory",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.85Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.85Z",
        "Operations": [
            {
                "Id": 60,
                "OperationName": "Export",
                "SecurableTypeId": 25,
                "SecurableTypeName": "Inventory"
            },
            {
                "Id": 59,
                "OperationName": "Read",
                "SecurableTypeId": 25,
                "SecurableTypeName": "Inventory"
            }
        ],
        "IsGlobal": true,
        "Description": "View Inventory dashboards and export inventory data"
    },
    {
        "Id": 26,
        "Name": "Inventory.Association",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.85Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.85Z",
        "Operations": [
            {
                "Id": 64,
                "OperationName": "Delete",
                "SecurableTypeId": 26,
                "SecurableTypeName": "Inventory.Association"
            },
            {
                "Id": 63,
                "OperationName": "Export",
                "SecurableTypeId": 26,
                "SecurableTypeName": "Inventory.Association"
            },
            {
                "Id": 61,
                "OperationName": "Read",
                "SecurableTypeId": 26,
                "SecurableTypeName": "Inventory.Association"
            },
            {
                "Id": 62,
                "OperationName": "Write",
                "SecurableTypeId": 26,
                "SecurableTypeName": "Inventory.Association"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, and delete SCCM Associations in Inventory"
    },
    {
        "Id": 27,
        "Name": "AppClarity.Entitlement",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.877Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.877Z",
        "Operations": [
            {
                "Id": 68,
                "OperationName": "Delete",
                "SecurableTypeId": 27,
                "SecurableTypeName": "AppClarity.Entitlement"
            },
            {
                "Id": 69,
                "OperationName": "Execute",
                "SecurableTypeId": 27,
                "SecurableTypeName": "AppClarity.Entitlement"
            },
            {
                "Id": 67,
                "OperationName": "Export",
                "SecurableTypeId": 27,
                "SecurableTypeName": "AppClarity.Entitlement"
            },
            {
                "Id": 65,
                "OperationName": "Read",
                "SecurableTypeId": 27,
                "SecurableTypeName": "AppClarity.Entitlement"
            },
            {
                "Id": 66,
                "OperationName": "Write",
                "SecurableTypeId": 27,
                "SecurableTypeName": "AppClarity.Entitlement"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, delete, export, and manage AppClarity Entitlement"
    },
    {
        "Id": 28,
        "Name": "AppClarity.Compliance",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.877Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.877Z",
        "Operations": [
            {
                "Id": 73,
                "OperationName": "Delete",
                "SecurableTypeId": 28,
                "SecurableTypeName": "AppClarity.Compliance"
            },
            {
                "Id": 74,
                "OperationName": "Execute",
                "SecurableTypeId": 28,
                "SecurableTypeName": "AppClarity.Compliance"
            },
            {
                "Id": 72,
                "OperationName": "Export",
                "SecurableTypeId": 28,
                "SecurableTypeName": "AppClarity.Compliance"
            },
            {
                "Id": 70,
                "OperationName": "Read",
                "SecurableTypeId": 28,
                "SecurableTypeName": "AppClarity.Compliance"
            },
            {
                "Id": 71,
                "OperationName": "Write",
                "SecurableTypeId": 28,
                "SecurableTypeName": "AppClarity.Compliance"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, delete, export, and manage AppClarity Compliance and LDC"
    },
    {
        "Id": 29,
        "Name": "AppClarity.Reclaim",
        "CreatedTimestampUtc": "2021-10-07T10:51:37.877Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:37.877Z",
        "Operations": [
            {
                "Id": 78,
                "OperationName": "Delete",
                "SecurableTypeId": 29,
                "SecurableTypeName": "AppClarity.Reclaim"
            },
            {
                "Id": 79,
                "OperationName": "Execute",
                "SecurableTypeId": 29,
                "SecurableTypeName": "AppClarity.Reclaim"
            },
            {
                "Id": 77,
                "OperationName": "Export",
                "SecurableTypeId": 29,
                "SecurableTypeName": "AppClarity.Reclaim"
            },
            {
                "Id": 75,
                "OperationName": "Read",
                "SecurableTypeId": 29,
                "SecurableTypeName": "AppClarity.Reclaim"
            },
            {
                "Id": 76,
                "OperationName": "Write",
                "SecurableTypeId": 29,
                "SecurableTypeName": "AppClarity.Reclaim"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, delete, export, and manage AppClarity Reclaim"
    },
    {
        "Id": 30,
        "Name": "Engagements",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.01Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.01Z",
        "Operations": [
            {
                "Id": 82,
                "OperationName": "Delete",
                "SecurableTypeId": 30,
                "SecurableTypeName": "Engagements"
            },
            {
                "Id": 83,
                "OperationName": "Execute",
                "SecurableTypeId": 30,
                "SecurableTypeName": "Engagements"
            },
            {
                "Id": 80,
                "OperationName": "Read",
                "SecurableTypeId": 30,
                "SecurableTypeName": "Engagements"
            },
            {
                "Id": 81,
                "OperationName": "Write",
                "SecurableTypeId": 30,
                "SecurableTypeName": "Engagements"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, delete, and enable Engagements (Surveys and Announcements)"
    },
    {
        "Id": 31,
        "Name": "VDI",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.1Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.1Z",
        "Operations": [
            {
                "Id": 87,
                "OperationName": "Read",
                "SecurableTypeId": 31,
                "SecurableTypeName": "VDI"
            },
            {
                "Id": 88,
                "OperationName": "Write",
                "SecurableTypeId": 31,
                "SecurableTypeName": "VDI"
            }
        ],
        "IsGlobal": true,
        "Description": "View, create, edit, and delete application servers"
    },
    {
        "Id": 32,
        "Name": "ProviderOperationLog",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.13Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.13Z",
        "Operations": [
            {
                "Id": 91,
                "OperationName": "Read",
                "SecurableTypeId": 32,
                "SecurableTypeName": "ProviderOperationLog"
            }
        ],
        "IsGlobal": true,
        "Description": "Update, delete and view provider configurations"
    },
    {
        "Id": 33,
        "Name": "PolicyDeployment",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.15Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.15Z",
        "Operations": [
            {
                "Id": 92,
                "OperationName": "Execute",
                "SecurableTypeId": 33,
                "SecurableTypeName": "PolicyDeployment"
            }
        ],
        "IsGlobal": true,
        "Description": "Deploy all types of policies (including metrics, events, and engagements)"
    },
    {
        "Id": 34,
        "Name": "OffloadingData",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.25Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.25Z",
        "Operations": [
            {
                "Id": 93,
                "OperationName": "Offload",
                "SecurableTypeId": 34,
                "SecurableTypeName": "OffloadingData"
            }
        ],
        "IsGlobal": true,
        "Description": "Offload (forward) event data to any Web API responsible for processing that data"
    },
    {
        "Id": 35,
        "Name": "Nomad",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.287Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.287Z",
        "Operations": [
            {
                "Id": 96,
                "OperationName": "Delete",
                "SecurableTypeId": 35,
                "SecurableTypeName": "Nomad"
            },
            {
                "Id": 94,
                "OperationName": "Read",
                "SecurableTypeId": 35,
                "SecurableTypeName": "Nomad"
            },
            {
                "Id": 95,
                "OperationName": "Write",
                "SecurableTypeId": 35,
                "SecurableTypeName": "Nomad"
            }
        ],
        "IsGlobal": true,
        "Description": "View Nomad dashboards and SSD peer data. View, add, and delete pre-cache jobs. Pause and resume download activity of Nomad clients"
    },
    {
        "Id": 36,
        "Name": "Protect",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.317Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.317Z",
        "Operations": [
            {
                "Id": 97,
                "OperationName": "Read",
                "SecurableTypeId": 36,
                "SecurableTypeName": "Protect"
            },
            {
                "Id": 98,
                "OperationName": "Write",
                "SecurableTypeId": 36,
                "SecurableTypeName": "Protect"
            }
        ],
        "IsGlobal": true,
        "Description": "View and deploy patches at all endpoints"
    },
    {
        "Id": 37,
        "Name": "PolicyAssignment",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.603Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.603Z",
        "Operations": [
            {
                "Id": 99,
                "OperationName": "Assign",
                "SecurableTypeId": 37,
                "SecurableTypeName": "PolicyAssignment"
            }
        ],
        "IsGlobal": false,
        "Description": "Assign Guaranteed State policies to Management Groups"
    },
    {
        "Id": 38,
        "Name": "EngagementAssignment",
        "CreatedTimestampUtc": "2021-10-07T10:51:38.957Z",
        "ModifiedTimestampUtc": "2021-10-07T10:51:38.957Z",
        "Operations": [
            {
                "Id": 100,
                "OperationName": "Assign",
                "SecurableTypeId": 38,
                "SecurableTypeName": "EngagementAssignment"
            }
        ],
        "IsGlobal": false,
        "Description": "Assign Engagements (Surveys and Announcements) to Management Groups"
    }
]


Use SecurableTypes object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving all Securable Types
collapsetrue
secTypes = connector.SecurableTypes.GetAll();

"secTypes" object will contain the same data you can see in the JSON response on the left.

You can also retrieve a specific Securable Type by either its Name or Id.

Direct Consumer API call | C# code using Consumer SDK library

If you wish to use the Id, make a GET request to https://my.tachyon.server/Consumer/SecurableTypes/1

If you wish to use the Name instead, make a GET request to https://my.tachyon.server/Consumer/SecurableTypes/Name/InstructionSet

Both yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Id": 1,
    "Name": "InstructionSet",
    "CreatedTimestampUtc": "2019-11-07T13:14:52.75Z",
    "ModifiedTimestampUtc": "2019-11-07T13:14:56.113Z",
    "IsGlobal": false,
    "Description": "Execute, schedule, cancel, and approve instructions - view responses",
    "Operations": [
        {
            "Id": 2,
            "OperationName": "Actioner",
            "SecurableTypeId": 1,
            "SecurableTypeName": "InstructionSet"
        },
        {
            "Id": 4,
            "OperationName": "Approver",
            "SecurableTypeId": 1,
            "SecurableTypeName": "InstructionSet"
        },
        {
            "Id": 3,
            "OperationName": "Questioner",
            "SecurableTypeId": 1,
            "SecurableTypeName": "InstructionSet"
        },
        {
            "Id": 1,
            "OperationName": "Viewer",
            "SecurableTypeId": 1,
            "SecurableTypeName": "InstructionSet"
        }
    ]
}


Use SecurableTypes object inside the Tachyon connector instance.

To retrieve a Securable Type using its Id use:

Code Block
languagec#
themeMidnight
titleRetrieving a Securable Type by Id
collapsetrue
secType = connector.SecurableTypes.Get(1);

To retrieve a Securable Type using its Name use:

Code Block
languagec#
themeMidnight
titleRetrieving Securable Type by Name
collapsetrue
secType = connector.SecurableTypes.Get("InstructionSet");

"secType" object will contain the same data you can see in the JSON response on the left.

Getting Applicable Operations

Applicable Operations work in the context of a Securable Type, which is why Tachyon allows you to retrieve all Applicable Operations for a given Securable Type. You can use either the Name or the Id to specify which Securable Type you want Applicable Operations for.

Direct Consumer API call | C# code using Consumer SDK library

If you wish to use the Id, make a GET request to https://my.tachyon.server/Consumer/ApplicableOperations/SecurableTypeId/1

If you wish to use the Name instead, make a GET request to https://my.tachyon.server/Consumer/ApplicableOperations/SecurableTypeName/InstructionSet

Both yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "Id": 2,
        "OperationName": "Actioner",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet"
    },
    {
        "Id": 4,
        "OperationName": "Approver",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet"
    },
    {
        "Id": 3,
        "OperationName": "Questioner",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet"
    },
    {
        "Id": 1,
        "OperationName": "Viewer",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet"
    }
]


Use ApplicableOperations object inside the Tachyon connector instance.

To retrieve Applicable Operations for a Securable Type using the type's Id use:

Code Block
languagec#
themeMidnight
titleRetrieve Applicable Operations using Securable Type's Id
collapsetrue
operations = connector.ApplicableOperations.Get(1);

To retrieve Applicable Operations for a Securable Type using the type's Name use:

Code Block
languagec#
themeMidnight
titleRetrieve Applicable Operations using Securable Type's Name
collapsetrue
operations = connector.ApplicableOperations.Get("InstructionSet");

"operations" object will contain the same data you can see in the JSON response on the left.

Getting Permissions

You can retrieve permissions in several different ways, for example for a Principal, a Role or a Securable Type.

Some APIs perform checks for the calling user by pulling the user information from the HTTP request itself. Other APIs allow you to specify which object you want to get permissions for.

Getting permissions for a Principal

Getting all Permissions

Retrieving a principal's permissions is done using the account name (for example "somedomain\jane.doe") of that principal. When using the API directly, you have to encode that account name into base64 before sending it. The C# Consumer API SDK does the encoding for you.

In general, any GET endpoint requires you to base64 encode the principal name, because principal names can contain characters that are not allowed in URIs.

When you request permissions for a specific Principal, you'll get the permissions that Principal has stemming from any of their roles.

Please note that these Permissions specify which Management Group they have been granted on, which reflects how the Role containing these Permissions is assigned to the Principal.

If a given Principal has the same Permission on two different Management Groups (for instance because those Permissions come from two different Roles that were assigned using different Management Groups, or because the same Role was assigned twice, each time using a different Management Group), there will be two rows for the same Permission, differing in the Management Group Id and Name.

Another important thing to remember is that a non-global securable type will yield extra Permission row(s), one per child of the Management Group that the original Permission has been assigned on.

What this means is that, in the example we saw earlier, if the "Actioner" Role is assigned on the "Europe" Management Group to a Principal, asking about that Principal's Permissions will yield 4 rows: one for "Europe", one for "UK", one for "France" and one for "Italy". This is because "InstructionSet" is a local Securable Type.

Had "Actioner" had a Permission for, for instance, the "InfrastructureLog" Securable Type, which is global, and been assigned to "Europe", there would only be one row, the one containing "Europe".
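The row behaviour described above can be checked offline when reviewing a Principal's access. The Python sketch below is an added example, not part of the Tachyon SDK or of the original page: it builds the request URL with the base64-encoded account name and indexes the returned rows by Securable Type, operation, Management Group and Role. The function names, the "Custom Log Readers" Role, the Management Group Ids and the sample rows are assumptions constructed for illustration; the field names follow the return payloads on this page.

```python
import base64
from collections import defaultdict

BASE_URL = "https://my.tachyon.server/Consumer"  # host name used on this page


def encode_principal(account_name):
    """Base64-encode an account name for a GET path segment.

    UTF-8 is an assumption; it reproduces the encoded value shown on this page.
    """
    return base64.b64encode(account_name.encode("utf-8")).decode("ascii")


def permissions_url(account_name):
    """URL of the 'all Permissions for a Principal' endpoint."""
    return f"{BASE_URL}/Permissions/Principal/{encode_principal(account_name)}"


def grants_by_operation(rows):
    """Index Permission rows by what they allow.

    Returns {(SecurableTypeName, OperationName): {ManagementGroupName: {RoleName}}}.
    Rows whose Allowed flag is not true are ignored.
    """
    grants = defaultdict(lambda: defaultdict(set))
    for row in rows:
        if row.get("Allowed") is not True:
            continue
        for op in row.get("Operations") or []:
            key = (row["SecurableTypeName"], op["OperationName"])
            grants[key][row["ManagementGroupName"]].add(row["RoleName"])
    return {key: dict(by_group) for key, by_group in grants.items()}


def management_groups_for(grants, securable_type, operation):
    """Management Groups on which the operation is allowed, sorted by name."""
    return sorted(grants.get((securable_type, operation), {}))


def multi_role_grants(grants):
    """Grants that reach the Principal through more than one Role on the same
    Management Group. Removing one of those Roles does not remove the access."""
    found = []
    for (securable_type, operation), by_group in sorted(grants.items()):
        for group, roles in sorted(by_group.items()):
            if len(roles) > 1:
                found.append((securable_type, operation, group, sorted(roles)))
    return found


def _row(group_id, group_name, securable_type, role_name, *operations):
    """Build one constructed row with only the fields the functions above read."""
    return {
        "ManagementGroupId": group_id,
        "ManagementGroupName": group_name,
        "SecurableTypeName": securable_type,
        "RoleName": role_name,
        "Allowed": True,
        "Operations": [{"OperationName": name} for name in operations],
    }


# Constructed sample, not real output. The Management Group Ids are made up.
SAMPLE_ROWS = [
    # "Actioner" Role assigned on "Europe": InstructionSet is not global, so
    # each child of "Europe" gets a row of its own.
    _row(2, "Europe", "InstructionSet", "Actioner", "Actioner"),
    _row(3, "UK", "InstructionSet", "Actioner", "Actioner"),
    _row(4, "France", "InstructionSet", "Actioner", "Actioner"),
    _row(5, "Italy", "InstructionSet", "Actioner", "Actioner"),
    # InfrastructureLog is global: one row per Role, on "Europe" only.
    # "Custom Log Readers" is a hypothetical second Role with the same Permission.
    _row(2, "Europe", "InfrastructureLog", "Log Viewers", "Read"),
    _row(2, "Europe", "InfrastructureLog", "Custom Log Readers", "Read"),
]

if __name__ == "__main__":
    print(permissions_url("somedomain\\jane.doe"))
    grants = grants_by_operation(SAMPLE_ROWS)
    print(management_groups_for(grants, "InstructionSet", "Actioner"))
    print(management_groups_for(grants, "InfrastructureLog", "Read"))
    for finding in multi_role_grants(grants):
        print(finding)
```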

The following examples use the "somedomain\jane.doe" account.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Principal/c29tZWRvbWFpblxqYW5lLmRvZQ== will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[{
    "ManagementGroupId": 1,
    "ManagementGroupName": "All Devices",
    "SecurableId": null,
    "SecurableName": null,
    "SecurableTypeId": 4,
    "SecurableTypeName": "Instrumentation",
    "RoleId": 4,
    "RoleName": "Infrastructure Administrators",
    "Allowed": true,
    "Operations": [{
        "PermissionId": 19,
        "OperationId": 11,
        "OperationName": "Read",
        "CreatedTimestampUtc": "2019-06-07T15:12:40.757Z",
        "ModifiedTimestampUtc": "2019-06-07T15:12:40.757Z"
    }]
},
{
    "ManagementGroupId": 1,
    "ManagementGroupName": "All Devices",
    "SecurableId": null,
    "SecurableName": null,
    "SecurableTypeId": 12,
    "SecurableTypeName": "ProcessLog",
    "RoleId": 16,
    "RoleName": "Log Viewers",
    "Allowed": true,
    "Operations": [{
        "PermissionId": 61,
        "OperationId": 33,
        "OperationName": "Read",
        "CreatedTimestampUtc": "2019-06-07T15:12:44.13Z",
        "ModifiedTimestampUtc": "2019-06-07T15:12:44.13Z"
    }]
},
{
    "ManagementGroupId": 1,
    "ManagementGroupName": "All Devices",
    "SecurableId": null,
    "SecurableName": null,
    "SecurableTypeId": 13,
    "SecurableTypeName": "SynchronizationLog",
    "RoleId": 16,
    "RoleName": "Log Viewers",
    "Allowed": true,
    "Operations": [{
        "PermissionId": 62,
        "OperationId": 34,
        "OperationName": "Read",
        "CreatedTimestampUtc": "2019-06-07T15:12:44.13Z",
        "ModifiedTimestampUtc": "2019-06-07T15:12:44.13Z"
    }]
},
{
    "ManagementGroupId": 1,
    "ManagementGroupName": "All Devices",
    "SecurableId": null,
    "SecurableName": null,
    "SecurableTypeId": 14,
    "SecurableTypeName": "Component",
    "RoleId": 17,
    "RoleName": "Component Viewers",
    "Allowed": true,
    "Operations": [{
        "PermissionId": 64,
        "OperationId": 35,
        "OperationName": "Read",
        "CreatedTimestampUtc": "2019-06-07T15:12:44.13Z",
        "ModifiedTimestampUtc": "2019-06-07T15:12:44.13Z"
    }]
},
{
    "ManagementGroupId": 1,
    "ManagementGroupName": "All Devices",
    "SecurableId": null,
    "SecurableName": null,
    "SecurableTypeId": 16,
    "SecurableTypeName": "InfrastructureLog",
    "RoleId": 16,
    "RoleName": "Log Viewers",
    "Allowed": true,
    "Operations": [{
        "PermissionId": 63,
        "OperationId": 39,
        "OperationName": "Read",
        "CreatedTimestampUtc": "2019-06-07T15:12:44.13Z",
        "ModifiedTimestampUtc": "2019-06-07T15:12:44.13Z"
    }]
}]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving all Permissions for a specific Principal
collapsetrue
permissions = connector.Permissions.GetForPrincipal("somedomain\\jane.doe");

"permissions" object will contain the same data you can see in the JSON response on the left.

Checking for a specific Permission

You can also retrieve the permissions a given Principal has on a particular Securable Type.

In the example below, we'll look at the InstructionSet-related permissions the "somedomain\jane.doe" account has.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Principal/c29tZWRvbWFpblxqYW5lLmRvZQ==/Type/InstructionSet will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "ManagementGroupId": 1,
        "ManagementGroupName": "All Devices",
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 1,
        "RoleName": "Global Administrators",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 1,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            },
            {
                "PermissionId": 2,
                "OperationId": 2,
                "OperationName": "Actioner",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            },
            {
                "PermissionId": 3,
                "OperationId": 3,
                "OperationName": "Questioner",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            },
            {
                "PermissionId": 4,
                "OperationId": 4,
                "OperationName": "Approver",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            }
        ]
    },
    {
        "ManagementGroupId": 1,
        "ManagementGroupName": "All Devices",
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 5,
        "RoleName": "Global Approvers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 5,
                "OperationId": 4,
                "OperationName": "Approver",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving InstructionSet related permissions for a Principal
collapsetrue
permissions = connector.Permissions.GetForPrincipalAndType("somedomain\\jane.doe", "InstructionSet");

"permissions" object will contain the same data you can see in the JSON response on the left.

If the given Securable Type supports Instances, you can also check a Principal's permissions on a specific instance.

In the example below we'll use a different account called "somedomain\john.doe" and check what permissions it has on the Instruction Set with the Id of 1.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Principal/c29tZWRvbWFpblxqb2huLmRvZQ==/Type/InstructionSet/1 will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "ManagementGroupId": 1,
        "ManagementGroupName": "All Devices",
        "SecurableId": 1,
        "SecurableName": "MySet",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 30,
        "RoleName": "MySet Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 137,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2020-01-02T12:04:04.963Z",
                "ModifiedTimestampUtc": "2020-01-02T12:04:04.963Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving Principal's permissions to a specific instruction set
collapsetrue
permissions = connector.Permissions.GetForPrincipalAndTypeAndInstance("somedomain\\john.doe", "InstructionSet", 1);

"permissions" object will contain the same data you can see in the JSON response on the left.

If the given Principal has no permissions at all, or has none on the given Securable Type and/or instance, an empty collection is returned.

Checking Permissions on a specific Management Group

You can check what Permissions a Principal has on a given Management Group.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Principal/c29tZWRvbWFpblxqb2huLmRvZQ==/ManagementGroup/1 will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "ManagementGroupId": 1,
        "ManagementGroupName": "All Devices",
        "SecurableId": 1,
        "SecurableName": "MySet",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 30,
        "RoleName": "MySet Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 137,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2020-01-02T12:04:04.963Z",
                "ModifiedTimestampUtc": "2020-01-02T12:04:04.963Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving Principal's permissions on a specific Management Group
collapsetrue
permissions = connector.Permissions.GetForPrincipalAndManagementGroup("somedomain\\john.doe", 1);

"permissions" object will contain the same data you can see in the JSON response on the left.

You can also check if a given Principal has a specific Permission on a specific Management Group.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Principal/c29tZWRvbWFpblxqb2huLmRvZQ==/ManagementGroup/1/Type/InstructionSet/ will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "ManagementGroupId": 1,
        "ManagementGroupName": "All Devices",
        "SecurableId": 1,
        "SecurableName": "MySet",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 30,
        "RoleName": "MySet Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 137,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2020-01-02T12:04:04.963Z",
                "ModifiedTimestampUtc": "2020-01-02T12:04:04.963Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving a specific type of Permission that a Principal has on a specific Management Group
collapsetrue
permissions = connector.Permissions.GetForPrincipalAndTypeAndManagementGroupAndInstance("somedomain\\john.doe", 1, 1);

"permissions" object will contain the same data you can see in the JSON response on the left.

Getting permissions for a Role

You can retrieve a Role's permissions by using the Role's Id.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Role/16 will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 12,
        "SecurableTypeName": "ProcessLog",
        "RoleId": 16,
        "RoleName": "Log Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 61,
                "OperationId": 33,
                "OperationName": "Read",
                "CreatedTimestampUtc": "2019-11-07T13:14:56.673Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:56.673Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 13,
        "SecurableTypeName": "SynchronizationLog",
        "RoleId": 16,
        "RoleName": "Log Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 62,
                "OperationId": 34,
                "OperationName": "Read",
                "CreatedTimestampUtc": "2019-11-07T13:14:56.673Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:56.673Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 16,
        "SecurableTypeName": "InfrastructureLog",
        "RoleId": 16,
        "RoleName": "Log Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 63,
                "OperationId": 39,
                "OperationName": "Read",
                "CreatedTimestampUtc": "2019-11-07T13:14:56.673Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:56.673Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving all permissions assigned to a Role
collapsetrue
permissions = connector.Permissions.GetForRole(16);

"permissions" object will contain the same data you can see in the JSON response on the left.

You can also retrieve all permissions a given Role has on a specific Securable Type.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Role/16/Type/ProcessLog will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 12,
        "SecurableTypeName": "ProcessLog",
        "RoleId": 16,
        "RoleName": "Log Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 61,
                "OperationId": 33,
                "OperationName": "Read",
                "CreatedTimestampUtc": "2019-11-07T13:14:56.673Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:56.673Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving permissions that a Role has on a given Securable Type
collapsetrue
permissions = connector.Permissions.GetForRoleAndType(16, "ProcessLog");

"permissions" object will contain the same data you can see in the JSON response on the left.

For Securable Types that support Instances, you can also check Permissions on a specific Instance.

Here we'll get permissions for a custom Role that's been assigned 'Viewer' permissions on an Instruction Set.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Role/30/Type/InstructionSet/1 will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "SecurableId": 1,
        "SecurableName": "Wszystko",
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 30,
        "RoleName": "MySet Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 137,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2020-01-02T12:04:04.963Z",
                "ModifiedTimestampUtc": "2020-01-02T12:04:04.963Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving permissions a Role has on a specific Instance of a Securable Type
collapsetrue
permissions = connector.Permissions.GetForRoleAndTypeAndInstance(30, "InstructionSet", 1);

"permissions" object will contain the same data you can see in the JSON response on the left.

Getting permissions for a Securable Type

You can retrieve permissions granted on a Securable Type using the type's Id. This will return a collection of all permissions on a given type assigned to any of the Roles.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Securable/1 will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 1,
        "RoleName": "Global Administrators",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 1,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            },
            {
                "PermissionId": 2,
                "OperationId": 2,
                "OperationName": "Actioner",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            },
            {
                "PermissionId": 3,
                "OperationId": 3,
                "OperationName": "Questioner",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            },
            {
                "PermissionId": 4,
                "OperationId": 4,
                "OperationName": "Approver",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 5,
        "RoleName": "Global Approvers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 5,
                "OperationId": 4,
                "OperationName": "Approver",
                "CreatedTimestampUtc": "2019-11-07T13:14:52.77Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:52.77Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 6,
        "RoleName": "Global Questioners",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 21,
                "OperationId": 3,
                "OperationName": "Questioner",
                "CreatedTimestampUtc": "2019-11-07T13:14:54.96Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:54.96Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 7,
        "RoleName": "Global Actioners",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 22,
                "OperationId": 2,
                "OperationName": "Actioner",
                "CreatedTimestampUtc": "2019-11-07T13:14:54.96Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:54.96Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 8,
        "RoleName": "Global Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 23,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2019-11-07T13:14:54.96Z",
                "ModifiedTimestampUtc": "2019-11-07T13:14:54.96Z"
            }
        ]
    },
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 27,
        "RoleName": "ServiceNow ITSM Connect",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 136,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2019-11-07T13:18:05.767Z",
                "ModifiedTimestampUtc": "2019-11-07T13:18:05.767Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving all Permissions on a given Securable Type
collapsetrue
permissions = connector.Permissions.GetForSecurableType(1);

"permissions" object will contain the same data you can see in the JSON response on the left.

You can also retrieve permissions granted on a specific Instance of a Securable Type.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/Permissions/Securable/1/1 will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "SecurableId": 1,
        "SecurableName": null,
        "SecurableTypeId": 1,
        "SecurableTypeName": "InstructionSet",
        "RoleId": 30,
        "RoleName": "MySet Viewers",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 137,
                "OperationId": 1,
                "OperationName": "Viewer",
                "CreatedTimestampUtc": "2020-01-02T12:04:04.963Z",
                "ModifiedTimestampUtc": "2020-01-02T12:04:04.963Z"
            }
        ]
    }
]


Use Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving permissions assigned on a specific instance of a Securable Type
collapsetrue
permissions = connector.Permissions.GetForSecurableTypeAndInstance(1, 1);

"permissions" object will contain the same data you can see in the JSON response on the left.

Helper APIs

Consumer API has a number of endpoints that are not directly involved with its RBAC system but instead provide various utility functions around the general principal and permission area.

Who am I?

You can ask the API to return information about the user who's making the request. The API examines the incoming request, retrieves the name of the user from it, makes sure the user is authenticated, and returns a summary of information about the user, such as the user's principal name, SID, display name and email.

This endpoint is useful for systems that cannot assume they're running under a particular account, like a browser or an application running in the context of the launching user. In those cases this endpoint can be used to obtain the name of the user, which is then fed to the Permissions endpoint seen above in order to retrieve the permissions of the caller.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/PrincipalSearch/whoami will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "PrincipalName": "Somedomain\\Jane.Doe",
    "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-19970",
    "Email": "Jane.Doe@SomeDomain.com",
    "DisplayName": "Jane Doe",
    "Photo": null
}


Use PrincipalSearch object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleWho am I?
collapsetrue
user = connector.PrincipalSearch.GetCurrentlyLoggedInUser();

"user" object will contain the same data you can see in the JSON response on the left.

Active Directory search

Because you have to know the SID of a user in order to add them as a Principal, Tachyon's Consumer API exposes endpoints that help you look up users in Active Directory and retrieve information about them, including their SID.

You can perform a search for Active Directory accounts whose common name or sAMAccountName contains a given phrase. Details of the exact search performed are beyond the scope of this page and depend on the type of objects being searched for (users, groups or computers) and on whether your Tachyon installation is using GC or LDAP.

In the examples below we'll be looking for accounts that contain the phrase "Administrator". How you perform this search depends on your version of Tachyon.

Tachyon versions up to and including 4.1

You simply provide a base64 encoded search string and issue a GET request.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/PrincipalSearch/QWRtaW5pc3RyYXRvcg== will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
	{
		"PrincipalName": "SomeDomain\\CSUserAdministrator",
		"ExternalId": "S-1-5-21-1202660629-789336058-1353024091-8145",
		"Email": null,
		"DisplayName": "CSUserAdministrator",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\CSVoiceAdministrator",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343023091-8024",
		"Email": null,
		"DisplayName": "CSVoiceAdministrator",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange Organization Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343324091-6881",
		"Email": null,
		"DisplayName": "Exchange Organization Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange Public Folder Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1340024091-7747",
		"Email": null,
		"DisplayName": "Exchange Public Folder Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange Recipient Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1340024091-6913",
		"Email": null,
		"DisplayName": "Exchange Recipient Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange View-Only Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343024001-6999",
		"Email": null,
		"DisplayName": "Exchange View-Only Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Security Administrator",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343021091-58611",
		"Email": null,
		"DisplayName": "Security Administrator",
		"IsGroup": true
	}
]


Use PrincipalSearch object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleSearching for principals in Active Directory
collapsetrue
results = connector.PrincipalSearch.SearchForPrincipals("Administrator");

"results" object will contain the same data you can see in the JSON response on the left.

Here you have greater control over the search. A POST request should be used and in its payload you can specify, apart from the search string, number of results returned, sort column and order.

You can search for "user" and "group" object types and sort in either ascending (using "ASC") or descending order (using "DESC") on following columns: "cn", "mail", "sAMAccountName", "description", "objectSid", "displayName". Column names, object types and sorting direction string are not case sensitive.

You have to provide the SearchText (the text to search for) and at least one object type. PageSize and Sort are optional and, if not provided, default to 100 and ascending sorting on display name respectively.

One thing that you have to keep in mind about the PageSize property is that, due to internal implementation, it defines the size of the page returned by Active Directory. This means that you can get fewer results than you requested, even if there would have been more to return, because Tachyon filters out users already in the system. As an example, if you define the page size to be 10 and Active Directory has 18 entries that match your search string, it will return 10 entries. Now let us assume that out of those 10 entries 1 user is already in Tachyon. This user will be filtered out of the return data set, so you will receive only 9 entries.

Direct Consumer API call | C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/PrincipalSearch with following payload:

Code Block
languagejs
themeMidnight
titleRequest payload
collapsetrue
{
	"SearchText": "Administrator",
	"ObjectTypes": ["user", "group"],
	"PageSize": 100,
	"Sort": {
		"Column": "displayname",
		"Direction": "ASC"
	}
}

will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
	{
		"PrincipalName": "SomeDomain\\CSUserAdministrator",
		"ExternalId": "S-1-5-21-1202660629-789336058-1353024091-8145",
		"Email": null,
		"DisplayName": "CSUserAdministrator",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\CSVoiceAdministrator",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343023091-8024",
		"Email": null,
		"DisplayName": "CSVoiceAdministrator",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange Organization Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343324091-6881",
		"Email": null,
		"DisplayName": "Exchange Organization Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange Public Folder Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1340024091-7747",
		"Email": null,
		"DisplayName": "Exchange Public Folder Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange Recipient Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1340024091-6913",
		"Email": null,
		"DisplayName": "Exchange Recipient Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Exchange View-Only Administrators",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343024001-6999",
		"Email": null,
		"DisplayName": "Exchange View-Only Administrators",
		"IsGroup": true
	},
	{
		"PrincipalName": "SomeDomain\\Security Administrator",
		"ExternalId": "S-1-5-21-1202660629-789336058-1343021091-58611",
		"Email": null,
		"DisplayName": "Security Administrator",
		"IsGroup": true
	}
]


Use PrincipalSearch object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving 100 entries sorted by displayname
collapsetrue
var searchParams = new ActiveDirectorySearchModel
{
	SearchText = "Administrator",
	ObjectTypes = new List<string> { "user", "group" },
	PageSize = 100,
	Sort = new SortSpec
	{
		Column = "displayname",
		Direction = "ASC"
	}
};

results = connector.PrincipalSearch.SearchForPrincipals(searchParams);

"results" object will contain the same data you can see in the JSON response on the left.

Retrieving Active Directory information about a specific account

You can also retrieve a user's information by their principal name, though this endpoint only returns authenticated users who are also Principals in Tachyon (either directly or through group membership).

This means that in order to obtain information about somedomain\jane.doe using this endpoint, somedomain\jane.doe has to be a domain account that's either a Principal in Tachyon, or belongs to an Active Directory group that is a Principal in Tachyon.

When using the API directly, the principal name has to be base64 encoded. When using the SDK, encoding is not necessary because the SDK performs the encoding internally.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/PrincipalSearch/user/c29tZWRvbWFpblxqYW5lLmRvZQ== will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "PrincipalName": "SomeDomain\\Jane.Doe",
        "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-23842",
        "Email": "jane.doe@somedomain.com",
        "DisplayName": "Jane Doe",
        "IsGroup": false
    }
]


Use PrincipalSearch object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieve information about a principal from Active Directory
collapsetrue
results = connector.PrincipalSearch.SearchForUser("SomeDomain\\Jane.Doe");

"results" object will contain the same data you can see in the JSON response on the left.

Retrieving members of an Active Directory group

You can ask Tachyon to retrieve members of an Active Directory group. This group does not have to be a principal in Tachyon for this functionality to work.

When using the API directly, the group name has to be base64 encoded. When using the SDK, encoding is not necessary because the SDK performs the encoding internally.

In the example below we'll use an AD group called "Tachyon users" and retrieve its members.

Direct Consumer API call | C# code using Consumer SDK library

Making a GET request to https://my.tachyon.server/Consumer/PrincipalSearch/GetMembers/VGFjaHlvbiB1c2Vycw== will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
[
    {
        "PrincipalName": "SomeDomain\\Jane.Doe",
        "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-23842",
        "Email": "jane.doe@somedomain.com",
        "DisplayName": "Jane Doe",
        "IsGroup": false
    },
    {
        "PrincipalName": "SomeDomain\\Meetra.Surnik",
        "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-8631",
        "Email": "Meetra.Surnik@somedomain.com",
        "DisplayName": "Meetra Surnik",
        "IsGroup": false
    },
    {
        "PrincipalName": "SomeDomain\\Keiran.Halcyon",
        "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-1138",
        "Email": "Keiran.Halcyon@somedomain.com",
        "DisplayName": "Keiran Halcyon",
        "IsGroup": false
    }
]


Use PrincipalSearch object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleRetrieving members of an Active Directory group
collapsetrue
results = connector.PrincipalSearch.GetGroupMembers("Tachyon users");

"results" object will contain the same data you can see in the JSON response on the left.


Configuring Tachyon RBAC through the Consumer API

In this section we will look at configuring RBAC emphasizing operations on Principals, Roles and Permissions but also covering Securable Types and Operations later on.

Adding Principals from Active Directory

Adding Principals to Tachyon will be one of the first things you'll do after installing the system. A fresh installation of Tachyon (which in this context means an installation where there was no previous Master database or such database was dropped) will have two Principals - the account used to install the Tachyon Server (to be specific, the account that created the database) and the NT AUTHORITY\Network Service account.

These accounts have limited permissions, so to properly use the system you should add more Principals. In order to add a principal to Tachyon you will need an External Id, also called SID, for the Active Directory account that you wish to add as a principal. You can obtain account details through various means; as we've seen in Active Directory search, Tachyon exposes endpoints that return this information and enable you to search for Active Directory accounts.

Here we'll assume you already have the account details and focus on adding an account as a Principal to Tachyon.

In the example below we'll take the "SomeDomain\Jane.Doe" account and add it to Tachyon.

To add an account as a Principal you'll at the very least need to supply an ExternalId (SID) and Principal Name, though it's advised to also supply a Display Name. Also, unless you set the Enabled flag to true, the newly created account will be disabled by default.

Direct Consumer API call | C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/Principals with following payload:

Code Block
languagejs
themeMidnight
titleRequest payload
collapsetrue
{
    "PrincipalName": "SomeDomain\\Jane.Doe",
    "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-23842",
    "Email": "Jane.Doe@SomeDomain.com",
    "DisplayName": "Jane Doe",
    "IsGroup": false,
    "Enabled": true
}

Will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Id": 3,
    "ExternalId": "S-1-5-21-1202660629-789336058-1343024091-23842",
    "PrincipalName": "SomeDomain\\Jane.Doe",
    "Email": "Jane.Doe@SomeDomain.com",
    "Enabled": true,
    "CreatedTimestampUtc": "2019-11-07T13:14:52.777Z",
    "ModifiedTimestampUtc": "2019-11-07T13:14:52.777Z",
    "SystemPrincipal": false,
    "DisplayName": "Jane Doe",
    "IsGroup": false
}


Use Principals object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleAdding a Principal to Tachyon
collapsetrue
var payload = new Principal
{
    PrincipalName = "SomeDomain\\Jane.Doe",
    ExternalId = "S-1-5-21-1202660629-789336058-1343024091-23842",
    Email = "Jane.Doe@SomeDomain.com",
    DisplayName = "Jane Doe",
    IsGroup = false,
    Enabled = true
};

principal = connector.Principals.Add(payload);

"principal" object will contain the same data you can see in the JSON response on the left.


Note

You cannot add a Principal with the same PrincipalName or ExternalId as another Principal that's already in the system, because both of those values must be unique.

Updating a Principal

Updating a Principal is very similar to adding one. You have to use a PUT verb instead of a POST if using the API directly, or Update method instead of Add if you're using the SDK. You also have to provide an Id that belongs to an existing Principal. Remember, you cannot modify system Principals.

Again, you have to remember that ExternalId and PrincipalName must remain unique so you cannot change Principal's PrincipalName or ExternalId to one that matches another Principal's.

Configuring Roles

Roles are the pivotal point of an RBAC system.

Tachyon comes with a number of pre-defined roles, which should be sufficient to start with, but in time you will most likely create custom roles, either to restrict access to instruction sets or to cover sets of permission required by specific roles within your organization.

Adding, Editing and Removing a Role

First let's look at creating a Role. This can be done either in isolation, where just the role is created and any permissions must be assigned in subsequent call(s), or as a more complete package, where a Role is created along with a set of Permissions, which can include Management Groups.

Regardless of which approach is used, Principals have to be assigned separately.

To create a Role all you require is a name, and this name must be unique. Description can optionally be provided and you can't create system roles.

Direct Consumer API call | C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/Roles with following payload:

Code Block
languagejs
themeMidnight
titleRequest payload
collapsetrue
{
    "Name": "Custom role",
    "Description": "this is a description"
}

Will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Id": 31,
    "Name": "Custom role",
    "Description": "this is a description",
    "CreatedTimestampUtc": "2020-01-21T13:36:55.8956916Z",
    "ModifiedTimestampUtc": "2020-01-21T13:36:55.8956916Z",
    "SystemRole": false
}


Use Roles object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleCreating a Role
collapsetrue
var payload = new Role
{
    Name = "Custom role",
    Description = "this is a description"
};

role = connector.Roles.Add(payload);

"role" object will contain the same data you can see in the JSON response on the left.

Creating a Role with Permissions is possible by joining Role creation we've just seen with creating permissions, which is described a bit later.

This effectively means that we take a regular Role creation payload and add a 'Permissions' property to it. That property is an array of permissions, which we are yet to look at in greater detail.

The example below creates a role, which has "Viewer" and "Approver" permissions on Instruction Set with the Id of 1 and "Actioner", "Questioner", "Viewer" and "Approver" permissions on Instruction Set with the Id of 2. It also has permissions on three Management Groups.

Direct Consumer API call | C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/Roles/Complete with following payload:

Code Block
languagejs
themeMidnight
titleRequest payload
collapsetrue
{
   "Name": "Complete Role 1",
   "Description": "This is a test role",
   "Permissions": [{
       "SecurableId": 2,
       "SecurableTypeId": 1,
       "Allowed": true,
       "Operations": [{
           "OperationId": 2
       },
       {
           "OperationId": 4
       },
       {
           "OperationId": 3
       },
       {
           "OperationId": 1
       }]
   },
   {
       "SecurableId": 1,
       "SecurableTypeId": 1,
       "Allowed": true,
       "Operations": [{
           "OperationId": 1
       },
       {
           "OperationId": 4
       }]
   }]
}

Will yield following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Permissions": [
        {
            "SecurableId": 1,
            "SecurableName": null,
            "SecurableTypeId": 1,
            "SecurableTypeName": "InstructionSet",
            "RoleId": 32,
            "RoleName": "Complete Role 1",
            "Allowed": true,
            "Operations": [
                {
                    "PermissionId": 142,
                    "OperationId": 1,
                    "OperationName": "Viewer",
                    "CreatedTimestampUtc": "2020-01-22T07:18:57.73Z",
                    "ModifiedTimestampUtc": "2020-01-22T07:18:57.73Z"
                },
                {
                    "PermissionId": 143,
                    "OperationId": 4,
                    "OperationName": "Approver",
                    "CreatedTimestampUtc": "2020-01-22T07:18:57.73Z",
                    "ModifiedTimestampUtc": "2020-01-22T07:18:57.73Z"
                }
            ]
        },
        {
            "SecurableId": 2,
            "SecurableName": null,
            "SecurableTypeId": 1,
            "SecurableTypeName": "InstructionSet",
            "RoleId": 32,
            "RoleName": "Complete Role 1",
            "Allowed": true,
            "Operations": [
                {
                    "PermissionId": 138,
                    "OperationId": 2,
                    "OperationName": "Actioner",
                    "CreatedTimestampUtc": "2020-01-22T07:18:57.73Z",
                    "ModifiedTimestampUtc": "2020-01-22T07:18:57.73Z"
                },
                {
                    "PermissionId": 139,
                    "OperationId": 4,
                    "OperationName": "Approver",
                    "CreatedTimestampUtc": "2020-01-22T07:18:57.73Z",
                    "ModifiedTimestampUtc": "2020-01-22T07:18:57.73Z"
                },
                {
                    "PermissionId": 140,
                    "OperationId": 3,
                    "OperationName": "Questioner",
                    "CreatedTimestampUtc": "2020-01-22T07:18:57.73Z",
                    "ModifiedTimestampUtc": "2020-01-22T07:18:57.73Z"
                },
                {
                    "PermissionId": 141,
                    "OperationId": 1,
                    "OperationName": "Viewer",
                    "CreatedTimestampUtc": "2020-01-22T07:18:57.73Z",
                    "ModifiedTimestampUtc": "2020-01-22T07:18:57.73Z"
                }
            ]
        }
    ],
    "Id": 32,
    "Name": "Complete Role 1",
    "Description": "This is a test role",
    "CreatedTimestampUtc": "2020-01-22T07:18:57.7082854Z",
    "ModifiedTimestampUtc": "2020-01-22T07:18:57.7082854Z",
    "SystemRole": false
}


Use Roles object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleCreating a Role with Permissions
collapsetrue
var payload = new Tachyon.SDK.Consumer.Models.Send.RoleWithPermissionsAndManagementGroups
{
    Name = "Complete Role 1",
    Description = "This is a test role",
    Permissions = new AggregatedPermission[]
    {
        new AggregatedPermission
        {
            SecurableId = 2,
            Allowed = true,
            SecurableTypeId = 1,
            Operations = new List<PermissionOperation>
            {
                new PermissionOperation { OperationId = 1 },
                new PermissionOperation { OperationId = 2 },
                new PermissionOperation { OperationId = 3 },
                new PermissionOperation { OperationId = 4 }
            }
        }, 
        new AggregatedPermission
        {
            SecurableId = 1,
            Allowed = true,
            SecurableTypeId = 1,
            Operations = new List<PermissionOperation>
            {
                new PermissionOperation { OperationId = 1 },
                new PermissionOperation { OperationId = 4 }
            }
        }
    }
};

role = connector.Roles.Add(payload);

"role" object will contain the same data you can see in the JSON response on the left.

To update a Role you should use PUT versions of the two endpoints seen above and provide one additional property in the JSON payload - the Id of the Role being modified. If you're using the Consumer SDK, you should call Update method instead of Add and you must provide an Id in the payload object sent to the API.

Since the names of Roles have to be unique, you won't be able to change the name of a Role to one that is the same as another Role.

Changing the Role details with https://my.tachyon.server/Consumer/Roles (or using the Update method in Consumer SDK that takes Role object type) will change just the details of the Role and will not change the permissions in any way. It will not change which Management Groups or Principals are assigned to the Role either.

Changing the Role via https://my.tachyon.server/Consumer/Roles/Complete will not change which Principals are assigned to the Role, but it will change the Permissions and Management Groups. When using this endpoint with PUT verb (or using the Update method in Consumer SDK that takes RoleWithPermissionsAndManagementGroups object type), all of the Permissions for given Role will be replaced with Permissions provided in the payload and all Management Groups will be replaced with Management Groups provided in the payload. This means that if you do not provide Permissions (omit the property, provide a null value or an empty array), all Permissions will be removed from the Role. Likewise, if you do not provide ManagementGroups all Management Groups will be unassigned from the Role.
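
Because a PUT to Roles/Complete replaces rather than merges, it is worth comparing the planned payload with the Role's current state before sending it. The following Python check is an added example, not part of the Consumer API or SDK; it assumes the current Role is available in the shape of the Roles/Complete response shown earlier, and its function names are illustrative.

```python
"""Impact check for a PUT to /Consumer/Roles/Complete (illustrative, not SDK code)."""

# Constructed sample: Role 32 as returned when it was created earlier on this page,
# reduced to the properties the check reads.
CURRENT_ROLE = {
    "Id": 32,
    "Name": "Complete Role 1",
    "Permissions": [
        {"SecurableTypeId": 1, "SecurableId": 1,
         "Operations": [{"OperationId": 1}, {"OperationId": 4}]},
        {"SecurableTypeId": 1, "SecurableId": 2,
         "Operations": [{"OperationId": 2}, {"OperationId": 4},
                        {"OperationId": 3}, {"OperationId": 1}]},
    ],
}


def grants(role):
    """Flatten a Role payload into (SecurableTypeId, SecurableId, OperationId) triples."""
    return {
        (p["SecurableTypeId"], p.get("SecurableId"), op["OperationId"])
        for p in role.get("Permissions") or []
        for op in p.get("Operations") or []
    }


def _order(triple):
    # SecurableId may be null in these payloads; sort such entries first.
    return (triple[0], -1 if triple[1] is None else triple[1], triple[2])


def put_complete_impact(current, planned):
    """Describe what replacing `current` with `planned` would take away or add."""
    before, after = grants(current), grants(planned)
    return {
        # Omitted, null and empty all mean "remove everything" for this endpoint.
        "sends_no_permissions": not planned.get("Permissions"),
        "sends_no_management_groups": not planned.get("ManagementGroups"),
        "dropped": sorted(before - after, key=_order),
        "added": sorted(after - before, key=_order),
    }


def ensure_reviewed(impact, allow_removals=False):
    """Raise unless the caller has explicitly accepted the removals in `impact`."""
    if impact["dropped"] and not allow_removals:
        raise ValueError(f"PUT would remove {len(impact['dropped'])} granted operation(s)")
    return impact


if __name__ == "__main__":
    # A payload meant only to change the description, with Permissions left out.
    rename_only = {"Id": 32, "Name": "Complete Role 1", "Description": "Updated text"}
    print(put_complete_impact(CURRENT_ROLE, rename_only))
```

A true `sends_no_management_groups` flag matters only if the Role currently has Management Groups assigned, which this check does not read.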


Deleting a role is straightforward and you just need its Id. You can also delete multiple Roles in one call by providing a collection of Role Ids. In either case, you cannot delete a system Role.

Direct Consumer API call | C# code using Consumer SDK library

To delete a single Role make a DELETE request to https://my.tachyon.server/Consumer/Roles/31, which will delete the Role with the Id of 31.

To delete multiple Roles, make a DELETE request and send an array of Ids to https://my.tachyon.server/Consumer/Roles. To delete Roles with Ids 31, 32, 33 and 34 you would send this payload:

Code Block
languagejs
themeMidnight
titleRequest payload
collapsetrue
[31,32,33,34]


Use Roles object inside the Tachyon connector instance.
To delete a single Role:

Code Block
languagec#
themeMidnight
titleDeleting the Role with Id 31
collapsetrue
connector.Roles.Delete(31);

To delete multiple Roles:

Code Block
languagec#
themeMidnight
titleDeleting Roles with Ids 31,32,33 and 34.
collapsetrue
connector.Roles.DeleteMultiple(new List<int> {31, 32, 33, 34});


Adding and removing Permissions to a Role

The main method of assigning Permissions is to send two collections, one with Permissions that need to be added or updated and another one with Permissions that should be removed.

Crafting the correct payload should be done carefully as omitting an entry can result in deletion of an existing Permission.

The PermissionsToSaveOrUpdate collection should contain the permissions you want to either add or modify. You only need to provide Ids; names are ignored. It is important to understand when the system considers a given operation an 'update' and when a 'creation', as it will behave slightly differently.

Because a Permission is, effectively, a link between a Securable Type and a Role, with possible addition of Securable Id, those three properties define it. Operations are considered a property of a Permission and they are always considered together - i.e. a single Permission can Allow or Deny a set of Operations, but it cannot mix and match.

When you request a Permission to be added or updated, Consumer API will look at the SecurableId, SecurableTypeId and RoleId properties provided and check for any permissions already existing for this combination of values. If none are found, a new permission is added with the operations specified in the payload. If an entry is found, then Operations are examined next. If the existing Permission has Operations that aren't present in the Permission sent to the API, they are removed. Any operations present in the Permission sent to the API that do not exist in the Permission that is already in the system are added.

As you might have noticed, PermissionsToSaveOrUpdate can be used to remove Permissions by omitting Operations you want to remove. Furthermore, if you provide a Permission without any Operations, the entire Permission is removed.

Let's look at an example that should help us better understand how this functionality works.

Let us assume that we have a Permission on Instruction Set "My set" assigned to Role "Custom Role" with just one Operation, "Viewer". "My Set" has the Id of 4, "Custom Role" has the Id of 31, "Instruction Set" Securable Type has the Id of 1 and "Viewer" has the Id of 1. This means that the existing Permission will look as follows:

Code Block
languagejs
titleExisting Permission
{
    "Allowed": true,
    "SecurableTypeId": 1,
    "SecurableId": 4,
    "RoleId": 31,
    "Operations": [
		{
        	"OperationId": 1
        }
	]
}

Now let us assume that a request comes into the Consumer API that looks as follows:

Code Block
languagejs
titleRequest payload
{
    "PermissionsToSaveOrUpdate": [
        {
            "Allowed": true,
            "SecurableTypeId": 1,
            "SecurableId": 4,
            "RoleId": 31,
            "Operations": [
				{
		        	"OperationId": 1
		        },
				{
		        	"OperationId": 3
		        }
			]
        }
    ],
    "PermissionsToDelete": []
}

This request matches a Permission we already have, because it has the same SecurableId, SecurableTypeId and RoleId, but the Operations are slightly different - Id of 3 has been added, which represents the 'Questioner' Operation. Following the rules outlined above, the API will match this to the existing Permission and see that the Operation with the Id of 1 already exists, so no action is needed, but the Operation with the Id of 3 doesn't exist, so it needs to be added. Afterwards we will end up with a permission that looks like this:

Code Block
languagejs
titleExisting Permission
{
    "Allowed": true,
    "SecurableTypeId": 1,
    "SecurableId": 4,
    "RoleId": 31,
    "Operations": [
		{
        	"OperationId": 1
        },
		{
        	"OperationId": 3
        }
	]
}

If we were now to make another request with the following payload:

Code Block
languagejs
titleRequest payload
{
    "PermissionsToSaveOrUpdate": [
        {
            "Allowed": true,
            "SecurableTypeId": 1,
            "SecurableId": 4,
            "RoleId": 31,
            "Operations": [
				{
		        	"OperationId": 2
		        },
				{
		        	"OperationId": 4
		        }
			]
        }
    ],
    "PermissionsToDelete": []
}

The Consumer API will again recognise that a Permission already exists that matches the one in the payload and will examine the Operations. Because neither Operation 1 nor 3, which do exist in the Permission already in the system, is present in the payload, they will be removed. Operations 2 and 4 (Actioner and Approver respectively) do not exist in the Permission so they will be added, and the changes made will result in a Permission that looks like this:

Code Block
languagejs
titleExisting Permission
{
    "Allowed": true,
    "SecurableTypeId": 1,
    "SecurableId": 4,
    "RoleId": 31,
    "Operations": [
		{
        	"OperationId": 2
        },
		{
        	"OperationId": 4
        }
	]
}

As a last example let's look at what will happen when we send this payload to the API:

Code Block
languagejs
titleRequest payload
{
    "PermissionsToSaveOrUpdate": [
        {
            "Allowed": true,
            "SecurableTypeId": 1,
            "SecurableId": 4,
            "RoleId": 31,
            "Operations": []
        }
    ],
    "PermissionsToDelete": []
}

Again, the system will recognise this as an existing Permission and will remove Operations 2 and 4 because they do not exist in the request payload. But since there are no Operations to add, the entire Permission will be removed.
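
The rules above can be checked before a payload is sent. The following is an added example, not part of the Consumer API or SDK: a Python model of the described PermissionsToSaveOrUpdate behaviour that reports which Operations a request would add or remove, replaying the three requests from the walk-through. PermissionsToDelete is not modelled, the function names are illustrative, and the handling of an unmatched entry with no Operations is an assumption.

```python
"""Pre-flight model of the PermissionsToSaveOrUpdate rules (illustrative, not SDK code)."""

# The existing Permission from the walk-through: "Viewer" (1) on Instruction Set 4, Role 31.
EXISTING = {
    "Allowed": True,
    "SecurableTypeId": 1,
    "SecurableId": 4,
    "RoleId": 31,
    "Operations": [{"OperationId": 1}],
}


def permission_key(permission):
    """Identity of a Permission: Securable Type, Securable Id (may be None) and Role."""
    return (
        int(permission["SecurableTypeId"]),
        permission.get("SecurableId"),
        int(permission["RoleId"]),  # tolerate "31" as well as 31
    )


def operation_ids(permission):
    """Operation Ids carried by a Permission; only Ids matter, names are ignored."""
    return {int(op["OperationId"]) for op in permission.get("Operations") or []}


def index_permissions(permissions):
    """Index API-shaped permissions by identity, keeping only their Operation Ids."""
    return {permission_key(p): operation_ids(p) for p in permissions}


def reconcile(state, payload):
    """Apply the described rules to `state`; return (plan, new_state) without side effects."""
    new_state = {key: set(ops) for key, ops in state.items()}
    plan = []
    for entry in payload.get("PermissionsToSaveOrUpdate") or []:
        key, wanted = permission_key(entry), operation_ids(entry)
        had = new_state.get(key)
        if had is None:
            # Nothing stored for this combination: the Permission is created as sent.
            # Assumption: an unmatched entry with no Operations changes nothing.
            action, added, removed = ("create" if wanted else "no-change"), wanted, set()
        else:
            added, removed = wanted - had, had - wanted
            if not wanted:
                action = "remove-permission"
            elif added or removed:
                action = "update"
            else:
                action = "no-change"
        if wanted:
            new_state[key] = set(wanted)
        else:
            new_state.pop(key, None)
        plan.append({"key": key, "action": action,
                     "added": sorted(added), "removed": sorted(removed)})
    return plan, new_state


def destructive(plan):
    """Steps that take Operations away; review these before sending the request."""
    return [step for step in plan if step["removed"]]


def request(operation_list):
    """Build a walk-through request for Instruction Set 4 / Role 31."""
    return {
        "PermissionsToSaveOrUpdate": [{
            "Allowed": True, "SecurableTypeId": 1, "SecurableId": 4, "RoleId": 31,
            "Operations": [{"OperationId": i} for i in operation_list],
        }],
        "PermissionsToDelete": [],
    }


def walk_through():
    """Replay the three requests from the text and record each step's effect."""
    state = index_permissions([EXISTING])
    history = []
    for ops in ([1, 3], [2, 4], []):
        plan, state = reconcile(state, request(ops))
        step = plan[0]
        history.append((step["action"], step["added"], step["removed"],
                        {key: sorted(v) for key, v in state.items()}))
    return history


if __name__ == "__main__":
    for action, added, removed, state in walk_through():
        print(f"{action:18} added={added} removed={removed} -> {state}")
```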

Lastly, let's look at what an example API call would look like:

Direct Consumer API call | C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/Permissions with following payload:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/Permissions
collapsetrue
{
    "PermissionsToSaveOrUpdate": [
        {
            "Allowed": true,
            "SecurableTypeId": 5,
            "SecurableId": null,
            "RoleId": "31",
            "Operations": [
                {
                    "OperationId": 12
                },
                {
                    "OperationId": 13
                }
            ]
        }
    ],
    "PermissionsToDelete": []
}

will yield the following response:

Code Block
languagejs
themeMidnight
titleResponse payload
collapsetrue
[
    {
        "SecurableId": null,
        "SecurableName": null,
        "SecurableTypeId": 5,
        "SecurableTypeName": "CustomProperty",
        "RoleId": 31,
        "RoleName": "Custom Role",
        "Allowed": true,
        "Operations": [
            {
                "PermissionId": 191,
                "OperationId": 12,
                "OperationName": "Read",
                "CreatedTimestampUtc": "2020-01-23T14:47:13.023Z",
                "ModifiedTimestampUtc": "2020-01-23T14:47:13.023Z"
            },
            {
                "PermissionId": 192,
                "OperationId": 13,
                "OperationName": "Write",
                "CreatedTimestampUtc": "2020-01-23T14:47:13.023Z",
                "ModifiedTimestampUtc": "2020-01-23T14:47:13.023Z"
            }
        ]
    }
]


Use the Permissions object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleCreating Permissions
collapsetrue
var payload = new PermissionsSaveContainer
{
    PermissionsToSaveOrUpdate = new List<AggregatedPermission>
    {
        new AggregatedPermission
        {
            RoleId = 31,
            SecurableTypeId = 5,
            Operations = new List<PermissionOperation>
            {
                new PermissionOperation
                {
                    OperationId = 12
                },
                new PermissionOperation
                {
                    OperationId = 13
                }
            }
        }
    }
};
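// AddOrUpdate replaces the Operations of a matching Permission with those in the payload.
var permissions = connector.Permissions.AddOrUpdate(payload);

The "permissions" object will contain the same data you can see in the JSON response to the direct Consumer API call above.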

Configuring Management Groups

Management Groups can only be assigned to a Role which has Permission to at least one Instruction Set. This prerequisite stems from internal implementation and it has to be taken into account when designing Permissions in your system.

The example below assumes that the Role "Custom Role" with the Id of 31 has at least one Instruction Set Permission assigned to it.

You can assign or unassign either a single Management Group or a collection of Management Groups. To assign a single Management Group to a Role, issue a POST request to https://my.tachyon.server/Consumer/Roles/[role Id]/ManagementGroups/[management group id]. For instance, to assign the Management Group with the Id of 7 to the Role with the Id of 31, call https://my.tachyon.server/Consumer/Roles/31/ManagementGroups/7.

Making a DELETE request instead of POST will result in the Management Group being unassigned from the Role.

These requests do not require any payload because all information is already present in the URI. Consumer SDK equivalents are Roles.AddPermissionForManagementGroup(...) and Roles.RemovePermissionForManagementGroup(...) respectively, which simply take the Ids of the Role and the Management Group.

To assign or unassign Management Groups in bulk, send a POST or DELETE request respectively to https://my.tachyon.server/Consumer/Roles/ManagementGroups. An example of the payload that should be sent with the request is shown below.

Direct Consumer API call | C# code using Consumer SDK library

To assign multiple Management Groups to a Role in a single call, make a POST request to https://my.tachyon.server/Consumer/Roles/ManagementGroups with the following payload:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/Roles/ManagementGroups
collapsetrue
{
  "RoleId": 31,
  "ManagementGroupIds": [4,5]
}

which will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Role": {
        "Id": 31,
        "Name": "Custom role",
        "Description": "this is a description",
        "CreatedTimestampUtc": "2020-01-21T13:36:55.897Z",
        "ModifiedTimestampUtc": "2020-01-21T13:36:55.897Z",
        "SystemRole": false
    },
    "ManagementGroups": [
        {
            "Id": 4,
            "Name": "Management group number 3 from repository Default Inventory",
            "Description": "This is the description for Management group number 3 from repository Default Inventory",
            "Expression": "",
            "Type": 2,
            "Count": 0,
            "UsableId": "3",
            "HashOfMembers": "24D13054496E24C95774CD8E983B09C2487D60819C627750B1C16FFDEDB23DF9",
            "CreatedTimestampUtc": "2019-12-02T12:01:21.667Z",
            "ModifiedTimestampUtc": "2020-01-08T16:31:02.807Z"
        },
        {
            "Id": 5,
            "Name": "Management group number 4 from repository Default Inventory",
            "Description": "This is the description for Management group number 4 from repository Default Inventory",
            "Expression": "",
            "Type": 2,
            "Count": 0,
            "UsableId": "4",
            "HashOfMembers": "7784ED3BDA9B79F8635E728E1E0F529200D44F3F7AABAE1A26B2ABA6DB957EDB",
            "CreatedTimestampUtc": "2019-12-02T12:01:21.67Z",
            "ModifiedTimestampUtc": "2020-01-08T16:31:02.893Z"
        }
    ]
}


Use the Roles object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleAssigning Management Groups to a Role
collapsetrue
var payload = new Tachyon.SDK.Consumer.Models.Send.ManagementGroupsForRole
{
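    RoleId = 31,
    ManagementGroupIds = new List<int> { 4, 5 }
};
// The Role must already have Permission to at least one Instruction Set.
var role = connector.Roles.AddPermissionForManagementGroups(payload);

The "role" object will contain the same data you can see in the JSON response to the direct Consumer API call above.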

Unassigning Management Groups from a role is a mirror operation using the DELETE verb on the same web address:

Direct Consumer API call | C# code using Consumer SDK library

To unassign multiple Management Groups from a Role in a single call, make a DELETE request to https://my.tachyon.server/Consumer/Roles/ManagementGroups with the following payload:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/Roles/ManagementGroups
collapsetrue
{
  "RoleId": 31,
  "ManagementGroupIds": [4]
}

This call will not return any data.

Use the Roles object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleUnassigning Management Groups from a Role
collapsetrue
var payload = new Tachyon.SDK.Consumer.Models.Send.ManagementGroupsForRole
{
    RoleId = 31,
    ManagementGroupIds = new List<int> { 4 }
};
connector.Roles.RemovePermissionForManagementGroups(payload);


Configuring Securable Types and Applicable Operations

We have already seen how to retrieve Securable Types and now we'll look at how we can create and modify them.

All you need to create a Securable Type is a name, which must be unique.

In order to delete a Securable Type, you first have to delete all Permissions that use that Securable Type and all Applicable Operations linked to it.

Direct Consumer API call | C# code using Consumer SDK library

Making a POST request to https://my.tachyon.server/Consumer/SecurableTypes with the following payload:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/SecurableTypes
collapsetrue
{
    "Name": "Custom securable type"
}

will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Id": 26,
    "Name": "Custom securable type",
    "CreatedTimestampUtc": "2020-01-24T14:36:23.8756464Z",
    "ModifiedTimestampUtc": "2020-01-24T14:36:23.8756464Z",
    "Operations": null
}


Use the SecurableTypes object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleCreating a new Securable Type
collapsetrue
var payload = new SecurableType
{
    Name = "Custom securable type"
};
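// The new Securable Type is created without any Applicable Operations.
var securableType = connector.SecurableTypes.Add(payload);

The "securableType" object will contain the same data you can see in the JSON response to the direct Consumer API call above.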

If you wish to update a securable type you'll have to provide its Id:

Direct Consumer API call | C# code using Consumer SDK library

Making a PUT request to https://my.tachyon.server/Consumer/SecurableTypes with the following payload:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/SecurableTypes
collapsetrue
{
    "Id": 26,
    "Name": "Modified securable type"
}

will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Id": 26,
    "Name": "Modified securable type",
    "CreatedTimestampUtc": "2020-01-24T14:36:23.8756464Z",
    "ModifiedTimestampUtc": "2020-01-24T14:38:24.8756464Z",
    "Operations": null
}


Use the SecurableTypes object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleModifying an existing Securable Type
collapsetrue
var payload = new SecurableType
{
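    Id = 26,
    Name = "Modified securable type"
};
// The Id identifies the Securable Type to update; the Name is the new value.
var securableType = connector.SecurableTypes.Update(payload);

The "securableType" object will contain the same data you can see in the JSON response to the direct Consumer API call above.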

And to delete this Securable Type:

Direct Consumer API call | C# code using Consumer SDK library

Make a DELETE request to https://my.tachyon.server/Consumer/SecurableTypes/26

This call will not yield any response.

Use the SecurableTypes object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleDeleting a Securable Type
collapsetrue
connector.SecurableTypes.Delete(26);


It is worth noting that Securable Types are created "empty" and that Applicable Operations have to be created separately.

Dealing with Operations

Applicable Operations exist only in the context of a Securable Type. While Applicable Operations must be unique within a single Securable Type, they do not have to be unique between Securable Types.

To create an Operation you have to provide either the Id or the Name (but not both) of the Securable Type for which the Operation should be created. In the example below we'll use the Securable Type we've just created, which has the Id of 26.

Direct Consumer API call | C# code using Consumer SDK library

Make a POST request to https://my.tachyon.server/Consumer/ApplicableOperations with this payload to use the Securable Type Id:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/ApplicableOperations
collapsetrue
{
  "OperationName": "View",
  "SecurableTypeId": 26
}

or with this payload to use Securable Type Name:

Code Block
languagejs
themeMidnight
titlePayload sent to https://my.tachyon.server/Consumer/ApplicableOperations
collapsetrue
{
  "OperationName": "View",
  "SecurableTypeName": "Modified securable type"
}

Both will yield the following response:

Code Block
languagejs
themeMidnight
titleReturn payload
collapsetrue
{
    "Id": 63,
    "OperationName": "View",
    "SecurableTypeId": 26,
    "SecurableTypeName": "Modified securable type"
}


Use the ApplicableOperations object inside the Tachyon connector instance.

To use Securable Type Id:

Code Block
languagec#
themeMidnight
titleCreating a new Applicable Operation
collapsetrue
var payload = new ApplicableOperation
{
    SecurableTypeId = 26,
    OperationName = "View"
};
var operation = connector.ApplicableOperations.Add(payload);

To use Securable Type Name:

Code Block
languagec#
themeMidnight
titleCreating a new Applicable Operation
collapsetrue
var payload = new ApplicableOperation
{
    SecurableTypeName = "Modified securable type",
    OperationName = "View"
};
var operation = connector.ApplicableOperations.Add(payload);

The "operation" object will contain the same data you can see in the JSON response to the direct Consumer API call above.

To delete an Operation you just need its Id.

Direct Consumer API call | C# code using Consumer SDK library

Make a DELETE request to https://my.tachyon.server/Consumer/ApplicableOperations/63

Use the ApplicableOperations object inside the Tachyon connector instance.

Code Block
languagec#
themeMidnight
titleDeleting an Applicable Operation
collapsetrue
connector.ApplicableOperations.Delete(63);