IAM Policies API

IAM Policies API Reference

Note: This page is primarily intended for developers who will be writing applications that will use DataTrails for provenance. If you are looking for a simple way to test our API you might prefer our Postman collection, the YAML runner or the Developers section of the web UI.

Additional YAML examples can be found in the articles in the Overview section.

IAM Policies API Examples

Create the bearer_token and store in a file in a secure local directory with 0600 permissions.
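One way to follow the storage advice above, as an added example (not DataTrails code): create the header file with mode 0600 from the moment it exists, and check it before each use. It assumes the file holds a single Authorization: Bearer header line for curl's -H "@file" form; the function names are hypothetical.

```python
import os
import stat
import tempfile


def write_header_file(path, token):
    """Create the curl header file so it is never readable by group/other."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    # O_EXCL refuses to reuse an existing file; O_NOFOLLOW refuses a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)  # explicit, independent of the caller's umask
        # Assumed file content: one header line, as read by curl -H "@file".
        os.write(fd, f"Authorization: Bearer {token}\n".encode())
    finally:
        os.close(fd)


def check_header_file(path):
    """Return a list of problems; an empty list means the file is safe to use."""
    st = os.lstat(path)  # lstat so a symlink is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("owned by another user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} exposes the token to group/other")
    parent = os.stat(os.path.dirname(path) or ".")
    if stat.S_IMODE(parent.st_mode) & 0o022:
        problems.append("parent directory is group/world writable")
    return problems


if __name__ == "__main__":
    # Constructed demo in a throwaway directory; the token value is a placeholder.
    demo = os.path.join(tempfile.mkdtemp(), "datatrails", "bearer-token.txt")
    write_header_file(demo, "PLACEHOLDER-TOKEN")
    print(check_header_file(demo))
    os.chmod(demo, 0o644)
    print(check_header_file(demo))
```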

An ABAC policy is used to share permissions with Non-Administrators within your Tenancy. A Non-Administrator could be a user who has been added using the Invites API or could be an App Registration used for client credentials, which are created as Non-Root by default.

To create an ABAC Policy, you should use the user_attributes keyword. Specify email for invited users, and subject, using the client-id of your credentials, for App Registrations.

You may also set permissions based on the Custom Claims of an App Registration using JSON Web Tokens (JWTs). To do so, you must include the prefix jwt_ followed by the desired claim as one of the user_attributes in the policy. For example, use the key jwt_app_reg_role to match on the claim app_reg_role.

An OBAC policy is used to share with the Administrators of an external organization.

To begin sharing with OBAC, you must first import your collaborator’s Organization ID using either the IAM Subjects API or the instructions in the administration section.

This will return a subjects/<UUID> object you would then specify with the subjects keyword to make it an OBAC Policy.

Note: To accept a Subject import request, both organizations must have imported the other’s Subject ID. This acknowledges that the organizations wish to share with each other.

As both ABAC and OBAC use the same filter syntax, it is possible to have a mix of internal and external sharing within a single policy.

Note: Learn more about ABAC and OBAC policies in our DataTrails Basics guides.

IAM Policy Creation

The following example shows how you can mix the user_attributes keyword for ABAC and subjects keyword for OBAC.

Define the access_policies parameters and store in /path/to/jsonfile:

{
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        { "or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        { "or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        { "or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Create the Access Policy:

curl -v -X POST \
    -H "@$HOME/.datatrails/bearer-token.txt" \
    -H "Content-type: application/json" \
    -d "@/path/to/jsonfile" \
    https://app.datatrails.ai/archivist/iam/v1/access_policies

The response is:

{
    "identity": "access_policies/3f5be24f-fd1b-40e2-af35-ec7c14c74d53",
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Note: Access policies are applied to the Asset. This means that when a policy is created or updated, an Event will be recorded in the audit trail of matching Assets from the Actor Archivist Internal.

IAM Policy Retrieval

IAM Access Policy records in DataTrails are tokenized at creation time and referred to in all API calls and smart contracts throughout the system by a unique identity of the form:

access_policies/12345678-90ab-cdef-1234-567890abcdef

If you do not know the Access Policy ID you can fetch IAM Access Policy records using other information you do know, such as the Access Policy name.

Fetch all IAM access_policies (v1)

To fetch all IAM access_policies records, simply GET the iam/access_policies resource:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/access_policies

Fetch specific IAM access Policy by identity (v1)

If you know the unique identity of the IAM access policy Record simply GET the resource:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/access_policies/6a951b62-0a26-4c22-a886-1082297b063b

Fetch IAM Access Policies by name (v1)

To fetch all IAM access_policies with a specific name, GET the iam/access_policies resource and filter on display_name:

curl -g -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     "https://app.datatrails.ai/archivist/iam/v1/access_policies?display_name=Some%20description"

Each of these calls returns a list of matching IAM Access Policies records in the form:

{
    "access_policies": [
        {
            "identity": "access_policies/6a951b62-0a26-4c22-a886-1082297b063b",
            "display_name": "Name to display",
            "description": "Description of the policy",
            "filters": [
                {"or": [
                    "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
                    "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
                ]},
                {"or": [
                    "attributes.arc_display_type=Valve",
                    "attributes.arc_display_type=Pump"
                ]},
                {"or": [
                    "attributes.ext_vendor_name=SynsationIndustries"
                ]}
            ],
            "access_permissions": [
                {
                    "asset_attributes_read": [ "toner_colour", "toner_type" ],
                    "asset_attributes_write":["toner_colour"],
                    "behaviours": [ "RecordEvidence" ],
                    "event_arc_display_type_read": ["toner_type", "toner_colour"],
                    "event_arc_display_type_write": ["toner_replacement"],
                    "include_attributes": [ "arc_display_name", "arc_display_type" ],
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        },
        {
            "identity": "access_policies/12345678-0a26-4c22-a886-1082297b063b",
            "display_name": "Some other description",
            "filters": [
                {"or": ["attributes.arc_display_type=door_access_reader"]}
            ],
            "access_permissions": [
                {
                    "asset_attributes_read": [ "toner_colour", "toner_type" ],
                    "asset_attributes_write":["toner_colour"],
                    "behaviours": [ "RecordEvidence" ],
                    "event_arc_display_type_read": ["toner_type", "toner_colour"],
                    "event_arc_display_type_write": ["toner_replacement"],
                    "include_attributes": [ "arc_display_name", "arc_display_type" ],
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        }
    ]
}
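An added example, not part of the DataTrails documentation: a reviewer's pass over a list response in the form above, reporting for each access_permissions entry whether it shares internally (user_attributes), externally (subjects) or both, and flagging write lists that reach external subjects. The sample response is constructed, the function names are hypothetical, and it assumes every permission list in an entry applies to every principal named in that entry.

```python
import json

# Keys in an access_permissions entry that grant write access (names taken from the page).
WRITE_KEYS = ("asset_attributes_write", "event_arc_display_type_write")

# Constructed sample in the list-response form; identities and values are made up.
SAMPLE_RESPONSE = json.loads("""
{
  "access_policies": [
    {
      "identity": "access_policies/00000000-0000-0000-0000-000000000001",
      "display_name": "Toner maintenance (constructed)",
      "access_permissions": [
        {
          "asset_attributes_read": ["toner_colour", "toner_type"],
          "asset_attributes_write": ["toner_colour"],
          "behaviours": ["RecordEvidence"],
          "subjects": ["subjects/00000000-0000-0000-0000-0000000000aa"],
          "user_attributes": [{"or": ["group:maintainers", "group:supervisors"]}]
        }
      ]
    },
    {
      "identity": "access_policies/00000000-0000-0000-0000-000000000002",
      "display_name": "App registration read-only (constructed)",
      "access_permissions": [
        {
          "asset_attributes_read": ["toner_type"],
          "behaviours": [],
          "user_attributes": [
            {"or": ["jwt_app_reg_role:reader", "email:alice@example.com"]}
          ]
        }
      ]
    }
  ]
}
""")


def principals(entry):
    """Split one access_permissions entry into external subjects and internal matchers."""
    external = list(entry.get("subjects", []))
    internal = []
    for clause in entry.get("user_attributes", []):
        for item in clause.get("or", []):
            # "group:maintainers" -> ("group", "maintainers")
            key, _, value = item.partition(":")
            internal.append((key, value))
    return external, internal


def audit(response):
    """Return one row per access_permissions entry describing who gets what."""
    rows = []
    for policy in response.get("access_policies", []):
        for index, entry in enumerate(policy.get("access_permissions", [])):
            external, internal = principals(entry)
            if external and internal:
                kind = "ABAC+OBAC"
            elif external:
                kind = "OBAC"
            elif internal:
                kind = "ABAC"
            else:
                kind = "no principals"
            writes = {k: entry[k] for k in WRITE_KEYS if entry.get(k)}
            rows.append({
                "policy": policy.get("identity"),
                "entry": index,
                "kind": kind,
                "external_subjects": external,
                # Claim names matched through the jwt_ prefix, e.g. app_reg_role.
                "jwt_claims": sorted({k[4:] for k, _ in internal if k.startswith("jwt_")}),
                "writes": writes,
                # Write access that reaches another organization deserves a second look.
                "external_write": bool(external and writes),
            })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSE):
        flag = "REVIEW" if row["external_write"] else "ok"
        print(f'{flag:6} {row["policy"]} entry {row["entry"]}: {row["kind"]}, '
              f'writes={sorted(row["writes"])}, jwt_claims={row["jwt_claims"]}')
```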

IAM Policy Deletion

To delete an IAM Access Policy, issue the following request:

curl -v -X DELETE \
    -H "@$HOME/.datatrails/bearer-token.txt" \
    -H "Content-type: application/json" \
    https://app.datatrails.ai/archivist/iam/v1/access_policies/47b58286-ff0f-11e9-8f0b-362b9e155667

The response is:

{}

IAM Policy Update

Define the Access Policy parameters to be changed and store in /path/to/jsonfile:

{
   "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Update the Access Policy:

curl -v -X PATCH \
    -H "@$HOME/.datatrails/bearer-token.txt" \
    -H "Content-type: application/json" \
    -d "@/path/to/jsonfile" \
    https://app.datatrails.ai/archivist/iam/v1/access_policies/47b58286-ff0f-11e9-8f0b-362b9e155667

The response is:

{
    "identity": "access_policies/3f5be24f-fd1b-40e2-af35-ec7c14c74d53",
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Matching Assets with IAM Policies

IAM Access Policy records in DataTrails are tokenized at creation time and referred to in all API calls and smart contracts throughout the system by a unique identity of the form:

access_policies/12345678-90ab-cdef-1234-567890abcdef

If you do not know the Access Policy ID you can fetch IAM Access Policy records using other information you do know, such as the Access Policy name.

Fetch all Assets Matching Specific IAM Access Policy (v1)

If you know the unique identity of the IAM Access Policy Record simply GET the resource:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/access_policies/6a951b62-0a26-4c22-a886-1082297b063b/assets

Each of these calls returns a list of matching Asset records in the form:

{
    "assets": [
        {
        "identity": "assets/6a951b62-0a26-4c22-a886-1082297b063b",
        "behaviours": [
            "RecordEvidence"
        ],
        "attributes": {
            "arc_display_type": "Pump",
            "arc_firmware_version": "1.0",
            "arc_home_location_identity": "locations/866790d8-4ed6-4cc9-8f60-07672609b331",
            "arc_serial_number": "vtl-x4-07",
            "arc_description": "Pump at A603 North East",
            "arc_display_name": "tcl.ccj.003",
            "some_custom_attribute": "value",
            "arc_primary_image": {
                "arc_attribute_type": "arc_attachment",
                "arc_blob_hash_value": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
                "arc_blob_identity": "blobs/1754b920-cf20-4d7e-9d36-9ed7d479744d",
                "arc_blob_hash_alg": "SHA256",
                "arc_file_name": "somepic.jpeg",
                "arc_display_name": "arc_primary_image"
            }
        },
        "confirmation_status": "COMMITTED",
        "tracked": "TRACKED"
        }
    ]
}

Fetch all IAM access_policies Matching Specific Asset (v1)

If you know the unique identity of the Asset Record simply GET matching policies:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/assets/6a951b62-0a26-4c22-a886-1082297b063b/access_policies

Each of these calls returns a list of matching IAM access_policies records in the form:

{
    "access_policies": [
        {
            "identity": "access_policies/6a951b62-0a26-4c22-a886-1082297b063b",
            "display_name": "Some description",
            "filters": [
                { "or": [
                    "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
                    "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
                ]},
                { "or": [
                    "attributes.arc_display_type=Valve",
                    "attributes.arc_display_type=Pump"
                ]},
                { "or": [
                    "attributes.ext_vendor_name=SynsationIndustries"
                ]}
            ],
            "access_permissions": [
                {
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "behaviours": [  "RecordEvidence"  ],
                    "include_attributes": [ "arc_display_name", "arc_display_type" ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        },
        {
            "identity": "access_policies/12345678-0a26-4c22-a886-1082297b063b",
            "display_name": "Some other description",
            "filters": [
                { "or": ["attributes.arc_display_type=door_access_reader"]}
            ],
            "access_permissions": [
                {
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "behaviours": [ "RecordEvidence" ],
                    "include_attributes": [ "arc_display_name", "arc_display_type" ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        }
    ]
}

IAM Policies OpenAPI Docs

API to manage Identity Access Management AccessPolicies.

get  /archivist/iam/v1/access_policies

List access policies

Description: Returns a paginated list of access_policies

{
  "access_policies": [
    {
      "access_permissions": [
        {
          "asset_attributes_read": [
            "attribute1",
            "attribute2"
          ],
          "behaviours": [
            "behaviour1",
            "behaviour2"
          ],
          "subjects": [
            "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
            "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
          ],
          "user_attributes": [
            {
              "or": [
                "group:maintainers",
                "group:supervisors"
              ]
            }
          ]
        }
      ],
      "display_name": "Some description",
      "filters": [
        {
          "or": [
            "location=basingstoke",
            "location=cambridge"
          ]
        },
        {
          "or": [
            "asset_type=door_access_reader"
          ]
        }
      ],
      "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
    }
  ],
  "page_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InN0dW50aWR"
}

Response Parameter  Type    Description
access_policies     array   Describes an Access Policy for OBAC
next_page_token     string  Token to retrieve the next page of results or empty if there are none.

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
403        Returned when the user is not authorized to list the access policy.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.

post  /archivist/iam/v1/access_policies

Create an access policy

Description: This request creates a new access policy. The display_name is the friendly name.

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "Customers description for the policy",
  "display_name": "Customers name for the policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ]
}

Parameter           Type    Description
access_permissions  array   Permissions
description         string  Customer description for the access policy.
display_name        string  Customer friendly name for the access policy.
filters             array   Filter

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "User description for this policy",
  "display_name": "User name for this policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ],
  "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
}

Response Parameter  Type    Description
access_permissions  array   Permissions
description         string  Customer description for the access policy.
display_name        string  Customer friendly name for the access policy.
filters             array   Filter
identity            string  Unique identification for the access policy, Relative Resource Name
tenant              string  Tenant id

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
402        Returned when the user’s quota of access policies has been reached.
403        Returned when the user is not authorized to create an access policy.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.

delete  /archivist/iam/v1/access_policies/{uuid}

Delete an access policy

Description: Delete the identified access policy

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
403        Returned when the user is not authorized to delete the access policy.
404        Returned when the identified access policy does not exist.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.

get  /archivist/iam/v1/access_policies/{uuid}

Get an access policy

Description: Returns the identified access policy

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "User description for this policy",
  "display_name": "User name for this policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ],
  "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
}

Response Parameter  Type    Description
access_permissions  array   Permissions
description         string  Customer description for the access policy.
display_name        string  Customer friendly name for the access policy.
filters             array   Filter
identity            string  Unique identification for the access policy, Relative Resource Name
tenant              string  Tenant id

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
403        Returned when the user is not authorized to read the access policy.
404        Returned when the identified access policy does not exist.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.

patch  /archivist/iam/v1/access_policies/{uuid}

Update an access policy's details

Description: Perform a full or partial update of the identified access policy

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "User description for this policy",
  "display_name": "User name for this policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ],
  "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
}

Response Parameter  Type    Description
access_permissions  array   Permissions
description         string  Customer description for the access policy.
display_name        string  Customer friendly name for the access policy.
filters             array   Filter
identity            string  Unique identification for the access policy, Relative Resource Name
tenant              string  Tenant id

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
403        Returned when the user is not authorized to update the access policy.
404        Returned when the identified access policy does not exist.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.

get  /archivist/iam/v1/access_policies/{uuid}/assets

Returns assets matching access policy

Description: Returns assets matching access policy

{
  "assets": [
    {
      "at_time": "2019-11-27T14:44:19Z",
      "attributes": {
        "arc_display_name": "My Garden Fence",
        "arc_display_type": "Garden Fence",
        "colour": "Plain wood"
      },
      "behaviours": [
        "RecordEvidence"
      ],
      "confirmation_status": "PENDING",
      "identity": "assets/add30235-1424-4fda-840a-d5ef82c4c96f",
      "owner": "0x601f5A7D3e6dcB55e87bf2F17bC8A27AaCD3511",
      "proof_mechanism": "MERKLE_LOG",
      "public": false,
      "tenant_identity": "tenant/8e0b600c-8234-43e4-860c-e95bdcd695a9",
      "tracked": "TRACKED"
    },
    {
      "at_time": "2019-11-27T14:44:19Z",
      "attributes": {
        "arc_display_name": "My IoT Device",
        "arc_display_type": "IoT Device",
        "arc_firmware_version": "3.2.1"
      },
      "behaviours": [
        "RecordEvidence"
      ],
      "confirmation_status": "PENDING",
      "identity": "assets/cef61346-2453-5aeb-921c-e6fa93d5b032",
      "owner": "0x601f5A7D3e6dcB55e87bf2F17bC8A27AaCD3511",
      "proof_mechanism": "MERKLE_LOG",
      "public": false,
      "tenant_identity": "tenant/8e0b600c-8234-43e4-860c-e95bdcd695a9",
      "tracked": "TRACKED"
    }
  ],
  "next_page_token": "abcd"
}

Response Parameter  Type    Description
assets              array   This describes an Asset.
next_page_token     string  Token to retrieve the next page of results or empty if there are none.

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
403        Returned when the user is not authorized to list the access policy.
404        Returned when the identified access policy does not exist.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.

API to manage Identity Assets AccessPolicies.

get  /archivist/iam/v1/assets/{uuid}/access_policies

Get matching access policies

Description: Get matching access policies for specified asset

{
  "access_policies": [
    {
      "access_permissions": [
        {
          "asset_attributes_read": [
            "attribute1",
            "attribute2"
          ],
          "behaviours": [
            "behaviour1",
            "behaviour2"
          ],
          "subjects": [
            "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
            "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
          ],
          "user_attributes": [
            {
              "or": [
                "group:maintainers",
                "group:supervisors"
              ]
            }
          ]
        }
      ],
      "display_name": "Some description",
      "filters": [
        {
          "or": [
            "location=basingstoke",
            "location=cambridge"
          ]
        },
        {
          "or": [
            "asset_type=door_access_reader"
          ]
        }
      ],
      "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
    }
  ],
  "page_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InN0dW50aWR"
}

Response Parameter  Type    Description
access_policies     array   Describes an Access Policy for OBAC
next_page_token     string  Token to retrieve the next page of results or empty if there are none.

Responses  Description
200        A successful response.
400        Returned when the request is badly formed.
401        Returned when the user is not authenticated to the system.
403        Returned when the user is not authorized to list the access policy.
404        Returned when the identified access policy does not exist.
429        Returned when a user exceeds their subscription’s rate limit for requests.
500        Returned when the underlying storage system returns an error.