IAM Policies API

IAM Policies API Reference

Note: This page is primarily intended for developers who will be writing applications that will use DataTrails for provenance. If you are looking for a simple way to test our API you might prefer our Postman collection, the YAML runner or the Developers section of the web UI.

Additional YAML examples can be found in the articles in the Overview section.

IAM Policies API Examples

Create the bearer_token and store in a file in a secure local directory with 0600 permissions.

An ABAC policy is used to share permissions with Non-Administrators within your Tenancy. A Non-Administrator could be a user who has been added using the Invites API or could be an App Registration used for client credentials, which are created as Non-Root by default.

To create an ABAC Policy, you should use the user_attributes keyword. Specify email for invited users, and subject, using the client-id of your credentials, for App Registrations.

You may also set permissions based on the Custom Claims of an App Registration using JSON Web Tokens (JWTs). To do so, you must include the prefix jwt_ followed by the desired claim as one of the user_attributes in the policy. For example, the key jwt_app_reg_role to match on claim app_reg_role.

An OBAC policy is used to share with the Administrators of an external organization.

To begin sharing with OBAC, you must first import your collaborator’s Organization ID using either the IAM Subjects API or the instructions in the administration section.

This will return a subjects/<UUID> object you would then specify with the subjects keyword to make it an OBAC Policy.

Note: To accept a Subject import request, both organizations must have imported the other’s Subject ID. This acknowledges that the organizations wish to share with each other.

As both ABAC and OBAC use the same filter syntax, it is possible to have a mix of internal and external sharing within a single policy.

Note: Learn more about ABAC and OBAC policies in our DataTrails Basics guides.

IAM Policy Creation

The following example shows how you can mix the user_attributes keyword for ABAC and subjects keyword for OBAC.

Define the access_policies parameters and store in /path/to/jsonfile:

{
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        { "or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        { "or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        { "or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Create the Access Policy:

curl -v -X POST \
    -H "@$HOME/.datatrails/bearer-token.txt" \
    -H "Content-type: application/json" \
    -d "@/path/to/jsonfile" \
    https://app.datatrails.ai/archivist/iam/v1/access_policies

The response is:

{
    "identity": "access_policies/3f5be24f-fd1b-40e2-af35-ec7c14c74d53",
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}
Note: Access polices are applied to the Asset. This means that when a policy is created or updated an Event will be recorded in the audit trail of matching Assets from the Actor Archivist Internal.

IAM Policy Retrieval

IAM Access Policy records in DataTrails are tokenized at creation time and referred to in all API calls and smart contracts throughout the system by a unique identity of the form:

access_policies/12345678-90ab-cdef-1234-567890abcdef

If you do not know the Access Policy ID you can fetch IAM Access Policy records using other information you do know, such as the Access Policy name.

Fetch all IAM access_policies (v1)

To fetch all IAM access_policies records, simply GET the iam/access_policies resource:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/access_policies

Fetch specific IAM access Policy by identity (v1)

If you know the unique identity of the IAM access policy Record simply GET the resource:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/access_policies/6a951b62-0a26-4c22-a886-1082297b063b

Fetch IAM Access Policies by name (v1)

To fetch all IAM access_policies with a specific name, GET the iam/access_policies resource and filter on display_name:

curl -g -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     "https://app.datatrails.ai/archivist/iam/v1/access_policies?display_name=Some%20description"

Each of these calls returns a list of matching IAM Access Policies records in the form:

{
    "access_policies": [
        {
            "identity": "access_policies/6a951b62-0a26-4c22-a886-1082297b063b",
            "display_name": "Name to display",
            "description": "Description of the policy",
            "filters": [
                {"or": [
                    "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
                    "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
                ]},
                {"or": [
                    "attributes.arc_display_type=Valve",
                    "attributes.arc_display_type=Pump"
                ]},
                {"or": [
                    "attributes.ext_vendor_name=SynsationIndustries"
                ]}
            ],
            "access_permissions": [
                {
                    "asset_attributes_read": [ "toner_colour", "toner_type" ],
                    "asset_attributes_write":["toner_colour"],
                    "behaviours": [ "RecordEvidence" ],
                    "event_arc_display_type_read": ["toner_type", "toner_colour"],
                    "event_arc_display_type_write": ["toner_replacement"],
                    "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        },
        {
            "identity": "access_policies/12345678-0a26-4c22-a886-1082297b063b",
            "display_name": "Some other description",
            "filters": [
                {"or": ["attributes.arc_display_type=door_access_reader"]}
            ],
            "access_permissions": [
                {
                    "asset_attributes_read": [ "toner_colour", "toner_type" ],
                    "asset_attributes_write":["toner_colour"],
                    "behaviours": [ "RecordEvidence" ],
                    "event_arc_display_type_read": ["toner_type", "toner_colour"],
                    "event_arc_display_type_write": ["toner_replacement"],
                    "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        }
    ]
}

IAM Policy Deletion

To delete an IAM Access Policy, issue following request:

curl -v -X DELETE \
    -H "@$HOME/.datatrails/bearer-token.txt" \
    -H "Content-type: application/json" \
    https://app.datatrails.ai/archivist/iam/v1/access_policies/47b58286-ff0f-11e9-8f0b-362b9e155667

The response is:

{}

IAM Policy Update

Define the Access Policy parameters to be changed and store in /path/to/jsonfile:

{
   "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Update the Access Policy:

curl -v -X PATCH \
    -H "@$HOME/.datatrails/bearer-token.txt" \
    -H "Content-type: application/json" \
    -d "@/path/to/jsonfile" \
    https://app.datatrails.ai/archivist/iam/v1/access_policies/47b58286-ff0f-11e9-8f0b-362b9e155667

The response is:

{
    "identity": "access_policies/3f5be24f-fd1b-40e2-af35-ec7c14c74d53",
    "display_name": "Friendly name of the policy",
    "description": "Description of the policy",
    "filters": [
        {"or": [
            "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
            "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc"
        ]},
        {"or": [
            "attributes.arc_display_type=Valve",
            "attributes.arc_display_type=Pump"
        ]},
        {"or": [
            "attributes.ext_vendor_name=SynsationIndustries"
        ]}
    ],
    "access_permissions": [
        {
            "asset_attributes_read": [ "toner_colour", "toner_type" ],
            "asset_attributes_write":["toner_colour"],
            "behaviours": [ "RecordEvidence" ],
            "event_arc_display_type_read": ["toner_type", "toner_colour"],
            "event_arc_display_type_write": ["toner_replacement"],
            "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
            "subjects": [
                "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
            ],
            "user_attributes": [
                {"or": ["group:maintainers", "group:supervisors"]}
            ]
        }
    ]
}

Matching Assets with IAM Policies

IAM Access Policy records in DataTrails are tokenized at creation time and referred to in all API calls and smart contracts throughout the system by a unique identity of the form:

access_policies/12345678-90ab-cdef-1234-567890abcdef

If you do not know the Access Policy ID you can fetch IAM Access Policy records using other information you do know, such as the Access Policy name.

Fetch all Assets Matching Specific IAM Access Policy (v1)

If you know the unique identity of the IAM Access Policy Record simply GET the resource:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/access_policies/6a951b62-0a26-4c22-a886-1082297b063b/assets

Each of these calls returns a list of matching Asset records in the form:

{
    "assets": [
        {
        "identity": "assets/6a951b62-0a26-4c22-a886-1082297b063b",
        "behaviours": [
            "RecordEvidence"
        ],
        "attributes": {
            "arc_display_type": "Pump",
            "arc_firmware_version": "1.0",
            "arc_home_location_identity": "locations/866790d8-4ed6-4cc9-8f60-07672609b331",
            "arc_serial_number": "vtl-x4-07",
            "arc_description": "Pump at A603 North East",
            "arc_display_name": "tcl.ccj.003",
            "some_custom_attribute": "value",
            "arc_primary_image": {
                "arc_attribute_type": "arc_attachment",
                "arc_blob_hash_value": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
                "arc_blob_identity": "blobs/1754b920-cf20-4d7e-9d36-9ed7d479744d",
                "arc_blob_hash_alg": "SHA256",
                "arc_file_name": "somepic.jpeg",
                "arc_display_name": "arc_primary_image",
            },
        },
        "confirmation_status": "CONFIRMED",
        "tracked": "TRACKED"
        }
    ]
}

Fetch all IAM access_policies Matching Specific Asset (v1)

If you know the unique identity of the Asset Record simply GET matching policies:

curl -v -X GET \
     -H "@$HOME/.datatrails/bearer-token.txt" \
     https://app.datatrails.ai/archivist/iam/v1/assets/6a951b62-0a26-4c22-a886-1082297b063b/access_policies

Each of these calls returns a list of matching IAM access_policies records in the form:

{
    "access_policies": [
        {
            "identity": "access_policies/6a951b62-0a26-4c22-a886-1082297b063b",
            "display_name": "Some description",
            "filters": [
                { "or": [
                    "attributes.arc_home_location_identity=locations/5ea815f0-4de1-4a84-9377-701e880fe8ae",
                    "attributes.arc_home_location_identity=locations/27eed70b-9e2b-4db1-b8c4-e36505350dcc",
                ]},
                { "or": [
                    "attributes.arc_display_type=Valve",
                    "attributes.arc_display_type=Pump"
                ]},
                { "or": [
                    "attributes.ext_vendor_name=SynsationIndustries"
                ]}
            ],
            "access_permissions": [
                {
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "behaviours": [  "RecordEvidence"  ],
                    "include_attributes": [ "arc_display_name", "arc_display_type", "arc_firmware_version" ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        },
        {
            "identity": "access_policies/12345678-0a26-4c22-a886-1082297b063b",
            "display_name": "Some other description",
            "filters": [
                { "or": ["attributes.arc_display_type=door_access_reader"]}
            ],
            "access_permissions": [
                {
                    "subjects": [
                        "subjects/6a951b62-0a26-4c22-a886-1082297b063b",
                        "subjects/a24306e5-dc06-41ba-a7d6-2b6b3e1df48d"
                    ],
                    "behaviours": [ "RecordEvidence" ],
                    "include_attributes": [ "arc_display_name", "arc_display_type" ],
                    "user_attributes": [
                        {"or": ["group:maintainers", "group:supervisors"]}
                    ]
                }
            ]
        }
    ]
}

IAM Policies OpenAPI Docs

API to manage Identity Access Management AccessPolicies.

get  /archivist/iam/v1/access_policies/archivist/iam/v1/access_policies

List access policies

Description: Returns a paginated list of access_policies

{
  "access_policies": [
    {
      "access_permissions": [
        {
          "asset_attributes_read": [
            "attribute1",
            "attribute2"
          ],
          "behaviours": [
            "behaviour1",
            "behaviour2"
          ],
          "subjects": [
            "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
            "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
          ],
          "user_attributes": [
            {
              "or": [
                "group:maintainers",
                "group:supervisors"
              ]
            }
          ]
        }
      ],
      "display_name": "Some description",
      "filters": [
        {
          "or": [
            "location=basingstoke",
            "location=cambridge"
          ]
        },
        {
          "or": [
            "asset_type=door_access_reader"
          ]
        }
      ],
      "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
    }
  ],
  "page_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InN0dW50aWR"
}
Response ParameterTypeDescription
access_policiesarrayDescribes an Access Policy for OBAC
next_page_tokenstringToken to retrieve the next page of results or empty if there are none.
ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
403Returned when the user is not authorized to list the access policy.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.

post  /archivist/iam/v1/access_policies/archivist/iam/v1/access_policies

Create an access policy

Description: This request creates a new access policy. The display_name is the friendly name.

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "Customers description for the policy",
  "display_name": "Customers name for the policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ]
}
ParameterTypeDescription
access_permissionsarrayPermissions
descriptionstringCustomer description for the access policy.
display_namestringCustomer friendly name for the access policy.
filtersarrayFilter

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "User description for this policy",
  "display_name": "User name for this policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ],
  "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
}
Response ParameterTypeDescription
access_permissionsarrayPermissions
descriptionstringCustomer description for the access policy.
display_namestringCustomer friendly name for the access policy.
filtersarrayFilter
identitystringUnique identification for the access policy, Relative Resource Name
tenantstringTenant id
ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
402Returned when the user’s quota of access policies has been reached.
403Returned when the user is not authorized to create an access policy.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.

delete  /archivist/iam/v1/access_policies/archivist/iam/v1/access_policies/{uuid}

Delete an access policy

Description: Delete the identified access policy

ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
403Returned when the user is not authorized to delete the access policy.
404Returned when the identified access policy does not exist.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.

get  /archivist/iam/v1/access_policies/archivist/iam/v1/access_policies/{uuid}

Get an access policy

Description: Returns the identified access policy

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "User description for this policy",
  "display_name": "User name for this policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ],
  "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
}
Response ParameterTypeDescription
access_permissionsarrayPermissions
descriptionstringCustomer description for the access policy.
display_namestringCustomer friendly name for the access policy.
filtersarrayFilter
identitystringUnique identification for the access policy, Relative Resource Name
tenantstringTenant id
ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
403Returned when the user is not authorized to read the access policy.
404Returned when the identified access policy does not exist.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.

patch  /archivist/iam/v1/access_policies/archivist/iam/v1/access_policies/{uuid}

Update a access policy details

Description: Perform a full or partial update of the identified access policy

{
  "access_permissions": [
    {
      "asset_attributes_read": [
        "attribute1",
        "attribute2"
      ],
      "behaviours": [
        "behaviour1",
        "behaviour2"
      ],
      "subjects": [
        "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
        "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
      ],
      "user_attributes": [
        {
          "or": [
            "group:maintainers",
            "group:supervisors"
          ]
        }
      ]
    }
  ],
  "description": "User description for this policy",
  "display_name": "User name for this policy",
  "filters": [
    {
      "or": [
        "location=basingstoke",
        "location=cambridge"
      ]
    },
    {
      "or": [
        "asset_type=door_access_reader"
      ]
    }
  ],
  "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
}
Response ParameterTypeDescription
access_permissionsarrayPermissions
descriptionstringCustomer description for the access policy.
display_namestringCustomer friendly name for the access policy.
filtersarrayFilter
identitystringUnique identification for the access policy, Relative Resource Name
tenantstringTenant id
ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
403Returned when the user is not authorized to update the access policy.
404Returned when the identified access policy does not exist.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.

get  /archivist/iam/v1/access_policies/archivist/iam/v1/access_policies/{uuid}/assets

Returns assets matching access policy

Description: Returns assets matching access policy

{
  "assets": [
    {
      "at_time": "2019-11-27T14:44:19Z",
      "attributes": {
        "arc_display_name": "My Garden Fence",
        "arc_display_type": "Garden Fence",
        "colour": "Plain wood"
      },
      "behaviours": [
        "RecordEvidence"
      ],
      "confirmation_status": "PENDING",
      "identity": "assets/add30235-1424-4fda-840a-d5ef82c4c96f",
      "owner": "0x601f5A7D3e6dcB55e87bf2F17bC8A27AaCD3511",
      "proof_mechanism": "SIMPLE_HASH",
      "public": false,
      "tenant_identity": "tenant/8e0b600c-8234-43e4-860c-e95bdcd695a9",
      "tracked": "TRACKED"
    },
    {
      "at_time": "2019-11-27T14:44:19Z",
      "attributes": {
        "arc_display_name": "My IoT Device",
        "arc_display_type": "IoT Device",
        "arc_firmware_version": "3.2.1"
      },
      "behaviours": [
        "RecordEvidence"
      ],
      "confirmation_status": "PENDING",
      "identity": "assets/cef61346-2453-5aeb-921c-e6fa93d5b032",
      "owner": "0x601f5A7D3e6dcB55e87bf2F17bC8A27AaCD3511",
      "proof_mechanism": "SIMPLE_HASH",
      "public": false,
      "tenant_identity": "tenant/8e0b600c-8234-43e4-860c-e95bdcd695a9",
      "tracked": "TRACKED"
    }
  ],
  "next_page_token": "abcd"
}
Response ParameterTypeDescription
assetsarrayThis describes an Asset.
next_page_tokenstringToken to retrieve the next page of results or empty if there are none.
ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
403Returned when the user is not authorized to list the access policy.
404Returned when the identified access policy does not exist.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.

API to manage Identity Assets AccessPolicies.

get  /archivist/iam/v1/assets/archivist/iam/v1/assets/{uuid}/access_policies

Get matching access policies

Description: Get matching access policies for specified asset

{
  "access_policies": [
    {
      "access_permissions": [
        {
          "asset_attributes_read": [
            "attribute1",
            "attribute2"
          ],
          "behaviours": [
            "behaviour1",
            "behaviour2"
          ],
          "subjects": [
            "subjects/9846b867-3e42-4b5d-af56-bcd62c2126d2",
            "subjects/3907c132-900b-4481-82da-21ffe699ddb9"
          ],
          "user_attributes": [
            {
              "or": [
                "group:maintainers",
                "group:supervisors"
              ]
            }
          ]
        }
      ],
      "display_name": "Some description",
      "filters": [
        {
          "or": [
            "location=basingstoke",
            "location=cambridge"
          ]
        },
        {
          "or": [
            "asset_type=door_access_reader"
          ]
        }
      ],
      "identity": "access_policies/08838336-c357-460d-902a-3aba9528dd22"
    }
  ],
  "page_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InN0dW50aWR"
}
Response ParameterTypeDescription
access_policiesarrayDescribes an Access Policy for OBAC
next_page_tokenstringToken to retrieve the next page of results or empty if there are none.
ResponsesDescription
200A successful response.
400Returned when the request is badly formed.
401Returned when the user is not authenticated to the system.
403Returned when the user is not authorized to list the access policy.
404Returned when the identified access policy does not exist.
429Returned when a user exceeds their subscription’s rate limit for requests.
500Returned when the underlying storage system returns an error.