Organization-wide Default User Permissions
This Public Experimental API supplies an organization-wide default user permission that allows users to log into the PCE and view resources without being explicitly assigned to any RBAC roles or scopes.
About Default User Permissions
If you use an external identity provider for user management, you might want to block some of those users from the PCE without removing them from your identity provider. Deleting the organization-wide read-only permission allows you to achieve this.
When the read-only user permission is disabled for your organization, users not explicitly assigned this permission cannot log into the PCE and access Illumio resources. If users, without permission, attempt to log into the PCE, their external identity provider authenticates them, but the PCE immediately logs them out.
To disable organization-wide read-only permissions:
1. Get a collection of all authorization security principals in your organization, and search the response for the one named null. Once you find this authorization security principal, note its full HREF.
2. Get the HREF of the permissions object associated with the null authorization security principal. Keep a record of the JSON object for this permission if you want to re-enable the permission at a later date.
3. Delete the permission associated with the null authorization security principal.
Get a Collection of Authorization Security Principals
The first step in disabling the organization-wide read-only permission is to get a collection of all authorization security principals in your organization.
Curl Command Get Auth Security Principals Collection
curl -i -X GET https://pce.mycompany.com:8443/api/v2/orgs/7/auth_security_principals -H "Accept: application/json" -u $KEY:$TOKEN
Example Response Body
The null authorization security principal is the entry in the following example whose name and display_name are null:
[
...
{
"href": "/orgs/7/auth_security_principals/a23ea011-4191-49e6-a22a-d3dba4fb8058",
"name": null,
"display_name": null,
"type": "group"
},
...
]
Get Permission for Null Auth Security Principal
To get the permission object associated with the null authorization security principal, call the GET Permissions API with the auth_security_principal query parameter set to the HREF of the null authorization security principal, as in the following curl command (the URL is quoted so the shell does not interpret the ? and = characters):
curl -i -X GET -H "Accept: application/json" -u $KEY:$TOKEN "https://pce.mycompany.com:8443/api/v2/orgs/7/permissions?auth_security_principal=/orgs/7/auth_security_principals/a23ea011-4191-49e6-a22a-d3dba4fb8058"
Response
The response returns the HREF of the permission associated with the organization-wide read-only permission.
{
"href": "/orgs/7/permissions/14c92849-e88e-4930-8804-3245565619e5",
"role": { "href": "/orgs/7/roles/read_only" },
"scope": [],
"auth_security_principal": { "href": "/orgs/7/auth_security_principals/a23ea011-4191-49e6-a22a-d3dba4fb8058" }
}
Delete Null Authorization Security Principal Permission
Keep a record of the permission object returned in case you want to re-enable the permission in the future.
Delete the read-only permission HREF to disable it.
Curl Command to Delete Null Authorization Security Principal Permission
curl -i -X DELETE -H "Accept: application/json" -u $KEY:$TOKEN https://pce.mycompany.com:8443/api/v2/orgs/7/permissions/14c92849-e88e-4930-8804-3245565619e5
Response
An HTTP 200 response is returned on successfully deleting the organization-wide read-only permission.
Re-Enable Organization Read-Only Permission
If the organization-wide read-only permission was disabled, you can re-enable it by recreating the permission object. This object must be constructed exactly like the object returned when you got the permission (the same role, auth_security_principal and empty scope). The request body below illustrates the JSON structure of this permission object.
URI to Enable the Organization-Wide Read-Only Permission
POST [api_version][org_href]/permissions
Request Body
{
"role": { "href": "/orgs/7/roles/read_only" },
"auth_security_principal": { "href": "/orgs/7/auth_security_principals/a23ea011-4191-49e6-a22a-d3dba4fb8058" },
"scope": []
}
Curl Command to Enable Organization Read-Only Permission
curl -i -X POST https://pce.mycompany.com:8443/api/v2/orgs/7/permissions -H "Content-Type: application/json" -u $KEY:$TOKEN -d '{"role": {"href": "/orgs/7/roles/read_only"}, "auth_security_principal":{"href":"/orgs/7/auth_security_principals/a23ea011-4191-49e6-a22a-d3dba4fb8058"}, "scope": []}'
Response
An HTTP 201 response is returned on successfully recreating the organization-wide read-only permission.
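The whole disable/re-enable procedure above as a script, added here as an example that is not part of Illumio's documentation or code. It assumes a PCE at PCE_URL with org 7 and API credentials in the KEY and TOKEN environment variables; the HTTP call is passed in as a function so the workflow can be checked offline, and it refuses to delete anything unless the null principal is unique and carries exactly the read_only role.

```python
import base64
import json
import os
import urllib.request

# Assumptions (not from the Illumio docs): PCE_URL, org 7, KEY/TOKEN env vars.
PCE_URL = os.environ.get("PCE_URL", "https://pce.mycompany.com:8443")
ORG_HREF = "/orgs/7"

def pce_http(method, path, body=None):
    """Minimal PCE client: basic auth with KEY:TOKEN, JSON in and out."""
    creds = base64.b64encode(f"{os.environ['KEY']}:{os.environ['TOKEN']}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        PCE_URL + "/api/v2" + path, data=data, method=method,
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": "Basic " + creds})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def find_null_principal(principals):
    """Step 1: the principal whose name is null; fail if it is missing or ambiguous."""
    matches = [p for p in principals if p.get("name") is None]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one null principal, found {len(matches)}")
    return matches[0]

def disable_org_read_only(http, org_href=ORG_HREF):
    """Steps 1-3; returns the deleted permission object so it can be re-created later."""
    _, principals = http("GET", f"{org_href}/auth_security_principals")
    null_href = find_null_principal(principals)["href"]
    _, perms = http("GET", f"{org_href}/permissions?auth_security_principal={null_href}")
    perm = perms[0] if isinstance(perms, list) else perms  # accept list or single object
    if perm["role"]["href"] != f"{org_href}/roles/read_only":
        raise ValueError("unexpected role on null principal: " + perm["role"]["href"])
    status, _ = http("DELETE", perm["href"])  # delete the permission HREF itself
    if status not in (200, 204):
        raise RuntimeError(f"delete failed with HTTP {status}")
    return perm

def reenable_org_read_only(http, saved_perm, org_href=ORG_HREF):
    """Re-create the permission from the saved copy; only role, principal and scope are sent."""
    body = {k: saved_perm[k] for k in ("role", "auth_security_principal", "scope")}
    status, created = http("POST", f"{org_href}/permissions", body)
    if status != 201:
        raise RuntimeError(f"create failed with HTTP {status}")
    return created
```

Run against a live PCE with `saved = disable_org_read_only(pce_http)` and keep the returned object (for example as JSON on disk) so that `reenable_org_read_only(pce_http, saved)` can restore the permission later.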