Required Permissions for API Users
To use the REST APIs, you must be an authorized Illumio user with credentials to log into the PCE.
User Permissions and the API
Authentication to the PCE is based on three user roles that allow users to perform specific API operations:
Organization owner: All
GET,POST,PUT, andDELETEAPIsAdministrator: Most
GET,POST,PUT, andDELETEAPIsRead-only:
GETonly
The PCE also has two other kinds of roles:
Unscoped: Not bound by label scopes
Scoped: Bound by label scopes
Unscoped Roles
API Role Name | UI Role Name | Granted Access |
|---|---|---|
| Global Organization Owner | Perform all actions: Add, edit, or delete any resource, organization setting, or user account. |
| Global Administrator | He performs all actions except he cannot change organization settings and cannot perform user management tasks. |
| Global Read Only | View any resource or organization setting. Cannot perform any operations. |
| Global Policy Object Provisioner | Provision rules containing IP lists, services, label groups, and manage security settings. Cannot provision rulesets, virtual services, or virtual servers, or add, modify, or delete existing policy items. |
Scoped Roles
API Role Name | UI Role Name | Granted Access |
|---|---|---|
| Full Ruleset Manager | Add, edit, and delete all rulesets within the specified scope. Add, edit, and delete rules when the Source matches the specified scope. The rule Destination can match any scope. |
| Limited Ruleset Manager | Add, edit, and delete all rulesets within the specified scope. Add, edit, and delete rules when the Source and Destination match the specified scope. Ruleset Managers with limited privileges cannot manage rules that use IP lists, user groups, label groups, or iptables rules as consumers, or rules that allow internet connectivity. |
| Ruleset Provisioner | Provision rulesets within a specified scope. This role cannot provision virtual servers, virtual services, SecureConnect gateways, security settings, IP lists, services, or label groups. |