Assign Roles with the ViPR REST API

Overview of assigning roles using the REST API

Learn how to assign roles to users and groups in ViPR using the ViPR REST API. ViPR has two types of roles: virtual data center roles and tenant-level roles. Assigning a role to a user or group is one of the methods of controlling authorization in ViPR.

This article applies to EMC ViPR 2.0.

The other method to control authorization is to assign an Access Control List (ACL) to a resource.

Assign a Virtual Data Center Role to a User or Group

A Security Administrator can assign roles to users or groups that belong to the top-level provider tenant. These roles identify what functions the user or group can perform, such as adding physical assets or creating users, at the level of the entire virtual data center.

Before you begin

  • Authenticate with the ViPR REST API as a SECURITY_ADMIN.
  • If you plan to assign a role to a user or group that is in LDAP or Active Directory, ensure that you meet the following conditions:
    • You have already added an authentication provider to ViPR.
    • You have already mapped those users, for whom you are assigning a virtual data center role, to the provider tenant.
  • The virtual data center level roles include:
    • Security Administrator (SECURITY_ADMIN)
    • System Administrator (SYSTEM_ADMIN)
    • System Monitor (SYSTEM_MONITOR)
    • System Auditor (SYSTEM_AUDITOR)

The EMC ViPR REST API Reference provides a description and complete list of parameters for the REST API methods used in this section.

In the following example, a Security Administrator role is being assigned to the user, username@mycompany.com, using PUT https://<ViPR_VIP>:4443/vdc/role-assignments. The response is an updated list of role assignments for the virtual data center, including the SECURITY_ADMIN role assigned to the user, username@mycompany.com.

Procedure

  1. To apply the SECURITY_ADMIN role assignment to username@mycompany.com, send the following request.
    Request

    PUT https://<ViPR_VIP>:4443/vdc/role-assignments HTTP/1.1
    Content-Type: application/xml
    X-SDS-AUTH-TOKEN: <AUTH_TOKEN>

    <role_assignment_change>
      <add>
        <role>SECURITY_ADMIN</role>
        <subject_id>username@mycompany.com</subject_id>
      </add>
    </role_assignment_change>

    Response

    HTTP/1.1 200 OK
    Content-Type: application/xml

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <role_assignments_create>
      <role_assignment>
        <role>SYSTEM_ADMIN</role>
        <subject_id>username@mycompany.com</subject_id>
      </role_assignment>
      <role_assignment>
        <role>SYSTEM_AUDITOR</role>
        <role>SECURITY_ADMIN</role>
        <role>SYSTEM_MONITOR</role>
        <role>SYSTEM_ADMIN</role>
        <subject_id>username@mycompany.com</subject_id>
      </role_assignment>
      <link href="/vdc/role-assignments" rel="self"/>
    </role_assignments_create>

Assign a Tenant Role to a User or Group

A Security Administrator or Tenant Administrator with access to a tenant can assign roles to users or groups in that tenant by sending PUT https://ViPR:4443/tenants/<tenant_URN>/role-assignments. These roles identify what functions the user can perform at the tenant level.

Before you begin

  • Authenticate with the ViPR REST API as a user with the SECURITY_ADMIN or TENANT_ADMIN role and access to the tenant.
  • You need the URN of the tenant.
  • If you plan to assign a role to a user or group that is in LDAP or Active Directory, ensure that you meet the following conditions:
    • You have already added an authentication provider to ViPR.
    • You have already configured users and groups for the provider tenant.
  • The tenant level roles include:
    • Tenant Administrator (TENANT_ADMIN)
    • Tenant Approver (TENANT_APPROVER)
    • Project Administrator (PROJECT_ADMIN)

The EMC ViPR REST API Reference provides a description and complete list of parameters for the REST API methods used in this section.

In the following example, a Tenant Administrator role is being assigned to the user, user@mycompany.com, using PUT https://<ViPR_VIP>:4443/tenants/<tenant_URN>/role-assignments. The response is an updated list of role assignments for the tenant.

Procedure

  1. To apply the TENANT_ADMIN role assignment to user@mycompany.com, send the following request:
    Request

    PUT https://<ViPR_VIP>:4443/tenants/urn:storageos:TenantOrg:dbeb4135-e297-40d9-a5d4-9b40c73bdb4b:global/role-assignments HTTP/1.1
    Content-Type: application/xml
    X-SDS-AUTH-TOKEN: <AUTH_TOKEN>

    <role_assignment_change>
      <add>
        <role>TENANT_ADMIN</role>
        <subject_id>user@mycompany.com</subject_id>
      </add>
    </role_assignment_change>

    Response

    HTTP/1.1 200 OK
    Content-Type: application/xml

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <role_assignments_create>
      <link href="/tenants/urn:storageos:TenantOrg:dbeb4135-e297-40d9-a5d4-9b40c73bdb4b:global/role-assignments" rel="self"/>
      <role_assignment>
        <role>TENANT_ADMIN</role>
        <subject_id>user@mycompany.com</subject_id>
      </role_assignment>
      <role_assignment>
        <role>TENANT_ADMIN</role>
        <subject_id>root</subject_id>
      </role_assignment>
    </role_assignments_create>
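
Both procedures above send the same role_assignment_change body and get back the full list of role assignments. The following Python sketch is an added example, not part of the EMC documentation or the ViPR tooling: it builds the request body only for a role that is valid at the chosen level, then reads a response to confirm the assignment and report any other holder of the role that was not expected. The function names and the expected_holders parameter are assumptions made for this example, and the sample response is constructed from the tenant response shown on this page.

```python
import xml.etree.ElementTree as ET

# Role names as listed on this page, keyed by the level they apply to.
ROLES = {
    "vdc": {"SECURITY_ADMIN", "SYSTEM_ADMIN", "SYSTEM_MONITOR", "SYSTEM_AUDITOR"},
    "tenant": {"TENANT_ADMIN", "TENANT_APPROVER", "PROJECT_ADMIN"},
}

# Constructed sample: body of the tenant response shown above, XML declaration omitted.
SAMPLE_RESPONSE = """<role_assignments_create>
  <role_assignment><role>TENANT_ADMIN</role><subject_id>user@mycompany.com</subject_id></role_assignment>
  <role_assignment><role>TENANT_ADMIN</role><subject_id>root</subject_id></role_assignment>
</role_assignments_create>"""


def build_role_change(role, subject_id, scope):
    """Build the <role_assignment_change> body; refuse a role that is not valid for scope."""
    if role not in ROLES[scope]:
        raise ValueError(f"{role} is not a {scope}-level role")
    root = ET.Element("role_assignment_change")
    add = ET.SubElement(root, "add")
    ET.SubElement(add, "role").text = role
    # ElementTree escapes the text, so a subject_id cannot inject extra elements.
    ET.SubElement(add, "subject_id").text = subject_id
    return ET.tostring(root, encoding="unicode")


def roles_by_subject(response_xml):
    """Merge every <role_assignment> in a response into {subject_id: set of roles}."""
    merged = {}
    for entry in ET.fromstring(response_xml).iter("role_assignment"):
        roles = {r.text for r in entry.findall("role")}
        merged.setdefault(entry.findtext("subject_id"), set()).update(roles)
    return merged


def confirm_assignment(response_xml, role, subject_id, expected_holders=()):
    """Return (applied, unexpected): did the role land, and who else holds it unexpectedly."""
    merged = roles_by_subject(response_xml)
    applied = role in merged.get(subject_id, set())
    holders = {s for s, roles in merged.items() if role in roles}
    return applied, sorted(holders - set(expected_holders) - {subject_id})


if __name__ == "__main__":
    print(build_role_change("TENANT_ADMIN", "user@mycompany.com", "tenant"))
    print(confirm_assignment(SAMPLE_RESPONSE, "TENANT_ADMIN", "user@mycompany.com"))
```

Run against the sample, confirm_assignment reports the assignment as applied and lists root as an additional TENANT_ADMIN holder, because root was not passed in expected_holders.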