Skip to content
/Role Assignments

HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Download OpenAPI description
external-authz-v2-config.json
external-authz-v2-config.yaml
Overview
License

HPE End User License Agreement

Languages
Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/authorization/public/openapi/authz-v1beta1/external-authz-v2-config/

Roles

Roles are created in a Workspace, typically by an IAM administrator. They may be created by a Resource Provider (RP) if the RP has been granted the required privileges in the Workspace.

Requirements

  • Roles must include at least one inline permission.
Known limitations
  • There is a max limit of 100 Roles per workspace (in addition to the global predefined roles).

Operations

Role Assignments

Role assignments are composed of three pieces (principal, role, and scope). Role assigments associate a user, group, or service (principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources) to grant them access and specify their responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.

Operations

Create a role assignment

Request

Create a role assignment.

By creating a role assignment, you grant access to resources. Role assignments allow for controlled management of permissions and responsibilities.

Note: For assistance finding the principal, scope, and role identifiers, see the developer guide.

Security
bearerAuth
Bodyapplication/jsonrequired
principalstringrequired

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"
scopeArray of strings[ 1 .. 20 ] itemsrequired

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]
rolestringrequired

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"
curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "principal": "user:123981y2zxhiz1890",
    "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
    "scope": [
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
    ]
  }'

Responses

Created

Headers
Locationstring

URL to the newly created resource.

Bodyapplication/json
idstring(uuid)(UUID)read-onlyrequired
typestringread-onlyrequired

The type of the resource.

Value"authorization/role-assignment"
Example: "authorization/role-assignment"
principalstringrequired

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"
scopeArray of strings[ 1 .. 20 ] itemsrequired

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]
rolestringrequired

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"
principalMetadataobjectread-onlyrequired
principalMetadata.​idstringrequired

The unique identifier of the principal.

Example: "123981y2zxhiz1890"
principalMetadata.​typestringrequired

The type of the principal.

Enum"identity/user""identity/user-group""identity/api-client"
roleMetadataobjectread-onlyrequired
roleMetadata.​idstring(uuid)required

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"
roleMetadata.​typestringrequired

The type of the role.

Example: "authorization/role"
generationinteger(int64)(Generation)read-onlyrequired
createdAtstring(date-time)(CreatedAt)read-onlyrequired
updatedAtstring(date-time)(UpdatedAt)read-onlyrequired
Response
application/json
{
  "id": "05f2523c-fe03-47fc-981b-9c4333a37b01",
  "type": "authorization/role-assignment",
  "principal": "user:123981y2zxhiz1890",
  "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
  "scope": [
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60"
  ],
  "principalMetadata": {
    "id": "123981y2zxhiz1890",
    "type": "identity/user"
  },
  "roleMetadata": {
    "id": "e54415a9-4f46-43c0-893e-67ec778c6c45",
    "type": "authorization/role"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Retrieve all role assignments

Request

Retrieves role assignments by applying OData 4.0 filters. Use the filter parameter to provide a filter string. Supports in and and operators on role, scope and principal attributes.
Example Request:
/authorization/v1beta1/role-assignments?filter=role in ('grn:glp/providers/authorization/roles/storageservices.LimitedAdmin') and principal in ('user:123981y2zxhiz1890')

Note:
- No duplicate attributes in OData filter: Each attribute (role, scope, principal) can only appear once in the OData filter expression. Multiple occurrences will result in a 400 Bad Request error.
- Supported operators: Only the in and and operators are supported.

Security
bearerAuth
Query
limitinteger<= 200

Total number of results to be returned

Default 100
offsetinteger

Zero-based resource offset to start the response from

Default 0
filterstring

The filter query parameter is used to filter the set of resources returned in a collection-level GET. The returned set of resources matches the criteria in the filter query parameter.

Supports in and and operators on role, scope and principal attributes.

Example: filter=role in ('grn:glp/providers/authorization/roles/storageservices.LimitedAdmin') and principal in ('user:123981y2zxhiz1890')
curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Bodyapplication/json
itemsArray of objects(RoleAssignmentGetV1beta1)<= 200 itemsrequired
items[].​idstring(uuid)(UUID)read-onlyrequired
items[].​typestringread-onlyrequired

The type of the resource.

Value"authorization/role-assignment"
Example: "authorization/role-assignment"
items[].​principalstringrequired

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"
items[].​scopeArray of strings[ 1 .. 20 ] itemsrequired

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]
items[].​rolestringrequired

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"
items[].​principalMetadataobjectread-onlyrequired
items[].​principalMetadata.​idstringrequired

The unique identifier of the principal.

Example: "123981y2zxhiz1890"
items[].​principalMetadata.​typestringrequired

The type of the principal.

Enum"identity/user""identity/user-group""identity/api-client"
items[].​roleMetadataobjectread-onlyrequired
items[].​roleMetadata.​idstring(uuid)required

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"
items[].​roleMetadata.​typestringrequired

The type of the role.

Example: "authorization/role"
items[].​generationinteger(int64)(Generation)read-onlyrequired
items[].​createdAtstring(date-time)(CreatedAt)read-onlyrequired
items[].​updatedAtstring(date-time)(UpdatedAt)read-onlyrequired
items[].​sourcestring(Source)
Enum"LOCAL""EXTERNAL"
offsetinteger(Offset)required
countinteger(Count)required
totalinteger(Total)required
Response
application/json
{
  "items": [
    {}
  ],
  "count": 1,
  "total": 1,
  "offset": 0
}

Retrieve a role assignment instance by ID

Request

Security
bearerAuth
Path
idstring(uuid)(UUID)read-onlyrequired

The role assignment instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/role-assignments.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Bodyapplication/json
idstring(uuid)(UUID)read-onlyrequired
typestringread-onlyrequired

The type of the resource.

Value"authorization/role-assignment"
Example: "authorization/role-assignment"
principalstringrequired

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"
scopeArray of strings[ 1 .. 20 ] itemsrequired

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]
rolestringrequired

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"
principalMetadataobjectread-onlyrequired
principalMetadata.​idstringrequired

The unique identifier of the principal.

Example: "123981y2zxhiz1890"
principalMetadata.​typestringrequired

The type of the principal.

Enum"identity/user""identity/user-group""identity/api-client"
roleMetadataobjectread-onlyrequired
roleMetadata.​idstring(uuid)required

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"
roleMetadata.​typestringrequired

The type of the role.

Example: "authorization/role"
generationinteger(int64)(Generation)read-onlyrequired
createdAtstring(date-time)(CreatedAt)read-onlyrequired
updatedAtstring(date-time)(UpdatedAt)read-onlyrequired
sourcestring(Source)
Enum"LOCAL""EXTERNAL"
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/role-assignment",
  "principal": "user:123981y2zxhiz1890",
  "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
  "scope": [
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
  ],
  "principalMetadata": {
    "id": "123981y2zxhiz1890",
    "type": "identity/user"
  },
  "roleMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "authorization/role"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00",
  "source": "LOCAL"
}

Update a role assignment instance by ID

Request

Request body must contain id, principal, scope, and role attributes even though they are immutable.

The id can be found at the response body of POST /authorization/v1beta1/role-assignments.

Note: For assistance finding the principal, scope, and role identifiers, see the developer guide.

Security
bearerAuth
Path
idstring(uuid)(UUID)read-onlyrequired

The role assignment instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/role-assignments.

Bodyapplication/jsonrequired
idstring(uuid)required

Immutable

principalstringrequired

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"
scopeArray of strings[ 1 .. 20 ] itemsrequired

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]
rolestringrequired

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"
curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "principal": "user:123981y2zxhiz1890",
    "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
    "scope": [
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
    ]
  }'

Responses

OK

Bodyapplication/json
idstring(uuid)(UUID)read-onlyrequired
typestringread-onlyrequired

The type of the resource.

Value"authorization/role-assignment"
Example: "authorization/role-assignment"
principalstringrequired

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"
scopeArray of strings[ 1 .. 20 ] itemsrequired

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]
rolestringrequired

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"
principalMetadataobjectread-onlyrequired
principalMetadata.​idstringrequired

The unique identifier of the principal.

Example: "123981y2zxhiz1890"
principalMetadata.​typestringrequired

The type of the principal.

Enum"identity/user""identity/user-group""identity/api-client"
roleMetadataobjectread-onlyrequired
roleMetadata.​idstring(uuid)required

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"
roleMetadata.​typestringrequired

The type of the role.

Example: "authorization/role"
generationinteger(int64)(Generation)read-onlyrequired
createdAtstring(date-time)(CreatedAt)read-onlyrequired
updatedAtstring(date-time)(UpdatedAt)read-onlyrequired
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/role-assignment",
  "principal": "user:123981y2zxhiz1890",
  "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
  "scope": [
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
  ],
  "principalMetadata": {
    "id": "123981y2zxhiz1890",
    "type": "identity/user"
  },
  "roleMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "authorization/role"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Delete a role assignment instance by ID

Request

Security
bearerAuth
Path
idstring(uuid)(UUID)read-onlyrequired

The role assignment instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/role-assignments.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No content

Response
No content

Scope Groups

A scope group is composed of scopes and allows a single role assignment against multiple scopes.

Known limitations

  • There is a max limit of 500 scopes per Scope Group.
  • There is a max limit of 500 Scope Groups per workspace.

Operations