
HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/authorization/public/openapi/authz-v1beta1/external-authz-v2-config/

Roles

Roles are created in a Workspace, typically by an IAM administrator. They may be created by a Resource Provider (RP) if the RP has been granted the required privileges in the Workspace.

Requirements

  • Roles must include at least one inline permission.

Known limitations

  • There is a maximum of 100 Roles per workspace (in addition to the global predefined roles).

Operations

Role Assignments

Role assignments are composed of three pieces (principal, role, and scope). Role assignments associate a user, group, or service (principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources) to grant them access and specify their responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.

Operations

Create a role assignment

Request

Create a role assignment.

By creating a role assignment, you grant access to resources. Role assignments allow for controlled management of permissions and responsibilities.

Note: For assistance finding the principal, scope, and role identifiers, see the developer guide.

Security: bearerAuth

Body (application/json, required)

principal (string, required)

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"

scope (array of strings, 1..20 items, required)

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]

role (string, required)

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"

curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "principal": "user:123981y2zxhiz1890",
    "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
    "scope": [
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
    ]
  }'
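The body constraints listed above (principal format and supported types, role GRN prefix, 1..20 scopes with the per-kind limits and the two permitted combinations) are easy to get wrong in automation and only surface as a 400 after the call. The following is an added example, not HPE code, that checks a request body client-side before it is sent. The GRN shapes used to classify a scope as workspace, tenant group or scope group are inferred from the examples on this page and are an assumption; the interpretation that a single scope kind on its own is always allowed, while mixed kinds are limited to the two named combinations, is likewise an assumption.

```python
"""Client-side validation of a role-assignment body before it is sent to
POST /authorization/v1beta1/role-assignments.

Added example, not HPE code. The scope GRN shapes below are inferred from
the page's examples (assumption).
"""
import re

PRINCIPAL_TYPES = {"user", "user-group", "api-client"}
ROLE_PREFIX = "grn:glp/providers/authorization/roles/"

# Scope GRN shapes, inferred from the page's examples (assumption).
_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_WS = rf"grn:glp/workspaces/{_UUID}"
SCOPE_KINDS = {
    "workspace": re.compile(rf"^{_WS}$"),
    "tenant-group": re.compile(rf"^{_WS}/regions/[^/]+/providers/msp/tenant-groups/{_UUID}$"),
    "scope-group": re.compile(rf"^{_WS}/regions/[^/]+/providers/authorization/scope-groups/{_UUID}$"),
}
MAX_PER_KIND = {"workspace": 1, "tenant-group": 10, "scope-group": 10}
# A single kind on its own, or one of the two combinations the page permits.
ALLOWED_COMBINATIONS = [
    {"workspace"}, {"tenant-group"}, {"scope-group"},
    {"workspace", "tenant-group"}, {"tenant-group", "scope-group"},
]


def classify_scope(grn):
    """Return the kind of a scope GRN, or None if it matches no known shape."""
    for kind, pattern in SCOPE_KINDS.items():
        if pattern.match(grn):
            return kind
    return None


def validate_role_assignment(body):
    """Return a list of problems; an empty list means the body passes every check."""
    problems = []

    principal = body.get("principal", "")
    ptype, sep, pid = principal.partition(":")
    if not sep or ptype not in PRINCIPAL_TYPES or not pid:
        problems.append(f"principal must be {{type}}:{{id}} with a supported type, got {principal!r}")

    role = body.get("role", "")
    if not (role.startswith(ROLE_PREFIX) and len(role) > len(ROLE_PREFIX)):
        problems.append(f"role must be a GRN under {ROLE_PREFIX}, got {role!r}")

    scope = body.get("scope")
    if not isinstance(scope, list) or not 1 <= len(scope) <= 20:
        problems.append("scope must be an array of 1..20 GRN strings")
        return problems  # the per-item checks below assume a list
    if len(set(scope)) != len(scope):
        problems.append("scope contains duplicate entries")

    counts = {}
    for grn in scope:
        kind = classify_scope(grn)
        if kind is None:
            problems.append(f"unrecognised scope GRN {grn!r}")
            continue
        counts[kind] = counts.get(kind, 0) + 1
    for kind, n in counts.items():
        if n > MAX_PER_KIND[kind]:
            problems.append(f"{n} {kind} scopes exceed the limit of {MAX_PER_KIND[kind]}")
    if counts and set(counts) not in ALLOWED_COMBINATIONS:
        problems.append(f"scope combination {sorted(counts)} is not permitted")
    return problems


# The request body shown on this page (Tenant Group + Scope Group).
PAGE_BODY = {
    "principal": "user:123981y2zxhiz1890",
    "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
    "scope": [
        "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
        "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c",
    ],
}

# Constructed counter-example: unsupported principal type and Workspace + Scope Group.
BAD_BODY = {
    "principal": "admin:123981y2zxhiz1890",
    "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
    "scope": [
        "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60",
        "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c",
    ],
}

if __name__ == "__main__":
    for name, body in (("page body", PAGE_BODY), ("bad body", BAD_BODY)):
        print(name, "->", validate_role_assignment(body) or "ok")
```

Run the check in the tooling that assembles the body, then POST only when the list is empty; the service remains the authority, and the checks above only catch the failures the reference spells out.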

Responses

Created

Headers

Location (string)

URL to the newly created resource.

Body (application/json)

id (string, uuid; read-only, required)

type (string; read-only, required)

The type of the resource.

Value: "authorization/role-assignment"
Example: "authorization/role-assignment"

principal (string, required)

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"

scope (array of strings, 1..20 items, required)

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]

role (string, required)

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"

principalMetadata (object; read-only, required)

principalMetadata.id (string, required)

The unique identifier of the principal.

Example: "123981y2zxhiz1890"

principalMetadata.type (string, required)

The type of the principal.

Enum: "identity/user", "identity/user-group", "identity/api-client"

roleMetadata (object; read-only, required)

roleMetadata.id (string, uuid, required)

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"

roleMetadata.type (string, required)

The type of the role.

Example: "authorization/role"

generation (integer, int64; read-only, required)

createdAt (string, date-time; read-only, required)

updatedAt (string, date-time; read-only, required)

Response (application/json)

{
  "id": "05f2523c-fe03-47fc-981b-9c4333a37b01",
  "type": "authorization/role-assignment",
  "principal": "user:123981y2zxhiz1890",
  "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
  "scope": [
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60"
  ],
  "principalMetadata": {
    "id": "123981y2zxhiz1890",
    "type": "identity/user"
  },
  "roleMetadata": {
    "id": "e54415a9-4f46-43c0-893e-67ec778c6c45",
    "type": "authorization/role"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Retrieve all role assignments

Request

Retrieves role assignments by applying OData 4.0 filters. Use the filter parameter to provide a filter string. Only the "in" and "and" operators are supported, on the role, scope and principal attributes.

Example request:

/authorization/v1beta1/role-assignments?filter=role in ('grn:glp/providers/authorization/roles/storageservices.LimitedAdmin') and principal in ('user:123981y2zxhiz1890')

Note:
- No duplicate attributes in the OData filter: each attribute (role, scope, principal) may appear only once in the filter expression. Repeating an attribute results in a 400 Bad Request error.
- Supported operators: only the "in" and "and" operators are supported.

Security: bearerAuth

Query

limit (integer, <= 200)

Total number of results to be returned.

Default: 100

offset (integer)

Zero-based resource offset to start the response from.

Default: 0

filter (string)

The filter query parameter is used to filter the set of resources returned in a collection-level GET. The returned set of resources matches the criteria in the filter query parameter.

Supports the "in" and "and" operators on the role, scope and principal attributes.

Example: filter=role in ('grn:glp/providers/authorization/roles/storageservices.LimitedAdmin') and principal in ('user:123981y2zxhiz1890')

curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'
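Two details of this operation bite in practice: a filter that repeats an attribute is rejected with a 400, and a collection larger than limit (at most 200) has to be walked with offset using the count and total fields of each response. The following is an added example, not HPE code, that builds a filter string under the documented rules and pages through the collection. The HTTP call is abstracted as a fetch_page(params) callable so the logic runs offline; make_fake_api and FAKE_ITEMS are a constructed in-memory stand-in, not the live service. Passing several values to one "in" clause is standard OData list syntax, but the page only shows single values, so treat that as an assumption.

```python
"""Filter construction and pagination for
GET /authorization/v1beta1/role-assignments.

Added example, not HPE code. Encodes the documented rules: only the "in"
and "and" operators, each of role/scope/principal at most once, limit <= 200
(default 100), zero-based offset, responses carrying items/count/total/offset.
"""
from urllib.parse import urlencode

FILTER_ATTRIBUTES = ("role", "scope", "principal")
MAX_LIMIT = 200


def build_filter(**criteria):
    """Build "attr in (...) and attr in (...)" from attribute -> list of values.

    Keyword arguments cannot repeat, so the one-occurrence-per-attribute rule
    holds by construction; unknown attributes and empty value lists are rejected.
    """
    clauses = []
    for attr, values in criteria.items():
        if attr not in FILTER_ATTRIBUTES:
            raise ValueError(f"unsupported filter attribute {attr!r}")
        if not values:
            raise ValueError(f"no values given for {attr!r}")
        # OData escapes a single quote inside a string literal by doubling it.
        quoted = ", ".join("'" + v.replace("'", "''") + "'" for v in values)
        clauses.append(f"{attr} in ({quoted})")
    return " and ".join(clauses)


def query_string(limit=100, offset=0, filter_str=None):
    """Percent-encode the query; the filter contains spaces, quotes and parentheses."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be 1..{MAX_LIMIT}")
    params = {"limit": limit, "offset": offset}
    if filter_str:
        params["filter"] = filter_str
    return urlencode(params)


def iter_role_assignments(fetch_page, filter_str=None, limit=100):
    """Yield every item, advancing offset by count until total is reached."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be 1..{MAX_LIMIT}")
    offset = 0
    while True:
        params = {"limit": limit, "offset": offset}
        if filter_str:
            params["filter"] = filter_str
        page = fetch_page(params)
        yield from page["items"]
        offset = page["offset"] + page["count"]
        # Stop on an empty page as well, so a misbehaving server cannot loop us forever.
        if page["count"] == 0 or offset >= page["total"]:
            break


def externally_sourced(items):
    """Audit helper: the assignments whose source is EXTERNAL rather than LOCAL."""
    return [item for item in items if item.get("source") == "EXTERNAL"]


# Constructed in-memory collection standing in for the service (not real data).
FAKE_ITEMS = [
    {
        "id": f"00000000-0000-4000-8000-00000000000{i}",
        "type": "authorization/role-assignment",
        "principal": principal,
        "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
        "scope": ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70"],
        "source": source,
    }
    for i, (principal, source) in enumerate([
        ("user:a", "LOCAL"), ("user:b", "EXTERNAL"), ("api-client:c", "LOCAL"),
        ("user-group:d", "EXTERNAL"), ("user:e", "LOCAL"),
    ])
]


def make_fake_api(items):
    """Return (fetch_page, calls): a stand-in server that slices items by offset/limit."""
    calls = []

    def fetch_page(params):
        calls.append(dict(params))
        off, lim = params["offset"], params["limit"]
        chunk = items[off:off + lim]
        return {"items": chunk, "count": len(chunk), "total": len(items), "offset": off}

    return fetch_page, calls


if __name__ == "__main__":
    flt = build_filter(role=["grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"])
    fetch, calls = make_fake_api(FAKE_ITEMS)
    found = list(iter_role_assignments(fetch, filter_str=flt, limit=2))
    print(query_string(limit=2, filter_str=flt))
    print(len(found), "assignments in", len(calls), "pages;",
          len(externally_sourced(found)), "external")
```

For a periodic review of who holds what, run the iterator with a filter on a privileged role and feed the items to whatever reporting you use; the fake API only exercises the paging arithmetic and is replaced by a real HTTP call that sends the bearer token.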

Responses

OK

Body (application/json)

items (array of RoleAssignmentGetV1beta1 objects, <= 200 items, required)

items[].id (string, uuid; read-only, required)

items[].type (string; read-only, required)

The type of the resource.

Value: "authorization/role-assignment"
Example: "authorization/role-assignment"

items[].principal (string, required)

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"

items[].scope (array of strings, 1..20 items, required)

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]

items[].role (string, required)

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"

items[].principalMetadata (object; read-only, required)

items[].principalMetadata.id (string, required)

The unique identifier of the principal.

Example: "123981y2zxhiz1890"

items[].principalMetadata.type (string, required)

The type of the principal.

Enum: "identity/user", "identity/user-group", "identity/api-client"

items[].roleMetadata (object; read-only, required)

items[].roleMetadata.id (string, uuid, required)

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"

items[].roleMetadata.type (string, required)

The type of the role.

Example: "authorization/role"

items[].generation (integer, int64; read-only, required)

items[].createdAt (string, date-time; read-only, required)

items[].updatedAt (string, date-time; read-only, required)

items[].source (string, Source)

Enum: "LOCAL", "EXTERNAL"

offset (integer, required)

count (integer, required)

total (integer, required)

Response (application/json)

{
  "items": [
    {}
  ],
  "count": 1,
  "total": 1,
  "offset": 0
}

Retrieve a role assignment instance by ID

Request

Security: bearerAuth

Path

id (string, uuid; read-only, required)

The role assignment instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/role-assignments.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body (application/json)

id (string, uuid; read-only, required)

type (string; read-only, required)

The type of the resource.

Value: "authorization/role-assignment"
Example: "authorization/role-assignment"

principal (string, required)

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"

scope (array of strings, 1..20 items, required)

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]

role (string, required)

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"

principalMetadata (object; read-only, required)

principalMetadata.id (string, required)

The unique identifier of the principal.

Example: "123981y2zxhiz1890"

principalMetadata.type (string, required)

The type of the principal.

Enum: "identity/user", "identity/user-group", "identity/api-client"

roleMetadata (object; read-only, required)

roleMetadata.id (string, uuid, required)

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"

roleMetadata.type (string, required)

The type of the role.

Example: "authorization/role"

generation (integer, int64; read-only, required)

createdAt (string, date-time; read-only, required)

updatedAt (string, date-time; read-only, required)

source (string, Source)

Enum: "LOCAL", "EXTERNAL"

Response (application/json)

{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/role-assignment",
  "principal": "user:123981y2zxhiz1890",
  "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
  "scope": [
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
  ],
  "principalMetadata": {
    "id": "123981y2zxhiz1890",
    "type": "identity/user"
  },
  "roleMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "authorization/role"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00",
  "source": "LOCAL"
}

Update a role assignment instance by ID

Request

The request body must contain the id, principal, scope, and role attributes even though they are immutable.

The id can be found in the response body of POST /authorization/v1beta1/role-assignments.

Note: For assistance finding the principal, scope, and role identifiers, see the developer guide.

Security: bearerAuth

Path

id (string, uuid; read-only, required)

The role assignment instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/role-assignments.

Body (application/json, required)

id (string, uuid, required)

Immutable.

principal (string, required)

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"

scope (array of strings, 1..20 items, required)

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]

role (string, required)

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"

curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "principal": "user:123981y2zxhiz1890",
    "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
    "scope": [
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
      "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
    ]
  }'

Responses

OK

Body (application/json)

id (string, uuid; read-only, required)

type (string; read-only, required)

The type of the resource.

Value: "authorization/role-assignment"
Example: "authorization/role-assignment"

principal (string, required)

The security principal identifier {type}:{id}. A principal is the entity that receives a role. The supported types are user, user-group, and api-client.

Example: "user:123981y2zxhiz1890"

scope (array of strings, 1..20 items, required)

Fully qualified scope string in GRN syntax. A scope is the specific resource or set of resources to which the role and its permissions apply. The scopes can be at the workspace level (limited to 1), tenant groups (up to 10), and scope groups (up to 10), and can be combined: Workspace + Tenant Group or Tenant Group + Scope Group.

Example: ["grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d","grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"]

role (string, required)

The unique role identifier in GRN syntax. A role is a collection of permissions defining what actions the principal can perform.

Example: "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin"

principalMetadata (object; read-only, required)

principalMetadata.id (string, required)

The unique identifier of the principal.

Example: "123981y2zxhiz1890"

principalMetadata.type (string, required)

The type of the principal.

Enum: "identity/user", "identity/user-group", "identity/api-client"

roleMetadata (object; read-only, required)

roleMetadata.id (string, uuid, required)

The unique identifier of the role.

Example: "44f0443c-fd03-47fc-981b-9c4333a37b44"

roleMetadata.type (string, required)

The type of the role.

Example: "authorization/role"

generation (integer, int64; read-only, required)

createdAt (string, date-time; read-only, required)

updatedAt (string, date-time; read-only, required)

Response (application/json)

{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/role-assignment",
  "principal": "user:123981y2zxhiz1890",
  "role": "grn:glp/providers/authorization/roles/storageservices.LimitedAdmin",
  "scope": [
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/msp/tenant-groups/d88d38c9-8cf7-4ab8-a808-126b47bb787d",
    "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/21e582d3-fb24-4162-9fca-350defe24d3c"
  ],
  "principalMetadata": {
    "id": "123981y2zxhiz1890",
    "type": "identity/user"
  },
  "roleMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "authorization/role"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Delete a role assignment instance by ID

Request

Security: bearerAuth

Path

id (string, uuid; read-only, required)

The role assignment instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/role-assignments.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/role-assignments/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No content

Response
No content

Scope Groups

A scope group is composed of scopes and allows a single role assignment against multiple scopes.

Known limitations

  • There is a maximum of 500 scopes per Scope Group.
  • There is a maximum of 500 Scope Groups per workspace.

Operations