HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/authorization/public/openapi/authz-v1beta1/external-authz-v2-config/

Roles

Roles are created in a Workspace, typically by an IAM administrator. They may be created by a Resource Provider (RP) if the RP has been granted the required privileges in the Workspace.

Requirements

  • Roles must include at least one inline permission.

Known limitations

  • There is a maximum of 100 Roles per workspace (in addition to the global predefined roles).

Operations

Create a role

Request

This endpoint creates a new role within the workspace context of the caller.

Security
bearerAuth
Body: application/json, required
name: string, <= 100 characters, required

Friendly name for user interface. Allowed char set is [a-z A-Z 0-9 -(dash) (space)]

Example: "Storage Limited Admin"
description: string, <= 256 characters
Example: "Storage Limited Admin"
curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/roles \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Storage Limited Admin"
  }'

Responses

Created

Headers
Location: string

URL to the newly created resource.

Body: application/json
id: string (uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
name: string, <= 100 characters, required

Friendly name for user interface. Allowed char set is [a-z A-Z 0-9 -(dash) (space)]

Example: "Storage Limited Admin"
generation: integer (int64) (Generation), read-only, required
grn: string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
createdAt: string (date-time) (CreatedAt), read-only, required
updatedAt: string (date-time) (UpdatedAt), read-only, required
slug: string, read-only

Defined only for PREDEFINED roles.

Example: ""
description: string, <= 256 characters
Example: "Storage Limited Admin"
releaseStage: string, read-only

Empty string for CUSTOM roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
kind: string (CustomKindV1beta1), read-only
Value: "CUSTOM"
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/role",
  "slug": "",
  "name": "Storage Limited Admin",
  "description": "Storage Limited Admin",
  "releaseStage": "",
  "kind": "CUSTOM",
  "generation": 1,
  "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002",
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}
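As an added example (not part of the HPE reference and not HPE's client code), the following Python applies the request schema above on the client side before the POST is sent and sanity-checks the 201 body afterwards: it enforces the documented name character set and the 100/256-character limits, builds the request body, and parses the GRN from the response to confirm the role was created in the workspace the caller expected. The GRN segment names workspace, region and role_id are labels chosen here, not API field names; the sample values are the ones shown on this page.

```python
import re
from typing import Dict, List

# Limits copied from the "Create a role" request schema on this page.
NAME_MAX_LEN = 100
DESCRIPTION_MAX_LEN = 256
# Documented allowed set for `name`: a-z, A-Z, 0-9, dash and space.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 -]+$")

# Segment layout taken from the `grn` example above; the group names
# (workspace, region, role_id) are our own labels, not API field names.
GRN_PATTERN = re.compile(
    r"^grn:glp/workspaces/(?P<workspace>[0-9a-fA-F]+)"
    r"/regions/(?P<region>[^/]+)"
    r"/providers/authorization/custom-roles/(?P<role_id>[0-9a-fA-F-]+)$"
)


def validate_role_request(name: str, description: str = "") -> List[str]:
    """Return every schema violation found; an empty list means the body is valid."""
    problems: List[str] = []
    if not name:
        problems.append("name is required")
    elif len(name) > NAME_MAX_LEN:
        problems.append(f"name exceeds {NAME_MAX_LEN} characters")
    elif not NAME_PATTERN.match(name):
        problems.append("name contains characters outside [a-zA-Z0-9 -]")
    if len(description) > DESCRIPTION_MAX_LEN:
        problems.append(f"description exceeds {DESCRIPTION_MAX_LEN} characters")
    return problems


def build_role_request(name: str, description: str = "") -> Dict[str, str]:
    """Build the JSON body for POST /authorization/v1beta1/roles, or raise ValueError."""
    problems = validate_role_request(name, description)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"name": name}
    if description:
        body["description"] = description
    return body


def parse_grn(grn: str) -> Dict[str, str]:
    """Split a custom-role GRN into its workspace, region and role-id segments."""
    match = GRN_PATTERN.match(grn)
    if not match:
        raise ValueError(f"unrecognised GRN: {grn!r}")
    return match.groupdict()


def check_created_role(response: Dict, expected_workspace: str) -> Dict[str, str]:
    """Validate a 201 body before trusting it: the resource must be a CUSTOM
    authorization/role and its GRN must sit in the workspace we asked for,
    which catches a token scoped to the wrong workspace early."""
    if response.get("type") != "authorization/role":
        raise ValueError(f"unexpected type {response.get('type')!r}")
    if response.get("kind") != "CUSTOM":
        raise ValueError(f"expected a CUSTOM role, got {response.get('kind')!r}")
    parts = parse_grn(response["grn"])
    if parts["workspace"].lower() != expected_workspace.lower():
        raise ValueError("role was created in workspace "
                         f"{parts['workspace']}, not {expected_workspace}")
    return parts


if __name__ == "__main__":
    # Constructed sample: the example values shown on this page.
    print(build_role_request("Storage Limited Admin", "Storage Limited Admin"))
    sample = {
        "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
        "type": "authorization/role",
        "kind": "CUSTOM",
        "grn": ("grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default"
                "/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"),
    }
    print(check_created_role(sample, "428466023dbe11eeb7837e8589f701ca"))
```

The workspace comparison is the part worth keeping in a real client: a bearer token for the wrong workspace produces a perfectly well-formed 201 whose GRN simply points somewhere else.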

Retrieve all roles

Request

Retrieves roles by applying OData 4.0 filters. Use the filter parameter to provide a filter string. Supports the in operator on the kind and grn attributes.
Example Request:
/authorization/v1beta1/roles?filter=kind in ('PREDEFINED')

Note:
- No duplicate attributes in the OData filter: each attribute (kind, grn) can appear only once in the filter expression. Multiple occurrences result in a 400 Bad Request error.
- Supported operators: only the in operator is supported.

Security
bearerAuth
Query
filter: string

OData style filter for filtering roles. Supports the in operator on the kind and grn attributes.

Example: filter=kind in ("PREDEFINED")
sort: string

Sort results by a single attribute, optionally with a sorting direction of ascending (asc). Sorting is valid only for the slug and name attributes. If omitted, the default sorting direction is ascending and the default sorting attribute is name.

Example: sort=name asc
limit: integer, <= 200

Total number of results to be returned

Default 100
offset: integer

Zero-based resource offset to start the response from

Default 0
curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/roles \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'
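Added example, not code from the HPE reference: a small Python helper that checks a filter string against the two constraints documented above (only the in operator; each of kind and grn at most once) before it is sent, assembles the query string within the documented limit/offset/sort bounds, and pages through results using the response's count/total/offset fields. It assumes clauses are joined with OData's and, which the page implies but does not show; the fetch function and the sample roles are constructed stand-ins so the example runs offline.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://global.api.greenlake.hpe.com/authorization/v1beta1/roles"
FILTERABLE = {"kind", "grn"}   # the only attributes the page allows in `filter`
SORTABLE = {"slug", "name"}    # the only attributes the page allows in `sort`
MAX_LIMIT = 200

# One clause of the only supported shape: <attr> in (<quoted values>).
# Both quote styles appear in the page's examples, so both are accepted.
_QUOTED = r"(?:'[^']*'|\"[^\"]*\")"
CLAUSE = re.compile(rf"^\s*(\w+)\s+in\s*\(\s*{_QUOTED}(?:\s*,\s*{_QUOTED})*\s*\)\s*$")


def filter_error(expr: str) -> Optional[str]:
    """Return why the endpoint would answer 400 for this filter, or None if it
    is acceptable. Clauses are assumed (not shown on the page) to be combined
    with OData's `and`."""
    seen = set()
    for clause in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        match = CLAUSE.match(clause)
        if not match:
            return f"unsupported clause (only the in operator is allowed): {clause!r}"
        attr = match.group(1)
        if attr not in FILTERABLE:
            return f"attribute {attr!r} cannot be filtered on"
        if attr in seen:
            return f"attribute {attr!r} appears more than once"
        seen.add(attr)
    return None


def build_list_url(filter_expr: Optional[str] = None, sort: Optional[str] = None,
                   limit: int = 100, offset: int = 0) -> str:
    """Assemble GET /authorization/v1beta1/roles with every query parameter
    checked against the documented constraints before anything leaves the client."""
    params: Dict[str, str] = {}
    if filter_expr:
        problem = filter_error(filter_expr)
        if problem:
            raise ValueError(problem)
        params["filter"] = filter_expr
    if sort:
        attr, _, direction = sort.partition(" ")
        if attr not in SORTABLE or direction not in ("", "asc"):
            raise ValueError(f"unsupported sort {sort!r}: only {sorted(SORTABLE)}, ascending")
        params["sort"] = sort
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if offset < 0:
        raise ValueError("offset must be zero or positive")
    params["limit"] = str(limit)
    params["offset"] = str(offset)
    return f"{BASE_URL}?{urlencode(params)}"


def iter_roles(fetch: Callable[[str], Dict], filter_expr: Optional[str] = None,
               sort: Optional[str] = None, limit: int = MAX_LIMIT) -> Iterator[Dict]:
    """Walk the offset/limit pages using the response's own count/total/offset
    fields, so a short or empty page ends the loop instead of looping forever."""
    offset = 0
    while True:
        page = fetch(build_list_url(filter_expr, sort, limit, offset))
        yield from page["items"]
        offset = page["offset"] + page["count"]
        if page["count"] == 0 or offset >= page["total"]:
            return


def make_fake_fetch(roles: List[Dict]) -> Callable[[str], Dict]:
    """Constructed offline stand-in for the HTTP GET: slices an in-memory role
    list the way the real endpoint pages and returns the documented envelope."""
    def fetch(url: str) -> Dict:
        query = parse_qs(urlparse(url).query)
        limit = int(query["limit"][0])
        offset = int(query["offset"][0])
        items = roles[offset:offset + limit]
        return {"items": items, "count": len(items), "total": len(roles), "offset": offset}
    return fetch


if __name__ == "__main__":
    # Constructed sample data: five predefined roles, fetched two per page.
    sample = [{"id": f"role-{i}", "kind": "PREDEFINED"} for i in range(5)]
    fetched = list(iter_roles(make_fake_fetch(sample), "kind in ('PREDEFINED')", limit=2))
    print(len(fetched), "roles over", (len(sample) + 1) // 2, "pages")
```

Rejecting a malformed filter locally costs nothing and keeps 400 responses out of the audit trail; the pagination loop deliberately trusts the server's offset and count rather than its own arithmetic, so a page shorter than limit ends the walk cleanly.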

Responses

OK

Body: application/json
items: Array of objects (RoleGetV1beta1), <= 200 items, required
items[].id: string (uuid) (UUID), read-only, required
items[].source: string, read-only, required

Source of the role.

Enum: "LOCAL", "EXTERNAL"
Example: "LOCAL"
items[].type: string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
items[].name: string, <= 100 characters, required

Friendly name for user interface. Allowed char set is [a-z A-Z 0-9 -(dash) (space)]

Example: "Storage Limited Admin"
items[].kind: string (KindV1beta1), required
Enum: "CUSTOM", "PREDEFINED"
items[].generation: integer (int64) (Generation), read-only, required
items[].grn: string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
items[].createdAt: string (date-time) (CreatedAt), read-only, required
items[].updatedAt: string (date-time) (UpdatedAt), read-only, required
items[].slug: string, <= 64 characters

Empty for CUSTOM roles. Unique name for PREDEFINED roles, formed as the provider name followed by the role name (i.e. <providerName>.<name>).

Example: ""
items[].description: string, <= 256 characters
Example: "Storage Limited Admin"
items[].releaseStage: string, read-only

It is only defined for PREDEFINED roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
count: integer (Count), required
total: integer (Total), required
offset: integer (Offset), required
Response
application/json
{
  "items": [ {} ],
  "count": 1,
  "total": 1,
  "offset": 0
}

Get a role instance by ID

Request

Security
bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
id: string (uuid) (UUID), read-only, required
source: string, read-only, required

Source of the role.

Enum: "LOCAL", "EXTERNAL"
Example: "LOCAL"
type: string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
name: string, <= 100 characters, required

Friendly name for user interface. Allowed char set is [a-z A-Z 0-9 -(dash) (space)]

Example: "Storage Limited Admin"
kind: string (KindV1beta1), required
Enum: "CUSTOM", "PREDEFINED"
generation: integer (int64) (Generation), read-only, required
grn: string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
createdAt: string (date-time) (CreatedAt), read-only, required
updatedAt: string (date-time) (UpdatedAt), read-only, required
slug: string, <= 64 characters

Empty for CUSTOM roles. Unique name for PREDEFINED roles, formed as the provider name followed by the role name (i.e. <providerName>.<name>).

Example: ""
description: string, <= 256 characters
Example: "Storage Limited Admin"
releaseStage: string, read-only

It is only defined for PREDEFINED roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "source": "LOCAL",
  "type": "authorization/role",
  "slug": "",
  "name": "Storage Limited Admin",
  "description": "Storage Limited Admin",
  "releaseStage": "",
  "kind": "CUSTOM",
  "generation": 1,
  "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002",
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Update a role instance by ID

Request

Security
bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Body: application/json, required
id: string (uuid), required

Immutable

name: string, <= 100 characters, required

Friendly name for user interface. Allowed char set is [a-z A-Z 0-9 -(dash) (space)]

Example: "Storage Limited Admin"
description: string, <= 256 characters
Example: "Storage Limited Admin"
curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "name": "Storage Limited Admin"
  }'

Responses

OK

Body: application/json
id: string (uuid), required

Immutable

type: string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
name: string, <= 100 characters, required

Friendly name for user interface. Allowed char set is [a-z A-Z 0-9 -(dash) (space)]

Example: "Storage Limited Admin"
generation: integer (int64) (Generation), read-only, required
grn: string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
createdAt: string (date-time) (CreatedAt), read-only, required
updatedAt: string (date-time) (UpdatedAt), read-only, required
slug: string, read-only

Defined only for PREDEFINED roles.

Example: ""
description: string, <= 256 characters
Example: "Storage Limited Admin"
releaseStage: string, read-only

Empty string for CUSTOM roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
kind: string (CustomKindV1beta1), read-only
Value: "CUSTOM"
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/role",
  "slug": "",
  "name": "Storage Limited Admin",
  "description": "Storage Limited Admin",
  "releaseStage": "",
  "kind": "CUSTOM",
  "generation": 1,
  "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002",
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Delete a role instance by ID

Request

Security
bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No Content

Response
No content

Retrieve the role permission list

Request

The permission list is sorted by the permission slug string alphabetically by default.

Security
bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Query
limit: integer, <= 200

The total number of results to be returned. If the parameter is not provided, it will return all records found.

Default 0
offset: integer

Zero-based resource offset to start the response from

Default 0
sort: string

Sort results by a single attribute, optionally with a sorting direction of ascending (asc) or descending (desc). Sorting is valid only for the id attribute (the permission slug string). If omitted, the default sorting direction is ascending.

Example: sort=id desc
curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}/permissions' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items: Array of objects (RolePermissionsGetV1beta1), required
items[].id: string, required

The permission slug string

Example: "compute.server.edit"
items[].type: string, read-only, required
Value: "authorization/permission"
Example: "authorization/permission"
offset: integer (Offset), required
count: integer (Count), required
total: integer (Total), required
Response
application/json
{
  "items": [ {} ],
  "count": 1,
  "total": 1,
  "offset": 0
}

Add items to the role permission list

Request

Use to add items to a role permission list. This operation is synchronous and non-atomic. Note: for help finding the permission identifiers, see the developer guide.

Security
bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Body: application/json, required
items: Array of objects (RolePermissionsV1beta1), <= 1000 items, required
items[].id: string, required

The permission slug string

Example: "compute.server.edit"
curl -i -X POST \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}/permissions/batch' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "compute.server.edit"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required
Example: 1
errorCount: integer, required
Example: 1
successes: Array of objects (RolePermissionsIdsAddV1beta1), required
successes[].id: string, required

The permission slug string

Example: "compute.server.edit"
errors: Array of objects (RolePermissionsAddErrorsV1beta1), required
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId: string (DebugId), required
errors[].errorDetails: Array of objects (RetryData)

Additional detailed information about the error

Response
application/json
{
  "successCount": 1,
  "errorCount": 1,
  "successes": [ {} ],
  "errors": [ {} ]
}

Delete items from the role permission list

Request

The ID of the permission to be deleted can be found in the response body of GET /authorization/v1beta1/roles/{id}/permissions/batch. This operation is synchronous and atomic.

Security
bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Body: application/json, required
items: Array of objects (RolePermissionsIdsV1beta1), <= 1000 items, required
items[].id: string, required

The permission slug string

Example: "compute.server.edit"
curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}/permissions/bulk' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "compute.server.edit"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required
Example: 1
errorCount: integer, required
Example: 1
successes: Array of objects (RolePermissionsIdsV1beta1), required
successes[].id: string, required

The permission slug string

Example: "compute.server.edit"
errors: Array of objects (RolePermissionsIdsErrorsV1beta1), required
errors[].id: string, required

The permission slug that caused the error

Example: "compute.server.read"
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId: string (DebugId), required
errors[].errorDetails: Array of objects (RetryData)

Additional detailed information about the error

Response
application/json
{
  "successCount": 1,
  "errorCount": 1,
  "successes": [ {} ],
  "errors": [ {} ]
}
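Both batch endpoints above (add and delete) answer 200 with successCount/errorCount even when part of the batch failed, and the add operation is documented as non-atomic. As an added example (not HPE's code), this Python reconciles a batch response against what was requested, chunks large permission lists to the documented <= 1000 items limit, and guards a delete so it cannot strip the last permission from a role, which the Roles section requires. It relies on one detail visible in the schemas: the delete error objects carry the offending id, the add error objects do not, so for add the slugs to resubmit must be derived by set difference. The response bodies inside the block are constructed from this page's examples.

```python
from typing import Dict, Iterable, List, Set, Tuple

BATCH_MAX_ITEMS = 1000  # `items` limit on both batch endpoints above


def chunk_permission_ids(slugs: Iterable[str], size: int = BATCH_MAX_ITEMS) -> List[Dict]:
    """Turn a flat list of permission slugs into request bodies that respect the
    <= 1000 items limit. Duplicates are dropped first, so one slug is never
    submitted twice to an operation documented as non-atomic."""
    unique = list(dict.fromkeys(slugs))
    return [{"items": [{"id": slug} for slug in unique[i:i + size]]}
            for i in range(0, len(unique), size)]


def reconcile_batch_response(requested: Iterable[str],
                             response: Dict) -> Tuple[Set[str], Dict[str, Dict], Set[str]]:
    """Split the slugs we sent into confirmed, failed-with-detail and unaccounted-for.
    A 200 with errorCount > 0 is a partial result, not success. Delete errors
    carry the offending `id`; add errors (see the schema above) do not, so for
    add every unconfirmed slug ends up in the third set."""
    requested = set(requested)
    successes = response.get("successes", [])
    errors = response.get("errors", [])
    if response["successCount"] != len(successes) or response["errorCount"] != len(errors):
        raise ValueError("successCount/errorCount disagree with the lists returned")
    confirmed = {s["id"] for s in successes} & requested
    failed = {e["id"]: e for e in errors if "id" in e}
    unaccounted = requested - confirmed - set(failed)
    return confirmed, failed, unaccounted


def retryable(error: Dict) -> bool:
    """Server-side (5xx) failures like the HPE_GL_ERROR_INTERNAL_SERVER_ERROR
    example are worth resubmitting; a 4xx means the request itself must change."""
    return 500 <= error.get("httpStatusCode", 0) < 600


def slugs_to_retry(requested: Iterable[str], response: Dict) -> Set[str]:
    """Everything not confirmed, minus slugs the server rejected with a 4xx."""
    confirmed, failed, unaccounted = reconcile_batch_response(requested, response)
    return unaccounted | {slug for slug, err in failed.items() if retryable(err)}


def guard_delete(current: Set[str], to_delete: Iterable[str]) -> List[str]:
    """Client-side check before DELETE .../permissions/bulk: refuse to remove
    slugs the role does not hold, and refuse to empty the role, since the Roles
    section requires at least one inline permission per role."""
    to_delete = set(to_delete)
    unknown = to_delete - current
    if unknown:
        raise ValueError(f"role does not hold: {sorted(unknown)}")
    if not current - to_delete:
        raise ValueError("delete would leave the role with no permissions")
    return sorted(to_delete)


if __name__ == "__main__":
    # Constructed sample: an add response mirroring the example body above,
    # where one slug was applied and one failed with a 500.
    add_response = {
        "successCount": 1, "errorCount": 1,
        "successes": [{"id": "compute.server.edit"}],
        "errors": [{"httpStatusCode": 500,
                    "errorCode": "HPE_GL_ERROR_INTERNAL_SERVER_ERROR",
                    "message": "The server encountered an unexpected condition "
                               "which prevented it from fulfilling the request",
                    "debugId": "debug-id-placeholder"}],
    }
    print(slugs_to_retry(["compute.server.edit", "compute.server.read"], add_response))
```

Treating a 200 with errorCount > 0 as "done" is how a custom role ends up with fewer permissions than the change request recorded; reconciling against the requested set, and re-reading GET .../permissions afterwards, is the check that closes the gap.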

Role Assignments

Role assignments are composed of three pieces: principal, role, and scope. A role assignment associates a user, group, or service (the principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources), granting that principal access and defining its responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.

Operations

Scope Groups

A scope group is composed of scopes and allows a single role assignment against multiple scopes.

Known limitations

  • There is a maximum of 500 scopes per Scope Group.
  • There is a maximum of 500 Scope Groups per workspace.

Operations