HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/authorization/public/openapi/authz-v1beta1/external-authz-v2-config/

Roles

Roles are created in a Workspace, typically by an IAM administrator. They may be created by a Resource Provider (RP) if the RP has been granted the required privileges in the Workspace.

Requirements

  • Roles must include at least one inline permission.

Known limitations

  • There is a max limit of 100 Roles per workspace (in addition to the global predefined roles).

Operations

Role Assignments

Role assignments are composed of three pieces (principal, role, and scope). Role assignments associate a user, group, or service (principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources) to grant them access and specify their responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.

Operations

Scope Groups

A scope group is composed of scopes and allows a single role assignment against multiple scopes.

Known limitations

  • There is a max limit of 500 scopes per Scope Group.
  • There is a max limit of 500 Scope Groups per workspace.

Operations

Create a scope group

Request

A scope group is a collection of scopes that can be assigned to a role assignment. This allows a single role assignment to cover multiple scopes.

Note:

  • A scope group cannot contain another scope group (no nesting). Once created, a scope group will belong to an organization/workspace based on the caller context. The returned grn attribute will include this context and can be used as a globally unique identifier.

Security
bearerAuth
Body: application/json, required
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "sg1"
  }'

Responses

Created

Headers
Location: string

URL to the newly created resource.

Body: application/json
id: string (uuid), UUID, read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
generation: integer (int64), Generation, read-only
createdAt: string (date-time), CreatedAt, read-only
updatedAt: string (date-time), UpdatedAt, read-only
Response
application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/scope-group", "name": "sg1", "description": "This group gives access to resource \"host/123\"", "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78", "generation": 1, "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Retrieve all scope groups

Request

Retrieves scope groups by applying OData 4.0 filters. Use the filter parameter to provide a filter string. Supports the in operator on the name or grn attributes.

Example Request:
/authorization/v1beta1/scope-groups?filter=grn in ('grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/123')

Note:
- Supported operators: Only the in operator is supported.

Security
bearerAuth
Query
limit: integer, <= 30

Total number of results to be returned. If the parameter is not provided, it will return all records found.

Default 0
offset: integer

Zero-based resource offset to start the response from.

Default 0
filter: string

OData style filter for filtering scope groups. Supports the in operator on the name or grn attributes.

Example: filter=grn in ('grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/123')
sort: string

Sort results by a single attribute and allow setting a sorting direction as ascending (asc) or descending (desc). Sorting is valid only for the name attribute. Default sorting direction if omitted is ascending.

Example: sort=name desc
curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items: array of objects (ScopeGroupV1beta1), required
items[].id: string (uuid), UUID, read-only, required
items[].type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
items[].name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
items[].description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
items[].grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
items[].generation: integer (int64), Generation, read-only
items[].createdAt: string (date-time), CreatedAt, read-only
items[].updatedAt: string (date-time), UpdatedAt, read-only
offset: integer, Offset, required
count: integer, Count, required
total: integer, Total, required
Response
application/json
{ "items": [ {} ], "count": 1, "total": 1, "offset": 0 }
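
Building the filter query string described above, as an added example that is not part of the HPE documentation: it checks names against the documented rules, quotes values for the in operator and percent-encodes the result. Doubling an embedded single quote follows OData 4.0 string-literal syntax and is assumed to be honoured by this API; the function names are hypothetical.

```python
from urllib.parse import quote, urlencode

FORBIDDEN_NAME_CHARS = set("&<>|:,")   # listed on this page as not allowed
FILTERABLE = ("name", "grn")           # attributes the in operator supports
MAX_LIMIT = 30                         # documented cap for this endpoint


def validate_name(name: str) -> str:
    """Return name unchanged, or raise ValueError if it breaks a documented rule."""
    if len(name) > 150:
        raise ValueError("name is longer than 150 characters")
    if name != name.strip(" "):
        raise ValueError("name has a leading or trailing space")
    bad = FORBIDDEN_NAME_CHARS.intersection(name)
    if bad:
        raise ValueError(f"name contains disallowed characters: {sorted(bad)}")
    return name


def odata_in_filter(attribute: str, values: list[str]) -> str:
    """Build "<attribute> in ('v1', 'v2')" with OData quote doubling."""
    if attribute not in FILTERABLE:
        raise ValueError(f"filtering is only supported on {FILTERABLE}")
    if not values:
        raise ValueError("at least one value is required")
    # Assumption: the service follows OData 4.0, where ' inside a literal is ''.
    literals = ", ".join("'" + v.replace("'", "''") + "'" for v in values)
    return f"{attribute} in ({literals})"


def scope_groups_query(attribute: str, values: list[str],
                       limit: int = MAX_LIMIT, offset: int = 0) -> str:
    """Return the percent-encoded request path and query string."""
    if not 1 <= limit <= MAX_LIMIT or offset < 0:
        raise ValueError("limit must be 1..30 and offset must be >= 0")
    if attribute == "name":
        values = [validate_name(v) for v in values]
    params = {"filter": odata_in_filter(attribute, values),
              "limit": limit, "offset": offset}
    return "/authorization/v1beta1/scope-groups?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    # Constructed input: an apostrophe is legal in a name and must be doubled.
    print(scope_groups_query("name", ["sg1", "ops'team"], limit=10))
```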

Retrieve a scope group instance by ID

Request

Security
bearerAuth
Path
id: string (uuid), UUID, read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
id: string (uuid), UUID, read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
generation: integer (int64), Generation, read-only
createdAt: string (date-time), CreatedAt, read-only
updatedAt: string (date-time), UpdatedAt, read-only
Response
application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/scope-group", "name": "sg1", "description": "This group gives access to resource \"host/123\"", "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78", "generation": 1, "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Update a scope group instance by ID

Request

The request body must contain both the 'id' and 'name' attributes even though they are immutable.

Security
bearerAuth
Path
id: string (uuid), UUID, read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json, required
id: string (uuid), required

The unique identifier. Immutable.

name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "name": "sg1"
  }'

Responses

OK

Body: application/json
id: string (uuid), UUID, read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
generation: integer (int64), Generation, read-only
createdAt: string (date-time), CreatedAt, read-only
updatedAt: string (date-time), UpdatedAt, read-only
Response
application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/scope-group", "name": "sg1", "description": "This group gives access to resource \"host/123\"", "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78", "generation": 1, "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Delete a scope group instance by ID

Request

Security
bearerAuth
Path
id: string (uuid), UUID, read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No Content

Response
No content

Retrieve the scope group scope list

Request

The scope list is sorted by description and GRN alphabetically by default.

Security
bearerAuth
Path
id: string (uuid), UUID, read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Query
limit: integer, <= 200

Total number of results to be returned. If the parameter is not provided, it will return all records found.

Default 0
offset: integer

Zero-based resource offset to start the response from

Default 0
curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items: array of objects (ScopeGroupScopesGetV1beta1), required
items[].id: string (uuid), UUID, read-only, required
items[].type: string, read-only, required

The type of the resource.

Value: "authorization/scope-group/scope"
Example: "authorization/scope-group/scope"
items[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123"
items[].description: string, required
Example: "host 123"
items[].region: string, read-only
Example: "us-east-2"
items[].allScopes: boolean, read-only
Example: false
items[].resourceTypeDisplayName: string, read-only
Example: "Hosts"
offset: integer, Offset, required
count: integer, Count, required
total: integer, Total, required
Response
application/json
{ "items": [ {} ], "count": 1, "total": 1, "offset": 0 }

Add items to the scope group scope list

Request

This operation is synchronous and non-atomic.

Security
bearerAuth
Path
id: string (uuid), UUID, read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json, required
items: array of objects (ScopeGroupScopesV1beta1), <= 500 items, required
items[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123"
items[].description: string, required
Example: "host 123"
curl -i -X POST \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes/batch' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123",
        "description": "host 123"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required
Example: 1
errorCount: integer, required
Example: 1
successes: array of objects (ScopeGroupScopeIdsAddV1beta1), required
successes[].id: string (uuid), UUID, read-only, required
successes[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123"
errors: array of objects (ScopeGroupScopeAddErrorsV1beta1), required
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request."
errors[].debugId: string, DebugId, required
errors[].errorDetails: array of objects (RetryData)

Additional detailed information about the error

Response
application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }
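
Because the add operation is non-atomic, a 200 response can leave the scope group covering fewer scopes than the caller intended, and the documented error objects carry no grn field. The following added example (not HPE's code) finds the scopes that were not added by comparing the request against successes[].grn; the function names and sample data are constructed, and it assumes successCount and errorCount equal the lengths of their arrays.

```python
MAX_ITEMS_PER_REQUEST = 500  # documented cap on "items" per batch request


def chunk_items(items: list[dict], size: int = MAX_ITEMS_PER_REQUEST) -> list[list[dict]]:
    """Split scope items into request bodies that respect the 500-item cap."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def reconcile_batch_add(requested: list[dict], response: dict) -> dict:
    """Compare one batch request against its response body.

    Scopes that were not added are found by subtracting successes[].grn
    from the requested GRNs, since errors[] does not identify them.
    """
    successes, errors = response["successes"], response["errors"]
    if (response["successCount"], response["errorCount"]) != (len(successes), len(errors)):
        raise ValueError("counts do not match the successes/errors arrays")
    wanted = [item["grn"] for item in requested]
    added = {s["grn"] for s in successes}
    if not added <= set(wanted):
        raise ValueError("response reports a GRN that was never requested")
    return {
        "added": sorted(added),
        "not_added": [g for g in wanted if g not in added],
        "debug_ids": [e["debugId"] for e in errors],  # quote these in a support case
        "complete": not errors and len(added) == len(set(wanted)),
    }


# Constructed sample data (not captured from a real workspace).
GRN_PREFIX = ("grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60"
              "/regions/us-east/providers/bmaas/host/")
SAMPLE_REQUEST = [{"grn": GRN_PREFIX + n, "description": "host " + n}
                  for n in ("123", "124", "125")]
SAMPLE_RESPONSE = {
    "successCount": 2, "errorCount": 1,
    "successes": [{"id": "e7b8f8e1-9ad5-432d-a858-499d9f279647", "grn": GRN_PREFIX + "123"},
                  {"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "grn": GRN_PREFIX + "125"}],
    "errors": [{"httpStatusCode": 500,
                "errorCode": "HPE_GL_ERROR_INTERNAL_SERVER_ERROR",
                "message": "constructed example error",
                "debugId": "constructed-debug-id-1"}],
}

if __name__ == "__main__":
    print(reconcile_batch_add(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Treat a result with "complete" set to False as a failed change: retry or roll back the listed GRNs before relying on a role assignment that uses the scope group.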

Delete items from the scope group scope list

Request

The ID of the scope to be deleted can be found in the response body of GET /authorization/v1beta1/scope-groups/{id}/scopes/batch. This operation is synchronous and atomic.

Security
bearerAuth
Path
id: string (uuid), UUID, read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json, required
items: array of objects (ScopeGroupScopeIdsV1beta1), <= 500 items, required
items[].id: string (uuid), required
Example: "e7b8f8e1-9ad5-432d-a858-499d9f279647"
curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes/bulk' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "e7b8f8e1-9ad5-432d-a858-499d9f279647"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required
Example: 1
errorCount: integer, required
Example: 1
successes: array of objects (ScopeGroupScopeIdsV1beta1), required
successes[].id: string (uuid), required
Example: "e7b8f8e1-9ad5-432d-a858-499d9f279647"
errors: array of objects (ScopeGroupScopeIdsErrorsV1beta1), required
errors[].id: string (uuid), UUID, read-only, required
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId: string, DebugId, required
errors[].errorDetails: array of objects (RetryData)

Additional detailed information about the error

Response
application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }