
HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/authorization/public/openapi/authz-v1beta1/external-authz-v2-config/

Role Assignments

Role assignments are composed of three pieces (principal, role, and scope). Role assignments associate a user, group, or service (principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources) to grant them access and specify their responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.


Scope Groups

A scope group is composed of scopes and allows a single role assignment against multiple scopes.

Known limitations

  • There is a max limit of 500 scopes per Scope Group.
  • There is a max limit of 500 Scope Groups per workspace.

Operations

Create a scope group

Request

A scope group is a collection of scopes that can be assigned to a role assignment. This allows a single role assignment to cover multiple scopes.

Note:

  • A scope group cannot contain another scope group (no nesting). Once created, a scope group will belong to an organization/workspace based on the caller context. The returned grn attribute will include this context and can be used as a globally unique identifier.

Security: bearerAuth
Body: application/json (required)
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "sg1"
  }'

Responses

Created

Headers
Location: string

URL to the newly created resource.

Body: application/json
id: string (uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
generation: integer (int64) (Generation), read-only
createdAt: string (date-time) (CreatedAt), read-only
updatedAt: string (date-time) (UpdatedAt), read-only
Response: application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/scope-group", "name": "sg1", "description": "This group gives access to resource \"host/123\"", "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78", "generation": 1, "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Retrieve all scope groups

Request

Retrieves scope groups by applying OData 4.0 filters. Use the filter parameter to provide a filter string. The in operator is supported on the name and grn attributes.
Example request:
/authorization/v1beta1/scope-groups?filter=grn in ('grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/123')

Note:
- Supported operators: only the in operator is supported.

Security: bearerAuth
Query
limit: integer, <= 30

Total number of results to be returned. If the parameter is not provided, it will return all records found.

Default: 0
offset: integer

Zero-based resource offset to start the response from.

Default: 0
filter: string

OData-style filter for filtering scope groups. Supports the in operator on the name or grn attributes.

Example: filter=grn in ('grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/123')
sort: string

Sorts results by a single attribute and allows setting the sorting direction to ascending (asc) or descending (desc). Sorting is valid only for the name attribute. If the direction is omitted, the default is ascending.

Example: sort=name desc
curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'
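
The name rules given under "Create a scope group" and the filter parameter described here both carry caller-supplied strings into the request, so a client should validate and quote them before building the URL. The following is an added example, not code from HPE or from this page; the function names are hypothetical, and it assumes that "most ASCII chars" means printable ASCII and that the in operator takes a comma-separated list of quoted values as in standard OData syntax.

```python
from urllib.parse import urlencode

FILTERABLE = {"name", "grn"}       # only attributes the page lists for filter
FORBIDDEN_NAME_CHARS = "&<>|:,"    # characters the page excludes from names
MAX_NAME_LEN = 150
MAX_LIMIT = 30


def validate_name(name):
    """Apply the documented name rules before the value leaves the client."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("name must be 1 to 150 characters")
    if name[0] == " " or name[-1] == " ":
        raise ValueError("name has a leading or trailing space")
    # Assumption: "most ASCII chars" means printable ASCII only.
    if not (name.isascii() and name.isprintable()):
        raise ValueError("name must be printable ASCII")
    bad = sorted(set(name) & set(FORBIDDEN_NAME_CHARS))
    if bad:
        raise ValueError("name contains forbidden characters: " + " ".join(bad))
    return name


def odata_string(value):
    """Quote a value as an OData string literal; embedded ' is doubled."""
    return "'" + value.replace("'", "''") + "'"


def scope_group_query(attribute, values, limit=MAX_LIMIT, offset=0):
    """Build the path and query string for a filtered scope group listing."""
    if attribute not in FILTERABLE:
        raise ValueError("filter supports only name or grn")
    if not values:
        raise ValueError("at least one value is required")
    if not 0 <= limit <= MAX_LIMIT or offset < 0:
        raise ValueError("limit must be 0..30 and offset non-negative")
    if attribute == "name":
        values = [validate_name(v) for v in values]
    literals = ",".join(odata_string(v) for v in values)
    query = {"filter": f"{attribute} in ({literals})",
             "limit": limit, "offset": offset}
    return "/authorization/v1beta1/scope-groups?" + urlencode(query)


if __name__ == "__main__":
    print(scope_group_query("name", ["sg1", "o'brien sg"]))
```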

Responses

OK

Body: application/json
items: Array of objects (ScopeGroupV1beta1), required
items[].id: string (uuid) (UUID), read-only, required
items[].type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
items[].name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
items[].description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
items[].grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
items[].generation: integer (int64) (Generation), read-only
items[].createdAt: string (date-time) (CreatedAt), read-only
items[].updatedAt: string (date-time) (UpdatedAt), read-only
offset: integer (Offset), required
count: integer (Count), required
total: integer (Total), required
Response: application/json
{ "items": [ {} ], "count": 1, "total": 1, "offset": 0 }

Retrieve a scope group instance by ID

Request

Security: bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
id: string (uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
generation: integer (int64) (Generation), read-only
createdAt: string (date-time) (CreatedAt), read-only
updatedAt: string (date-time) (UpdatedAt), read-only
Response: application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/scope-group", "name": "sg1", "description": "This group gives access to resource \"host/123\"", "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78", "generation": 1, "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Update a scope group instance by ID

Request

The request body must contain both the 'id' and 'name' attributes even though they are immutable.

Security: bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json (required)
id: string (uuid), required

The unique identifier. Immutable.

name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "name": "sg1"
  }'

Responses

OK

Body: application/json
id: string (uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (the organization or the organization and the workspace). Most ASCII chars are allowed, except [&, <, >, |, :, ,] and leading or trailing space. Immutable.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78"
generation: integer (int64) (Generation), read-only
createdAt: string (date-time) (CreatedAt), read-only
updatedAt: string (date-time) (UpdatedAt), read-only
Response: application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/scope-group", "name": "sg1", "description": "This group gives access to resource \"host/123\"", "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/05f0523c-fd03-47fc-981b-9c4333a37b78", "generation": 1, "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Delete a scope group instance by ID

Request

Security: bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No Content

Response
No content

Retrieve the scope group scope list

Request

The scope list is sorted by description and GRN alphabetically by default.

Security: bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Query
limit: integer, <= 200

Total number of results to be returned. If the parameter is not provided, it will return all records found.

Default: 0
offset: integer

Zero-based resource offset to start the response from.

Default: 0
curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items: Array of objects (ScopeGroupScopesGetV1beta1), required
items[].id: string (uuid) (UUID), read-only, required
items[].type: string, read-only, required

The type of the resource.

Value: "authorization/scope-group/scope"
Example: "authorization/scope-group/scope"
items[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123"
items[].description: string, required
Example: "host 123"
items[].region: string, read-only
Example: "us-east-2"
items[].allScopes: boolean, read-only
Example: false
items[].resourceTypeDisplayName: string, read-only
Example: "Hosts"
offset: integer (Offset), required
count: integer (Count), required
total: integer (Total), required
Response: application/json
{ "items": [ {} ], "count": 1, "total": 1, "offset": 0 }

Add items to the scope group scope list

Request

This operation is synchronous and non-atomic.

Security: bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json (required)
items: Array of objects (ScopeGroupScopesV1beta1), <= 500 items, required
items[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123"
items[].description: string, required
Example: "host 123"
curl -i -X POST \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes/batch' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123",
        "description": "host 123"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required
Example: 1
errorCount: integer, required
Example: 1
successes: Array of objects (ScopeGroupScopeIdsAddV1beta1), required
successes[].id: string (uuid) (UUID), read-only, required
successes[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east/providers/bmaas/host/123"
errors: Array of objects (ScopeGroupScopeAddErrorsV1beta1), required
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request."
errors[].debugId: string (DebugId), required
errors[].errorDetails: Array of objects (RetryData)

Additional detailed information about the error

Response: application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }
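
Because the add operation is non-atomic, a 200 response can leave the scope group with only part of the intended scope list, and the error objects documented above carry no grn field, so the scopes that were not added have to be derived from the request. The following is an added example, not code from HPE or from this page; the function names and the sample request and response are constructed for illustration.

```python
MAX_BATCH = 500  # documented cap: items per request and scopes per scope group


def chunk_scopes(items, size=MAX_BATCH):
    """Yield request bodies that each stay within the 500-item cap."""
    for start in range(0, len(items), size):
        yield {"items": items[start:start + size]}


def reconcile(requested, response):
    """Compare one batch request with the response body returned for it.

    The documented error objects carry no grn, so scopes that were not
    added are derived as requested GRNs minus the GRNs under successes.
    """
    wanted = [item["grn"] for item in requested]
    successes = response.get("successes", [])
    errors = response.get("errors", [])
    added = {entry["grn"] for entry in successes}
    missing = [grn for grn in wanted if grn not in added]
    # Sanity check (assumption): the counters match the arrays they summarize.
    counts_ok = (response.get("successCount") == len(successes)
                 and response.get("errorCount") == len(errors))
    return {
        "complete": not missing and counts_ok,
        "missing": missing,
        "unexpected": sorted(added - set(wanted)),
        "counts_ok": counts_ok,
        "debug_ids": [err.get("debugId") for err in errors],
    }


# Constructed sample data, modeled on the example values shown on this page.
HOST = ("grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60"
        "/regions/us-east/providers/bmaas/host/")
SAMPLE_REQUEST = [{"grn": HOST + n, "description": "host " + n}
                  for n in ("123", "124")]
SAMPLE_RESPONSE = {
    "successCount": 1,
    "errorCount": 1,
    "successes": [{"id": "e7b8f8e1-9ad5-432d-a858-499d9f279647",
                   "grn": HOST + "123"}],
    "errors": [{"httpStatusCode": 500,
                "errorCode": "HPE_GL_ERROR_INTERNAL_SERVER_ERROR",
                "message": "constructed error", "debugId": "debug-0001"}],
}

if __name__ == "__main__":
    print(reconcile(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

A caller that treats any 200 response as success would record access as granted for host/124 here when it was not; the missing list is what to retry or alert on.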

Delete items from the scope group scope list

Request

The ID of the scope to be deleted can be found in the response body of GET /authorization/v1beta1/scope-groups/{id}/scopes/batch. This operation is synchronous and atomic.

Security: bearerAuth
Path
id: string (uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json (required)
items: Array of objects (ScopeGroupScopeIdsV1beta1), <= 500 items, required
items[].id: string (uuid), required
Example: "e7b8f8e1-9ad5-432d-a858-499d9f279647"
curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes/bulk' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "e7b8f8e1-9ad5-432d-a858-499d9f279647"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required
Example: 1
errorCount: integer, required
Example: 1
successes: Array of objects (ScopeGroupScopeIdsV1beta1), required
successes[].id: string (uuid), required
Example: "e7b8f8e1-9ad5-432d-a858-499d9f279647"
errors: Array of objects (ScopeGroupScopeIdsErrorsV1beta1), required
errors[].id: string (uuid) (UUID), read-only, required
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId: string (DebugId), required
errors[].errorDetails: Array of objects (RetryData)

Additional detailed information about the error

Response: application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }