HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/authorization/public/openapi/authz-v1beta1/external-authz-v2-config/

Role Assignments

Role assignments are composed of three pieces (principal, role, and scope). Role assignments associate a user, group, or service (principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources) to grant them access and specify their responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.

Note: Users can manage roles and retrieve a role identifier (ID / GRN) using the Web Interface. Once the role ID / GRN is retrieved then a role assignment can be created using the API described below.

Operations

Scope Groups

A scope group is composed of scopes and allows a single role assignment against multiple scopes.

Known limitations

  • There is a max limit of 500 scopes per scope group.
  • There is a max limit of 500 scope groups per workspace.

Operations

Create a scope group

Request

A scope group is a collection of scopes that can be assigned to a role assignment. This allows a single role assignment to cover multiple scopes.

Note:

  • A scope group cannot contain another scope group (no nesting). Once created, a scope group will belong to an organization/workspace based on the caller context. The returned grn attribute will include this context and can be used as a globally unique identifier.

Security
bearerAuth
Body: application/json, required
name: string, <= 150 characters, required

Must be unique within the context it is being created (organization or organization + workspace). Most ASCII characters are allowed, except [&, <, >, |, :, ,] and leading or trailing space.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "sg1"
  }'

Responses

Created

Headers
Location: string

URL to the newly created resource.

Body: application/json
id: string(uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (organization or organization + workspace). Most ASCII characters are allowed, except [&, <, >, |, :, ,] and leading or trailing space.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08"
serviceMetadata: object (ServiceMetadata), read-only
generation: integer(int64) (Generation), read-only
createdAt: string(date-time) (CreatedAt), read-only
updatedAt: string(date-time) (UpdatedAt), read-only
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/scope-group",
  "name": "sg1",
  "description": "This group gives access to resource \"host/123\"",
  "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "serviceMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "/service-catalog/service-offer"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Retrieve all scope groups

Request

Retrieves scope groups by applying OData 4.0 filters. Use the filter parameter to provide a filter string. Supports the in operator on the serviceMetadata/id, name, or grn attributes.
Example Request:
/authorization/v1beta1/scope-groups?filter=grn in ('grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/123')

Note:
- No duplicate attributes in OData filter: Each attribute (serviceMetadata/id, name, grn) can only appear once in the OData filter expression. Multiple occurrences will result in a 400 Bad Request error.
- Only one attribute in OData filter: Only one attribute (serviceMetadata/id, name or grn) can be used at a time, otherwise it will result in a 400 Bad Request error.
- Supported operators: Only the in operator is supported.

Security
bearerAuth
Query
limit: integer, <= 200

Total number of results to be returned. If the parameter is not provided, it will return all records found.

Default 0
offset: integer

Zero-based resource offset to start the response from.

Default 0
filter: string

OData style filter for filtering scope groups. Supports the in operator on the serviceMetadata/id, name, or grn attributes.

Example: filter=grn in ('grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/default/providers/authorization/scope-groups/123')
sort: string

Sort results by a single attribute and allow setting a sorting direction as ascending (asc) or descending (desc). Sorting is valid only for name attribute. Default sorting direction if omitted is ascending.

Example: sort=name desc
curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'
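
The filter rules above (one attribute per expression, in as the only operator, limit capped at 200, sorting on name only) can be enforced on the client before the request is sent. The following is an added example, not HPE code: the function names are hypothetical, and it assumes the service follows the standard OData 4.0 rule that a single quote inside a string literal is written as two single quotes.

```python
from urllib.parse import quote, urlencode

BASE_PATH = "/authorization/v1beta1/scope-groups"
FILTERABLE = ("serviceMetadata/id", "name", "grn")  # attributes the page lists
SORTS = ("name", "name asc", "name desc")           # sorting is valid only for name
MAX_LIMIT = 200                                     # documented cap for this endpoint


def odata_literal(value):
    """Quote one value as an OData string literal, doubling embedded quotes."""
    if not isinstance(value, str) or any(ord(c) < 0x20 for c in value):
        raise ValueError("filter values must be strings without control characters")
    return "'" + value.replace("'", "''") + "'"


def build_filter(attribute, values):
    """Build `<attribute> in (...)`: one attribute, `in` only, as the page requires."""
    if attribute not in FILTERABLE:
        raise ValueError(f"unsupported filter attribute: {attribute!r}")
    if not values:
        raise ValueError("at least one value is required")
    return f"{attribute} in ({', '.join(odata_literal(v) for v in values)})"


def list_url(attribute, values, limit=None, offset=0, sort=None):
    """Return the request path and query string for GET /scope-groups."""
    params = {"filter": build_filter(attribute, values)}
    if limit is not None:
        # Lower bound of 1 is this example's choice; the page only states <= 200.
        if not 1 <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
        params["limit"] = limit
    if offset < 0:
        raise ValueError("offset is zero-based and cannot be negative")
    params["offset"] = offset
    if sort is not None:
        if sort not in SORTS:
            raise ValueError("sort supports only: name [asc|desc]")
        params["sort"] = sort
    # quote_via=quote percent-encodes spaces, quotes and parentheses.
    return BASE_PATH + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    # Constructed values; the second contains a quote that must stay inside the literal.
    print(build_filter("name", ["sg1", "ops' group"]))
    print(list_url("name", ["sg1"], limit=50, sort="name desc"))
```

Passing the attribute as a single argument makes the "only one attribute" rule structural, so a caller cannot assemble an expression the service would reject with 400 Bad Request.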

Responses

OK

Body: application/json
items: Array of objects (ScopeGroupV1beta1), required
items[].id: string(uuid) (UUID), read-only, required
items[].type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
items[].name: string, <= 150 characters, required

Must be unique within the context it is being created (organization or organization + workspace). Most ASCII characters are allowed, except [&, <, >, |, :, ,] and leading or trailing space.

Example: "sg1"
items[].description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
items[].grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08"
items[].serviceMetadata: object (ServiceMetadata), read-only
items[].generation: integer(int64) (Generation), read-only
items[].createdAt: string(date-time) (CreatedAt), read-only
items[].updatedAt: string(date-time) (UpdatedAt), read-only
offset: integer (Offset), required
count: integer (Count), required
total: integer (Total), required
Response
application/json
{ "items": [ {} ], "count": 1, "total": 1, "offset": 0 }

Retrieve a scope group instance by ID

Request

Security
bearerAuth
Path
id: string(uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
id: string(uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (organization or organization + workspace). Most ASCII characters are allowed, except [&, <, >, |, :, ,] and leading or trailing space.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08"
serviceMetadata: object (ServiceMetadata), read-only
generation: integer(int64) (Generation), read-only
createdAt: string(date-time) (CreatedAt), read-only
updatedAt: string(date-time) (UpdatedAt), read-only
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/scope-group",
  "name": "sg1",
  "description": "This group gives access to resource \"host/123\"",
  "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "serviceMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "/service-catalog/service-offer"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Update a scope group instance by ID

Request

Request body must contain id attribute even though it is immutable.

Security
bearerAuth
Path
id: string(uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json, required
id: string(uuid), required

The unique identifier of the object. Immutable.

name: string, <= 150 characters, required

Must be unique within the context it is being created (organization or organization + workspace). Most ASCII characters are allowed, except [&, <, >, |, :, ,] and leading or trailing space.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "name": "sg1"
  }'

Responses

OK

Body: application/json
id: string(uuid) (UUID), read-only, required
type: string, read-only, required
Value: "authorization/scope-group"
Example: "authorization/scope-group"
name: string, <= 150 characters, required

Must be unique within the context it is being created (organization or organization + workspace). Most ASCII characters are allowed, except [&, <, >, |, :, ,] and leading or trailing space.

Example: "sg1"
description: string, <= 256 characters

A short description of the scope group.

Example: "This group gives access to resource \"host/123\""
grn: string, read-only

The HPE GreenLake Resource Notation (GRN) is the standardized, URI-compatible syntax used to define and specify this scope within HPE GreenLake.

Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08"
serviceMetadata: object (ServiceMetadata), read-only
generation: integer(int64) (Generation), read-only
createdAt: string(date-time) (CreatedAt), read-only
updatedAt: string(date-time) (UpdatedAt), read-only
Response
application/json
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "type": "authorization/scope-group",
  "name": "sg1",
  "description": "This group gives access to resource \"host/123\"",
  "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/default/providers/authorization/scope-groups/497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "serviceMetadata": {
    "id": "44f0443c-fd03-47fc-981b-9c4333a37b44",
    "type": "/service-catalog/service-offer"
  },
  "generation": 1,
  "createdAt": "2023-04-06T22:45:59.759943+00:00",
  "updatedAt": "2023-04-06T22:45:59.759943+00:00"
}

Delete a scope group instance by ID

Request

Security
bearerAuth
Path
id: string(uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No Content

Response
No content

Retrieve the scope group scopes list

Request

Retrieves a list of scopes for a specific scope group. Results are sorted by description and GRN alphabetically by default.

Security
bearerAuth
Path
id: string(uuid) (UUID), read-only, required

The scope group instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Query
limit: integer, <= 500

Total number of results to be returned. If the parameter is not provided, it will return all records found.

Default 0
offset: integer

Zero-based resource offset to start the response from

Default 0
curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items: Array of objects (ScopeGroupScopesGetV1beta1), required
items[].id: string(uuid) (UUID), read-only, required
items[].type: string, read-only, required
Value: "authorization/scope-group/scope"
Example: "authorization/scope-group/scope"
items[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east-2/providers/bmaas/host/123"
items[].description: string, required
Example: "host 123"
items[].region: string, read-only, required
Example: "us-east-2"
items[].allScopes: boolean, read-only, required
Example: false
items[].resourceTypeDisplayName: string, read-only, required
Example: "Hosts"
offset: integer (Offset), required
count: integer (Count), required
total: integer (Total), required
Response
application/json
{ "items": [ {} ], "count": 1, "total": 1, "offset": 0 }

Add scopes to a scope group

Request

Add new scopes to an existing scope group. This operation is synchronous and non-atomic.

Security
bearerAuth
Path
id: string(uuid) (UUID), read-only, required

The scope group instance identifier. ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json, required
items: Array of objects (ScopeGroupScopesV1beta1), <= 500 items, required
items[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east-2/providers/bmaas/host/123"
items[].description: string, <= 256 characters, required
Example: "host 123"
curl -i -X POST \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes/batch' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east-2/providers/bmaas/host/123",
        "description": "host 123"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required

How many items were processed successfully

Example: 1
errorCount: integer, required

How many items were not processed and resulted in errors

Example: 2
successes: Array of objects (ScopeGroupScopeIdsAddV1beta1), required
successes[].id: string(uuid) (UUID), read-only, required
successes[].type: string, required
Value: "authorization/scope-group/scope"
Example: "authorization/scope-group/scope"
successes[].grn: string, required
Example: "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60/regions/us-east-2/providers/bmaas/host/123"
successes[].description: string, required
Example: "host 123"
successes[].region: string, required
Example: "us-east-2"
successes[].allScopes: boolean, required
Example: false
successes[].resourceTypeDisplayName: string, required
Example: "Hosts"
errors: Array of objects (ScopeGroupScopeAddErrorsV1beta1), required
Example:
[
  {
    "httpStatusCode": 409,
    "errorCode": "HPE_GL_AUTHORIZATION_RESOURCE_CONFLICT",
    "message": "Scope already exists in scope group",
    "debugId": "",
    "errorDetails": [
      {
        "type": "hpe.greenlake.metadata",
        "source": "hpe.greenlake.authorization",
        "metadata": [
          {
            "description": "scope 2 description",
            "grn": "grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b70/regions/us-east-2/providers/bmaas/host/456"
          }
        ]
      }
    ]
  },
  {
    "httpStatusCode": 400,
    "errorCode": "HPE_GLERROR_BAD_REQUEST",
    "message": "field \\\"items[0].description\\\" must not be empty: field \\\"items[0].grn\\\" with value \\\"\\\" must be a GRN: missing GRN root tag",
    "debugId": "",
    "errorDetails": [
      {
        "type": "hpe.greenlake.bad_request",
        "issues": [
          {
            "source": "field",
            "subject": "items[0].description",
            "description": "field \"items[0].description\" must not be empty"
          },
          {
            "source": "field",
            "subject": "items[0].grn",
            "description": "field \"items[0].grn\" with value \"\" must be a GRN: missing GRN root tag"
          }
        ]
      }
    ]
  }
]
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

errors[].message: string, required

A user-friendly error message

errors[].debugId: string (DebugId), required
errors[].errorDetails: Array of objects (ErrorDetailScopeAdd)

Additional detailed information about the error

Response
application/json
{ "successCount": 1, "errorCount": 2, "successes": [ {} ], "errors": [ {}, {} ] }

Delete scopes from a scope group

Request

Delete scopes from an existing scope group. The scope group ID can be found in the response body of GET /authorization/v1beta1/scope-groups while the scope ID to be deleted can be found in the response body of GET /authorization/v1beta1/scope-groups/{id}/scopes. This operation is synchronous and non-atomic.

Security
bearerAuth
Path
id: string(uuid) (UUID), read-only, required

The scope group instance identifier. ID can be found in the response body of POST /authorization/v1beta1/scope-groups.

Body: application/json, required
items: Array of objects (ScopeGroupScopeIdsV1beta1), <= 500 items, required
items[].id: string(uuid), required
Example: "e7b8f8e1-9ad5-432d-a858-499d9f279647"
curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/scope-groups/{id}/scopes/bulk' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "e7b8f8e1-9ad5-432d-a858-499d9f279647"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount: integer, required

How many items were processed successfully

Example: 1
errorCount: integer, required

How many items were not processed and resulted in errors

Example: 1
successes: Array of objects (ScopeGroupScopeIdsV1beta1), required
successes[].id: string(uuid), required
Example: "e7b8f8e1-9ad5-432d-a858-499d9f279647"
errors: Array of objects (ScopeGroupScopeIdsErrorsV1beta1), required
errors[].id: string(uuid) (UUID), read-only, required
errors[].httpStatusCode: integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode: string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message: string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId: string (DebugId), required
Response
application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }
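
Both "Add scopes to a scope group" and "Delete scopes from a scope group" are non-atomic, so a response can report some items applied and others not; after a partial delete, any role assignment against the group still covers the scopes that were not removed. The following added example (not HPE code) reconciles what was requested against the response body. The function names and sample responses are constructed, and it assumes, as in the 409 example on this page, that a conflict error carries the affected GRN under errorDetails[].metadata[].grn.

```python
MAX_BATCH = 500  # documented cap on items per batch add / bulk delete body


def chunks(items, size=MAX_BATCH):
    """Split a request list so no single call exceeds the documented cap."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def reconcile_add(requested_grns, response):
    """Classify each requested GRN after POST .../scopes/batch."""
    added = {s["grn"] for s in response["successes"]}
    already = set()
    for err in response["errors"]:
        if err["httpStatusCode"] != 409:
            continue  # only a conflict means the scope is already in the group
        for detail in err.get("errorDetails", []):
            already.update(m["grn"] for m in detail.get("metadata", []))
    return {
        "added": [g for g in requested_grns if g in added],
        "already_present": [g for g in requested_grns if g in (already - added)],
        "not_applied": [g for g in requested_grns if g not in (added | already)],
    }


def reconcile_delete(requested_ids, response):
    """Map every scope ID still in the group after DELETE .../scopes/bulk to a reason."""
    removed = {s["id"] for s in response["successes"]}
    reasons = {e["id"]: e["errorCode"] for e in response["errors"]}
    return {i: reasons.get(i, "NOT_REPORTED") for i in requested_ids if i not in removed}


# Constructed sample responses, shaped like the schemas on this page.
HOST = ("grn:glp/workspaces/05f0523c-fd03-47fc-981b-9c4333a37b60"
        "/regions/us-east-2/providers/bmaas/host/")
ADD_RESPONSE = {
    "successCount": 1, "errorCount": 2,
    "successes": [{"grn": HOST + "123"}],
    "errors": [
        {"httpStatusCode": 409, "errorCode": "HPE_GL_AUTHORIZATION_RESOURCE_CONFLICT",
         "errorDetails": [{"metadata": [{"grn": HOST + "456"}]}]},
        {"httpStatusCode": 400, "errorCode": "HPE_GLERROR_BAD_REQUEST",
         "errorDetails": [{"issues": []}]},
    ],
}
KEPT_ID = "11111111-1111-4111-8111-111111111111"  # constructed scope ID
DELETE_RESPONSE = {
    "successCount": 1, "errorCount": 1,
    "successes": [{"id": "e7b8f8e1-9ad5-432d-a858-499d9f279647"}],
    "errors": [{"id": KEPT_ID, "httpStatusCode": 500,
                "errorCode": "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"}],
}

if __name__ == "__main__":
    print(reconcile_add([HOST + "123", HOST + "456", HOST + "789"], ADD_RESPONSE))
    print(reconcile_delete(["e7b8f8e1-9ad5-432d-a858-499d9f279647", KEPT_ID],
                           DELETE_RESPONSE))
```

A non-empty result from reconcile_delete means the revocation is incomplete and should be retried or escalated before the change is recorded as done.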