
HPE GreenLake for Authorization API (1.0.0-beta)

The HPE GreenLake for Authorization API provides a unified way to manage the authorization function for HPE GreenLake cloud.

Servers

https://global.api.greenlake.hpe.com/

Mock server

https://developer.greenlake.hpe.com/_mock/docs/greenlake/services/iam/authorization/authz-v2/external/openapi/authz-v2alpha2/external-authz-v2-config/

Roles

Roles are created in a Workspace, typically by an IAM administrator. They may be created by a Resource Provider (RP) if the RP has been granted the required privileges in the Workspace.

Requirements

  • Roles must include at least one inline permission. The create-role body carries only a name and description; permissions are attached afterwards with POST /authorization/v1beta1/roles/{id}/permissions/batch, so a freshly created role grants nothing until that call succeeds.

Known limitations

  • There is a max limit of 100 Roles per workspace (in addition to the global predefined roles).

Operations

Create a role

Request

Security
bearerAuth
Body: application/json (required)
name  string, <= 100 characters, required

Friendly name for user interface. Allowed character set is [a-z A-Z 0-9 -(dash) (space)].

Example: "Storage Limited Admin"
description  string, <= 256 characters
Example: "Storage Limited Admin"
curl -i -X POST \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/roles \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Storage Limited Admin"
  }'

Responses

Created

Headers
Location  string

URL to the newly created resource.

Body: application/json
id  string (uuid), read-only, required
type  string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
name  string, <= 100 characters, required

Friendly name for user interface. Allowed character set is [a-z A-Z 0-9 -(dash) (space)].

Example: "Storage Limited Admin"
generation  integer (int64), read-only, required
grn  string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
createdAt  string (date-time), read-only, required
updatedAt  string (date-time), read-only, required
slug  string, read-only

Defined only for PREDEFINED roles.

Example: ""
description  string, <= 256 characters
Example: "Storage Limited Admin"
releaseStage  string, read-only

Empty string for CUSTOM roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
kind  string (CustomKindV1beta1), read-only
Value: "CUSTOM"
Response
application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/role", "slug": "", "name": "Storage Limited Admin", "description": "Storage Limited Admin", "releaseStage": "", "kind": "CUSTOM", "generation": 1, "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002", "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Retrieve all roles

Request

Retrieves roles by applying OData 4.0 filters. Use the filter parameter to provide a filter string. Supports the in operator on the kind and grn attributes.
Example Request:
/authorization/v1beta1/roles?filter=kind in ('PREDEFINED')

Note:
- No duplicate attributes in OData filter: Each attribute (kind, grn) can only appear once in the OData filter expression. Multiple occurrences will result in a 400 Bad Request error.
- Supported operators: Only in operator is supported.

Security
bearerAuth
Query
filter  string

OData style filter for filtering roles. Supports the in operator on the kind and grn attributes. String literals are single-quoted, as in the example.

Example: filter=kind in ('PREDEFINED')
sort  string

Sort results by a single attribute; the direction may be given as ascending (asc). Sorting is valid only for the slug and name attributes. If omitted, the default sorting direction is ascending and the default sorting attribute is name.

Example: sort=name asc
limit  integer, <= 200

Number of results to return

Default: 100
offset  integer

Zero-based resource offset to start the response from

Default: 0
curl -i -X GET \
  https://global.api.greenlake.hpe.com/authorization/v1beta1/roles \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items  Array of objects (RoleGetV1beta1), <= 200 items, required
items[].id  string (uuid), read-only, required
items[].source  string, read-only, required

Source of the role.

Enum: "LOCAL", "EXTERNAL"
Example: "LOCAL"
items[].type  string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
items[].name  string, <= 100 characters, required

Friendly name for user interface. Allowed character set is [a-z A-Z 0-9 -(dash) (space)].

Example: "Storage Limited Admin"
items[].kind  string (KindV1beta1), required
Enum: "CUSTOM", "PREDEFINED"
items[].generation  integer (int64), read-only, required
items[].grn  string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
items[].createdAt  string (date-time), read-only, required
items[].updatedAt  string (date-time), read-only, required
items[].slug  string, <= 64 characters

Empty for CUSTOM roles. Unique name for PREDEFINED roles; the pattern is the provider name followed by the actual name (i.e. <providerName>.<name>).

Example: ""
items[].description  string, <= 256 characters
Example: "Storage Limited Admin"
items[].releaseStage  string, read-only

Defined only for PREDEFINED roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
count  integer, required
total  integer, required
offset  integer, required
Response
application/json
{ "items": [ { "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "source": "LOCAL", "type": "authorization/role", "slug": "", "name": "Storage Limited Admin", "description": "Storage Limited Admin", "releaseStage": "", "kind": "CUSTOM", "generation": 1, "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002", "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" } ], "count": 1, "total": 1, "offset": 0 }
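The filter and pagination rules above are easy to violate by hand: a repeated attribute earns a 400, OData string literals are single-quoted, and limit caps at 200. The following added example (not HPE's code and not part of this page) builds the filter string from those rules, escaping values instead of splicing them in raw, and walks offset/limit pages until total is reached. The fetch function is injected; fake_fetch and its three roles are constructed sample data so the block runs offline, and joining two clauses with and is an assumption, since the page only says each attribute may appear once.

```python
"""Build the OData filter the roles endpoint accepts and page through the results.
Added example; `fetch` is injected so the walk can run against constructed data."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

ROLES_URL = "https://global.api.greenlake.hpe.com/authorization/v1beta1/roles"
FILTERABLE = {"kind", "grn"}   # page: only these attributes support the 'in' operator
MAX_LIMIT = 200                # page: limit <= 200, default 100


def odata_in(attr, values):
    """Render attr in ('a', 'b'). OData string literals are single-quoted and an
    embedded single quote is escaped by doubling it, so a caller-supplied grn or
    kind value is never spliced into the expression raw."""
    if attr not in FILTERABLE:
        raise ValueError(f"{attr!r} is not filterable; only {sorted(FILTERABLE)} support 'in'")
    if not values:
        raise ValueError("'in' needs at least one value")
    literals = ", ".join("'" + str(v).replace("'", "''") + "'" for v in values)
    return f"{attr} in ({literals})"


def build_filter(clauses):
    """clauses: [(attr, values), ...]. A repeated attribute is rejected here because the
    service answers 400 Bad Request for it. Clauses are joined with 'and' (assumption:
    the page says only that each attribute may appear once)."""
    seen, parts = set(), []
    for attr, values in clauses:
        if attr in seen:
            raise ValueError(f"attribute {attr!r} appears more than once in the filter")
        seen.add(attr)
        parts.append(odata_in(attr, values))
    return " and ".join(parts)


def list_roles(fetch, token, filter_expr=None, limit=MAX_LIMIT):
    """Walk offset/limit pages until offset reaches total. fetch(url, headers) returns
    the decoded JSON body of GET /authorization/v1beta1/roles."""
    limit = max(1, min(limit, MAX_LIMIT))
    items, offset = [], 0
    while True:
        query = {"limit": limit, "offset": offset}
        if filter_expr:
            query["filter"] = filter_expr
        page = fetch(f"{ROLES_URL}?{urlencode(query)}", {"Authorization": f"Bearer {token}"})
        items.extend(page["items"])
        offset += page["count"]
        if page["count"] == 0 or offset >= page["total"]:
            return items


# Constructed sample data standing in for the service; not real roles from any workspace.
SAMPLE_ROLES = [
    {"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "name": "Storage Limited Admin",
     "kind": "CUSTOM", "slug": "", "source": "LOCAL"},
    {"id": "11111111-1111-4111-8111-111111111111", "name": "Compute Viewer",
     "kind": "PREDEFINED", "slug": "compute.viewer", "source": "LOCAL"},
    {"id": "22222222-2222-4222-8222-222222222222", "name": "Compute Editor",
     "kind": "PREDEFINED", "slug": "compute.editor", "source": "LOCAL"},
]


def fake_fetch(url, headers):
    """Offline stand-in: honours limit/offset and a single kind clause, nothing more."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    q = parse_qs(urlparse(url).query)
    rows = SAMPLE_ROLES
    m = re.fullmatch(r"kind in \(([^)]*)\)", q.get("filter", [""])[0])
    if m:
        kinds = {s.strip().strip("'") for s in m.group(1).split(",")}
        rows = [r for r in rows if r["kind"] in kinds]
    limit = int(q.get("limit", ["100"])[0])
    offset = int(q.get("offset", ["0"])[0])
    page = rows[offset:offset + limit]
    return {"items": page, "count": len(page), "total": len(rows), "offset": offset}


if __name__ == "__main__":
    predefined = build_filter([("kind", ["PREDEFINED"])])
    for role in list_roles(fake_fetch, "<YOUR_JWT_HERE>", predefined, limit=2):
        print(role["slug"], role["name"])
```

To run against the real endpoint, replace fake_fetch with a function that issues the GET with the bearer token and returns the decoded body; the walk stops on an empty page as well as on reaching total, so a workspace that shrinks mid-walk cannot loop forever.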

Get a role instance by ID

Request

Security
bearerAuth
Path
id  string (uuid), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
id  string (uuid), read-only, required
source  string, read-only, required

Source of the role.

Enum: "LOCAL", "EXTERNAL"
Example: "LOCAL"
type  string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
name  string, <= 100 characters, required

Friendly name for user interface. Allowed character set is [a-z A-Z 0-9 -(dash) (space)].

Example: "Storage Limited Admin"
kind  string (KindV1beta1), required
Enum: "CUSTOM", "PREDEFINED"
generation  integer (int64), read-only, required
grn  string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
createdAt  string (date-time), read-only, required
updatedAt  string (date-time), read-only, required
slug  string, <= 64 characters

Empty for CUSTOM roles. Unique name for PREDEFINED roles; the pattern is the provider name followed by the actual name (i.e. <providerName>.<name>).

Example: ""
description  string, <= 256 characters
Example: "Storage Limited Admin"
releaseStage  string, read-only

Defined only for PREDEFINED roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
Response
application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "source": "LOCAL", "type": "authorization/role", "slug": "", "name": "Storage Limited Admin", "description": "Storage Limited Admin", "releaseStage": "", "kind": "CUSTOM", "generation": 1, "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002", "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Update a role instance by ID

Request

Security
bearerAuth
Path
id  string (uuid), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Body: application/json (required)
id  string (uuid), required

Immutable

name  string, <= 100 characters, required

Friendly name for user interface. Allowed character set is [a-z A-Z 0-9 -(dash) (space)].

Example: "Storage Limited Admin"
description  string, <= 256 characters
Example: "Storage Limited Admin"
curl -i -X PUT \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "name": "Storage Limited Admin"
  }'

Responses

OK

Body: application/json
id  string (uuid), required

Immutable

type  string, read-only, required
Value: "authorization/role"
Example: "authorization/role"
name  string, <= 100 characters, required

Friendly name for user interface. Allowed character set is [a-z A-Z 0-9 -(dash) (space)].

Example: "Storage Limited Admin"
generation  integer (int64), read-only, required
grn  string, read-only, required
Example: "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002"
createdAt  string (date-time), read-only, required
updatedAt  string (date-time), read-only, required
slug  string, read-only

Defined only for PREDEFINED roles.

Example: ""
description  string, <= 256 characters
Example: "Storage Limited Admin"
releaseStage  string, read-only

Empty string for CUSTOM roles.

Enum: "ALPHA", "BETA", "STABLE"
Example: ""
kind  string (CustomKindV1beta1), read-only
Value: "CUSTOM"
Response
application/json
{ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "type": "authorization/role", "slug": "", "name": "Storage Limited Admin", "description": "Storage Limited Admin", "releaseStage": "", "kind": "CUSTOM", "generation": 1, "grn": "grn:glp/workspaces/428466023dbe11eeb7837e8589f701ca/regions/default/providers/authorization/custom-roles/123e4567-e89b-12d3-a456-426614174002", "createdAt": "2023-04-06T22:45:59.759943+00:00", "updatedAt": "2023-04-06T22:45:59.759943+00:00" }

Delete a role instance by ID

Request

Security
bearerAuth
Path
id  string (uuid), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

No Content

Response
No content

Retrieve the role permission list

Request

The permission list is sorted by permission slug string alphabetically by default.

Security
bearerAuth
Path
id  string (uuid), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Query
limit  integer, <= 200

Number of results to return. If the parameter is not provided, all records found are returned.

Default: 0
offset  integer

Zero-based resource offset to start the response from

Default: 0
sort  string

Sort results by a single attribute; the direction may be given as ascending (asc) or descending (desc). Sorting is valid only for the id attribute (the permission slug string). If omitted, the default sorting direction is ascending.

Example: sort=id desc
curl -i -X GET \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}/permissions' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

OK

Body: application/json
items  Array of objects (RolePermissionsGetV1beta1), required
items[].id  string, required

The permission slug string

Example: "compute.server.edit"
items[].type  string, read-only, required
Value: "authorization/permission"
Example: "authorization/permission"
offset  integer, required
count  integer, required
total  integer, required
Response
application/json
{ "items": [ { "id": "compute.server.edit", "type": "authorization/permission" } ], "count": 1, "total": 1, "offset": 0 }

Add items to the role permission list. This operation is synchronous and non-atomic.

Request

Note: For assistance finding the permission identifiers, see the developer guide.

Security
bearerAuth
Path
id  string (uuid), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Body: application/json (required)
items  Array of objects (RolePermissionsV1beta1), <= 1000 items, required
items[].id  string, required

The permission slug string

Example: "compute.server.edit"
curl -i -X POST \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}/permissions/batch' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "compute.server.edit"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount  integer, required
Example: 1
errorCount  integer, required
Example: 1
successes  Array of objects (RolePermissionsIdsAddV1beta1), required
successes[].id  string, required

The permission slug string

Example: "compute.server.edit"
errors  Array of objects (RolePermissionsAddErrorsV1beta1), required
errors[].httpStatusCode  integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode  string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message  string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId  string, required
errors[].errorDetails  Array of objects (RetryData)

Additional detailed information about the error

Because the operation is non-atomic and an add error carries no permission id (unlike the delete response below), the permissions that did not land are those requested but absent from successes; check errorCount rather than assuming the role now holds everything that was sent.
Response
application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }
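Creating a role and attaching its permissions are two calls, and the batch add is non-atomic, so a client has to work out which permissions actually landed. The following added example (not HPE's code and not part of this page) strings the create-role and permissions-batch operations together: it checks the name against the character set and length limits documented above, reads the id from the 201 body and the Location header, sends one batch, and reconciles the response by set difference because the add-error objects carry no id field. The transport is injected: http_send is a urllib client for the real API, fake_send is a constructed offline stand-in that returns the page's response shapes; the permission slugs it treats as known, the unknown slug in the demo and its debugId value are made up.

```python
"""Create a custom role, attach permissions in one batch, reconcile the result.
Added example; the transport (send) is injected so the block can run offline."""
import json
import re
from urllib.request import Request, urlopen

BASE = "https://global.api.greenlake.hpe.com/authorization/v1beta1"
NAME_RE = re.compile(r"[A-Za-z0-9 -]{1,100}")  # page: <= 100 chars of [a-z A-Z 0-9 -(dash) (space)]
BATCH_MAX = 1000                               # page: items <= 1000 per batch


def role_create_request(name, description=None):
    """Validate against the documented limits before sending; returns (method, url, body)."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"role name {name!r} violates the allowed character set or length")
    if description is not None and len(description) > 256:
        raise ValueError("description exceeds 256 characters")
    body = {"name": name}
    if description:
        body["description"] = description
    return "POST", f"{BASE}/roles", body


def permissions_batch_request(role_id, slugs):
    """POST .../roles/{id}/permissions/batch; one request carries at most 1000 items."""
    if not slugs or len(slugs) > BATCH_MAX:
        raise ValueError(f"batch must hold 1..{BATCH_MAX} permission slugs")
    return "POST", f"{BASE}/roles/{role_id}/permissions/batch", {"items": [{"id": s} for s in slugs]}


def reconcile_batch(requested, response):
    """The batch add is non-atomic and its error objects carry no permission id, so the
    slugs that did not land are requested minus successes. The counts are cross-checked
    against the lists instead of being trusted on their own."""
    applied = [s["id"] for s in response["successes"]]
    unexpected = [a for a in applied if a not in requested]
    if unexpected:
        raise RuntimeError(f"service reported slugs that were never requested: {unexpected}")
    if response["successCount"] != len(applied) or response["errorCount"] != len(response["errors"]):
        raise RuntimeError("successCount/errorCount disagree with the lists; refusing to trust the result")
    missing = [s for s in requested if s not in applied]
    return {"applied": applied, "missing": missing, "errors": response["errors"]}


def provision_role(send, token, name, slugs, description=None):
    """Create the role, then attach permissions. Returns what actually landed; a non-empty
    'missing' list means the role is narrower than intended and the caller must retry
    those slugs or delete the role rather than hand it out."""
    method, url, body = role_create_request(name, description)
    status, headers, created = send(method, url, token, body)
    if status != 201:
        raise RuntimeError(f"create role failed: HTTP {status}")
    role_id = created["id"]
    method, url, body = permissions_batch_request(role_id, slugs)
    status, _, result = send(method, url, token, body)
    if status != 200:
        raise RuntimeError(f"permissions batch failed: HTTP {status}")
    return {"id": role_id, "location": headers.get("Location"), **reconcile_batch(slugs, result)}


def http_send(method, url, token, body=None):
    """Real transport: JSON over HTTPS with the bearer token; returns (status, headers, json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method,
                  headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urlopen(req) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)


# Constructed offline stand-in mimicking the page's response shapes; not the service.
KNOWN_SLUGS = {"compute.server.edit", "compute.server.read"}   # assumed to exist
FAKE_ROLE_ID = "497f6eca-6276-4993-bfeb-53cbbbba6f08"


def fake_send(method, url, token, body=None):
    if (method, url) == ("POST", f"{BASE}/roles"):
        created = {"id": FAKE_ROLE_ID, "type": "authorization/role", "kind": "CUSTOM",
                   "name": body["name"], "generation": 1}
        return 201, {"Location": f"{BASE}/roles/{FAKE_ROLE_ID}"}, created
    if method == "POST" and url == f"{BASE}/roles/{FAKE_ROLE_ID}/permissions/batch":
        ok = [i for i in body["items"] if i["id"] in KNOWN_SLUGS]
        bad = [i for i in body["items"] if i["id"] not in KNOWN_SLUGS]
        errors = [{"httpStatusCode": 500, "errorCode": "HPE_GL_ERROR_INTERNAL_SERVER_ERROR",
                   "message": "The server encountered an unexpected condition which prevented it from fulfilling the request",
                   "debugId": "constructed-debug-id"} for _ in bad]   # no per-item id, as on the page
        return 200, {}, {"successCount": len(ok), "errorCount": len(bad), "successes": ok, "errors": errors}
    return 404, {}, None


if __name__ == "__main__":
    outcome = provision_role(fake_send, "<YOUR_JWT_HERE>", "Storage Limited Admin",
                             ["compute.server.edit", "constructed.unknown.permission", "compute.server.read"])
    print(json.dumps(outcome, indent=2))
```

Pass http_send instead of fake_send to run against the live endpoint. The reconciliation deliberately errs toward the narrower role: a partially applied batch leaves the role with fewer permissions than requested, which is the safe failure, and the missing list tells the operator exactly what to retry.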

Delete items from the role permission list. This operation is synchronous and atomic.

Request

The ID of the permission to be deleted can be found in the response body of GET /authorization/v1beta1/roles/{id}/permissions.

Security
bearerAuth
Path
id  string (uuid), read-only, required

The role instance identifier. The ID can be found in the response body of POST /authorization/v1beta1/roles.

Body: application/json (required)
items  Array of objects (RolePermissionsIdsV1beta1), <= 1000 items, required
items[].id  string, required

The permission slug string

Example: "compute.server.edit"
curl -i -X DELETE \
  'https://global.api.greenlake.hpe.com/authorization/v1beta1/roles/{id}/permissions/bulk' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "items": [
      {
        "id": "compute.server.edit"
      }
    ]
  }'

Responses

OK

Body: application/json
successCount  integer, required
Example: 1
errorCount  integer, required
Example: 1
successes  Array of objects (RolePermissionsIdsV1beta1), required
successes[].id  string, required

The permission slug string

Example: "compute.server.edit"
errors  Array of objects (RolePermissionsIdsErrorsV1beta1), required
errors[].id  string, required

The permission slug that caused the error

Example: "compute.server.read"
errors[].httpStatusCode  integer, required

The HTTP equivalent status code

Example: 500
errors[].errorCode  string, required

A unique machine-friendly identifier for the error from a global list of enumerated identifier strings.

Example: "HPE_GL_ERROR_INTERNAL_SERVER_ERROR"
errors[].message  string, required

A user-friendly error message

Example: "The server encountered an unexpected condition which prevented it from fulfilling the request"
errors[].debugId  string, required
errors[].errorDetails  Array of objects (RetryData)

Additional detailed information about the error

Response
application/json
{ "successCount": 1, "errorCount": 1, "successes": [ {} ], "errors": [ {} ] }

Role Assignments

Role assignments are composed of three pieces (principal, role, and scope). Role assignments associate a user, group, or service (principal) with a specific role (along with its permissions) at a particular scope (a resource or group of resources) to grant them access and specify their responsibilities within HPE GreenLake.

Note: There is a maximum limit of 50 role assignments per user per workspace.

Operations

Scope Groups

A Scope Group is composed of scopes and allows a single Role Assignment to cover multiple scopes.

Known limitations

  • There is a max limit of 500 scopes per Scope Group.
  • There is a max limit of 500 Scope Groups per workspace.

Operations