REST API

Identity and Access Management API documentation version v1

{schema}://{host}/api/{version}

  • schema: required(one of http, https - default: http)
  • host: required(string - default: localhost)
  • version: required(v1)

Users

Operations on users.

/users post get

post /users

Registers a new user.

Secured by IAM with actions:
  • iam:user:create

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • firstName: optional (string)

    User's first name.

  • lastName: optional (string)

    User's last name.

  • email: required(string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

    User's email (required when keycloakIDAsUsername is enabled).

  • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

    Username (required when keycloakIDAsUsername is disabled).

  • password: required(string)

    User's password.

  • confirmPassword: required(string)

    Confirmation of user's password.

  • enabled: optional (boolean)

    Whether the user is enabled or not. Default is false.

  • path: optional (string)

    User's path that will be used in KRN.

  • policyIDs: optional (array of )

    Policies that must be attached to the user.

  • groups: optional (array of )

    Groups that the user must be assigned to.

  • sendVerifyEmail: optional (boolean)

    Flag indicating whether to send a verification email to the user.

  • redirectUri: optional (string)

    Redirect URI to use after the user is verified.

Example:

{
  "firstName": "John",
  "lastName": "Foo",
  "email": "johnfoo@gmail.com",
  "enabled": true,
  "username": "foojohn",
  "password": "YesYkYKpLd6n3dVZ",
  "confirmPassword": "YesYkYKpLd6n3dVZ",
  "path": "/org1",
  "policyIDs": [
      "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ="
  ],
  "groups": [
      "a3JuOmlhbTprYWE6Omdyb3VwL0Zvbw=="
  ],
  "sendVerifyEmail": true,
  "redirectUri": "http://example.com/"
}
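A client-side pre-flight check for the `post /users` body above, added here as an example; it is not part of the original API documentation or the service's own code. It applies the documented patterns with `re.fullmatch`, because in Python `$` with `re.match` also accepts a trailing newline, and it flags the empty username that the documented `*` quantifier allows. Assumptions: the parameter names `keycloak_id_as_username` and `allowed_redirect_hosts` are hypothetical, the parenthetical notes are read as making `email` mandatory when keycloakIDAsUsername is enabled and `username` mandatory when it is disabled, and array items are strings as in the sample values.

```python
import re
from urllib.parse import urlsplit

# Patterns copied verbatim from the "post /users" body definition.
EMAIL_RE = re.compile(r"^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$")
USERNAME_RE = re.compile(r"^[a-zA-Z0-9_\-@.]*$")

# Property name -> JSON type, as listed under "Properties".
FIELD_TYPES = {
    "firstName": str, "lastName": str, "email": str, "username": str,
    "password": str, "confirmPassword": str, "enabled": bool, "path": str,
    "policyIDs": list, "groups": list, "sendVerifyEmail": bool,
    "redirectUri": str,
}

# Copy of the page's example request body, used as sample input.
SAMPLE = {
    "firstName": "John", "lastName": "Foo", "email": "johnfoo@gmail.com",
    "enabled": True, "username": "foojohn",
    "password": "YesYkYKpLd6n3dVZ", "confirmPassword": "YesYkYKpLd6n3dVZ",
    "path": "/org1",
    "policyIDs": ["a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ="],
    "groups": ["a3JuOmlhbTprYWE6Omdyb3VwL0Zvbw=="],
    "sendVerifyEmail": True, "redirectUri": "http://example.com/",
}


def validate_registration(body, keycloak_id_as_username=False,
                          allowed_redirect_hosts=("example.com",)):
    """Return a list of problems; an empty list means the body passes."""
    if not isinstance(body, dict):
        return ["body: must be a JSON object"]
    errors = []

    # Assumption: which identifier is mandatory follows the page's notes.
    required = ["password", "confirmPassword"]
    required.append("email" if keycloak_id_as_username else "username")
    for name in required:
        if name not in body:
            errors.append(f"{name}: missing required property")

    # Reject undocumented properties and wrong JSON types up front.
    for name, value in body.items():
        expected = FIELD_TYPES.get(name)
        if expected is None:
            errors.append(f"{name}: not a documented property")
        elif not isinstance(value, expected):
            errors.append(f"{name}: expected {expected.__name__}")
    if errors:
        return errors  # do not inspect values of the wrong type

    email = body.get("email")
    if email is not None and not EMAIL_RE.fullmatch(email):
        errors.append("email: does not match documented pattern")

    username = body.get("username")
    if username is not None:
        if not USERNAME_RE.fullmatch(username):
            errors.append("username: does not match documented pattern")
        elif username == "":
            # The documented pattern ends in '*', so "" matches it.
            errors.append("username: empty (the documented pattern allows it)")

    if body["password"] != body["confirmPassword"]:
        errors.append("confirmPassword: differs from password")

    for name in ("policyIDs", "groups"):
        if any(not isinstance(item, str) for item in body.get(name, [])):
            errors.append(f"{name}: every item must be a string")

    # Local policy (assumption): only absolute http(s) URIs whose host is
    # on the caller's allowlist are sent as the post-verification redirect.
    uri = body.get("redirectUri")
    if uri is not None:
        try:
            parts = urlsplit(uri)
            ok = (parts.scheme in ("http", "https")
                  and parts.hostname in allowed_redirect_hosts)
        except ValueError:
            ok = False
        if not ok:
            errors.append("redirectUri: scheme or host not on the local allowlist")
    return errors


if __name__ == "__main__":
    print(validate_registration(SAMPLE))
    print(validate_registration(dict(SAMPLE, username="foojohn\n")))
```

A server must still enforce the same rules; this check only keeps malformed requests from leaving the client.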

HTTP status code 201

The user is successfully registered.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: optional (string)

      User's path that is used in KRN.

    • krn: required(string - pattern: ^[a-zA-Z0-9_)

      User's KRN.

    • policyIDs: optional (array of )

      Policies that are attached to user.

    • groups: optional (array of )

      Groups that the user is assigned to.

    • sendVerifyEmail: optional (boolean)

      Flag indicating whether to send a verification email to the user.

    • redirectUri: optional (string)

      Redirect URI to use after the user is verified.

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6OnVzZXIvb3JnMS9qb2hu",
      "created": "2021-10-18T10:19:17.530472734Z",
      "keycloakID": "e9800d15-7b45-4504-93ef-08788c3d15b1",
      "updated": "2021-10-18T10:19:17.530472734Z",
      "tenantID": "kaa",
      "email": "john@gmail.com",
      "enabled": true,
      "firstName": "John",
      "lastName": "Martin",
      "username": "john",
      "krn": "krn:iam:kaa::user/org1/john",
      "path": "/org1",
      "groups": [
          "a3JuOmlhbTprYWE6Omdyb3VwL0Zvbw=="
      ],
      "policyIDs": [
          "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ="
      ],
      "sendVerifyEmail": true,
      "redirectUri": "http://example.com/"
  }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

get /users

Retrieves users.

Secured by IAM with actions:
  • iam:user:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1
  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10
  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name
  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc
  • email: optional (string)

    Filter user by email.

    Example:

    josephmorgan@gmail.com
  • path: optional (string)

    Filter user by path.

    Example:

    /org1

HTTP status code 200

Users are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of RetrieveUser)

    Items: RetrieveUser

    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: optional (string)

      User's path that is used in KRN.

    • defaultGroup: optional (string)

      User's default group.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

  • count: required(integer)

    Total amount of users.

  • page: required(integer)

    Page number.

  • pageSize: required(integer)

    Total returned elements.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvcm9iYmll",
          "keycloakID": "68a8372d-cc0a-4a42-8a56-099ac466e0bd",
          "created": "2021-10-18T08:47:54.219531Z",
          "updated": "2021-10-18T08:47:54.219531Z",
          "tenantID": "kaa",
          "email": "robbie@example.com",
          "enabled": true,
          "firstName": "",
          "lastName": "",
          "username": "robbie",
          "krn": "krn:iam:kaa::user/robbie",
          "path": "/"
      },
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvb3JnMS9qb2hu",
          "keycloakID": "6f1e8e4b-e9fd-483e-8655-cd9e7bccf5df",
          "created": "2021-10-18T10:19:17.530472Z",
          "updated": "2021-10-18T10:19:17.530472Z",
          "tenantID": "kaa",
          "email": "john@gmail.com",
          "enabled": true,
          "firstName": "John",
          "lastName": "Martin",
          "username": "john",
          "krn": "krn:iam:kaa::user/org1/john",
          "path": "/org1"
      },
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvdmljdG9y",
          "keycloakID": "ddc2eedd-6625-4227-9044-d838018d8bf4",
          "created": "2021-10-15T10:58:50.317315Z",
          "updated": "2021-10-15T10:58:50.317315Z",
          "tenantID": "kaa",
          "email": "victor@email.com",
          "enabled": true,
          "firstName": "Victor",
          "lastName": "Charles",
          "username": "victor",
          "krn": "krn:iam:kaa::user/victor",
          "path": "/"
      },
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvZnJhbmNlc0BnbWFpbC5jb20=",
          "keycloakID": "e5904d33-ea08-41b7-ab33-1001863d73c9",
          "created": "2021-10-15T09:58:17.989254Z",
          "updated": "2021-10-15T09:58:17.989254Z",
          "tenantID": "kaa",
          "email": "rances@gmail.com",
          "enabled": true,
          "firstName": "Frances",
          "lastName": "Nathan",
          "username": "frances@gmail.com",
          "krn": "krn:iam:kaa::user/frances@gmail.com",
          "path": "/"
      },
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvd2luaWZyZWQ=",
          "keycloakID": "74554cff-b260-4055-afab-fd068e433495",
          "created": "2021-10-15T14:54:53.679871Z",
          "updated": "2021-10-15T15:33:57.90856Z",
          "tenantID": "kaa",
          "email": "winifred@gmail.com",
          "enabled": true,
          "firstName": "Winifred",
          "lastName": "Theodora",
          "username": "winifred",
          "krn": "krn:iam:kaa::user/winifred",
          "path": "/"
      },
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvY2Fyb2xpbmU=",
          "keycloakID": "5ed9f438-7afc-4bad-abad-4f06612b2bab", 
          "created": "2021-10-18T08:14:47.481435Z",
          "updated": "2021-10-18T08:14:47.481435Z",
          "tenantID": "kaa",
          "email": "caroline@gmail.com",
          "enabled": true,
          "firstName": "Caroline",
          "lastName": "Melina",
          "username": "caroline",
          "krn": "krn:iam:kaa::user/caroline",
          "path": "/"
      }
  ],
  "count": 6,
  "page": 1,
  "pageSize": 10
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/paths get

get /users/paths

Retrieves unique user paths.

Secured by IAM with actions:
  • iam:user:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 200

User paths are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of )

Example:

{
  "data": [
    "/org1",
    "/org2"
  ]
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/delete post

post /users/delete

Bulk deletes users.

Secured by IAM with actions:
  • iam:user:delete

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • userIDs: required(string)

Example:

{
  "userIDs": [
    "a3JuOmlhbTprYWE6OnVzZXIvcGF0aC9mb3dsZXI="
  ]
}

HTTP status code 204

Users successfully deleted.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me get put delete

get /users/me

Retrieve currently authenticated user's information.

Secured by IAM with actions:
  • iam:me:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 200

The user is successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: optional (string)

      User's path that is used in KRN.

    • defaultGroup: optional (string)

      User's default group.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu",
      "keycloakID": "054b6a1a-3cb1-489b-a6ef-0579bdf3e275",
      "created": "2021-10-18T11:08:09.4919Z",
      "updated": "2021-10-18T11:08:09.4919Z",
      "tenantID": "kaa",
      "email": "josephmorgan@gmail.com",
      "enabled": true,
      "firstName": "Joseph",
      "lastName": "Morgan",
      "username": "josephmorgan",
      "krn": "krn:iam:kaa::user/josephmorgan",
      "path": "/"
  }
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /users/me

Updates currently authenticated user's information.

Secured by IAM with actions:
  • iam:me:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

    User's email.

  • firstName: optional (string)

    User's first name.

  • lastName: optional (string)

    User's last name.

  • defaultGroup: optional (string)

    User's default group.

  • enabled: optional (boolean)

    Whether the user is enabled or not.

Example:

{
  "firstName": "MorganUpdated",
  "lastName": "JosephUpdated",
  "email": "josephm@gmail.com",
  "enabled": true
}

HTTP status code 204

The user is successfully updated.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

delete /users/me

Deletes currently authenticated user.

Secured by IAM with actions:
  • iam:me:delete

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 204

The user is successfully deleted.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/krn get

get /users/me/krn

Retrieve the currently authenticated user KRN.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 200

User KRN successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(string)

Example:

{
    "data": "krn:iam:kaa::user/org1/eytan"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/attributes get put

get /users/me/attributes

Retrieve currently authenticated user's attributes.

Secured by with scopes:
  • iam:me:read

HTTP status code 200

User attributes are successfully retrieved.

Body

Media type: application/json

Type: json

Content:

{
    "required":true,
    "type":"object",
    "properties":{
        "data":{
            "required":true,
            "type":"array",
            "items":[
                {
                    "required":true,
                    "type":"string"
                }
            ]
        }
    }
}

Example:

{
    "data": {
        "lastLogin": [
            "23.11.2021"
        ],
        "path": [
            "/testpath"
        ],
        "userInfo": [
            "Micheal",
            "Mark"
        ]
    }
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by

put /users/me/attributes

Updates currently authenticated user's attributes.

Secured by with scopes:
  • iam:me:update

Body

Media type: application/json

Type: json

Content:

{
    "required":true,
    "type":"object",
    "properties":{
        "attributes":{
            "required":true,
            "type":"array",
            "items":[
                {
                    "required":true,
                    "type":"string"
                }
            ]
        }
    }
}

Example:

{
    "attributes": {
        "lastLogin": [
            "23.11.2021"
        ],
        "userInfo": [
            "Micheal",
            "Mark"
        ]
    }
}

HTTP status code 204

The user's attributes are successfully updated.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by

/users/me/password/change post

post /users/me/password/change

Changes the currently authenticated user's password.

Secured by IAM with actions:
  • iam:me:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • oldPassword: required(string)

    User's old password.

  • newPassword: required(string)

    User's new password.

  • confirmPassword: required(string)

    User's new password confirmation.

Example:

{
  "oldPassword": "YesYkYKpLd6n3dVZ",
  "newPassword": "KPJ9KP33afQqG7ke",
  "confirmPassword": "KPJ9KP33afQqG7ke"
}

HTTP status code 204

The user's password is successfully changed.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/password/reset post

post /users/me/password/reset

Reset the currently authenticated user's password.

Secured by IAM with actions:
  • iam:me:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • newPassword: required(string)

    User's new password.

  • confirmPassword: required(string)

    User's new password confirmation.

Example:

{
  "newPassword": "hh8VkeHymc3j8NYJ",
  "confirmPassword": "hh8VkeHymc3j8NYJ"
}

HTTP status code 204

The user's password is successfully reset.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/groups get

get /users/me/groups

Retrieves the currently authenticated user's membership groups.

Secured by IAM with actions:
  • iam:me:read
  • iam:group:me:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1
  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10
  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name
  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc

HTTP status code 200

Membership groups are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Group)

    Items: Group

    • id: required(string)

      Group ID.

    • tenantID: required(string)

      Tenant ID of the group.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Group name.

    • displayName: required(string)

      Group display name.

    • path: required(string)

      Group path.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Group KRN.

    • created: required(datetime)

      Group registration date in ISO 8601 format (UTC timezone).

    • updated: required(datetime)

      Group last update date in ISO 8601 format (UTC timezone).

  • count: required(integer)

    Total amount of users.

  • page: required(integer)

    Page number.

  • pageSize: required(integer)

    Total returned elements.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvbw==",
          "created": "2021-10-18T14:34:57.286561+04:00",
          "updated": "2021-10-18T14:34:57.286561+04:00",
          "tenantID": "kaa",
          "name": "Foo",
          "path": "/Foo",
          "krn": "krn:iam:kaa::group/Foo"
      }
  ],
  "count": 1,
  "page": 1,
  "pageSize": 10
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/groups/add post

post /users/me/groups/add

Adds currently authenticated user to the groups.

Secured by IAM with actions:
  • iam:me:update
  • iam:group:me:add
  • iam:me:group:add

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • groupIDs: required(string)

    Group IDs.

Example:

{
  "groupIDs": [
    "a3JuOmlhbTprYWE6Omdyb3VwL2Jvbw=="
  ]
}

HTTP status code 200

User is successfully added to groups.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: required(string)

      User's path that is used in KRN.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

    • groups: required(array of )

      Groups that the user is assigned to.

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu",
      "keycloakID":"0b63d362-9bb0-442d-8104-61cc1abfffcf",
      "created": "2021-10-18T11:08:09.4919Z",
      "updated": "2021-10-18T11:55:48.367213Z",
      "tenantID": "kaa",
      "email": "josephm@gmail.com",
      "enabled": true,
      "firstName": "MorganUpdated",
      "lastName": "JosephUpdated",
      "username": "josephmorgan",
      "krn": "krn:iam:kaa::user/josephmorgan",
      "path": "/",
      "groups": [
          "a3JuOmlhbTprYWE6Omdyb3VwL0Jvbw=="
      ]
  }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/groups/remove post

post /users/me/groups/remove

Removes currently authenticated user from groups.

Secured by IAM with actions:
  • iam:me:update
  • iam:group:me:remove
  • iam:me:group:remove

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • groupIDs: required(string)

    Group IDs.

Example:

{
  "groupIDs": [
    "a3JuOmlhbTprYWE6Omdyb3VwL2Jvbw=="
  ]
}

HTTP status code 204

User is successfully removed from groups.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/groups/{groupID}/add post

post /users/me/groups/{groupID}/add

Adds currently authenticated user to the group.

Secured by IAM with actions:
  • iam:group:me:add
  • iam:group:user:add

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 204

User successfully added to the group.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/groups/{groupID}/remove post

post /users/me/groups/{groupID}/remove

Removes the currently authenticated user from the group.

Secured by IAM with actions:
  • iam:group:me:remove

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 204

User successfully removed from the group.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/policies get

get /users/me/policies

Returns policies that the currently authenticated user is attached to.

Secured by IAM with actions:
  • iam:me:read
  • iam:me:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 200

Policies that user is attached to are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ=",
          "krn": "krn:iam:kaa::policy/Admin_user_read",
          "name": "Admin_user_read",
          "description": "Allow user to read admin user",
          "type": "identity",
          "origin": "api",
          "version": "1.0.0",
          "statements": [
              {
                  "actions": [
                      "iam:user:read"
                  ],
                  "resources": [
                      "krn:iam:kaa::user/admin@example.com"
                  ],
                  "principals": [
                      "krn:iam:kaa::user/admin@example.com",
                      "krn:iam:kaa::user/john",
                      "krn:iam:kaa::user/org1/john",
                      "krn:iam:kaa::user/josephmorgan"
                  ],
                  "description": "Allow user read action on list of principals",
                  "effect": "allow"
              }
          ]
      }
  ],
  "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZzakJqZnhpZVFvMjZITWhXcVRrT2tRAAAAAAAAAEMqFjlOZzk0Yk1iUkVxM0RreGp6cjFLZ0EAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWWWF3LW9ma3FRQ21fU3FsT2NDdzluUQAAAAAAAABAXRYzSmk0MnpLYlFWRzNya1I1cy0xdE1nAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
  "sort": "[\"allow\",\"krn:iam:kaa:user/admin@example.com\",\"a3JuOmlhbTprYWE6cG9saWN5L0FkbWluX3VzZXJfcmVhZA==\",4294967308]"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/policies/eligible get

get /users/me/policies/eligible

Returns policies that the currently authenticated user is eligible to be attached to.

Secured by IAM with actions:
  • iam:me:read
  • iam:me:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 200

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
    "data": [
        {
            "id": "a3JuOmlhbTo6a2FhOnBvbGljeS9hZG1pbi1hY2Nlc3M=",
            "krn": "krn:iam::kaa:policy/admin-access",
            "name": "admin-access",
            "type": "identity",
            "description": "admin access policy",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::user/org1/rayan",
                        "krn:iam:kaa::group/org1"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9uZXctcG9sLWZpbmFs",
            "krn": "krn:iam:kaa::policy/new-pol-final",
            "name": "new-pol-final",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam::kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::user/org1/rayan"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9uZXctdGVzdC1wb2w=",
            "krn": "krn:iam:kaa::policy/new-test-pol",
            "name": "new-test-pol",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS91c2Vycy1yZWFkb25seQ==",
            "krn": "krn:iam:kaa::policy/users-readonly",
            "name": "users-readonly",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "iam:user:read"
                    ],
                    "resources": [
                        "krn:iam:kaa::user/*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                },
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa::policy/*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                }
            ]
        }
    ],
    "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZzakJqZnhpZVFvMjZITWhXcVRrT2tRAAAAAAAAAENIFjlOZzk0Yk1iUkVxM0RreGp6cjFLZ0EAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWSjlwWWxWdEZTUWluSllmZmVkZUMzZwAAAAAAAACjEBZjdDRNcjhXSlRObXZJeVEydTctVHVnAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
    "sort": "[\"allow\",\"krn:iam:kaa:policy/*\",\"a3JuOmlhbTprYWE6cG9saWN5L3VzZXJzLXJlYWRvbmx5\",17]"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/policies/attach post

post /users/me/policies/attach

Attaches the currently authenticated user to the policies.

Secured by IAM with actions:
  • iam:me:update
  • iam:me:policy:attach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • policyIDs: required(array of )

    Policy IDs.

Example:

{
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9Hcm91cC1wb2xpY3k="
  ]
}

HTTP status code 204

The user is successfully attached to the policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/policies/detach post

post /users/me/policies/detach

Detaches the currently authenticated user from policies.

Secured by IAM with actions:
  • iam:me:update
  • iam:me:policy:detach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • policyIDs: required(array of )

    Policy IDs.

Example:

{
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9Hcm91cC1wb2xpY3k="
  ]
}

HTTP status code 204

The user is successfully detached from the policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/me/policy get put

get /users/me/policy

Retrieves the currently authenticated user's resource policy.

Secured by IAM with actions:
  • iam:me:read
  • iam:me:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

HTTP status code 200

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

Example:

{
    "data": {
        "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2FuLXJlc291cmNlIg==",
        "krn": "krn:iam:kaa::user/josephmorgan",
        "name": "krn:iam:kaa::user/josephmorgan",
        "description": "Individual resource policy",
        "type": "resource",
        "origin": "api",
        "version": "1.0.0",
        "statements": [
            {
                "actions": [
                    "*"
                ],
                "resources": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "principals": [
                    "krn:iam:kaa::user/admin@example.com"
                ],
                "effect": "allow"
            },
            {
                "actions": [
                    "iam:user:read",
                    "iam:user:update"
                ],
                "resources": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "principals": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "effect": "allow"
            }
        ]
    }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /users/me/policy

Updates the currently authenticated user's resource policy.

Secured by IAM with actions:
  • iam:me:update
  • iam:me:policy:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • statements: required(array of ResourcePolicyUpdateData)

    List of statements.

    Items: ResourcePolicyUpdateData

    • actions: required(array of )

      List of specified actions.

    • principals: required(array of )

      List of specified principals.

    • description: optional (string)

      Description of the statement.

    • effect: required(string)

      Principal effect.

Example:

{
    "statements":[
        {
            "actions":[
                "*"
            ],
            "principals":[
                "krn:iam:kaa::user/admin@example.com"
            ],
            "effect":"allow",
            "description":"Allow admin@example.com user on all actions"
        },
        {
            "actions":[
                "iam:user:read",
                "iam:user:update"
            ],
            "principals":[
                "krn:iam:kaa::user/josephmorgan"
            ],
            "description":"Allow josephmorgan user on read and update actions",
            "effect":"allow"
        },
        {
            "actions":[
                "iam:user:*"
            ],
            "principals":[
                "krn:iam:kaa::user/patricia"
            ],
            "description":"Allow patricia user on all user actions",
            "effect":"allow"
        }
    ]
}

HTTP status code 204

Successfully updated resource policy.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.
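
A pre-flight check for the `put /users/me/policy` request body, as an added example (not part of the Kaa IAM documentation or code): it validates each statement against the fields listed for this endpoint and the KRN pattern given on this page, and flags wildcard grants for review. The allow/deny effect values are taken from the Statement schema on this page; the wildcard warning is this example's own review rule, and the function names and sample principals are made up for illustration.

```python
import re

# KRN pattern as documented for krn fields on this page. fullmatch() is used
# below because "$" alone would also accept a trailing newline in Python.
KRN_PATTERN = re.compile(r"^[a-zA-Z0-9_\-/:*@.]*$")
ALLOWED_EFFECTS = ("allow", "deny")  # documented Statement.effect values


def _string_list(statement, field, where, errors):
    """Return statement[field] if it is a list of strings, else record an error."""
    values = statement.get(field)
    if values is None:
        errors.append(f"{where}.{field}: required field is missing")
        return []
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        errors.append(f"{where}.{field}: must be an array of strings")
        return []
    return values


def lint_resource_policy_update(body):
    """Check a PUT /users/me/policy body; return (errors, warnings).

    Errors are violations of the documented schema. Warnings are review
    hints chosen for this example (wildcard grants), not API rules.
    """
    errors, warnings = [], []
    statements = body.get("statements") if isinstance(body, dict) else None
    if not isinstance(statements, list):
        return ["statements: required array is missing"], warnings

    for i, st in enumerate(statements):
        where = f"statements[{i}]"
        if not isinstance(st, dict):
            errors.append(f"{where}: must be an object")
            continue
        actions = _string_list(st, "actions", where, errors)
        principals = _string_list(st, "principals", where, errors)

        effect = st.get("effect")
        if effect is None:
            errors.append(f"{where}.effect: required field is missing")
        elif effect not in ALLOWED_EFFECTS:
            errors.append(f"{where}.effect: {effect!r} is not one of {ALLOWED_EFFECTS}")

        if not isinstance(st.get("description", ""), str):
            errors.append(f"{where}.description: must be a string")

        # Report exactly which characters fall outside the documented pattern.
        for principal in principals:
            if not KRN_PATTERN.fullmatch(principal):
                bad = sorted({ch for ch in principal if not KRN_PATTERN.fullmatch(ch)})
                errors.append(f"{where}.principals: {principal!r} contains {bad}, "
                              "which the KRN pattern does not allow")

        # Review hint: an allow statement with "*" grants more than it names.
        if effect == "allow":
            wild = [v for v in actions + principals if "*" in v]
            if wild:
                warnings.append(f"{where}: allow statement uses wildcard(s) {wild}")
    return errors, warnings


# Constructed request body (not taken from a live system).
SAMPLE_BODY = {
    "statements": [
        {"actions": ["iam:user:read"],
         "principals": ["krn:iam:kaa::user/alice"],
         "effect": "allow"},
        {"actions": ["iam:user:update"],
         "principals": ["krn:iam:kaa:;user/bob"],   # ';' typed instead of ':'
         "effect": "allow"},
        {"actions": ["*"],
         "principals": ["krn:iam:kaa::user/carol"],
         "effect": "allow"},
        {"actions": ["iam:user:read"],              # principals missing
         "effect": "permit"},                       # not allow/deny
    ]
}

if __name__ == "__main__":
    errs, warns = lint_resource_policy_update(SAMPLE_BODY)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Running the check before sending the request keeps a malformed principal from reaching the service, and keeps a wildcard grant from being applied without review.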

/users/{userID} get put delete

get /users/{userID}

Retrieves a specific user.

Secured by IAM with actions:
  • iam:user:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

HTTP status code 200

The user is successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: optional (string)

      User's path that is used in KRN.

    • defaultGroup: optional (string)

      User's default group.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu",
      "keycloakID": "054b6a1a-3cb1-489b-a6ef-0579bdf3e275",
      "created": "2021-10-18T11:08:09.4919Z",
      "updated": "2021-10-18T11:08:09.4919Z",
      "tenantID": "kaa",
      "email": "josephmorgan@gmail.com",
      "enabled": true,
      "firstName": "Joseph",
      "lastName": "Morgan",
      "username": "josephmorgan",
      "krn": "krn:iam:kaa::user/josephmorgan",
      "path": "/"
  }
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /users/{userID}

Updates a specific user.

Secured by IAM with actions:
  • iam:user:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

    User's email.

  • firstName: optional (string)

    User's first name.

  • lastName: optional (string)

    User's last name.

  • defaultGroup: optional (string)

    User's default group.

  • enabled: optional (boolean)

    Whether the user is enabled or not.

Example:

{
  "firstName": "MorganUpdated",
  "lastName": "JosephUpdated",
  "email": "josephm@gmail.com",
  "enabled": true
}

HTTP status code 204

The user is successfully updated.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

delete /users/{userID}

Deletes a specific user.

Secured by IAM with actions:
  • iam:user:delete

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

HTTP status code 204

The user is successfully deleted.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/attributes get put

get /users/{userID}/attributes

Retrieves a specific user's attributes.

Secured by with scopes:
  • iam:user:read

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

HTTP status code 200

User attributes are successfully retrieved.

Body

Media type: application/json

Type: json

Content:

{
    "required":true,
    "type":"object",
    "properties":{
        "data":{
            "required":true,
            "type":"array",
            "items":[
                {
                    "required":true,
                    "type":"string"
                }
            ]
        }
    }
}

Example:

{
    "data": {
        "lastLogin": [
            "23.11.2021"
        ],
        "path": [
            "/testpath"
        ],
        "userInfo": [
            "Micheal",
            "Mark"
        ]
    }
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by

put /users/{userID}/attributes

Updates a specific user's attributes.

Secured by with scopes:
  • iam:user:update

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: json

Content:

{
    "required":true,
    "type":"object",
    "properties":{
        "attributes":{
            "required":true,
            "type":"array",
            "items":[
                {
                    "required":true,
                    "type":"string"
                }
            ]
        }
    }
}

Example:

{
    "attributes": {
        "lastLogin": [
            "23.11.2021"
        ],
        "userInfo": [
            "Micheal",
            "Mark"
        ]
    }
}

HTTP status code 204

User attributes are successfully updated.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by

/users/{userID}/password/change post

post /users/{userID}/password/change

Changes the user's password.

Secured by IAM with actions:
  • iam:user:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • oldPassword: required(string)

    User's old password.

  • newPassword: required(string)

    User's new password.

  • confirmPassword: required(string)

    User's new password confirmation.

Example:

{
  "oldPassword": "YesYkYKpLd6n3dVZ",
  "newPassword": "KPJ9KP33afQqG7ke",
  "confirmPassword": "KPJ9KP33afQqG7ke"
}

HTTP status code 204

The user's password is successfully changed.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/password/reset post

post /users/{userID}/password/reset

Resets the user's password.

Secured by IAM with actions:
  • iam:user:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • newPassword: required(string)

    User's new password.

  • confirmPassword: required(string)

    User's new password confirmation.

Example:

{
  "newPassword": "hh8VkeHymc3j8NYJ",
  "confirmPassword": "hh8VkeHymc3j8NYJ"
}

HTTP status code 204

User password is successfully reset.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/groups get

get /users/{userID}/groups

Gets the user's membership groups.

Secured by IAM with actions:
  • iam:group:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1
  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10
  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name
  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc

HTTP status code 200

Membership groups are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Group)

    Items: Group

    • id: required(string)

      Group ID.

    • tenantID: required(string)

      Tenant ID of the group.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Group name.

    • displayName: required(string)

      Group display name.

    • path: required(string)

      Group path.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Group KRN.

    • created: required(datetime)

      Group registration date in ISO 8601 format (UTC timezone).

    • updated: required(datetime)

      Group last update date in ISO 8601 format (UTC timezone).

  • count: required(integer)

    Total amount of users.

  • page: required(integer)

    Page number.

  • pageSize: required(integer)

    Total returned elements.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvbw==",
          "created": "2021-10-18T14:34:57.286561+04:00",
          "updated": "2021-10-18T14:34:57.286561+04:00",
          "tenantID": "kaa",
          "name": "Foo",
          "path": "/Foo",
          "krn": "krn:iam:kaa::group/Foo"
      }
  ],
  "count": 1,
  "page": 1,
  "pageSize": 10
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/groups/add post

post /users/{userID}/groups/add

Adds the user to groups.

Secured by IAM with actions:
  • iam:group:user:add
  • iam:user:group:add

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • groupIDs: required(string)

    Group IDs.

Example:

{
  "groupIDs": [
    "a3JuOmlhbTprYWE6Omdyb3VwL2Jvbw=="
  ]
}

HTTP status code 200

User is successfully added to groups.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: required(string)

      User's path that is used in KRN.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

    • groups: required(array of )

      Groups that the user is assigned to.

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu",
      "keycloakID":"0b63d362-9bb0-442d-8104-61cc1abfffcf",
      "created": "2021-10-18T11:08:09.4919Z",
      "updated": "2021-10-18T11:55:48.367213Z",
      "tenantID": "kaa",
      "email": "josephm@gmail.com",
      "enabled": true,
      "firstName": "MorganUpdated",
      "lastName": "JosephUpdated",
      "username": "josephmorgan",
      "krn": "krn:iam:kaa::user/josephmorgan",
      "path": "/",
      "groups": [
          "a3JuOmlhbTprYWE6Omdyb3VwL0Jvbw=="
      ]
  }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/groups/remove post

post /users/{userID}/groups/remove

Removes the user from groups.

Secured by IAM with actions:
  • iam:group:user:remove
  • iam:user:group:remove

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • groupIDs: required(string)

    Group IDs.

Example:

{
  "groupIDs": [
    "a3JuOmlhbTprYWE6Omdyb3VwL2Jvbw=="
  ]
}

HTTP status code 204

User is successfully removed from groups.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/policies get

get /users/{userID}/policies

Returns policies that the user is attached to.

Secured by IAM with actions:
  • iam:user:read
  • iam:user:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

HTTP status code 200

Policies that the user is attached to are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ=",
          "krn": "krn:iam:kaa::policy/Admin_user_read",
          "name": "Admin_user_read",
          "description": "Allow user to read admin user",
          "type": "identity",
          "origin": "api",
          "version": "1.0.0",
          "statements": [
              {
                  "actions": [
                      "iam:user:read"
                  ],
                  "resources": [
                      "krn:iam:kaa::user/admin@example.com"
                  ],
                  "principals": [
                      "krn:iam:kaa::user/admin@example.com",
                      "krn:iam:kaa::user/john",
                      "krn:iam:kaa::user/org1/john",
                      "krn:iam:kaa::user/josephmorgan"
                  ],
                  "description": "Allow user read action on list of principals",
                  "effect": "allow"
              }
          ]
      }
  ],
  "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZzakJqZnhpZVFvMjZITWhXcVRrT2tRAAAAAAAAAEMqFjlOZzk0Yk1iUkVxM0RreGp6cjFLZ0EAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWWWF3LW9ma3FRQ21fU3FsT2NDdzluUQAAAAAAAABAXRYzSmk0MnpLYlFWRzNya1I1cy0xdE1nAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
  "sort": "[\"allow\",\"krn:iam:kaa:user/admin@example.com\",\"a3JuOmlhbTprYWE6cG9saWN5L0FkbWluX3VzZXJfcmVhZA==\",4294967308]"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/policies/eligible get

get /users/{userID}/policies/eligible

Returns policies that the user is eligible to be attached to.

Secured by IAM with actions:
  • iam:user:read
  • iam:user:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

HTTP status code 200

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
    "data": [
        {
            "id": "a3JuOmlhbTo6a2FhOnBvbGljeS9hZG1pbi1hY2Nlc3M=",
            "krn": "krn:iam::kaa:policy/admin-access",
            "name": "admin-access",
            "type": "identity",
            "description": "admin access policy",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::user/org1/rayan",
                        "krn:iam:kaa::group/org1"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9uZXctcG9sLWZpbmFs",
            "krn": "krn:iam:kaa::policy/new-pol-final",
            "name": "new-pol-final",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam::kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::user/org1/rayan"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9uZXctdGVzdC1wb2w=",
            "krn": "krn:iam:kaa::policy/new-test-pol",
            "name": "new-test-pol",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS91c2Vycy1yZWFkb25seQ==",
            "krn": "krn:iam:kaa::policy/users-readonly",
            "name": "users-readonly",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "iam:user:read"
                    ],
                    "resources": [
                        "krn:iam:kaa::user/*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                },
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa::policy/*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                }
            ]
        }
    ],
    "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZzakJqZnhpZVFvMjZITWhXcVRrT2tRAAAAAAAAAENIFjlOZzk0Yk1iUkVxM0RreGp6cjFLZ0EAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWSjlwWWxWdEZTUWluSllmZmVkZUMzZwAAAAAAAACjEBZjdDRNcjhXSlRObXZJeVEydTctVHVnAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
    "sort": "[\"allow\",\"krn:iam:kaa:policy/*\",\"a3JuOmlhbTprYWE6cG9saWN5L3VzZXJzLXJlYWRvbmx5\",17]"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.
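An added example, not part of the Kaa IAM documentation: a least-privilege audit over a response body shaped like the Policy list above. It assumes that "*" in actions means all actions, that a trailing ":*" is an action-prefix wildcard, and that a policy ID is the Base64 encoding of its KRN, as in most examples on this page. The sample response and all function names are constructed for illustration.

```python
import base64


def b64(text):
    """Base64-encode text; used only to build the constructed sample below."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_id(policy_id):
    """Return the text an ID decodes to, or None if it is not Base64-encoded UTF-8."""
    try:
        return base64.b64decode(policy_id, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def classify_statement(st):
    """Return a breadth finding for one Statement object, or None."""
    if st.get("effect") != "allow":
        return None  # deny statements do not widen access
    actions = st.get("actions", [])
    if "*" in actions:
        if any("*" in r for r in st.get("resources", [])):
            return "allow-all-actions-on-wildcard-resource"
        return "allow-all-actions"
    if any(a.endswith(":*") for a in actions):
        return "allow-action-prefix-wildcard"
    return None


def audit_policy(policy):
    """Return (policy name, statement index or None, finding code) tuples."""
    name = policy.get("name", "<unnamed>")
    findings = []
    decoded = decode_id(policy.get("id", ""))
    if decoded is None:
        findings.append((name, None, "id-not-base64"))
    elif decoded != policy.get("krn"):
        # Assumption: id == base64(krn); a mismatch deserves a manual look.
        findings.append((name, None, "id-krn-mismatch"))
    for index, st in enumerate(policy.get("statements", [])):
        code = classify_statement(st)
        if code:
            findings.append((name, index, code))
    return findings


def audit_response(body):
    """Audit every policy in a {"data": [...]} response body."""
    findings = []
    for policy in body.get("data", []):
        findings.extend(audit_policy(policy))
    return findings


def broad_grants_by_principal(body):
    """Map each principal to the policies that allow it all actions ("*")."""
    grants = {}
    for policy in body.get("data", []):
        for st in policy.get("statements", []):
            if st.get("effect") == "allow" and "*" in st.get("actions", []):
                for principal in st.get("principals", []):
                    grants.setdefault(principal, set()).add(policy.get("name", "<unnamed>"))
    return {p: sorted(names) for p, names in grants.items()}


def _stmt(actions, resources, principals, effect="allow"):
    return {"actions": actions, "resources": resources,
            "principals": principals, "effect": effect}


ADMIN = "krn:iam:kaa::user/admin@example.com"

# Constructed sample: three policies in the response shape documented above.
SAMPLE_RESPONSE = {
    "data": [
        {"id": b64("krn:iam:kaa::policy/users-readonly"),
         "krn": "krn:iam:kaa::policy/users-readonly", "name": "users-readonly",
         "statements": [_stmt(["iam:user:read"], ["krn:iam:kaa::user/*"], [ADMIN])]},
        {"id": b64("krn:iam:kaa::policy/admin-access"),
         "krn": "krn:iam:kaa::policy/admin-access", "name": "admin-access",
         "statements": [_stmt(["*"], ["krn:iam:kaa:*"],
                              [ADMIN, "krn:iam:kaa::group/org1"])]},
        {"id": b64("krn:iam:kaa::policy/other"),  # deliberately inconsistent
         "krn": "krn:iam:kaa::policy/ops-temp", "name": "ops-temp",
         "statements": [
             _stmt(["iam:user:*"], ["krn:iam:kaa::user/org1/john"],
                   ["krn:iam:kaa::user/org1/rayan"]),
             _stmt(["*"], ["krn:iam:kaa::user/org1/john"], [ADMIN], effect="deny"),
         ]},
    ]
}

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
    print(broad_grants_by_principal(SAMPLE_RESPONSE))
```

The ID check is informational only: some IDs in this page's examples do not decode to exactly the accompanying KRN.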

/users/{userID}/policies/attach post

post /users/{userID}/policies/attach

Attaches user to policies.

Secured by IAM with actions:
  • iam:user:policy:attach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • policyIDs: required(array of )

    Policy IDs.

Example:

{
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9Hcm91cC1wb2xpY3k="
  ]
}

HTTP status code 204

The user is successfully attached to the policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/policies/detach post

post /users/{userID}/policies/detach

Detaches user from policies.

Secured by IAM with actions:
  • iam:user:policy:attach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • policyIDs: required(array of )

    Policy IDs.

Example:

{
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9Hcm91cC1wb2xpY3k="
  ]
}

HTTP status code 204

The user is successfully detached from the policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/users/{userID}/policy get put

get /users/{userID}/policy

Get user resource policy.

Secured by IAM with actions:
  • iam:user:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

HTTP status code 200

Body

Media type: application/json

Type: object

Properties

  • data: required(object)

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

Example:

{
    "data": {
        "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2FuLXJlc291cmNlIg==",
        "krn": "krn:iam:kaa::user/josephmorgan",
        "name": "krn:iam:kaa::user/josephmorgan",
        "description": "Individual resource policy",
        "type": "resource",
        "origin": "api",
        "version": "1.0.0",
        "statements": [
            {
                "actions": [
                    "*"
                ],
                "resources": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "principals": [
                    "krn:iam:kaa::user/admin@example.com"
                ],
                "effect": "allow"
            },
            {
                "actions": [
                    "iam:user:read",
                    "iam:user:update"
                ],
                "resources": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "principals": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "effect": "allow"
            }
        ]
    }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /users/{userID}/policy

Updates resource policy of the user.

Secured by IAM with actions:
  • iam:group:policy:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • userID: required(string)

    User ID.

    Example:

    a3JuOmlhbTprYWE6dXNlci90ZXN0cGF0aC90c3Nzc2VzM3Qz

Body

Media type: application/json

Type: object

Properties

  • statements: required(array of ResourcePolicyUpdateData)

    List of statements.

    Items: ResourcePolicyUpdateData

    • actions: required(array of )

      List of specified actions.

    • principals: required(array of )

      List of specified principals.

    • description: optional (string)

      Description of the statement.

    • effect: required(string)

      Principal effect.

Example:

{
    "statements":[
        {
            "actions":[
                "*"
            ],
            "principals":[
                "krn:iam:kaa::user/admin@example.com"
            ],
            "effect":"allow",
            "description":"Allow admin@example.com user on all actions"
        },
        {
            "actions":[
                "iam:user:read",
                "iam:user:update"
            ],
            "principals":[
                "krn:iam:kaa::user/josephmorgan"
            ],
            "description":"Allow josephmorgan user on read and update actions",
            "effect":"allow"
        },
        {
            "actions":[
                "iam:user:*"
            ],
            "principals":[
                "krn:iam:kaa::user/patricia"
            ],
            "description":"Allow patricia user on all actions",
            "effect":"allow"
        }
    ]
}

HTTP status code 204

Successfully updated resource policy.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.
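An added example, not part of the Kaa IAM documentation: a client-side pre-flight check of a PUT /users/{userID}/policy body against the ResourcePolicyUpdateData properties listed above, so that a malformed principal KRN or a misspelled effect is caught before the request is sent. Restricting effect to allow or deny (taken from the Statement schema), rejecting properties the schema does not list, and requiring non-empty arrays are assumptions of this sketch that are stricter than the page states. The sample body and function names are constructed.

```python
import re

# KRN pattern copied from the schemas on this page.
KRN_RE = re.compile(r"^[a-zA-Z0-9_\-/:*@.]*$")
ALLOWED_KEYS = {"actions", "principals", "description", "effect"}
REQUIRED_KEYS = {"actions", "principals", "effect"}
EFFECTS = {"allow", "deny"}  # assumption: same values as the Statement schema


def _is_string_list(value):
    """True for a non-empty list whose items are all non-empty strings."""
    return (isinstance(value, list) and len(value) > 0
            and all(isinstance(v, str) and v for v in value))


def validate_statement(st, index):
    """Return (JSON path, error code) tuples for one statement."""
    where = f"statements[{index}]"
    if not isinstance(st, dict):
        return [(where, "not-an-object")]
    keys = set(st)
    errors = [(f"{where}.{k}", "missing") for k in sorted(REQUIRED_KEYS - keys)]
    errors += [(f"{where}.{k}", "unexpected") for k in sorted(keys - ALLOWED_KEYS)]
    for key in ("actions", "principals"):
        if key in st and not _is_string_list(st[key]):
            errors.append((f"{where}.{key}", "not-a-string-list"))
    principals = st.get("principals")
    if _is_string_list(principals):
        for i, krn in enumerate(principals):
            # fullmatch also rejects a trailing newline that "$" alone would accept
            if not KRN_RE.fullmatch(krn):
                errors.append((f"{where}.principals[{i}]", "krn-pattern"))
    if "effect" in st:
        effect = st["effect"]
        if not (isinstance(effect, str) and effect in EFFECTS):
            errors.append((f"{where}.effect", "bad-effect"))
    if "description" in st and not isinstance(st["description"], str):
        errors.append((f"{where}.description", "not-a-string"))
    return errors


def validate_update_body(body):
    """Validate a whole request body; an empty list means no problems found."""
    if not isinstance(body, dict) or not isinstance(body.get("statements"), list):
        return [("statements", "missing-or-not-an-array")]
    errors = []
    for index, st in enumerate(body["statements"]):
        errors.extend(validate_statement(st, index))
    return errors


# Constructed sample: one valid statement and two with deliberate mistakes.
SAMPLE_BODY = {
    "statements": [
        {"actions": ["*"],
         "principals": ["krn:iam:kaa::user/admin@example.com"],
         "effect": "allow",
         "description": "Allow admin on all actions"},
        {"actions": ["iam:user:read", "iam:user:update"],
         "principals": ["krn:iam:kaa:;user/josephmorgan"],  # ";" is outside the pattern
         "effect": "Allow"},                                 # wrong case
        {"actions": ["iam:user:read"],
         "resources": ["krn:iam:kaa::user/*"],               # not in the update schema
         "effect": "deny"},                                  # principals missing
    ]
}

if __name__ == "__main__":
    for path, code in validate_update_body(SAMPLE_BODY):
        print(f"{path}: {code}")
```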

Groups

Operations on groups.

/groups post get

post /groups

Creates a new group.

Secured by IAM with actions:
  • iam:group:create

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • name: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

    Group name.

  • displayName: optional (string)

    Group display name.

  • parentID: optional (string)

    ID of the parent group.

  • users: optional (array of )

    User IDs that will be added to the group.

  • policyIDs: optional (array of )

    Policy IDs that will be attached to the group.

Example:

{
  "name": "boo",
  "displayName": "boo group",
  "parentID": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvbw==",
  "users": [
    "a3JuOmlhbTprYWE6OnVzZXIvZWR3YXJk"
  ],
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ="
  ]
}

HTTP status code 201

Group is successfully created.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)

    • id: required(string)

      Group ID.

    • tenantID: required(string)

      Tenant ID of the group.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Group name.

    • displayName: required(string)

      Group display name.

    • path: required(string)

      Group path.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Group KRN.

    • created: required(datetime)

      Group registration date in ISO 8601 format (UTC timezone).

    • updated: required(datetime)

      Group last update date in ISO 8601 format (UTC timezone).

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvby9ib28=",
      "created": "2021-10-18T12:27:15.55267632Z",
      "updated": "2021-10-18T12:27:15.55267632Z",
      "tenantID": "kaa",
      "name": "boo",
      "displayName": "boo group",
      "path": "/Foo/boo",
      "krn": "krn:iam:kaa::group/Foo/boo"
  }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

get /groups

Returns group list.

Secured by IAM with actions:
  • iam:group:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1

  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10

  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name

  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc

HTTP status code 200

Groups are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Group)

    Items: Group

    • id: required(string)

      Group ID.

    • tenantID: required(string)

      Tenant ID of the group.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Group name.

    • displayName: required(string)

      Group display name.

    • path: required(string)

      Group path.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Group KRN.

    • created: required(datetime)

      Group registration date in ISO 8601 format (UTC timezone).

    • updated: required(datetime)

      Group last update date in ISO 8601 format (UTC timezone).

  • count: required(integer)

    Total number of groups.

  • page: required(integer)

    Page number.

  • pageSize: required(integer)

    Page size.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL2dyb3VwMS9ncm91cDI=",
          "created": "2021-10-15T10:49:23.00967Z",
          "updated": "2021-10-15T10:49:23.00967Z",
          "tenantID": "kaa",
          "name": "group2",
          "displayName": "group2",
          "path": "/group1/group2",
          "krn": "krn:iam:kaa::group/group1/group2"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL29yZzE=",
          "created": "2021-10-15T09:58:43.037383Z",
          "updated": "2021-10-15T09:58:43.037383Z",
          "tenantID": "kaa",
          "name": "org1",
          "displayName": "organization 1",
          "path": "/org1",
          "krn": "krn:iam:kaa::group/org1"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL2dyb3VwMS9ncm91cDIvZ3JvdXAyLTM=",
          "created": "2021-10-15T14:57:49.898256Z",
          "updated": "2021-10-15T14:57:49.898256Z",
          "tenantID": "kaa",
          "name": "group2-3",
          "displayName": "group 2-3",
          "path": "/group1/group2/group2-3",
          "krn": "krn:iam:kaa::group/group1/group2/group2-3"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvby9ib28=",
          "created": "2021-10-18T12:27:15.552676Z",
          "updated": "2021-10-18T12:27:15.552676Z",
          "tenantID": "kaa",
          "name": "boo",
          "displayName": "boo group",
          "path": "/Foo/boo",
          "krn": "krn:iam:kaa::group/Foo/boo"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL2Jvbw==",
          "created": "2021-10-18T12:24:43.692049Z",
          "updated": "2021-10-18T12:24:43.692049Z",
          "tenantID": "kaa",
          "name": "boo",
          "displayName": "boo group",
          "path": "/boo",
          "krn": "krn:iam:kaa::group/boo"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL2dyb3VwMS9ncm91cDItMQ==",
          "created": "2021-10-15T10:50:16.532018Z",
          "updated": "2021-10-15T10:50:16.532018Z",
          "tenantID": "kaa",
          "name": "group2-1",
          "displayName": "organization 2-1",
          "path": "/group1/group2-1",
          "krn": "krn:iam:kaa::group/group1/group2-1"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Jvbw==",
          "created": "2021-10-18T11:59:50.222882Z",
          "updated": "2021-10-18T11:59:50.222882Z",
          "tenantID": "kaa",
          "name": "Boo",
          "displayName": "organization boo",
          "path": "/Boo",
          "krn": "krn:iam:kaa::group/Boo"
      },
      {
          "id": "ImtybjppYW06a2FhOjpncm91cC9Gb28=",
          "created": "2021-10-18T10:02:07.04474Z",
          "updated": "2021-10-18T10:02:07.04474Z",
          "tenantID": "kaa",
          "name": "Foo",
          "displayName": "organization Foo",
          "path": "/Foo",
          "krn": "krn:iam:kaa::group/Foo"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL29yZzEvYm9v",
          "created": "2021-10-18T12:25:59.595453Z",
          "updated": "2021-10-18T12:25:59.595453Z",
          "tenantID": "kaa",
          "name": "boo",
          "displayName": "boo",
          "path": "/org1/boo",
          "krn": "krn:iam:kaa::group/org1/boo"
      },
      {
          "id": "a3JuOmlhbTprYWE6Omdyb3VwL2dyb3VwMQ==",
          "created": "2021-10-15T10:49:04.079399Z",
          "updated": "2021-10-15T10:49:04.079399Z",
          "tenantID": "kaa",
          "name": "group1",
          "displayName": "group1",
          "path": "/group1",
          "krn": "krn:iam:kaa::group/group1"
      }
  ],
  "count": 11,
  "page": 1,
  "pageSize": 10
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/delete post

post /groups/delete

Bulk group delete.

Secured by IAM with actions:
  • iam:group:delete

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • groupIDs: required(string)

    Group IDs.

Example:

{
  "groupIDs": [
    "a3JuOmlhbTprYWE6Omdyb3VwL2Jvbw=="
  ]
}

HTTP status code 204

Groups successfully deleted.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID} get put delete

get /groups/{groupID}

Returns group information.

Secured by IAM with actions:
  • iam:group:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 200

Group successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)

    • id: required(string)

      Group ID.

    • tenantID: required(string)

      Tenant ID of the group.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Group name.

    • displayName: required(string)

      Group display name.

    • path: required(string)

      Group path.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Group KRN.

    • created: required(datetime)

      Group registration date in ISO 8601 format (UTC timezone).

    • updated: required(datetime)

      Group last update date in ISO 8601 format (UTC timezone).

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvby9ib28=",
      "created": "2021-10-18T12:27:15.55267632Z",
      "updated": "2021-10-18T12:27:15.55267632Z",
      "tenantID": "kaa",
      "name": "boo",
      "displayName": "boo group",
      "path": "/Foo/boo",
      "krn": "krn:iam:kaa::group/Foo/boo"
  }
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /groups/{groupID}

Update group display name.

Secured by IAM with actions:
  • iam:group:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • displayName: required(string)

Example:

{
    "displayName": "updated org1"
}

HTTP status code 204

Group display name successfully updated.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

delete /groups/{groupID}

Deletes a single group.

Secured by IAM with actions:
  • iam:group:delete

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 204

Group is successfully deleted.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/members get

get /groups/{groupID}/members

Returns group members.

Secured by IAM with actions:
  • iam:group:user:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1

  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10

  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name

  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc

HTTP status code 200

Members are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of RetrieveUser)

    List of group members.

    Items: RetrieveUser

    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: optional (string)

      User's path that is used in KRN.

    • defaultGroup: optional (string)

      User's default group.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

  • count: required(integer)

    Total number of users.

  • page: required(integer)

    Page number.

  • pageSize: required(integer)

    Total returned elements.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6OnVzZXIvZWR3YXJk",
          "keycloakID":"9c19cd39-ffb4-4bae-a72d-01fbd7e6ec72",
          "created": "2021-10-15T09:58:17.989254Z",
          "updated": "2021-10-15T09:58:17.989254Z",
          "tenantID": "kaa",
          "email": "edward@gmail.com",
          "enabled": true,
          "firstName": "Edward",
          "lastName": "Davidson",
          "username": "edward@mail.com",
          "krn": "krn:iam:kaa::user/edward",
          "path": "/"
      }
  ],
  "count": 1,
  "page": 1,
  "pageSize": 10
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/members/eligible get

get /groups/{groupID}/members/eligible

Returns eligible group members.

Secured by IAM with actions:
  • iam:group:user:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1

  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10

  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name

  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc

  • email: optional (string)

    Filter user by email.

    Example:

    josephmorgan@gmail.com

  • path: optional (string)

    Filter user by path.

    Example:

    /org1

HTTP status code 200

Eligible group members are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of RetrieveUser)

    List of group members.

    Items: RetrieveUser

    • id: required(string)

      User ID.

    • keycloakID: required(string)

      User keycloakID.

    • created: required(datetime)

      User creation date.

    • updated: required(datetime)

      User update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • email: optional (string - pattern: ^[a-z0-9]+[\._]?[a-z0-9]+[@][a-z]+[.][a-z]{2,3}$)

      User's email.

    • username: required(string - pattern: ^[a-zA-Z0-9_\-@.]*$)

      Username.

    • enabled: required(boolean)

      Whether the user is enabled or not.

    • path: optional (string)

      User's path that is used in KRN.

    • defaultGroup: optional (string)

      User's default group.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      User's KRN.

  • count: required(integer)

    Total amount of users.

  • page: required(integer)

    Page number.

  • pageSize: required(integer)

    Total returned elements.

Example:

{
    "data": [
        {
            "id": "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu",
            "keycloakID": "22178aa8-5c89-4862-919c-de0b9ad056c5",
            "created": "2021-10-18T11:08:09.4919Z",
            "updated": "2021-10-18T11:55:48.367213Z",
            "tenantID": "kaa",
            "email": "josephm@gmail.com",
            "enabled": true,
            "firstName": "MorganUpdated",
            "lastName": "JosephUpdated",
            "username": "josephmorgan",
            "krn": "krn:iam:kaa::user/josephmorgan",
            "path": "/"
        }
    ],
    "count": 1,
    "page": 0,
    "pageSize": 10
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/members/add post

post /groups/{groupID}/members/add

Adds users to a group.

Secured by IAM with actions:
  • iam:group:user:add
  • iam:user:group:add

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • userIDs: required(array of )

    User IDs to be added to the group.

Example:

{
  "userIDs": [
    "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu"
  ]
}

HTTP status code 204

Users are successfully added.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/members/remove post

post /groups/{groupID}/members/remove

Removes users from a group.

Secured by IAM with actions:
  • iam:group:user:remove
  • iam:user:group:remove

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • userIDs: required(array of )

    User IDs to be removed from the group.

Example:

{
  "userIDs": [
    "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu"
  ]
}

HTTP status code 204

Users are successfully removed.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/policies get

get /groups/{groupID}/policies

Gets group policies.

Secured by IAM with actions:
  • iam:group:read
  • iam:group:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 200

Group policies are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQi",
          "krn": "krn:iam:kaa::policy/Admin_user_read",
          "name": "Admin_user_read",
          "description": "Allow user to read admin user",
          "type": "identity",
          "origin": "api",
          "version": "1.0.0",
          "statements": [
              {
                  "actions": [
                      "iam:group:*"
                  ],
                  "resources": [
                      "krn:iam:kaa::user/admin@example.com"
                  ],
                  "principals": [
                      "krn:iam:kaa::user/admin@example.com",
                      "krn:iam:kaa::user/john",
                      "krn:iam:kaa::user/org1/john",
                      "krn:iam:kaa::user/path/caro",
                      "krn:iam:kaa::user/josephmorgan",
                      "krn:iam:kaa::group/boo",
                      "krn:iam:kaa::group/org1/boo",
                      "krn:iam:kaa::group/Foo/boo"
                  ],
                  "effect": "allow"
              }
          ]
      }
  ],
  "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZzakJqZnhpZVFvMjZITWhXcVRrT2tRAAAAAAAAAEP2FjlOZzk0Yk1iUkVxM0RreGp6cjFLZ0EAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWSjlwWWxWdEZTUWluSllmZmVkZUMzZwAAAAAAAACj8RZjdDRNcjhXSlRObXZJeVEydTctVHVnAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
  "sort": "[\"allow\",\"krn:iam:kaa:user/admin@example.com\",\"a3JuOmlhbTprYWE6cG9saWN5L0FkbWluX3VzZXJfcmVhZA==\",4294967311]"
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/policies/eligible get

get /groups/{groupID}/policies/eligible

Gets eligible group policies.

Secured by IAM with actions:
  • iam:group:read
  • iam:group:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 200

Eligible group policies are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
    "data": [
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9hZG1pbi1hY2Nlc3M=",
            "krn": "krn:iam:kaa::policy/admin-access",
            "name": "admin-access",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::user/Hi/test2",
                        "krn:iam:kaa::group/org1"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9uZXctcG9sLWZpbmFs",
            "krn": "krn:iam:kaa::policy/new-pol-final",
            "name": "new-pol-final",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::user/Hui/test2",
                        "krn:iam:kaa::user/josephmorgan"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS9uZXctdGVzdC1wb2w=",
            "krn": "krn:iam:kaa::policy/new-test-pol",
            "name": "new-test-pol",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa:*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                }
            ]
        },
        {
            "id": "a3JuOmlhbTprYWE6OnBvbGljeS91c2Vycy1yZWFkb25seQ==",
            "krn": "krn:iam:kaa::policy/users-readonly",
            "name": "users-readonly",
            "type": "identity",
            "origin": "api",
            "version": "1.0.0",
            "statements": [
                {
                    "actions": [
                        "iam:user:read"
                    ],
                    "resources": [
                        "krn:iam:kaa::user/*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                },
                {
                    "actions": [
                        "*"
                    ],
                    "resources": [
                        "krn:iam:kaa::policy/*"
                    ],
                    "principals": [
                        "krn:iam:kaa::user/admin@example.com"
                    ],
                    "effect": "allow"
                }
            ]
        }
    ],
    "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZKOXBZbFZ0RlNRaW5KWWZmZWRlQzNnAAAAAAAAAKRvFmN0NE1yOFdKVE5tdkl5UTJ1Ny1UdWcAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWWWF3LW9ma3FRQ21fU3FsT2NDdzluUQAAAAAAAABBHhYzSmk0MnpLYlFWRzNya1I1cy0xdE1nAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
    "sort": "[\"allow\",\"krn:iam:kaa:policy/*\",\"a3JuOmlhbTprYWE6cG9saWN5L3Jvb3QtcG9saWN5\",2]"
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.
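The policies returned by get /groups/{groupID}/policies/eligible can be screened for broad grants before any of them is passed to post /groups/{groupID}/policies/attach. The script below is an added example, not part of the Kaa documentation or code base: the finding codes and severity rules are assumptions of this example, and the sample response is constructed by trimming the response example above.

```python
import json
import re

# KRN pattern as documented for the `krn` field on this page.
KRN_RE = re.compile(r"^[a-zA-Z0-9_\-/:*@.]*$")

# Constructed sample: two policies trimmed from the response example above.
SAMPLE_RESPONSE = json.loads("""
{
  "data": [
    {
      "krn": "krn:iam:kaa::policy/admin-access",
      "name": "admin-access",
      "type": "identity",
      "statements": [
        {"actions": ["*"], "resources": ["krn:iam:kaa:*"],
         "principals": ["krn:iam:kaa::user/admin@example.com",
                        "krn:iam:kaa::group/org1"],
         "effect": "allow"}
      ]
    },
    {
      "krn": "krn:iam:kaa::policy/users-readonly",
      "name": "users-readonly",
      "type": "identity",
      "statements": [
        {"actions": ["iam:user:read"], "resources": ["krn:iam:kaa::user/*"],
         "principals": ["krn:iam:kaa::user/admin@example.com"],
         "effect": "allow"},
        {"actions": ["*"], "resources": ["krn:iam:kaa::policy/*"],
         "principals": ["krn:iam:kaa::user/admin@example.com"],
         "effect": "allow"}
      ]
    }
  ]
}
""")


def classify_statement(stmt):
    """Return finding codes (names are this example's own) for one statement."""
    if stmt.get("effect") != "allow":
        return []  # deny statements do not widen access
    actions = stmt.get("actions") or []
    resources = stmt.get("resources") or []
    principals = stmt.get("principals") or []  # optional field in the schema
    findings = []
    if "*" in actions:
        findings.append("ALL_ACTIONS")
    elif any(a.endswith(":*") for a in actions):
        findings.append("SERVICE_WIDE_ACTIONS")
    if any("*" in r for r in resources):
        findings.append("WILDCARD_RESOURCE")
    if any("::group/" in p for p in principals):
        findings.append("GROUP_PRINCIPAL")  # grant fans out to every member
    if any(not KRN_RE.match(k) for k in resources + principals):
        findings.append("MALFORMED_KRN")
    return findings


def severity(findings):
    """Assumed ranking: every action on a wildcard resource is the worst case."""
    if "ALL_ACTIONS" in findings and "WILDCARD_RESOURCE" in findings:
        return "HIGH"
    medium = {"ALL_ACTIONS", "SERVICE_WIDE_ACTIONS",
              "WILDCARD_RESOURCE", "MALFORMED_KRN"}
    if medium.intersection(findings):
        return "MEDIUM"
    return "INFO"


def audit_policies(response):
    """Walk a policy-list response and report every statement with findings."""
    report = []
    for policy in response.get("data") or []:
        for index, stmt in enumerate(policy.get("statements") or []):
            findings = classify_statement(stmt)
            if findings:
                report.append({
                    "policy": policy.get("name"),
                    "statement": index,
                    "severity": severity(findings),
                    "findings": findings,
                })
    return report


if __name__ == "__main__":
    for row in audit_policies(SAMPLE_RESPONSE):
        print(row["severity"], row["policy"], row["statement"], row["findings"])
```
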

/groups/{groupID}/policies/attach post

post /groups/{groupID}/policies/attach

Attaches policies to a group.

Secured by IAM with actions:
  • iam:group:policy:attach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • policyIDs: required(array of )

    Policy IDs.

Example:

{
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9Hcm91cC1wb2xpY3k="
  ]
}

HTTP status code 204

Group is successfully attached to policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/policies/detach post

post /groups/{groupID}/policies/detach

Detaches policies from a group.

Secured by IAM with actions:
  • iam:group:policy:attach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • policyIDs: required(array of )

    Policy IDs.

Example:

{
  "policyIDs": [
    "a3JuOmlhbTprYWE6OnBvbGljeS9Hcm91cC1wb2xpY3k="
  ]
}

HTTP status code 204

Group is successfully detached from policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/groups/{groupID}/policy get put

get /groups/{groupID}/policy

Gets group's resource policies.

Secured by IAM with actions:
  • iam:group:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 200

Successfully retrieved group resource policies.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

Example:

{
    "data": {
        "id": "a3JuOmlhbTprYWE6Omdyb3VwL0Zvby9ib28=",
        "krn": "krn:iam:kaa::group/Foo/boo",
        "name": "krn:iam:kaa::group/Foo/boo",
        "description": "Individual resource policy",
        "type": "resource",
        "origin": "api",
        "version": "1.0.0",
        "statements": [
            {
                "actions": [
                    "iam:group:read",
                    "iam:group:delete"
                ],
                "resources": [
                    "krn:iam:kaa::group/Foo/boo"
                ],
                "principals": [
                    "krn:iam:kaa::user/josephmorgan"
                ],
                "description": "Allow principals josephmorgan to read and delete Foo/boo",
                "effect": "allow"
            },
            {
                "actions": [
                    "iam:group:read"
                ],
                "resources": [
                    "krn:iam:kaa::group/Foo/boo"
                ],
                "principals": [
                    "krn:iam:kaa::group/Foo/boo"
                ],
                "description": "Allow principals Foo/boo to read resource group/Foo/boo",
                "effect": "allow"
            }
        ]
    }
}

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /groups/{groupID}/policy

Updates resource policy of the group.

Secured by IAM with actions:
  • iam:group:policy:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • groupID: required(string)

    Group ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • statements: required(array of ResourcePolicyUpdateData)

    List of statements.

    Items: ResourcePolicyUpdateData

    • actions: required(array of )

      List of actions that are specified.

    • principals: required(array of )

      List of principals that are specified.

    • description: optional (string)

      Description of the statement.

    • effect: required(string)

      Principal effect.

Example:

{
    "statements":[
        {
            "actions":[
                "*"
            ],
            "principals":[
                "krn:iam:kaa::user/josephmorgan"
            ],
            "description": "Allow principals josephmorgan to do all",
            "effect":"allow"
        },
        {
            "actions":[
                "iam:group:read"
            ],
            "principals":[
                "krn:iam:kaa::group/Foo/boo"
            ],
            "description": "Allow principals Foo/boo to read",
            "effect":"allow"
        },
        {
            "actions":[
                "iam:group:*"
            ],
            "principals":[
                "krn:iam:kaa::user/patricia"
            ],
            "description": "Allow patricia all on group action",
            "effect":"allow"
        }
    ]
}

HTTP status code 204

Successfully updated group resource policies.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

Policies

Operations on policies.

/policies post get

post /policies

Creates policy.

Secured by IAM with actions:
  • iam:policy:create

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

    Policy name.

  • description: optional (string)

    Policy description.

  • type: required(one of identity, resource)

    Policy type.

  • statements: required(array of CreatePolicyStatement)

    Policy statements.

    Items: CreatePolicyStatement

    • actions: required(array of )

      Action list.

    • resources: required(array of )

      Resource list.

    • description: optional (string)

      Description of the statement.

    • role: optional (string)

      Statement role identifier.

    • effect: required(one of allow, deny)

      Principal effect.

Example:

{
  "name": "Allow-all-on-user1",
  "description": "policy description",
  "type": "identity",
  "statements": [
    {
      "actions": [
        "iam:user:*"
      ],
      "resources": [
        "krn:iam:kaa::policy/user1"
      ],
      "effect": "allow",
      "description": "Allow all on user operation at user1"
    }
  ]
}

HTTP status code 201

Policy is successfully created.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)

    Policy.

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

Example:

{
  "data": {
      "id": "a3JuOmlhbTprYWE6OnBvbGljeS9BbGxvdy1hbGwtb24tdXNlcjE=",
      "krn": "krn:iam:kaa::policy/Allow-all-on-user1",
      "name": "Allow-all-on-user1",
      "description": "Allow all on user1",
      "type": "identity",
      "origin": "api",
      "version": "1.0.0",
      "statements": [
          {
              "actions": [
                  "iam:user:*"
              ],
              "resources": [
                  "krn:iam:kaa::user/user1"
              ],
              "principals": [
                  "krn:iam:kaa::user/admin@example.com"
              ],
              "effect": "allow"
          }
      ]
  }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

get /policies

Returns policies.

Secured by IAM with actions:
  • iam:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1
  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10
  • sort: optional (string - default: id)

    Sorting field.

    Example:

    name
  • sortOrder: optional (one of asc, desc - default: desc)

    Sort order.

    Example:

    asc

HTTP status code 200

Policies are successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(array of Policy)

    Policy list.

    Items: Policy

    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

  • pit: required(string)

    Pit number.

  • sort: required(string)

    Sort type.

Example:

{
  "data": [
      {
          "id": "a3JuOmlhbTprYWE6OnBvbGljeS9BZG1pbl91c2VyX3JlYWQ=",
          "krn": "krn:iam:kaa::policy/Admin_user_read",
          "name": "Admin_user_read",
          "description": "Allow user to read admin user",
          "type": "identity",
          "origin": "api",
          "version": "1.0.0",
          "statements": [
              {
                  "actions": [
                      "iam:user:read"
                  ],
                  "resources": [
                      "krn:iam:kaa::user/admin@example.com"
                  ],
                  "principals": [
                      "krn:iam:kaa::user/admin@example.com",
                      "krn:iam:kaa::user/john",
                      "krn:iam:kaa::user/org1/john",
                      "krn:iam:kaa::user/josephmorgan"
                  ],
                  "description": "Allow user read action on list of principals",
                  "effect": "allow"
              }
          ]
      }
  ],
  "pit": "g-azAwIHa2FhLWlhbRZJdG1kUzlRdVR3YWJaSUE3UEhMTG9RABZzakJqZnhpZVFvMjZITWhXcVRrT2tRAAAAAAAAAEMqFjlOZzk0Yk1iUkVxM0RreGp6cjFLZ0EAB2thYS1pYW0WSXRtZFM5UXVUd2FiWklBN1BITExvUQEWWWF3LW9ma3FRQ21fU3FsT2NDdzluUQAAAAAAAABAXRYzSmk0MnpLYlFWRzNya1I1cy0xdE1nAAEWSXRtZFM5UXVUd2FiWklBN1BITExvUQAA",
  "sort": "[\"allow\",\"krn:iam:kaa:user/admin@example.com\",\"a3JuOmlhbTprYWE6cG9saWN5L0FkbWluX3VzZXJfcmVhZA==\",4294967308]"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/policies/evaluate/resources post

post /policies/evaluate/resources

Returns a subset of resources provided in the request, against which a given action is permitted.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • action: required(string - pattern: ^[a-z:*\-]*$)

    Action.

  • resources: required(array of )

    List of resource KRNs.

Example:

{
  "action": "iam:user:read",
  "resources": ["krn:iam:kaa::user/admin@example.com", "krn:iam:kaa::user/morgan"]
}

HTTP status code 200

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/policies/evaluate/actions post

post /policies/evaluate/actions

Provides a list of all permitted actions on the resources specified in the request.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Body

Media type: application/json

Type: object

Properties

  • actions: optional (array of )

    List of requested actions.

  • resources: required(array of )

    List of resource KRNs.

Example:

{
  "actions": ["iam:user:read"],
  "resources": ["krn:iam:kaa:user/admin@example.com"]
}

HTTP status code 200

Evaluation results.

Body

Media type: application/json

Type: json

Content:

{
    "required":true,
    "type":"object",
    "properties":{
        "data":{
            "required":true,
            "type":"object",
            "properties":{
                "required":true,
                "type":"object",
                "resources":{
                    "required":true,
                    "type":"object"
                }
            }
        },
        "pit":{
            "required":true,
            "type":"string"
        },
        "sort":{
            "required":true,
            "type":"array"
        }
    }
}

Example:

{
  "data": {
      "resources": {
          "krn:iam:kaa:user/admin@example.com": {
              "allow": [
                  "iam:user:read",
                  "*"
              ],
              "deny": null
          },
          "krn:iam:kaa:user/morgan": {
              "allow": [
                  "iam:user:read",
                  "*"
              ],
              "deny": null
          }
      }
  },
  "pit": "n5qzAwIHa2FhLWlhbRZkTThXa0ZIR1RVQ0pqRDgwTXZETVRRABY3QkdMZ1IxRVNZQ0NVU1pOVGhvb293AAAAAAAAAADJFkNpc2hVd3E1UWwyTDBTTEN2SUZjR3cAB2thYS1pYW0WZE04V2tGSEdUVUNKakQ4ME12RE1UUQEWN0JHTGdSMUVTWUNDVVNaTlRob29vdwAAAAAAAAAAyhZDaXNoVXdxNVFsMkwwU0xDdklGY0d3AAEWZE04V2tGSEdUVUNKakQ4ME12RE1UUQAA",
  "sort": "[\"allow\",\"krn:iam:kaa:*\",\"a3JuOmlhbTprYWE6OnBvbGljeS9hZG1pbi1hY2Nlc3M=\",4]"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.
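A client-side reading of the evaluation response above, as an added example that is not part of the Kaa IAM documentation or code. It assumes that entries in allow and deny are exact action names or `*` wildcards, that deny takes precedence over allow, and that a resource missing from the response is not permitted; the helper names and the second sample response are constructed for illustration.

```python
import re


def build_evaluate_request(resources, actions=None):
    """Body for POST /policies/evaluate/actions: resources required, actions optional."""
    if not resources:
        raise ValueError("resources is required")
    body = {"resources": list(resources)}
    if actions:
        body["actions"] = list(actions)
    return body


def _pattern_matches(pattern, action):
    # Assumption: '*' is the only wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def _any_match(patterns, action):
    # The page's example returns "deny": null, so a non-list means "no entries".
    if not isinstance(patterns, list):
        return False
    return any(isinstance(p, str) and _pattern_matches(p, action) for p in patterns)


def is_permitted(response, resource, action):
    """Fail closed: only an explicit allow with no matching deny returns True."""
    data = response.get("data") or {}
    entry = (data.get("resources") or {}).get(resource)
    if not isinstance(entry, dict):
        return False  # resource absent from the evaluation result
    if _any_match(entry.get("deny"), action):
        return False  # assumption: deny overrides allow
    return _any_match(entry.get("allow"), action)


def decision_table(response, resources, actions):
    """Map every requested resource/action pair to a boolean decision."""
    return {r: {a: is_permitted(response, r, a) for a in actions} for r in resources}


# Response body from the page's example ("pit" and "sort" omitted).
PAGE_EXAMPLE = {
    "data": {
        "resources": {
            "krn:iam:kaa:user/admin@example.com": {"allow": ["iam:user:read", "*"], "deny": None},
            "krn:iam:kaa:user/morgan": {"allow": ["iam:user:read", "*"], "deny": None},
        }
    }
}

# Constructed response (not from the page) with a deny entry.
CONSTRUCTED_WITH_DENY = {
    "data": {
        "resources": {
            "krn:iam:kaa:user/constructed-user": {
                "allow": ["iam:user:*"],
                "deny": ["iam:user:delete"],
            }
        }
    }
}

if __name__ == "__main__":
    actions = ["iam:user:read", "iam:user:delete"]
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_WITH_DENY):
        resources = list(sample["data"]["resources"]) + ["krn:iam:kaa:user/not-in-response"]
        for resource, row in decision_table(sample, resources, actions).items():
            print(resource, row)
```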

/policies/{policyID} get put delete

get /policies/{policyID}

Returns policy information.

Secured by IAM with actions:
  • iam:policy:read

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • policyID: required(string)

    Policy ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 200

Policy is successfully retrieved.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: required(string)

      Policy ID.

    • krn: required(string - pattern: ^[a-zA-Z0-9_\-/:*@.]*$)

      Policy KRN.

    • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

      Name of the policy.

    • description: required(string)

      Policy description.

    • type: required(one of identity, resource)

      Policy type.

    • origin: required(string)

      Policy origin.

    • version: required(string)

      Policy version.

    • statements: required(array of Statement)

      Policy statements.

      Items: Statement

      • actions: required(array of )

        Action list.

      • resources: required(array of )

        Resource list.

      • principals: optional (array of )

        Principal list.

      • description: optional (string)

        Description of the statement.

      • effect: required(one of allow, deny)

        Principal effect.

Example:

{
  "data": {
    "id": "a3JuOmlhbTprYWE6OnBvbGljeS9wb2xpY3ktbmFtZQ==",
    "name": "policy-name",
    "krn": "krn:iam:kaa::policy/policy-name",
    "description": "Individual resource policy",
    "type": "resource",
    "origin": "api",
    "version": "1.0.0",
    "statements": [
      {
        "actions": [
          "iam:user:read",
          "iam:user:update",
          "iam:user:delete"
        ],
        "resources": [
          "krn:iam:kaa::policy/user1"
        ],
        "principals": [
          "krn:iam:kaa::user/admin@example.com"
        ],
        "description": "Allow user actions on principal admin@example.com",
        "effect": "allow"
      }
    ]
  }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

put /policies/{policyID}

Updates policy.

Secured by IAM with actions:
  • iam:policy:update

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • policyID: required(string)

    Policy ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • name: required(string - pattern: ^[a-zA-Z0-9_\-]*$)

    Name of the policy.

  • description: required(string)

    Policy description.

  • type: required(one of identity, resource)

    Policy type.

  • statements: required(array of CreatePolicyStatement)

    Policy statements.

    Items: CreatePolicyStatement

    • actions: required(array of )

      Action list.

    • resources: required(array of )

      Resource list.

    • description: optional (string)

      Description of the statement.

    • role: optional (string)

      Statement role identifier.

    • effect: required(one of allow, deny)

      Principal effect.

Example:

{ 
  "name": "policy-name",
  "description": "policy description",
  "type": "identity",
  "statements": [
    {
      "actions": [
        "iam:user:read",
        "iam:user:update",
        "iam:user:delete"
      ],
      "resources": [
        "krn:iam:kaa::policy/user1"
      ],
      "description": "Allow all on user operation at user1",
      "effect": "allow"
    }
  ]
}

HTTP status code 204

Policy is successfully updated.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.
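A pre-flight check for the update body described above, as an added example that is not part of the Kaa IAM documentation or code. It applies the patterns and enumerations from the property tables, flags wildcards in allow statements as a least-privilege lint of its own (not API behaviour), and assumes policy IDs are base64-encoded KRNs as in the page's GET example; function names and the second sample body are constructed.

```python
import base64
import re

# Constraints copied from the property tables on this page.
NAME_RE = re.compile(r"^[a-zA-Z0-9_\-]*$")
KRN_RE = re.compile(r"^[a-zA-Z0-9_\-/:*@.]*$")
POLICY_TYPES = ("identity", "resource")
EFFECTS = ("allow", "deny")


def krn_from_policy_id(policy_id):
    """Decode a policy ID to its KRN, or return None if it does not hold one.

    Assumption: IDs are base64-encoded KRNs, as the page's examples suggest.
    """
    try:
        krn = base64.b64decode(policy_id, validate=True).decode("utf-8").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return krn if krn.startswith("krn:") and KRN_RE.fullmatch(krn) else None


def _string_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def check_policy_body(body):
    """Return (errors, warnings) for a PUT /policies/{policyID} body."""
    errors, warnings = [], []
    name = body.get("name")
    # fullmatch, unlike match() with '$', also rejects a trailing newline.
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append("name: required, must match " + NAME_RE.pattern)
    if not isinstance(body.get("description"), str):
        errors.append("description: required string")
    if body.get("type") not in POLICY_TYPES:
        errors.append("type: must be one of identity, resource")
    statements = body.get("statements")
    if not isinstance(statements, list):
        errors.append("statements: required array")
        statements = []
    for i, st in enumerate(statements):
        where = "statements[%d]" % i
        if not isinstance(st, dict):
            errors.append(where + ": must be an object")
            continue
        for field in ("actions", "resources"):
            if not _string_list(st.get(field)):
                errors.append("%s.%s: required array of strings" % (where, field))
        for field in ("description", "role"):
            if field in st and not isinstance(st[field], str):
                errors.append("%s.%s: must be a string" % (where, field))
        if st.get("effect") not in EFFECTS:
            errors.append(where + ".effect: must be one of allow, deny")
        elif st["effect"] == "allow":
            # Added lint: broad grants deserve a second look before they ship.
            for field in ("actions", "resources"):
                values = st.get(field)
                if _string_list(values) and any("*" in v for v in values):
                    warnings.append("%s.%s: wildcard in an allow statement" % (where, field))
    return errors, warnings


# Request body from the page's PUT example.
PAGE_PUT_EXAMPLE = {
    "name": "policy-name",
    "description": "policy description",
    "type": "identity",
    "statements": [{
        "actions": ["iam:user:read", "iam:user:update", "iam:user:delete"],
        "resources": ["krn:iam:kaa::policy/user1"],
        "description": "Allow all on user operation at user1",
        "effect": "allow",
    }],
}

# Constructed body (not from the page) that breaks several constraints.
CONSTRUCTED_BAD = {
    "name": "ops-policy\n",
    "description": "x",
    "type": "managed",
    "statements": [
        {"actions": ["*"], "resources": ["krn:iam:kaa::user/*"], "effect": "allow"},
        {"actions": ["iam:user:read"], "resources": "krn:iam:kaa::user/constructed", "effect": "permit"},
    ],
}

if __name__ == "__main__":
    print(krn_from_policy_id("a3JuOmlhbTprYWE6OnBvbGljeS9wb2xpY3ktbmFtZQ=="))
    for sample in (PAGE_PUT_EXAMPLE, CONSTRUCTED_BAD):
        print(check_policy_body(sample))
```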

delete /policies/{policyID}

Deletes policy.

Secured by IAM with actions:
  • iam:policy:delete

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • policyID: required(string)

    Policy ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

HTTP status code 204

Policy is successfully deleted.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/policies/{policyID}/principals/attach post

post /policies/{policyID}/principals/attach

Attaches principals to a policy.

Secured by IAM with actions:
  • iam:policy:attach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • policyID: required(string)

    Policy ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • principals: required(array of )

    Principal IDs.

Example:

{
  "principals": [
    "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu"
  ]
}

HTTP status code 204

Principals are successfully attached to a policy.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/policies/{policyID}/principals/detach post

post /policies/{policyID}/principals/detach

Detaches principals from a policy.

Secured by IAM with actions:
  • iam:policy:detach

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • policyID: required(string)

    Policy ID.

    Example:

    a3JuOmlhbTprYWE6Z3JvdXAvY2FsaWZvcm5pYQo=

Body

Media type: application/json

Type: object

Properties

  • principals: required(array of )

    Principal IDs.

Example:

{
  "principals": [
    "a3JuOmlhbTprYWE6OnVzZXIvam9zZXBobW9yZ2Fu"
  ]
}

HTTP status code 204

Principals are successfully detached from a policy.

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

Migrate

Migrates users and groups from Keycloak to IAM (available only when migrationEndpoints is enabled in the configuration).

/tenant/migrate/users post

post /tenant/migrate/users

Asynchronous user migration from Keycloak to IAM.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • tenant: optional (string)

    Tenant ID.

    Example:

    kaa

HTTP status code 202

Migration is in progress. If the tenant query parameter is specified, only that tenant is migrated and a taskID is returned; without query parameters, all tenants are migrated and only the status code is returned.

Body

Media type: application/json

Type: object

Properties

  • taskID: optional (string)

    Task ID.

Example:

{
    "taskID": "0dfe658a-a15c-407d-9c4e-95960b837cf2"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/tenant/migrate/users/tasks get

get /tenant/migrate/users/tasks

Lists migration tasks for authenticated tenants (providing tenant as a query parameter is available only for tenant Kaa).

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1
  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10
  • status: optional (one of InProgress, Completed, Failed)

    Status of task.

    Example:

    Completed
  • tenant: optional (string)

    Tenant ID.

    Example:

    kaa

HTTP status code 200

Migration tasks status.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: optional (string)

      Task ID.

    • created: required(datetime)

      Task creation date.

    • updated: required(datetime)

      Task update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • status: required(one of InProgress, Completed, Failed)

      Task status.

    • messages: required(object)

      Message based on task status.

      • errors: required(string)

        Message of raised error from migration operation.

      • userMigration: required(boolean)

        Indicates whether it is users or groups migration.

    • page: required(string)

      Page number.

    • pageSize: required(string)

      Page size number.

    Example:

    {
        "data": [
            {
                "id": "8d530302-679f-4a31-ad55-aea8061d4081",
                "created": "2021-12-10T15:26:00.540385+04:00",
                "updated": "2021-12-10T15:26:07.344133+04:00",
                "tenantID": "e02e0679-2de5-48af-a2f0-c650356dc739",
                "status": "Completed",
                "messages": null,
                "errors": "",
                "userMigration": true
            },
            {
                "id": "c0d757c2-764b-433a-aa8c-0ebf6428888e",
                "created": "2021-12-10T15:26:07.345959+04:00",
                "updated": "2021-12-10T15:26:07.347192+04:00",
                "tenantID": "a0fe5076-42ca-4c94-92f5-bc5c964045f2",
                "status": "Failed",
                "messages": null,
                "errors": "tenant is deleted",
                "userMigration": true
            },
            {
                "id": "19189680-ac2f-4ec4-8c3f-b795c1c3277c",
                "created": "2021-12-10T15:26:07.348684+04:00",
                "updated": "2021-12-10T15:26:07.349952+04:00",
                "tenantID": "d9300595-5720-45b7-8fc5-b118e79f9ab3",
                "status": "Failed",
                "messages": null,
                "errors": "tenant is deleted",
                "userMigration": true
            },
            {
                "id": "aa405b40-40e0-4e0b-b90e-2f17986f6aed",
                "created": "2021-12-10T15:26:07.351316+04:00",
                "updated": "2021-12-10T15:26:07.352675+04:00",
                "tenantID": "1ee320c5-2a17-4c25-95ba-e20214a50f49",
                "status": "Failed",
                "messages": null,
                "errors": "tenant is deleted",
                "userMigration": true
            },
            {
                "id": "563c15c8-1382-411e-98d5-7b3efc432b57",
                "created": "2021-12-10T15:26:07.354651+04:00",
                "updated": "2021-12-10T15:26:07.356091+04:00",
                "tenantID": "45e7d6af-4bec-43b2-b885-98ebd8e73b63",
                "status": "Failed",
                "messages": null,
                "errors": "tenant is deleted",
                "userMigration": true
            },
            {
                "id": "c8c2b84c-270d-458e-983f-23a4c159dfc7",
                "created": "2021-12-10T15:26:07.357629+04:00",
                "updated": "2021-12-10T15:26:07.414962+04:00",
                "tenantID": "130c79ee-150d-4a6f-8749-0302bc01d743",
                "status": "Failed",
                "messages": null,
                "errors": "404 Not Found: Realm does not exist",
                "userMigration": true
            },
            {
                "id": "9cafd71e-a12b-4bba-94f0-21a012994357",
                "created": "2021-12-10T15:26:07.419286+04:00",
                "updated": "2021-12-10T15:26:07.421147+04:00",
                "tenantID": "5f313fee-7337-4f70-a152-7a0c194fc1cb",
                "status": "Failed",
                "messages": null,
                "errors": "tenant is deleted",
                "userMigration": true
            },
            {
                "id": "03184c80-e0a2-491e-aa71-c72d7cd419c8",
                "created": "2021-12-10T15:26:07.424028+04:00",
                "updated": "2021-12-10T15:26:07.426239+04:00",
                "tenantID": "c95f1b60-4f7d-4b1e-b7b5-35c3b4f0a0f8",
                "status": "Failed",
                "messages": null,
                "errors": "tenant is deleted",
                "userMigration": true
            },
            {
                "id": "1400930c-a369-4287-ae38-843a30d4d0cb",
                "created": "2021-12-10T15:26:07.428167+04:00",
                "updated": "2021-12-10T15:26:07.500517+04:00",
                "tenantID": "d2fb4972-4f1e-478f-8539-ed50720a3fce",
                "status": "Failed",
                "messages": null,
                "errors": "404 Not Found: Realm does not exist",
                "userMigration": true
            },
            {
                "id": "c63b5ce4-25cb-404f-9511-77a17b0d8ec3",
                "created": "2021-12-10T16:03:16.135469+04:00",
                "updated": "2021-12-10T16:03:24.465874+04:00",
                "tenantID": "e02e0679-2de5-48af-a2f0-c650356dc739",
                "status": "Completed",
                "messages": null,
                "errors": "",
                "userMigration": true
            }
        ],
        "page": 1,
        "pageSize": 10
    }
    

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/tenant/migrate/users/tasks/{task-id} get

get /tenant/migrate/users/tasks/{task-id}

Returns a task by its ID.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • task-id: required(string)

HTTP status code 200

Migration task status by task ID.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: optional (string)

      Task ID.

    • created: required(datetime)

      Task creation date.

    • updated: required(datetime)

      Task update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • status: required(one of InProgress, Completed, Failed)

      Task status.

    • messages: required(object)

      Message based on task status.

      • errors: required(string)

        Message of raised error from migration operation.

      • userMigration: required(boolean)

        Indicates whether it is users or groups migration.

Example:

{
    "data":{
        "id":"c63b5ce4-25cb-404f-9511-77a17b0d8ec3",
        "created":"2021-12-10T16:03:16.135469+04:00",
        "updated":"2021-12-10T16:03:24.465874+04:00",
        "tenantID":"e02e0679-2de5-48af-a2f0-c650356dc739",
        "status":"Completed",
        "messages":null,
        "errors":"",
        "userMigration":true
    }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/tenant/migrate/groups post

post /tenant/migrate/groups

Asynchronous groups migration from Keycloak to IAM.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • tenant: optional (string)

    Tenant ID.

    Example:

    kaa

HTTP status code 202

Migration is in progress. If the tenant query parameter is specified, only that tenant is migrated and a taskID is returned; without query parameters, all tenants are migrated and only the status code is returned.

Body

Media type: application/json

Type: object

Properties

  • taskID: optional (string)

    Task ID.

Example:

{
    "taskID": "0dfe658a-a15c-407d-9c4e-95960b837cf2"
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/tenant/migrate/groups/tasks get

get /tenant/migrate/groups/tasks

Lists migration tasks for authenticated tenants (providing tenant as a query parameter is available only for tenant Kaa).

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

Query Parameters

  • page: optional (number - default: 1)

    Page number.

    Example:

    1
  • pageSize: optional (number - default: 10)

    Page size.

    Example:

    10
  • status: optional (one of InProgress, Completed, Failed)

    Status of task.

    Example:

    Completed
  • tenant: optional (string)

    Tenant ID.

    Example:

    kaa

HTTP status code 200

Migration tasks status.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: optional (string)

      Task ID.

    • created: required(datetime)

      Task creation date.

    • updated: required(datetime)

      Task update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • status: required(one of InProgress, Completed, Failed)

      Task status.

    • messages: required(object)

      Message based on task status.

      • errors: required(string)

        Message of raised error from migration operation.

      • userMigration: required(boolean)

        Indicates whether it is users or groups migration.

    • page: required(string)

      Page number.

    • pageSize: required(string)

      Page size number.

    Example:

        {
            "data": [
                {
                    "id": "8d530302-679f-4a31-ad55-aea8061d4081",
                    "created": "2021-12-10T15:26:00.540385+04:00",
                    "updated": "2021-12-10T15:26:07.344133+04:00",
                    "tenantID": "e02e0679-2de5-48af-a2f0-c650356dc739",
                    "status": "Completed",
                    "messages": null,
                    "errors": "",
                    "userMigration": true
                },
                {
                    "id": "c0d757c2-764b-433a-aa8c-0ebf6428888e",
                    "created": "2021-12-10T15:26:07.345959+04:00",
                    "updated": "2021-12-10T15:26:07.347192+04:00",
                    "tenantID": "a0fe5076-42ca-4c94-92f5-bc5c964045f2",
                    "status": "Failed",
                    "messages": null,
                    "errors": "tenant is deleted",
                    "userMigration": true
                },
                {
                    "id": "19189680-ac2f-4ec4-8c3f-b795c1c3277c",
                    "created": "2021-12-10T15:26:07.348684+04:00",
                    "updated": "2021-12-10T15:26:07.349952+04:00",
                    "tenantID": "d9300595-5720-45b7-8fc5-b118e79f9ab3",
                    "status": "Failed",
                    "messages": null,
                    "errors": "tenant is deleted",
                    "userMigration": true
                },
                {
                    "id": "aa405b40-40e0-4e0b-b90e-2f17986f6aed",
                    "created": "2021-12-10T15:26:07.351316+04:00",
                    "updated": "2021-12-10T15:26:07.352675+04:00",
                    "tenantID": "1ee320c5-2a17-4c25-95ba-e20214a50f49",
                    "status": "Failed",
                    "messages": null,
                    "errors": "tenant is deleted",
                    "userMigration": true
                },
                {
                    "id": "563c15c8-1382-411e-98d5-7b3efc432b57",
                    "created": "2021-12-10T15:26:07.354651+04:00",
                    "updated": "2021-12-10T15:26:07.356091+04:00",
                    "tenantID": "45e7d6af-4bec-43b2-b885-98ebd8e73b63",
                    "status": "Failed",
                    "messages": null,
                    "errors": "tenant is deleted",
                    "userMigration": true
                },
                {
                    "id": "c8c2b84c-270d-458e-983f-23a4c159dfc7",
                    "created": "2021-12-10T15:26:07.357629+04:00",
                    "updated": "2021-12-10T15:26:07.414962+04:00",
                    "tenantID": "130c79ee-150d-4a6f-8749-0302bc01d743",
                    "status": "Failed",
                    "messages": null,
                    "errors": "404 Not Found: Realm does not exist",
                    "userMigration": true
                },
                {
                    "id": "9cafd71e-a12b-4bba-94f0-21a012994357",
                    "created": "2021-12-10T15:26:07.419286+04:00",
                    "updated": "2021-12-10T15:26:07.421147+04:00",
                    "tenantID": "5f313fee-7337-4f70-a152-7a0c194fc1cb",
                    "status": "Failed",
                    "messages": null,
                    "errors": "tenant is deleted",
                    "userMigration": true
                },
                {
                    "id": "03184c80-e0a2-491e-aa71-c72d7cd419c8",
                    "created": "2021-12-10T15:26:07.424028+04:00",
                    "updated": "2021-12-10T15:26:07.426239+04:00",
                    "tenantID": "c95f1b60-4f7d-4b1e-b7b5-35c3b4f0a0f8",
                    "status": "Failed",
                    "messages": null,
                    "errors": "tenant is deleted",
                    "userMigration": true
                },
                {
                    "id": "1400930c-a369-4287-ae38-843a30d4d0cb",
                    "created": "2021-12-10T15:26:07.428167+04:00",
                    "updated": "2021-12-10T15:26:07.500517+04:00",
                    "tenantID": "d2fb4972-4f1e-478f-8539-ed50720a3fce",
                    "status": "Failed",
                    "messages": null,
                    "errors": "404 Not Found: Realm does not exist",
                    "userMigration": true
                },
                {
                    "id": "c63b5ce4-25cb-404f-9511-77a17b0d8ec3",
                    "created": "2021-12-10T16:03:16.135469+04:00",
                    "updated": "2021-12-10T16:03:24.465874+04:00",
                    "tenantID": "e02e0679-2de5-48af-a2f0-c650356dc739",
                    "status": "Completed",
                    "messages": null,
                    "errors": "",
                    "userMigration": true
                }
            ],
            "page": 1,
            "pageSize": 10
        }
        

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.

/tenant/migrate/groups/tasks/{task-id} get

get /tenant/migrate/groups/tasks/{task-id}

Returns a task by its ID.

Secured with IAM (authentication only, no authorization required).

IAM supports JWT access tokens for authenticating and authorizing all API requests.

URI Parameters

  • task-id: required(string)

HTTP status code 200

Migration task status by task ID.

Body

Media type: application/json

Type: object

Properties

  • data: required(object)
    • id: optional (string)

      Task ID.

    • created: required(datetime)

      Task creation date.

    • updated: required(datetime)

      Task update date.

    • tenantID: required(string)

      Tenant ID that user belongs to.

    • status: required(one of InProgress, Completed, Failed)

      Task status.

    • messages: required(object)

      Message based on task status.

      • errors: required(string)

        Message of raised error from migration operation.

      • userMigration: required(boolean)

        Indicates whether it is users or groups migration.

Example:

{
    "data":{
        "id":"c63b5ce4-25cb-404f-9511-77a17b0d8ec3",
        "created":"2021-12-10T16:03:16.135469+04:00",
        "updated":"2021-12-10T16:03:24.465874+04:00",
        "tenantID":"e02e0679-2de5-48af-a2f0-c650356dc739",
        "status":"Completed",
        "messages":null,
        "errors":"",
        "userMigration":false
    }
}

HTTP status code 400

Invalid request.

HTTP status code 401

Request is not authenticated.

HTTP status code 403

Principal does not have sufficient permissions to perform this operation.

Secured by IAM

Headers

  • Authorization: optional (string)

    Used to send a valid JWT access token. Example: "Authorization: Bearer 'access_token'" where 'access_token' must be replaced by a valid JWT access token. This header is needed only if API authentication is enabled for the service. The service authorizes resource access using the Kaa IAM.