28.2 Accessing and Using the Role Service

The Roles Service exposes resources to retrieve roles information. The service allows a user is able to retrieve lists of roles or access specific roles by filter expression or identity ID.

IMPORTANT:To view role detail and role assignments by using the role/{role id} and role/{role id}/assignments end points, you need to be a Role Administrator and a Provisioning Administrator. The Role Administrator must have appropriate permissions on the Provisioning domain. To provide these permissions:

  1. Log into the User Application as the Provisioning Administrator.

  2. Give all domain rights to the Role Administrator including rights on the Provisioning domain.

  3. Login to iManager.

  4. Add Role Administrator as a trustee of Role-Config in iManager.

28.2.1 Available Resources

There are several types of resources available for the service. These resources are described in the sections that follow:

Roles Service

The service provides a resource URI for every object exposed. The Roles resource supports the following URI patterns:

  • Resource for returning a collection of roles

  • Resource for returning a specific role instance

  • Resource for returning assignments for a specific role instance

  • Resources for returning SoDs for a specific role instance

Services for Filtering, Debugging, and Displaying Schema Information

The service supports the following parameters to allow you to perform operations on the primary roles data set:

  • A filter parameter to enable the filtering of result sets

  • A debug matrix parameter to enable you to return the JSON structures in a human readable format

  • A schema matrix parameter to enable you to return the schema for the data set

28.2.2 Complete URI Syntax

The following table shows the complete URI syntax for all resource end points associated with the Identities Service, along with a description for each URI and a list of supported HTTP methods:

Table 28-1 Resource URIs

URI

Description

roles

GET -Will return a list of roles with minimum information and a list of role URI links that include the role GUIDPOST – Not supportedPUT – Future. The PUT operation with the appropriate JSON structure will be used to create a new role. The Role JSON structure will be the same as the one used for the /roles/{RoleID} GET end pointDELETE – Not Supported

roles?filter={role filter expression}

GET -The above list can then be filtered by entering a role filter expression on the URI.

roles/{RoleId}

GET -The Role ID parameter will be a GUID to identify a specific role within the LDAP realmPOST – Future. Provide ability to modify a specific role.PUT – Not supportedDELETE – Future. Will remove the role.

roles/{RoleId}/assignments

GET - Will return a list of assignments for a specific role. This will include assignments to other users, groups, and containers assigned to a role. It does not include role relationship information (information about roles assigned to another to a role).

PUT – Future. The PUT operation with the appropriate JSON structure will be used to assign the role to another role, user, group, or container.POST – Not supportedDELETE – Not supported

roles/{RoleId}/assignments/{assignmentID}

GET – Display information on a specific role assignment. The assignment ID will be a GUID representing either a role, group, user or container.PUT – Not supportedPOST – Not supportedDELETE – Future. Remove the specific assignment

roles/{RoleId}/sods

GET - Will return a list of sods for a specific role. This information will be crucial for clients that want to assign roles. Before the assignment, this REST end point should be executed to determine if any SODs exist for that particular role.PUT – Not supportedPOST – Not supportedDELETE – Not supported

roles/{RoleId}/sods/{sodID}

GET – Display information on a specific sod.PUT – Not supportedPOST – Not supportedDELETE – Not supported

Table 28-2 Matrix Parameters for Debugging and Displaying the Schema

URI

Description

roles;debug

This debug matrix parameter displays the identities JSON structure in human readable format, as opposed to compressed format. This matrix parameter can be put anywhere in the URI.

roles;schema

The schema matrix parameter can be put anywhere in the URI and in combination with the “Accept” header type will return the appropriate schema document for the content type. In this case a JSON schema document is returned for the workitems.

28.2.3 JSON Representations Received by the Client

This section shows the JSON structures received by the client for each resource. In each case, the HTTP method is GET.

Roles Endpoint

The roles end point (/roles) returns a collection (JSON Array) of roles.

[
   {
      "Links": [{
         "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/assignments",
         "Type": "Assignments",
         "Value": "Assignments"
      },
             {
         "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/sods",
         "Type": "SODS",
         "Value": "SODS"
      }],
      "DN": "cn=Scheduler System Access,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
      "GUID": "372c47071345ae463db5372c47071345",
      "Link": "/POC/roa/v1/roles/372c47071345ae463db5372c47071345",
      "Name": "Scheduler System Access",
      "Description": "Scheduler System Access",
      "CategoryKey": ["system"],
      "RoleLevel": {
         "Name": "Permission Role",
         "Description": "Permission to connected systems",
         "level": "10"
      }
   },
   {
      "Links": [{
         "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/assignments",
         "Type": "Assignments",
         "Value": "Assignments"
      },
            {
         "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/sods",
         "Type": "SODS",
         "Value": "SODS"
      }],
      "DN": "cn=ER Access-West,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
      "GUID": "3059a9b358c8ba4f0ab53059a9b358c8",
      "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8",
      "Name": "ER Access(West Campus)",
      "Description": "ER Access (West Campus)",
      "CategoryKey": ["building"],
      "RoleLevel": {
         "Name": "Permission Role",
         "Description": "Permission to connected systems",
         "level": "10"
      }
   },
…..
]

Roles/{RoleId} Endpoint

The roles/{RoleId} endpoint returns specific role information.

{
      "Links": [{
         "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/assignments",
         "Type": "Assignments",
         "Value": "Assignments"
      },
             {
         "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/sods",
         "Type": "SODS",
         "Value": "SODS"
      }],
      "DN": "cn=Scheduler System Access,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
      "GUID": "372c47071345ae463db5372c47071345",
      "Link": "/POC/roa/v1/roles/372c47071345ae463db5372c47071345",
      "Name": "Scheduler System Access",
      "Description": "Scheduler System Access",
      "CategoryKey": ["system"],
      "RoleLevel": {
         "Name": "Permission Role",
         "Description": "Permission to connected systems",
         "level": "10"
      }
}

Roles/{RoleId}/assignments Endpoint

This endpoint returns a list of assignments for a specific role.

{
   "Containers": [],
   "Groups": [],
   "Roles": [
      {
         "DN": "cn=Write Prescriptions,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
         "GUID": "7cee8c618a2e8a436eb87cee8c618a2e",
         "Value": "Write Prescription",
         "link": "/RIS/v1/roles/7cee8c618a2e8a436eb87cee8c618a2e"
      },
      {
         "DN": "cn=Administer Drugs,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
         "GUID": "edcc5430f3e1a74041acedcc5430f3e1",
         "Value": "Administer Drug",
         "Link": "/RIS/v1/roles/edcc5430f3e1a74041acedcc5430f3e1"
      },
      {
         "DN": "cn=Order Medical Tests,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
         "GUID": "1a3381b0b849c04c1f981a3381b0b849",
         "Value": "",
         "Link": "/RIS/v1/roles/1a3381b0b849c04c1f981a3381b0b849"
      },
      {
         "DN": "cn=Perform Medical Tests,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
         "GUID": "4146615061202f4231b6414661506120",
         "Value": "",
         "Link": "/RIS/v1/roles/4146615061202f4231b6414661506120"
      }
   ],
   "Users": [{
      "DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell",
      "GUID": "26b65d8611075849e2b226b65d861107",
      "Value": "Allison Blake",
      "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107"
   }],
   "DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
   "GUID": "80146f8473973942ceb380146f847397",
   "Link": "/RIS/v1/roles/80146f8473973942ceb380146f847397",
   "Name": "Doctor",
   "Description": "Doctor"
}

Roles/{RoleId}/assignments/{assignmentID} Endpoint

This endpoint returns information on a specific role assignment.

{
 "Users": [{
      "DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell",
      "GUID": "26b65d8611075849e2b226b65d861107",
      "Value": "Allison Blake",
      "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107"
   }],
   "DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell",
   "GUID": "80146f8473973942ceb380146f847397",
   "Link": "/RIS/v1/roles/80146f8473973942ceb380146f847397",
   "Name": "Doctor",
   "Description": "Doctor"
}

Roles/{RoleId}/sods Endpoint

This endpoint return a list of SoDs for a specific role. This information is crucial for clients that want to assign roles. Before the assignment, this REST end point should be executed to determine if any SODs exist.

[
{ 
  "DN": "cn=SOD,cn=SodDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", 
  "GUID": "80146f8473973942ceb380146f847397", 
  "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/sods/80146f8473973942ceb380146f847397", 
  "Name" : "sod name", 
  "Description" : "sod description", 
  "Quorum" : "50%", 
  "ApprovalType" : "SOD approval type", 
  "Roles" : [ {"DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", 
               "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", 
               "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", 
               "Name": "Doctor", 
               "Description": "Doctor"}, 
        {"DN": "cn=Nurse,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", 
               "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", 
               "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", 
               "Name": "Nurse", 
               "Description": "Nurse"} 
                   ] 
  "RequestDefinition" : { 
               "Value": "Role Approval", 
                "DN": "cn=Role Approval,cn=RequestDefs,cn=AppConfig,cn=CaribouDriver,cn=TestDrivers,o=novell", 
               "GUID": "c24dc77790ea497eb07617341c01e718", 
                "Link": "/RIS/wf/definition/c24dc77790ea497eb07617341c01e718" 
        }, 
  "Approvers" : [ {"DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell", 
                   "GUID": "26b65d8611075849e2b226b65d861107", 
               "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", 
       "Value" : "Allison Blake"}, 
      {"DN": "cn=mmackenzie,ou=users,ou=medical-idmsample,o=novell", 
                   "GUID": "26b65d8611075849e2b226b65d861107", 
               "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", 
       "Value" : "Margo Mackenzie"} 
} ,
….
]

Roles/{RoleId}/sods/{sodID}

This endpoint returns information on a specific SoD.

{ 
  "DN": "cn=SOD,cn=SodDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", 
  "GUID": "80146f8473973942ceb380146f847397", 
  "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/sods/80146f8473973942ceb380146f847397", 
  "Name" : "sod name", 
  "Description" : "sod description", 
  "Quorum" : "50%", 
  "ApprovalType" : "SOD approval type", 
  "Roles" : [ {"DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", 
               "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", 
               "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", 
               "Name": "Doctor", 
               "Description": "Doctor"}, 
        {"DN": "cn=Nurse,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", 
               "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", 
               "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", 
               "Name": "Nurse", 
               "Description": "Nurse"} 
                   ] 
  "RequestDefinition" : { 
               "Value": "Role Approval", 
                "DN": "cn=Role Approval,cn=RequestDefs,cn=AppConfig,cn=CaribouDriver,cn=TestDrivers,o=novell", 
               "GUID": "c24dc77790ea497eb07617341c01e718", 
                "Link": "/RIS/wf/definition/c24dc77790ea497eb07617341c01e718" 
        }, 
  "Approvers" : [ {"DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell", 
                   "GUID": "26b65d8611075849e2b226b65d861107", 
               "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", 
       "Value" : "Allison Blake"}, 
      {"DN": "cn=mmackenzie,ou=users,ou=medical-idmsample,o=novell", 
                   "GUID": "26b65d8611075849e2b226b65d861107", 
               "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", 
       "Value" : "Margo Mackenzie"} 
} 

28.2.4 Event Status Codes

This section shows the event status codes for the available resources:

Table 28-3 Event Status Codes

URI

Status codes

roles

HTTP GET - Status 200 - OK

HTTP PUT – Status 200 - OK

roles/{RoleId}

HTTP GET - Status 200 - OK

HTTP POST – Status 200 – OK

HTTP DELETE – Status 204 – No Content

roles/{RoleId}/assignments

HTTP GET - Status 200 - OK

HTTP PUT – Status 200 - OK

roles/{RoleId}/assignments/{assignmentID}

HTTP GET - Status 200 - OK

HTTP DELETE – Status 204 – No Content

roles/{RoleId}/sods

HTTP GET - Status 200 - OK

roles/{RoleId}/sods/{sodID}

HTTP GET - Status 200 - OK

The Jersey implemented error conditions are used. When server errors are found, Jersey returns the appropriate 400 and 500 level codes.