The Roles Service exposes resources to retrieve roles information. The service allows a user is able to retrieve lists of roles or access specific roles by filter expression or identity ID.
IMPORTANT:To view role detail and role assignments by using the role/{role id} and role/{role id}/assignments end points, you need to be a Role Administrator and a Provisioning Administrator. The Role Administrator must have appropriate permissions on the Provisioning domain. To provide these permissions:
Log into the User Application as the Provisioning Administrator.
Give all domain rights to the Role Administrator including rights on the Provisioning domain.
Login to iManager.
Add Role Administrator as a trustee of Role-Config in iManager.
There are several types of resources available for the service. These resources are described in the sections that follow:
The service provides a resource URI for every object exposed. The Roles resource supports the following URI patterns:
Resource for returning a collection of roles
Resource for returning a specific role instance
Resource for returning assignments for a specific role instance
Resources for returning SoDs for a specific role instance
The service supports the following parameters to allow you to perform operations on the primary roles data set:
A filter parameter to enable the filtering of result sets
A debug matrix parameter to enable you to return the JSON structures in a human readable format
A schema matrix parameter to enable you to return the schema for the data set
The following table shows the complete URI syntax for all resource end points associated with the Identities Service, along with a description for each URI and a list of supported HTTP methods:
Table 28-1 Resource URIs
URI |
Description |
---|---|
roles |
GET -Will return a list of roles with minimum information and a list of role URI links that include the role GUIDPOST – Not supportedPUT – Future. The PUT operation with the appropriate JSON structure will be used to create a new role. The Role JSON structure will be the same as the one used for the /roles/{RoleID} GET end pointDELETE – Not Supported |
roles?filter={role filter expression} |
GET -The above list can then be filtered by entering a role filter expression on the URI. |
roles/{RoleId} |
GET -The Role ID parameter will be a GUID to identify a specific role within the LDAP realmPOST – Future. Provide ability to modify a specific role.PUT – Not supportedDELETE – Future. Will remove the role. |
roles/{RoleId}/assignments |
GET - Will return a list of assignments for a specific role. This will include assignments to other users, groups, and containers assigned to a role. It does not include role relationship information (information about roles assigned to another to a role). PUT – Future. The PUT operation with the appropriate JSON structure will be used to assign the role to another role, user, group, or container.POST – Not supportedDELETE – Not supported |
roles/{RoleId}/assignments/{assignmentID} |
GET – Display information on a specific role assignment. The assignment ID will be a GUID representing either a role, group, user or container.PUT – Not supportedPOST – Not supportedDELETE – Future. Remove the specific assignment |
roles/{RoleId}/sods |
GET - Will return a list of sods for a specific role. This information will be crucial for clients that want to assign roles. Before the assignment, this REST end point should be executed to determine if any SODs exist for that particular role.PUT – Not supportedPOST – Not supportedDELETE – Not supported |
roles/{RoleId}/sods/{sodID} |
GET – Display information on a specific sod.PUT – Not supportedPOST – Not supportedDELETE – Not supported |
Table 28-2 Matrix Parameters for Debugging and Displaying the Schema
URI |
Description |
---|---|
roles;debug |
This debug matrix parameter displays the identities JSON structure in human readable format, as opposed to compressed format. This matrix parameter can be put anywhere in the URI. |
roles;schema |
The schema matrix parameter can be put anywhere in the URI and in combination with the “Accept” header type will return the appropriate schema document for the content type. In this case a JSON schema document is returned for the workitems. |
This section shows the JSON structures received by the client for each resource. In each case, the HTTP method is GET.
The roles end point (/roles) returns a collection (JSON Array) of roles.
[ { "Links": [{ "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/assignments", "Type": "Assignments", "Value": "Assignments" }, { "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/sods", "Type": "SODS", "Value": "SODS" }], "DN": "cn=Scheduler System Access,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "372c47071345ae463db5372c47071345", "Link": "/POC/roa/v1/roles/372c47071345ae463db5372c47071345", "Name": "Scheduler System Access", "Description": "Scheduler System Access", "CategoryKey": ["system"], "RoleLevel": { "Name": "Permission Role", "Description": "Permission to connected systems", "level": "10" } }, { "Links": [{ "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/assignments", "Type": "Assignments", "Value": "Assignments" }, { "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/sods", "Type": "SODS", "Value": "SODS" }], "DN": "cn=ER Access-West,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", "Name": "ER Access(West Campus)", "Description": "ER Access (West Campus)", "CategoryKey": ["building"], "RoleLevel": { "Name": "Permission Role", "Description": "Permission to connected systems", "level": "10" } }, ….. ]
The roles/{RoleId} endpoint returns specific role information.
{ "Links": [{ "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/assignments", "Type": "Assignments", "Value": "Assignments" }, { "Link": "/RIS/v1/roles/372c47071345ae463db5372c47071345/sods", "Type": "SODS", "Value": "SODS" }], "DN": "cn=Scheduler System Access,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "372c47071345ae463db5372c47071345", "Link": "/POC/roa/v1/roles/372c47071345ae463db5372c47071345", "Name": "Scheduler System Access", "Description": "Scheduler System Access", "CategoryKey": ["system"], "RoleLevel": { "Name": "Permission Role", "Description": "Permission to connected systems", "level": "10" } }
This endpoint returns a list of assignments for a specific role.
{ "Containers": [], "Groups": [], "Roles": [ { "DN": "cn=Write Prescriptions,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "7cee8c618a2e8a436eb87cee8c618a2e", "Value": "Write Prescription", "link": "/RIS/v1/roles/7cee8c618a2e8a436eb87cee8c618a2e" }, { "DN": "cn=Administer Drugs,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "edcc5430f3e1a74041acedcc5430f3e1", "Value": "Administer Drug", "Link": "/RIS/v1/roles/edcc5430f3e1a74041acedcc5430f3e1" }, { "DN": "cn=Order Medical Tests,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "1a3381b0b849c04c1f981a3381b0b849", "Value": "", "Link": "/RIS/v1/roles/1a3381b0b849c04c1f981a3381b0b849" }, { "DN": "cn=Perform Medical Tests,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "4146615061202f4231b6414661506120", "Value": "", "Link": "/RIS/v1/roles/4146615061202f4231b6414661506120" } ], "Users": [{ "DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell", "GUID": "26b65d8611075849e2b226b65d861107", "Value": "Allison Blake", "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107" }], "DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "80146f8473973942ceb380146f847397", "Link": "/RIS/v1/roles/80146f8473973942ceb380146f847397", "Name": "Doctor", "Description": "Doctor" }
This endpoint returns information on a specific role assignment.
{ "Users": [{ "DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell", "GUID": "26b65d8611075849e2b226b65d861107", "Value": "Allison Blake", "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107" }], "DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "80146f8473973942ceb380146f847397", "Link": "/RIS/v1/roles/80146f8473973942ceb380146f847397", "Name": "Doctor", "Description": "Doctor" }
This endpoint return a list of SoDs for a specific role. This information is crucial for clients that want to assign roles. Before the assignment, this REST end point should be executed to determine if any SODs exist.
[ { "DN": "cn=SOD,cn=SodDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "80146f8473973942ceb380146f847397", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/sods/80146f8473973942ceb380146f847397", "Name" : "sod name", "Description" : "sod description", "Quorum" : "50%", "ApprovalType" : "SOD approval type", "Roles" : [ {"DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", "Name": "Doctor", "Description": "Doctor"}, {"DN": "cn=Nurse,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", "Name": "Nurse", "Description": "Nurse"} ] "RequestDefinition" : { "Value": "Role Approval", "DN": "cn=Role Approval,cn=RequestDefs,cn=AppConfig,cn=CaribouDriver,cn=TestDrivers,o=novell", "GUID": "c24dc77790ea497eb07617341c01e718", "Link": "/RIS/wf/definition/c24dc77790ea497eb07617341c01e718" }, "Approvers" : [ {"DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell", "GUID": "26b65d8611075849e2b226b65d861107", "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", "Value" : "Allison Blake"}, {"DN": "cn=mmackenzie,ou=users,ou=medical-idmsample,o=novell", "GUID": "26b65d8611075849e2b226b65d861107", "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", "Value" : "Margo Mackenzie"} } , …. ]
This endpoint returns information on a specific SoD.
{ "DN": "cn=SOD,cn=SodDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "80146f8473973942ceb380146f847397", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8/sods/80146f8473973942ceb380146f847397", "Name" : "sod name", "Description" : "sod description", "Quorum" : "50%", "ApprovalType" : "SOD approval type", "Roles" : [ {"DN": "cn=Doctor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", "Name": "Doctor", "Description": "Doctor"}, {"DN": "cn=Nurse,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=PicassoDriver,cn=TestDrivers,o=novell", "GUID": "3059a9b358c8ba4f0ab53059a9b358c8", "Link": "/RIS/v1/roles/3059a9b358c8ba4f0ab53059a9b358c8", "Name": "Nurse", "Description": "Nurse"} ] "RequestDefinition" : { "Value": "Role Approval", "DN": "cn=Role Approval,cn=RequestDefs,cn=AppConfig,cn=CaribouDriver,cn=TestDrivers,o=novell", "GUID": "c24dc77790ea497eb07617341c01e718", "Link": "/RIS/wf/definition/c24dc77790ea497eb07617341c01e718" }, "Approvers" : [ {"DN": "cn=ablake,ou=users,ou=medical-idmsample,o=novell", "GUID": "26b65d8611075849e2b226b65d861107", "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", "Value" : "Allison Blake"}, {"DN": "cn=mmackenzie,ou=users,ou=medical-idmsample,o=novell", "GUID": "26b65d8611075849e2b226b65d861107", "Link": "/RIS/v1/identities/26b65d8611075849e2b226b65d861107", "Value" : "Margo Mackenzie"} }
This section shows the event status codes for the available resources:
Table 28-3 Event Status Codes
URI |
Status codes |
---|---|
roles |
HTTP GET - Status 200 - OK HTTP PUT – Status 200 - OK |
roles/{RoleId} |
HTTP GET - Status 200 - OK HTTP POST – Status 200 – OK HTTP DELETE – Status 204 – No Content |
roles/{RoleId}/assignments |
HTTP GET - Status 200 - OK HTTP PUT – Status 200 - OK |
roles/{RoleId}/assignments/{assignmentID} |
HTTP GET - Status 200 - OK HTTP DELETE – Status 204 – No Content |
roles/{RoleId}/sods |
HTTP GET - Status 200 - OK |
roles/{RoleId}/sods/{sodID} |
HTTP GET - Status 200 - OK |
The Jersey implemented error conditions are used. When server errors are found, Jersey returns the appropriate 400 and 500 level codes.