GET Permissions/Object/{guid}/{ptype}/{principal}

Retrieves explicit and implicit permissions about the principal on the specified object. The principal identity can originate from an AD, LDAP, or local identity provider.

Requirements

  • Permissions: The caller must have Manage permission to the specified object. Use credentials that match the identity provider. For example, if the principal is an AD group, the caller must use AD credentials.
  • Token scope: Security

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

Name / Description

Object

In the request URL, specify the word Object.

{guid}

In the request URL, specify the GUID of the object. Depending on your environment, the GUID may be expressed with or without curly braces {}. For example, {3d6b61d-1c71-4603-883f-25b8c2ceecdd}.

For example, if you want effective permissions for a policy, either call POST Config/DnToGuid or get the GUID from the Support Attributes tab.

{ptype}

In the request URL, type one of the following words for the identity provider type:

  • AD: Active Directory identity provider.
  • LDAP: Lightweight Directory Access Protocol identity provider.
  • local: Trust Protection Platform identity provider.

{pname}

In the request URL, specify the identity provider name that appears in Trust Protection Platform.

{principal}

In the request URL, specify the Universal Identifier for the principal identity that has permissions to the object. For example, call POST Identity/Browse or get the Universal ID from the Users and Groups tab.


  • For all identity providers except AD, enclose the Universal ID in curly braces.
  • For an AD Universal Identifier, omit the curly braces.
  • If your calling application, such as Postman, requires curly braces {}, enclose the Universal ID in curly braces. Otherwise omit the curly braces.

Returns

Response description

Name / Description

HTTP 200

For valid requests, Permissions/Object/{guid}/{ptype}/{principal} returns an HTTP 200 response and the following data:

  • ExplicitPermissions: One set of explicit principal identity permissions. For more information, see Effective Permissions parameters.
  • ImplicitPermissions: Appears only when there are implicit or inherited right assignments to the object. If there are no implicit or inherited right assignments, only the explicit permissions appear in the return value. For more information, see Effective Permissions parameters.

HTTP 400

For invalid requests, one of the following errors may be present:

  • Unable to verify principal. Either correct the principal Guid or assign the principal identity to the appropriate object Guid in Trust Protection Platform. For the Principal parameter, try adding or omitting the curly braces. See the Principal parameter for details.
  • Failed to lookup DN: Unable to read object details of GUID {object Guid}; ObjectDoesNotExist. Obtain the correct object Guid value from Trust Protection Platform.

Example 1: Get permissions from a local Trust Protection Platform provider

Request for example 1

GET https://test.example/vedsdk/permissions/object/{3415e47d-835c-4949-af5b-c226817f7d40}/local/{a58437d1-e6d4-46f8-b790-bc1bedb943f1} 
Authorization:Bearer 4MyGeneratedBearerTknz==

Response for Example 1

HTTP/1.1 200 OK
{
   "ExplicitPermissions":{
      "IsAssociateAllowed":false,
      "IsCreateAllowed":false,
      "IsDeleteAllowed":false,
      "IsManagePermissionsAllowed":false,
      "IsPolicyWriteAllowed":true,
      "IsPrivateKeyReadAllowed":false,
      "IsPrivateKeyWriteAllowed":false,
      "IsReadAllowed":false,
      "IsRenameAllowed":false,
      "IsRevokeAllowed":true,
      "IsViewAllowed":true,
      "IsWriteAllowed":false
   },
   "ImplicitPermissions":{
      "IsAssociateAllowed":false,
      "IsCreateAllowed":false,
      "IsDeleteAllowed":false,
      "IsManagePermissionsAllowed":false,
      "IsPolicyWriteAllowed":true,
      "IsPrivateKeyReadAllowed":false,
      "IsPrivateKeyWriteAllowed":false,
      "IsReadAllowed":true,
      "IsRenameAllowed":false,
      "IsRevokeAllowed":true,
      "IsViewAllowed":true,
      "IsWriteAllowed":true
   }
}

Example 2: Get a principal from an AD provider

Request for Example 2

GET https://test.example/vedsdk/permissions/object/{3415e47d-835c-4949-af5b-c226817f7d40}/AD/AD1/a58437d1-e6d4-46f8-b790-bc1bedb943f1
Authorization:Bearer 4MyGeneratedBearerTknz==

Response for Example 2

HTTP/1.1 200 OK
{
   "ExplicitPermissions":{
      "IsAssociateAllowed":false,
      "IsCreateAllowed":false,
      "IsDeleteAllowed":false,
      "IsManagePermissionsAllowed":false,
      "IsPolicyWriteAllowed":false,
      "IsPrivateKeyReadAllowed":false,
      "IsPrivateKeyWriteAllowed":false,
      "IsReadAllowed":true,
      "IsRenameAllowed":false,
      "IsRevokeAllowed":false,
      "IsViewAllowed":true,
      "IsWriteAllowed":false
   },
   "ImplicitPermissions":{
      "IsAssociateAllowed":false,
      "IsCreateAllowed":false,
      "IsDeleteAllowed":false,
      "IsManagePermissionsAllowed":false,
      "IsPolicyWriteAllowed":false,
      "IsPrivateKeyReadAllowed":false,
      "IsPrivateKeyWriteAllowed":false,
      "IsReadAllowed":true,
      "IsRenameAllowed":false,
      "IsRevokeAllowed":false,
      "IsViewAllowed":true,
      "IsWriteAllowed":false
   }
}
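The following is an added example, not code from the product documentation or from the platform vendor. It builds the request URL by applying the curly-brace rules from the Parameters section (braces around the object GUID and around non-AD principals, no braces and an extra provider-name path segment for AD), fetches the response with a bearer token, and then merges ExplicitPermissions with the optional ImplicitPermissions block so a reviewer can see which rights a principal effectively holds. The base URL, the token placeholder, the use of urllib, and the list of rights treated as sensitive are assumptions; the offline sample is constructed from Example 1 above.

```python
import json
from urllib.request import Request, urlopen

PERMISSION_KEYS = (
    "IsAssociateAllowed", "IsCreateAllowed", "IsDeleteAllowed",
    "IsManagePermissionsAllowed", "IsPolicyWriteAllowed", "IsPrivateKeyReadAllowed",
    "IsPrivateKeyWriteAllowed", "IsReadAllowed", "IsRenameAllowed",
    "IsRevokeAllowed", "IsViewAllowed", "IsWriteAllowed")
# Rights a reviewer would normally flag on a certificate or policy object (assumption).
SENSITIVE = ("IsDeleteAllowed", "IsManagePermissionsAllowed", "IsPolicyWriteAllowed",
             "IsPrivateKeyReadAllowed", "IsPrivateKeyWriteAllowed")

def build_url(base, obj_guid, ptype, principal, pname=None):
    """Object GUID and non-AD principals get {}; AD principals get none plus the provider name."""
    guid, pid = obj_guid.strip("{}"), principal.strip("{}")
    if ptype == "AD":
        if not pname:
            raise ValueError("AD principals require the identity provider name (pname)")
        return f"{base}/vedsdk/permissions/object/{{{guid}}}/AD/{pname}/{pid}"
    return f"{base}/vedsdk/permissions/object/{{{guid}}}/{ptype}/{{{pid}}}"

def fetch_permissions(base, token, obj_guid, ptype, principal, pname=None):
    """GET the endpoint with the bearer token; the caller needs Manage on the object."""
    req = Request(build_url(base, obj_guid, ptype, principal, pname),
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:  # raises HTTPError for the HTTP 400 cases listed above
        return json.load(resp)

def effective_permissions(body):
    """A right is effective if granted explicitly or via the (optional) inherited block."""
    explicit = body.get("ExplicitPermissions", {})
    implicit = body.get("ImplicitPermissions", {})  # absent when nothing is inherited
    return {k: bool(explicit.get(k)) or bool(implicit.get(k)) for k in PERMISSION_KEYS}

def sensitive_rights(body):
    """Sorted list of the sensitive rights the principal effectively holds."""
    eff = effective_permissions(body)
    return sorted(k for k in SENSITIVE if eff[k])

def _perm_set(granted):
    return {k: k in granted for k in PERMISSION_KEYS}

# Constructed offline sample with the values from Example 1 on this page.
SAMPLE_RESPONSE = {
    "ExplicitPermissions": _perm_set({"IsPolicyWriteAllowed", "IsRevokeAllowed", "IsViewAllowed"}),
    "ImplicitPermissions": _perm_set({"IsPolicyWriteAllowed", "IsReadAllowed", "IsRevokeAllowed",
                                      "IsViewAllowed", "IsWriteAllowed"}),
}
```

Note that the merged view shows rights the explicit block alone hides: in the Example 1 sample the principal can write and read only through inheritance, which is what an access review should be looking at.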