General usage information
Authentication
BasicAuth
If HTTP Basic Authentication is activated you must send the user credentials on every request. If the credentials are not correct you will get an HTTP error 401 as a response. In curl you can send the required information with the "-u" option.
curl -u username:password
If you do not use curl, set an extra header with the following:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
where dXNlcm5hbWU6cGFzc3dvcmQ= is the Base64 Encoding for username:password
Bearer token (not yet implemented)
Multi-Tenancy
If multi-tenancy is activated an extra custom header must be sent in each request. If the header is not sent the evaluation of the request is cancelled (with error 406). The same happens when the tenant's ID is not found (with error 404). The name of the custom header is "X-TENANT-ID" and it can be sent with curl using the option "-H":
curl -H 'X-TENANT-ID: customer_1'
It is possible to protect tenants with a password. To access password protected tenants, the password must be sent as an additional header in every request. The correct header for this is 'TENANT-PASSWORD'. An example with curl would look like the following:
curl -H 'TENANT-PASSWORD: secret'
How to use
Sessions
A session is needed to provide a state for queries on permissions. RBAC has the concept of activation and deactivation of roles to allow least privilege policies. A session is therefore a combination of an ID, the user the session belongs to and an activated role set. A session can also store further information like start time, expiration time and other parameters the application wants to give the RBAC system as additional input to make decisions.
How to create a new session
To create a session you have to give a session-ID which is unique and does not already exist. When creating a new session you can already specify a role set that is active in this session from the beginning. The roles in the set have to exist and be applicable for the user. After you have called this and no error has occurred the new session is present in the RBAC system and can be used.
Key | Value | Description |
---|---|---|
URL | /sessions/[{session}] | The session may be any string from the ASCII character set. Usually it is a good idea to give a UUID to ensure that the session is unique. If no value for session is given a new random UUID is generated and used as ID. |
HTTP-Method | POST | |
MUST | userid | Use the string here that has been assigned to an already created user in your system. Usually this is a UUID. |
MAY | roles | |
Body | { "userid": "9957a0a0-998b-11e8-895e-4ccc6a0a4596", "roles": [ "USERROLE_1", "USERROLE_2" ] } | A JSON string containing the user's login, which has to exist in the RBAC system, and an optional set of roles. |
Return value | { "session-id": "9557a2a0-978b-11c8-895e-4ccc6a0545e1" } | |
Result codes and messages
Code | Message | Description |
---|---|---|
200 | - | The session has been created and can be used. |
400 | createSession takes exactly three parameters: session ID as url parameter, userid as MUST (in body) and an array of roles as MAY (in body) | You have not given all MUST parameters. |
401 | - | You have to authorise to use this URL. |
404 | The user is not known | The user cannot be found in the system so you cannot create a session for this user. |
406 | The session already exists so you can not create it | The session-ID already exists and cannot be used to create another session. |
409 | This user-role-combination is invalid | You specified roles that the user may not activate. |
500 | various | Anything else went wrong. |
Example
curl -H 'Content-Type: application/json' -X POST -d '{"userid": "9957a0a0-998b-11e8-895e-4ccc6a0a4596", "roles": ["BasicUser"]}' -i https://.../pdp/sessions/
curl -H 'Content-Type: application/json' -X POST -d '{"userid": "9957a0a0-998b-11e8-895e-4ccc6a0a4596", "roles": ["BasicUser"]}' -i https://.../pdp/sessions/899cd8d1-72dc-4600-82c3-e91c21eb08ee
How to get information on an existing session
To get information on an existing session, you have to give the session-ID and will retrieve a JSON-formatted result with information.
Key | Value | Description |
---|---|---|
URL | /sessions/{session} | The session may be any string from the ASCII character set. Usually it is a good idea to give a UUID to ensure that the session is unique. |
HTTP-Method | GET | |
Body | ||
Return value | 200 / JSON { "sessionkey": "9fa253949f8a49d7924749f6da2759ee", "userid": "9957a0a0-998b-11e8-895e-4ccc6a0a4596", "roles": [ "testrole"], "permissions": { "read-permission": { "operations": ["read"] } } } | A JSON string containing the session-ID, the user's login, the active set of roles and the permissions of the session. |
Result
Code | Message | Description |
---|---|---|
200 | - | The session has been found and the information is returned in the body. |
404 | The session is not known | The session cannot be found in the system. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -X GET -i https://example.org/pdp/sessions/899cd8d1-72dc-4600-82c3-e91c21eb08ee
How to delete an existing session
To delete a session you have to give the session-ID of an existing session. After you have called this and no error has occurred the session is removed from the RBAC system and cannot be used anymore.
Key | Value | Description |
---|---|---|
URL | /sessions/{session} | The session must exist in the RBAC system. |
HTTP-Method | DELETE | |
Body | - | |
Return value | 200 / No data | |
Result
Code | Message | Description |
---|---|---|
200 | - | The session has been deleted and cannot be used anymore. |
404 | The session does not exist. | The session could not be deleted as there was no session with the given session-ID. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i -X DELETE https://example.org/pdp/sessions/899cd8d1-72dc-4600-82c3-e91c21eb08ee
How to activate a role for an existing session
Description
To activate a role for a session you have to specify the role in the payload. You can also activate multiple roles with one call. The system checks if the roles exist and are valid for the user that owns the session. If no error occurs the session has a changed role set afterwards.
Key | Value | Description |
---|---|---|
URL | /sessions/{session}/activateRole | The session must exist in the RBAC system. |
HTTP-Method | PATCH | |
MUST | - | |
MAY | roles | If you do not specify any roles nothing happens. |
Body | { "roles": [ "USERROLE_1", "USERROLE_2" ] } | |
Return value | 200 / No data | |
Result
Code | Message | Description |
---|---|---|
200 | - | The session has been updated. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -i -X PATCH -d '{"roles": ["BasicUser", "AdvancedUser"]}' https://example.org/pdp/sessions/899cd8d1-72dc-4600-82c3-e91c21eb08ee/activateRole
How to deactivate a role for an existing session
Description
To deactivate a role for a session you have to specify the role in the payload. You can also deactivate multiple roles with one call. The system checks if the roles exist and are valid for the user that owns the session. If no error occurs the session has a changed role set afterwards.
Key | Value | Description |
---|---|---|
URL | /sessions/{session}/deactivateRole | The session must exist in the RBAC system. |
HTTP-Method | PATCH | |
MAY | roles | If you do not specify any roles nothing happens. |
Body | { "roles": [ "USERROLE_1" ] } | |
Return value | 200 / No data | |
Result
Code | Message | Description |
---|---|---|
200 | - | The session has been updated. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -i -X PATCH -d '{"roles": ["BasicUser", "AdvancedUser"]}' https://example.org/pdp/sessions/899cd8d1-72dc-4600-82c3-e91c21eb08ee/deactivateRole
Roles
A role is needed to make permissions independent from users. Permissions are not defined on users directly but on roles. A user can then be assigned to a role and inherit the permissions of the assigned role.
How to create a new role without any hierarchy
Description
To create a role you have to give a rolename which is unique and does not already exist.
Key | Value | Description |
---|---|---|
URL | /roles/{role} | The role may be any string from the ASCII character set. Usually it is a good idea to use a name that describes the real-life duty like "secretary". |
HTTP-Method | POST | |
Body | - | |
Return value | 200 / No data | If the role has been created no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The role has been created. |
400 | Rolename must be provided and not be empty | You did not provide a rolename. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i -X POST https://example.org/pdp/roles/BasicUser
How to create a new role beneath another role
Description
To create a new role beneath another existing role you have to give the full path of the hierarchy of existing roles followed by the name of the new role. The new role then inherits all rights of the roles in the hierarchy.
Key | Value | Description |
---|---|---|
URL | /roles/EXISTINGROLE/{role} | The role may be any string from the ASCII character set. Usually it is a good idea to use a name that describes the real-life duty like "secretary". The EXISTINGROLE must be present in the RBAC system at the specified position of the hierarchy. |
HTTP-Method | POST | |
Body | - | |
Return value | 200 / No data | If the role has been created no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The role has been created. |
400 | Rolename must be provided and not be empty | You did not provide a rolename. |
404 | The role is unknown | The parent role does not exist. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i -X POST https://example.org/pdp/roles/BasicUser/Admin
How to get information on a role
Description
To get information on a role, you have to give the rolename of an already existing role.
Key | Value | Description |
---|---|---|
URL | /roles/{rolepath} | The rolepath is the full path to the role like BasicUser/SpecialUser |
HTTP-Method | GET | |
Body | - | |
Return value | 200 / JSON { "rolename": "superadmin", "users": ["9957a0a0-998b-11e8-895e-4ccc6a0a4596"], "permissions": { "read-permission": { "operations": ["read"] } } } | If the role exists the available information on the role (rolename, assigned users and permissions) is returned as a JSON string. |
Result
Code | Message | Description |
---|---|---|
200 | - | The role has been found and the information is returned in the body. |
404 | The role is not known | The role cannot be found in the system. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i https://example.org/pdp/roles/BasicUser
How to delete an existing role
Description
To delete a role you have to give the full path to the role. After you have called this and no error has occurred the role and all its subroles are removed from the RBAC system and cannot be used anymore.
Key | Value | Description |
---|---|---|
URL | /roles/{path} | The role must exist in the RBAC system and must not have child roles. |
HTTP-Method | DELETE | |
Body | - | |
Return value | 200 / No data | |
Result
Code | Message | Description |
---|---|---|
200 | - | The role has been deleted and cannot be used anymore. |
404 | The role is unknown. | The role could not be deleted as there was no role at the given path. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i -X DELETE https://example.org/pdp/roles/BasicUser/SpecialUser
Users
How to create a new user
Description
Creating a new user is not part of the RBAC standard but implemented anyway because RBAC needs to know if a user is valid in the system. To decide if a user is valid in the system it has to be created. The system can use an existing LDAP to validate that a user exists but also can create its own with this method if there is no such LDAP.
Key | Value | Description |
---|---|---|
URL | /users/ | |
HTTP-Method | POST | |
MUST | username | The username may be any string from the ASCII character set but must not already be present in the system. |
Body | { "username": "exampleUser", "password": "secret" } | The password you give here in cleartext is stored in the LDAP database as an SSHA hash value. If no password is specified in the body a random value is generated to ensure that nobody can use the entry for authentication. |
Return value | 200 / { "userid": "fcfcc6da-88fd-4078-a702-9525ebb32fe2", "username": "exampleUser" } | If the user has been created the generated userid and the username are returned as a JSON string. |
Result
Code | Message | Description |
---|---|---|
200 | - | The user has been created. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X POST -d '{"username": "exampleUser", "password": "secret"}' -i https://example.org/pdp/users/
How to get information about an existing user
Description
To get information on an existing user, you have to give the userid and will retrieve a JSON-formatted result with information.
Key | Value | Description |
---|---|---|
URL | /users/{userid} | The userid is the user's UUID. |
HTTP-Method | GET | |
Body | - | |
Return value | 200 / JSON | A JSON string containing the userid and a list of all the roles the user is assigned to as well as a list of roles the user has authorization for. (This may vary if you use hierarchical roles as a user is authorised for all parent roles of the roles he is assigned to.) |
Result
Code | Message | Description |
---|---|---|
200 | - | The user has been found and the information is returned in the body. |
404 | The user is not known | The user cannot be found in the system. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i https://example.org/pdp/users/9957a0a0-998b-11e8-895e-4ccc6a0a4596
How to delete an existing user
Description
To delete a user you have to give the userid. After you have called this and no error has occurred the user is removed from the RBAC system and cannot be used anymore.
Key | Value | Description |
---|---|---|
URL | /users/{userid} | The user with this userid must exist in the RBAC system. |
HTTP-Method | DELETE | |
Body | - | |
Return value | 200 / No data | |
Result
Code | Message | Description |
---|---|---|
200 | - | The user has been deleted and cannot be used anymore. |
404 | The user is not known | The user cannot be found in the system. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i -X DELETE https://example.org/pdp/users/9957a0a0-998b-11e8-895e-4ccc6a0a4596
How to assign a user to roles
Description
A user gets permissions by being assigned to a role. This assignment is important when a new session is created or an existing session is modified because only roles that are assigned to a user can be activated. Assigning the user to a role usually is the only thing in the daily business of an organization that has to be done. Roles and resources as well as the resulting permissions are quite static.
Key | Value | Description |
---|---|---|
URL | /users/{userid}/assignRoles | The userid has to exist in the system as well as the roles in the body. |
HTTP-Method | PATCH | |
MUST | roles | The list of roles the user should be assigned to. The list has to be sent and must not be empty. |
Body | { "roles": [ "USERROLE_1", "USERROLE_2" ] } | |
Return value | 200 / No data | If the roles have been assigned no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The roles have been assigned to the user. |
400 | You must provide a list of roles | You didn't send the list of roles correctly in the body of the request. |
404 | various | The user's userid or one of the given roles has not been found in the system. Which one can be decided by reading the message. If this error occurs no changes are done to the roleset, especially no role is added even if it exists and could be assigned to the user. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X PATCH -d '{"roles": ["Admin"]}' -i https://example.org/pdp/users/9957a0a0-998b-11e8-895e-4ccc6a0a4596/assignRoles
How to deassign a user from roles
Description
A user gets permissions by being assigned to a role. This assignment is important when a new session is created or an existing session is modified because only roles that are assigned to a user can be activated. Assigning the user to a role usually is the only thing in the daily business of an organization that has to be done. So if a user must not have a permission anymore, the user has to be deassigned from the role that grants it.
Key | Value | Description |
---|---|---|
URL | /users/{userid}/deassignRoles | The userid has to exist in the system. If the roles are not assigned to the user they are just skipped. |
HTTP-Method | PATCH | |
MUST | roles | The list of roles the user should be deassigned from. The list has to be sent and must not be empty. |
Body | { "roles": [ "USERROLE_1", "USERROLE_2" ] } | |
Return value | 200 / No data | If the roles have been deassigned no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The roles have been deassigned from the user. |
400 | You must provide a list of roles | You didn't send the list of roles correctly in the body of the request. |
404 | various | The user's userid or one of the given roles has not been found in the system. Which one can be decided by reading the message. If this error occurs no changes are done to the roleset, especially no role is removed even if it exists and is assigned to the user. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X PATCH -d '{"roles": ["Admin"]}' -i https://example.org/pdp/users/9957a0a0-998b-11e8-895e-4ccc6a0a4596/deassignRoles
Resources
How to create a new resource
Description
Resources can be anything that must be restricted. A resource can be a document, a door or a functionality on a web page. A resource has operations defined that can be executed. On a door this could be "open" and "close", on a document it could be "read" and "write". These operations then can be granted to roles that are allowed to execute them.
Key | Value | Description |
---|---|---|
URL | /resources/{resource} | The resource name may be any string from the ASCII character set but must not already be present in the system. |
HTTP-Method | POST | |
MAY | operations | The operations specified can be used when assigning rights to roles. You can use any ASCII character in the name of an operation and you can have as many operations as you like. Usually it is a good idea to use the same operation set for the same kind of objects even if an operation of the current resource will never be assigned to a role. A door could therefore have the operations ["open", "close", "lock", "unlock"]. |
Body | { "operations": [ "read", "write" ] } | |
Return value | 200 / No data | If the resource has been created no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The resource has been created. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X POST -d '{"operations": ["open", "close"]}' -i https://example.org/pdp/resources/door1
How to get information on an existing resource
Description
To get information on a resource, you have to give the name of an already existing resource and will retrieve a JSON-formatted result with information.
Key | Value | Description |
---|---|---|
URL | /resources/{resource} | The resource may be any string from the ASCII character set and must already be present in the system. |
HTTP-Method | GET | |
Body | - | |
Return value | 200 / JSON | If the resource exists the basic information on the resource like the name is returned as well as information on permissions and operations that are directly and indirectly granted to roles. |
Result
Code | Message | Description |
---|---|---|
200 | - | The information on the resource is returned in the body. |
404 | The resource is not known or not unique | The resource is not found in the system. If you are sure that the resource should exist it might be that the resource has been created twice by another process that operates on the directory, but this should not happen anyway. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X GET -i https://example.org/pdp/resources/door1
How to delete an existing resource
Description
To delete a resource you have to give the full path to the resource. After you have called this and no error has occurred the resource is removed from the RBAC system and cannot be used anymore.
Key | Value | Description |
---|---|---|
URL | /resources/{resource} | The resource must exist in the RBAC system. |
HTTP-Method | DELETE | |
Body | - | |
Return value | 200 / No data | |
Result
Code | Message | Description |
---|---|---|
200 | - | The resource has been deleted and cannot be used anymore. |
404 | The resource is not known or not unique | The resource cannot be found in the system. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -i -X DELETE https://example.org/pdp/resources/door1
How to grant a permission for a role on a resource
Description
A user gets permissions by being assigned to a role. This assignment is important when a new session is created or an existing session is modified because only roles that are assigned to a user can be activated. Assigning the user to a role usually is the only thing in the daily business of an organization that has to be done. So if a user must not have a permission anymore, the user has to be deassigned from the role that grants it.
Key | Value | Description |
---|---|---|
URL | /resources/{resource}/grantPermission | The resource has to exist in the system. If the roles are not assigned to the user they are just skipped. |
HTTP-Method | PATCH | |
MUST | permissions | The list of permissions to grant on this resource. A permission is a combination of a role with an operation. Both have to exist. The list must not be empty. |
Body | { "permissions": [ { "role": "USERROLE_1", "operation": "open" }, { "role": "USERROLE_1", "operation": "close" } ] } | |
Return value | 200 / No data | If the permission has been granted no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The permissions have been granted on the resource. |
404 | various | The id of the resource or one of the given roles has not been found in the system. Which one can be decided by reading the message. If this error occurs no changes are done to the set of permissions, especially no permission is added. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X PATCH -d '{"permissions": [{"role": "Admin", "operation": "open"}, {"role": "Admin", "operation": "close"}]}' -i https://example.org/pdp/resources/door1/grantPermission
How to check if an operation on a resource is permitted
Description
To check if an operation is allowed for a specific session, all three pieces of information (resource, session and operation) are needed and are encoded in the URL. If the operation is permitted because an active role in the session permits the operation on the resource, status code 200 is returned. Otherwise the access is not permitted and 403 is returned.
Key | Value | Description |
---|---|---|
URL | /resources/{resource}/checkAccess?session={session}&operation={operation} | Check if the operation on the resource is allowed for the session. |
HTTP-Method | GET | |
Body | - | |
Return value | 200 / No data | If the operation is permitted no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The operation is permitted on the given resource for the specified session. |
403 | - | The operation is not permitted on the given resource for the specified session: none of the session's active roles holds a permission for this operation. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X GET -i 'https://example.org/pdp/resources/resource_1/checkAccess?operation=read&session=899cd8d1-72dc-4600-82c3-e91c21eb08ee'
How to check if an operation on multiple resources is permitted
Description
To check if an operation is allowed for a specific session on the resources matching a filter, all three pieces of information (filter, session and operation) are needed and are encoded in the URL. If the operation is permitted because an active role in the session permits the operation on the resources, status code 200 is returned. Otherwise the access is not permitted and 403 is returned.
Key | Value | Description |
---|---|---|
URL | /resources/{filter}/checkMultiAccess?session={session}&operation={operation} | Check if the operation on the resources corresponding to the filter is allowed for the session. |
URL2 | /resources/{filter}/checkMultiAccess/detailed/?session={session}&operation={operation} | Check if the operation on the resources corresponding to the filter is allowed for the session. Returns all resources found by the filter together with their corresponding permission result. |
HTTP-Method | GET | |
Body | - | |
Return value | 200 / No data | If the operation is permitted no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The operation is permitted on the resources matching the filter for the specified session. |
403 | - | The operation is not permitted on the resources matching the filter for the specified session. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X GET -i 'https://example.org/pdp/resources/t*t/checkMultiAccess?operation=read&session=899cd8d1-72dc-4600-82c3-e91c21eb08ee'
Tenants
How to create a new tenant
Description
Tenants are logically separated partitions of the system within the same instance. Every tenant has its own users, roles, sessions, resources and therefore its own permissions. If multi-tenancy is active then the tenant always has to be specified in the header of a request. Otherwise the system does not accept the request. To create such a new tenant only the name (ID) is needed, which will be sent in the header in future operations.
Key | Value | Description |
---|---|---|
URL | /tenants/{tenant} | The tenant name may be any string from the ASCII character set but must not already be present in the system. |
HTTP-Method | POST | |
Body | {"password": "secret"} | The password is optional, but if password protected tenancy is used, then of course accessing the tenant without the password is not possible. |
Return value | 200 / No data | If the tenant has been created no data is returned, just the status code. |
Result
Code | Message | Description |
---|---|---|
200 | - | The tenant has been created. |
406 | - | The tenant is already present in the directory. |
500 | various | Anything else went wrong. |
Example
The following example uses the hostname "example.org" and the default path to the PDP (/pdp/) as document root.
curl -H 'Content-Type: application/json' -X POST -d '{}' -i https://example.org/pdp/tenants/customer_X/
How to remove an existing tenant (not yet implemented)
How to deactivate an existing tenant (not yet implemented)
Example
If your system does not trust the certificate please add "--insecure" to the command line call. To see how it all works the following commands can be used:
Step | Call | Description | Return |
---|---|---|---|
1 | curl -H 'Content-Type: application/json' -X POST -d '{"username": "joe", "password": "secret"}' -i https://example.org/pdp/users/ | Create the user "joe" | 200 |
2 | curl -i -X POST https://example.org/pdp/roles/BasicUser && curl -i -X POST https://example.org/pdp/roles/Admin | Create two roles "BasicUser" and "Admin" | 200 |
3 | curl -H 'Content-Type: application/json' -X POST -d '{"operations": ["open", "close"]}' -i https://example.org/pdp/resources/front_door | Create the resource "front_door" that knows the operations "open" and "close" | 200 |
4 | curl -H 'Content-Type: application/json' -X PATCH -d '{"roles": ["BasicUser"]}' -i https://example.org/pdp/users/9957a0a0-998b-11e8-895e-4ccc6a0a4596/assignRoles | Assign the user with the UUID "9957a0a0-998b-11e8-895e-4ccc6a0a4596" to the role "BasicUser" | 200 |
5 | curl -H 'Content-Type: application/json' -X PATCH -d '{"permissions": [{"role": "Admin", "operation": "open"}, {"role": "BasicUser", "operation": "close"}]}' -i https://example.org/pdp/resources/front_door/grantPermission | Permit the operation "open" on "front_door" for the "Admin" role and the operation "close" on "front_door" for the "BasicUser" role | 200 |
6 | curl -H 'Content-Type: application/json' -X POST -d '{"userid": "9957a0a0-998b-11e8-895e-4ccc6a0a4596", "roles": ["BasicUser"]}' -i https://example.org/pdp/sessions/899cd8d1-72dc-4600-82c3-e91c21eb08ee | Initialise a new session for the user with the UUID "9957a0a0-998b-11e8-895e-4ccc6a0a4596" and activate the role "BasicUser". | 200 |
7 | curl --insecure -H 'Content-Type: application/json' -X GET -i 'https://example.org/pdp/resources/front_door/checkAccess?session=899cd8d1-72dc-4600-82c3-e91c21eb08ee&operation=open' | Check if the session "899cd8d1-72dc-4600-82c3-e91c21eb08ee" that belongs to the user with the UUID "9957a0a0-998b-11e8-895e-4ccc6a0a4596" is allowed to "open" the "front_door" | 403 |
8 | curl --insecure -H 'Content-Type: application/json' -X GET -i 'https://example.org/pdp/resources/front_door/checkAccess?session=899cd8d1-72dc-4600-82c3-e91c21eb08ee&operation=close' | Check if the session "899cd8d1-72dc-4600-82c3-e91c21eb08ee" that belongs to the user with the UUID "9957a0a0-998b-11e8-895e-4ccc6a0a4596" is allowed to "close" the "front_door" | 200 |
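As an added illustration (not the PDP's own code) of the RBAC semantics this document describes, the following in-memory Python model covers users, the role hierarchy, sessions with an activated role set, resources with operations and role/operation permissions; its status codes follow the tables above, while the class and method names are assumptions, as are the 404 from check_access and the 409 from activate_role where the document lists no code. walkthrough() replays the eight steps of the example table and returns the codes of steps 7 and 8.

```python
import uuid


class Pdp:

    def __init__(self):
        self.users = {}      # userid -> {"username": str, "roles": set of assigned role names}
        self.roles = {}      # role name -> parent role name (None for a top-level role)
        self.resources = {}  # name -> {"operations": set, "permissions": set of (role, op)}
        self.sessions = {}   # session id -> {"userid": str, "roles": set of active role names}

    def create_user(self, username):
        uid = str(uuid.uuid4())  # the PDP generates the userid (POST /users/)
        self.users[uid] = {"username": username, "roles": set()}
        return 200, {"userid": uid, "username": username}

    def assign_roles(self, userid, roles):
        if not roles:
            return 400, "You must provide a list of roles"
        if userid not in self.users or any(r not in self.roles for r in roles):
            return 404, "The user or one of the roles is not known"  # nothing is changed
        self.users[userid]["roles"].update(roles)
        return 200, None

    def create_role(self, path):
        """path as in the URL: 'BasicUser' or 'BasicUser/Admin' (the parents must exist)."""
        parts = [p for p in path.split("/") if p]
        if not parts:
            return 400, "Rolename must be provided and not be empty"
        *parents, name = parts
        if any(p not in self.roles for p in parents):
            return 404, "The role is unknown"
        self.roles[name] = parents[-1] if parents else None
        return 200, None

    def authorised_roles(self, role):
        """The role plus every role above it: a child role inherits its parents' rights."""
        return [] if role is None else [role] + self.authorised_roles(self.roles[role])

    def create_session(self, userid, roles=(), session=None):
        session = session or str(uuid.uuid4())  # a random UUID when none is given
        if userid not in self.users:
            return 404, "The user is not known"
        if session in self.sessions:
            return 406, "The session already exists so you can not create it"
        if not set(roles) <= self.users[userid]["roles"]:
            return 409, "This user-role-combination is invalid"
        self.sessions[session] = {"userid": userid, "roles": set(roles)}
        return 200, {"session-id": session}

    def activate_role(self, session, roles, activate=True):
        """activateRole / deactivateRole: only roles assigned to the owner may be active."""
        s = self.sessions[session]
        if not set(roles) <= self.users[s["userid"]]["roles"]:
            return 409, "This user-role-combination is invalid"  # assumed, as for createSession
        (s["roles"].update if activate else s["roles"].difference_update)(roles)
        return 200, None

    def create_resource(self, name, operations=()):
        self.resources[name] = {"operations": set(operations), "permissions": set()}
        return 200, None

    def grant_permission(self, resource, permissions):
        res = self.resources.get(resource)
        if res is None:
            return 404, "The resource is not known or not unique"
        pairs = {(p["role"], p["operation"]) for p in permissions}
        if any(r not in self.roles or op not in res["operations"] for r, op in pairs):
            return 404, "The role or operation is unknown"  # both must exist; nothing is added
        res["permissions"].update(pairs)
        return 200, None

    def check_access(self, resource, session, operation):
        """200 if an active role, or a role above it, holds (role, operation); else 403."""
        res, s = self.resources.get(resource), self.sessions.get(session)
        if res is None or s is None:
            return 404, None  # assumed; the document lists only 200 and 403 here
        allowed = any((r, operation) in res["permissions"]
                      for active in s["roles"] for r in self.authorised_roles(active))
        return (200 if allowed else 403), None


def walkthrough():
    """Steps 1-8 of the example table above; returns the status codes of steps 7 and 8."""
    pdp = Pdp()
    uid = pdp.create_user("joe")[1]["userid"]
    pdp.create_role("BasicUser")
    pdp.create_role("Admin")
    pdp.create_resource("front_door", ["open", "close"])
    pdp.assign_roles(uid, ["BasicUser"])
    pdp.grant_permission("front_door", [{"role": "Admin", "operation": "open"},
                                        {"role": "BasicUser", "operation": "close"}])
    sid = pdp.create_session(uid, ["BasicUser"])[1]["session-id"]
    return (pdp.check_access("front_door", sid, "open")[0],   # 403: BasicUser may not open
            pdp.check_access("front_door", sid, "close")[0])  # 200: BasicUser may close
```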