Access rights#

Attention

To view, assign or revoke access rights, the application must obtain an access token with the system permission blitz_rights_full_access.

Tip

To view the access rights in which a given user is the access subject, an access token with the user permission blitz_user_rights can also be used.

An access right is granted to an access subject on an access object.

Access subjects:
  • users,

  • applications (prefix its).

Access objects:
  • users,

  • user groups (prefix grps),

  • applications (prefix its).

List of user rights#

Method

GET https://login.company.com/blitz/api/v3/rights/of/<sub>

Returns the access rights held by an access subject that is a user.

Examples

GET /blitz/api/v3/rights/of/BIP-1SEQ41A HTTP/1.1
Authorization: Bearer cNwIX…Nz
The user BIP-1SEQ41A has the right ORG_ADMIN to the user group 1147746651733, the right APP_ADMIN to the application test_app2, the right change_password to the user account BIP-3SGR7TA#
{
    "grps|1147746651733|orgs": {
        "ORG_ADMIN": [
            "set_from_api",
            "another_one_tag"
        ]
    },
    "its|test_app2": {
        "APP_ADMIN": [
            "set_from_api"
        ]
    },
    "BIP-3SGR7TA": {
        "change_password": [
            "parent"
        ]
    }
}

List of application rights#

Method

GET https://login.company.com/blitz/api/v3/rights/of/its/<app_id>

Returns the access rights held by an access subject that is an application.

Examples

GET /blitz/api/v3/rights/of/its/test_app HTTP/1.1
Authorization: Bearer cNwIX…Nz
The application test_app has the right SYS_MON to the application test_app2, the right change_password to the user account BIP-3SGR7TA, the right ORG_ADMIN to the user group 1147746651733#
{
    "its|test_app2": {
        "SYS_MON": [
            "set_from_api"
        ]
    },
    "BIP-3SGR7TA": {
        "change_password": [
            "set_from_api"
        ]
    },
    "grps|1147746651733|orgs": {
        "ORG_ADMIN": [
            "set_from_api"
        ]
    }
}

Rights in relation to the user#

Method

GET https://login.company.com/blitz/api/v3/rights/on/<sub>

Returns the access rights granted on an access object that is a user.

Examples

GET /blitz/api/v3/rights/on/BIP-3SGR7TA HTTP/1.1
Authorization: Bearer cNwIX…Nz
The user BIP-1SEQ41A and the application test_app have the right change_password to the account BIP-3SGR7TA#
{
    "BIP-1SEQ41A": [
        "change_password"
    ],
    "its|test_app": [
        "change_password"
    ]
}

Rights in relation to a group of users#

Method

GET https://.../blitz/api/v3/rights/on/grps/<grp_id>?objectExt=<profile>

Returns the access rights granted on an access object that is a user group; objectExt names the profile the group belongs to (orgs in the example below).

Examples

GET /blitz/api/v3/rights/on/grps/1147746651733?objectExt=orgs HTTP/1.1
Authorization: Bearer cNwIX…Nz
The user BIP-1SEQ41A and the application test_app have the right ORG_ADMIN to the group 1147746651733 from the profile orgs#
{
    "BIP-1SEQ41A": [
        "ORG_ADMIN"
    ],
    "its|test_app": [
        "ORG_ADMIN"
    ]
}

Rights in relation to the application#

Method

GET https://login.company.com/blitz/api/v3/rights/on/its/<app_id>

Returns the access rights granted on an access object that is an application.

Examples

GET /blitz/api/v3/rights/on/its/test_app2 HTTP/1.1
Authorization: Bearer cNwIX…Nz
The user BIP-1SEQ41A has the right APP_ADMIN to the application test_app2, and the application test_app has the right SYS_MON to it#
{
    "BIP-1SEQ41A": [
        "APP_ADMIN"
    ],
    "its|test_app": [
        "SYS_MON"
    ]
}
If the access token has expired, the service returns HTTP 401 Unauthorized with the following JSON#
{
    "type": "security_error",
    "error": "bad_access_token",
    "desc": "expired_access_token"
}
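The keys in the responses above share one encoding: a bare identifier is a user account, "its|<app_id>" is an application, and "grps|<grp_id>|<profile>" is a user group with the profile that was passed as objectExt. The following is an added example (Python, not code from the Blitz documentation) that decodes those keys for both the /rights/of/ responses (object key to rights and tags) and the /rights/on/ responses (subject key to rights) and answers the question a caller usually has: does this subject hold this right on this object? The grammar is inferred from the responses on this page; Principal, parse_key, has_right and subjects_with_right are names of this example, and the two sample responses are copied from the examples above.

```python
"""Parse the subject/object keys in Blitz /rights/of/ and /rights/on/ responses.

Added example, not code from the Blitz documentation. The key grammar is
inferred from the responses shown on this page:
    "grps|<grp_id>|<profile>"  user group (profile = the objectExt value)
    "its|<app_id>"             application (relying party)
    "<sub>"                    user account (no prefix)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    kind: str                      # "user", "group" or "application"
    id: str
    profile: Optional[str] = None  # groups only


def parse_key(key: str) -> Principal:
    """Decode one response key; reject anything that does not match the grammar
    (an unexpected '|' would otherwise silently become part of an identifier)."""
    parts = key.split("|")
    if parts[0] == "grps":
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed group key: {key!r}")
        return Principal("group", parts[1], parts[2])
    if parts[0] == "its":
        if len(parts) != 2 or not parts[1]:
            raise ValueError(f"malformed application key: {key!r}")
        return Principal("application", parts[1])
    if len(parts) != 1 or not key:
        raise ValueError(f"malformed user key: {key!r}")
    return Principal("user", key)


# Shape of GET /rights/of/<sub> and /rights/of/its/<app_id>: object key -> {right: [tags]}
def rights_of(response: Dict[str, Dict[str, List[str]]]) -> Dict[Principal, Dict[str, List[str]]]:
    return {parse_key(k): v for k, v in response.items()}


def has_right(response: Dict[str, Dict[str, List[str]]], right: str,
              kind: str, obj_id: str, profile: Optional[str] = None) -> bool:
    """Authorization check against a /rights/of/ response. A right whose tag list
    is empty is treated as not granted (a conservative reading of the Warning in
    the revocation section; an assumption of this example)."""
    target = Principal(kind, obj_id, profile)
    for obj, rights in rights_of(response).items():
        if obj == target:
            return bool(rights.get(right))
    return False


# Shape of GET /rights/on/...: subject key -> [rights]
def subjects_with_right(response: Dict[str, List[str]], right: str) -> List[Principal]:
    return [parse_key(k) for k, rs in response.items() if right in rs]


# Sample responses copied from the examples on this page.
RIGHTS_OF_USER = {
    "grps|1147746651733|orgs": {"ORG_ADMIN": ["set_from_api", "another_one_tag"]},
    "its|test_app2": {"APP_ADMIN": ["set_from_api"]},
    "BIP-3SGR7TA": {"change_password": ["parent"]},
}
RIGHTS_ON_APP = {"BIP-1SEQ41A": ["APP_ADMIN"], "its|test_app": ["SYS_MON"]}

if __name__ == "__main__":
    for obj, rights in rights_of(RIGHTS_OF_USER).items():
        print(obj, rights)
    print(has_right(RIGHTS_OF_USER, "ORG_ADMIN", "group", "1147746651733", "orgs"))
    print(subjects_with_right(RIGHTS_ON_APP, "SYS_MON"))
```

parse_key rejects keys with missing or extra "|"-separated parts rather than guessing, because an identifier that contains the separator cannot be distinguished from a prefix; treat such a key as an error to investigate, not as a user named "grps".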

Assignment of rights#

Method

PUT https://login.company.com/blitz/api/v3/rights

Assigning access rights.

Request body
  • subject is the identifier of the subject to whom the right is assigned (user or application identifier);

  • subjectType is the type of the subject. Specified only when the subject is an application; the value is its;

  • object is the identifier of the object to which the right is assigned (the identifier of a user, user group, or application);

  • objectType is the type of the object. Specified only when the object is a user group (value grps) or an application (value its); omitted when the object is a user;

  • rights is an array with a list of assigned rights to the subject on the object;

  • tags is an array with a list of tags of assigned rights.

Returns
  • On successful assignment of access rights - HTTP 204 No Content.

  • If the access token has expired - HTTP 401 Unauthorized.

  • If the subject or object does not exist - HTTP 400 Bad Request.

Examples

Assigning access rights to a user to another user#
PUT /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "BIP-1SEQ41A",
    "object": "BIP-3SGR7TA",
    "rights": ["change_password"],
    "tags": ["set_from_api"]
}
Assigning user access rights to a group#
PUT /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "BIP-1SEQ41A",
    "object": "1147746651733",
    "objectType": "grps",
    "rights": ["ORG_ADMIN"],
    "tags": ["set_from_api"]
}
Assigning user access rights to an application#
PUT /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "BIP-1SEQ41A",
    "object": "test_app2",
    "objectType": "its",
    "rights": ["APP_ADMIN"],
    "tags": ["set_from_api"]
}
Assigning access rights to an application to a user#
PUT /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "test_app",
    "subjectType": "its",
    "object": "BIP-3SGR7TA",
    "rights": ["change_password"],
    "tags": ["set_from_api"]
}
Assigning access rights to an application for a group#
PUT /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "test_app",
    "subjectType": "its",
    "object": "1147746651733",
    "objectType": "grps",
    "rights": ["ORG_ADMIN"],
    "tags": ["set_from_api"]
}
Assigning access rights to an application to another application#
PUT /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "test_app",
    "subjectType": "its",
    "object": "test_app2",
    "objectType": "its",
    "rights": ["SYS_MON"],
    "tags": ["set_from_api"]
}
The access token has expired#
{
    "type": "security_error",
    "error": "bad_access_token",
    "desc": "expired_access_token"
}
The assigned right does not exist#
{
    "type": "process_error",
    "error": "unknown_right",
    "desc": "The specified right is unknown",
    "params": {
        "right": "change_password1"
    }
}
The user specified as the subject or object does not exist#
{
    "type": "process_error",
    "error": "unknown_user",
    "desc": "The specified user is unknown",
    "params": {
        "userId": "ivanov1"
    }
}
The group specified as an object does not exist#
{
    "type": "process_error",
    "error": "unknown_group",
    "desc": "The specified group is unknown",
    "params": {
        "grpId": "1147746651734"
    }
}
The specified application subject or object does not exist#
{
    "type": "process_error",
    "error": "unknown_rp",
    "desc": "The specified relying party is unknown",
    "params": {
        "rpId": "test_app3"
    }
}

Revocation of rights#

Method

DELETE https://login.company.com/blitz/api/v3/rights

Revocation of access rights.

Request body
  • subject is the identifier of the subject whose right is being revoked (user or application ID);

  • subjectType is the type of the subject. Specified only when the subject whose right is revoked is an application; the value is its;

  • object is the identifier of the object to which the right is being revoked (the identifier of a user, user group, or application);

  • objectType is the type of the object. Specified only when the right being revoked is to a user group (value grps) or to an application (value its);

  • rights is an array with a list of revoked rights of the subject to the object;

  • tags is an array with a list of tags of revoked rights.

    Warning

    If an access right was assigned to an access subject on an access object with several tags, all of those tags must be listed to revoke the right. If the revocation request lists only some of the tags, only those tags are removed, and the right remains in force as long as at least one tag is left.

Returns
  • In case of successful revocation of the access right, the service will return HTTP 204 No Content.

  • If the access token has expired - HTTP 401 Unauthorized.

  • If the revoked right, subject or object does not exist - HTTP 400 Bad Request.

Examples

Revoking a user’s access rights to another user#
DELETE /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "BIP-1SEQ41A",
    "object": "BIP-3SGR7TA",
    "rights": ["change_password"],
    "tags": ["set_from_api"]
}
Revoking a user’s access rights to a group#
DELETE /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "BIP-1SEQ41A",
    "object": "1147746651733",
    "objectType": "grps",
    "rights": ["ORG_ADMIN"],
    "tags": ["set_from_api"]
}
Revoking the user’s access rights to the application#
DELETE /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "BIP-1SEQ41A",
    "object": "test_app2",
    "objectType": "its",
    "rights": ["APP_ADMIN"],
    "tags": ["set_from_api"]
}
Revoking the application’s access rights to the user#
DELETE /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "test_app",
    "subjectType": "its",
    "object": "BIP-3SGR7TA",
    "rights": ["change_password"],
    "tags": ["set_from_api"]
}
Revoking the application’s access rights to the group#
DELETE /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "test_app",
    "subjectType": "its",
    "object": "1147746651733",
    "objectType": "grps",
    "rights": ["ORG_ADMIN"],
    "tags": ["set_from_api"]
}
Revoking the application’s access rights to another application#
DELETE /blitz/api/v3/rights HTTP/1.1
Authorization: Bearer cNwIXNz
Content-Type: application/json

{
    "subject": "test_app",
    "subjectType": "its",
    "object": "test_app2",
    "objectType": "its",
    "rights": ["SYS_MON"],
    "tags": ["set_from_api"]
}
The access token has expired#
{
    "type": "security_error",
    "error": "bad_access_token",
    "desc": "expired_access_token"
}
The revoked right does not exist#
{
    "type": "process_error",
    "error": "unknown_right",
    "desc": "The specified right is unknown",
    "params": {
        "right": "change_password1"
    }
}
The user specified as the subject or object does not exist#
{
    "type": "process_error",
    "error": "unknown_user",
    "desc": "The specified user is unknown",
    "params": {
        "userId": "ivanov1"
    }
}
The group specified as an object does not exist#
{
    "type": "process_error",
    "error": "unknown_group",
    "desc": "The specified group is unknown",
    "params": {
        "grpId": "1147746651734"
    }
}
The specified application subject or object does not exist#
{
    "type": "process_error",
    "error": "unknown_rp",
    "desc": "The specified relying party is unknown",
    "params": {
        "rpId": "test_app3"
    }
}
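The request body rules for assignment and revocation (subjectType only for an application subject, objectType only for a group or application object) and the tag Warning above are easy to get wrong in a client: a DELETE that names only the tags the caller remembers can leave the right in place. The following is an added example (Python, not code from the Blitz documentation) that builds the PUT/DELETE bodies from those rules and shows the safe revocation pattern: read the current tag list first, then DELETE with all of it. RightsStore is an in-memory stand-in for the service that models only the tag rule, so the example runs offline; rights_body, grant_key, revoke_fully and demo are names of this example, and the identifiers are those used in the examples above.

```python
"""Build PUT/DELETE /blitz/api/v3/rights bodies and revoke a right completely.

Added example, not code from the Blitz documentation. RightsStore is an
in-memory stand-in for the service that models only the tag rule from the
Warning above (a right remains while at least one tag remains), so the
example runs offline; against the real service the same bodies are sent
with Authorization: Bearer <blitz_rights_full_access token>.
"""
from typing import Dict, List, Optional, Set, Tuple

Grant = Tuple[Tuple[Optional[str], str], Tuple[Optional[str], str], str]


def rights_body(subject: str, obj: str, rights: List[str], tags: List[str],
                subject_is_app: bool = False, object_type: Optional[str] = None) -> dict:
    """Request body per the parameter list above: subjectType only for an
    application subject, objectType only for a group ("grps") or application
    ("its") object. Requiring non-empty rights/tags is a client-side check
    added by this example."""
    if object_type not in (None, "grps", "its"):
        raise ValueError("objectType must be omitted, 'grps' or 'its'")
    if not rights or not tags:
        raise ValueError("rights and tags must both be non-empty")
    body: dict = {"subject": subject}
    if subject_is_app:
        body["subjectType"] = "its"
    body["object"] = obj
    if object_type is not None:
        body["objectType"] = object_type
    body["rights"] = list(rights)
    body["tags"] = list(tags)
    return body


def grant_key(subject, obj, right, subject_is_app=False, object_type=None) -> Grant:
    return (("its" if subject_is_app else None, subject), (object_type, obj), right)


class RightsStore:
    """Models one rule only: (subject, object, right) -> set of tags."""

    def __init__(self) -> None:
        self._tags: Dict[Grant, Set[str]] = {}

    @staticmethod
    def _keys(body: dict) -> List[Grant]:
        return [grant_key(body["subject"], body["object"], r,
                          body.get("subjectType") == "its", body.get("objectType"))
                for r in body["rights"]]

    def put(self, body: dict) -> None:       # PUT /blitz/api/v3/rights
        for key in self._keys(body):
            self._tags.setdefault(key, set()).update(body["tags"])

    def delete(self, body: dict) -> None:    # DELETE /blitz/api/v3/rights
        for key in self._keys(body):
            left = self._tags.get(key)
            if left is None:
                continue
            left.difference_update(body["tags"])   # only the listed tags are removed
            if not left:                           # the right goes with its last tag
                del self._tags[key]

    def tags_of(self, *grant) -> Set[str]:
        return set(self._tags.get(grant_key(*grant), ()))

    def has(self, *grant) -> bool:
        return bool(self._tags.get(grant_key(*grant)))


def revoke_fully(store: RightsStore, subject: str, obj: str, right: str,
                 subject_is_app: bool = False, object_type: Optional[str] = None) -> Optional[dict]:
    """Revoke a right whatever tags it carries: read the current tag list first
    (against the real service: GET /rights/of/<sub> or /rights/of/its/<app_id>
    and take the tags under the object key), then DELETE with all of them.
    Returns the DELETE body sent, or None if the right was not held."""
    tags = store.tags_of(subject, obj, right, subject_is_app, object_type)
    if not tags:
        return None
    body = rights_body(subject, obj, [right], sorted(tags), subject_is_app, object_type)
    store.delete(body)
    return body


def demo() -> Tuple[bool, bool]:
    """ORG_ADMIN granted with two tags (as in the /rights/of/ example above):
    a DELETE naming one tag leaves the right in place, revoke_fully removes it."""
    store = RightsStore()
    grant = ("BIP-1SEQ41A", "1147746651733", "ORG_ADMIN", False, "grps")
    store.put(rights_body("BIP-1SEQ41A", "1147746651733", ["ORG_ADMIN"],
                          ["set_from_api", "another_one_tag"], object_type="grps"))
    store.delete(rights_body("BIP-1SEQ41A", "1147746651733", ["ORG_ADMIN"],
                             ["set_from_api"], object_type="grps"))
    after_partial = store.has(*grant)      # True: "another_one_tag" keeps it alive
    revoke_fully(store, *grant)
    after_full = store.has(*grant)         # False
    return after_partial, after_full


if __name__ == "__main__":
    print(demo())
```

When automating off-boarding or privilege clean-up against the real service, always follow the read-then-delete order shown in revoke_fully, and verify afterwards with GET /rights/of/<sub> that the object key no longer lists the right: a 204 from DELETE only confirms that the listed tags were removed.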

The rights of the master user in relation to the slave#

Method

POST https://login.company.com/blitz/api/v3/users/rights/change

Assigns and revokes the rights of the master user in relation to the slave user.

Attention

A revocation request can be executed by an application not only with a user access token obtained for the permission blitz_user_rights, but also with a system access token obtained for the permission blitz_rm_rights. In that case the subject of the revocation request may be any user: the system can revoke a user's rights without that user logging in and obtaining an access token.

Headers

The request must carry an Authorization header with an access token for the permission blitz_user_rights issued to the master user account (or, for revocation only, a blitz_rm_rights system token, see the note above).

Request body
Assignment of rights

A completed update block with a list of rights that should be added as a result of the operation.

Each right is described by the parameters:

  • subject is the identifier (sub) of the master user account;

  • object is the identifier (sub) of the slave user account;

  • rights is an array with the rights that the master user account receives in relation to the slave user account. For example, to allow changing the account password, specify the change_password right; to allow changing attributes, specify the change_attrs right, and so on;

  • tags is a list of tags indicating the reasons for which the user received the rights.

Revocation of rights

A completed delete block with a list of rights that should be revoked as a result of the operation.

Each right is described by the parameters:

  • subject is the identifier (sub) of the master user account;

  • object is the identifier (sub) of the slave user account;

  • rights is an array with the rights that are revoked from the master user account in relation to the slave user account;

  • tags is a list of tags indicating the reasons for which the user received the rights.

If the request assigns no rights (or revokes none), the update block (or the delete block, respectively) must still be present and empty. Several rights to assign or revoke can be listed in a single request, but the subject must be the user to whom the access token used to call the service was issued (with a blitz_rm_rights system token the revocation subject may be any user, see the note above).

Examples

Assignment of rights#
POST /blitz/api/v3/users/rights/change HTTP/1.1
Authorization: Bearer cNwIXTg
Content-Type: application/json

{
   "update":[
      {
         "subject":"6561d0d9-5583-4bb5-a681-b591358e5fcd",
         "object":"5cffd68f-2cb8-4f7a-b0f3-9fa69a1fbbcd",
         "rights":[
            "change_password"
         ],
         "tags":[
            "parent"
         ]
      },
      {
         "subject":"6561d0d9-5583-4bb5-a681-b591358e5fcd",
         "object":"b855957d-bf24-48d4-bb63-cce4f5064590d",
         "rights":[
            "change_password"
         ],
         "tags":[
            "parent"
         ]
      }
   ],
   "delete":[
   ]
}
Revocation of rights#
POST /blitz/api/v3/users/rights/change HTTP/1.1
Authorization: Bearer cNwIXTg
Content-Type: application/json

{
   "update":[
   ],
   "delete":[
      {
         "subject":"b855957d-bf24-48d4-bb63-cce4f5064590d",
         "object":"5cffd68f-2cb8-4f7a-b0f3-9fa69a1fbbcd",
         "rights":[
            "change_password"
         ],
         "tags":[
            "parent"
         ]
      }
   ]
}
In case of an error, the request is rejected in its entirety and a list of errors is returned#
{
   "errors" : [
      {
         "code" : "validation_error",
         "params" : {},
         "desc" : "(For subject 'dea75b73-a2ba-4b60-a41c-bb640968826b') Incorrect right '' to object '5cffd68f-2cb8-4f7a-b0f3-9fa69a1fbbcd'"
      },
      {
         "params" : {},
         "code" : "validation_error",
         "desc" : "(For subject 'dea75b73-a2ba-4b60-a41c-bb640968826b') Incorrect tag '' for right 'write' to object '5cffd68f-2cb8-4f7a-b0f3-9fa69a1fbbcd'"
      },
      {
         "desc" : "(For subject 'dea75b73-a2ba-4b60-a41c-bb640968826b') Incorrect object ''",
         "code" : "validation_error",
         "params" : {}
      },
      {
         "desc" : "Incorrect subject ''",
         "code" : "validation_error",
         "params" : {}
      }
   ]
}
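Because the service rejects the whole request when any entry is invalid, it pays to check the rules above on the client before sending: both blocks present (empty if unused), no empty subject, object, right or tag (the validation_error list above shows each of those being rejected), and every subject equal to the user the token was issued to. The following is an added example (Python, not code from the Blitz documentation) that builds the request body and collects every problem it finds, in the spirit of the errors array, plus a small helper to flatten that array. change_entry, validate_change, build_change_request and summarize_errors are names of this example; the subs are taken from the examples above. The page says nothing about a blitz_rm_rights system token in the update block, so the example keeps the owner check there and relaxes it only for delete (an assumption).

```python
"""Build and pre-validate a POST /blitz/api/v3/users/rights/change body.

Added example, not code from the Blitz documentation. It mirrors the rules
stated on this page: both blocks are always present (empty if unused);
subject, object, every right and every tag must be non-empty; and the
subject must be the user the blitz_user_rights token was issued to, except
that a blitz_rm_rights system token may name any user in the delete block.
Keeping the owner check for update under a system token is an assumption.
"""
from typing import Iterable, List, Optional


def change_entry(subject: str, obj: str, rights: Iterable[str], tags: Iterable[str]) -> dict:
    return {"subject": subject, "object": obj, "rights": list(rights), "tags": list(tags)}


def validate_change(token_sub: Optional[str], update: List[dict], delete: List[dict],
                    system_token: bool = False) -> List[str]:
    """Return every problem found, like the service's errors array, instead of
    stopping at the first one."""
    problems: List[str] = []
    for block, entries in (("update", update), ("delete", delete)):
        for e in entries:
            subject, obj = e.get("subject"), e.get("object")
            if not subject:
                problems.append(f"{block}: incorrect subject {subject!r}")
            if not obj:
                problems.append(f"{block}: incorrect object {obj!r} for subject {subject!r}")
            for r in e.get("rights") or [""]:
                if not r:
                    problems.append(f"{block}: incorrect right {r!r} to object {obj!r}")
            for t in e.get("tags") or [""]:
                if not t:
                    problems.append(f"{block}: incorrect tag {t!r} for subject {subject!r}")
            any_subject_ok = system_token and block == "delete"   # blitz_rm_rights case
            if subject and not any_subject_ok and subject != token_sub:
                problems.append(f"{block}: subject {subject!r} is not the token owner {token_sub!r}")
    return problems


def build_change_request(token_sub: Optional[str], update: Iterable[dict] = (),
                         delete: Iterable[dict] = (), system_token: bool = False) -> dict:
    update, delete = list(update), list(delete)
    problems = validate_change(token_sub, update, delete, system_token)
    if problems:
        raise ValueError("; ".join(problems))
    return {"update": update, "delete": delete}   # both blocks always present


def summarize_errors(response: dict) -> List[str]:
    """Flatten the errors array returned when the whole request is rejected."""
    return [f"{e.get('code', '?')}: {e.get('desc', '')}" for e in response.get("errors", [])]


MASTER = "6561d0d9-5583-4bb5-a681-b591358e5fcd"   # subs taken from the examples above
SLAVE = "5cffd68f-2cb8-4f7a-b0f3-9fa69a1fbbcd"

if __name__ == "__main__":
    print(build_change_request(MASTER, update=[change_entry(MASTER, SLAVE, ["change_password"], ["parent"])]))
    print(validate_change(MASTER, [change_entry("", SLAVE, [""], [""])], []))
```

A client that passes validate_change can still get an errors response (for example when the object sub does not exist), so treat the service's list as authoritative and the local check only as a way to fail early and to avoid sending a request that mixes the token owner's subject with somebody else's.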