API Permissions
This section gives an overview of all the permissions a principal (a user or an API client) can hold in the application, with a description of each. Global permissions apply application-wide; the other permission types are scoped to, and only valid for, a specific resource. For example, a user can hold a Realm permission for Realm A but not for Realm B. The description of each endpoint includes a section listing the permissions that endpoint requires. These are to be understood as applying to the resources involved in the call, such as its inputs and outputs.
Global Permissions
Global permissions are not linked to a specific resource.

| Permission | Description |
|---|---|
| ADMIN | Full permissions for all Realms and the resources belonging to them (Policies, End Entities, Certificate Requests, Certificates), full User/API Client permissions, and maintenance operations (deletion of archived entities) |
| REALMS_FULL_READ | Permission to read all Realms and the resources belonging to them (Policies, End Entities, Certificate Requests, Certificates) |
| REALMS_CREATE | Permission to create Realms |
| APICLIENTS_READ | Permission to read all API Clients |
| APICLIENTS_CREATE | Permission to create API Clients |
| APICLIENTS_UPDATE | Permission to update API Clients (name, default policy, …) |
| APICLIENTS_DELETE | Permission to delete API Clients |
| USERS_READ | Permission to read all Users |
| USERS_CREATE | Permission to create Users |
| USERS_UPDATE | Permission to update Users (name, email, …) |
Realm Permissions
Realm permissions are always assigned to a specific Realm, identified by its Realm ID.

| Permission | Description |
|---|---|
| FULL_READ | Permission to read the Realm and the resources belonging to it (Policies, End Entities, Certificate Requests, Certificates) |
| READ | Permission to read the Realm |
| UPDATE | Permission to update and archive the Realm |
| POLICIES_READ | Permission to read all Policies within the Realm |
| POLICIES_CREATE | Permission to create Policies within the Realm |
| POLICIES_UPDATE | Permission to update Policies within the Realm |
| POLICIES_CERTS_READ | Permission to read all Certificates and Certificate Requests within the Realm |
| POLICIES_CERTS_CREATE | Permission to create Certificates/Certificate Requests within the Realm |
| POLICIES_CERTS_REVOKE | Permission to revoke a Certificate within the Realm. If the intended use case is to revoke all Certificates in a Realm, also grant the FULL_READ permission to the user/API client. |
| POLICIES_CERTREQS_APPROVE | Permission to approve/decline a Certificate Request within the Realm |
| ENDENTITIES_READ | Permission to read all End Entities within the Realm |
| ENDENTITIES_CREATE | Permission to create End Entities within the Realm |
| ENDENTITIES_UPDATE | Permission to update End Entities within the Realm |
Policy Permissions
Policy permissions are always assigned to a specific Policy, identified by its Policy ID.

| Permission | Description |
|---|---|
| READ | Permission to read the Policy |
| UPDATE | Permission to update and archive the Policy; required for End Entity password operations |
| CERTS_READ | Permission to read all Certificates and Certificate Requests connected with the Policy |
| CERTS_CREATE | Permission to create a Certificate Request connected with the Policy |
| CERTS_REVOKE | Permission to revoke a Certificate connected with the Policy |
| CERTREQS_APPROVE | Permission to approve/decline Certificate Requests connected with the Policy |
End Entity Permissions
End Entity permissions are always assigned to a specific End Entity, identified by its End Entity ID.

| Permission | Description |
|---|---|
| READ | Permission to read the End Entity and set the End Entity alias |
| UPDATE | Permission to update and archive the End Entity; required for End Entity password operations |