18. Permissions
Permissions are used to manage access to resources by subaccounts. A main account user can choose to expose only certain resources to certain subaccounts. Moreover, wildcard permissions entries are also possible to give a subaccount access to all resources within a specific type of services.
When subaccount creates new resources it will automatically get permission entries to those particular resources.
Get permissions
Returns a list of objects that describe the permissions. For main account, all the defined permissions are returned. For subaccounts, only the applicable permissions are returned.
Request
Normal response for a main account (main_account_user1)
{
"permissions": {
"permission": [
{
"target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
"target_type": "managed_loadbalancer",
"user": "sub_account_user1"
},
{
"target_identifier": "0603a187-3ede-4aae-883e-85ea3e69babc",
"target_type": "object_storage",
"user": "sub_account_user1"
},
{
"target_identifier": "0973a187-3ede-4jze-133e-85ea3e61b5bc",
"target_type": "managed_object_storage",
"user": "sub_account_user1"
},
{
"options": {
"storage": "yes"
},
"target_identifier": "tag1",
"target_type": "tag_access",
"user": "sub_account_user1"
},
{
"target_identifier": "*",
"target_type": "router",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "server",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "storage",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "managed_database",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "managed_loadbalancer",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "tag_access",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "object_storage",
"user": "main_account_user1"
},
{
"target_identifier": "*",
"target_type": "network",
"user": "main_account_user1"
}
]
}
}
For descriptions of the attributes refer to Grant Permission.
Normal response for a subaccount (sub_account_user1)
{
"permissions": {
"permission": [
{
"target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
"target_type": "managed_loadbalancer",
"user": "sub_account_user1"
},
{
"target_identifier": "0603a187-3ede-4aae-883e-85ea3e69babc",
"target_type": "object_storage",
"user": "sub_account_user1"
},
{
"target_identifier": "9303a187-3ede-4lwe-884v-25ea3e69babc",
"target_type": "object_storage",
"user": "sub_account_user1"
},
{
"options": {
"storage": "yes"
},
"target_identifier": "tag1",
"target_type": "tag_access",
"user": "sub_account_user1"
}
]
}
}
For descriptions of the attributes refer to Grant Permission.
Grant permission
Grants a permission to a subaccount. Only main account user can grant permissions.
The call to grant is idempotent. This means that if there already is an existing permission with matching target type,
identifier and user, it will be replaced with the new one. Note that omitting options attribute means "don't change options".
Grants where the user attribute refers to a main account don't make any changes as the main account has implicit
access to all resources.
It is currently not possible to grant permissions to users that are not part of the main account used to manage the permissions.
Request
{
"permission": {
"options": {},
"target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
"target_type": "managed_loadbalancer",
"user": "sub_account_user1"
}
}
Normal response
{
"permission": {
"options": {},
"target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
"target_type": "managed_loadbalancer",
"user": "sub_account_user1"
}
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| target_identifier | Valid UUID / * |
yes | Specifies a resource to grant access to or a wildcard |
| target_type | Valid target type, see below | yes | Specifies the target type to grant access to |
| user | Valid subaccount username | yes | Specifies the user who to grant the access |
| options | Valid options object, see below | no | Specifies target type specific options |
Valid target types
| Target type | Description |
|---|---|
server |
Virtual server |
storage |
Storage for a virtual server |
network |
Private SDN Network |
router |
Private SDN Router |
network_gateway |
Network gateway |
object_storage |
Object Storage |
managed_database |
Managed Database |
managed_loadbalancer |
Managed Load Balancer |
managed_object_storage |
Managed Object Storage |
tag_access |
Accounts that have access to this tag have automatically access to virtual servers with this tag |
Valid options
| Option | Applicable target type | Accepted value | Description |
|---|---|---|---|
| storage | tag_access | yes / no |
Whether the tag referenced server's storages are accessible |
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 400 Bad Request | TARGET_TYPE_INVALID | Invalid target type. |
| 400 Bad Request | TARGET_IDENTIFIER_INVALID | Invalid target identifier. |
| 400 Bad Request | USER_INVALID | Invalid user name. |
| 400 Bad Request | INVALID_OPTIONS | Either unknown or not supported options. |
| 403 Forbidden | ACTION_FORBIDDEN | A subaccount cannot manage permissions. |
| 403 Forbidden | ACCOUNT_FORBIDDEN | The account referenced by user attribute either doesn't exist or is not part of the main account. |
Revoke permission
Revokes a permission from a subaccount user account. Only main account can revoke permissions.
The call to grant is idempotent. This means that if there is no existing permission for with matching target type, identifier and user
this call will do nothing. Revoking a wildcard permission doesn't remove more specific ones. Note that the options attribute
has no meaning when revoking.
Revokes where the user attribute refers to a main account don't make any changes as the main account has implicit
access to all resources.
Request
{
"permission": {
"target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
"target_type": "managed_loadbalancer",
"user": "sub_account_user1"
}
}
Normal response
Attributes
For descriptions of the attributes refer to Grant Permission.