Permissions

Permissions are used to manage access to resources by subaccounts. A main account user can choose to expose only certain resources to certain subaccounts. Moreover, wildcard permissions entries are also possible to give a subaccount access to all resources within a specific type of services.

When subaccount creates new resources it will automatically get permission entries to those particular resources.

Get permissions

Returns a list of objects that describe the permissions. For main account, all the defined permissions are returned. For subaccounts, only the applicable permissions are returned.

Request

GET /1.3/permission HTTP/1.1

Normal response for a main account (main_account_user1)

HTTP/1.1 200 OK
{
  "permissions": {
    "permission": [
      {
        "target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
        "target_type": "managed_loadbalancer",
        "user": "sub_account_user1"
      },
      {
        "target_identifier": "0603a187-3ede-4aae-883e-85ea3e69babc",
        "target_type": "object_storage",
        "user": "sub_account_user1"
      },
      {
        "options": {
          "storage": "yes"
        },
        "target_identifier": "tag1",
        "target_type": "tag_access",
        "user": "sub_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "router",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "server",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "storage",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "managed_database",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "managed_loadbalancer",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "tag_access",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "object_storage",
        "user": "main_account_user1"
      },
      {
        "target_identifier": "*",
        "target_type": "network",
        "user": "main_account_user1"
      }
    ]
  }
}

For descriptions of the attributes refer to Grant Permission.

Normal response for a subaccount (sub_account_user1)

HTTP/1.1 200 OK
{
  "permissions": {
    "permission": [
      {
        "target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
        "target_type": "managed_loadbalancer",
        "user": "sub_account_user1"
      },
      {
        "target_identifier": "0603a187-3ede-4aae-883e-85ea3e69babc",
        "target_type": "object_storage",
        "user": "sub_account_user1"
      },
      {
        "options": {
          "storage": "yes"
        },
        "target_identifier": "tag1",
        "target_type": "tag_access",
        "user": "sub_account_user1"
      }
    ]
  }
}

For descriptions of the attributes refer to Grant Permission.

Grant permission

Grants a permission to a subaccount. Only main account user can grant permissions.

The call to grant is idempotent. This means that if there already is an existing permission with matching target type, identifier and user, it will be replaced with the new one. Note that omitting options attribute means "don't change options".

Grants where the user attribute refers to a main account don't make any changes as the main account has implicit access to all resources.

It is currently not possible to grant permissions to users that are not part of the main account used to manage the permissions.

Request

POST /1.3/permission/grant HTTP/1.1
{
  "permission": {
    "options": {},
    "target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
    "target_type": "managed_loadbalancer",
    "user": "sub_account_user1"
  }
}

Normal response

HTTP/1.1 200 OK
{
  "permission": {
    "options": {},
    "target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
    "target_type": "managed_loadbalancer",
    "user": "sub_account_user1"
  }
}

Attributes

Attribute Accepted value Required Description
target_identifier Valid UUID / * yes Specifies a resource to grant access to or a wildcard
target_type Valid target type, see below yes Specifies the target type to grant access to
user Valid subaccount username yes Specifies the user who to grant the access
options Valid options object, see below no Specifies target type specific options

Valid target types

Target type Description
server Virtual server
storage Storage for a virtual server
network Private SDN Network
router Private SDN Router
object_storage Object Storage
managed_database Managed Database
managed_loadbalancer Managed Load Balancer
tag_access Accounts that have access to this tag have automatically access to virtual servers with this tag

Valid options

Option Applicable target type Accepted value Description
storage tag_access yes / no Whether the tag referenced server's storages are accessible

Error response

HTTP status Error code Description
400 Bad Request TARGET_TYPE_INVALID Invalid target type.
400 Bad Request TARGET_IDENTIFIER_INVALID Invalid target identifier.
400 Bad Request USER_INVALID Invalid user name.
400 Bad Request INVALID_OPTIONS Either unknown or not supported options.
403 Forbidden ACTION_FORBIDDEN A subaccount cannot manage permissions.
403 Forbidden ACCOUNT_FORBIDDEN The account referenced by user attribute either doesn't exist or is not part of the main account.

Revoke permission

Revokes a permission from a subaccount user account. Only main account can revoke permissions.

The call to grant is idempotent. This means that if there is no existing permission for with matching target type, identifier and user this call will do nothing. Revoking a wildcard permission doesn't remove more specific ones. Note that the options attribute has no meaning when revoking.

Revokes where the user attribute refers to a main account don't make any changes as the main account has implicit access to all resources.

Request

POST /1.3/permission/revoke HTTP/1.1
{
  "permission": {
    "target_identifier": "0ad9408c-8563-4abf-b862-dbde5b581123",
    "target_type": "managed_loadbalancer",
    "user": "sub_account_user1"
  }
}

Normal response

HTTP/1.1 204 No Content

Attributes

For descriptions of the attributes refer to Grant Permission.