Version: v41

role_handle

A simple role handle for getting & updating user roles

id string<uuid>
name string
comment string

A comment describing the object

Example: A comment
principal_public_key_strings string[]

Principal public keys, returned only from /users/resolve

permit_agent boolean

Permit agent, returned only from /users/resolve

access_group_id string<uuid>

Scopes host and connection permissions to an access group

permissions permission (string)[]

Array of permissions

Possible values: [licenses-manage, api-clients-manage, idp-clients-view, idp-clients-manage, connections-view, connections-manage, connections-playback, connections-terminate, connections-manual, connections-trail, connections-authorize, ueba-view, ueba-manage, hosts-view, hosts-manage, privx-host-provisioning, network-targets-view, network-targets-manage, role-target-resources-view, role-target-resources-manage, roles-view, roles-manage, sources-view, sources-manage, sources-data-push, users-view, users-manage, logs-view, logs-manage, workflows-manage, workflows-view, vault-manage, vault-add, access-groups-manage, workflows-requests-on-behalf, workflows-requests, authorized-keys-manage, settings-manage, settings-view, requests-view, certificates-view, webauthn-credentials-manage, mobilegw-view, mobilegw-manage, target-domains-view, target-domains-manage]

context object

Contextual limitation

enabled boolean

Are contextual limitations enabled

block_role boolean

If set to true and contextual limitations do not allow role/object, then the role/object is blocked. Otherwise the role/object is granted and an audit event is triggered.

validity string[]

Possible values: [MON, TUE, WED, THU, FRI, SAT, SUN]

start_time string

Start time of day as HH:MM when contextual limit allows access

end_time string

End time of day as HH:MM when contextual limit allows access

timezone string

Time zone of start_time and end_time

ip_masks string[]
explicit boolean

Is the role explicitly granted to the user

Default value: false
implicit boolean

Has the user implicitly gained the role or not.

Default value: false
system boolean
Default value: false
grant_type string

Whether the role is granted permanently, for a restricted time, or as a floating window. The floating window starts upon initial connection, at which time the Role Store converts the floating window to an explicit time-restricted window.

Possible values: [PERMANENT, TIME_RESTRICTED, FLOATING]

grant_validity_periods object[]

Array of validity periods for this role. This array replaces grant_start and grant_end attributes in role object.

  • Array [
    grant_start string<date-time>

    Date & time after which the role is granted to the user in ISO8601

    Example: 2017-01-01T15:05:05Z
    grant_end string<date-time>

    Date & time after which the role is removed from the user in ISO8601

    Example: 2017-01-02T15:05:05Z
  • ]

floating_length integer

Duration for which the grant should last after initial connection, specified in hours

Example: 24

role_handle
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "comment": "A comment",
      "principal_public_key_strings": [
        "string"
      ],
      "permit_agent": true,
      "access_group_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "permissions": [
        "licenses-manage"
      ],
      "context": {
        "enabled": true,
        "block_role": true,
        "validity": [
          "MON"
        ],
        "start_time": "string",
        "end_time": "string",
        "timezone": "string",
        "ip_masks": [
          "string"
        ]
      },
      "explicit": false,
      "implicit": false,
      "system": false,
      "grant_type": "PERMANENT",
      "grant_validity_periods": [
        {
          "grant_start": "2017-01-01T15:05:05Z",
          "grant_end": "2017-01-02T15:05:05Z"
        }
      ],
      "floating_length": 24
    }
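
The block_role rule described for the context object, as an added example for reviewing role definitions (not code from the product or its documentation). The function name, the GRANT / GRANT_AUDIT / BLOCK labels and the sample role are hypothetical; it assumes ip_masks are CIDR strings, that an empty validity or ip_masks list places no restriction, that a window whose start_time is later than its end_time wraps past midnight, and that the caller passes a time already expressed in the context's timezone.

```python
import ipaddress
from datetime import datetime, time

DAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]  # datetime.weekday() order


def _in_window(now: time, start: str, end: str) -> bool:
    """HH:MM window check. Assumption: start > end means the window wraps midnight."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    return s <= now < e if s <= e else (now >= s or now < e)


def context_decision(role: dict, when_local: datetime, client_ip: str) -> str:
    """Return GRANT, GRANT_AUDIT or BLOCK for one role_handle.

    Assumption: when_local is already expressed in the context's `timezone`.
    """
    ctx = role.get("context") or {}
    if not ctx.get("enabled"):
        return "GRANT"  # contextual limitations are switched off
    allowed = True
    if ctx.get("validity"):
        allowed &= DAYS[when_local.weekday()] in ctx["validity"]
    if ctx.get("start_time") and ctx.get("end_time"):
        allowed &= _in_window(when_local.time(), ctx["start_time"], ctx["end_time"])
    if ctx.get("ip_masks"):  # assumption: masks are CIDR strings
        ip = ipaddress.ip_address(client_ip)
        allowed &= any(ip in ipaddress.ip_network(m, strict=False)
                       for m in ctx["ip_masks"])
    if allowed:
        return "GRANT"
    # Documented rule: block_role=true blocks; otherwise grant and raise an audit event.
    return "BLOCK" if ctx.get("block_role") else "GRANT_AUDIT"


# Constructed sample role_handle (illustrative values, not from a real deployment).
ROLE = {
    "name": "db-admins",
    "context": {
        "enabled": True, "block_role": True,
        "validity": ["MON", "TUE", "WED", "THU", "FRI"],
        "start_time": "08:00", "end_time": "18:00",
        "timezone": "UTC", "ip_masks": ["10.0.0.0/8"],
    },
}

if __name__ == "__main__":
    print(context_decision(ROLE, datetime(2024, 1, 6, 9, 0), "10.1.2.3"))
```

A role that returns GRANT_AUDIT outside its window has block_role set to false, so its contextual limits only generate audit events and do not restrict access.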