Skip to main content
Version: v41

role_handle

A simple role handle for getting & updating user roles

idstring<uuid>
namestring
commentstring

A comment describing the object

Example: A comment
principal_public_key_stringsstring[]

Principal public keys, returned only from /users/resolve

permit_agentboolean

Permit agent, returned only from /users/resolve

access_group_idstring<uuid>

Scopes host and connection permissions to an access group

permissionspermission (string)[]

Array of permissions

Possible values: [licenses-manage, api-clients-manage, idp-clients-view, idp-clients-manage, connections-view, connections-manage, connections-playback, connections-terminate, connections-manual, connections-trail, connections-authorize, ueba-view, ueba-manage, hosts-view, hosts-manage, privx-host-provisioning, network-targets-view, network-targets-manage, role-target-resources-view, role-target-resources-manage, roles-view, roles-manage, sources-view, sources-manage, sources-data-push, users-view, users-manage, logs-view, logs-manage, workflows-manage, workflows-view, vault-manage, vault-add, access-groups-manage, workflows-requests-on-behalf, workflows-requests, authorized-keys-manage, settings-manage, settings-view, requests-view, certificates-view, webauthn-credentials-manage, mobilegw-view, mobilegw-manage, target-domains-view, target-domains-manage]

context object

Contextual limitation

enabledboolean

Are contextual limitations enabled

block_roleboolean

If set to true and contextual limitations do not allow role/object, then the role/object is blocked. Otherwise the role/object is granted and an audit event is triggered.

validitystring[]

Possible values: [MON, TUE, WED, THU, FRI, SAT, SUN]

start_timestring

Start time of day as HH:MM when contextual limit allows access

end_timestring

End time of day as HH:MM when contextual limit allows access

timezonestring

Time zone of start_time and end_time

ip_masksstring[]
explicitboolean

Is the role explicitly granted to the user

Default value: false
implicitboolean

Has the user implicitly gained the role or not.

Default value: false
systemboolean
Default value: false
grant_typestring

Is the role granted permanently, or is the grant time restricted, or a floating window. The floating window starts upon initial connection at which time the Role Store converts the floating window to explicit time-restricted window.

Possible values: [PERMANENT, TIME_RESTRICTED, FLOATING]

grant_validity_periods object[]

Array of validity periods for this role. This array replaces grant_start and grant_end attributes in role object.

  • Array [
    • grant_startstring<date-time>

    Date & time after which the role is granted to the user in ISO8601

    Example: 2017-01-01T15:05:05Z
    grant_endstring<date-time>

    Date & time after which the role is removed from the user in ISO8601

    Example: 2017-01-02T15:05:05Z
  • ]
    • floating_lengthinteger

    Duration for which the grant should last after initial connection, specified in hours

    Example: 24
    role_handle
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "comment": "A comment",
      "principal_public_key_strings": [
        "string"
      ],
      "permit_agent": true,
      "access_group_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "permissions": [
        "licenses-manage"
      ],
      "context": {
        "enabled": true,
        "block_role": true,
        "validity": [
          "MON"
        ],
        "start_time": "string",
        "end_time": "string",
        "timezone": "string",
        "ip_masks": [
          "string"
        ]
      },
      "explicit": false,
      "implicit": false,
      "system": false,
      "grant_type": "PERMANENT",
      "grant_validity_periods": [
        {
          "grant_start": "2017-01-01T15:05:05Z",
          "grant_end": "2017-01-02T15:05:05Z"
        }
      ],
      "floating_length": 24
    }