Version: v41

user

A user object

idstring<uuid>

The UUID of the returned object

Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059

source_user_idstring

The originating unique identifer for the user (UUID from local user store, principal from LDAP, ..) - only returned by the Role Store API

createdstring<date-time>

When the object was created

Example: 2017-01-01T15:05:05Z

updatedstring<date-time>

When the object was created

Example: 2017-01-01T15:05:05Z

updated_bystring<uuid>

ID of the user who updated the object

Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059

authorstring<uuid>

ID of the user who originally authored the object

Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059

commentstring

A comment describing the object

Example: A comment

tagsstring[]

Array of tag strings

principalstring

The principal name of the user. For IAM Local User Store users, the username.

distinguished_namestring

The distinguished name of the user

given_namestring

First name

full_namestring

Full name

job_titlestring

Job title

companystring

Company

departmentstring

Department

emailstring

Email address

telephonestring

Phone number

localestring

User's locale. Language code ISO 639-1 & country code ISO 3166-1 separated by a "_"

Example: fi_FI

roles object[]

The array of role IDs the user has. Boolean "explicit" denotes whether the role is granted explicitly or implicitly via a mapping.

Array [

idstring<uuid>

namestring

commentstring

A comment describing the object

Example: A comment

principal_public_key_stringsstring[]

Principal public keys, returned only from /users/resolve

permit_agentboolean

Permit agent, returned only from /users/resolve

access_group_idstring<uuid>

Scopes host and connection permissions to an access group

permissionspermission (string)[]

Array of permissions

Possible values: [licenses-manage, api-clients-manage, idp-clients-view, idp-clients-manage, connections-view, connections-manage, connections-playback, connections-terminate, connections-manual, connections-trail, connections-authorize, ueba-view, ueba-manage, hosts-view, hosts-manage, privx-host-provisioning, network-targets-view, network-targets-manage, role-target-resources-view, role-target-resources-manage, roles-view, roles-manage, sources-view, sources-manage, sources-data-push, users-view, users-manage, logs-view, logs-manage, workflows-manage, workflows-view, vault-manage, vault-add, access-groups-manage, workflows-requests-on-behalf, workflows-requests, authorized-keys-manage, settings-manage, settings-view, requests-view, certificates-view, webauthn-credentials-manage, mobilegw-view, mobilegw-manage, target-domains-view, target-domains-manage]

context object

Contextual limitation

enabledboolean

Are contextual limitations enabled

block_roleboolean

If set to true and contextual limitations do not allow role/object, then the role/object is blocked. Otherwise the role/object is granted and an audit event is triggered.

validitystring[]

Possible values: [MON, TUE, WED, THU, FRI, SAT, SUN]

start_timestring

Start time of day as HH:MM when contextual limit allows access

end_timestring

End time of day as HH:MM when contextual limit allows access

timezonestring

Time zone of start_time and end_time

ip_masksstring[]

explicitboolean

Is the role explicitly granted to the user

Default value: false

implicitboolean

Has the user implicitly gained the role or not.

Default value: false

systemboolean

Default value: false

grant_typestring

Is the role granted permanently, or is the grant time restricted, or a floating window. The floating window starts upon initial connection at which time the Role Store converts the floating window to explicit time-restricted window.

Possible values: [PERMANENT, TIME_RESTRICTED, FLOATING]

grant_validity_periods object[]

Array of validity periods for this role. This array replaces grant_start and grant_end attributes in role object.

Array [

grant_startstring<date-time>

Date & time after which the role is granted to the user in ISO8601

Example: 2017-01-01T15:05:05Z

grant_endstring<date-time>

Date & time after which the role is removed from the user in ISO8601

Example: 2017-01-02T15:05:05Z

]

floating_lengthinteger

Duration for which the grant should last after initial connection, specified in hours

Example: 24

]

attributes object[]

Custom user attributes array.

Array [

keystringrequired

Example: aws_account

valuestringrequired

Example: admin-bob

]

permissionspermission (string)[]

Array of permissions

sourcestring

Source ID

mfa object

statusstring

Possible values: [ENABLED, DISABLED, UNINITIALIZED]

seed object

seed_stringstring

The MFA seed in textual format

seed_qr_codestring

The MFA-seed QR code in base64 encoded format (PNG file)

stale_access_tokenboolean

The access token used for fetching the user object has permissions that are out of sync. The requester should refresh the access token before the next REST API call. This field is set only by /users/current endpoint.

authorized_keys object[]

Array [

idstring<uuid>

Unique identifier for authorized key

Example: 2765b005-4ce1-4b2b-a9ca-ee6c4d6f2792

usernamestring

Username of the authorized key owner

Example: joe@privx.com

user_idstring<uuid>

User id of the authorized key owner

Example: f2f448d8-0397-4894-982f-9a58a43921db

sourcestring<uuid>

User source ID

namestringrequired

Name for authorized key

Example: work

commentstring

Comment for authorized key

Example: Joe's work laptop key

public_keystringrequired

Public key data in ssh authorized key format

Example:

AAAAB3NzaC1yc2EAAAADAQABAAABAQDqoMogqErOw7lL3GD6Ez7Hv1FZBk0Iyk2pBFUhqb9sjY9IEw8P9OWFwLMhWQ4LNvekPAnmr03pMHSSP7Pw98+Izy0HxcHZGKcrDOIjnHF5Fog3w4rBYa6OxdcJRxctifx5szqmM4JkUNS1RJY5E4ns4xCgFV46Satph02M+eP9PXGh+ZecSNtdLoOovVuolEUdb8dINgto8zsjEuAQ+76qOEgAIuSsYlzGGZPyPnATtkUi/rK9fcAfbhSqSXNxFqf7wejEKwA1kFt8hSW2bUWJH268fqnejFwHjBTzjBw89dji6141ajAP8/Q2gZug0bb1U70PE4afE3fFh2VCfhwT

not_beforestring<date-time>

Start of key validity period

Example: 2020-07-31T17:32:28Z

not_afterstring<date-time>

End of key validity period

Example: 2022-07-31T17:32:28Z

expires_ininteger

Time in seconds to key expiry. Value is not set if key is not yet valid.

source_addressstring[]

fingerprintsstring[]

]

webauthn_credentials object[]

Array [

idstring<uuid>required

Credential UUID

credential_idstring

Webauthn credential ID

namestring

Credential name

commentstring

Optional comment

last_usedstring<date-time>

Timestamp of last login event using this credential

Example: 2017-01-01T15:05:05Z

createdstring<date-time>

Creation timestamp

Example: 2017-01-01T15:05:05Z

authorstring<uuid>

ID of the user who originally authored the object

updatedstring<date-time>

Update timestamp

Example: 2017-01-01T15:05:05Z

updated_bystring<uuid>

ID of the user who updated the object

Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059

]

user
{
  "id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "created": "2017-01-01T15:05:05Z",
  "updated": "2017-01-01T15:05:05Z",
  "updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "comment": "A comment",
  "tags": [
    "string"
  ],
  "principal": "string",
  "distinguished_name": "string",
  "given_name": "string",
  "full_name": "string",
  "job_title": "string",
  "company": "string",
  "department": "string",
  "email": "string",
  "telephone": "string",
  "locale": "fi_FI",
  "roles": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "comment": "A comment",
      "principal_public_key_strings": [
        "string"
      ],
      "permit_agent": true,
      "access_group_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "permissions": [
        "licenses-manage"
      ],
      "context": {
        "enabled": true,
        "block_role": true,
        "validity": [
          "MON"
        ],
        "start_time": "string",
        "end_time": "string",
        "timezone": "string",
        "ip_masks": [
          "string"
        ]
      },
      "explicit": false,
      "implicit": false,
      "system": false,
      "grant_type": "PERMANENT",
      "grant_validity_periods": [
        {
          "grant_start": "2017-01-01T15:05:05Z",
          "grant_end": "2017-01-02T15:05:05Z"
        }
      ],
      "floating_length": 24
    }
  ],
  "attributes": [
    {
      "key": "aws_account",
      "value": "admin-bob"
    }
  ],
  "permissions": [
    "licenses-manage"
  ],
  "source": "string",
  "mfa": {
    "status": "ENABLED",
    "seed": {
      "seed_string": "string",
      "seed_qr_code": "string"
    }
  },
  "stale_access_token": true,
  "authorized_keys": [
    {
      "id": "2765b005-4ce1-4b2b-a9ca-ee6c4d6f2792",
      "username": "joe@privx.com",
      "user_id": "f2f448d8-0397-4894-982f-9a58a43921db",
      "source": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "work",
      "comment": "Joe's work laptop key",
      "public_key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDqoMogqErOw7lL3GD6Ez7Hv1FZBk0Iyk2pBFUhqb9sjY9IEw8P9OWFwLMhWQ4LNvekPAnmr03pMHSSP7Pw98+Izy0HxcHZGKcrDOIjnHF5Fog3w4rBYa6OxdcJRxctifx5szqmM4JkUNS1RJY5E4ns4xCgFV46Satph02M+eP9PXGh+ZecSNtdLoOovVuolEUdb8dINgto8zsjEuAQ+76qOEgAIuSsYlzGGZPyPnATtkUi/rK9fcAfbhSqSXNxFqf7wejEKwA1kFt8hSW2bUWJH268fqnejFwHjBTzjBw89dji6141ajAP8/Q2gZug0bb1U70PE4afE3fFh2VCfhwT",
      "not_before": "2020-07-31T17:32:28Z",
      "not_after": "2022-07-31T17:32:28Z",
      "expires_in": 0,
      "source_address": [
        "192.168.100.0/24"
      ],
      "fingerprints": [
        "SHA256:bdeYZ2qiEwCOCuf0oTvya/aH4Vo+nJLIauDKm/D8btM"
      ]
    }
  ],
  "webauthn_credentials": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "credential_id": "string",
      "name": "string",
      "comment": "string",
      "last_used": "2017-01-01T15:05:05Z",
      "created": "2017-01-01T15:05:05Z",
      "author": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "updated": "2017-01-01T15:05:05Z",
      "updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059"
    }
  ]
}