Arpio API Guide - RBAC Provisioning


This is a supplementary guide to the Arpio API Guide, which has instructions on finding your Arpio account ID and creating an API key.


The Arpio API supports RBAC Role and Group administration. Request and response bodies for the RBAC API endpoints are in JSON format. Requests should include the "Content-Type: application/json" header.

Roles

For calls to the role endpoints, the request body must contain a JSON payload with the following required and optional variables, in the structure shown below.

{
  "name": "exampleName",
  "externalId": "exampleExternalID",
  "policies": [
    {
      "accessLevel": "app_test",
      "allApps": null,
      "appIds": [
        "FUbtuv2hiy8yaU2OdX9vyc"
      ]
    }
  ]
}

 

With the following variables:

  • name
    • A required field containing an identifying name to use for the role
  • externalId
    • An optional field used with SAML/SSO assertion to map directory roles/groups to Arpio roles/groups. Required for SAML provider role/group assertion.
  • policies
    • A list of policies for this role. A policy grants an access level to a set of applications or all applications. Account-level policies should not set the allApps or appIds fields. Each policy can contain the following fields:
      • accessLevel - a field to identify what level of access the role should have
        • "account_read" - can read everything in the Arpio account, but cannot modify anything.
        • "app_read" - can read all application information.
        • "app_manage" - app_read access, plus the ability to change application settings.
        • "app_test" - app_manage access, plus the ability to perform tests and modify sandbox settings.
        • "app_recover" - app_test access, plus the ability to recover applications with failback.
        • "app_admin" - Can perform every action on the application
        • "account_admin" - Can perform every action on all applications in the account, manage account-level settings and users.
      • allApps - an optional boolean field to scope the accessLevel to all applications under the account. 
        • Accepts the following values:
          • true - all applications under the account
          • false, null - only the applications listed in the appIds field
      • appIds - an optional field that takes a list of application IDs as provided by Arpio for each application under the account.
        • List in the form ["app1id", "app2id", "app3id"]
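
An added example (not part of the Arpio guide and not Arpio code): a local pre-flight check, in Python, that applies the field rules listed above to a role body before it is sent with POST or PUT, and flags broad grants for review. check_role is a hypothetical helper, and treating an app-level policy with neither allApps nor appIds as an error is an assumption.

```python
import json

# Access levels exactly as listed in this guide.
ACCESS_LEVELS = {"account_read", "app_read", "app_manage", "app_test",
                 "app_recover", "app_admin", "account_admin"}
ACCOUNT_LEVELS = {"account_read", "account_admin"}

def check_role(payload):
    """Return (errors, warnings) for a role request body. Hypothetical helper."""
    errors, warnings = [], []
    name = payload.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name is required")
    policies = payload.get("policies") or []
    if not isinstance(policies, list):
        return errors + ["policies must be a list"], warnings
    for i, policy in enumerate(policies):
        level = policy.get("accessLevel") if isinstance(policy, dict) else None
        if not isinstance(level, str) or level not in ACCESS_LEVELS:
            errors.append(f"policies[{i}]: unknown accessLevel {level!r}")
            continue
        all_apps, app_ids = policy.get("allApps"), policy.get("appIds") or []
        if level in ACCOUNT_LEVELS:
            # Guide: account-level policies should not set allApps or appIds.
            if all_apps is not None or app_ids:
                errors.append(f"policies[{i}]: {level} must not set allApps/appIds")
            elif level == "account_admin":
                warnings.append(f"policies[{i}]: account_admin covers the whole account")
        elif all_apps is True:
            warnings.append(f"policies[{i}]: {level} applies to every application")
        elif not app_ids:
            # Assumption: an app-level policy without any scope is a mistake.
            errors.append(f"policies[{i}]: {level} needs allApps=true or appIds")
    return errors, warnings

# Constructed sample bodies. GOOD mirrors the example body shown in this guide.
GOOD = json.loads('{"name": "exampleName", "externalId": "exampleExternalID",'
                  ' "policies": [{"accessLevel": "app_test", "allApps": null,'
                  ' "appIds": ["FUbtuv2hiy8yaU2OdX9vyc"]}]}')
BAD = {"name": "", "policies": [
    {"accessLevel": "account_read", "allApps": True},
    {"accessLevel": "app_manage"},
    {"accessLevel": "app_adminn", "appIds": ["constructed-app-id"]},
    {"accessLevel": "app_recover", "allApps": True},
    {"accessLevel": "account_admin"},
]}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, *check_role(body), sep="\n  ")
```

Warnings do not block a request; they mark the policies (account_admin, or allApps set to true) that a reviewer should confirm are intended before the role is created.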

 

Endpoints


/api/accounts/{account_id}/roles

and

/api/accounts/{account_id}/roles/{role_id}


Example calls

1. List roles for an account

curl -X GET "https://api.arpio.io/api/accounts/{account_id}/roles" \
-H "X-Api-Key: $ARPIO_API_KEY" 

Returns a list of roles with all fields and the role ID, which is used to get information about a specific role.

 

2. Create a new role

curl -X POST "https://api.arpio.io/api/accounts/{account_id}/roles" \
-H "X-Api-Key: $ARPIO_API_KEY" \
-H "Content-Type: application/json" \
-d "{json data}"

 

3. Get a specific role

curl -X GET "https://api.arpio.io/api/accounts/{account_id}/roles/{role_id}" \
-H "X-Api-Key: $ARPIO_API_KEY" 

 

4. Update a role

curl -X PUT "https://api.arpio.io/api/accounts/{account_id}/roles/{role_id}" \
-H "X-Api-Key: $ARPIO_API_KEY" \
-H "Content-Type: application/json" \
-d "{json data}"

Overwrites the existing role with the new data provided in the body.



5. Delete a role

curl -X DELETE "https://api.arpio.io/api/accounts/{account_id}/roles/{role_id}" \
-H "X-Api-Key: $ARPIO_API_KEY" 

 


Groups

For API calls to the group endpoints, the JSON body needs the following variables in the format shown:

{
  "name": "examplename",
  "externalId": "exampleExternalId",
  "roles": [
    "exampleRoleId1", "exampleRoleId2"
  ],
  "accountSubjects": [
    "subjectId1", "subjectId2"
  ]
}

 

With the following variables:

  • name
    • A required field containing an identifying name to use for the group
  • externalId
    • An optional field to allow SAML/SSO assertion. Required for SAML provider role/group assertion. 
  • roles
    • An optional field that takes a list of role IDs as provided by: curl -X GET "https://api.arpio.io/api/accounts/{account_id}/roles"
      • List in the form ["role1id", "role2id", "exampleroleid"]
  • accountSubjects
    • An optional field containing a list of user IDs as provided by: curl -X GET "https://api.arpio.io/api/accounts/{account_id}/subjects"
      • List in the form ["user1id", "user2id", "exampleuserid"]

Endpoints

/api/accounts/{account_id}/subjectGroups/
and

/api/accounts/{account_id}/subjectGroups/{account_subject_group_id}

Example calls

A. List account groups

curl -X GET "https://api.arpio.io/api/accounts/{account_id}/subjectGroups" \
-H "X-Api-Key: $ARPIO_API_KEY"


B. Create a new account group

curl -X POST "https://api.arpio.io/api/accounts/{account_id}/subjectGroups" \
-H "X-Api-Key: $ARPIO_API_KEY" \
-H "Content-Type: application/json" \
-d "{json data}"


C. Get a specific account group

curl -X GET "https://api.arpio.io/api/accounts/{account_id}/subjectGroups/{account_subject_group_id}" \
-H "X-Api-Key: $ARPIO_API_KEY"


D. Update an account group

curl -X PUT "https://api.arpio.io/api/accounts/{account_id}/subjectGroups/{account_subject_group_id}" \
-H "X-Api-Key: $ARPIO_API_KEY" \
-H "Content-Type: application/json" \
-d "{json data}"


E. Delete an account group

curl -X DELETE "https://api.arpio.io/api/accounts/{account_id}/subjectGroups/{account_subject_group_id}" \
-H "X-Api-Key: $ARPIO_API_KEY"