Adding Roles to Users in IQ Server via REST API

I frequently get asked by our customers how they can programmatically manage user permissions in IQ Server.

You will first need to understand the Organization and Application Hierarchy and Inheritance. Once you have a good handle on that, take some time to read through the Role Management documentation to get an understanding of the different roles and permissions in the IQ Server. You can then refer to the documentation for the REST APIs.

There are three “roleMembers” resources that you will need to GET or PUT depending on which level of the hierarchy you are updating:

  • /api/v2/organizations/ROOT_ORGANIZATION_ID/roleMembers
  • /api/v2/organizations/{organizationInternalId}/roleMembers
  • /api/v2/applications/{applicationInternalId}/roleMembers

Starting with a brand new IQ Server Release 54, I have added one user account and assigned it the developer role at the sandbox application level:

For this exercise, I will add another user to the developer role for the sandbox application. NOTE: The UUIDs will be different in your instance of IQ Server.

Step 1. Get the Internal Application ID

curl -X GET 'http://localhost:8070/api/v2/applications?publicId=sandbox-application'

This returns the following JSON. We’ll need the “internal” ID field for the next step: 943c3ca4833d4dd58067cf6985987291

{
    "applications": [
        {
            "id": "943c3ca4833d4dd58067cf6985987291",
            "publicId": "sandbox-application",
            "name": "Sandbox Application",
            "organizationId": "99321cd896dd4d3284382b4e89abd400",
            "contactUserName": null,
            "applicationTags": []
        }
    ]
}

Step 2. Get the current Role Members for the Sandbox Application

curl -X GET 'http://localhost:8070/api/v2/applications/943c3ca4833d4dd58067cf6985987291/roleMembers'

This returns the following JSON. We’ll need to save the whole thing so we can update it in the next step.

{
    "memberMappings": [
        {
            "roleId": "2cb71b3468d649789163ea2e212b541e",
            "members": []
        },
        {
            "roleId": "90c7c98683b4471cb77a916744540bcc",
            "members": []
        },
        {
            "roleId": "1da70fae1fd54d6cb7999871ebdb9a36",
            "members": [
                {
                    "type": "USER",
                    "userOrGroupName": "testuser"
                }
            ]
        },
        {
            "roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
            "members": []
        }
    ]
}

Step 3. Add the new user to the JSON and PUT the new Role Members list back to the Sandbox Application

curl -X PUT 'http://localhost:8070/api/v2/applications/943c3ca4833d4dd58067cf6985987291/roleMembers' \
  -H 'Content-Type: application/json' \
  -d '    {
        "memberMappings": [
            {
                "roleId": "2cb71b3468d649789163ea2e212b541e",
                "members": []
            },
            {
                "roleId": "90c7c98683b4471cb77a916744540bcc",
                "members": []
            },
            {
                "roleId": "1da70fae1fd54d6cb7999871ebdb9a36",
                "members": [
                    {
                        "type": "USER",
                        "userOrGroupName": "testuser"
                    },
                    {
                        "type": "USER",
                        "userOrGroupName": "demouser"
                    }
                ]
            },
            {
                "roleId": "1cddabf7fdaa47d6833454af10e0a3ef",
                "members": []
            }
        ]
    }'

Profit:

3 Likes
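
The edit in Step 3 can be scripted so that the document sent back differs from the Step 2 response by exactly one grant. The following is an added example, not code from the original post or from Sonatype; the function names `add_role_member` and `grant_diff` are hypothetical, and the sample input is the Step 2 response trimmed to two roles.

```python
import copy
import json

# Constructed sample: the Step 2 response from the post, trimmed to two roles.
CURRENT = json.loads("""
{"memberMappings": [
  {"roleId": "2cb71b3468d649789163ea2e212b541e", "members": []},
  {"roleId": "1da70fae1fd54d6cb7999871ebdb9a36",
   "members": [{"type": "USER", "userOrGroupName": "testuser"}]}
]}
""")


def add_role_member(role_members, role_id, name, member_type="USER"):
    """Return (new_document, changed) with `name` added to `role_id`.

    The input is not mutated, every other mapping is carried over untouched,
    and an unknown role ID raises instead of creating a new mapping.
    """
    doc = copy.deepcopy(role_members)
    mappings = doc.get("memberMappings")
    if not isinstance(mappings, list):
        raise ValueError("not a roleMembers document: memberMappings missing")
    matches = [m for m in mappings if m.get("roleId") == role_id]
    if len(matches) != 1:
        raise KeyError(f"roleId {role_id!r} matched {len(matches)} mappings")
    members = matches[0].setdefault("members", [])
    entry = {"type": member_type, "userOrGroupName": name}
    if entry in members:
        return doc, False  # already granted, so no PUT is needed
    members.append(entry)
    return doc, True


def grant_diff(before, after):
    """Return (added, removed) sets of (roleId, type, name) between documents."""
    def flat(doc):
        return {(m["roleId"], x["type"], x["userOrGroupName"])
                for m in doc["memberMappings"] for x in m["members"]}
    return flat(after) - flat(before), flat(before) - flat(after)


if __name__ == "__main__":
    new_doc, changed = add_role_member(
        CURRENT, "1da70fae1fd54d6cb7999871ebdb9a36", "demouser")
    added, removed = grant_diff(CURRENT, new_doc)
    # Review before sending: one grant added, nothing removed.
    print("added:", added, "removed:", removed, "changed:", changed)
    print(json.dumps(new_doc, indent=4))  # body for the Step 3 PUT
```

Checking that `removed` is empty before the PUT guards against dropping an existing member from the list that is written back.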

Any ideas on how to do step 3 using jq?

jq -rcM --arg roleId 1da70fae1fd54d6cb7999871ebdb9a36 --arg newUser demouser '.memberMappings[] |= . + (select(.roleId == $roleId)["members"] += [{ "type": "USER", "userOrGroupName": $newUser}])' orgrolemembers.json