Accessing and using the Role-Based Access Control Service API
Use the Role-Based Access Control Service API to manage the lifecycle of role-based access control policies from the command line.
About this task
Complete role-based access tasks such as creating, viewing, updating, and deleting roles. Add and delete a set of users or user groups from a specific role. Grant permissions to a specific role. View a list of roles, users, user groups, and permissions that are defined in the system.
You can create scripts for automating such tasks as defining new roles and assigning users, user groups, and permissions to these roles.
Access tokens
Use the OpenID Connect (OIDC) protocol to get an access token from the OIDC server on the Cloud APM server. The access token gives you authorised access to the API for running operations until the token expires after 30 minutes.
Basic authorisation
Use a base64 tool to encode your Cloud APM console user ID and password into a single base64 string. The input string format is userId:password, such as apmadmin:apmpass. The output is a string such as: YXBtYWRtaW46YXBtcGFzcw==
Use base64_encoded_string in the authorisation header of every request as shown in the curl command examples.
Note: the Cloud APM console user ID must be a member of a role with the appropriate permissions.
Disabling OIDC authentication, which is required before you can enable single sign-on (SSO) between Cloud APM and other IBM® products that require LTPA for single sign-on, such as Tivoli® Common Reporting, does not affect the API. The RESTful API continues to use the Cloud APM internal OIDC server even when OIDC is disabled for single sign-on between the Cloud APM console and other product user interfaces.
Role-Based Access Control Service API requests must be issued over https to port 9443 of the Cloud APM server.
Procedure
Example
POST /1.0/authzn/roles
curl -X POST \
https://apm_server:9443/1.0/authzn/roles \
-H 'Referer: https://apm_server:9443' \
-H 'authorization: Bearer Your_Access_Token' \
-H 'content-type: application/json' \
-d '{
"description": "Your Role Description",
"id": "/authzn/roles/Your_Role_Id",
"label": "Your Role Name"
}'
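The following script is an added example, not part of the IBM documentation: it builds the Basic authorisation header from a console user ID and password exactly as described above, then issues the same create-role request with that header in place of the Bearer token. The host name, credentials and role values are placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM documentation). Host, user ID, password
# and role values are placeholders to be replaced before use.

# Encode "userId:password" for the authorisation header.
# printf is used instead of echo so that no trailing newline is encoded
# (echo would produce a different, invalid base64 string); tr removes the
# line wrapping that some base64 implementations add.
# Base64 is an encoding, not encryption: only the https transport that
# the API requires protects the credential in transit.
basic_auth_header() {
    # $1 = console user ID, $2 = password
    encoded=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s' "$encoded"
}

# Build the JSON body for POST /1.0/authzn/roles.
# Values are inserted as-is, so they must not contain double quotes.
role_body() {
    # $1 = role id, $2 = role label, $3 = description
    printf '{"id":"/authzn/roles/%s","label":"%s","description":"%s"}' \
        "$1" "$2" "$3"
}

# Issue the create-role request over https on port 9443.
create_role() {
    # $1 = APM server host, $2 = authorisation header, $3 = JSON body
    curl -sS -X POST "https://$1:9443/1.0/authzn/roles" \
        -H "Referer: https://$1:9443" \
        -H "$2" \
        -H 'content-type: application/json' \
        -d "$3"
}

# Usage with placeholder values:
# create_role apm_server "$(basic_auth_header apmadmin apmpass)" \
#     "$(role_body Your_Role_Id 'Your Role Name' 'Your Role Description')"
```

With the example credentials from the text, basic_auth_header produces the header value Basic YXBtYWRtaW46YXBtcGFzcw==, matching the string shown above.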