Post

4 followers Follow
0
Avatar

Question: How to modify permissions via the REST API?

Hi All,

I was wondering about allowing the mass setting/editing of permissions via an api.  E.g. Someone asks me to add a certain group to all existing templates, (this just happened today)   We have scripted this in other tools (Jenkins etc.)  Is there a way to do that now?

Thanks!

Bernie

Bernie Bonn

Please sign in to leave a comment.

11 comments

0
Avatar

Hi Bernie

> I was also wondering about allowing the mass setting/editing of permissions via an api.

In the 4.0.x HTTP API, you could use calls such as PUT /releases/{releaseId}/permissions or PUT /roles/permissions/global. I'm not sure about updating permissions or roles for a template, though - perhaps try PUT /releases/templates/{templateId}?

I'll ping the team to see if they can provide more details on that, and what options will be available in the public API in the next version.

Regards

Andrew

Andrew Phillips 0 votes
0
Avatar

Hi,

We currently don't support updating security using the public API. It's possible but unsupported to update it using the internal API.

Regards,

 

Florent

Florent Le Gall 0 votes
0
Avatar

Hi Guys,

Is the answer to this still no? Is REL-2160 still planned for 5.0, that being the ability to allow read only on all templates and releases be default.

Thanks!
Bernie

Bernie Bonn 0 votes
0
Avatar

Hi Bernie

What I can tell you is that the feature is not planned for the upcoming release (4.8) and have not included in the plan for a subsequent version.

For now, the way to work would be to use the internal API to update permissions.

Another thing you can do is to create a template called MASTER and set the default teams and permissions. For example an 'Everyone' team that links to the 'Everyone' role that contains the 'all' LDAP user group. Give this team read permission on the release. Now the procedure to create a new template would be to copy the MASTER template rather than using the 'New template' button.

Hope this helps,

Hes.

Hes Siemelink 0 votes
0
Avatar

Thanks Hes,

Sorry if this is a silly question, but could you explain the difference between the public and internal API and maybe include links to the different docs.

Also , if you had any quick tips or examples on setting permissions or a similar operation that would be great.

Thanks!
Bernie

Bernie Bonn 0 votes
0
Avatar

Hi Bernie

The Public API is guaranteed to work across versions. We support it and won't change it.

This is the documentation link: https://docs.xebialabs.com/xl-release/latest/rest-api/

The internal API is what the browser application (mostly) uses to communicate with the backend. Since some calls are very screen-specific, we haven't made this publicly supported. We also want to have the liberty to change the calls if needed.

The internal API was viewable on our web site from XL Release 3.0 - 4.0 but it was not fully documented. We remedied that with the introduction of the Public API in XL Release 4.5, which is fully documented and supported. Unfortunately, the Public API covers less than the internal API, so sometimes we point out that you can do stuff with the (unsupported) internal API which otherwise would not be possible.

Having said that, we will not change the internal API much, and will strive to have a public alternative is available when we do.

I hope this makes it a little bit clearer.

It wold also help us if you have an overview of all the http calls you make in your scripts, so we know that and can contact you when a change is coming up.

Kind regards,

Hes.

Hes Siemelink 0 votes
0
Avatar

Hey Guys,

Looking at taking a different tact. I was wondering if you know if it is possible to add a new team to a template via the API. Maybe using this PUT /teams/{teamId}, but i think I would need to know the ID of the team and it is not actually added to the template yet. My goal is to create an everyone role, then programatically add that role to a team on every template giving them View Release permissions only.

Wondering if this is possible or if you can give me a nudge in the right direction.

Thanks as always!
Bernie

Bernie Bonn 0 votes
0
Avatar

Hi Bernie

Wondering if this is possible or if you can give me a nudge in the right direction

I hope my response to your question over in the thread about copying a template will help. From what I can see, you will need two calls: a POST to create the new team, and then a PUT to set its members and properties.

Hopefully, this will get us a bit closer to the goal ;-)

Regards

Andrew

Andrew Phillips 0 votes
0
Avatar

Hi Andrew,

Thanks so much for your response. I thought I was duplicating what you were doing here:
https://support.xebialabs.com/hc/communities/public/questions/202477455-How-To-Copy-a-template-using-the-internal-4-0-x-XL-Release-REST-API?locale=en-us. But I assume there was a subtle difference.

So I was confused as to why mine wasn't working, but I am happy to have better direction now. I think this will defintely get us closer to our goal of being able to give all groups read only on templates and releases. I also have new teams coming in who want to to added to all templates so this script will come in handy.

I was just wondering generic process-wise. For scripts like these that are more of a utility, do you still create and run them in XLR templates and tasks. I am thinking something like the XLD CLI would be handy for administrative stuff like this in XLR. Any thoughts around that? Or is there already a way to abstract away from the UI, or do you lose access to all the objects etc.

Thanks As Always Andrew!

Bernie

Bernie Bonn 0 votes
0
Avatar

Hi Bernie

You can also put reusable scripts in a "custom endpoint": an extension you write that is accessible through a REST call.

More information here: https://docs.xebialabs.com/xl-release/how-to/declare-custom-rest-endpoints-in-xl-release.html

You have access to the Public API here.

A question for you: does it work for you to have a single global role 'Read Access role' and have one Team on each template that has only one member, the 'Read Access role' and has view permission on the template and created release?

That way you only have to update the members of the 'Read Access role' once and it is applied to all templates / releases.

Kind regards!

Hes Siemelink 0 votes