Check Permission

Checks whether a role has a privilege on a resource. For example, is this Host authorized to execute (fetch the value of) this Secret?

Kinds of resources

| Kind       | Description                                                                       |
|------------|-----------------------------------------------------------------------------------|
| User       | one unique human                                                                  |
| Host       | a single logical machine (in the broad sense, not just physical)                  |
| Layer      | a collection of hosts that have the same privileges                               |
| Group      | a collection of users and groups that have the same privileges                    |
| Policy     | privileges on policies enable a user to create and modify objects and permissions |
| Variable   | a secret such as a password, API key, SSH key, etc.                               |
| Webservice | an HTTP(S) web service which performs sensitive operations                        |

Entity IDs must be URL-encoded

URI

GET /resources/{account}/{kind}/{identifier}?check=true&role={role}&privilege={privilege}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples:

| Identifier           | URL-Encoded               |
|----------------------|---------------------------|
| myapp-01             | myapp-01 (no change)      |
| alice@devops         | alice%40devops            |
| prod/aws/db-password | prod%2Faws%2Fdb-password  |
| research+development | research%2Bdevelopment    |
| sales&marketing      | sales%26marketing         |

Example with curl

Suppose your account name is “myorg” and you want to check whether Host “application” can execute (fetch the value of) Variable “db-password”:

endpoint='https://eval.conjur.org/resources'
account='myorg'
var_id='db-password'
host_id='application'

# The URL must be double-quoted so the shell expands the variables;
# single quotes would send the literal text "$endpoint/$account/..." to the server.
curl -i -H "$(conjur authn authenticate -H)" \
     "$endpoint/$account/variable/$var_id?check=true&role=$account:host:$host_id&privilege=execute"

Request Headers

| Field         | Description         | Example                      |
|---------------|---------------------|------------------------------|
| Authorization | Conjur access token | Token token="eyJkYX…Rhb="    |

Response

| Code | Description                                                                          |
|------|--------------------------------------------------------------------------------------|
| 204  | The role has the specified privilege on the resource                                 |
| 401  | The request lacks valid authentication credentials                                   |
| 404  | The role or resource was not found; or the role does not have the specified permission |
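As an added example (not code from the Conjur docs or the Conjur client), the following Python builds the check URI with the identifier percent-encoded as required above and maps the response codes to an allow/deny decision; the endpoint, account and token values are assumed placeholders.

```python
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode


def build_check_url(endpoint, account, kind, identifier, role, privilege):
    """Build the check-permission URL.

    The identifier sits in the path, so every reserved character in it
    (including '/') must be percent-encoded; quote(..., safe="") does that,
    turning "prod/aws/db-password" into "prod%2Faws%2Fdb-password".
    The role is fully qualified (account:kind:id); ':' is left unencoded in
    the query string to match the example URI in the docs.
    """
    path = "/".join((endpoint.rstrip("/"), quote(account, safe=""),
                     quote(kind, safe=""), quote(identifier, safe="")))
    query = urlencode({"check": "true", "role": role, "privilege": privilege}, safe=":")
    return f"{path}?{query}"


def interpret_check_status(status):
    """Map the API response code to an allow/deny decision.

    204 -> allowed.  404 -> denied: the API does not tell "role or resource
    missing" apart from "no privilege", so a client must treat both as deny.
    401 -> the access token is missing or invalid; that is an error in the
    caller's credentials, not a policy decision, so it is raised, not returned.
    """
    if status == 204:
        return True
    if status == 404:
        return False
    if status == 401:
        raise PermissionError("access token missing, invalid or expired")
    raise RuntimeError(f"unexpected response code {status}")


def check_permission(endpoint, account, kind, identifier, role, privilege, token):
    """Perform the live check against a Conjur server (network call)."""
    url = build_check_url(endpoint, account, kind, identifier, role, privilege)
    req = urllib.request.Request(url, headers={"Authorization": f'Token token="{token}"'})
    try:
        with urllib.request.urlopen(req) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 401 and 404 arrive as HTTPError, not as a normal response
    return interpret_check_status(status)
```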

Example URI

GET /resources/myorg/variable/db?check=true&role=myorg:host:application&privilege=execute

URI Parameters

| Parameter  | Type   | Mandatory | Description                                         | Example                |
|------------|--------|-----------|-----------------------------------------------------|------------------------|
| account    | String | Yes       | Organization account name                           | myorg                  |
| kind       | String | Yes       | kind of resource to test                            | variable               |
| identifier | String | Yes       | the identifier of the resource to test              | db                     |
| role       | String | Yes       | the fully qualified identifier of the role to test  | myorg:host:application |
| privilege  | String | Yes       | the privilege to test on the resource               | execute                |

Request

Headers

Authorization: Token token="eyJkYX...Rhb="