Show Permitted Roles

Lists the roles which have the named permission on a resource.

Kinds of resources

| Kind | Description |
| --- | --- |
| User | one unique human |
| Host | a single logical machine (in the broad sense, not just physical) |
| Layer | a collection of hosts that have the same privileges |
| Group | a collection of users and groups that have the same privileges |
| Policy | privileges on policies enable a user to create and modify objects and permissions |
| Variable | a secret such as a password, API key, SSH key, etc. |
| Webservice | an HTTP(S) web service which performs sensitive operations |

Entity IDs must be URL-encoded

URI

GET /resources/{account}/{kind}/{identifier}?permitted_roles=true&privilege={privilege}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples:

| Identifier | URL-Encoded |
| --- | --- |
| myapp-01 | myapp-01 (no change) |
| alice@devops | alice%40devops |
| prod/aws/db-password | prod%2Faws%2Fdb-password |
| research+development | research%2Bdevelopment |
| sales&marketing | sales%26marketing |

Example with curl and jq

Suppose your organization name is “myorg” and you want to find out which roles have execute privileges on the Variable db-password, and can thus fetch the secret:

curl -H "$(conjur authn authenticate -H)" \
     'https://eval.conjur.org/resources/myorg/variable/db-password?permitted_roles=true&privilege=execute' \
     | jq .
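The encoding rule and the request above, as an added shell example (not from the Conjur documentation): a POSIX-sh percent-encoder that reproduces the table of encoded identifiers, a helper that assembles the request path, a wrapper that issues the request with curl, and a jq-free filter that picks roles of one kind out of the returned list. It assumes CONJUR_APPLIANCE_URL holds the base URL and that the access token comes from `conjur authn authenticate -H`, as in the curl example; identifiers are assumed to be ASCII. The sample response body is constructed to match the shape of the 200 response shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Conjur docs or CLI.
# Assumptions: CONJUR_APPLIANCE_URL is the appliance base URL (e.g. https://eval.conjur.org),
# the Conjur CLI is logged in so `conjur authn authenticate -H` prints the Authorization
# header, and identifiers are ASCII.

# Percent-encode every character outside the RFC 3986 unreserved set, so that '/', '@',
# '+' and '&' inside an identifier are not mistaken for URL structure by the API.
urlencode() {
  _s=$1
  _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}      # first character of the remaining string
    _s=${_s#?}              # drop it
    case "$_c" in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;   # e.g. '@' becomes %40
    esac
  done
  printf '%s' "$_out"
}

# Path and query for
#   GET /resources/{account}/{kind}/{identifier}?permitted_roles=true&privilege={privilege}
# with every path segment encoded.
permitted_roles_path() {
  # $1 account, $2 kind, $3 identifier (raw, not yet encoded), $4 privilege
  printf '/resources/%s/%s/%s?permitted_roles=true&privilege=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Issue the request and print the JSON body. curl -f turns a 401/403/404/422
# into a non-zero exit status instead of silently yielding an empty role list.
show_permitted_roles() {
  curl -sSf -H "$(conjur authn authenticate -H)" \
    "${CONJUR_APPLIANCE_URL:?set CONJUR_APPLIANCE_URL}$(permitted_roles_path "$@")"
}

# Keep only the role IDs of one kind from a 200 response body, which is a JSON list
# of "account:kind:identifier" strings. Uses sed/tr/awk only, so jq is not required.
roles_of_kind() {
  # $1 kind (user, host, group, layer, policy); JSON list on stdin
  sed 's/[][" ]//g' | tr ',' '\n' | awk -F: -v k="$1" '$2 == k'
}

# Constructed sample body in the shape of the page's "Response 200" example.
SAMPLE_BODY='["myorg:policy:database","myorg:user:db-admin","myorg:host:database/db-host"]'

# Usage against a live appliance (needs network and a CLI login):
#   show_permitted_roles myorg variable prod/aws/db-password execute | roles_of_kind host
# Offline check with the constructed sample:
#   printf '%s' "$SAMPLE_BODY" | roles_of_kind host    # prints myorg:host:database/db-host
```

Encoding each path segment separately matters because the account and kind are also path segments; encoding the whole path at once would turn the separating slashes into %2F and change the route.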

Request Headers

| Field | Description | Example |
| --- | --- | --- |
| Authorization | Conjur access token | Token token="eyJkYX…Rhb=" |

Response

| Code | Description |
| --- | --- |
| 200 | Permitted roles returned as a JSON list |
| 401 | The request lacks valid authentication credentials |
| 403 | The authenticated user lacks the necessary privilege |
| 404 | The specified resource does not exist |
| 422 | A request parameter was missing or invalid |

Example URI

GET /resources/myorg/variable/db?permitted_roles=true&privilege=execute

URI Parameters

| Parameter | Type | Mandatory | Description | Example |
| --- | --- | --- | --- | --- |
| account | String | Yes | Organization account name | myorg |
| kind | String | Yes | Kind of resource requested | variable |
| identifier | String | Yes | The identifier of the resource | db |
| privilege | String | Yes | Roles permitted to exercise this privilege are shown | execute |

Request

Headers

Authorization: Token token="eyJkYX...Rhb="

Response 200

Headers

Content-Type: application/json

Body

[
  "myorg:policy:database",
  "myorg:user:db-admin",
  "myorg:host:database/db-host"
]