permission to create and delete specific target server to custom role

nandishnandy
Participant III

I have given a permission to create and delete target server to custom role,

{
 "resourcePermission" : [
   {
    "path" : "/environments/*/targetservers/",
    "permissions" : [ "get", "put" ]
   },
   {
    "path" : "/environments/*/targetservers/{targetservername}",
    "permissions" : [ "get", "put", "delete" ]
   }
  ]
}

Once the user logs in, he is able to create a target server, but deleting a specific target server is not working. Please let me know if I am doing anything wrong.

Regards

Nandeesha


estebansp
Participant II

Hello Nandeesha,

Try sending an asterisk (*) instead of the {targetservername} variable on your second resource path, like this:

{
 "resourcePermission" : [ 
   {
    "path" : "/environments/*/targetservers",
    "permissions" : [ "get","put"]
   }, 
   {
    "path" : "/environments/*/targetservers/*",
    "permissions" : [ "get","put", "delete" ]
   }
  ]
}

One thing to note here: Those permissions you are setting will target all environments.

If you want to target only one environment, say test for instance, then use the environment name instead of an asterisk. Like this:

{
 "resourcePermission" : [ 
   {
    "path" : "/environments/*/targetservers",
    "permissions" : [ "get","put"]
   }, 
   {
    "path" : "/environments/test/targetservers/*",
    "permissions" : [ "get","put", "delete" ]
   }
  ]
}

I hope this helps answer your question.

Regards,

Esteban Solano.

Hi Nandeesha, sorry I deleted your reply to my original answer. I posted that answer with a Test user, and so I was re-posting my answer with my true apigee user.

I'll re-post your followup question, and my other reply to that question next.

Regards,

Nandeesha wrote:

Thanks Esteban Solano.

I have given permission as you suggested with bit change as follows

{"resourcePermission":[{"path":"/environments/*/targetservers","permissions":["get","put"]},{"path":"/environments/test/targetservers/Sample-*","permissions":["get","put","delete"]}]}

I am able to create a target server & delete a target server only when its name starts with Sample (as defined in the permission).

This works for create and delete, but in the case of update, we are able to update other target servers as well.

Please suggest how to restrict the user from updating other target servers whose names are not from sample.

Thanks In Advance

Hi again Nandeesha,

Permissions you have set previously are kept. So perhaps the previous permissions to get, put, and delete on all (*) target servers for all (*) environments are all still active.

What you need to do is send a "Delete Permission for Resource" request to remove the permissions you don't want.

For instance, you'll probably need to send the following delete request:

DELETE /v1/organizations/{your-org}/userroles/{your-custom-role}/permissions/put
?path=/environments/*/targetservers/*

That will delete the put verb on your custom role, for all servers on all your environments.

You'll probably need to send this other delete request:

DELETE /v1/organizations/{your-org}/userroles/{your-custom-role}/permissions/put
?path=/environments/test/targetservers/*

That will delete the put verb on your custom role for all servers on your test environment.

That would depend on what permissions you've already granted on your custom role. You can easily check them with the "List Permissions for All Resources Associated with a Role". Then look at the granted permissions on the resource, and remove them with the above delete requests.

GET /v1/organizations/{your-org}/userroles/{your-custom-role}/permissions

I hope this will help. Let me know if you still can't get it to work.

Regards,

Esteban S.
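
An added example, not part of the original thread: a small offline audit that shows which lingering grant still permits an update on a non-Sample target server, and builds the matching delete requests in the format used above. The sample role listing is constructed, its JSON shape is assumed to match the request bodies posted in this thread, and the wildcard rule in `matches` is an assumption.

```python
import json
import re

# Constructed sample: role state after the grants from this thread were
# applied one after another without deleting the earlier, broader one.
CURRENT = json.loads("""
{"resourcePermission": [
  {"path": "/environments/*/targetservers", "permissions": ["get", "put"]},
  {"path": "/environments/*/targetservers/*", "permissions": ["get", "put", "delete"]},
  {"path": "/environments/test/targetservers/Sample-*", "permissions": ["get", "put", "delete"]}
]}
""")

# Intended final state (the last request body posted in the thread).
DESIRED = json.loads("""
{"resourcePermission": [
  {"path": "/environments/*/targetservers", "permissions": ["get", "put"]},
  {"path": "/environments/test/targetservers/Sample-*", "permissions": ["get", "put", "delete"]}
]}
""")

def grants(doc):
    """Flatten a permissions document into a set of (path, verb) pairs."""
    return {(rp["path"], verb)
            for rp in doc["resourcePermission"] for verb in rp["permissions"]}

def matches(pattern, resource):
    """Assumption: '*' matches any characters inside one path segment."""
    regex = "[^/]*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None

def why_allowed(doc, verb, resource):
    """Return the granted paths that permit `verb` on `resource`."""
    return sorted(p for p, v in grants(doc) if v == verb and matches(p, resource))

def cleanup_requests(current, desired, org="{your-org}", role="{your-custom-role}"):
    """Build DELETE lines, in the thread's format, for grants not in `desired`."""
    stale = sorted(grants(current) - grants(desired))
    return [f"DELETE /v1/organizations/{org}/userroles/{role}/permissions/{verb}?path={path}"
            for path, verb in stale]

if __name__ == "__main__":
    # Other-1 is a hypothetical target server name outside the Sample- prefix.
    print(why_allowed(CURRENT, "put", "/environments/test/targetservers/Other-1"))
    print("\n".join(cleanup_requests(CURRENT, DESIRED)))
```
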

Thanks Esteban Solano.

As you suggested I will do that and let you know the outcome.

Regards

Nandeesha

Thanks Esteban Solano.

It's working as expected.

Regards

Nandeesha

Not applicable

I followed the instructions above but on our UI users are not able to add new target servers. They can edit the existing ones but the button is greyed out with a message of insufficient permissions. Any specific permission we are missing?