IBM Performance Management

Using the Role Based Access Control Service API

Use the Role Based Access Control Service API to complete user access tasks from the command line. You can create scripts for automating such tasks as assigning user roles.

About this task

In this task, you use the OpenID Connect (OIDC) protocol to get an access token from the OIDC server on the Performance Management server. The access token gives you authorized access to the API for running operations until the token expires, 30 minutes after it is issued.

Disabling OIDC authentication for the console (which is required before you can enable single sign-on (SSO) between Performance Management and other IBM products that require LTPA for SSO) does not affect the API: the RESTful API continues to rely on OIDC and does not interfere with SSO. (See Disabling OpenID Connect authentication for the Performance Management console.)

Procedure

  1. On the system where the Performance Management server is installed, open the following file and copy the client ID and client secret:
    /opt/ibm/wlp/usr/shared/config/clientSecrets.xml
    The following example shows what the file contains:
    <server>
      <variable name="client.secret.apmui" value="{xor}J2oZKWQsHXVxeCJwBGscfQ40d2N+cBUPZmltKRNz" />
      <variable name="client.id.apmui" value="rpapmui" />
    </server>
  2. Use an XOR decoder on the {xor} value to get the actual client secret. Example: x5Fv;sB*.'}/[4C"Qk(<!/JP962vL
  3. To get an access token, contact the token endpoint of the OIDC server with the four required items: username, password, client_id, and client_secret. In this curl example, the client_secret has the value secret:
    curl --tlsv1.2 -v -k -d "grant_type=password&client_id=rpapmui&client_secret=secret&username=apmadmin&password=apmpass&scope=openid" https://example.mycompany.com:8099/oidc/endpoint/OP/token
    (The form body is quoted so that the shell does not interpret the & characters as command separators.)
    Output:
    {"access_token":"jnz4Ad0zpeCpYcUlUf7o4A40tz5trnIW9GutICG8","token_type":"Bearer","expires_in":1800,"scope":"openid","refresh_token":"VsCWUhPHBRpidD2F1PVyZ2LNGMuQPTN837t3OoqZj71FcBfsGE"}
  4. Extract the access_token value. Looking at the output in the previous example, the value is jnz4Ad0zpeCpYcUlUf7o4A40tz5trnIW9GutICG8.
  5. Send requests to the Authorization API that include the access_token in the Authorization header. Access is authorized until the token expires, 1800 seconds after issuance. This example is a GET request for permissions that sets the header (curl option -H) with the access token from the previous example:
    curl --tlsv1.2 -v -k -H "Authorization: Bearer jnz4Ad0zpeCpYcUlUf7o4A40tz5trnIW9GutICG8" https://example.mycompany.com:9443/1.0/authzn/permissions
  6. Open the API Explorer in your browser: https://developer.ibm.com/api
  7. In the My APIs search box, enter performance management and click the Search icon.
  8. Select the IBM Performance Management: Role Based Access Control Service API.
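As an added example (not IBM's own tooling), the following Python script carries out steps 1 to 3 offline: it reads the client ID and the {xor}-encoded client secret from the clientSecrets.xml content shown in step 1, decodes the secret (a WebSphere Liberty {xor} value is each byte XORed with '_' and then base64-encoded, so it is obfuscated rather than encrypted and anyone who can read the file can recover it), and builds a correctly URL-encoded form body for the token request. The file content is embedded as a constructed sample and no network call is made; the endpoint, user name and password are the page's example values.

```python
import base64
import urllib.parse
from xml.etree import ElementTree as ET

# Constructed sample: the clientSecrets.xml content shown in step 1.
SAMPLE_CLIENT_SECRETS_XML = """<server>
  <variable name="client.secret.apmui" value="{xor}J2oZKWQsHXVxeCJwBGscfQ40d2N+cBUPZmltKRNz" />
  <variable name="client.id.apmui" value="rpapmui" />
</server>"""

# Liberty "{xor}" encoding: each byte XORed with '_' (0x5F), then base64.
# This is obfuscation only, so read access to the file is the real control.
XOR_KEY = ord("_")


def decode_liberty_xor(value):
    """Decode a '{xor}...' string to plaintext; reject encodings that cannot be decoded offline."""
    if value.startswith("{aes}"):
        raise ValueError("{aes} values need the Liberty encryption key and cannot be decoded offline")
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def read_client_credentials(xml_text):
    """Return (client_id, client_secret) from a clientSecrets.xml document (step 1 + step 2)."""
    root = ET.fromstring(xml_text)
    values = {v.get("name"): v.get("value") for v in root.iter("variable")}
    return values["client.id.apmui"], decode_liberty_xor(values["client.secret.apmui"])


def token_request_body(client_id, client_secret, username, password):
    """Form body for the password grant in step 3. urlencode escapes '&', '=', quotes and
    spaces, so a secret like the decoded example cannot break the request or the shell."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": "openid",
    })


def bearer_header(access_token):
    """Authorization header for step 5; send it only over TLS with certificate verification."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    cid, secret = read_client_credentials(SAMPLE_CLIENT_SECRETS_XML)
    print(cid, repr(secret))
    print(token_request_body(cid, secret, "apmadmin", "apmpass"))
```

The printed body is what to pass to curl -d (quoted) against https://example.mycompany.com:8099/oidc/endpoint/OP/token; decode_liberty_xor refuses {aes} values because those need the server's encryption key.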