Team management APIs

APIs to manage teams.

Base path: https://<cluster_address>/idmgmt/identity/api/v1/teams

Where, <cluster_address> is defined in Foundational service endpoint

Create a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams
Command
POST
Command output format
application/json

The sample curl command resembles the following code:

 curl -k -X POST --header 'Content-Type: application/json' --header "Authorization: bearer $ACCESS_TOKEN" -d '{"teamId":"test-team","name":"test-team","users":[],"usergroups":[],"serviceids":[]}' https://<cluster_address>/idmgmt/identity/api/v1/teams

The output resembles the following code:

{
    "teamId": "test-team",
    "name": "test-team",
    "users": [],
    "usergroups": [],
    "serviceids": [],
    "accountId": "id-mycluster-account",
    "type": "Custom",
    "directoryList": []
}

Assign users and user groups to a team by providing the team payload

Provide the entire team payload in the curl command to add users and user groups to a team.

Note: You must import users and user groups from your LDAP server before you add them to a team. For the APIs to import users and user groups, see Import users from your LDAP directory and Import user groups from your LDAP directory.

Note: You cannot add an AccountAdministrator to a team by using the team management APIs. You must use the multitenancy account management API to add an AccountAdministrator to a team. See Add users to an account.

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{team-ID}
Command
PUT
Command output format
application/json

The sample curl command resembles the following code:

curl -k -X PUT --header "Authorization: Bearer $ACCESS_TOKEN" --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"teamId":"test-team","name":"Test Team","users":[{"userId":"testuser","userBaseDN":"uid=testuser,ou=people,dc=ibm,dc=com","roles":[{"id":"crn:v1:icp:private:iam::::role:Operator"}]}],"usergroups":[{"name":"security","userGroupDN":"cn=security,cn=platform,ou=cloud,ou=isl,ou=groups,dc=ibm,dc=com","roles":[{"id":"crn:v1:icp:private:iam::::role:Operator"}]}]}' "https://<cluster_address>/idmgmt/identity/api/v1/teams/test-team"

The response resembles the following code:

{
    "teamId": "test-team",
    "name": "Test Team",
    "users": [
        {
            "userId": "testuser",
            "userBaseDN": "uid=testuser,ou=people,dc=ibm,dc=com",
            "roles": [
                {
                    "id": "crn:v1:icp:private:iam::::role:Operator"
                }
            ]
        }
    ],
    "usergroups": [
        {
            "name": "security",
            "userGroupDN": "cn=security,cn=platform,ou=cloud,ou=isl,ou=groups,dc=ibm,dc=com",
            "roles": [
                {
                    "id": "crn:v1:icp:private:iam::::role:Operator"
                }
            ]
        }
    ],
    "serviceids": [],
    "accountId": "id-mycluster-account",
    "type": "Custom",
    "directoryList": [
        "d77de310-ca65-11e9-9c54-5bd9ecf04530"
    ]
}

Assign users to a team by providing the user information

Provide only the user-related data to add users to a team.

Note: You must import the user from your LDAP server before you add the user to a team. For the API to import users, see Import users from your LDAP directory.

Note: You cannot add an AccountAdministrator to a team by using the team management APIs. You must use the multitenancy account management API to add an AccountAdministrator to a team. See Add users to an account.

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{team-ID}
Command
POST
Command output format
application/json

The sample curl command resembles the following code:

Note: To get the baseDN, use the API to Search for users in your LDAP directory.

curl --location --request POST 'https://<cluster_address>/idmgmt/identity/api/v1/teams/test-team/users' \
--header 'Authorization: Bearer $ACCESS_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "users": [
        {
            "baseDN": "uid=testuser@in.ibm.com,ou=People,dc=ibm,dc=com",
            "directoryId": "acae8550-fc3b-11ea-99f3-018edd55e9a4",
            "roles": [
                {
                    "id": "crn:v1:icp:private:iam::::role:Viewer"
                }
            ]
        }
    ]
}

Following is a sample response:

{"teamId":"test-team","name":"test-team","users":[{"userId":"kubeadmin","directoryId":"ROKS","userBaseDN":"kubeadmin","baseDN":"kubeadmin","firstName":"kubeadmin","lastName":"","email":"","roles":[{"id":"crn:v1:icp:private:iam::::role:ClusterAdministrator"}]},{"userId":"anna","firstName":"anna","lastName":"","email":"","userBaseDN":"anna","directoryId":"acae8550-fc3b-11ea-99f3-018edd55e9a4","roles":[{"id":"crn:v1:icp:private:iam::::role:Administrator"}]}],"usergroups":[],"serviceids":[],"accountId":"id-mycluster-account","type":"System","directoryList":["ROKS"]}

Note: If you try to add a user who is already added to the team, you see the following 409 error:

User already exists in team and role update is not supported

Assign resources to a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams
Command
POST
Command output format
application/json

The sample curl command resembles the following code:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" -d '{"crn": "crn:v1:icp:private:k8:mycluster.icp:n/default:::"}' 'https://<cluster_address>/idmgmt/identity/api/v1/teams/<team-ID>/resources' --insecure

The format of the resource that you are assigning to the team is "crn:v1:icp:private:k8:mycluster:n/default:::", where mycluster is the cluster name. In the sample command, the default namespace is assigned to the team.

Note: You should not use the default namespace in the production environment.

The response resembles the following code:

{
    "crn": "crn:v1:icp:private:k8:mycluster:n/default:::",
    "serviceName": "k8",
    "region": "mycluster",
    "namespaceId": "default",
    "scope": "namespace"
}

Using wildcard characters in the CRN attribute resource value

You can use wildcard characters in the value of the CRN attribute resource. See the following sample curl command:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" -d '
{"crn":"crn:v1:icp:private:eventstreams:mycluster:n/kube-system:r/kafka2:topic:topic*"}' <--- Wildcard character asterisk \
"https://<cluster_address>/idmgmt/identity/api/v1/teams/team-$i/resources" --insecure

In the sample command, an asterisk is used. All CRNs with resource name that starts with topic are accessible, if all the CRN attributes match the access policy definition, and the user has the required permissions.

Following is a sample authorization check:

curl -k -X POST \
  https://<cluster_address>/iam-pdp/v1/authz \
  -H 'Accept: application/json' \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
  "action": "action.read",
  "subject": {
    "id": "",
    "type": ""
  },
  "resource": {
    "crn": "crn:v1:icp:private:eventstreams:mycluster:n/kube-system:r/kafka2:topic:topic1",
    "attributes": {
      "serviceName": "",
      "accountId": ""
    }
  }
}'

Following is a sample output:

{"decision":"Permit","obligations":[{"actions":["action.read"],"crns":["crn:v1:icp:private:eventstreams:mycluster:n/kube-system:r/kafka2:topic:topic1"],"decision":"Permit","max-age":86400,"obligationId":"bf69c79fbe636dc8"}]}

Add Helm chart resources to a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
cluster_lb_address
Path
/helm-api/api/v2/releasesCRNs
/helm-api/api/v2/charts
/helm-api/api/v2/repos
Command
POST
Command output format
application/json

The sample curl command resembles the following code:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" -d '{"crn":"crn:v1:icp:private:helm-catalog:mycluster:r/local-charts::helm-repos:"}' "https://mycluster.icp:8443/idmgmt/identity/api/v1/teams/team-$i/resources" --insecure

The format of the resource that you are assigning to the team is "crn:v1:icp:private:helm-catalog:mycluster:r/local-charts::helm-repos:". In the sample command, the local-charts repository is assigned to the team.

The response resembles the following code:

{"crn":"crn:v1:icp:private:helm-catalog:mycluster.icp:r/local-charts:::","serviceName":"k8","region":"mycluster.icp","repository":"local-charts","scope":"helm-repos"}

Get information about a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{id}
Command
GET
Command output format
application/json

The sample curl command resembles the following code:

curl -k -X GET --header "Authorization: Bearer $ACCESS_TOKEN" 'https://<cluster_address>/idmgmt/identity/api/v1/teams/test-team'

The output resembles the following code:

{"teamId":"test-team","name":"Test Team","users":[{"userId":"testuser","userBaseDN":"uid=testuser,ou=people,dc=ibm,dc=com","roles":[{"id":"crn:v1:icp:private:iam::::role:Operator"}]}],"usergroups":[{"name":"security","userGroupDN":"cn=security,cn=platform,ou=cloud,ou=isl,ou=groups,dc=ibm,dc=com","roles":[{"id":"crn:v1:icp:private:iam::::role:Operator"}]}]}

Get information about all teams

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams
Command
GET
Command output format
application/json

The sample curl command resembles the following code:

curl -k -X GET --header "Authorization: Bearer $ACCESS_TOKEN" 'https://<cluster_address>/idmgmt/identity/api/v1/teams'

The output resembles the following code:

 {
    "teamId": "test-team",
    "name": "test-team",
    "users": [
        {
            "userId": "mark",
            "directoryId": "d77de310-ca65-11e9-9c54-5bd9ecf04530",
            "firstName": "Mark",
            "lastName": "",
            "email": "mark@ibm.com",
            "lastLogin": "",
            "userBaseDN": "uid=mark,ou=people,dc=ibm,dc=com",
            "type": "LDAP",
            "directoryName": "openldap",
            "roles": [
                {
                    "id": "crn:v1:icp:private:iam::::role:Viewer"
                }
            ]
        }
    ],
    "usergroups": [],
    "serviceids": [],
    "accountId": "110a-6bdb",
    "type": "Custom",
    "directoryList": [
        "d77de310-ca65-11e9-9c54-5bd9ecf04530"
    ]
}

Get resources that are assigned to a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{id}/resources
Command
GET
Command output format
application/json

The sample curl command resembles the following code:

curl -k -X GET --header "Authorization: Bearer $ACCESS_TOKEN" 'https://<cluster_address>/idmgmt/identity/api/v1/teams/{id}/resources'

The output resembles the following code:

[{"crn":"crn:v1:icp:private:k8:mycluster:n/default:::","serviceName":"k8","region":"mycluster","namespaceId":"default","scope":"namespace"}]

Update a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams
Command
PUT
Command output format
application/json

The sample curl command resembles the following code:

curl -k -X PUT --header 'Content-Type: application/json' --header "Authorization: bearer $ACCESS_TOKEN" -d '{"teamId":"test-team","name":"Test Team","users":[{"userId":"aaa","roles":[{"id":"crn:v1:icp:private:iam::::role:Administrator"}]},{"userId":"bbb","roles":[{"id":"crn:v1:icp:private:iam::::role:Editor"}]},{"userId":"ccc","roles":[{"id":"crn:v1:icp:private:iam::::role:Editor"}]},{"userId":"ddd","roles":[{"id":"crn:v1:icp:private:iam::::role:Viewer"}]}]}' 'https://<cluster_address>/idmgmt/identity/api/v1/teams/test-team'

The output resembles the following code:

{"teamId":"test-team","name":"Test Team","users":[{"userId":"aaa","roles":[{"id":"crn:v1:icp:private:iam::::role:Administrator"}]},{"userId":"bbb","roles":[{"id":"crn:v1:icp:private:iam::::role:Editor"}]},{"userId":"ccc","roles":[{"id":"crn:v1:icp:private:iam::::role:Editor"}]},{"userId":"ddd","roles":[{"id":"crn:v1:icp:private:iam::::role:Viewer"}]}],"usergroups":[],"_rev":"2-9238053d5bc6a27237a444e0a2e2cc5b","_id":"f-122","loopback__model__name":"Team"}

Delete a resource from a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{id}
Command
DELETE
Command output format
application/json

To delete a resource from a team, you must first get all the resources for the team (platform) so that you can retrieve the CRN. The sample curl command resembles the following code:

curl -k -X GET --header "Authorization: Bearer $ACCESS_TOKEN" 'https://<cluster_address>/idmgmt/identity/api/v1/teams/{id}/resources'

The output resembles the following code:

[
{"crn":"crn:v1:icp:private:k8:mycluster:n/kube-system:::","serviceName":"k8","region":"mycluster","namespaceId":"kube-system"},
{"crn":"crn:v1:icp:private:k8:mycluster:n/default:::","serviceName":"k8","region":"mycluster","namespaceId":"default"}
]

Next, you must encode the CRN. You can use the urlencode command (on Ubuntu), as shown in the following sample code, or you can use a Python script.

urlencode 'crn:v1:icp:private:k8:mycluster:n/default:::'

The output resembles the following code:

crn%3Av1%3Aicp%3Aprivate%3Ak8%3Amycluster%3An%2Fdefault%3A%3A%3A

Finally, you can delete the resource from the team (platform) by using the encoded CRN. The sample curl command resembles the following code:

curl -k -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" --header "Accept: application/json" 'https://<cluster_address>/idmgmt/identity/api/v1/teams/{id}/resources/rel/crn%3Av1%3Aicp%3Aprivate%3Ak8%3Amycluster%3An%2Fdefault%3A%3A%3A'

If needed, you can get the list of resources to confirm that the resource is removed. The sample curl command resembles the following code:

curl -k -X GET --header "Authorization: Bearer $ACCESS_TOKEN" 'https://<cluster_address>/idmgmt/identity/api/v1/teams/platform/resources'

The output resembles the following code:

[
{"crn":"crn:v1:icp:private:k8:mycluster:n/kube-system:::","serviceName":"k8","region":"mycluster","namespaceId":"kube-system"}
]

Remove a user from a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{team-id}
Command
DELETE
Command output format
application/json

The sample curl command resembles the following code:

Note: To get the userID, use the API to Get information about a team.

curl --location --request DELETE 'https://<cluster_address>/idmgmt/identity/api/v1/teams/test-team/users' \
--header 'Authorization: Bearer $ACCESS_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "users": [
        {
            "userId": "testuser@in.ibm.com"
        }
    ]
}'

The output of the curl command is 204 status code.

Note: If you try to remove a user who is not in the team, you see the following 404 error:

User not found in team, nothing to delete

Delete a team

API version
1.0.0
API URI components
Scheme
HTTPS
Host IP
Cluster Master Host
Port number
Cluster Master API Port
Path
idmgmt/identity/api/v1/teams/{id}
Command
DELETE
Command output format
application/json

The sample curl command resembles the following code:

curl -k -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" 'https://<cluster_address>/idmgmt/identity/api/v1/teams/a-1'

The output resembles the following code:

{"count":1}