Entitlements API (Open Data for Industries)

Authorize access to services and data on the Open Data for Industries installation.

Use the Entitlements API to create groups and enforce user privileges.

The Entitlements API groups define a common set of permissions. All users who are added to a particular group obtain the same set of permissions.

The Entitlements API relies on JSON Web Tokens (JWT) to provide native authorization.

The Entitlements API groups have the following use cases:

Create data groups to authorize access to data.

For example, you can use the data group data.welldb.viewer for assigning viewers privileges over a resource.
Create service groups to authorize access to services.

For example, you can use the service group service.storage.viewer for authorizing the viewer access to the Storage service endpoints.
Create user groups to hierarchically combine the user and service identities.

For example, you can use the user group users.datalake.viewers for giving viewer level authorization to user and service identities added to the group.

Each group has either an OWNER, or a MEMBER role assigned. The only difference between the two roles is that if you are the owner of a group, you can manage the members of that group.

Note: Iffyou are using the Entitlements API before version 2.0.4 of the Open Data for Industries, you need to migrate your users. For more information, see Migrating user accounts from Entitlements V1 to Entitlements V2.

To use the API, see the Entitlements API reference.

Learn more

Group names
User groups
Data groups
Service groups
Authorization
Bootstrap groups structure and relationship
Authorizing an overarching permission to user account
Migrating user accounts from Entitlements V1 to Entitlements V2
Important Entitlements API endpoints explained
Entitlements API endpoint permissions

Group names

A group name is an email address that has the following format:

{groupType}.{serviceName|resourceName}.{permission}@{data-partition-id}.{domain}.com

Replace the following values:

Variable	Description
`groupType`	The type of group to be created. Values: data, service, users
`serviceName`	The name of the Open Data for Industries component. For example, storage, search, entitlements
`resourceName`	The resource name to be governed by group. For example, `welldb`, `npd`, `ihs`, `datalake`, `public`.
`data-partition-id`	The identifier of the group. A group is unique to each data partition, which means that access is defined per data partition. If you grant a service permission to one data partition, a user does not have that service permission in another data partition. For example, `client_1`, `common`
`permission`	The permission that is granted to the group. For example, `viewers`, `editors`, `admins`
`domain`	The user group domain name. For example, `instance.odi.client.org`

Group naming convention

Open Data for Industries uses the following naming convention rules:

Group names start with the word that determines the group type. For example, data groups start with the word data, service groups start with the word service, and user groups start with the word user.
Group names are case-insensitive. For more information, see Create group in the API reference.

Note: A group's name might differ from the stated structure. Such is the case with certain default and overarching groups that are part of the bootstrapped process as part of the Entitlements service provisioning. They might not need all that context.

User groups

User groups provide an abstraction from permission and user management. Clients or services can be directly added to user groups to obtain the permissions associated with that user group. The following user groups exist by default.

User group	Description
users@{data-partition-id}.{domain}	This group contains all users of the partition. The user principal or identity needs to belong to this group for you to be able to access the partition. Note: All the user identities that are created on the IDP for authentication need to have this group.
users.data.root@{data-partition-id}.{domain}	This group provides permission to all data entities on the partition. It is getting associated to all the custom data entity groups and custom user groups as part of their creation.
users.datalake.viewers@{data-partition-id}.{domain}	This user group is meant for viewer level authorization.
users.datalake.editors@{data-partition-id}.{domain}	This user group is meant for editor level authorization and to authorize the creation of data with the Storage API.
users.datalake.admins@{data-partition-id}.{domain}	This user group is meant for admin level authorization.
users.datalake.ops@{data-partition-id}.{domain}	This user group is meant for operations level authorization. Association with this group provides the highest level of access to all the services and data in a partition.
users.<resource_name>.<permission>@{data-partition-id}.{domain}	Custom user groups meant for aggregating permissions to manage resources.

Data groups

Data groups provide permission or set of permissions and privileges to enforce data access management. Open Data for Industries has default data groups that are associated with the users@<data-partition-id><domain> group.

Data resources or objects within partition can be authorized through custom data groups to obtain the permissions associated with those resources. These custom data groups are part of the access control list (ACL), which is associated with each resource. The ACL defines the authorization of the actions, which can be performed on the resources.

The following data groups exist by default.

Data group	Description
data.default.owners@{data-partition-id}.{domain}	This group gets associate to users@<data-partition-id><domain> and provides the default owners privileges.
data.default.viewers@{data-partition-id}.{domain}	This group gets associate to users@<data-partition-id><domain> and provides default viewers privileges.
data.<entity \| resourceName>.<permission>@{data-partition-id}.{domain}	Custom data groups meant for aggregating permissions to manage specific data resources under a partition.

Service groups

Service groups provide authorization to service endpoints. User identities or principals need to be associated with these groups or its child groups to be authorized to access the endpoints.

Service identities or principals also must be associated with these groups to enable one service or a set of services to call another service or a set of specific services.

Service	Service Groups (@{data-partition-id}.{domain})	Bootstrapped	Description
Entitlements	service.entitlements.admin	Yes	The service groups required to be authorized for accessing Entitlements service endpoints. Some Entitlements service endpoints also require the users.datalake.ops@{data-partition-id}.{domain} group to be associated with the principal.
Entitlements	service.entitlements.user	Yes
Legal	service.legal.editor	Yes	The service groups required to be authorized for accessing the Legal service endpoints.
	service.legal.user	Yes
	service.legal.admin	Yes
Schema	service.schema-service.editors	Yes	The service groups required to be authorized for accessing the Schema service endpoints.
	service.schema-service.viewers	Yes
	service.schema-service.admin	Yes
Storage	service.storage.admin	Yes	The service groups required to be authorized for accessing the Storage service endpoints.
	service.storage.creator	Yes
	service.storage.viewer	Yes
Indexer	service.indexer.admin	Yes	The service groups required to be authorized for accessing the Indexer service endpoints.
	service.indexer.creator	Yes
	service.indexer.viewer	Yes
Search	service.search.user	Yes	The service groups required to be authorized for accessing the Search service endpoints.
Search	service.search.admin	Yes
File	service.file.editors	Yes	The service groups required to be authorized for accessing the File service endpoints.
File	service.file.viewers	Yes
Workflow	service.workflow.creator	Yes	The service groups required to be authorized for accessing the Workflow service endpoints.
	service.workflow.viewer	Yes
	service.workflow.admin	Yes
Policy	service.policy.admin	Yes	The service groups required to be authorized for accessing the Policy service endpoints.
	service.policy.creator	Yes
	service.policy.viewer	Yes
CSV Parser	service.csv-parser.admin	Yes	The service groups required to be authorized for accessing the CSV Parser DAG service endpoints.
	service.csv-parser.creator	Yes
	service.csv-parser.viewer	Yes
Unit	service.unit.admin	Yes	The service groups required to be authorized for accessing the Unit service endpoints.
	service.unit.creator	Yes
	service.unit.viewer	Yes
Ingestion	service.ingest.admin	Yes	The service groups required to be authorized for accessing the Ingestion service endpoints.
	service.ingest.creator	Yes
	service.ingest.viewer	Yes
Seismic	service.seismic-store.viewer	Yes	The service groups required to be authorized for accessing the Seismic service endpoints.
	service.seismic-store.admin	Yes
	service.seismic-store.creator	Yes
Binary DMS	service.binarydms.admin	Yes	The service groups required to be authorized for accessing the Binary DMS service endpoints.
	service.binarydms.creator	Yes
	service.binarydms.viewer	Yes
External Data Source DMS	service.edsdms.admin	Yes	The service groups required to be authorized for accessing the EDS DMS service endpoints.
	service.edsdms.creator	Yes
	service.edsdms.viewer	Yes
	service.edsdms.user	Yes
Messaging	service.messaging.user	Yes	The service groups required to be authorized for accessing the Messaging service endpoints.
Plugin	service.plugin.user	Yes	The service groups required to be authorized for accessing the Plugin service endpoints.
Delivery	service.delivery.viewer	Yes	The service groups required to be authorized for accessing the Delivery service endpoints.
Cron Scheduling	cron.job	Yes	The service groups required to be authorized for accessing the Cron Scheduling service endpoints.

Authorization

For authentication, OAuth tokens are required from the Entitlements API. If the exchanged token is valid, then Entitlement API is used to grant authorization to the requested resources in the partition.

To retrieve the OAuth token, see the Token procurement endpoint.

The Entitlements API also requires users or service accounts to have the following authorization items as part of the request to access the API.

Valid data partition user account: The Entitlements API verifies user account member identity in the JSON Web Token (JWT) of the authorization header against specified data-partition-id. The data-partition-id is also provided in a header.

Valid data partition service account: The Entitlements API verifies service account member identity in the JWT of the authorization header against specified data-partition-id. The data-partition-id is also provided in a header.

User and service account authorization

Open Data for Industries uses service group authorization to determine whether the user or service account that is calling another service has the proper permissions to start it. User or service account must provide a JWT to identify themselves to the API that they are calling. The JW token must be provided in the Authorization header of the API call. If a service is calling another service, the calling service must provide a valid OAuth token to identify itself to the called API.

In each data partition where a service account is provisioned for access, you must associate the service account with the service groups.

To authorize access to an identity, call the GET /api/entitlements/v2/groups by providing:

A JSON Web Token in the authorization header.
The required data partition identifier in the data_partition_id attribute in the header.

For more information, see List groups in the Open Data for Industries API reference.

The Entitlements API returns a list of all the groups that the user or service account can access, if the following requirements are met.

The service account is a member of the specified data partition.
The service account is a member of service.entitlements.user group in the specified data partition.

If one of these conditions is not met, the Entitlements API returns an Unauthorized error.

If all the conditions are met, the Entitlements API inspects the list of groups to determine whether the requested group; for example, service.my_service.user, is on the list. Depending on result, the API authorizes access.

Before you authorize access for any resource through the Entitlements API, you must:

Ensure that you have the access token and it is part of the request's header when you are calling any of the Open Data for Industries APIs.
Ensure that the user or service account is a member of the specified data partition.
Add the user or the service account email for the service, which uses the Open Data for Industries APIs in a specific data partition, to the users@{data-partition-id}.{domain} group of the specified data partition. For example, storage_viewer@{data-partition-id}.{domain} must be added to users@{data-partition-id}.{domain}.
Ensure that the user or service account can use the Entitlements API.

Add the user or the service account email for the service, which uses the Entitlements API to authorize the service in a specific data partition, to the users of the Entitlements API. The group is named service.entitlements.user. For example, storage_viewer@{data-partition-id}.{domain} must be added to service.entitlements.user@{data-partition-id}.{domain}.

To authorize calls to the Open Data for Industries APIs

In each data partition where a service is used, create a group with the permissions or roles that the service supports.

For example, if you create a service that is called my_service, for the user and admin roles, you must create the service.my_service.user and service.my_service.admin groups for all relevant data partitions.
Add all users that are authorized to call a specific API to the group that has the role that you want on the service.
For example, to grant a user role to the user joe@customer.com for the service my_service in the data partition my_data_partition, add joe@customer.com to service.my_service.user@my_data_partition.{domain}.

Data authorization: After the user or service account is authorized to access the Storage API in Open Data for Industries, the data authorization uses the associated group permissions on the data. The Access Control List (ACL) that is provided in the record to be ingested is directly applied on MinIO objects. Thus, the Storage API uses the user authorization mechanism to determine whether the user has access to the record.

Bootstrap groups structure and relationship

Open Data for Industries as part of the provisioning scripts has a mechanism to bootstrap a minimum and mandatory group structure and relationships.

This mechanism enforces minimum permissions on the default partition, which is created as part of the Open Data for Industries system provisioning.

The Entitlements API implements the POST /tenant-provisioning endpoint to bootstrap the basic service permission groups for a new partition. The Entitlements API does the same process for default partitions.

Endpoint sample command

curl --location --request POST $cpdBaseUrl/osdu-entitlements-v2/api/entitlements/v2/tenant-provisioning \
--header 'data-partition-id: <<data_partition_id>> \
--header "Authorization: Bearer ${ACCESS_TOKEN}" \
--data-raw ""

Note:

The API can be applied multiple times without any effect on the state of the system.
The API needs to be ran for newly provisioned partitions before the partition can be used.
It is not allowed to delete the groups and the relations that are created between them as part of the bootstrap process. However, new associations can be created by using the Entitlements API endpoints.

Relationship between role groups

Groups' structure for default data permissions.
Groups' structure for custom group permissions.
Groups' structure and association of users and service groups.: Check the association of user and service permissions that each user group has.

POST /tenant-provisioning groups

The following table lists all the groups, which are created in the POST /tenant-provisioning endpoint.

Group Category	Group Names (@{data-partition-id}.{domain})	Description
Root user group	users	This group contains all users of the partition. The identity needs to belong to this group to access the partition.
Data admin group	users.data.root	This group provides permission to all data entities on the partition. It gets associated to all the custom data entity groups and the custom user groups as part of the creation of these groups.
Basic Core permission groups	users.datalake.ops users.datalake.admins users.datalake.editors users.datalake.viewers	The wrapped core permission groups. The identity needs to belong to one of them to be able to access the partition.
Default data group	data.default.owners data.default.viewers	The default data groups for a partition. All users of the partition can access it.
Service groups	service.entitlements.admin service.entitlements.user service.legal.editor service.legal.user service.legal.admin service.schema-service.editors service.schema-service.viewers service.schema-service.admin service.storage.admin service.storage.creator service.storage.viewer service.indexer.admin service.indexer.creator service.indexer.viewer service.search.user service.search.admin service.file.editors service.file.viewers service.workflow.creator service.workflow.viewer service.workflow.admin service.policy.admin service.policy.creator service.policy.viewer service.csv-parser.admin service.csv-parser.creator service.csv-parser.viewer service.unit.admin service.unit.creator service.unit.viewer service.ingest.admin service.ingest.creator service.ingest.viewer service.seismic-store.viewer service.seismic-store.admin service.seismic-store.creator service.binarydms.admin service.binarydms.creator service.binarydms.viewer service.edsdms.admin service.edsdms.creator service.edsdms.viewer service.edsdms.user service.messaging.user service.plugin.user service.delivery.viewer	Service groups for all the mandatory and default Open Data for Industries service endpoints.

POST /tenant-provisioning group relationships

The following table illustrates all the group relationships that are created in the POST /tenant-provisioning endpoint.

Child group(@{data-partition-id}.{domain})	Parent groups(@{data-partition-id}.{domain})
users	data.default.owners data.default.viewers
users.datalake.viewers	service.storage.viewer  service.search.user service.entitlements.user service.legal.user service.plugin.user service.messaging.user service.schema-service.viewers service.file.viewers service.workflow.viewer service.indexer.viewer service.unit.viewer service.ingest.viewer service.seismic-store.viewer service.binarydms.viewer service.edsdms.viewer service.edsdms.user service.csv-parser.viewer service.policy.viewer service.delivery.viewer service.legal.viewer service.policy.user
users.datalake.editors	All parents of users.datalake.viewers service.storage.creator service.legal.editor service.schema-service.editors service.file.editors service.workflow.creator service.indexer.creator service.unit.creator service.ingest.creator service.seismic-store.creator service.binarydms.creator service.edsdms.creator service.csv-parser.creator service.policy.creator
users.datalake.admins	All parents of users.datalake.editors service.search.admin service.entitlements.admin service.workflow.admin
users.datalake.ops	All parents of users.datalake.admins service.storage.admin service.legal.admin service.schema-service.admin service.indexer.admin service.unit.admin service.ingest.admin service.seismic-store.admin service.binarydms.admin service.edsdms.admin service.edsdms.user service.csv-parser.admin service.policy.admin service.file.admin

Authorizing an overarching permission to user account

Follow the steps to provide a user you have already created on an Identity Provider (such as Keycloak) with an overarching permission to access all the resources authorized by Open Data for Industries.

Use Entitlements API to set up the user.

Create a user in the IDP (Keycloak). For more information, see Managing Open Data for Industries users through Keycloak. Ignore this step if the user already exists.
Acquire the JWT access token for a user that has OWNER privileges over the group that needs to be assigned to the user.
You need access token of a user that has admin privileges to access the Entitlements API endpoints and is an OWNER to the groups users@{data-partition-id}.{domain} and users.datalake.ops@{data-partition-id}.{domain}.
Associate the following groups for the user, or the principal identified by its mail ID:
1. users@{data-partition-id}.{domain}
2. users.datalake.ops@{data-partition-id}.{domain}
Use the CURL command template:
```
curl --location -g --request POST '{{entitlement-v2-host}}/api/entitlements/v2/groups/{{group_email}}/members' \ 
--header 'data-partition-id: {{data-partition-id}}' \ 
--header 'Authorization: Bearer {{access_token}}' \ 
--header 'Content-Type: application/json' \ 
--data-raw '{ "email" : "{{user_email_id}}", "role" : "{{user_role}}" }'
```
user_email_id

The email identity of the user or principal.

user_role

The role can be either OWNER, or MEMBER.

Remember: Replace {{access token}} with your actual one before you run the command.

Note: The command associates the user with the two overarching groups. Therefore, you need to run two commands per user.

Note: Open Data for Industries installation process provisions a super user with overarching permissions called admin-sa.

FAQ:

User with an OWNER role is able to create new members such as an admin user.
User with a MEMBER role has all rights to access assigned services. The MEMBER user doesn’t have rights to create new MEMBER.
It is recommended to create new user with MEMBER role.
You can choose any data partition ID and domain name combination other than opendes.ibm.com as it is the default data partition identity on Open Data for Industries.
To successfully start the Entitlements API, you need to add a Member or a Group to an existing Group. In this case, you must have a KeyCloak user who has the required permissions.
It is assumed that while you migrate the Entitlements v1 API to Entitlements v2 API, all the KeyCloak users are pre-provisioned. You need to add those users into one or more specific groups to give them the required permissions.
You can assign individual role or a set of roles, which are identified by Child Groups as required. For more information, see POST /tenant-provisioning group relationships.

Migrating user accounts from Entitlements V1 to Entitlements V2

To migrate the users from Entitlements V1 to Entitlements V2, follow these steps.

Acquire the JWT access token for a user that has OWNER privileges over the group that needs to be assigned to the user.
You need to obtain an access token for a user that has admin privileges to access the Entitlements API endpoints and is an OWNER of all the groups.

If you don't have such an overarching user, you can create one by following the steps in Authorizing an overarching permission to user account.
Associate the following groups for the user, or the principal identified by its mail ID:
1. users@{data-partition-id}.{domain}
2. Any other associated groups with the user in the Entitlement V1.
Use the CURL command template:
```
curl --location -g --request POST '{{entitlement-v2-host}}/api/entitlements/v2/groups/{{group_email}}/members' \ 
--header 'data-partition-id: {{data-partition-id}}' \ 
--header 'Authorization: Bearer {{access_token}}' \ 
--header 'Content-Type: application/json' \ 
--data-raw '{ "email" : "{{user_email_id}}", "role" : "{{user_role}}" }'
```
user_email_id

The email identity of the user or principal.

user_role

The role can be either OWNER, or MEMBER.

Remember: Replace {{access token}} with your actual one before you run the command.

Note: The command associates the user with the groups. Therefore, you need to run the command per user for each group.

Important Entitlements API endpoints explained

POST /api/entitlements/v2/groups

Creates the group within the data partition that is provided in the data partition ID request header. This endpoint is used to create service and data groups.

This endpoint creates a group with the following email mnemonics: {group_name}@{data-partition-id}.{domain}.

{{data-partition-id}}: Placed or provided in the request header.
{{domain}}: The domain of the Open Data for Industries application, which is configured during installation. It can be retrieved from config maps.

{{JWT}}: Received as authorization token in the header. The user of the token is made OWNER of the group.
Note: The user or service whose token is used, must belong to service.entitlements.admin@{data-partition-id}.{domain}.com group.

{{group_name}}: The name of the group, which is following the group nomenclature that is defined for Open Data for Industries. The only exception is the part, which includes ‘@’, and the part after it.; For example, you need to provide only storage.well.editors from storage.well.editors@{data-partition-id}.{domain}.

curl --request POST --url 'https://{{cpd_cluster_url}}/{{entitlement_service_context}}/api/entitlements/v2/groups' \
  --header 'authorization: Bearer {{JWT}}' \
  --header 'content-type: application/json' \
  --header 'data-partition-id: {{data-partition-id}}' \
  --data '{
             "name": "{{group_name}}",
             "description": "This is a user or service group with permission defined."
         }'

GET /api/entitlements/v2/groups

Lists all the groups for data partition, which are provided as data partition ID in the request header parameter.

The result is a flat list of all the groups that are associated with the partition identity.

{{data-partition-id}}: Placed or provided in the request header.

{{JWT}}: Received as authorization token in the header. The user of the token is made an OWNER of the group.

curl --request GET \
  --url 'https://{{cpd_cluster_url}}/{{entitlement_service_context}}/api/entitlements/v2/groups' \
  --header 'authorization: Bearer {{JWT}}' \
  --header 'content-type: application/json' \
  --header 'data-partition-id: {{data-partition-id}}'

POST /api/entitlements/v2/groups/{{group_email}}/members

Adds members to a group. Used to associate users or groups to groups or child groups.

The member added can either be a user or a group. The group email value is {group_name}@{data-partition-id}.{domain}.

{{data-partition-id}}: Placed or provided in the request header.
{{domain}}: The domain of the Open Data for Industries application, which is configured during installation. It can be retrieved from config maps.
{{JWT}}: Received as authorization token in header.
Note: The user or service whose token is used, must belong to service.entitlements.admin@{data-partition-id}.{domain}.com group.

{{group_email}}: The name of the group. It follows the group nomenclature, which is defined for Open Data for Industries. The group email has a structure such as {group_name}@{data-partition-id}.{domain}.
{{group_member_email}}: The member email identity, which is to be associated with the group.

{{group_member_role}}: Member role can be either OWNER, or MEMBER.

curl --request POST   --url  'https://{{cpd_cluster_url}}/{{entitlement_service_context}}/api/entitlements/v2/groups/{{group_email}}/members' \
  --header 'authorization: Bearer {{JWT}}' \
  --header 'content-type: application/json' \
  --header 'data-partition-id: {{data-partition-id}}' \
  --data '{
            "email": "{{group_member_email}}",
            "role": "{{group_member_role}} "
          }'

GET /api/entitlements/v2/groups/{{group_email}}/members

Retrieves members that belong to a group_email within the data partition, which is provided in the data-partition-id request header.

Associate users or groups to groups or child groups

{{data-partition-id}}: Placed or provided in the request header.

{{JWT}}: Received as authorization token in header.
Note: The user or service whose token is used, must belong to users.datalake.admins@{data-partition-id}.{domain}.com group, or is the OWNER of the {{group_email}}.

{{group_email}}: The name of the group. It follows the group nomenclature, which is defined for Open Data for Industries. The group email has a structure such as {group_name}@{data-partition-id}.{domain}
{{role}}: Query parameter role can be specified to filter group members by role of OWNER or MEMBER.
{{includeType}}: Retrieve whether a member is of a type USER or GROUP.

curl --request GET   --url 'https://{{cpd_cluster_url}}/{{entitlement_service_context}}/api/entitlements/v2/groups/{{group_email}}/members?includeType=false&role=OWNER' \
  --header 'authorization: Bearer {{JWT}}' \
  --header 'content-type: application/json' \
  --header 'data-partition-id: {{data-partition-id}}'

DELETE /api/entitlements/v2/groups/{{group_email}}/members/{{group_member_email}}

Deletes or removes a member, which is identified in the path parameter ‘group_member_email’ from group ‘group_email’ within the data partition. The deleted member can either be a user, or a group.

Used to disassociate users or groups from groups or child groups.

{{data-partition-id}}: Placed or provided in the request header.
{{JWT}}: Received as authorization token in header.; Note: The user or service whose token is used, must belong to service.entitlements.user@{data-partition-id}.{domain}.com group, or is the OWNER of the {{group_email}}.
{{group_email}}: The name of the group. It follows the group nomenclature, which is defined for Open Data for Industries. The group email has a structure such as {group_name}@{data-partition-id}.{domain}.
{{group_member_email}}: The member email identity, which is disassociated with the group.

curl --request DELETE   --url 'https://{{cpd_cluster_url}}/{{entitlement_service_context}}/api/entitlements/v2/groups/{{group_email}}/members/{{group_member_email}}' \
  --header 'authorization: Bearer {{JWT}}' \
  --header 'content-type: application/json' \
  --header 'data-partition-id: {{data-partition-id}}'

DELETE /api/entitlements/v2/groups/{{group_email}}

Deletes the Entitlements group, which is identified in the path parameter ‘group_email’ within the data partition, provided in data-partition-id request header parameter.

{{data-partition-id}}: Placed or provided in the request header.
{{JWT}}: Received as authorization token in header.
Note: The user or service whose token is used, must belong to service.entitlements.user@{data-partition-id}.{domain}.com group, or is the OWNER of the {{group_email}}.
{{group_email}}: The name of the group. It follows the group nomenclature, which is defined for Open Data for Industries. The group email has a structure such as {group_name}@{data-partition-id}.{domain}.

curl --request DELETE   --url 'https://{{cpd_cluster_url}}/{{entitlement_service_context}}/api/entitlements/v2/groups/{{group_email}} \
  --header 'authorization: Bearer {{JWT}}' \
  --header 'content-type: application/json' \
  --header 'data-partition-id: {{data-partition-id}}'

Entitlements API endpoint permissions

The following permissions are required to use the Entitlements API.

Endpoint URL	Method	Minimum permissions required
/api/entitlements/v2/tenant-provisioning	POST	service.entitlements.admin
/api/entitlements/v2/groups	POST	service.entitlements.admin
/api/entitlements/v2/groups	GET	service.entitlements.user
/api/entitlements/v2/groups/{group_email}	DELETE	service.entitlements.admin
/api/entitlements/v2/groups/{group_email}	PATCH	service.entitlements.user
/api/entitlements/v2/groups/{group_email}/members	POST	service.entitlements.user
/api/entitlements/v2/groups/{group_email}/members	GET	service.entitlements.user
/api/entitlements/v2/groups/{group_email}/members/{member_email}	DELETE	service.entitlements.user
/api/entitlements/v2/members/{member_email}/groups	GET	service.entitlements.admin
/api/entitlements/v2/members/{member_email}	DELETE	service.entitlements.admin