/scalemgmt/v3/authorization/domains: POST

Creates a role-based access control (RBAC) domain.

Availability

Available on all IBM Storage Scale editions.

Description

The POST authorization/domains request creates an RBAC domain. A domain is a logical grouping of resources, users or roles, and actions. There are no built-in restrictions on which resources can be included in a domain. To run this request, you must have the RBAC permission for the create action on the /scalemgmt/v3/authorization/domains resource.

A domain consists of the following components:
  • Resources: A resource is represented by a URL endpoint. This URL endpoint can refer to a file system, fileset, disk, NSD, or other IBM Storage Scale object. A wildcard (*) can be used to match any resource. For example, /scalemgmt/v3/filesystems/fs0/filesets/* matches all filesets in the fs0 file system for the specified action.
  • Actions: Actions are the various operations that can be performed on a specific resource. Not all actions apply to every resource. The supported actions are create, delete, get, list, update, link, unlink, mount, unmount, and cani or impersonate.
  • User: The person making the request.
  • Effect: Whether a rule allows or denies access. Rule evaluation follows these conditions:
    • Default deny: a request that matches no rule is denied.
    • The system checks for an allow rule that matches the request.
    • If an explicit deny rule matches the request, it overrides any matching allow rule.
    To grant permission, an explicit allow rule must match the request and no deny rule may match it. The deny rule is useful together with wildcards (*): a wildcard allow grants access to everything it matches except what is explicitly denied.
  • Time: The time of the request.
  • Membership: Membership is the relationship between a user and their role within a domain.
  • Permission: The relationship between a role, action, effect, and resource within a domain.
  • Resource group: A collection of resources that can be reused in various roles.
  • Attribute: Custom attributes, for advanced use cases, that can be evaluated for attribute-based access control (ABAC).
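The evaluation rules above, worked through in code. This is an added reference evaluator written for this page, not IBM Storage Scale's implementation. The domain document is constructed sample input in the shape of the POST body, and two semantics are assumptions because the page does not spell them out: a policy resource that does not name a resource group is treated as a literal URL pattern, and `*` matches any non-empty suffix, including further path segments. The FsOperator role shows the carve-out pattern the Description describes, a wildcard allow combined with an explicit deny.

```python
"""Reference evaluator for the RBAC rules in the Description above.

Added example for this page, not the IBM Storage Scale implementation.
Assumed semantics (the page does not state them):
  * a policy 'resource' that is not a resource-group name is a literal URL pattern;
  * '*' in a URL pattern matches any non-empty suffix, including further '/' segments.
"""
import re
from typing import Dict, List

# Constructed sample domain in the shape of the POST body. FsOperator combines a
# wildcard allow on all file systems with an explicit deny of delete on fs0.
DOMAIN: Dict = {
    "name": "example",
    "permissions": {
        "FilesetAdmin": {"policies": [
            {"action": "create", "resource": "fs0_filesets", "effect": "allow"},
            {"action": "get", "resource": "fs0_filesets", "effect": "allow"},
        ]},
        "FsOperator": {"policies": [
            {"action": "get", "resource": "all_filesystems", "effect": "allow"},
            {"action": "delete", "resource": "all_filesystems", "effect": "allow"},
            {"action": "delete", "resource": "fs0_only", "effect": "deny"},
        ]},
    },
    "memberships": {
        "alice": {"roles": ["FilesetAdmin"]},
        "bob": {"roles": ["FsOperator"]},
        "eve": {"roles": ["NoSuchRole"]},  # role without a permissions entry
    },
    "resource_groups": {
        "fs0_filesets": {"resources": [
            "/scalemgmt/v3/filesystems/fs0/filesets",
            "/scalemgmt/v3/filesystems/fs0/filesets/*",
        ]},
        "all_filesystems": {"resources": [
            "/scalemgmt/v3/filesystems",
            "/scalemgmt/v3/filesystems/*",
        ]},
        "fs0_only": {"resources": ["/scalemgmt/v3/filesystems/fs0"]},
    },
}


def resource_matches(pattern: str, resource: str) -> bool:
    """Literal match, except that each '*' stands for one or more characters (assumed)."""
    regex = ".+".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def expand_resources(domain: Dict, name: str) -> List[str]:
    """Resolve a policy's resource: a resource-group name expands to its URL
    patterns; anything else is used as a literal pattern (assumption)."""
    group = domain.get("resource_groups", {}).get(name)
    return list(group["resources"]) if group else [name]


def evaluate(domain: Dict, user: str, action: str, resource: str) -> str:
    """Return 'allow' or 'deny' for (user, action, resource).

    Default deny; a matching allow grants access; a matching explicit deny
    overrides every matching allow. Unknown users and roles with no
    permissions entry contribute no rules and therefore fall through to deny.
    """
    roles = domain.get("memberships", {}).get(user, {}).get("roles", [])
    allowed = denied = False
    for role in roles:
        for policy in domain.get("permissions", {}).get(role, {}).get("policies", []):
            if policy["action"] != action:
                continue
            patterns = expand_resources(domain, policy["resource"])
            if not any(resource_matches(p, resource) for p in patterns):
                continue
            if policy["effect"] == "deny":
                denied = True
            elif policy["effect"] == "allow":
                allowed = True
    return "allow" if allowed and not denied else "deny"


if __name__ == "__main__":
    checks = [
        ("alice", "create", "/scalemgmt/v3/filesystems/fs0/filesets/fset1"),  # allow
        ("alice", "create", "/scalemgmt/v3/filesystems/fs1/filesets/fset1"),  # deny: other file system
        ("bob", "delete", "/scalemgmt/v3/filesystems/fs1"),                   # allow: wildcard
        ("bob", "delete", "/scalemgmt/v3/filesystems/fs0"),                   # deny: explicit deny wins
        ("bob", "get", "/scalemgmt/v3/filesystems/fs0"),                      # allow: deny covers delete only
        ("eve", "get", "/scalemgmt/v3/filesystems"),                          # deny: dangling role
    ]
    for user, action, resource in checks:
        print(f"{user:6} {action:7} {resource:48} -> {evaluate(DOMAIN, user, action, resource)}")
```

Note that the bare collection path `/scalemgmt/v3/filesystems` is not matched by `/scalemgmt/v3/filesystems/*` under the assumed semantics, which is why the page's own example lists both the collection URL and its `/*` form in every resource group.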

Request URL

https://<IP address or host name of API server>:<port>/scalemgmt/v3/authorization/domains

Request headers

Accept: application/json
Content-Type: application/json

Parameters

The following parameters can be used in the request URL to customize the request:
Table 1. List of parameters
Parameter name | Description and applicable keywords | Required/optional
domain | The name of the RBAC domain. | Required.
X-StorageScaleDomain | The domain to be authorized against for the request. The default value is StorageScaleDomain. | Optional.

Request data

The request body is a JSON object with the same structure as the 201 response body: name (the domain name), permissions (role name to a list of policies, each with action, effect, and resource), memberships (user name to a list of roles), resource_groups (group name to a list of resource URLs), and optional attributes. See Examples.

Response data

  • 201: The domain was created. The response body is the created domain:
    {
      "attributes": {},
      "id": 0,
      "memberships": {
        "additionalProp1": {
          "name": "string",
          "roles": [
            "string"
          ]
        },
        "additionalProp2": {
          "name": "string",
          "roles": [
            "string"
          ]
        },
        "additionalProp3": {
          "name": "string",
          "roles": [
            "string"
          ]
        }
      },
      "name": "string",
      "permissions": {
        "additionalProp1": {
          "policies": [
            {
              "action": "string",
              "effect": "string",
              "resource": "string"
            }
          ],
          "role": "string"
        },
        "additionalProp2": {
          "policies": [
            {
              "action": "string",
              "effect": "string",
              "resource": "string"
            }
          ],
          "role": "string"
        },
        "additionalProp3": {
          "policies": [
            {
              "action": "string",
              "effect": "string",
              "resource": "string"
            }
          ],
          "role": "string"
        }
      },
      "resource_groups": {
        "additionalProp1": {
          "name": "string",
          "resources": [
            "string"
          ]
        },
        "additionalProp2": {
          "name": "string",
          "resources": [
            "string"
          ]
        },
        "additionalProp3": {
          "name": "string",
          "resources": [
            "string"
          ]
        }
      }
    }

  • default: An unexpected error response.
    {
      "code": 0,
      "details": [
        {
          "@type": "string",
          "additionalProp1": "string",
          "additionalProp2": "string",
          "additionalProp3": "string"
        }
      ],
      "message": "string"
    }

Examples

The following example creates the domain1 RBAC domain with the defined permissions:

Request data:
curl -X 'POST' \
  'https://localhost:46443/scalemgmt/v3/authorization/domains' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "domain1",
    "permissions": {
      "NSDOperationRole": {
        "policies": [
          {
            "action": "create",
            "resource": "nsd",
            "effect": "allow"
          },
          {
            "action": "delete",
            "resource": "nsd",
            "effect": "allow"
          },
          {
            "action": "get",
            "resource": "nsd",
            "effect": "allow"
          }
        ]
      },
      "FS1FilesetRole": {
        "policies": [
          {
            "action": "create",
            "resource": "filesets",
            "effect": "allow"
          },
          {
            "action": "delete",
            "resource": "filesets",
            "effect": "allow"
          },
          {
            "action": "link",
            "resource": "filesets",
            "effect": "allow"
          },
          {
            "action": "unlink",
            "resource": "filesets",
            "effect": "allow"
          },
          {
            "action": "get",
            "resource": "filesets",
            "effect": "allow"
          }
        ]
      }
    },
    "memberships": {
      "alice": {
        "roles": [
          "NSDOperationRole"
        ]
      },
      "bob": {
        "roles": [
          "FS1FilesetRole"
        ]
      },
      "eve": {
        "roles": [
          "FS1Filesystem"
        ]
      }
    },
    "resource_groups": {
      "nsd": {
        "resources": [
          "/scalemgmt/v1alpha1/nsds",
          "/scalemgmt/v1alpha1/nsds/*",
          "/scalemgmt/v1alpha1/operations",
          "/scalemgmt/v1alpha1/operations/*"
        ]
      },
      "filesets": {
        "resources": [
          "/scalemgmt/v1alpha1/filesystems/fs1/filesets",
          "/scalemgmt/v1alpha1/filesystems/fs1/filesets/*"
        ]
      },
      "filesystem_fs1": {
        "resources": [
          "/scalemgmt/v1alpha1/filesystems",
          "/scalemgmt/v1alpha1/filesystems/*"
        ]
      }
    }
  }' -n
Response data:
{
	"id": 3448080974,
	"name": "domain1",
	"permissions": {
		"FS1FilesetRole": {
			"role": "",
			"policies": [
				{
					"resource": "filesets",
					"action": "create",
					"effect": "allow"
				},
				{
					"resource": "filesets",
					"action": "delete",
					"effect": "allow"
				},
				{
					"resource": "filesets",
					"action": "link",
					"effect": "allow"
				},
				{
					"resource": "filesets",
					"action": "unlink",
					"effect": "allow"
				},
				{
					"resource": "filesets",
					"action": "get",
					"effect": "allow"
				}
			]
		},
		"NSDOperationRole": {
			"role": "",
			"policies": [
				{
					"resource": "nsd",
					"action": "create",
					"effect": "allow"
				},
				{
					"resource": "nsd",
					"action": "delete",
					"effect": "allow"
				},
				{
					"resource": "nsd",
					"action": "get",
					"effect": "allow"
				}
			]
		}
	},
	"memberships": {
		"alice": {
			"name": "",
			"roles": [
				"NSDOperationRole"
			]
		},
		"bob": {
			"name": "",
			"roles": [
				"FS1FilesetRole"
			]
		},
		"eve": {
			"name": "",
			"roles": [
				"FS1Filesystem"
			]
		}
	},
	"resource_groups": {
		"filesets": {
			"name": "",
			"resources": [
				"/scalemgmt/v1alpha1/filesystems/fs1/filesets",
				"/scalemgmt/v1alpha1/filesystems/fs1/filesets/*"
			]
		},
		"filesystem_fs1": {
			"name": "",
			"resources": [
				"/scalemgmt/v1alpha1/filesystems",
				"/scalemgmt/v1alpha1/filesystems/*"
			]
		},
		"nsd": {
			"name": "",
			"resources": [
				"/scalemgmt/v1alpha1/nsds",
				"/scalemgmt/v1alpha1/nsds/*",
				"/scalemgmt/v1alpha1/operations",
				"/scalemgmt/v1alpha1/operations/*"
			]
		}
	},
	"attributes": null
}
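A pre-flight consistency check for a domain body before it is POSTed, using the domain1 definition from the example above as constructed input (added example code for this page, not part of IBM Storage Scale). The example is instructive here: the request was accepted with a 201, yet eve is assigned FS1Filesystem, a role that has no permissions entry, and filesystem_fs1 is a resource group that no policy references. Under default deny, eve therefore has no access at all, which is probably not what was intended, and the API did not flag it. The action list is the one given in the Description; the rule that a policy resource must either name a resource group or be a URL path starting with "/" is an assumption.

```python
"""Pre-flight checks for an RBAC domain body before it is POSTed.

Added example for this page, not IBM Storage Scale code. The supported-action
list is the one given in the Description; treating a policy resource that is
neither a resource-group name nor a '/'-prefixed URL as an error is an assumption.
"""
from typing import Dict, List

SUPPORTED_ACTIONS = {"create", "delete", "get", "list", "update", "link", "unlink",
                     "mount", "unmount", "cani", "impersonate"}
EFFECTS = {"allow", "deny"}


def _allow_all(resource: str, actions: List[str]) -> Dict:
    """Build a permissions entry that allows each action on one resource group."""
    return {"policies": [{"action": a, "resource": resource, "effect": "allow"} for a in actions]}


# The domain1 body from the example request above, reproduced as a Python dict.
DOMAIN1: Dict = {
    "name": "domain1",
    "permissions": {
        "NSDOperationRole": _allow_all("nsd", ["create", "delete", "get"]),
        "FS1FilesetRole": _allow_all("filesets", ["create", "delete", "link", "unlink", "get"]),
    },
    "memberships": {
        "alice": {"roles": ["NSDOperationRole"]},
        "bob": {"roles": ["FS1FilesetRole"]},
        "eve": {"roles": ["FS1Filesystem"]},
    },
    "resource_groups": {
        "nsd": {"resources": [
            "/scalemgmt/v1alpha1/nsds", "/scalemgmt/v1alpha1/nsds/*",
            "/scalemgmt/v1alpha1/operations", "/scalemgmt/v1alpha1/operations/*",
        ]},
        "filesets": {"resources": [
            "/scalemgmt/v1alpha1/filesystems/fs1/filesets",
            "/scalemgmt/v1alpha1/filesystems/fs1/filesets/*",
        ]},
        "filesystem_fs1": {"resources": [
            "/scalemgmt/v1alpha1/filesystems", "/scalemgmt/v1alpha1/filesystems/*",
        ]},
    },
}


def lint_domain(domain: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the body is internally consistent."""
    findings: List[str] = []
    permissions = domain.get("permissions", {})
    groups = domain.get("resource_groups", {})

    # 1. Every role a user is given must have a permissions entry; otherwise the
    #    user silently falls through to default deny.
    for user, membership in domain.get("memberships", {}).items():
        for role in membership.get("roles", []):
            if role not in permissions:
                findings.append(f"user '{user}' has role '{role}', which has no permissions entry")

    # 2. Policies must use a known action, a known effect, and a resolvable resource.
    referenced_groups = set()
    for role, entry in permissions.items():
        for policy in entry.get("policies", []):
            if policy.get("action") not in SUPPORTED_ACTIONS:
                findings.append(f"role '{role}': unsupported action '{policy.get('action')}'")
            if policy.get("effect") not in EFFECTS:
                findings.append(f"role '{role}': effect must be allow or deny, got '{policy.get('effect')}'")
            resource = policy.get("resource", "")
            if resource in groups:
                referenced_groups.add(resource)
            elif not resource.startswith("/"):
                findings.append(f"role '{role}': resource '{resource}' is neither a resource group nor a URL")

    # 3. A resource group nobody references is dead configuration worth a second look.
    for group in groups:
        if group not in referenced_groups:
            findings.append(f"resource group '{group}' is not used by any policy")
    return findings


if __name__ == "__main__":
    for finding in lint_domain(DOMAIN1) or ["no findings"]:
        print(finding)
```

Run against domain1 the check reports exactly the two problems noted above; fixing them means either adding a permissions entry named FS1Filesystem with policies on the filesystem_fs1 group, or removing eve's membership and the unused group.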