
The apiusers endpoint

Use the apiusers endpoint to create users who can use the API for user administration.

This endpoint supports the following methods.

GET

GET /APIusers

This operation returns all API users in the same format as GET /users.

There are two attributes for each API user:

name
The name that is used to log in to SCIM.

DN
An LDAP DN that can be used in LDAP.

GET /apiuser/name

This operation returns the API user with the specified name.

POST

POST /APIusers

This operation adds an API user.

The body must contain two attributes, name and password.

{
  "name":"someName",
  "password":"secret:"
}

This name and password are used by the new API user later to log in to SCIM.

The body might contain more attributes, such as API key, role, or access.

PATCH

PATCH /APIuser/username

This operation modifies the API user.

The body must contain the attributes that need to be changed, for example, the password.

DELETE

DELETE /APIusers/username

Deletes the specified API user.

In SCIM, when the API users log in to SCIM, they must provide their name and password in the usual HTTP Basic Authentication header. They must also provide an HTTP Header TenantName containing the tenant name for the SCIM Service to know which tenant they represent. An API user can do everything that a user can do, except administer API users.
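The POST /APIusers body and the login headers described above, as an added example that is not code from this documentation or from the product. The host `scim.example.com`, the tenant `tenant1`, the user names, the `application/json` content type and the idea that the administrator's call carries the same headers are assumptions; requests are built but never sent.

```python
import base64
import json
import secrets
import urllib.request
from urllib.parse import urlsplit


def basic_auth(name, password):
    """Value for the Authorization header (HTTP Basic, RFC 7617)."""
    if ":" in name:
        # The receiver splits on the first colon, so the name cannot contain one.
        raise ValueError("API user name must not contain ':'")
    pair = f"{name}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def scim_request(base_url, path, tenant, name, password, method="GET", body=None):
    """Build, without sending, a request with the two headers SCIM expects."""
    if urlsplit(base_url).scheme != "https":
        # Base64 is an encoding, not encryption: Basic credentials need TLS.
        raise ValueError("refusing to put Basic credentials on a non-TLS URL")
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", basic_auth(name, password))
    # urllib stores this as "Tenantname"; HTTP header names are case-insensitive.
    req.add_header("TenantName", tenant)
    if data is not None:
        req.add_header("Content-Type", "application/json")  # assumed media type
    return req


def new_apiuser_body(name):
    """Body for POST /APIusers with a random password instead of a fixed one."""
    return {"name": name, "password": secrets.token_urlsafe(24)}


if __name__ == "__main__":
    base = "https://scim.example.com"  # constructed placeholder host
    body = new_apiuser_body("svc-provisioning")  # constructed user name
    # Assumption: the administrator creating the API user sends the same headers.
    create = scim_request(base, "/APIusers", "tenant1", "admin", "admin-pw", "POST", body)
    # The new API user then logs in with the name and password from the body.
    login = scim_request(base, "/users", "tenant1", body["name"], body["password"])
    for req in (create, login):
        # Print header names only, never the credential values.
        print(req.get_method(), req.full_url, sorted(req.headers))
```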

In LDAP, the new API users are person objects that are stored in a container that is named ou=API,ou=<tenantname>,<tenantBase>. To give the new API users the correct access rights in LDAP, an aclEntry attribute is added to the user and group container for each tenant, with the following value:

group:groupName:normal:rwsc:system:rsc:restricted:rsc:object:ad:at.userpassword:rwsc

Here, groupName is a new group that contains all the API users for that tenant.