The apiusers endpoint
Use the apiusers endpoint to create users who can use the API for user administration.
This endpoint supports the following methods.
GET
GET /APIusers
This operation returns all API users in the same format as GET /users.
There are two attributes for each API user:
name: The name that is used to log in to SCIM.
DN: An LDAP DN that can be used in LDAP.
GET /apiuser/name
This operation returns the API user with the specified name.
POST
POST /APIusers
This operation adds an API user.
The body must contain two attributes, name and password.
{
"name":"someName",
"password":"secret:"
}
This name and password are used later by the new API user to log in to SCIM.
The body might contain more attributes, such as API key, role, or access.
PATCH
PATCH /APIuser/username
This operation modifies the API user.
The body must contain the attributes that need to be changed, for example, the password.
DELETE
DELETE /APIusers/username
Deletes the specified API user.
When API users log in to SCIM, they must provide their name and password in the usual HTTP Basic Authentication header. They must also provide an HTTP header, TenantName, containing the tenant name, so that the SCIM Service knows which tenant they represent. An API user can do everything that a user can do, except administer API users.
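The following added example (not part of the original documentation) builds the two headers an API user sends and the body for POST /APIusers. The function names, the base URL passed in, and the application/json content type are assumptions; the request is built but never sent, and non-HTTPS URLs are refused because Basic credentials are only base64-encoded.

```python
import base64
import json
import secrets
import urllib.request
from urllib.parse import urlsplit


def new_apiuser_body(name, password=None):
    """JSON body for POST /APIusers: the two required attributes."""
    if not name:
        raise ValueError("name is required")
    # Generate a high-entropy secret rather than relying on a human-chosen one.
    password = password or secrets.token_urlsafe(32)
    return json.dumps({"name": name, "password": password}).encode("utf-8")


def apiuser_headers(tenant, name, password):
    """Headers an API user must send: Basic credentials plus TenantName."""
    if ":" in name:
        # RFC 7617: the user-id part of Basic credentials cannot contain ':'.
        raise ValueError("API user name must not contain ':'")
    if not tenant or any(ch in tenant for ch in "\r\n"):
        raise ValueError("tenant name is empty or contains CR/LF")
    token = base64.b64encode(f"{name}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token, "TenantName": tenant}


def apiuser_request(base_url, tenant, name, password,
                    method="GET", path="/users", body=None):
    """Build (do not send) a request authenticated as an API user."""
    if urlsplit(base_url).scheme != "https":
        # base64 is an encoding, not encryption: the password needs TLS.
        raise ValueError("refusing to attach Basic credentials to a non-HTTPS URL")
    headers = apiuser_headers(tenant, name, password)
    if body is not None:
        headers["Content-Type"] = "application/json"  # assumption, not from the page
    return urllib.request.Request(base_url.rstrip("/") + path, data=body,
                                  headers=headers, method=method)


if __name__ == "__main__":
    # Constructed sample values; scim.example.test is a placeholder host.
    print(new_apiuser_body("someName", "constructed-sample-secret").decode())
    req = apiuser_request("https://scim.example.test/base", "tenant1",
                          "someName", "constructed-sample-secret")
    print(req.get_method(), req.full_url)
    print(sorted(name for name, _ in req.header_items()))
```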
In LDAP, the new API users are person objects that are stored in a container that is named ou=API,ou=<tenantname>,<tenantBase>. To give the new API users the correct access rights in LDAP, an aclEntry attribute is added to the user and group container for each tenant, with the following value:
group:groupName:normal:rwsc:system:rsc:restricted:rsc:object:ad:at.userpassword:rwsc
where groupName is a new group that contains all the API users for that tenant.