trimble.iam.permissions.get
Namespace Reference
Definition
Provides a function to get permissions assigned to an user from the IAM (Identity and access management).
trimble.iam.permissions.get
trimble.iam.permissions.get(userId, on, scopedToApplicationId, token)Parameters
userId string
The user ID for which to retrieve permissions.
on string
The on query parameter used to specific the entity(application/account/group) on which operations should be performed.
scopedToApplicationId string
The scopedToApplicationId query string used to specify the application the entity should be scoped to.
token string
The access token used to authenticate the request. This is typically the user’s JSON Web Token acquired from Trimble Identity.
Returns
A Rego array containing all permissions for the user.
[ { "id": "UUID", "action": "Computers", "resource": "Quality", "description": "creating add permissions to the device resources" }]Remarks
IAM Environment Configuration
The IAM environment takes the value of the TAM environment. Ensure that the TAM environment is correctly configured to reflect the desired settings for IAM.
Token
The token argument must be a valid JWT. In most cases, we recommend using the existing methods to inject tokens as part of the request to the appliance decision endpoint (see Input query format). The appliance validates all tokens that are injected via the POST request.
For example, specifying bearer authentication for the auth member of the POST request body of the decision API will allow you to access the token in Rego as input.caller_auth.jwt. The JWT used to authenticate the request to the appliance is also accessible via input.appliance_auth.jwt.
Errors
This built-in exits immediately if any errors are encountered during policy evaluation and returns a 500 status with error details from the appliance decision endpoint. These errors include:
- Any non-2xx or invalid response from EMS. This built-in expects the response from EMS to contain a 2xx status code and a valid JSON body that contains paginated results.
- Invalid Rego arguments.
Endpoints
The following base URLs are used for obtaining user permissions from IAM:
| Environment | URL |
|---|---|
stage | https://cloud.stage.api.trimblecloud.com/platform/iam/1.0 |
prod | https://cloud.api.trimble.com/platform/iam/1.0 |
Caching
You can specify caching directives for data obtained from IAM during package registration. No data is cached by default unless cache durations for the URLs above are specified during package registration.
Query Parameters
on
Format: Trn
Possible values: Value must match regular expression
trn:2:iam:us:(account|application|group):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}Example: trn:2:iam:us:account:12345678-1234-1234-1234-123456789012
scopedToApplicationId
Format: uuid
Example: 12345678-1234-1234-1234-123456789012