Identity and Access Management - Cloud Services Platform Operations Index
All available Identity and Access Management - Cloud Services Platform Operations
Remove the Auto Entitlement Policy from the organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
List the Auto Entitlement Policies for an Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ❌ |
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Create Auto Entitlement Policy for an Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get the Auto Entitlement Policy by the identifier for an Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ❌ |
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Update an Auto Entitlement Policy Detail of an Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Remove Domains from an Auto Entitlement Policy of an Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Add set of domains to the Auto Entitlement Policy of an Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get all active and requested consents for a particular organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Revoke consent before it expires
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Approve or reject the consent.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Select the alternate set of IdP URLs to be active
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Return either 'primary' or 'alternate' depending on the set of URLs selected for this IdP
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Select the primary set of IdP URLs to be active
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Display the content of the given access token if the token is valid. Also includes the group_ids and group_names if the client is registered with group_id, group_names scopes. If the token is invalid or expired, an error will be returned. If group_ids and group_names are both requested, they will be in the same order in both the claims. If the token was obtained using an API token, the groups information will be available only if the openid scope was selected.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
Get organization details.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Update organization details.
Note: The type of the organization can only be changed by the Platform operator. If you want to reset the organization type, pass an empty string.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Activates the deactivated tokens provided. A maximum of 15 tokens can be activated in a request. Note: Partial success is possible; read the response to see which tokenIds could not be activated.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ❌ |
Deactivates the tokens provided. A maximum of 15 tokens can be deactivated in a request. Note: Partial success is possible; read the response to see which tokenIds could not be deactivated.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ❌ |
Remove OAuth clients from organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Get OAuth clients that were granted with roles in the organization. Default start page is 1, default limit is 200.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Assign roles to the specified OAuth client/s in the organization.
A user with the Developer role can assign only the Organization Member and Developer roles.
Note: in case of partial success the caller must read the response to see which client ids have not been added successfully
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Search groups in organization having display name which "contains" search term.
Search results limited to first 20 results. Please refine the search term for accurate results.
Organization members will receive basic group information. Organization owners will additionally receive role details of the groups.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Unlinks the organization from the IdP Registration.
Validation: The caller must be an organization owner, and their IdP should be the same as the one passed in the request.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ❌ |
Gets the IdP details linked to the organization.
Validation: Only Organization Owner with same IdP can retrieve the details.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Links the organization to the IdP Registration of the given domain.
Validation: The caller must be an organization owner, and their IdP should be linked to the domain in the request.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ❌ |
Get invitations for a specific organization. If the expand parameter is passed in the request, user invitation roles will be returned in the response.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Create/Revoke Organization User Invitation.
Note: When the action query param is passed with the value revoke, the invitations for the given usernames will be revoked.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Revoke invitation of a user (by invitation ID).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get invitation of a user in an organization (by invitation id).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get list of organization roles. Expand parameter is supported. If it is true, organization roles will be returned in the response.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get sub-organizations of the specified parent organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Activates the deactivated tokens provided. A maximum of 15 tokens can be activated in a request. Note: Partial success is possible; read the response to see which tokenIds could not be activated.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ❌ |
Deactivates the tokens provided. A maximum of 15 tokens can be deactivated in a request. Note: Partial success is possible; read the response to see which tokenIds could not be deactivated.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ❌ |
Search users in organization having username, firstName, lastName or email which "contains" search term.
e.g. search for "test" will return [email protected] if [email protected] is part of the organization.
Search results limited to first 20 results. Please refine the search term for accurate results.
Organization members will receive basic user information. Organization owners and Service Owners (for organizations that have access to the service) will additionally receive role details of the users.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Search all users who have at least one of the specified roles and/or resource.
Search by resource can be exact match or by resource starting with given term. At most one of the filters resource or resourceStartsWith may be provided.
For all users found by these search criteria the result contains all users roles, no matter if they are part of the search criteria or not.
To search by resource starting with given term provide resourceStartsWith.
If resource is empty then unscoped role assignments will be returned.
When role is provided and resource is null all role assignments will be returned.
When filterResults flag is true the result is filtered by search parameters from the request: resource, resourceStartsWith and roles names.
In this case the result contains just the roles that match the search criteria.
Paginated results - by default start index of results is 1 and default number of search results per page is 200.
Searching access restricted to Organization Owners, Read-only operators and Service Owners (for organizations that have access to the service).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Project Admin | ✔️ | ✔️ |
Remove users from organization by user ids.
User ids will be of the format
Pay attention: in case of partial success the caller must read the response to see which users have not been added successfully
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get response encapsulating organization users.
Fetched page is according to the page start and page limit passed as optional parameters.
Optionally provide "serviceDefinitionId" to filter users having access to a service. Organization Members are permitted to see only basic user information. Organization owners, read-only administrators and organization admins will see also organization and service roles of the users and userProfile if expandProfile is passed.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Remove groups from organization.
Note:
- Removing an organization custom group permanently deletes the group.
- DEPRECATED: Response field failed will be deprecated. You can use the field failures instead.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get groups of a specific organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Create a new custom group in organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get all groups within organization that have certain role(s) and/or resource, including subgroups if they have a role assigned to their parent group (which affects them as well).
For all groups found by these search criteria the result contains all groups roles, no matter if they are part of the search criteria or not.
Search by resource can be exact match or by resource starting with given term. At most one of the filters resource or resourceStartsWith may be provided.
To search by resource starting with given term provide resourceStartsWith.
If resource is empty then unscoped role assignments will be returned.
When role is provided and resource is null all role assignments will be returned.
When filterResults flag is true the result is filtered by search parameters from the request: resource, resourceStartsWith and roles names.
In this case the result contains just the roles that match the search criteria.
Paginated results - by default start index of results is 1 and default number of search results per page is 200.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get details of a group within organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Update details of a custom group within organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get nested enterprise groups from custom group
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get roles of a group within organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Update roles of a group within organization.
Note: Email notification for updating group roles of group with more than 500 users will not be sent to its users.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Removes users from custom group within organization.
Note: Only users of custom groups can be removed.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get users in group within organization. Optionally filtered by given firstName, lastName or email with 'contains' match. Optionally filter the users by using onlyDirectUsers with true to return only direct users and not return the users from nested groups.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Adds users to custom group within organization.
Note: Users can only be added to custom groups.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Delete Organization Managed OAuth Apps.
Pay attention: in case of partial success the caller must read the response to see which apps haven't been removed
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Get all Organization Managed OAuth Apps that were created and are owned by the organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Create Organization Managed OAuth App. The created app will be owned by the organization.
Client ID and Client Secret are generated automatically if not provided. Clients can be created with open redirect URLs by setting allowOpenRedirectUris = true. In this case, the redirectUris field must not be specified. Such clients will allow redirection to any custom URL. This feature can only be used in non-production environments.
Important:
- If the grant type is client_delegate the refreshTokenTTL is limited to 14 days.
- The refresh token TTL should be higher than the access token TTL. The default access token TTL is 10 minutes. The default refresh token TTL is 90 days.
- If client deletion is in progress, a 409 error will be returned. Please try again later.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Search all clients who have at least one of the specified roles and/or resource.
Search by resource can be exact match or by resource starting with given term. At most one of the filters resource or resourceStartsWith may be provided.
For all clients found by these search criteria the result contains all clients roles, no matter if they are part of the search criteria or not.
To search by resource starting with given term provide resourceStartsWith.
If resource is empty then unscoped role assignments will be returned.
When role is provided and resource is null all role assignments will be returned.
Paginated results - by default start index of results is 1 and default number of search results per page is 15.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
| Developer | ✔️ | ❌ |
Get Organization Managed OAuth App that was created and is owned by the organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Update Organization Managed OAuth App that was created and is owned by the organization
Important:
- Changing the client secret via the client management APIs will reset existing secret rotation (meaning, the provided secret in the management APIs will be the only valid secret).
- If the grant type is client_delegate the refreshTokenTTL is limited to 14 days.
- The refresh token TTL should be higher than the access token TTL. The default access token TTL is 10 minutes. The default refresh token TTL is 90 days.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Once the rotation is done, the new secret will become the client's only valid secret.
Important:
1. The old client secret will expire after 48 hours.
2. Changing the client secret via the client management APIs will reset existing secret rotation (meaning, the provided secret in the management APIs will be the only valid secret).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Once a 'newClientSecret' is set, both the old and the new secret can be used.
Important:
1. The old client secret will expire after 48 hours.
2. Changing the client secret via the client management APIs will reset existing secret rotation (meaning, the provided secret in the management APIs will be the only valid secret).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Regenerate Organization Managed OAuth App Secret
An empty JSON body {} is required in order to invoke the API.
Important:
Changing the client secret via the client management APIs will reset existing secret rotation (meaning, the provided secret in the management APIs will be the only valid secret).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Get organization's trust members.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Create trust member organization. Only HIERARCHY and PARTNER trust types are allowed
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
Invite member organizations to a management organization by creating a pending hierarchical organization trust between each member organization and the management organization. The member org can then update the trust to become active.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
Get organization trusts.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Create organization trust between two organizations. Org owner can ONLY create trust type of CUSTOM.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
Remove organization trust.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
Update organization trust.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
Create trust member organization. Only HIERARCHY and PARTNER trust types are allowed
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
Get principal user information.
The principal user is identified via a token. The token should be passed in a header called csp-auth-token. If expandProfile is passed in the request, user profile information will also be returned.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Programmatically Generate User API Token. The following restrictions are in place:
- 'All Roles' or high privilege organization roles are not allowed as a scope for the new API token (few exceptions apply)
- Organization ID in Access token (in headers) and ID token (in request body) should be the same.
- Maximum number of 50 API tokens is allowed.
- In non-production environments it is possible to choose for which of your organizations to generate token.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get organizations of principal user.
The principal user is identified via a token. The token should be passed in a header called csp-auth-token. If the expand parameter is passed, detailed information for the organizations will be returned.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get Principal User Groups Information Within the Specified Organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get principal user information and roles by organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get principal user roles within the specified organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get principal user service roles within the specified organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Set default organization for principal user.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get organizations of principal user.
The principal user is identified via a token. The token should be passed in a header called csp-auth-token. If the expand parameter is passed, detailed information for the organizations will be returned.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| All Roles | ✔️ | ❌ |
Get user groups by account identifier
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get user custom roles in an organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Search users in idp by names and email.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Member | ✔️ | ✔️ |
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get user groups by userId
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get user information for a specific organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ❌ |
| Organization Owner | ✔️ | ❌ |
Get user roles in an organization.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Get user service roles in an organization.
The query parameter 'serviceDefinitionLink' is used for filtering for specific service definition.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
Update service and organization roles of a user in the organization
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |