Provisioning: Authentification API


This document describes the Authentification API splited in two parts. Tt details who has access to the provisioning API and who can do what.

Permissions convention

This is the important part of the authentication system. Let's summarize every existing resources and http methods. We will then map profiles to their permissions :

Resource Method Description
groups POST Create a new group
  PUT Create or modify a group
  PATCH Partially modify an existing group
  DELETE Delete a group
  PUT Assigning a user list to a group
  PUT Assigning a user to a group
  PUT Assigning a subgroup to a group
  DELETE Removing a user from a group
  DELETE Removing a subgroup from a group
  GET Getting a group information
  GET Getting the subgroup members of a group
  GET Getting the members of a group
users POST Create a new user
  PUT Modify a user
  PATCH Partially modify an existing user
  DELETE Delete a user
  GET Getting a user
  GET Lists all users
profiles GET Getting a profile
  GET Lists all profiles
batches POST Creates a new batch
  PUT Commit the batch
  DELETE Discard the batch
  GET Getting the status of the batch

Then we describes verbs associated to http methods :

Verbs Method
create POST
read GET
update PUT
patch PATCH
delete DELETE

The provisioning authorization system does not use roles. It creates dynamically permissions in the format :


That way and except for admin0, a OBM profile has a set of pemissions only on its own domain.

Finally, the table below lists all the default OBM profiles and their permissions on the provisioning API :

Profile Description Permissions
admin0 It is the higher profile :
admin Administrator of a domain : (only on its domain)
admin_delegue Same as admin but cannot commit the batch batches:read,create,delete, users:*, groups:*, profiles:*
editor ??? users:read, groups:read, profiles:*
user a simple obm user users:read, groups:read, profiles:*
unknown person an anonymous user no permission

Authentification convention

By default, every requests done against the provisioning system must be authenticated. We currently use basic http authentication which then match password with the appropriate DAO.


Nike SB Hyperfeel Koston 3