
permission access filter

The OLP CLI supports the following:

  • list access filters available to be attached to a realm/user/app.
  • create a custom access filter.
  • update a custom access filter.
  • show the details of an access filter.
  • delete a custom access filter.

permission access filter list

Lists the access filters available to be attached to a realm, user, or app.

olp permission access filter list [command options]

Optional Parameters:

  • --realm-only Only include filters that could be attached to a realm.
  • --project-only Only include filters that could be attached to a project.
  • --type <here-platform|custom|virtual> Specifies the type of filters to list.
    • here-platform denotes HERE-managed filters available to be applied to the realm, users or apps.
    • custom denotes filters created by the Org Admin with specifically defined statements.
    • virtual denotes filters created by the Org Admin that effectively enable access to realm provisioned Plans and Resource Plans.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the access filter HRNs and permissions separated by a space, each on a new line.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below shows access filter list in verbose format.

olp permission access filter list

Output:

HRN
hrn:here:authorization::HERE:platform:filter/strict
hrn:here:authorization::HERE:platform:filter/open
hrn:here:authorization::myRealm:filter/FILTER-123

Use the olp permission access filter show <filter HRN> command to display more information about an access filter.

permission access filter create

Creates an access filter.

olp permission access filter create <path to config file> [command options]

Required parameters:

  • <path to config file> Specifies the path to the configuration file to create the access filter with.

Configuration file

A JSON file containing the fields required to create or update the access filter.

Fields:

  • type (string) Type of the access filter. custom or virtual.
  • name (string) The name of the filter.
  • externalIds (array[string]) Only included in virtual Access Filters. This is the list of externalIds that the virtual Access Filter is linked to. Plans and ResourcePlans attached to this realm with one of the externalIds in this list are used as the basis of this filter. The list of Plans and ResourcePlans used may be further filtered if the planAttachments or resourcePlanAttachments properties are also defined. The statements in this filter are automatically generated to allow access to each of the permissions and resources defined in the included plans.
  • planAttachments (map(string, array[string])) Only included in virtual Access Filters. This is the list of planAttachments that the virtual Access Filter is linked to. If this field is included, then for the externalId of each list entry, only Plans attached to this realm with the specified externalId and one of the defined planHRNs will be used as the basis for statements in this filter. Any Plans attached to this realm with the given externalId that are not included in the list of defined planHRNs will be excluded from the basis of this filter. If this field is omitted, or if there is no entry for any of the externalIds defined for this virtual Access Filter, all Plans attached with that externalId will be used as the basis for statements in this filter.
  • resourcePlanAttachments (map(string, array[string]))
  • mode (string) Only included in virtual Access Filters. This is the pattern of filter statements used in the virtual Access Filter.
    • open - All permissions and resources specified in both Plans and ResourcePlans attached to this realm with the relevant externalIds are available through this filter with both scoped and unscoped access. In addition, all linkable resources are available with both scoped and unscoped access.
    • strict - All permissions specified in Plans attached to this realm with the relevant externalIds are available through this filter only with unscoped access. All resources specified in ResourcePlans attached to this realm with the relevant externalIds are available through this filter only with scoped access.
  • priority (integer) Only included in virtual Access Filters. This is the priority assigned to each filter statement in the virtual Access Filter.
  • statements (array(map(string, object))) List of statements in this filter. This is only considered for custom access filters.
    • description (string) Prose description of what this filter statement does.
    • permissions (string) The type of permissions that apply to this filter statement.
      • Possible values are unscoped, scoped, and linkable.
    • subresources (array[string]) In the case of scoped or linkable filter statements, the list of subresources that MAY be included as part of an allow decision response.
      • If more than one matching filter statement contains a subresources property, the aggregate of all subresources in all matching statements MAY be included as part of an allow decision response. An allow decision response that contains subresources will be filtered and WILL NOT contain any subresources not part of this aggregate set.
      • If NONE of the matching filter statements contain a subresources property, NO subresources filtering is applied.
    • service (string) The service of the access request that will match this statement. This value may match the serviceId or the serviceIdAlias of the service, or a "*" (wildcard) representing any service.
    • actions (array[string]) The specific action identifiers of the access request that will match this statement. "*" (wildcard) represents any action.
    • actionAccessLevel (string) The access level of the action of the access request that will match this statement. default represents actions that are granted by default on subscription to the service.
      • Possible values are read, write, default, and internal.
    • resource (string) The resource identifier of the access request that will match this statement. This can be an HRN or a "*" (wildcard) representing any resource.
    • scope (string) The scope of the access request, with possible values being a project HRN or a "*" (wildcard) representing any project scope. Omitting the scope property matches the statement to unscoped requests.
    • evaluate (boolean) Whether or not to evaluate the permissions identified by the permissions type of this statement.
    • priority (integer) An integer representing the statement priority. Valid range for this field is 0 to 1000.

Sample Config File for the access filter of type custom:

{
    "type": "custom",
    "name": "Strict Projects",
    "statements": [
        {
            "description": "Block evaluation of all unscoped permissions for any project scoped request.",
            "permissions": "unscoped",
            "subresources": [
                "usa-il-chicago",
                "deu"
            ],
            "service": "SERVICE-00000000-0000-0000-0000-000000000000",
            "actions": [
                "read"
            ],
            "resource": "hrn:here:data::my-realm:service-catalog",
            "scope": "hrn:here:authorization::org:project/my-project-0000",
            "evaluate": false,
            "priority": 1
        }
    ]
}

Sample Config File for the access filter of type virtual:

{
    "type": "virtual",
    "name": "Routing Subscription",
    "externalIds": [ "A-123456" ],
    "mode": "open",
    "priority": 1
}

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the access filter HRN.

For more information on using credentials and profiles, see Credentials setup.

Note

  • The create command will only work if an app has the Org Admin role. Otherwise, the command will fail.

Example:

The command below creates a new access filter:

olp permission access filter create path/to/config.json

Output:

HRN        hrn:here:authorization::org:filter/FILTER-99b7c7d7-867a-4573-8730-4689be1718c9
type       custom
name       Strict Projects
statements
  └─
    ├─ description: Block evaluation of all unscoped permissions for any project scoped request.
    ├─ permissions: unscoped
    ├─ service: SERVICE-00000000-0000-0000-0000-000000000000
    ├─ actions: [ read ]
    ├─ resource: hrn:here:data::my-realm:service-catalog
    ├─ scope: hrn:here:authorization::org:project/my-project-0000
    ├─ evaluate: false
    ├─ priority: 1
    └─ subresources: [ usa-il-chicago, deu ]

permission access filter update

Updates a specified access filter.

olp permission access filter update <filter HRN> <path to config file> [command options]

Required parameters:

  • <filter HRN> Specifies the HRN of the access filter to be updated.
  • <path to config file> Specifies the path to the configuration file to update the access filter with.

Configuration file

Sample Config File for the access filter of type custom:

{
    "type": "custom",
    "name": "Strict Projects",
    "statements": [
        {
            "description": "Block evaluation of all unscoped permissions for any project scoped request.",
            "permissions": "unscoped",
            "subresources": [
                "usa-il-chicago",
                "deu"
            ],
            "service": "SERVICE-00000000-0000-0000-0000-000000000000",
            "actions": [
                "read", "write"
            ],
            "resource": "hrn:here:data::my-realm:service-catalog",
            "scope": "hrn:here:authorization::org:project/my-project-0000",
            "evaluate": false,
            "priority": 1
        }
    ]
}

Sample Config File for the access filter of type virtual:

{
    "type": "virtual",
    "name": "Routing Adv Subscription",
    "externalIds": [ "A-123456", "A-567890" ],
    "mode": "open",
    "priority": 2
}

Note

The config file for the olp permission access filter update command must have the same structure as for the olp permission access filter create command. Updating the access filter of one type to another is NOT allowed.

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the access filter HRN.

For more information on using credentials and profiles, see Credentials setup.

Note

  • The update command will only work if an app has the Org Admin role. Otherwise, the command will fail.

Example:

The command below updates the existing access filter:

olp permission access filter update hrn:here:authorization::org:filter/FILTER-99b7c7d7-867a-4573-8730-4689be1718c9 path/to/updated_config.json

Output:

HRN        hrn:here:authorization::org:filter/FILTER-99b7c7d7-867a-4573-8730-4689be1718c9
type       custom
name       Strict Projects
statements
  └─
    ├─ description: Block evaluation of all unscoped permissions for any project scoped request.
    ├─ permissions: unscoped
    ├─ service: SERVICE-00000000-0000-0000-0000-000000000000
    ├─ actions: [ read, write ]
    ├─ resource: hrn:here:data::my-realm:service-catalog
    ├─ scope: hrn:here:authorization::org:project/my-project-0000
    ├─ evaluate: false
    ├─ priority: 1
    └─ subresources: [ usa-il-chicago, deu ]

permission access filter show

Shows the details of an access filter.

olp permission access filter show <filter HRN> [command options]

Required Parameters:

  • <filter HRN> The access filter HRN.

Optional Parameters:

  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the resource HRNs and permissions separated by space, each on a new line.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below shows access filter details in verbose format.

olp permission access filter show <filter HRN>

Output:

HRN        hrn:here:authorization::HERE:platform:filter/strict
type       here-platform
name       Strict
statements
  └─
    ├─ description: Allow linkable permissions for any scoped request with resource
    ├─ permissions: linkable
    ├─ service: *
    ├─ actions: ["*"]
    ├─ actionAccessLevel: default
    ├─ resource: *
    ├─ scope: *
    ├─ evaluate: false
    └─ priority: 0

permission access filter delete

Deletes the custom access filter.

olp permission access filter delete <filter HRN> [command options]

Required parameters:

  • <filter HRN> Specifies the HRN of the access filter to be deleted.

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --quiet Displays empty output with no additional information.

Note

  • The delete command will only work if an app has the Org Admin role. Otherwise, the command will fail.

Warning

Access filter deletion

Deleting an access filter could negatively affect the workflow of all dependent users and apps. If attachments were created with the access filter, you must first delete them using olp permission access delete <entity HRN> <filter HRN> before deleting the access filter.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below deletes an access filter:

olp permission access filter delete hrn:here:authorization::org:filter/FILTER-99b7c7d7-867a-4573-8730-4689be1718c9

Output:

Access filter hrn:here:authorization::org:filter/FILTER-99b7c7d7-867a-4573-8730-4689be1718c9 has been deleted