permission

The OLP CLI supports the following:

  • list the associated application's authorization
  • report permissions associated with a user, app, group, or realm

To list, grant or revoke permissions, use the following commands depending on the type of platform resource:

permission list

Retrieves the application authorization associated with the Client Access Token.

olp permission list [HRN filter] [command options]

Optional parameters:

  • [HRN filter] Freeform text used to filter the permission list. The filter checks if the hrn field contains the filter string.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the resource HRNs and permissions separated by space, each on a new line.

Note

The olp permission list command only returns direct permissions assigned to the app, and does not include indirect permissions that the app may have through group membership or realm-wide policies.

For more information on using credentials and profiles, see Credentials setup.

Example:

olp permission list

Output:

HRN                                                            allow                                                   
hrn:here:authorization::org:project/example-project            read                                                    
hrn:here:data::org:example-catalog                             writeResource,readResource,manageResource,share

permission report

Lists the permissions assigned to the User, App, Group, or Realm identified by the HRN either directly or indirectly. Lists linkable resource permissions on the project or realm that are effective to the User or App identified by the HRN either directly or indirectly.

olp permission report <HRN> [command options]

Required parameters:

  • <HRN> The HRN of the User, App, Group, or Realm

Optional parameters:

  • --service-id <service id> Only include permissions associated with the service
  • --service-id-alias <service id alias> Only include permissions associated with the service with the specified alias. The value specified with this option overrides the service ID value in the output.

    Note:

    You can specify either --service-id or --service-id-alias.

  • --external-id <external id> Only include permissions derived from a plan or resource plan attached to the realm with the associated external ID.
  • --service-id-alias-only Service ID is overridden with the service alias in the output if the service has one configured. Otherwise, service IDs are displayed as is.
  • --with-external-id Include external ID values of associated plans or resource plans if applicable.
  • --match-action <action name> Only include permissions that match the action
  • --match-resource <resource HRN> Only include permissions that match the resource
  • --project <project HRN> Only include permissions that are effective for the User, App, or Group in the scope of the project
  • --linkable-to <projectHRN | realmHRN> Only include permissions that are linkable to a specific project (if projectHRN is specified as parameter) or any project in the realm (if realmHRN is specified as parameter). This option is effective only for a User or App.

    Note:

    The --project parameter is not allowed while using the --linkable-to parameter.

  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the resource HRNs and permissions separated by space, each on a new line.

For more information on using credentials and profiles, see Credentials setup.

Example:

olp permission report hrn:here:account::org:realm/org

Output:

hrn:here:authorization::HERE:policy/some-default-policy
├─ allow someAction      for hrn:here:account::org:realm/org (via SOME-SERVICE)
├─ allow someOtherAction for hrn:here:account::org:realm/org (via SOME-SERVICE)
└─ deny  deniedAction    for hrn:here:account::org:realm/org (via SOME-SERVICE)

hrn:here:authorization::HERE:policy/some-other-default-policy
└─ allow anotherAction for <no resource> (via SOME-OTHER-SERVICE)

hrn:here:authorization::HERE:plan/PLAN-b0ae2f34-9044-47f5-8715-eb1ddbab5de9
└─hrn:here:authorization::HERE:policy/POLICY-00e1fd16-d408-4ec0-94d7-7e8ffcaecb18
  ├─ allow readResource  for hrn:here:service::org:resource1:*     (via SOME-SERVICE)
  └─ allow writeResource for hrn:here:service::other-org:resource2:* (via SOME-SERVICE)

Example:

olp permission report hrn:here:account::org:app/appId --linkable-to hrn:here:account::org:realm/org

Output:

hrn:here:authorization::org:resourcePlan/b0ae2f34-9044-47f5-8715-eb1ddbab5de9
└─hrn:here:authorization::org:resourcePolicy/00e1fd16-d408-4ec0-94d7-7e8ffcaecb18 
  ├─ allow readResource  for hrn:here:service::org:resource1 (via SOME-SERVICE)
  └─ allow writeResource for hrn:here:service::org:resource2 (via SOME-SERVICE)
├─ allow someAction      for hrn:here:service::org:resource3 (via SOME-SERVICE)
└─ allow someOtherAction for hrn:here:service::org:resource3 (via SOME-SERVICE)
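
Because `permission report` includes indirect permissions that `permission list` omits, its output is the natural input for a least-privilege review. The following added example (not part of the HERE documentation or the OLP CLI) parses the tree-formatted text of the first report output shown above and flags allow rules on wildcard resources or on resources in another org. The function names, the two flagging rules and the reading of the fifth HRN field as the owning org are assumptions made for illustration.

```python
import re
# Constructed sample: the first report output shown on this page.
SAMPLE_REPORT = """\
hrn:here:authorization::HERE:policy/some-default-policy
├─ allow someAction      for hrn:here:account::org:realm/org (via SOME-SERVICE)
├─ allow someOtherAction for hrn:here:account::org:realm/org (via SOME-SERVICE)
└─ deny  deniedAction    for hrn:here:account::org:realm/org (via SOME-SERVICE)

hrn:here:authorization::HERE:policy/some-other-default-policy
└─ allow anotherAction for <no resource> (via SOME-OTHER-SERVICE)

hrn:here:authorization::HERE:plan/PLAN-b0ae2f34-9044-47f5-8715-eb1ddbab5de9
└─hrn:here:authorization::HERE:policy/POLICY-00e1fd16-d408-4ec0-94d7-7e8ffcaecb18
  ├─ allow readResource  for hrn:here:service::org:resource1:*     (via SOME-SERVICE)
  └─ allow writeResource for hrn:here:service::other-org:resource2:* (via SOME-SERVICE)
"""

# RULE matches one permission line; SOURCE matches the policy/plan HRN heading a group.
RULE = re.compile(r"^[\s├└│─]*(?P<effect>allow|deny)\s+(?P<action>\S+)\s+for\s+"
                  r"(?P<resource>.+?)\s+\(via\s+(?P<service>.+?)\)\s*$")
SOURCE = re.compile(r"^[\s├└│─]*(hrn:\S+)\s*$")

def parse_report(text):
    """Return one dict per permission line, tagged with the nearest HRN heading above it."""
    rules, source = [], None
    for line in text.splitlines():
        if m := RULE.match(line):
            rules.append({**m.groupdict(), "source": source})
        elif m := SOURCE.match(line):
            source = m.group(1)
    return rules

def hrn_account(hrn):  # fifth colon-separated HRN field (assumed to be the owning org)
    parts = hrn.split(":")
    return parts[4] if parts[0] == "hrn" and len(parts) > 4 else None

def review(rules, own_org):
    """Flag allow rules that deserve a manual look in a least-privilege review."""
    findings = []
    for r in [r for r in rules if r["effect"] == "allow"]:
        if r["resource"].endswith("*"):
            findings.append(("wildcard-resource", r["action"], r["resource"]))
        org = hrn_account(r["resource"])
        if org is not None and org != own_org:
            findings.append(("other-org-resource", r["action"], r["resource"]))
    return findings

if __name__ == "__main__":
    print(*review(parse_report(SAMPLE_REPORT), own_org="org"), sep="\n")
```

Deny lines are parsed but never flagged, and each permission line is attributed to the closest HRN heading above it, which for a plan is the nested policy.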