GuidesChangelogData Inspector Library API Reference
Guides
  1. Command Line Interface
  2. OLP CLI Command reference

project access

project access

The OLP CLI supports the following:

  • list all users, apps, and groups that have access to a project
  • grant project access to a user, app, or group
  • revoke project access from a user, app, or group
  • show policies attached to a user, app, or group in the project

project access list

Retrieves all users, apps, and groups that have access to a project.

olp project access list <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --policy <policy HRN> Specifies the HRN of the project policy.
  • --limit <max number of entities> Specifies the maximum number of entities returned in the result (100 by default).
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays members' HRNs, each on a new line.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below lists all users, apps, and groups that have access to the project:

olp project access list hrn:here:authorization::org:project/my-project-1234 --json

Output:

{"members": [{
    "identityType": "app",
    "member": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
    "project": "hrn:here:authorization::org:project/my-project-1234",
    "info": {
        "ownerHrn": "hrn:here:account::org:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
        "clientId": "F9p0HU3qCqtxnZ3KnH4z",
        "clientHrn": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
        "name": "my-app",
        "realm": "org",
        "ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
    }
}]}

Any --policy specified has to be either one of the policies created for that project or a platform policy.

For more information on using policy listing, see the olp project policy list command.

Example:

The command below lists all users, apps, and groups that have access to the project policy:

olp project access list hrn:here:authorization::org:project/my-project-1234 \
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
   --json
olp project access list hrn:here:authorization::org:project/my-project-1234 ^
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
   --json

Output:

{"members": [{
    "identityType": "app",
    "member": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
    "project": "hrn:here:authorization::org:project/my-project-1234",
    "info": {
        "ownerHrn": "hrn:here:account::org:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
        "clientId": "F9p0HU3qCqtxnZ3KnH4z",
        "clientHrn": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
        "name": "my-app",
        "realm": "org",
        "ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
    }
}]}

project access grant

Grants project access to a user, app, or group.

olp project access grant <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --policy <policyHRN1 policyHRN2 ...> The list of HRNs of policies to attach to the identity that is being granted access to the project, separated by space.
  • --app <appID1 appID2 ...> The list of application IDs you want to grant project access to, separated by space.
  • --user <userID1 userID2 ...> The list of user IDs you want to grant project access to, separated by space. This information can be found in the .here/credentials.properties file, in the user's home directory, or via your profile.
  • --group <groupID1 groupID2 ...> The list of group IDs you want to grant project access to, separated by space.
  • --project Attach the policies directly to the project, effectively attaching them to all current and future members.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --quiet Displays empty output with no additional information.

Note

  • You must specify at least one of these options – --app, --user, --group, or --project.
  • For the --project option you must specify at least one --policy. The '--app', '--user', or '--group' options are not allowed to be used together with `--project``.
  • You can only attach a maximum of 5 policies for a project to an entity and separately a maximum of 5 policies directly to the project. To see existing attachments, execute the olp project access show command.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below grants project access to a user, app, and group:

olp project access grant hrn:here:authorization::org:project/my-project-1234 \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::org:project/my-project-1234 ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:

User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::org:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::org:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::org:project/my-project-1234

Any --policy specified has to be either one of the policies created for that project or a platform policy.

For more information on using policy listing, see the olp project policy list command.

Example:

The command below grants project policy access from a user, app, and group:

olp project access grant hrn:here:authorization::org:project/my-project-1234 \
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::org:project/my-project-1234 ^
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^   
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:

User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::org:project/my-project-1234 with attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::org:project/my-project-1234 with attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::org:project/my-project-1234 with attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog

Example:

The command below grants project policy access to all present and future members:

olp project access grant hrn:here:authorization::org:project/my-project-1234 \
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
   --project
olp project access grant hrn:here:authorization::org:project/my-project-1234 ^
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^   
   --project

Output:

Attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog to the project hrn:here:authorization::org:project/my-project-1234

project access revoke

Revokes project access from a user, app, or group.

olp project access revoke <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --policy <policyHRN1 policyHRN2 ...> The list of HRNs of policies to be revoked from the identity that is granted access to the project, separated by space.
  • --app <appID1 appID2 ...> The list of application IDs you want to revoke project access from, separated by space.
  • --user <userID1 userID2 ...> The list of user IDs you want to revoke project access from, separated by space. This information can be found in the .here/credentials.properties file, in the user's home directory, or via your profile.
  • --group <groupID1 groupID2 ...> The list of group IDs you want to revoke project access from, separated by space.
  • --project Revoke the policies that were previously attached directly to the project.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --quiet Displays empty output with no additional information.

Note

  • You must specify at least one of these options – --app, --user, --group or --project.
  • For the --project option you must specify at least one --policy. The '--app', '--user', or '--group' options are not allowed to be used together with `--project``.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below revokes project access from a user, app, and group:

olp project access revoke hrn:here:authorization::org:project/my-project-1234 \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::org:project/my-project-1234 ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:

User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the project hrn:here:authorization::org:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the project hrn:here:authorization::org:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the project hrn:here:authorization::org:project/my-project-1234

The --policy parameter specified here has to be one of the policies attached to a member or to a project in case the --project parameter is used.

For more information on using policy listing, see the olp project access show command.

Example:

The command below revokes project policy access from a user, app, and group:

olp project access revoke hrn:here:authorization::org:project/my-project-1234 \
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::org:project/my-project-1234 ^
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:

User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::org:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::org:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::org:project/my-project-1234

Example:

The command below revokes a policy that was previously attached directly to a project:

olp project access revoke hrn:here:authorization::org:project/my-project-1234 \
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
   --project
olp project access revoke hrn:here:authorization::org:project/my-project-1234 ^
   --policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
   --project

Output:

Detached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog from the project hrn:here:authorization::org:project/my-project-1234

project access show

Policies attached to a user, app, or group in the project, or directly to the project itself.

olp project access show <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --app <appID> Application ID you want to query attached project policies for.
  • --user <userID> User ID you want to query attached project policies for. This information can be found in the .here/credentials.properties file, in the user's home directory, or through your profile.
  • --group <groupID> Group ID you want to query attached project policies for.
  • --project List the policies that were attached to the project directly.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays empty output with no additional information.

Note

You must specify only one of these options – --app, --user, --group or --project.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below lists the policies attached to a user, app or group:

olp project access show hrn:here:authorization::org:project/my-project-1234 \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --json
olp project access show hrn:here:authorization::org:project/my-project-1234 ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --json

Output:

{"policies": [
        {
            "id": "all-access-for-abc-catalog",
            "hrn": "hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog",
            "name": "allAccessForAbcCatalog",
            "description": "Read and write access to abc catalog.",
            "type": "custom",
            "permissions": [
                {
                   "resource": "hrn:here:data::org:abc-catalog",
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource", "writeResource"
                   ]
                }
            ]
        },
        {
            "id": "read-only-access-to-all-catalogs",
            "hrn": "hrn:here:authorization::org:platform:policy/read-only-access-to-all-catalogs",
            "name": "readOnlyAccessToAllCatalogs",
            "description": "Read access to all catalogs in project.",
            "type": "here-platform",
            "permissions": [
                {
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource"
                   ]
                }
            ]
        }
    ]
}

Example:

The command below lists the policies attached directly to the project:

olp project access show hrn:here:authorization::org:project/my-project-1234 \
   --project \
   --json
olp project access show hrn:here:authorization::org:project/my-project-1234 ^
   --project ^
   --json

Output:

{"policies": [
        {
            "id": "all-access-for-abc-catalog",
            "hrn": "hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog",
            "name": "allAccessForAbcCatalog",
            "description": "Read and write access to abc catalog.",
            "type": "custom",
            "permissions": [
                {
                   "resource": "hrn:here:data::org:abc-catalog",
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource", "writeResource"
                   ]
                }
            ]
        }
    ]
}

Updated 21 days ago