GuidesChangelogData Inspector Library API Reference
Guides
  1. Command Line Interface
  2. OLP CLI Command reference

project policy

project policy

The OLP CLI supports the following:

project policy list

Retrieves all the policies that are in a project.

olp project policy list <project HRN> [command options]

Required parameters:

  • <project HRN> Specifies the HRN of the project.

Optional parameters:

  • --type <custom|here-platform> Specifies a type of the project policy to be listed for the specified <project HRN>. custom denotes projects created by the project admin and available to apply to identities within the project. here-platform denotes HERE-managed policies available to apply to identities within the project.
  • --limit <max number of project policies> Specifies the maximum number of project policies returned in the result (100 by default).
  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the project HRNs, each on a new line.

For more information on using credentials and profiles, see Credentials setup.

Example:

olp project policy list hrn:here:authorization::org:project/myproject --json

Output:

{"policies": [
        {
            "id": "access-abc-cat",
            "hrn": "hrn:here:authorization::org:project/my-project:policy/access-abc-cat",
            "name": "allAccessForAbcCatalog",
            "description": "Read and write access to abc catalog.",
            "type": "custom",
            "permissions": [
                {
                   "resource": "hrn:here:data::org:abc-catalog",
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource", "writeResource"
                   ]
                }
            ]
        },
        {
            "id": "rd-only-all-cat",
            "hrn": "hrn:here:authorization::org:platform:policy/rd-only-all-cat",
            "name": "readOnlyAccessToAllCatalogs",
            "description": "Read access to all catalogs in project.",
            "type": "here-platform",
            "permissions": [
                {
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource"
                   ]
                }
            ]
        }
    ]
}

project policy create

Creates a project policy.

olp project policy create <project HRN> --config <path to config file> [command options]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • --config <path to config file> Specifies the path to the configuration file to create the project policy with.

Configuration file

Represents a JSON file containing required fields to create/update the project policy with.

Fields:

  • id (string) The identifier for the project policy. Limited to 16 characters.
  • name (string) The name for the project policy.
  • description (string) The description for the project policy.
  • permissions (array[string]) The list of permissions for the project policy.
  • resource (string) The HRN of the resource.
  • resourceType (string) The type of the resource. Acceptable values: catalog,pipeline,pipeline-template,schema,artifact,service.
  • allowedActions (array[string]) The list of actions allowed to be taken against either the resource or the resource type defined in the project policy in the context of the project. Allowed actions can be also retrieved using the olp resource action list command.

Sample Config File:

{
  "id": "access-xyz-cat",
  "name": "Access to xyz catalog",
  "description": "Full access to xyz catalog",
  "permissions": [
    {
      "resource": "hrn:here:data::org:<catalog-id>",
      "allowedActions": [
        "readResource",
        "manageResource",
        "writeResource"
      ]
    }
  ]
}

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays empty output with no additional information.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below creates a new project policy:

olp project policy create hrn:here:authorization::org:project/myproject \
    --config path/to/config.json
olp project policy create hrn:here:authorization::org:project/myproject ^
    --config path/to/config.json

Output:

Policy hrn:here:authorization::org:project/myproject:policy/access-xyz-cat has been created in project hrn:here:authorization::org:project/myproject

Note

This command allows you to construct policies without validation to check if the resources you’re including in the policy already exist in the project. This allows you to construct policies in advance of resource creation, which may be useful for some CI/CD flows. However, it also allows you to construct policies that include resources that are not accessible in the project, for instance, resources that are in another project and have not been shared and linked to the project for which you are creating policies. When such a policy is applied to a project member, such a member still will not have access to such resources contained in the policy.

project policy update

Updates a specified project policy.

olp project policy update <project HRN> <policy HRN> --config <path to config file> [command options]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • <policy HRN> Specifies the HRN of the policy.
  • --config <path to config file> Specifies the path to the configuration file to update the project policy with.

Configuration file

Sample Config File:

{
  "id": "rd-acc-xyz-cat",
  "name": "Read access for catalog xyz",
  "description": "This is a custom project policy that grants read access to catalog xyz",
  "permissions": [
    {
      "resource": "hrn:here:data::org:<catalog-id>",
      "resourceType": "catalog",
      "allowedActions": [
        "readResource"
      ]
    }
  ]
}

Note

The config file for the olp project policy update command must have the same structure as for the olp project policy create command.

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays empty output with no additional information.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below updates a specified project policy:

olp project policy update hrn:here:authorization::org:project/myproject \
hrn:here:authorization::org:project/myproject:policy/access-xyz-cat
    --config path/to/config.json
olp project policy update hrn:here:authorization::org:project/myproject ^
hrn:here:authorization::org:project/myproject:policy/access-xyz-cat
    --config path/to/config.json

Output:

Policy hrn:here:authorization::org:project/myproject:policy/access-xyz-cat has been updated in project hrn:here:authorization::org:project/myproject

Note

This command allows you to update specified policies without validating if the resources you're including in the policy already exist in the project. This allows you to update policies in advance of resource creation, which may be useful for some CI/CD flows. However, it also allows you to update policies that include resources that are not accessible in the project, for instance, resources that are in another project and have not been shared and linked to the project for which you are updating policies. When such a policy is applied to a project member, such a member still will not have access to such resources contained in the policy.

project policy show

Shows the details of a project policy.

olp project policy show <project HRN> <policy HRN> [command parameters]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • <policy HRN> Specifies the HRN of the project policy.

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command result in JSON format.
  • --quiet Displays the project policy HRN.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below shows the details of a project policy:

olp project policy show hrn:here:authorization::org:project/myproject \
    hrn:here:authorization::org:project/myproject:policy/access-xyz-cat \
    --json
olp project policy show hrn:here:authorization::org:project/myproject ^
    hrn:here:authorization::org:project/myproject:policy/access-xyz-cat ^
    --json

Output:

{
    "id": "access-xyz-cat",
    "hrn": "hrn:here:authorization::org:project/myproject:policy/access-xyz-cat",
    "name": "allAccessForXyzCatalog",
    "description": "Read and write access to the xyz catalog.",
    "type": "custom",
    "permissions": [
        {
           "resource": "hrn:here:data::org:xyz-catalog",
           "resourceType": "catalog",
           "allowedActions": [
              "readResource",
              "writeResource"
           ]
        }
    ]
}

project policy delete

Deletes a project policy.

olp project policy delete <project HRN> <policy HRN> [command parameters]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • <policy HRN> Specifies the HRN of the project policy to be deleted.

Optional parameters:

  • --force If set, forces the policy deletion and also deletes the policy attachments to identities. --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --quiet Displays empty output with no additional information.

Warning

Project policy deletion

Deleting a project policy could negatively affect the workflow of all dependent users and apps. If there are attachments that are created in the project policy, you would need to delete the attachments before deleting the project policy.

For more information on using credentials and profiles, see Credentials setup.

Example:

The command below deletes a project policy:

olp project policy delete hrn:here:authorization::org:project/myproject \
    hrn:here:authorization::org:project/myproject:policy/access-xyz-cat \
    --force
olp project policy delete hrn:here:authorization::org:project/myproject ^
    hrn:here:authorization::org:project/myproject:policy/access-xyz-cat ^
    --force

Output:

Policy hrn:here:authorization::org:project/myproject:policy/access-xyz-cat has been deleted from project hrn:here:authorization::org:project/myproject

Updated 21 days ago