Update access to IAM APIs (#79)

indigo-iam · Jun 22, 2023 · c94a2b2 · c94a2b2
1 parent 4fe32d0
commit c94a2b2
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 50 deletions.
diff --git a/content/en/docs/reference/api/account-api/_index.md b/content/en/docs/reference/api/account-api/_index.md
@@ -27,7 +27,7 @@ Remember that there are three roles in Indigo IAM: Amdin, User, Group Manager.
 
 Retrieves user attributes. The {id} refers to the account identifier.
 
-Requires that the user has `ROLE_ADMIN`, `ROLE_GM`, or is the one represented by the {id}.
+Requires that the Access Token contains the restricted System Scope `iam:admin.read`, or the token subject is the one represented by the {id}.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \
@@ -44,7 +44,7 @@ $ curl -s -H "Authorization: Bearer ${AT}" \
 
 Adds attributes to the user account. It can be done directly through the IAM dashboard by clicking on "Set attribute" button in *Attributes* section of the user homepage.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X PUT -H "Accept: application/json" \
@@ -66,7 +66,7 @@ where ```attribute.json``` is:
 
 Deletes user attribute by adding the query parameter at the end of the endpoint.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
@@ -79,7 +79,7 @@ $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
 
 Retrieves user roles.
 
-Requires `ROLE_ADMIN` or `ROLE_GM`.
+Requires `iam:admin.read` scope.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \
@@ -98,7 +98,7 @@ The above example shows that the Test User is also a group manager (of group wit
 
 Adds an authority to the user.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
@@ -110,7 +110,7 @@ $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
 
 Revokes user authority by specifying the query parameter.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
@@ -151,7 +151,7 @@ $ curl -s -H "Authorization: Bearer ${AT}" \
 
 Filters user information by label, e-mail, username, certificate subject or group/notingroup.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.read` scope.
 
 | Option | Attribute | Value |
 | -------- | -------- | -------- |
@@ -221,7 +221,7 @@ Examples of the available options:
 
 Adds user to a group. It can be done directly through the IAM dashboard as explained [here][group membership section].
 
-Requires `ROLE_ADMIN` or `ROLE_GM`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
@@ -234,7 +234,7 @@ $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
 
 Removes user from a specific group.
 
-Requires `ROLE_ADMIN` or `ROLE_GM`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
@@ -247,7 +247,7 @@ $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
 
 Lists the user's managed and not managed groups.
 
-Requires that the user has `ROLE_ADMIN` or is the one represented by the {id}.
+Requires that the Access Token contains the restricted System Scope `iam:admin.read`, or the token subject is the one represented by the {id}.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \
@@ -273,7 +273,7 @@ $ curl -s -H "Authorization: Bearer ${AT}" \
 
 Gives a user represented by {id} `ROLE_GM` privileges of the group identified by {groupId}.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
@@ -286,7 +286,7 @@ $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
 
 Removes a group manager from a certain group.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
@@ -297,7 +297,7 @@ $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
 
 Shows the information of managers in a certain group.
 
-Requires `ROLE_ADMIN` or `ROLE_GM` privileges of the group identified by {groupId}.
+Requires that the Access Token contains the restricted System Scope `iam:admin.read`, or `ROLE_GM` privileges of the group identified by {groupId}.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \
@@ -332,7 +332,7 @@ $ curl -s -H "Authorization: Bearer ${AT}" \
 
 Shows the user account labels.
 
-Requires that the user has `ROLE_ADMIN`, `ROLE_GM`, or is the one represented by the {id}.
+Requires that the Access Token contains the restricted System Scope `iam:admin.read`, or the token subject is the one represented by the {id}.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \
@@ -349,7 +349,7 @@ $ curl -s -H "Authorization: Bearer ${AT}" \
 
 Adds labels to user account.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X PUT -H "Content-Type: application/json" \
@@ -370,7 +370,7 @@ where `labels.json` is:
 
 Deletes an account label by specifying the label name and the label prefix (if present).
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
@@ -385,7 +385,7 @@ $ curl -X DELETE -H "Authorization: Bearer ${AT}" \
 Adds/changes the membership end time of the user. It can be done directly through the IAM dashboard 
 by clicking on "Change membership end time" button in the user homepage.
 
-Requires `ROLE_ADMIN`.
+Requires `iam:admin.write` scope.
 
 ```bash
 $ curl -X PUT -d @endTime.json \
@@ -410,6 +410,8 @@ Adds user proxy certificate. It can be done directly through the IAM dashboard
 by clicking on "Add managed proxy certificate" button 
 appearing on the user homepage after uploading the X.509 certificate.
 
+When using curl commands, it requires the restricted System Scope `iam:admin.write` in the Access Token.
+
 ```bash
 $ curl -i -X PUT -d @proxy.json \
   -H "Authorization: Bearer ${AT}" \
@@ -429,7 +431,7 @@ where `proxy.json` includes only the *certificate_chain* key:
 
 Shows the list of IAM accounts.
 
-Requires `ROLE_ADMIN`, `ROLE_GM` or `scim:read` scope.
+Requires `iam:admin.read` scope.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \
@@ -470,7 +472,7 @@ $ curl -s -H "Authorization: Bearer ${AT}" \
 
 Shows the list of IAM groups.
 
-Access granted to all IAM users or `scim:read` scope.
+Access granted to all IAM users or `iam:admin.read` scope.
 
 ```bash
 $ curl -s -H "Authorization: Bearer ${AT}" \

diff --git a/content/en/docs/reference/api/scim-api/_index.md b/content/en/docs/reference/api/scim-api/_index.md
@@ -7,8 +7,8 @@ Identity Management (SCIM) standard][scim], that
 can be used to manage users, change their personal information, manage their
 group membership, etc. 
 
-Access to the API is restricted to administrator users or OAuth clients that
-have access to the `scim:read` (for read access) or `scim:write` (for write
+Access to the API is restricted to administrator users authenticated via web interface
+or OAuth clients that have access to the `scim:read` (for read access) or `scim:write` (for write
 access) OAuth scopes.
 Note that these scopes are restricted in the default IAM configuration, i.e.
 can be assigned to clients only by IAM administrators.
@@ -373,7 +373,7 @@ Retrieves information about the currently authenticated user.
 
 Retrieves all the information about the user identified by `id` and returns results in application/json.
 
-Requires `ROLE_ADMIN` or scope `scim:read`.
+Requires `scim:read` scope.
 
     GET http://localhost:8080/scim/Users/2cb10ac5-5b1a-47a0-8f60-48995999f18d
 
@@ -412,7 +412,7 @@ Requires `ROLE_ADMIN` or scope `scim:read`.
 
 Creates a new user, using the info specified within the request body, sent as application/json.
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
     POST http://localhost:8080/scim/Users/
 
@@ -470,7 +470,7 @@ Upon successful creation, the response body contains the newly created User.
 
 ## GET `/scim/Users`
 
-Requires `ROLE_ADMIN` or scope `scim:read`.
+Requires `scim:read` scope.
 
 SCIM defines a standard set of operations that can be used to filter, sort, and
 paginate response results. The operations are specified by adding query
@@ -667,7 +667,7 @@ SCIM **Filtering** and **sorting** of results are currently not supported.
 
 ## PUT `/scim/Users/{id}`
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
 PUT performs a full update. Clients should retrieve the entire resource and
 then PUT the desired modifications as the operation overwrites all previously
@@ -762,7 +762,7 @@ The returned answer is:
 
 ## PATCH `/scim/Users/{id}`
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
 PATCH enables consumers to send only the attributes requiring modification,
 reducing network and processing overhead. Attributes may be deleted, replaced,
@@ -824,7 +824,7 @@ The following example shows how to add an OpenID Connect account and a ssh key:
 
 ## DELETE `/scim/Users/{id}`
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
 Clients request user removal via DELETE.
 
@@ -848,7 +848,7 @@ Example: Client attempt to retrieve the previously deleted User:
 Retrieves information about the group identified by `id` and returns results in
 application/json.
 
-Requires `ROLE_ADMIN` or scope `scim:read`.
+Requires `scim:read` scope.
 
     GET /scim/Groups/c617d586-54e6-411d-8e38-64967798fa8a
 
@@ -884,7 +884,7 @@ Returns a paginated list of user accounts, ordered by username, which are
 members of the group identified by `id`. To know about more about pagination
 parameters, see the [Pagination section](#pagination).
 
-Requires `ROLE_ADMIN` or scope `scim:read`.
+Requires `scim:read` scope.
 
     GET https://wlcg.cloud.cnaf.infn.it/scim/Groups/b86a9e99-9f0e-478f-999c-2046c764aa14/members?count=5
 
@@ -932,7 +932,7 @@ Returns a paginated list of groups, ordered by name, which are direct sub-groups
 identified by `id`. To know about more about pagination parameters, see the
 [Pagination section](#pagination).
 
-Requires `ROLE_ADMIN` or scope `scim:read`.
+Requires `scim:read` scope.
 
     GET https://wlcg.cloud.cnaf.infn.it/scim/Groups/b86a9e99-9f0e-478f-999c-2046c764aa14/subgroups?count=10
 
@@ -968,7 +968,7 @@ Requires `ROLE_ADMIN` or scope `scim:read`.
 
 Creates a new group, using the info specified within the request body, sent as application/json.
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
     POST http://localhost:8080/scim/Groups/
 
@@ -998,7 +998,7 @@ Successful Resource creation is indicated with a 201 ("Created") response code.
 
 ## GET `/scim/Groups`
 
-Requires `ROLE_ADMIN` or scope `scim:read`.
+Requires `scim:read` scope.
 
 The pagination seen for users can be applied also to groups:
 
@@ -1032,7 +1032,7 @@ Example: retrieve the 22nd group
 
 ## PUT `/scim/Groups/{id}`
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
 PUT performs a full update. Clients should retrieve the entire resource and
 then PUT the desired modifications as the operation overwrites all previously
@@ -1066,7 +1066,7 @@ Example of replacing group with a different displayName:
 
 ## PATCH `/scim/Groups/{id}`
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
 The following example shows how to add member to a group:
 
@@ -1092,7 +1092,7 @@ The following example shows how to add member to a group:
 
 ## DELETE `/scim/Groups/{id}`
 
-Requires `ROLE_ADMIN` or scope `scim:write`.
+Requires `scim:write` scope.
 
 Clients request group removal via DELETE.
 

diff --git a/content/en/docs/reference/api/scope-policy-api/_index.md b/content/en/docs/reference/api/scope-policy-api/_index.md
@@ -222,7 +222,9 @@ the scope `wlcg.groups:/a/group` or any other group name matching the regexp.
 ## The Scope policy API
 
 The Scope Policy API is a REST API that allows to manage scope policies.
- API requires IAM administrator privileges.
+Access to the API is restricted to administrator users authenticated via web interface
+or OAuth clients that have access to the `iam:admin.read` (for read access) or `iam:admin.write` (for write
+access) OAuth scopes.
 
 ### GET /iam/scope_policies
 
@@ -231,7 +233,7 @@ organization.
 
 **Authentication required**: yes
 
-**Authorization required**: ROLE\_ADMIN
+**Authorization required**: `iam:admin.read` scope
 
 **Command example**
 
@@ -293,7 +295,7 @@ Returns the JSON representation for the scope policy identified by `id`.
 
 **Authentication required**: yes
 
-**Authorization required**: ROLE\_ADMIN
+**Authorization required**: `iam:admin.read` scope
 
 **Command example**
 
@@ -366,7 +368,7 @@ Changes an existing Scope Policy.
 
 **Authentication required**: yes
 
-**Authorization required**: ROLE\_ADMIN
+**Authorization required**: `iam:admin.write` scope
 
 **Data constraints**
 
@@ -448,7 +450,7 @@ Creates a Scope Policy for the organization
 
 **Authentication required**: yes
 
-**Authorization required**: ROLE\_ADMIN
+**Authorization required**: `iam:admin.write` scope
 
 **Data constraints**
 
@@ -544,7 +546,7 @@ Deletes the Scope Policy for the organization.
 
 **Authentication required**: yes
 
-**Authorization required**: ROLE\_ADMIN
+**Authorization required**: `iam:admin.write` scope
 
 **Command example**