Create a Privilege
Use this API to create a new privilege object.
A privilege defines a set of actions that can be performed on particular resources in OneLogin.
A privilege doesn’t grant user access to perform actions. It describes what actions can be performed on a resource. In order to grant access, assign the privilege to a user or a role.
Required Feature
A OneLogin subscription that includes Delegated Administration is required to use the privileges API.
Resource URL
POST https://<subdomain>/api/1/privilegesHeader Parameters
Authorization required string | Set to Set Generate the access token with the API credential pair created using the scope required to call this API. Call this API using the |
Content-Type required string |
Set to application/json. |
Request Parameters
|
name required string |
The name of this privilege |
|
description string |
The description for this privilege |
|
privilege required object |
An object containing statements that describe the level of access granted by this privilege.
|
Statement
|
Effect required string |
Set to “Allow.” By default, all actions are denied, this Statement allows the listed actions to be executed. |
|
Action required array |
An array of strings that represent actions within OneLogin. Actions are prefixed with the class of object they are related to and followed by a specific action for the given class. e.g. users:List, where the class is users and the specific action is List. Don’t mix classes within an Action array. To create a privilege that includes multiple different classes, create multiple statements. A wildcard * that includes all actions is supported. Use wildcards to create a Super User privilege. Valid actions include the following: Apps
|
|
Scope required array |
Target the privileged action against specific resources with the scope. The scope pattern is the class of object used by the Action, followed by an ID that represents a resource in OneLogin. e.g. apps/1234, where apps is the class and 1234 is the ID of an app. The wildcard * is supported and indicates that all resources of the class type declared, in the Action, are in scope. The Action and Scope classes must match. However, there is an exception, a scope of roles/{role_id} can be combined with Actions on the user or app class. The exception allows you to target groups of users or apps with specific actions. |
Sample Request Body
Allow any action on any resource in OneLogin.
{
"name": "Super Administrator",
"description": "Can administer users",
"privilege": {
"Version": "2018-05-18",
"Statement": [{
"Effect": "Allow",
"Action": ["*"],
"Scope": ["*"]
}]
}
}Allow the following user actions on any user in OneLogin.
{
"name": "User Helpdesk",
"description": "Can administer helpdesk users",
"privilege": {
"Version": "2018-05-18",
"Statement": [{
"Effect": "Allow",
"Action": [
"users:List",
"users:Get",
"users:Unlock",
"users:ResetPassword",
"users:ForceLogout",
"users:GenerateTempMfaToken"
],
"Scope": ["*"]
}]
}
}Allow read only access to users or apps.
{
"name": "User or App Read Only",
"description": "Can administer users",
"privilege": {
"Version": "2018-05-18",
"Statement": [{
"Effect": "Allow",
"Action": [
"users:List",
"users:Get",
],
"Scope": ["*"]
},{
"Effect": "Allow",
"Action": [
"apps:List",
"apps:Get",
],
"Scope": ["*"]
}]
}
}Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"id": "5e43a548-e9c6-47be-9341-92160902f7a6"
}No statement or statement is missing an Actions array.
{
"statusCode": 400,
"name": "BadRequestError",
"message": "The request could not be understood by the server due to malformed syntax: Statement required Action array"
}Effect is missing in the statement
{
"statusCode": 400,
"name": "BadRequestError",
"message": "The request could not be understood by the server due to malformed syntax: Effect is required and must be 'Allow'"
}Invalid action was supplied. e.g. users:MadeUpAction
{
"statusCode": 400,
"name": "BadRequestError",
"message": "The request could not be understood by the server due to malformed syntax: Operation 'MadeUpAction' does not exist"
}This error indicates an invalid access token.
{
"statusCode": 401,
"name": "UnauthorizedError",
"message": "The request requires user authentication."
}Sample Code
cURL
curl 'https://<subdomain>/api/1/privileges' \
-X POST \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"name": "Super Administrator",
"description": "Can do super things",
"privilege": {
"Version": "2018-05-18",
"Statement": [{
"Effect": "Allow",
"Action": ["*"],
"Scope": ["*"]
}]
}
}'Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
ask
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.