See api-docs Menu

Create a Privilege

Use this API to create a new privilege object.

A privilege defines a set of actions that can be performed on particular resources in OneLogin.

A privilege doesn’t grant user access to perform actions. It describes what actions can be performed on a resource. In order to grant access, assign the privilege to a user or a role.

Required Feature

A OneLogin subscription that includes Delegated Administration is required to use the privileges API.

Resource URL

POST https://<subdomain>/api/1/privileges

Header Parameters

Authorization

required

string

Set to Bearer <access_token>.

Set <access_token> to the access token you generated using the Generate Token API.

Generate the access token with the API credential pair created using the scope required to call this API. Call this API using the Manage All scope.

Content-Type

required

string

Set to application/json.

Request Parameters

name

required

string

The name of this privilege

description

string

The description for this privilege

privilege

required

object

An object containing statements that describe the level of access granted by this privilege.

  • Version - The version for the privilege schema. Set to 2018-05-18.
  • Statement - An array of statement objects. See below.

{
    "name": "Administrator",
  "description": "Can administer users",
    "privilege":  {
        "Version": "2018-05-18",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["*"],
            "Scope": ["*"]
        }]
    }
}

Statement

Effect

required

string

Set to “Allow.” By default, all actions are denied, this Statement allows the listed actions to be executed.

Action

required

array

An array of strings that represent actions within OneLogin. Actions are prefixed with the class of object they are related to and followed by a specific action for the given class.

e.g. users:List, where the class is users and the specific action is List.

Don’t mix classes within an Action array. To create a privilege that includes multiple different classes, create multiple statements.

A wildcard * that includes all actions is supported. Use wildcards to create a Super User privilege.

Valid actions include the following:

Apps

  • Apps:List
  • Apps:Get
  • Apps:Create
  • Apps:Update
  • Apps:Delete
  • Apps:ManageRoles
  • Apps:ManageUsers
  • Apps:ManageConnectors
  • Apps:ManageTabs
  • Apps:ReapplyMappings
  • Apps:ManageProvisionedLogins
Users
  • Users:List
  • Users:Get
  • Users:Create
  • Users:Update
  • Users:Delete
  • Users:Unlock
  • Users:ResetPassword
  • Users:ForceLogout
  • Users:Invite
  • Users:ReapplyMappings
  • Users:ManageRoles
  • Users:ManageApps
  • Users:ManageMFA
  • Users:GenerateTempMfaToken
  • Users:AssumeUser
  • Users:ManageLicense
  • Users:ManageProvisionedLogins
Roles
  • Roles:Create
  • Roles:Get
  • Roles:List
  • Roles:Update
  • Roles:Delete
  • Roles:ManageUsers
  • Roles:ManageApps
Reports
  • Reports:Create
  • Reports:Get
  • Reports:List
  • Reports:Update
  • Reports:Delete
  • Reports:Clone
Events
  • Events:Get
  • Events:List
Groups
  • Groups:Create
  • Groups:Get
  • Groups:List
  • Groups:Update
  • Groups:Delete
Policies
  • Policies:Create
  • Policies:Get
  • Policies:List
  • Policies:Update
  • Policies:Delete
  • Policies:SetDefault

Scope

required

array

Target the privileged action against specific resources with the scope.

The scope pattern is the class of object used by the Action, followed by an ID that represents a resource in OneLogin.

e.g. apps/1234, where apps is the class and 1234 is the ID of an app.

The wildcard * is supported and indicates that all resources of the class type declared, in the Action, are in scope.

The Action and Scope classes must match. However, there is an exception, a scope of roles/{role_id} can be combined with Actions on the user or app class. The exception allows you to target groups of users or apps with specific actions.

Sample Request Body

Allow any action on any resource in OneLogin.

{
    "name": "Super Administrator",
  "description": "Can administer users",
    "privilege":  {
        "Version": "2018-05-18",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["*"],
            "Scope": ["*"]
        }]
    }
}

Allow the following user actions on any user in OneLogin.

{
    "name": "User Helpdesk",
  "description": "Can administer helpdesk users",
    "privilege":  {
        "Version": "2018-05-18",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "users:List",
        "users:Get",
                "users:Unlock",
                "users:ResetPassword",
                "users:ForceLogout",
                "users:GenerateTempMfaToken"
            ],
            "Scope": ["*"]
        }]
    }
}

Allow read only access to users or apps.

{
    "name": "User or App Read Only",
  "description": "Can administer users",
    "privilege":  {
        "Version": "2018-05-18",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "users:List",
                "users:Get",
            ],
            "Scope": ["*"]
        },{
            "Effect": "Allow",
            "Action": [
                "apps:List",
                "apps:Get",
            ],
            "Scope": ["*"]
        }]
    }
}

Sample Response

{
    "id": "5e43a548-e9c6-47be-9341-92160902f7a6"
}

No statement or statement is missing an Actions array.

{
    "statusCode": 400,
    "name": "BadRequestError",
    "message": "The request could not be understood by the server due to malformed syntax: Statement required Action array"
}

Effect is missing in the statement

{
    "statusCode": 400,
    "name": "BadRequestError",
    "message": "The request could not be understood by the server due to malformed syntax: Effect is required and must be 'Allow'"
}

Invalid action was supplied. e.g. users:MadeUpAction

{
    "statusCode": 400,
    "name": "BadRequestError",
    "message": "The request could not be understood by the server due to malformed syntax: Operation 'MadeUpAction' does not exist"
}

This error indicates an invalid access token.

{
    "statusCode": 401,
    "name": "UnauthorizedError",
    "message": "The request requires user authentication."
}

Sample Code

cURL

curl 'https://<subdomain>/api/1/privileges' \
-X POST \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
    "name": "Super Administrator",
  "description": "Can do super things",
    "privilege":  {
        "Version": "2018-05-18",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["*"],
            "Scope": ["*"]
        }]
    }
}'

Postman Collection

Run In Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.