Manage roles
Roles are associated with policy and are assigned to users in an organizational unit. A user can perform actions in that organizational unit based on the role assigned to the user and the policies assigned to the role.
Users with the org-admin role can create custom roles and assign them to users.
Create a custom role
To create a role, use the authz role create-role command.
chef-platform-auth-cli authz role create-role --body '{"name": "<ROLE_NAME>", "description": "<ROLE_DESCRIPTION>"}'
By default, this new role has no policies assigned to it. To assign policies to a role, see the documentation on assigning policies.
List roles
To list the user-defined and system-defined roles in the current organization, use the authz role find-role command.
chef-platform-auth-cli authz role find-role
This lists user-defined roles by default; --definedBy user makes that explicit. Use --definedBy system to list system-defined roles.
chef-platform-auth-cli authz role find-role --definedBy user
chef-platform-auth-cli authz role find-role --definedBy system
The response is similar to:
{
"items": [
{
"definedBy": "system",
"description": "",
"id": "5fcb0235-1e56-4ece-8857-404a5d39a290",
"level": "tenant",
"meantFor": "user",
"name": "tenant-admin",
"status": "enabled"
},
{
"definedBy": "system",
"description": "",
"id": "e96523ea-5890-4489-9979-0ccc3ecaaf06",
"level": "org",
"meantFor": "user",
"name": "tenant-viewer",
"status": "enabled"
}
]
}
List policies attached to a role
To list all policies attached to a role, use the authz role list-policies command.
The role can be a system-defined role or a custom role in the current organization.
chef-platform-auth-cli authz role list-policies --roleId <ROLE_ID>
The response is similar to:
{
"items": [
{
"definedBy": "system",
"description": "Policy for user self managment",
"id": "d86b4dfa-3a37-40cf-8867-0ad459192e1e",
"name": "self-manager-policy",
"statements": null,
"status": "enabled",
"version": "1.0"
},
{
"definedBy": "system",
"description": "Policy for node-specific-details",
"id": "7ea8f01a-bdbf-4d36-a071-a3dcb75eee4a",
"name": "node-specific-details",
"statements": null,
"status": "enabled",
"version": "1.0"
}
]
}
Assign a policy to a role
To assign a user-defined policy to a user-defined role in the current organization, use the authz role assign-policy command.
chef-platform-auth-cli authz role assign-policy --roleId "<ROLE_ID>" --body '{"policyId": "<POLICY_ID>"}'
The response is similar to:
{
"item": {
"definedBy": "user",
"description": "read policy",
"id": "cde59856-2950-48de-960b-83f4ae9dce59",
"name": "read-policy-01",
"status": "enabled",
"version": "1.0"
}
}
Detach a policy from a role
To remove a policy from a role, use the authz role delete-policy command.
This command only detaches user-defined policies from user-defined roles in the current organization.
chef-platform-auth-cli authz role delete-policy --roleId "<ROLE_ID>" --policyId "<POLICY_ID>"
Response:
{
"code": 200,
"message": "delete-policy successful"
}
Enable a role
To enable a user-defined role in the current organization, use the authz role enable-role command.
chef-platform-auth-cli authz role enable-role --roleId <ROLE_ID>
Response:
{
"code": 200,
"message": "enable-role successful"
}
Disable a role
To disable a user-defined role in the current organization, use the authz role disable-role command.
chef-platform-auth-cli authz role disable-role --roleId <ROLE_ID>
Response:
{
"code": 200,
"message": "disable-role successful"
}
Delete a role
To delete a user-defined role, use the authz role delete-role command.
Once deleted, the role can no longer be selected by any user at login or when switching roles. A user who is currently using the role is blocked from performing any actions once the cached role expires, until they log out and log in again.
chef-platform-auth-cli authz role delete-role --roleId 807a60a2-78ad-4865-9a7d-72e1a71d396a
Response:
{
"code": 200,
"message": "delete-role successful"
}
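As an added example (not part of the Chef documentation), the Python script below wraps the find-role and list-policies commands above and audits their output: it flags enabled roles that have no policies attached (the state every new role starts in) and disabled roles that still carry enabled policies, which a single enable-role call would hand back out. The sample responses, role names and ids are constructed to match the shapes shown on this page.

```python
import json
import subprocess
from typing import Dict, List

CLI = "chef-platform-auth-cli"  # the CLI documented on this page

def run_json(*args: str) -> dict:
    """Run one CLI subcommand and parse its JSON response (CLI must be on PATH)."""
    proc = subprocess.run([CLI, *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def audit_roles(roles: dict, policies_by_role: Dict[str, dict]) -> Dict[str, List[str]]:
    """Cross-check find-role output with list-policies output for each role.
    - enabled_without_policies: enabled roles that grant nothing (a new role starts
      with no policies), usually a sign that setup was never finished.
    - disabled_with_policies: disabled roles still carrying enabled policies, which a
      single enable-role call would hand straight back out."""
    findings: Dict[str, List[str]] = {"enabled_without_policies": [],
                                      "disabled_with_policies": []}
    for role in roles.get("items", []):
        policies = policies_by_role.get(role["id"], {}).get("items") or []
        live = [p["name"] for p in policies if p.get("status") == "enabled"]
        if role.get("status") == "enabled" and not live:
            findings["enabled_without_policies"].append(role["name"])
        elif role.get("status") != "enabled" and live:
            findings["disabled_with_policies"].append(role["name"])
    return findings

def audit_live(defined_by: str = "user") -> Dict[str, List[str]]:
    """Fetch live data with the two commands from this page, then audit it."""
    roles = run_json("authz", "role", "find-role", "--definedBy", defined_by)
    policies = {r["id"]: run_json("authz", "role", "list-policies", "--roleId", r["id"])
                for r in roles.get("items", [])}
    return audit_roles(roles, policies)

# Constructed sample responses in the shape shown on this page; ids are placeholders.
SAMPLE_ROLES = {"items": [
    {"id": "role-1", "name": "reviewer", "definedBy": "user", "status": "enabled"},
    {"id": "role-2", "name": "deploy-operator", "definedBy": "user", "status": "enabled"},
    {"id": "role-3", "name": "legacy-auditor", "definedBy": "user", "status": "disabled"},
]}
SAMPLE_POLICIES = {
    "role-1": {"items": [{"name": "read-policy-01", "status": "enabled"}]},
    "role-2": {"items": []},
    "role-3": {"items": [{"name": "audit-policy", "status": "enabled"}]},
}

if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES, SAMPLE_POLICIES), indent=2))
```

Run audit_live() against a real organization to review the live role set; the sample data only exercises the audit logic offline.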