user.external

Description

If you are using IPA integration to allow authentication of users from an external IPA server (rare), the users will still need to be created in the #product() database. Methods in this namespace allow you to configure how this happens, such as which organization the users are created in or which roles they will have. These options can also be set in the web admin interface.

Namespace:

user.external

Method: createExternalGroupToRoleMap

HTTP POST

Description:

Externally authenticated users may be members of external groups. You can use these groups to assign additional roles to the users when they log in. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • string name - Name of the external group. Must be unique.

  • string array roles - role - Can be any of: satellite_admin, org_admin (implies all other roles except for satellite_admin), channel_admin, config_admin, system_group_admin, or activation_key_admin.

Returns:

  • struct external group

    • string "name"

    • string array "roles" - role

Method: createExternalGroupToSystemGroupMap

HTTP POST

Description:

Externally authenticated users may be members of external groups. You can use these groups to give access to server groups to the users when they log in. Can only be called by an org_admin.

Parameters:

  • string sessionKey

  • string name - Name of the external group. Must be unique.

  • string array groupNames - the names of the server groups to grant access to.

Returns:

  • struct external group

    • string "name"

    • string array "groups" - roles

Method: deleteExternalGroupToRoleMap

HTTP POST

Description:

Delete the role map for an external group. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • string name - Name of the external group.

Returns:

  • int - 1 on success, exception thrown otherwise.

Method: deleteExternalGroupToSystemGroupMap

HTTP POST

Description:

Delete the server group map for an external group. Can only be called by an org_admin.

Parameters:

  • string sessionKey

  • string name - Name of the external group.

Returns:

  • int - 1 on success, exception thrown otherwise.

Method: getDefaultOrg

HTTP GET

Description:

Get the default org that users should be added to if the orgunit from the IPA server isn’t found or is disabled. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

Returns:

  • int id - ID of the default organization. 0 if there is no default.

Method: getExternalGroupToRoleMap

HTTP GET

Description:

Get a representation of the role mapping for an external group. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • string name - Name of the external group.

Returns:

  • struct external group

    • string "name"

    • string array "roles" - role

Method: getExternalGroupToSystemGroupMap

HTTP GET

Description:

Get a representation of the server group mapping for an external group. Can only be called by an org_admin.

Parameters:

  • string sessionKey

  • string name - Name of the external group.

Returns:

  • struct external group

    • string "name"

    • string array "groups" - roles

Method: getKeepTemporaryRoles

HTTP GET

Description:

Get whether we should keep roles assigned to users because of their IPA groups even after they log in through a non-IPA method. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

Returns:

  • boolean keep - True if we should keep roles after users log in through non-IPA method, false otherwise

Method: getUseOrgUnit

HTTP GET

Description:

Get whether we place users into the organization that corresponds to the "orgunit" set on the IPA server. The orgunit name must match exactly the #product() organization name. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

Returns:

  • boolean use - True if we should use the IPA orgunit to determine which organization to create the user in, false otherwise

Method: listExternalGroupToRoleMaps

HTTP GET

Description:

List role mappings for all known external groups. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

Returns:

  • array:

    • struct external group

      • string "name"

      • string array "roles" - role

Method: listExternalGroupToSystemGroupMaps

HTTP GET

Description:

List server group mappings for all known external groups. Can only be called by an org_admin.

Parameters:

  • string sessionKey

Returns:

  • array:

    • struct external group

      • string "name"

      • string array "groups" - roles

Method: setDefaultOrg

HTTP POST

Description:

Set the default org that users should be added to if the orgunit from the IPA server isn’t found or is disabled. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • int orgId - ID of the organization to set as the default org. 0 if there should not be a default organization.

Returns:

  • int - 1 on success, exception thrown otherwise.

Method: setExternalGroupRoles

HTTP POST

Description:

Update the roles for an external group. Replace previously set roles with the ones passed in here. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • string name - Name of the external group.

  • string array roles - role - Can be any of: satellite_admin, org_admin (implies all other roles except for satellite_admin), channel_admin, config_admin, system_group_admin, or activation_key_admin.

Returns:

  • int - 1 on success, exception thrown otherwise.

Method: setExternalGroupSystemGroups

HTTP POST

Description:

Update the server groups for an external group. Replace previously set server groups with the ones passed in here. Can only be called by an org_admin.

Parameters:

  • string sessionKey

  • string name - Name of the external group.

  • string array groupNames - the names of the server groups to grant access to.

Returns:

  • int - 1 on success, exception thrown otherwise.

Method: setKeepTemporaryRoles

HTTP POST

Description:

Set whether we should keep roles assigned to users because of their IPA groups even after they log in through a non-IPA method. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • boolean keepRoles - True if we should keep roles after users log in through non-IPA method, false otherwise.

Returns:

  • int - 1 on success, exception thrown otherwise.

Method: setUseOrgUnit

HTTP POST

Description:

Set whether we place users into the organization that corresponds to the "orgunit" set on the IPA server. The orgunit name must match exactly the #product() organization name. Can only be called by a #product() Administrator.

Parameters:

  • string sessionKey

  • boolean useOrgUnit - true if we should use the IPA orgunit to determine which organization to create the user in, false otherwise.

Returns:

  • int - 1 on success, exception thrown otherwise.
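
Added example (not part of the product's code or its documentation): a read-only audit built on the Administrator-only getters listExternalGroupToRoleMaps, getKeepTemporaryRoles, getUseOrgUnit and getDefaultOrg. It expands org_admin into the roles it implies and reports which external groups grant high privilege. The `ext` client object, the `SampleExternal` stub, the group names and the `HIGH_PRIVILEGE` policy are assumptions constructed for illustration.

```python
ALL_ROLES = {"satellite_admin", "org_admin", "channel_admin", "config_admin",
             "system_group_admin", "activation_key_admin"}
HIGH_PRIVILEGE = {"satellite_admin", "org_admin"}  # audit policy assumed for this example


def effective_roles(roles):
    """Expand org_admin, which implies every role except satellite_admin."""
    granted = set(roles)
    if "org_admin" in granted:
        granted |= ALL_ROLES - {"satellite_admin"}
    return granted


def audit_external_auth(ext, session_key):
    """Read-only review of user.external settings; returns a list of findings.

    `ext` is any client object exposing this namespace's methods (hypothetical
    wrapper); all calls used here require an Administrator session.
    """
    findings = []
    for group in ext.listExternalGroupToRoleMaps(session_key):
        roles = effective_roles(group["roles"])
        high = sorted(roles & HIGH_PRIVILEGE)
        if high:
            findings.append("%s: grants %s (%d effective roles)"
                            % (group["name"], ", ".join(high), len(roles)))
    if ext.getKeepTemporaryRoles(session_key):
        findings.append("keepTemporaryRoles is true: roles from IPA groups "
                        "persist after a non-IPA login")
    default_org = ext.getDefaultOrg(session_key)
    if default_org != 0:
        when = ("orgunit is not found" if ext.getUseOrgUnit(session_key)
                else "orgunit placement is disabled")
        findings.append("default org %d receives new users (%s)" % (default_org, when))
    return findings


class SampleExternal:
    """Constructed stand-in returning the struct shapes documented above."""
    def listExternalGroupToRoleMaps(self, key):
        return [{"name": "ipa-admins", "roles": ["satellite_admin", "channel_admin"]},
                {"name": "ipa-org-leads", "roles": ["org_admin"]},
                {"name": "ipa-ops", "roles": ["system_group_admin"]}]
    def getKeepTemporaryRoles(self, key): return True
    def getUseOrgUnit(self, key): return False
    def getDefaultOrg(self, key): return 1


if __name__ == "__main__":
    for line in audit_external_auth(SampleExternal(), "constructed-session-key"):
        print(line)
```

Running the audit on a schedule and comparing the findings with the previous run shows when an external group has gained a role mapping.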