Privileges required for reading node permissions

Hi all!

We need to build ACLs for nodes in Content Server. For this purpose we use the following API calls:

/api/v2/nodes/{id} - for reading node permissions
/api/v2/members - for reading available groups
/api/v2/members/{id}/members - for reading group members
/api/v2/members/{id} - for reading user info

Which privileges are required for API account, so that all these API calls could be successfully executed? API documentation misses information on privileges necessary for the calls.

Thank you!

Find more posts tagged with

Comments

Appu Nair

/api/v2/nodes/{id} - for reading node permissions in this case the INVOKING USER in that action should have EDIT PERMISSIONS on the {id}.It is waived for SA privileges will work if the REST API caller is 'Admin','otdadmin@otds.admin', or any user account who has "SA" on their privilege.In most cases this will work but in case of SC(Security Clearance) you can change its behavior.
/api/v2/members-To do anything fully with USER&GROUPS the USER enquiring should have 'User Administrator'.If possible create a SA account other than 'Admin' and give that guy UA.SA privileges cannot enquire about members unless they have UA as well.It works with 'Admin' because it is a special case.

PS: In some cases, the administration won't be able to give what is needed nor would they give higher permissions. In those cases, it is going to be a hybrid of a WR(Web report) who can enquire all of the above without a lot of permissions. (Happens with ECM customers who has come on board and are new to the application so do not want to mess lot with Permissioning etc.)

CodeFuller

Appu, thank you for your answer!

I don't get this part: "It is waived for SA privileges will work if the REST API caller is 'Admin','otdadmin@otds.admin', or any user account who has "SA" on their privilege."

You say that waiver for SA privilege will work but then you say that account still has to have SA privilege. English is not my native language, so may be I don't understand you correctly. Could you please clarify?

Also, regarding enquiring groups membership: we understood from your answer that "User administration" privilege is required for this API call. But is "System administration" privilege is also necessary? Or it is possible to create a user with "User administration" privilege only and the call will pass?

Appu Nair

Admin=otadmin@otds.admin is the root user for Content Server a.k.a Livelink. It is a user with the "System Admin" privilege. If you create a user called myintegrationuser and give it UA and SA it will work for both your API calls.

in case you cannot get SA awarded to your integration user you have to have your user have 'Edit Permissions' this is not Privilege, this is Permissions on the Node a.k.a ACL

OT's reasoning is simple SA for doing something on the server like patches/changes to the configuration

UA-A User Administrator who can add/subtract people in groups.

https://appukili.wordpress.com/2015/05/03/general-help-series-3/

CodeFuller

Appu, thank you very much for your thorough answer!