1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
|
AAF 2.0 RESTful interface
=========================
Accessing RESTful
-----------------
AAF RESTful service is secured by the following:
* The Client must utilize HTTP/S. Non Secure HTTP is not acceptable
* The Client MUST supply an Identity validated by one of the following mechanisms:
* Valid Global Login Cookie (CSP)
* BASIC AUTH protocol using CSO Registered MechID, provisioned in AAF
* BASIC AUTH protocol using ATTUID@csp.att.com, Global Login Password
* (Available 3rd Qtr 2015) Valid tGuard Login Cookie
* (Near Future) Application level Certificate
Responses
Each API Entity listed shows what structure will be accepted by service (ContentType) or responded with by service (Accept). Therefore, use these in making your call. Critical for PUT/POST.
Each API call may respond with JSON or XML. Choose the ContentType/Accept that has +json after the type for JSON or +xml after the Type for XML
XSDs for Versions
AAF can support multiple Versions of the API. Choose the ContentType/Accept that has the appropriate version=?.?
All Errors coming from AAF return AT&T Standard Error Message as a String: `JSON <./example/YXBwbGljYXRpb24vRXJyb3IranNvbg==>`__ `XML <./example/YXBwbGljYXRpb24vRXJyb3IreG1s>`__ (does not apply to errors from Container)
Character Restrictions
- Character Restrictions must depend on the Enforcement Point used
- Most AAF usage will be AAF Enforcement Point Characters for Instance and Action are:
*a-zA-Z0-9,.()\_-=%*
For Instance, you may declare a multi-dimensional key with : (colon) separator, example:
Ask for a Consultation on how these are typically used, or, if your tool is the only Enforcement Point, if set may be expanded
+--------------------+--------------------+--------------------+---------------------------------------------------+
| Entity | Method | Path Info | Description |
+====================+====================+====================+===================================================+
| PERMISSION | POST | /authz/perm | Create a Permission |
| | | | Permission consists of: |
| | | | - type - a Namespace qualified identifier |
| | | | specifying what kind of resource is being |
| | | | protected |
| | | | - instance - a key, possibly multi-dimensional |
| | | | that identifies a specific instance of the |
| | | | type |
| | | | - action - what kind of action is allowed |
| | | | Note: instance and action can be an \* |
| | | | Expected HTTP Code |
| | | | 201 |
| | | | Explicit HTTP Error Codes |
| | | | 403, 404, 406, 409 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | PUT | /authz/perm | Set Description for Permission |
| | | | Add Description Data to Perm |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | DELETE | /authz/perm | Delete a Permission |
| | | | Delete the Permission referenced by PermKey. |
| | | | You cannot normally delete a permission which |
| | | | is still granted to roles, however the |
| | | | "force" property allows you to do just that. To |
| | | | do this: Add |
| | | | 'force=true' as a query parameter. |
| | | | **WARNING**: Using force will ungrant this |
| | | | permission from all roles. Use with care. |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | DELETE | /authz/perm/:name/ | Delete a Permission |
| | | :type/:action | Delete the Permission referenced by :type |
| | | | :instance: action |
| | | | You cannot normally delete a permission which |
| | | | is still granted to roles, however the |
| | | | "force" property allows you to do |
| | | | just that. To do this: Add 'force=true' as a |
| | | | query parameter |
| | | | |
| | | | WARNING: Using force will ungrant this permission |
| | | | from all roles. Use with care. |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | type : string (Required) |
| | | | instance : string (Required) |
| | | | action : string (Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | PUT | /authz/perm/:type/ | Update a Permission |
| | | :instance/:action | Rename the Permission referenced |
| | | | by :type :instance :action, and rename |
| | | | (copy/delete) to the Permission described in |
| | | | PermRequest |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | type : string (Required) |
| | | | instance : string (Required) |
| | | | action : string (Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 ,409 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | GET | /authz/perms/:type | Get Permissions by Type |
| | | | |
| | | | List All Permissions that match the :type |
| | | | element of the key |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | type : string (Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | GET | /authz/perms/:type | Get Permissions by Key |
| | | /:instance/:action | List Permissions that match key; |
| | | | :type, :instance and :action |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | type : string (Required) |
| | | | instance : string (Required) |
| | | | action : string (Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | GET | /authz/perms/ns/:n | Get PermsByNS |
| | | s | List All Permissions that are in Namespace :ns |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | type : ns (Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | GET | /authz/perms/role/ | Get Permissions by Role |
| | | :role | List All Permissions that are granted to :role |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | role : string (Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | POST | /authz/perms/user/ | Get Permissions by User, Query AAF Perms |
| | | :user | |
| | | | List All Permissions that match user :user |
| | | | |
| | | | 'user' must be expressed as full |
| | | | identity (ex: id@full.domain.com) |
| | | | Present Queries as one or more Permissions (see |
| | | | ContentType Links below for format). If the |
| | | | Caller is Granted this specific Permission, and |
| | | | the Permission is valid for the User, it will be |
| | | | included in response permissions,along with all |
| | | | the normal permissions on the 'GET' version of |
| | | | this call. If it is not valid,or caller does not |
| | | | permission to see, it will be removed from the |
| | | | list. |
| | | | **Note**: This design allows you to make one |
| | | | call for all expected permissions |
| | | | |
| | | | The permission to be included MUST be: |
| | | | .access\|:[:key]\| |
| | | | |
| | | | examples: |
| | | | |
| | | | com.att.myns.access|:ns|write |
| | | | com.att.myns.access\|:role:myrole\|create |
| | | | com.att.myns.access\|:perm:mytype:myinstance: |
| | | | myaction\|read |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | user:string(Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | GET | /authz/perms/user/ | Get Permissions by User |
| | | :user | |
| | | | List All Permissions that match user :user |
| | | | 'user' must be expressed as full |
| | | | identity (ex:id@full.domain.com) |
| | | | --------------------------------------------------|
| | | | Parameters |
| | | | user:string(Required) |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| ROLE | POST | /authz/role | Create Role |
| | | | |
| | | | Roles are part of Namespaces |
| | | | Examples: |
| | | | - com.att.aaf |
| | | | - The team that created andmaintains AAF |
| | | | |
| | | | Roles do not include implied permissions for an |
| | | | App. Instead, they contain explicit Granted |
| | | | Permissions by any Namespace in AAF |
| | | | Restrictions on Role Names: |
| | | | - Must start with valid Namespace name, |
| | | | terminated by .(dot/period) |
| | | | - Allowed Characters are a-zA-Z0-9._- |
| | | | - role names are Case Sensitive |
| | | | |
| | | | Expected HTTP Code |
| | | | 201 |
| | | | Explicit HTTP Error Codes |
| | | | 403, 404, 406, 409 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
| | PUT | /authz/role | Set Description for role |
| | | | Add Description Data to a Role |
| | | | Expected HTTP Code |
| | | | 200 |
| | | | Explicit HTTP Error Codes |
| | | | 404, 406 |
+--------------------+--------------------+--------------------+---------------------------------------------------+
|