Administrators can use the Users API to create users with a specific role and set permissions explicitly on users. The permissions for a user are the sum of the permissions granted to the user's role(s) and permissions granted explicitly to the user. When creating a user, the administrator must assign the user a role.
Note: Administrators cannot use the Users API to assign themselves a role or set permissions on themselves. These tasks must be performed by another administrator. As a best practice, at least two users should have the Administrator (12) permission. Any user with the Administrator (12) permission is in effect a system administrator and has permission to use all Hybrid Data Pipeline features and functionality.
The following POST creates a user with the ODataOnly role. The user inherits the permissions associated with this role. The administrator must have the Administrator (12) permission, or the CreateUsers (13) permission and administrative access on the tenant.
An administrator can then set permissions explicitly on the new user with the following PUT request, where {id} is the auto-generated user ID. In this example, the user is explicitly being granted ChangePassword permission. The administrator must have the Administrator (12) permission, or the ModifyUsers (15) permission and administrative access on the tenant.
Request
PUT https://MyServer:8443/api/admin/users/{id}/permissions
Request Payload
{
  "roles": [6],
  "permissions": [10]
}
Response Payload
{
  "roles": [
    6
  ],
  "permissions": [
    10
  ]
}
Retrieve permissions on the new user
The following GET request retrieves the roles and explicit permissions assigned to the new user, where {id} is the auto-generated ID of the user. The administrator must have the Administrator (12) permission, or the ViewUsers (14) permission and administrative access on the tenant.
Request
GET https://MyServer:8443/api/admin/users/{id}/permissions
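The rule that a user's permissions are the sum of role permissions and explicit grants, together with the two-administrator recommendation, can be checked offline over permission payloads collected with the GET request above. The following is an added example, not code from the product or its documentation: the role IDs 101-103, their contents, the user names, and the choice of which permissions to treat as sensitive are all constructed assumptions.

```python
# Permission IDs named on this page.
ADMINISTRATOR, CREATE_USERS, VIEW_USERS, MODIFY_USERS = 12, 13, 14, 15
CHANGE_PASSWORD = 10
# Treated as sensitive in this example (an assumption, not a product setting).
SENSITIVE = {ADMINISTRATOR, CREATE_USERS, MODIFY_USERS}

# ASSUMPTION: role IDs 101-103 and their contents are constructed for this
# example; load the real role definitions from your own deployment.
ROLE_PERMISSIONS = {
    101: {ADMINISTRATOR},
    102: {CREATE_USERS, VIEW_USERS, MODIFY_USERS},
    103: {CHANGE_PASSWORD},
}

# Constructed sample: user name -> payload in the {"roles", "permissions"}
# shape shown in the response payload on this page.
SAMPLE_USERS = {
    "alice": {"roles": [101], "permissions": []},
    "bob": {"roles": [102], "permissions": [CHANGE_PASSWORD]},
    "carol": {"roles": [103], "permissions": [ADMINISTRATOR]},
    "dave": {"roles": [103], "permissions": [MODIFY_USERS]},
}


def effective_permissions(payload, role_permissions=ROLE_PERMISSIONS):
    """Union of every assigned role's permissions and the explicit grants."""
    effective = set(payload.get("permissions", []))
    for role_id in payload.get("roles", []):
        effective |= role_permissions[role_id]  # KeyError on an unknown role
    return effective


def audit(users, role_permissions=ROLE_PERMISSIONS, min_admins=2):
    """Return (admins, explicit_sensitive, enough_admins) for a set of users."""
    admins, explicit_sensitive = [], {}
    for name, payload in sorted(users.items()):
        if ADMINISTRATOR in effective_permissions(payload, role_permissions):
            admins.append(name)
        # Sensitive permissions granted directly, outside any role definition.
        direct = SENSITIVE & set(payload.get("permissions", []))
        if direct:
            explicit_sensitive[name] = sorted(direct)
    return admins, explicit_sensitive, len(admins) >= min_admins


if __name__ == "__main__":
    admins, explicit, ok = audit(SAMPLE_USERS)
    print("Administrators:", admins, "(two or more)" if ok else "(too few)")
    for name, perms in explicit.items():
        print(f"{name}: sensitive permissions granted explicitly: {perms}")
```

Explicit grants are reported separately because they raise a user's access without any change to the role assignment, so a review that looks only at roles would miss them.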