Enforcing Permission when viewing User Licenses

Category: API

Summary: We will begin enforcing permissions for users viewing user licenses, singly or in batch, using the following endpoints:

GET /api/v2/license/users
POST /api/v2/license/users
GET /api/v2/license/users/{userId}

The above endpoints will not be permitted without the directory:user:view permission.

Context: Viewing user license data should require permissions to view general user data.

Impact: Users requesting user license data will require the directory:user:view permission. The vast majority of users who will be viewing license data are already granted this permission. Any users without this permission that need to be able to view user license data will need to be granted the directory:user:view permission prior to the date of change.

Previously the GET /api/v2/license/users/{userId} endpoint required the authorization:grant:add permission. This endpoint will now only require the directory:user:view permission.

Date of Change: October 27, 2021

Impacted APIs:

  • GET /api/v2/license/users
  • POST /api/v2/license/users
  • GET /api/v2/license/users/{userId}

References: IAM-1264
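A pre-change audit along the lines of this announcement, as an added example (not part of the original post and not Genesys code): it compares each user's grants against the old and new requirements to show who loses or gains access per endpoint. The user names and grants are constructed sample data, and treating "*" as a wildcard segment in a permission string is an assumption.

```python
# Added example. Sample users are constructed; "*" wildcard matching is an assumption.
NEW_PERMISSION = "directory:user:view"
OLD_SINGLE_USER_PERMISSION = "authorization:grant:add"
BATCH_ENDPOINTS = ["GET /api/v2/license/users", "POST /api/v2/license/users"]
SINGLE_USER_ENDPOINT = "GET /api/v2/license/users/{userId}"


def grants(granted, required):
    """True if one granted 'domain:entity:action' string covers the required one."""
    g, r = granted.split(":"), required.split(":")
    return len(g) == len(r) == 3 and all(a in ("*", b) for a, b in zip(g, r))


def has_permission(user_grants, required):
    return any(grants(g, required) for g in user_grants)


def audit(users):
    """Map each user to the effect of the change on every impacted endpoint."""
    report = {}
    for name, user_grants in users.items():
        can_view = has_permission(user_grants, NEW_PERMISSION)
        had_single = has_permission(user_grants, OLD_SINGLE_USER_PERMISSION)
        effects = {}
        # The announcement says enforcement begins with this change, so the
        # batch endpoints are modelled as having no permission check before it.
        for endpoint in BATCH_ENDPOINTS:
            effects[endpoint] = "unchanged" if can_view else "loses access"
        if can_view:
            effects[SINGLE_USER_ENDPOINT] = "unchanged" if had_single else "gains access"
        else:
            effects[SINGLE_USER_ENDPOINT] = "loses access" if had_single else "no access"
        report[name] = effects
    return report


def needs_grant(users):
    """Users who must be granted directory:user:view before the date of change."""
    return sorted(n for n, g in users.items() if not has_permission(g, NEW_PERMISSION))


SAMPLE_USERS = {  # constructed for illustration
    "agent_a": ["directory:user:view"],
    "admin_b": ["authorization:grant:add"],
    "admin_c": ["authorization:grant:add", "directory:user:*"],
    "svc_d": ["routing:queue:view"],
}

if __name__ == "__main__":
    for user, effects in audit(SAMPLE_USERS).items():
        print(user, effects)
    print("Grant directory:user:view to:", needs_grant(SAMPLE_USERS))
```

The case worth checking in a real tenant is the "admin_b" pattern: an account that holds authorization:grant:add without directory:user:view can read a single user's licenses today and will stop being able to after the change.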

Are the permissions for /api/v2/license/definitions/{licenseId} and /api/v2/license/toggles/{featureName} changing? It seems that they return similar information as GET /api/v2/license/users. And since they are read operations, I'm not sure it makes sense for the required permission to be an Add permission.
