Authorization
NetFoundry authorization is based on resource actions: discrete privileges scoped to a resource type. Accounts come
in two flavors — User and ApiAccount — and either can be granted any resource action. See the
Authorization API reference for a full list of
resource types and actions.
This guide uses curl and jq. Set NETFOUNDRY_API_TOKEN before you start — see
Authentication if you don't have a token yet.
Grant a resource action to an identity
Objective
Grant permission to Alice to reset any user's secondary authentication factor (MFA).
Steps
- Find the ID of the identity you want to grant the action to. This example looks up Alice by email:

  ```bash
  ACCOUNT=$(curl -s "https://gateway.production.netfoundry.io/identity/v1/identities" \
    --header "Authorization: Bearer ${NETFOUNDRY_API_TOKEN}" \
    | jq -r '.[]|select(.email == "alice@example.com")|.id')
  ```

- Find the ID of the resource type you want to scope the action to. This example uses user-identity:

  ```bash
  RESOURCE_TYPE=$(curl -s "https://gateway.production.netfoundry.io/auth/v1/resource-types" \
    --header "Authorization: Bearer ${NETFOUNDRY_API_TOKEN}" \
    | jq -r '.[]|select(.code == "user-identity")|.id')
  ```

- Find the ID of the resource action to grant. This filters the actions of that resource type for update-reset-mfa:

  ```bash
  RESOURCE_ACTION=$(curl -s "https://gateway.production.netfoundry.io/auth/v1/resource-actions?resourceTypeId=${RESOURCE_TYPE}" \
    --header "Authorization: Bearer ${NETFOUNDRY_API_TOKEN}" \
    | jq -r '.[]|select(.code == "update-reset-mfa")|.id')
  ```

- Grant the action to the identity. If any of the three lookups above matched nothing, its variable is empty and this request will either be rejected or create a grant you did not intend, so confirm that ACCOUNT, RESOURCE_TYPE and RESOURCE_ACTION are all set before you run it. The empty path means the grant is not narrowed to one resource: Alice can reset MFA for any user, which is what the objective asks for.

  ```bash
  curl -s -X POST "https://gateway.production.netfoundry.io/auth/v1/identity-resource-actions" \
    --header "Authorization: Bearer ${NETFOUNDRY_API_TOKEN}" \
    --header "Content-Type: application/json" \
    --data '{"identityId": "'"${ACCOUNT}"'","resourceActionId": "'"${RESOURCE_ACTION}"'","path": []}'
  ```

- Verify the action is now granted by listing grants for that action and identity:

  ```bash
  curl -s "https://gateway.production.netfoundry.io/auth/v1/grants?resourceActionId=${RESOURCE_ACTION}&identityId=${ACCOUNT}" \
    --header "Authorization: Bearer ${NETFOUNDRY_API_TOKEN}" \
    | jq .
  ```
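The same five steps as one script, added here as an example rather than NetFoundry's own code. It differs from the curl sequence in two ways a practitioner cares about: each lookup refuses to continue unless exactly one record matches (an empty or duplicate match would otherwise be silently interpolated into the POST), and the JSON body is built by a serializer instead of shell quoting. The HTTP layer is injected so the script can run offline against `FakeApi`, whose IDs, the second resource type and action, and the shape of the grants response are constructed sample data and assumptions, not captured from the real service.

```python
"""Grant a NetFoundry resource action to an identity, with fail-fast lookups.

Added example, not NetFoundry's own code. Endpoint paths and the grant
payload mirror the curl steps in the guide; everything inside FakeApi is
constructed sample data.
"""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://gateway.production.netfoundry.io"


def pick_one(items, field, value):
    """Return the id of the single item whose `field` equals `value`.

    Refuses to guess: zero matches would POST an empty ID, and more than one
    match could grant the action to the wrong principal.
    """
    matches = [item for item in items if item.get(field) == value]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {field}={value!r}, found {len(matches)}")
    return matches[0]["id"]


def grant_body(identity_id, resource_action_id, path=()):
    """Payload for POST /auth/v1/identity-resource-actions.
    An empty path leaves the grant unscoped to any single resource."""
    return {"identityId": identity_id, "resourceActionId": resource_action_id, "path": list(path)}


def make_requester(token, base_url=BASE_URL):
    """Return request(method, path, body=None, query=None) backed by urllib."""
    def request(method, path, body=None, query=None):
        url = base_url + path + ("?" + urllib.parse.urlencode(query) if query else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return request


def grant_action(request, email, type_code="user-identity", action_code="update-reset-mfa"):
    """Run the guide's steps in order and return the IDs used plus the
    verification listing, so the caller can inspect the result."""
    account = pick_one(request("GET", "/identity/v1/identities"), "email", email)
    resource_type = pick_one(request("GET", "/auth/v1/resource-types"), "code", type_code)
    actions = request("GET", "/auth/v1/resource-actions", query={"resourceTypeId": resource_type})
    action = pick_one(actions, "code", action_code)
    request("POST", "/auth/v1/identity-resource-actions", body=grant_body(account, action))
    grants = request("GET", "/auth/v1/grants", query={"resourceActionId": action, "identityId": account})
    return {"identityId": account, "resourceActionId": action, "grants": grants}


class FakeApi:
    """Offline stand-in. IDs, the extra type/action and the grants response
    shape are constructed assumptions, not the real API's data."""

    def __init__(self):
        self.identities = [
            {"id": "id-alice", "email": "alice@example.com", "type": "User"},
            {"id": "id-bob", "email": "bob@example.com", "type": "User"},
        ]
        self.resource_types = [
            {"id": "rt-user", "code": "user-identity"},
            {"id": "rt-example", "code": "example-type"},  # constructed filler
        ]
        self.resource_actions = [
            {"id": "ra-reset-mfa", "code": "update-reset-mfa", "resourceTypeId": "rt-user"},
            {"id": "ra-example", "code": "example-action", "resourceTypeId": "rt-user"},  # filler
        ]
        self.grants = []

    def request(self, method, path, body=None, query=None):
        query = query or {}
        if (method, path) == ("GET", "/identity/v1/identities"):
            return self.identities
        if (method, path) == ("GET", "/auth/v1/resource-types"):
            return self.resource_types
        if (method, path) == ("GET", "/auth/v1/resource-actions"):
            return [a for a in self.resource_actions if a["resourceTypeId"] == query["resourceTypeId"]]
        if (method, path) == ("POST", "/auth/v1/identity-resource-actions"):
            self.grants.append(dict(body))
            return body
        if (method, path) == ("GET", "/auth/v1/grants"):
            return [g for g in self.grants
                    if g["resourceActionId"] == query["resourceActionId"]
                    and g["identityId"] == query["identityId"]]
        raise RuntimeError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    token = os.environ.get("NETFOUNDRY_API_TOKEN")
    # With a token, talk to the real gateway; without one, exercise the fake.
    request = make_requester(token) if token else FakeApi().request
    print(json.dumps(grant_action(request, "alice@example.com"), indent=2))
```

Run it with NETFOUNDRY_API_TOKEN set to perform the real grant, or unset to see the flow against the constructed data. The returned `grants` list is whatever the verification endpoint sends back; check it for the expected identity and action rather than treating a 2xx on the POST as proof.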