Configuring Profile API Token

You may want a user or group of users to be able to create, edit, or delete a Profile API Token within certain folders without granting them Full Control to All Folders within a Parent Segment. With the Profile API Token permission, you can grant users Profile API Token access for certain folders without exposing other folders and segments to which the user should not have access. An Administrator may assign a profile to a user to enable or limit their access.

This article provides details on how to apply or update Profile API Token permission for a particular parent segment and its associated folders using endpoints for Access Control Permissions.

INFO

An audience ID may represent a parent segment, a batch segment, or a realtime segment.

This topic contains:

Prerequisites

Verify the Profile API Token for a Policy

To confirm a policy has Profile API Token applied, you first need to view which permissions a policy has enabled. In the following example, you can view the permissions for policy 1115654.

curl --location --request GET 'https://{{baseUrl}}/v3/access_control/policies/1115654/permissions' \
--header 'Accept: application/json' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

The following portion of the response shows that the Profile API Token permission has been applied to the audience ID 69129.

The response has been condensed for brevity.

{
   "ProfilesApiToken": [
       {
           "audience_id": "69129",
           "operation": "full"
       }
   ]
}

Apply Profile API Token to a Parent Segment

To enable the Profile API Token option, add the ProfilesApiToken field to the payload. In the following example, the Profile API Token is included for the audience ID 143857 and its operation is set to full.

{
    "ProfilesApiToken": [
        {
            "audience_id": "143857",
            "operation": "full"
        }
    ]
}

Replace all the existing permissions on the policy. Add the new permission.

Update a Policy’s Profile API Token

You can update how a Profile API Token is applied to a policy by using the parent segment, or audience ID, and the ID of the policy to which it should be assigned. In the examples that follow, the audience ID 143856 is applied to the policy 1115654. In the first example, permission to edit and view all folders within the specified segment is applied. In the second example, different permissions are set on specific folders within the parent segment.

Example 1
In the example that follows, the policy is applied to all folders for the parent segment 143856, indicated as audience ID 143856. The SegmentAllFolders permission is set to edit and view to enable permissions for all the folders within the specified segment.

Sample Request

curl --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policies/1115654/permissions' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--data-raw '{
    "ProfilesApiToken": [
        {
            "audience_id": "143856",
            "operation": "full"
        }
    ],
    "SegmentAllFolders": [
        {
            "audience_id": "143856",
            "operation": "view"
        },
        {
            "audience_id": "143856",
            "operation": "edit"
        }
    ]
}'

The response confirms that Profile API Token permissions are applied to the parent segment 143856 as well as its folders. With this change, the user with this policy is able to create, edit, and delete the Profile API Token.

Sample Response

{
    "ProfilesApiToken": [
        {
            "audience_id": "143856",
            "operation": "full"
        }
    ],
    "SegmentAllFolders": [
         {
            "audience_id": "143856",
            "operation": "view"
        },
        {
            "audience_id": "143856",
            "operation": "edit"
        }
    ]
}

Example 2
In the example that follows, the policy is applied to all folders for the parent segment 143856, and the view or edit operation is applied to specific folders within the parent segment, while the value for the SegmentAllFolders field is left empty.

Both view and edit operations are applied to the specified folder, 498948, while only the view operation is applied to folder 498708.

Sample Request

curl --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policies/1115654/permissions' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--data-raw '{
    "ProfilesApiToken": [
        {
            "audience_id": "143856",
            "operation": "full"
        }
    ],
    "SegmentAllFolders": [],
    "SegmentFolder": [
        {
            "id": "498708",
            "operation": "view"   
        },
        {
            "id": "498948",
            "operation": "view"
        },
        {
            "id": "498948",
            "operation": "edit"
        }
    ]
}'

The response confirms that a Profile API Token is applied to the parent segment 143856, with more granular permissions applied to folders within the segment.

Sample Response

{
    "ProfilesApiToken": [
        {
            "audience_id": "143856",
            "operation": "full"
        }
    ],
    "SegmentAllFolders": [],
    "SegmentFolder": [
        {
            "id": "498708",
            "operation": "view"
        },
        {
            "id": "498948",
            "operation": "view"
        },
        {
            "id": "498948",
            "operation": "edit"
        }
    ]
}

Remove Profile API Token Permission

To remove Profile API Token permission for a particular parent segment, omit the audience_id for that particular parent segment. In the example that follows, Profile API Token permissions are first confirmed for audience IDs 143856 and 143857.

{
    "ProfilesApiToken": [
        {
            "audience_id": "143856",
            "operation": "full"
        },
        {
            "audience_id": "143857",
            "operation": "full"
        }
    ]
}

In the request payload, Profile API Token permission is removed for audience ID 143856, while Profile API Token permission is retained for audience ID 143857.

Sample Request

curl --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policies/1115654/permissions' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--data-raw '{
    "ProfilesApiToken": [
        {
            "audience_id": "143857",
            "operation": "full"
        }
    ]
}'

The response confirms that Profile API Token is applied only to the parent segment 143857.

Sample Response

{
    "ProfilesApiToken": [
        {
            "audience_id": "143857",
            "operation": "full"
        }
    ]
}
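
Because the payload replaces the permissions already on the policy (see the apply and remove sections above), one way to avoid dropping unrelated entries is to derive the PATCH body from the current GET response and diff it before sending. The following is an added example, not part of the original documentation; the function names and the `CURRENT` sample (constructed from this page's sample IDs) are assumptions.

```python
import copy
import json

TOKEN_KEY = "ProfilesApiToken"  # permission key as it appears in this page's payloads

# Constructed sample of a GET .../permissions response, using this page's sample IDs.
CURRENT = {
    "ProfilesApiToken": [{"audience_id": "143856", "operation": "full"},
                         {"audience_id": "143857", "operation": "full"}],
    "SegmentAllFolders": [],
    "SegmentFolder": [{"id": "498708", "operation": "view"},
                      {"id": "498948", "operation": "view"},
                      {"id": "498948", "operation": "edit"}],
}


def set_profile_api_token(current, audience_id, grant):
    """Copy `current` and add or drop only the token entry for `audience_id`."""
    payload = copy.deepcopy(current)
    audience_id = str(audience_id)
    entries = [e for e in payload.get(TOKEN_KEY, [])
               if str(e.get("audience_id")) != audience_id]
    if grant:
        entries.append({"audience_id": audience_id, "operation": "full"})
    payload[TOKEN_KEY] = entries
    return payload


def permission_diff(current, proposed):
    """Return (added, removed) lists of (permission, target id, operation)."""
    def flatten(perms):
        return {(name, str(e.get("audience_id", e.get("id"))), str(e.get("operation")))
                for name, entries in perms.items() for e in entries}
    before, after = flatten(current), flatten(proposed)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    # Revoke the token permission for 143856 while keeping everything else.
    proposed = set_profile_api_token(CURRENT, "143856", grant=False)
    added, removed = permission_diff(CURRENT, proposed)
    print("added:", added, "removed:", removed)
    print(json.dumps(proposed, indent=4))  # body for --data-raw in the PATCH request
```

If `removed` lists anything other than the entry you meant to revoke, the payload would drop unrelated permissions from the policy.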