Delegated Groups for Delegated Admins
As a Delegated Admin, you can add or remove users, and assign or unassign policies, for the group of users that falls within the delegated policy scope you have been trusted to manage.
This topic contains:
- List Users in a Delegated Group
- Update Users for a Delegated Group
- Return a List of Delegated Groups
- Return the Attributes of a Delegated Group
- List the Policies for a Delegated Group
- Attach a Policy to a User
- Detach a Policy from a User
- Update Multiple Users with a Policy
- Update a User with Multiple Policies
List Users in a Delegated Group
You can list the users of a Delegated Group using the HTTP GET method for policy_group_tags as follows.
curl -s --location --request GET 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/users' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_ids": [
1,
2,
3
]
}
Update Users for a Delegated Group
You can add users to a Delegated Group using the HTTP PATCH method on the policy group tags endpoint. An Admin or a Delegated Admin can tag any user within the same account.
INFO
A Delegated Admin cannot tag or untag themselves or other Delegated Admins.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/users' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_ids": [
1,
2,
3
]
}
Return a List of Delegated Groups
You can get a list of Delegated Groups using the HTTP GET method and the following endpoint.
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
[
{
"id": 240,
"account_id": 6598,
"name": "DG 02",
"created_at": "2023-12-06T13:02:53Z",
"updated_at": "2023-12-06T13:02:53Z",
"taggable_name": "DG 02",
"description": "DG 02",
"policy_count": 0
}
]
Return the Attributes of a Delegated Group
You can get a list of attributes for a Delegated Group using its policy group id and the HTTP GET method, as shown in the example that follows.
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"id": 240,
"account_id": 6598,
"name": "DG 02",
"created_at": "2023-12-06T13:02:53Z",
"updated_at": "2023-12-06T13:02:53Z",
"taggable_name": "DG 02",
"description": "DG 02",
"policy_count": 0
}
List the Policies for a Delegated Group
Get a list of policies in a Delegated Group using the HTTP GET method and the following endpoint.
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}/policies' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"policy_ids": [
67
]
}
Attach a Policy to a User
You can attach a policy to a user using the HTTP POST method and the following endpoints.
INFO
A Delegated Admin can only attach policies from within a Permission Set Group / Policy Group they manage.
curl -s --location --request POST 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users/{user_id}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
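A client-side pre-flight check for the two INFO restrictions above (no tagging of oneself or other Delegated Admins, and attaching only policies from a managed Policy Group), so that out-of-scope requests are caught before they are sent. This is an added example, not part of the original documentation or the vendor's code. BASE_URL, API_KEY, the function names, and the caller-supplied list of Delegated Admin ids are assumptions; the sample body is constructed.

```python
import json
import urllib.request

BASE_URL = "https://api.example.invalid"  # assumed placeholder for {{baseUrl}}
API_KEY = "TD1 <api-key>"                 # assumed placeholder, never hard-code a real key

# Constructed sample: body returned by GET .../policy_groups/{id}/policies
SAMPLE_GROUP_POLICIES = '{"policy_ids": [67]}'


class OutOfScope(Exception):
    """The requested change falls outside the delegated policy scope."""


def managed_policy_ids(policies_body):
    """Parse the policy list of a Delegated Group into a set of integer ids."""
    ids = json.loads(policies_body).get("policy_ids", [])
    if not all(type(i) is int for i in ids):
        raise ValueError("policy_ids must be a list of integers")
    return set(ids)


def build_attach_request(policy_id, user_id, policies_body):
    """Return an unsent POST request, or raise if the policy is not managed."""
    if policy_id not in managed_policy_ids(policies_body):
        raise OutOfScope(f"policy {policy_id} is not in the managed group")
    # int() keeps anything but a numeric id out of the URL path.
    url = f"{BASE_URL}/v3/access_control/policies/{int(policy_id)}/users/{int(user_id)}"
    headers = {"Authorization": API_KEY, "Content-Type": "application/json"}
    return urllib.request.Request(url, method="POST", headers=headers)


def split_taggable(requested_ids, own_id, delegated_admin_ids):
    """Separate ids a Delegated Admin may tag from the ones the rule forbids."""
    blocked = {own_id} | set(delegated_admin_ids)
    allowed = [u for u in requested_ids if u not in blocked]
    rejected = [u for u in requested_ids if u in blocked]
    return allowed, rejected


if __name__ == "__main__":
    req = build_attach_request(67, 3, SAMPLE_GROUP_POLICIES)
    print(req.get_method(), req.full_url)
    print(split_taggable([1, 2, 3], own_id=1, delegated_admin_ids=[3]))
```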
Detach a Policy from a User
You can detach a policy from a user using the HTTP DELETE method and one of the following endpoints.
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users/{user_id}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/users/{user_id}/policies/{policy_id}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"id": 67,
"account_id": 123,
"name": "some_policy",
"description": "written about the policy",
"user_count": 3
}
Update Multiple Users with a Policy
You can update multiple users with a policy in a delegated group using the HTTP PATCH method and the following endpoint.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
Update a User with Multiple Policies
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/users/{user_id}/policies' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"id": 67,
"account_id": 123,
"name": "some_policy",
"description": "written about the policy",
"user_count": 3
}