Delegated Groups for Treasure Data Administrators
As a TD Administrator, you can create Delegated Groups to which you assign Delegated Admins. Delegated Admins are given a specific set of policies for a designated group of users. In addition to creating, editing, and deleting Delegated Groups and elevating or removing users to and from Delegated Admin roles, you can add and apply specific policies to Delegated Groups.
This topic contains:
- Create a Delegated Admin
- Remove a Delegated Admin
- List Users in a Delegated Group
- Update Users for a Delegated Group
- List the Delegated Admins for Delegated Group
- Update the Delegated Admins of Delegated Group
- Create a New Delegated Group
- Return a List of Delegated Groups
- Return the attributes of a Delegated Group
- Update the Information for a Delegated Group
- Delete a Delegated Group
- List the Policies for a Delegated Group
- Update the Policies Set in a Delegated Group
- Attach a Policy to a User
- Detach a Policy from a User
- Update Multiple Users with a Policy
- Update a User with Multiple Policies
Create a Delegated Admin
You can elevate a specific user to a Delegated Admin role, which allows them to assign or un-assign permission policies from a set of users. Delegated Policies under your purview are restricted to those assigned to you by a TD Administrator.
By default, a Delegated Admin cannot apply policies to themselves. An Admin must explicitly tag the Delegated Admin with the Policy Group by using the HTTP POST method and calling /v3/policy_group_tags/{policy_group_tag}/users.
curl -s --location --request POST 'https://{{baseUrl}}/v3/user/delegated_admin/add/{user_email}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_email": "hello@world.com",
"delegated_admin": true
}
Remove a Delegated Admin
You can demote a user from a Delegated Admin using the HTTP POST method as follows.
curl -s --location --request POST 'https://{{baseUrl}}/v3/user/delegated_admin/remove/{user_email}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_email": "hello@world.com",
"delegated_admin": false
}
List Users in a Delegated Group
You can list the users of a Delegated Group using the HTTP GET method for policy_group_tags as follows.
curl -s --location --request GET 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/users' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_ids": [
1,
2,
3
]
}
Update Users for a Delegated Group
You can add users to a Delegated Group using the HTTP PATCH method for the policy group tags endpoint.
INFO
A Delegated Admin cannot tag or untag themselves or other Delegated Admins.
An Admin and Delegated Admin can tag any user from within the same account.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/users' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_ids": [
1,
2,
3
]
}
List the Delegated Admins for Delegated Group
Return the user ids of Delegated Admins that manage a policy group using the HTTP GET method and the following endpoint.
curl -s --location --request GET 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/delegated_admins' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_ids": [
1,
2
]
}
Update the Delegated Admins of Delegated Group
You can tag a list of Delegated Admin user ids to manage a policy group using the HTTP PATCH method and the following endpoint.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/delegated_admins' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"user_ids": [
1,
2
]
}
Create a New Delegated Group
You can create a new Delegated Group to which you can assign a specific set of policies and users.
curl -s --location --request POST 'https://{{baseUrl}}/v3/access_control/policy_groups' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json' \
--data '{
"name": "emea",
"description": "emea group"
}'
{
"id": 1,
"name": "emea"
}
Return a List of Delegated Groups
You can get a list of Delegated Groups using the HTTP GET method and the following endpoint.
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
[
{
"id": 240,
"account_id": 6598,
"name": "DG 02",
"created_at": "2023-12-06T13:02:53Z",
"updated_at": "2023-12-06T13:02:53Z",
"taggable_name": "DG 02",
"description": "DG 02",
"policy_count": 0
}
]
Return the attributes of a Delegated Group
You can get a list of attributes for a Delegated Group using its policy group id and the HTTP GET method, as in the example that follows.
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"id": 240,
"account_id": 6598,
"name": "DG 02",
"created_at": "2023-12-06T13:02:53Z",
"updated_at": "2023-12-06T13:02:53Z",
"taggable_name": "DG 02",
"description": "DG 02",
"policy_count": 0
}
Update the Information for a Delegated Group
You can update the information related to a Delegated Group using the HTTP PATCH method and the following endpoint.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json' \
--data '{
"name": "some_policy_group",
"description": "some_policy_group_description"
}'
{
"id": 10,
"account_id": 123,
"name": "some_policy_group",
"taggable_name": "some_policy_group",
"description": "some_policy_group_description",
"policy_count": 1,
"created_at": "2012-01-01T12:00:00Z",
"updated_at": "2012-01-01T12:00:00Z"
}
Delete a Delegated Group
You can delete a Delegated Group by its policy id using the HTTP DELETE method and the following endpoint.
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
List the Policies for a Delegated Group
Get a list of policies in a Delegated Group using the HTTP GET method and the following endpoint.
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}/policies' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"policy_ids": [
1,
2,
3
]
}
Update the Policies Set in a Delegated Group
You can update the policies set in a Delegated Group using the HTTP PATCH method and the following endpoint.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}/policies' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json' \
--data '{
"policy_ids": [
1,
2,
3
]
}'
{
"policy_ids": [
1,
2,
3
]
}
Attach a Policy to a User
You can attach a policy to a user using the HTTP POST method and the following endpoints.
INFO
A Delegated Admin can only attach policies from within a Permission Set Group / Policy Group they manage.
curl -s --location --request POST 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users/{user_id}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
Detach a Policy from a User
You can detach a policy from a user using the HTTP DELETE method and one of the following endpoints.
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users/{user_id}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/users/{user_id}/policies/{policy_id}' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
{
"id": 67,
"account_id": 123,
"name": "some_policy",
"description": "written about the policy",
"user_count": 3
}
Update Multiple Users with a Policy
You can update multiple users with a policy in a delegated group using the HTTP PATCH method and the following endpoint.
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json' \
--data '{
"user_ids": [
1,
2,
3
]
}'
[
{
"user_id": 123,
"account_id": 123,
"permissions": {
"WorkflowProject": [],
"WorkflowProjectLevel": [],
"WorkflowRestrictedOperators": [],
"Segmentation": [],
"MasterSegmentConfigs": [],
"MasterSegmentConfig": [],
"MasterSegmentColumn": [],
"MasterSegmentAllColumns": [],
"CookieConsent": [],
"SegmentAllFolders": [],
"SegmentFolder": [],
"Profiles": [],
"ProfilesApiToken": [],
"ActivationTemplate": [],
"Activation": [],
"Authentications": [],
"Sources": [],
"Destinations": [],
"Databases": [],
"UniversalConsent": []
},
"policies": [
{
"id": 67,
"account_id": 123,
"name": "some_policy",
"description": "written about the policy",
"user_count": 3
}
]
}
]
Update a User with Multiple Policies
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/users/{user_id}/policies' \
--header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-H 'content-type: application/json'
[
{
"id": 67,
"account_id": 123,
"name": "some_policy",
"description": "written about the policy",
"user_count": 3
}
]
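The delegation rules described on this page can be reviewed offline from the output of the list endpoints. The following is an added example, not Treasure Data code: `SNAPSHOT`, `self_grant_paths` and `may_attach` are hypothetical names, the ids are constructed, and `may_attach` assumes that a target must be tagged as a user of the group.

```python
# Added example: offline review of Delegated Group data. SNAPSHOT is constructed;
# in practice each list is the array returned by the list endpoints shown on
# this page (.../policy_group_tags/{tag}/users, .../delegated_admins and
# .../policy_groups/{policy_group_id_or_taggable_name}/policies).
SNAPSHOT = {
    "emea": {"user_ids": [1, 2, 3], "delegated_admin_ids": [2, 9], "policy_ids": [67, 68]},
    "apac": {"user_ids": [4, 5], "delegated_admin_ids": [9], "policy_ids": [70]},
}


def self_grant_paths(groups):
    """Return Delegated Admins who are also tagged as users of a group they manage.

    Per the page, an Admin must tag a Delegated Admin into the group before that
    person can apply its policies to themselves, so each hit is a deliberate
    exception that should have an owner and a reason.
    """
    hits = []
    for tag in sorted(groups):
        g = groups[tag]
        for uid in sorted(set(g["user_ids"]) & set(g["delegated_admin_ids"])):
            hits.append({"tag": tag, "admin_id": uid,
                         "self_grantable_policy_ids": sorted(g["policy_ids"])})
    return hits


def may_attach(groups, actor_id, policy_id, target_id):
    """Model (an assumption, not Treasure Data's code) of the delegation rules:
    the actor must manage a group that contains both the policy and the target."""
    return any(
        actor_id in g["delegated_admin_ids"]
        and policy_id in g["policy_ids"]
        and target_id in g["user_ids"]
        for g in groups.values()
    )


if __name__ == "__main__":
    for hit in self_grant_paths(SNAPSHOT):
        print("review:", hit)
    print(may_attach(SNAPSHOT, 9, 67, 1))  # admin 9 manages emea, user 1 is tagged
    print(may_attach(SNAPSHOT, 9, 67, 9))  # admin 9 is not tagged as an emea user
    print(may_attach(SNAPSHOT, 2, 70, 4))  # admin 2 does not manage apac
```

Running the review after every change to a group's users or Delegated Admins keeps the list of self-grant exceptions current.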