
authorizationManagement IDD

generic_http & generic_https

Overview

This page describes the generic_http and generic_https service interface of authorizationManagement, which enables systems (with operator role or proper permissions) to handle (grant, revoke, query, check) authorization policies in bulk. An example of this interaction is when an operator uses the Management Tool to set up authorization policies manually before the related systems even register themselves. To make it available to consuming systems, this service needs to be offered through the ServiceRegistry.

The interfaces are implemented using the protocol and encoding stated in the following tables:

Interface Description

generic_http

Profile type        Type    Version
Transfer protocol   HTTP    1.1
Data encryption     N/A     -
Encoding            JSON    RFC 8259
Compression         N/A     -

generic_https

Profile type        Type    Version
Transfer protocol   HTTPS   1.1
Data encryption     TLS     -
Encoding            JSON    RFC 8259
Compression         N/A     -

Hereby the Interface Design Description (IDD) is provided to the authorizationManagement – Service Description. For further details about how this service is meant to be used, please consult that document.

grant-policies

The service operation request requires an identity related header or certificate and an AuthorizationMgmtGrantListRequest JSON encoded body.

POST /consumerauthorization/authorization/mgmt/grant HTTP/1.1
Authorization: Bearer <authorization-info>

{
  "list": [
    {
      "provider": "TemperatureProvider2",
      "targetType": "SERVICE_DEF",
      "target": "kelvinInfo",
      "description": "query for everyone, config for TemperatureManager only",
      "defaultPolicy": {
        "policyType": "ALL"
      },
      "scopedPolicies": {
        "config": {
          "policyType": "WHITELIST",
          "policyList": [
            "TemperatureManager"
          ]
        }
      }
    }
  ]
}

The service operation responds with 201 if called successfully. The response also contains an AuthorizationPolicyListResponse JSON encoded body.

{
  "entries": [
    {
      "instanceId": "MGMT|LOCAL|TemperatureProvider2|SERVICE_DEF|kelvinInfo",
      "level": "MGMT",
      "cloud": "LOCAL",
      "provider": "TemperatureProvider2",
      "targetType": "SERVICE_DEF",
      "target": "kelvinInfo",
      "description": "query for everyone, config for TemperatureManager only",
      "defaultPolicy": {
        "policyType": "ALL"
      },
      "scopedPolicies": {
        "config": {
          "policyType": "WHITELIST",
          "policyList": [
            "TemperatureManager"
          ]
        }
      },
      "createdBy": "Sysop",
      "createdAt": "2025-06-23T08:35:43.217717900Z"
    }
  ],
  "count": 1
}

The error codes are 400 if the request is malformed, 401 if the requester authentication was unsuccessful, 403 if the authenticated requester has no permission and 500 if an unexpected error happens. The error response also contains an ErrorResponse JSON encoded body.

{
  "errorMessage": "Target is missing",
  "errorCode": 400,
  "exceptionType": "INVALID_PARAMETER",
  "origin": "POST /consumerauthorization/authorization/mgmt/grant"
}

revoke-policies

The service operation request requires an identity related header or certificate, and a List<AuthorizationPolicyInstanceID> as query parameter using the key instanceIds, which contains the unique identifiers of the policy instances to be deleted.

DELETE /consumerauthorization/authorization/mgmt/revoke?instanceIds=MGMT%7CLOCAL%7CTemperatureProvider%7CSERVICE_DEF%7CcelsiusInfo HTTP/1.1
Authorization: Bearer <authorization-info>

The service operation responds with the status code 200 if called successfully. The success response does not contain any response body.

The error codes are 400 if the request is malformed, 401 if the requester authentication was unsuccessful, 403 if the authenticated requester has no permission and 500 if an unexpected error happens. The error response also contains an ErrorResponse JSON encoded body.

{
  "errorMessage": "Instance id list is missing",
  "errorCode": 400,
  "exceptionType": "INVALID_PARAMETER",
  "origin": "DELETE /consumerauthorization/authorization/mgmt/revoke"
}

query-policies

The service operation request requires an identity related header or certificate and an AuthorizationQueryRequest JSON encoded body.

POST /consumerauthorization/authorization/mgmt/query HTTP/1.1
Authorization: Bearer <authorization-info>

{
  "pagination": {
    "page": 0,
    "size": 10
  },
  "level": "MGMT",
  "instanceIds": [
  ],
  "cloudIdentifiers": [
  ],
  "targetNames": [
    "kelvinInfo"
  ],
  "targetType": "SERVICE_DEF"
}

The service operation responds with the status code 200 if called successfully and with an AuthorizationPolicyListResponse JSON encoded body.

{
  "entries": [
    {
      "instanceId": "MGMT|LOCAL|TemperatureProvider2|SERVICE_DEF|kelvinInfo",
      "level": "MGMT",
      "cloud": "LOCAL",
      "provider": "TemperatureProvider2",
      "targetType": "SERVICE_DEF",
      "target": "kelvinInfo",
      "description": "query for everyone, config for TemperatureManager only",
      "defaultPolicy": {
        "policyType": "ALL"
      },
      "scopedPolicies": {
        "config": {
          "policyType": "WHITELIST",
          "policyList": [
            "TemperatureManager"
          ]
        }
      },
      "createdBy": "Sysop",
      "createdAt": "2025-06-23T08:35:43Z"
    }
  ],
  "count": 1
}

The error codes are 400 if the request is malformed, 401 if the requester authentication was unsuccessful, 403 if the authenticated requester has no permission and 500 if an unexpected error happens. The error response also contains an ErrorResponse JSON encoded body.

{
  "errorMessage": "Level is missing",
  "errorCode": 400,
  "exceptionType": "INVALID_PARAMETER",
  "origin": "POST /consumerauthorization/authorization/mgmt/query"
}
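The following client helpers are an added example and are not part of this IDD or of the authorizationManagement implementation. They build the grant, revoke and query requests exactly as documented above (Bearer header, JSON bodies, the revoke instanceIds query parameter with every "|" percent-encoded as %7C) and separate the documented success status from the 400/401/403/500 ErrorResponse cases. The base URL is an assumption (the IDD only gives paths), the "|"-joined instanceId format is derived from the response examples rather than stated as a rule, and sending several ids as a repeated instanceIds key is an assumption since the page shows only one id.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# The provider's base URL is an assumption (the IDD gives only paths);
# the paths below are the ones documented for the generic_http(s) interface.
BASE_URL = "https://authorization.example.invalid"
GRANT_PATH = "/consumerauthorization/authorization/mgmt/grant"
REVOKE_PATH = "/consumerauthorization/authorization/mgmt/revoke"
QUERY_PATH = "/consumerauthorization/authorization/mgmt/query"


def instance_id(level, cloud, provider, target_type, target):
    """AuthorizationPolicyInstanceID as it appears in the responses: the five
    fields joined with '|' (derived from the examples, not a stated rule)."""
    return "|".join((level, cloud, provider, target_type, target))


def grant_request_body(provider, target_type, target, description,
                       default_policy, scoped_policies=None):
    """AuthorizationMgmtGrantListRequest carrying a single policy entry."""
    return {"list": [{
        "provider": provider,
        "targetType": target_type,
        "target": target,
        "description": description,
        "defaultPolicy": default_policy,
        "scopedPolicies": scoped_policies or {},
    }]}


def query_request_body(level, target_type, target_names, page=0, size=10,
                       instance_ids=(), cloud_identifiers=()):
    """AuthorizationQueryRequest with the same fields as the documented example."""
    return {
        "pagination": {"page": page, "size": size},
        "level": level,
        "instanceIds": list(instance_ids),
        "cloudIdentifiers": list(cloud_identifiers),
        "targetNames": list(target_names),
        "targetType": target_type,
    }


def revoke_url(instance_ids, base_url=BASE_URL):
    """Revoke URL with every '|' in the ids percent-encoded as %7C, as in the
    documented request line. Repeating the key for several ids is an
    assumption; the IDD shows a single id."""
    query = urlencode({"instanceIds": list(instance_ids)}, doseq=True)
    return f"{base_url}{REVOKE_PATH}?{query}"


def build_request(method, url, token, body=None):
    """urllib Request with the Bearer header the IDD requires and a JSON body if given."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def interpret_response(status, body, expected_status):
    """Separate the documented success code from the 400/401/403/500 cases.
    Returns {"ok": True, "body": <parsed JSON or None>} on success and
    {"ok": False, "status": ..., "error": <ErrorResponse dict>} otherwise."""
    text = body.decode("utf-8") if isinstance(body, bytes) else (body or "")
    if status == expected_status:
        return {"ok": True, "body": json.loads(text) if text.strip() else None}
    try:
        error = json.loads(text)
    except ValueError:
        # Not a JSON ErrorResponse (e.g. a proxy page): keep the raw text.
        error = {"errorMessage": text, "errorCode": status}
    return {"ok": False, "status": status, "error": error}


def send(req, expected_status):
    """Perform the request; HTTPError is caught so the ErrorResponse body is still parsed."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_response(resp.status, resp.read(), expected_status)
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read(), expected_status)


if __name__ == "__main__":
    token = "<authorization-info>"  # placeholder, as in the IDD
    body = grant_request_body(
        "TemperatureProvider2", "SERVICE_DEF", "kelvinInfo",
        "query for everyone, config for TemperatureManager only",
        {"policyType": "ALL"},
        {"config": {"policyType": "WHITELIST", "policyList": ["TemperatureManager"]}},
    )
    print(json.dumps(body, indent=2))
    print(revoke_url([instance_id("MGMT", "LOCAL", "TemperatureProvider", "SERVICE_DEF", "celsiusInfo")]))
    # send(build_request("POST", BASE_URL + GRANT_PATH, token, body), 201) would perform the grant
```

The grant call expects 201 and revoke expects 200 with an empty body, so callers pass the documented success code to send(); anything else is returned as a parsed ErrorResponse rather than being treated as success, which keeps a 403 from a requester without the operator role from being silently ignored.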

check-policies

The service operation request requires an identity related header or certificate and an AuthorizationMgmtVerifyListRequest JSON encoded body.

POST /consumerauthorization/authorization/mgmt/check HTTP/1.1
Authorization: Bearer <authorization-info>

{
  "list": [
    {
      "provider": "TemperatureProvider2",
      "consumer": "TemperatureManager",
      "targetType": "SERVICE_DEF",
      "target": "kelvinInfo",
      "scope": "config"
    }
  ]
}

The service operation responds with the status code 200 if called successfully and with an AuthorizationMgmtVerifyListResponse JSON encoded body.

{
  "entries": [
    {
      "provider": "TemperatureProvider2",
      "consumer": "TemperatureManager",
      "cloud": "LOCAL",
      "targetType": "SERVICE_DEF",
      "target": "kelvinInfo",
      "scope": "config",
      "granted": true
    }
  ],
  "count": 1
}

The error codes are 400 if the request is malformed, 401 if the requester authentication was unsuccessful, 403 if the authenticated requester has no permission and 500 if an unexpected error happens. The error response also contains an ErrorResponse JSON encoded body.

{
  "errorMessage": "Provider is missing",
  "errorCode": 400,
  "exceptionType": "INVALID_PARAMETER",
  "origin": "POST /consumerauthorization/authorization/mgmt/check"
}
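To show what the check-policies answer above means in terms of the policy granted earlier, here is an added local evaluator; it is example code, not the service's own verification logic. It reads the policy entry from the grant/query responses (constructed inline to match them) and reproduces the AuthorizationMgmtVerifyListResponse shape. Its semantics are an interpretation of the example's own description ("query for everyone, config for TemperatureManager only"): a scoped policy applies when the requested scope has one, otherwise defaultPolicy applies; only the ALL and WHITELIST policy types shown on this page are handled, and any other type, or a provider/target with no policy at all, is treated as not granted, which is this example's fail-closed assumption.

```python
# Policy store for this example: the single entry returned by the grant and
# query examples of this IDD (constructed to match them, not fetched from a service).
POLICIES = [{
    "instanceId": "MGMT|LOCAL|TemperatureProvider2|SERVICE_DEF|kelvinInfo",
    "level": "MGMT",
    "cloud": "LOCAL",
    "provider": "TemperatureProvider2",
    "targetType": "SERVICE_DEF",
    "target": "kelvinInfo",
    "description": "query for everyone, config for TemperatureManager only",
    "defaultPolicy": {"policyType": "ALL"},
    "scopedPolicies": {
        "config": {"policyType": "WHITELIST", "policyList": ["TemperatureManager"]}
    },
}]


def consumer_allowed(policy, consumer):
    """Evaluate one policy object. ALL and WHITELIST are the two types shown in
    the IDD; anything else is denied here (fail closed, an assumption of this example)."""
    policy_type = policy.get("policyType")
    if policy_type == "ALL":
        return True
    if policy_type == "WHITELIST":
        return consumer in policy.get("policyList", [])
    return False


def find_policy(policies, provider, target_type, target, cloud):
    """Locate the policy entry for a provider/targetType/target within a cloud."""
    for policy in policies:
        key = (policy["provider"], policy["targetType"], policy["target"], policy["cloud"])
        if key == (provider, target_type, target, cloud):
            return policy
    return None


def check_entry(policies, item, cloud="LOCAL"):
    """One AuthorizationMgmtVerifyListRequest item -> one response entry.
    A scoped policy wins when the requested scope has one, otherwise
    defaultPolicy applies; with no matching policy the answer is not granted."""
    scope = item.get("scope")
    policy = find_policy(policies, item["provider"], item["targetType"], item["target"], cloud)
    if policy is None:
        granted = False
    else:
        rule = policy.get("scopedPolicies", {}).get(scope) if scope else None
        if rule is None:
            rule = policy["defaultPolicy"]
        granted = consumer_allowed(rule, item["consumer"])
    return {
        "provider": item["provider"],
        "consumer": item["consumer"],
        "cloud": cloud,
        "targetType": item["targetType"],
        "target": item["target"],
        "scope": scope,
        "granted": granted,
    }


def check_policies(policies, request, cloud="LOCAL"):
    """Shape of AuthorizationMgmtVerifyListResponse: one entry per request item plus count."""
    entries = [check_entry(policies, item, cloud) for item in request["list"]]
    return {"entries": entries, "count": len(entries)}


if __name__ == "__main__":
    import json
    request = {"list": [{
        "provider": "TemperatureProvider2",
        "consumer": "TemperatureManager",
        "targetType": "SERVICE_DEF",
        "target": "kelvinInfo",
        "scope": "config",
    }]}
    print(json.dumps(check_policies(POLICIES, request), indent=2))
```

With the documented request the evaluator returns the documented response (granted: true for TemperatureManager on the config scope); any other consumer on the config scope is refused by the whitelist, while any consumer on a scope without its own entry, such as query, falls through to the ALL default policy.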