Project Access

The OLP CLI supports the following:

  • list all users, apps, and groups that have access to a project
  • grant project access to a user, app, or group
  • revoke project access from a user, app, or group
  • show policies attached to a user, app, or group in the project

project access list

Retrieves all users, apps, and groups that have access to a project.

olp project access list <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --policy <policy HRN> Specifies the HRN of the project policy.
  • --limit <max number of entities> Specifies the maximum number of entities returned in the result (100 by default).
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Display the command's result in JSON format.
  • --quiet Display members' HRNs, each on a new line.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below lists all users, apps, and groups that have access to the project:


olp project access list hrn:here:authorization::myrealm:project/my-project-1234 --json

Output:


{"members": [{
    "identityType": "app",
    "member": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
    "project": "hrn:here:authorization::myrealm:project/my-project-1234",
    "info": {
        "ownerHrn": "hrn:here:account::myrealm:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
        "clientId": "F9p0HU3qCqtxnZ3KnH4z",
        "clientHrn": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
        "name": "my-app",
        "realm": "myrealm",
        "ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
    }
}]}

For using --policy, specified here has to be one or all of the policies available for the project that has been made available for attaching.

For more information on using policy listing, see the project policy list command.

Example:

The command below lists all users, apps, and groups that have access to the project policy:

Linux
Windows
olp project access list hrn:here:authorization::myrealm:project/my-project-1234 \
   --policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog \
   --json
olp project access list hrn:here:authorization::myrealm:project/my-project-1234 ^
   --policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog ^
   --json

Output:


{"members": [{
    "identityType": "app",
    "member": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
    "project": "hrn:here:authorization::myrealm:project/my-project-1234",
    "info": {
        "ownerHrn": "hrn:here:account::myrealm:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
        "clientId": "F9p0HU3qCqtxnZ3KnH4z",
        "clientHrn": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
        "name": "my-app",
        "realm": "myrealm",
        "ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
    }
}]}

project access grant

Grants project access to a user, app, or group.

olp project access grant <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --policy <policyHRN1 policyHRN2 ...> The list of HRNs of policies to attach to the identity that is being granted access to the project, separated by space.
  • --app <appID1 appID2 ...> The list of application IDs you want to grant project access to, separated by space.
  • --user <userID1 userID2 ...> The list of user IDs you want to grant project access to, separated by space. This information can be found in the .here/credentials.properties file, in the user's home directory, or via your profile.
  • --group <groupID1 groupID2 ...> The list of group IDs you want to grant project access to, separated by space.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --quiet Display an empty output skipping additional information.

Note

  • You must specify at least one of these options – --app, --user, or --group.
  • You can only attach a maximum of 5 policies for a project to an entity. To see existing attachments, execute project access show command.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below grants project access to a user, app, and group:

Linux
Windows
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:


User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234

For using --policy, specified here has to be one or all of the policies available for the project that has been made available for attaching.

For more information on using policy listing, see the project policy list command.

Example:

The command below grants project policy access from a user, app, and group:

Linux
Windows
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 \
   --policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 ^
   --policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog ^   
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:


User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234 with attached policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog.
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234 with attached policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog.
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234 with attached policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog.

project access revoke

Revokes project access from a user, app, or group.

olp project access revoke <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --policy <policyHRN1 policyHRN2 ...> The list of HRNs of policies to be revoked from the identity that is granted access to the project, separated by space.
  • --app <appID1 appID2 ...> The list of application IDs you want to revoke project access from, separated by space.
  • --user <userID1 userID2 ...> The list of user IDs you want to revoke project access from, separated by space. This information can be found in the .here/credentials.properties file, in the user's home directory, or via your profile.
  • --group <groupID1 groupID2 ...> The list of group IDs you want to revoke project access from, separated by space.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --quiet Display an empty output skipping additional information.

Note

You must specify at least one of these options – --app, --user, or --group.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below revokes project access from a user, app, and group:

Linux
Windows
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:


User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the project hrn:here:authorization::myrealm:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the project hrn:here:authorization::myrealm:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the project hrn:here:authorization::myrealm:project/my-project-1234

For using --policy, specified here has to be one or all of the policies attached to a member.

For more information on using policy listing, see the attached project policy to member command.

Example:

The command below revokes project policy access from a user, app, and group:

Linux
Windows
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 \
   --policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 ^
   --policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
   --group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008

Output:


User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::myrealm:project/my-project-1234.
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::myrealm:project/my-project-1234.
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::myrealm:project/my-project-1234.

project access show

Policies attached to a user, app, or group in the project.

olp project access show <project HRN> [command options]

Required parameters:

  • <project HRN> The HRN of the project.

Optional parameters:

  • --app <appID> Application ID you want to query attached project policies for.
  • --user <userID> User ID you want to query attached project policies for. This information can be found in the .here/credentials.properties file, in the user's home directory, or through your profile.
  • --group <groupID> Group ID you want to query attached project policies for.
  • --credentials <path to credentials file> The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> The name of the credentials profile to use from the olpcli.ini file.
  • --json Display the command's result in JSON format.
  • --quiet Display an empty output skipping additional information.

Note

You must specify only one of these options – --app, --user, or --group.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below lists the policies attached to a user, app or group:

Linux
Windows
olp project access show hrn:here:authorization::myrealm:project/my-project-1234 \
   --app F9p0HU3qCqtxnZ3KnH4z \
   --json
olp project access show hrn:here:authorization::myrealm:project/my-project-1234 ^
   --app F9p0HU3qCqtxnZ3KnH4z ^
   --json

Output:


{"policies": [
        {
            "id": "all-access-for-abc-catalog",
            "hrn": "hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog",
            "name": "allAccessForAbcCatalog",
            "description": "Read and write access to abc catalog.",
            "type": "custom",
            "permissions": [
                {
                   "resource": "hrn:here:data::myrealm:abc-catalog",
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource", "writeResource"
                   ]
                }
            ]
        },
        {
            "id": "read-only-access-to-all-catalogs",
            "hrn": "hrn:here:authorization::HERE:platform:policy/read-only-access-to-all-catalogs",
            "name": "readOnlyAccessToAllCatalogs",
            "description": "Read access to all catalogs in project.",
            "type": "here-platform",
            "permissions": [
                {
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource"
                   ]
                }
            ]
        }
    ]
}

results matching ""

    No results matching ""