Project Policy Commands

The OLP CLI supports the following:

project policy list

Retrieves all the policies that are in a project.


olp project policy list <project HRN> [command options]

Required parameters:

  • <project HRN> Specifies the HRN of the project.

Optional parameters:

  • --type <custom|here-platform> Specifies the type of project policy to list for the specified <project HRN>. custom denotes policies created by the project admin and available to apply to identities within the project. here-platform denotes HERE-managed policies available to apply to identities within the project.
  • --limit <max number of project policies> Specifies the maximum number of project policies returned in the result (100 by default).
  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command's result in JSON format.
  • --quiet Displays the project HRNs, each on a new line.

For more information on using credentials and profiles, see Credentials Setup.

Example:


olp project policy list hrn:here:authorization::myrealm:project/myproject --json

Output:


{"policies": [
        {
            "id": "all-access-for-abc-catalog",
            "hrn": "hrn:here:authorization::myrealm:project/my-project:policy/all-access-for-abc-catalog",
            "name": "allAccessForAbcCatalog",
            "description": "Read and write access to abc catalog.",
            "type": "custom",
            "permissions": [
                {
                   "resource": "hrn:here:data::myrealm:abc-catalog",
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource", "writeResource"
                   ]
                }
            ]
        },
        {
            "id": "read-only-access-to-all-catalogs",
            "hrn": "hrn:here:authorization::HERE:platform:policy/read-only-access-to-all-catalogs",
            "name": "readOnlyAccessToAllCatalogs",
            "description": "Read access to all catalogs in project.",
            "type": "here-platform",
            "permissions": [
                {
                   "resourceType": "catalog",
                   "allowedActions": [
                      "readResource"
                   ]
                }
            ]
        }
    ]
}
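
The following is an added example, not part of the OLP CLI or its documentation: a least-privilege review over the JSON shape shown above, flagging permissions that are not tied to a specific resource or that grant more than readResource. The sample input is constructed from the output above; reading a permission without a "resource" key as covering every resource of that type in the project is an assumption based on the sample's description, and the function and field names in the findings are hypothetical.

```python
import json

# Constructed sample in the shape of the `olp project policy list --json` output above.
LISTING = """
{"policies": [
  {"hrn": "hrn:here:authorization::myrealm:project/my-project:policy/all-access-for-abc-catalog",
   "type": "custom",
   "permissions": [{"resource": "hrn:here:data::myrealm:abc-catalog",
                    "resourceType": "catalog",
                    "allowedActions": ["readResource", "writeResource"]}]},
  {"hrn": "hrn:here:authorization::HERE:platform:policy/read-only-access-to-all-catalogs",
   "type": "here-platform",
   "permissions": [{"resourceType": "catalog",
                    "allowedActions": ["readResource"]}]}
]}
"""

READ_ONLY = {"readResource"}


def audit_policies(listing_json):
    """Return one finding per permission that is unscoped or grants more than read."""
    findings = []
    for policy in json.loads(listing_json).get("policies", []):
        for perm in policy.get("permissions", []):
            resource = perm.get("resource")
            reasons = []
            if resource is None:
                # Assumption: no "resource" key means all resources of this type.
                reasons.append("unscoped")
            extra = sorted(set(perm.get("allowedActions", [])) - READ_ONLY)
            if extra:
                reasons.append("grants " + ",".join(extra))
            if reasons:
                findings.append({
                    "policy": policy.get("hrn") or policy.get("id"),
                    "type": policy.get("type"),
                    "scope": resource or "all %s resources" % perm.get("resourceType", "?"),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit_policies(LISTING):
        print(f["type"], f["policy"], f["scope"], "; ".join(f["reasons"]), sep=" | ")
```
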

project policy create

Creates a project policy.


olp project policy create hrn:here:authorization::myrealm:project/myproject [command options]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • --config <path to config file> Specifies the path to the configuration file to create the project policy with.

Sample Config File:

 
{
  "id": "all-access-for-xyz-catalog",
  "name": "Access to xyz catalog",
  "description": "Full access to xyz catalog",
  "permissions": [
    {
      "resource": "hrn:here:data:::<catalog-id>",
      "allowedActions": [
        "readResource",
        "manageResource",
        "writeResource"
      ]
    }
  ]
} 

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command's result in JSON format.
  • --quiet Displays an empty output without additional information.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below creates a new project policy:

Linux:

olp project policy create hrn:here:authorization::myrealm:project/myproject \
    --config path/to/config.json

Windows:

olp project policy create hrn:here:authorization::myrealm:project/myproject ^
    --config path/to/config.json

Output:


Policy hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog has been created in project hrn:here:authorization::myrealm:project/myproject.

Note

This command does not validate whether the resources you include in the policy already exist in the project. This lets you construct policies in advance of resource creation, which may be useful for some CI/CD flows. However, it also lets you construct policies that include resources that are not accessible in the project, e.g., resources that are in another project and have not been shared and linked to the project for which you are creating policies. When such a policy is applied to a project member, the member still does not have access to those resources.
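
Because the command accepts such policies silently, a pipeline can run its own check on the config file first. The following is an added example, not part of the OLP CLI: it separates resources that are already available in the project, resources the pipeline deliberately creates later, and resources that would leave the policy granting nothing. The function name, the report keys and all HRNs except the placeholder from the sample config are constructed, and the caller is assumed to supply the set of resource HRNs available in the project.

```python
import json
import re

PLACEHOLDER = re.compile(r"<[^>]+>")  # e.g. the <catalog-id> left in the sample config


def preflight(config_text, linked, planned=frozenset()):
    """Classify each permission's resource before `olp project policy create`.

    linked  - resource HRNs currently available in the project (supplied by caller)
    planned - resource HRNs the pipeline creates later (deliberate forward references)
    """
    report = {"ok": [], "pending": [], "unresolved": []}
    for perm in json.loads(config_text).get("permissions", []):
        resource = perm.get("resource")
        if resource is None:
            continue  # no specific resource named, nothing to resolve
        if PLACEHOLDER.search(resource):
            report["unresolved"].append((resource, "template placeholder not filled in"))
        elif resource in linked:
            report["ok"].append(resource)
        elif resource in planned:
            report["pending"].append(resource)
        else:
            report["unresolved"].append((resource, "not in project and not planned"))
    return report


# Constructed policy config in the shape of the sample config file above.
CONFIG = json.dumps({
    "id": "all-access-for-xyz-catalog",
    "name": "Access to xyz catalog",
    "permissions": [
        {"resource": "hrn:here:data::myrealm:xyz-catalog", "allowedActions": ["readResource"]},
        {"resource": "hrn:here:data::myrealm:staging-catalog", "allowedActions": ["readResource"]},
        {"resource": "hrn:here:data::myrealm:other-team-catalog", "allowedActions": ["readResource"]},
        {"resource": "hrn:here:data:::<catalog-id>", "allowedActions": ["readResource"]},
    ],
})
LINKED = {"hrn:here:data::myrealm:xyz-catalog"}       # constructed inventory
PLANNED = {"hrn:here:data::myrealm:staging-catalog"}  # constructed forward reference

if __name__ == "__main__":
    result = preflight(CONFIG, LINKED, PLANNED)
    for resource, why in result["unresolved"]:
        print("BLOCK:", resource, "-", why)
    raise SystemExit(1 if result["unresolved"] else 0)
```
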

project policy show

Shows the details of a project policy.


olp project policy show <project HRN> <policy HRN> [command parameters]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • <policy HRN> Specifies the HRN of the project policy.

Optional parameters:

  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --json Displays the command's result in JSON format.
  • --quiet Displays the project policy HRN.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below shows the details of a project policy:

Linux:

olp project policy show hrn:here:authorization::myrealm:project/myproject \
    hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog \
    --json

Windows:

olp project policy show hrn:here:authorization::myrealm:project/myproject ^
    hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog ^
    --json

Output:


{
    "id": "all-access-for-xyz-catalog",
    "hrn": "hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog",
    "name": "allAccessForXyzCatalog",
    "description": "Read and write access to the xyz catalog.",
    "type": "custom",
    "permissions": [
        {
           "resource": "hrn:here:data::myrealm:xyz-catalog",
           "resourceType": "catalog",
           "allowedActions": [
              "readResource", "writeResource"
           ]
        }
    ]
}

project policy delete

Deletes a project policy.


olp project policy delete <project HRN> <policy HRN> [command parameters]

Required parameters:

  • <project HRN> Specifies the HRN of the project.
  • <policy HRN> Specifies the HRN of the project policy to be deleted.

Optional parameters:

  • --force If set, forces the policy deletion and also deletes the policy attachments to identities.
  • --credentials <path to credentials file> Specifies the name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
  • --profile <profile name> Specifies the name of the credentials profile to use from the olpcli.ini file.
  • --quiet Displays an empty output without additional information.

Warning: Project policy deletion

Deleting a project policy could negatively affect the workflow of all dependent users and apps. If attachments have been created for the project policy, you need to delete the attachments before deleting the project policy.

For more information on using credentials and profiles, see Credentials Setup.

Example:

The command below deletes a project policy:

Linux:

olp project policy delete hrn:here:authorization::myrealm:project/myproject \
    hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog \
    --force

Windows:

olp project policy delete hrn:here:authorization::myrealm:project/myproject ^
    hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog ^
    --force

Output:


Policy hrn:here:authorization::myrealm:project/myproject:policy/all-access-for-xyz-catalog has been deleted from project hrn:here:authorization::myrealm:project/myproject.
