POST OAuth/CreateRule

Creates a new grant rule for an application. This allows you to give a specific user identity access to an application. Once that access is given, that user identity can then request a grant for the application by calling POST Authorize/Oauth.

Requirements

  • Roles: Admin or Application Owner. See OAuth roles for more information.
  • Token scope:  Admin

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Body parameters
Order

Name

Description

1

TrusteePrefixedUniversal

string

(Required) The identity (user/group) that is allowed access, in prefixed universal format.

 

2

ApplicationId

string

(Required) The application that can request access.

3

MaximumScope

string

(Required) The maximum scope the application is allowed to request.

4

Description

string

A description or explanation of the rule

5

AccessValidity

integer

The length of time, in seconds, an access token is valid. If this value is not passed, the system default at the time the grant is issued is applied.

6

GrantValidity

integer

The length of time, in seconds, until the grant expires and can no longer be renewed. If this value is not passed, the system default at the time the grant is issued is applied.

7

Renewable

boolean

If set to true, a grant issued under the rule can be renewed. If set to false, it cannot not. If this value is not passed, the system default at the time the grant is issued is applied.

Returns

Response description

Name

Description

HTTP 200

See OAuth result codes.

A Rule object is return that shows the values passed in the request. See the Parameters section above for value descriptions.

HTTP 400

For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body:

  • Error

    • invalid_request: The request is missing a required parameter or is otherwise malformed.

  • Error_description: If available, additional information about how to retry the request.

HTTP 401

For authentication errors, this call returns HTTP 401 Unauthorized and the following data in the message body:

  • Error

    • invalid_token: The access token is missing, or the provided token is expired, revoked, malformed, or invalid for other reasons.

    • insufficient_rights: The underlying user account does not have sufficient permissions for this request.

  • error_description: If available, additional information about how to retry the request.

HTTP 403

If the response is HTTP 403 Forbidden, the requester's token does not include the admin scope. Call POST Authorize/Oauth with the correct scope and restriction. Update the header with the new token and retry.

  • Error

    • insufficient_scope: The request requires a greater scope than provided by the access token.

  • error_description: If available, additional information about how to retry the request.

Example

Request

POST /vedsdk/oauth/createrule HTTP/1.1
Host: tpp-server-url
Content-Type: application/json
Accept: application/json
Authorization: Bearer 4MyGeneratedBearerTknz==

{
  "TrusteePrefixedUniversal": "local:{5be5a591-c842-4520-9142-b455f4ad2286}",
  "ApplicationId": "VenafiMMCCodeSigning",
  "MaximumScope": "codesign:admin",
  "Description": "Sample description",
  "AccessValidity": 12345,
  "GrantValidity": 56789,
  "Renewable": false
}

Response

{
  "Result": 0,
  "Rule": {
    "AccessValidity": 12345,
    "ApplicationId": "VenafiMMCCodeSigning",
    "Description": "Sample description",
    "GrantValidity": 56789,
    "MaximumScope": {
      "ScopeList": [
        {
          "RestrictionList": [
            "admin"
          ],
          "Scope": "codesign"
        }
      ]
    },
    "Renewable": false,
    "TrusteePrefixedUniversal": "local:{5be5a591-c842-4520-9142-b455f4ad2286}"
  },
  "Success": true
}