To identify all permissions that can be entered in the 'component_permissions' field, use the 'GET /platform/iam/v1/role/permission-config' endpoint and refer to its 'view_name' and 'action_name' properties. Note: if you supply an 'action' permission, the corresponding 'view' permission is added for you. Sub-permissions are also checked to ensure that the main 'action' permissions are present as well. The available datasets can also be found with the 'GET /platform/iam/v1/role/permission-config' endpoint. Dataset-related permissions are not allowed in the 'component_permissions' field (an error will be thrown). In each 'dataset_permissions' entry, the 'permissions' field lists dataset names within that entry's dataset category. Note that the 'access_all' field grants the role access only to those datasets in the category that the API key itself has access to. Because 'view' permissions are added automatically and 'access_all' covers a whole category, the resulting role can be broader than the request literally lists, so review the created role when applying least privilege.
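# Create a custom role with POST /platform/iam/v1/role.
# The published listing had lost its line continuations, so every option line
# would have run as a separate shell command; the backslashes restore one
# single curl invocation.
# No authentication headers appear in this sample; add the API-key headers
# your tenant requires before running it.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  'https://api-cortex.paloaltonetworks.com/platform/iam/v1/role' \
  -d '{
"request_data" : {
"component_permissions" : [ "rules_action", "wf_verdict_change" ],
"dataset_permissions" : [ {
"category" : "Lookup",
"access_all" : true,
"permissions" : [ ]
} ],
"pretty_name" : "CustomRoleName",
"description" : "A custom role with specific permissions"
}
}'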
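import http.client
import json

# NOTE(review): the published sample had the host cut off at "api-" and a request
# path of "%7Bfqdn%7D/..." with no leading slash. That looks like a mangled
# "https://api-{fqdn}/platform/iam/v1/role" template; replace {fqdn} with your
# tenant's FQDN and confirm against the curl example.
# HTTPSConnection verifies the server certificate with its default settings;
# keep that default for an IAM call like this one.
conn = http.client.HTTPSConnection("api-{fqdn}")

# Build the body as a dict and serialize it rather than hand-escaping a JSON string.
payload = json.dumps({
    "request_data": {
        "component_permissions": ["rules_action", "wf_verdict_change"],
        "dataset_permissions": [
            {"category": "Lookup", "access_all": True, "permissions": []}
        ],
        "pretty_name": "CustomRoleName",
        "description": "A custom role with specific permissions",
    }
})

# No authentication headers appear in this sample; add the API-key headers
# the API requires before sending.
headers = { 'content-type': "application/json" }

# The request target must be an absolute path starting with "/".
conn.request("POST", "/platform/iam/v1/role", payload, headers)
res = conn.getresponse()
data = res.read()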
print(data.decode("utf-8"))
require 'uri'
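require 'net/http'
require 'openssl'

# NOTE(review): "api-/%7Bfqdn%7D" looks like a mangled "api-{fqdn}" placeholder;
# replace it with your tenant's API host before use.
url = URI("https://api-/%7Bfqdn%7D/platform/iam/v1/role")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The sample previously set VERIFY_NONE, which
# accepts any certificate and so lets a party on the network path impersonate
# the API and read or alter this role-creation request.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
# No authentication headers appear in this sample; add the API-key headers
# the API requires before sending.
request.body = "{\"request_data\":{\"component_permissions\":[\"rules_action\",\"wf_verdict_change\"],\"dataset_permissions\":[{\"category\":\"Lookup\",\"access_all\":true,\"permissions\":[]}],\"pretty_name\":\"CustomRoleName\",\"description\":\"A custom role with specific permissions\"}}"

response = http.request(request)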
puts response.read_body
const data = JSON.stringify({
"request_data": {
"component_permissions": [
"rules_action",
"wf_verdict_change"
],
"dataset_permissions": [
{
"category": "Lookup",
"access_all": true,
"permissions": []
}
],
"pretty_name": "CustomRoleName",
"description": "A custom role with specific permissions"
}
});
// Logs the response body once the request has finished; `this` is the
// XMLHttpRequest the listener is attached to.
function logWhenDone() {
  if (this.readyState !== this.DONE) {
    return;
  }
  console.log(this.responseText);
}

const xhr = new XMLHttpRequest();
// withCredentials asks the browser to include cookies and other credentials
// on a cross-origin request.
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", logWhenDone);
// POST with a JSON content type; the body itself is sent by the caller.
xhr.open("POST", "https://api-/%7Bfqdn%7D/platform/iam/v1/role");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-/%7Bfqdn%7D/platform/iam/v1/role")
.header("content-type", "application/json")
.body("{\"request_data\":{\"component_permissions\":[\"rules_action\",\"wf_verdict_change\"],\"dataset_permissions\":[{\"category\":\"Lookup\",\"access_all\":true,\"permissions\":[]}],\"pretty_name\":\"CustomRoleName\",\"description\":\"A custom role with specific permissions\"}}")
.asString();
import Foundation
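let headers = ["content-type": "application/json"]

// Request body: the role's component permissions, dataset permissions,
// display name and description.
let parameters = ["request_data": [
    "component_permissions": ["rules_action", "wf_verdict_change"],
    "dataset_permissions": [
        [
            "category": "Lookup",
            "access_all": true,
            "permissions": []
        ]
    ],
    "pretty_name": "CustomRoleName",
    "description": "A custom role with specific permissions"
]] as [String : Any]

// data(withJSONObject:options:) is a throwing call, so it must be marked with
// `try`; the published sample omitted it.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

// NOTE(review): "api-/%7Bfqdn%7D" looks like a mangled "api-{fqdn}" placeholder;
// replace it with your tenant's API host before use.
var request = URLRequest(url: URL(string: "https://api-/%7Bfqdn%7D/platform/iam/v1/role")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
// No authentication headers appear in this sample; add the API-key headers
// the API requires before sending.
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
// The handler prints the transport error if there is one, otherwise the
// response metadata; the response body (`data`) is not printed.
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
    if let error = error {
        print(error)
    } else {
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse as Any)
    }
})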
dataTask.resume()
<?php
// JSON body describing the role to create.
$payload = "{\"request_data\":{\"component_permissions\":[\"rules_action\",\"wf_verdict_change\"],\"dataset_permissions\":[{\"category\":\"Lookup\",\"access_all\":true,\"permissions\":[]}],\"pretty_name\":\"CustomRoleName\",\"description\":\"A custom role with specific permissions\"}}";

// Transfer options. Nothing here touches the TLS verification options, so
// the cURL defaults for certificate checking stay in effect.
$options = [
    CURLOPT_URL => "https://api-/%7Bfqdn%7D/platform/iam/v1/role",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => ["content-type: application/json"],
];

$curl = curl_init();
curl_setopt_array($curl, $options);

// Run the request, capture any transport error text, then release the handle.
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
CURL *hnd = curl_easy_init();
/* Request headers: a single JSON content-type entry. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "content-type: application/json");

/* Target URL and method. */
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-/%7Bfqdn%7D/platform/iam/v1/role");
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");

/* Attach the headers and the JSON body describing the role to create.
 * NOTE(review): nothing in the visible sample releases `headers` or `hnd`;
 * call curl_slist_free_all() and curl_easy_cleanup() once the transfer is done. */
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"component_permissions\":[\"rules_action\",\"wf_verdict_change\"],\"dataset_permissions\":[{\"category\":\"Lookup\",\"access_all\":true,\"permissions\":[]}],\"pretty_name\":\"CustomRoleName\",\"description\":\"A custom role with specific permissions\"}}");
CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-/%7Bfqdn%7D/platform/iam/v1/role");
// JSON body describing the role to create.
string payload = "{\"request_data\":{\"component_permissions\":[\"rules_action\",\"wf_verdict_change\"],\"dataset_permissions\":[{\"category\":\"Lookup\",\"access_all\":true,\"permissions\":[]}],\"pretty_name\":\"CustomRoleName\",\"description\":\"A custom role with specific permissions\"}}";

// POST request carrying the payload as a JSON request body.
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", payload, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
Request object for creating a new role
request_data (object): The data required to create a new role
component_permissions (array[string], required): List of component permissions for the role. Possible values can be found by using the permission configs API and referring to the rbac_permissions field.
dataset_permissions (array): Optional list of dataset permissions. This must be a list of JSON objects. The layout of each object can be found under the 'DatasetPermission' schema. Note: possible dataset values can be found by using the permission configs API and referring to the datasetGroups field.
pretty_name (string, required): Name of the role
description (string): Optional description of the role
{
"request_data": {
"component_permissions": [
"rules_action",
"wf_verdict_change"
],
"dataset_permissions": [
{
"category": "Lookup",
"access_all": true,
"permissions": []
}
],
"pretty_name": "CustomRoleName",
"description": "A custom role with specific permissions"
}
}