Access Profiles and Grants API


Overview

These APIs let you manage (create/read/update/delete) roles for a principal in your organization. A principal and its access to the system is governed by the grant assigned. A principal can only have 1 grant. That grant can contain a role OR multiple profiles of role assignments.

Requirements

  • At least one Carbon Black Cloud product
  • All API calls require an API key with appropriate permissions see Authentication

Authentication

Access Level and API Key:

When creating your API Key, this API requires a different process for creating the appropriate Access Level than is outlined in the Carbon Black Cloud Authentication Guide.

Option 1

  • Navigate to Settings > API Access in the Carbon Black Cloud console, and add a new API Key with a “Custom” Access Level and choose “Super Admin” from the Custom Access Level dropdown. This will grant the maximum permissions to the API Key and allow the key to grant any role.

Option 2

  • It is recommended to limit access to only the necessary permissions, so the “Super Admin” Access Level may not be right for you. To create a new Access Level with more limited permissions:
    • Navigate to Settings > Roles in the console.
    • Add a new Role and then use the category expanders to add permissions to the role. At minimum, you must add the permissions for “Manage Roles” and “Manage Users” from the “Organization Settings” category. It may be helpful to copy permissions from the “Level 3 Analyst” and add the “Manage Roles” and “Manage Users” permissions on top of the base permissions for that role.
    • Once you configure the role to your liking, hit save, and then add a new API Key from Settings > API Access, select “Custom” Access Level, and choose the new role from the Custom Access Level dropdown.

Note: you can only create Roles with the same level of permissions granted to you. You may need a Super Admin to assist in creating the new Role and API Key. The Super Admin assignment must be a role.

Environment Details:

Quick Start

Assign multiple roles to an existing user

This guide explains how to change the access profile for an existing user in a multi-tenant environment.

  1. Get the existing Grant for a user with the Get Grant of a Principal call.
  2. Get the list of roles the API Key or User specified in the request can manage in the organization or its children organizations with the Get Permitted Roles call.
  3. Update the existing Profile for that user to add another organization using the Update Profile of Principal’s Grant call.
  4. Update the Grant to add a new profile with different permissions in another organization with the Create Profile in Principal’s Grant call.

Basic user creation with a grant

  1. Create a new user with Level 1 Analyst role with the User Management API - Create User call.
  2. User receives an invite in mail and follows instructions for registration.
  3. Check if the new user is included in the Organization with the User Management API - List All Users call.
  4. View the details of the User Grant with the Get Grant of a Principal call.

API Calls

Create Grant for a Principal

Create grant for a Principal in given Org.

Note: When using a role grant, you can only select one role. The profiles however do support multiple roles.

Role Permissions
Manage Users

Request

POST {cbc-hostname}/access/v2/orgs/{org_key}/grants/

Request Body - application/json

{
  "principal": "string",
  "roles": [ "string" ],
  "profiles": [
    {
      "orgs": {
        "allow": [ "string" ],
      },
      "roles": [ "string" ],
      "conditions": {
        "expiration": "string",
        "disabled": boolean
      }
    }
  ],
  "org_ref": "string",
  "principal_name": "string"
}

Body Schema

Field Definition Data Type Values
principal
REQUIRED
Uniform Resource Name String Format:
psc:user:{org_key}:{login_id}
or
psc:cnn:{org_key}:{connector_id}
roles
REQUIRED
Role attached to grant. Accepts only one value. Either roles or profiles can be used, but not both. Array
[ "string" ]
Format:
psc:role:{org_key}:{role_name}
profiles
REQUIRED
List of profiles attached to grant. Either roles or profiles can be used, but not both. Array Profile Schema
org_ref
REQUIRED
Org reference in urn format String Format:
psc:org:{org_key}
principal_name
REQUIRED
Principals name String N/A
conditions Conditions attached to a profile Object Condition Schema

Response

Code Description Content-Type Content
201 Successful Request application/json View example response below
400 Bad request application/json
{
  "error_code": "BAD_REQUEST",
  "message": "Principal resource must match request body"
}
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/

Request_Body

{
  "principal": "psc:user:ABCD1234:1234567",
  "profiles": [
    {
      "orgs": {
        "allow": [ "psc:org:ABCD1234" ],
      },
      "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ]
    }
  ],
  "org_ref": "psc:org:ABCD1234",
  "principal_name": "demo@vmware.com"
}

Response

{
  "principal": "psc:user:ABCD1234:1234567",
  "roles": null,
  "profiles": [
    {
      "orgs": {
        "allow": [ "psc:org:ABCD1234" ],
      },
      "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ],
      "conditions": {
        "expiration": "",
        "disabled": true
      },
      "can_manage": true
    }
  ],
  "org_ref": "psc:org:ABCD1234",
  "principal_name": "demo@vmware.com",
  "created_by": "psc:user:ABCD1234:DEFG1234",
  "updated_by": "psc:user:ABCD1234:DEFG1234",
  "create_time": "2021-01-19T12:56:31.645Z",
  "update_time": "2021-01-19T12:56:31.645Z",
  "can_manage": true
}


Get Grant of a Principal

Get grant of a Principal(User or API Key) in a given Organization.

Role Permissions
Manage Roles

Request

GET {cbc-hostname}/access/v2/orgs/{org_key}/grants/{principal_urn}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/psc:user:ABCD1234:DEFG1234

Response

{
    "principal": "psc:user:ABCD1234:1234567",
    "roles": [ "psc:role::CUSTOM_ROLE" ],
    "version": 1,
    "profiles": null,
    "org_ref": "psc:org:ABCD1234",
    "principal_name": "demo@vmware.com",
    "created_by": "psc:cnn:ABCD1234:DEFG1234",
    "updated_by": "psc:cnn:ABCD1234:DEFG1234",
    "create_time": "2021-04-05T06:56:23.348Z",
    "update_time": "2021-04-05T06:56:23.348Z",
    "can_manage": true
}


Bulk Fetch Grants

Bulk fetch grants for list of Principals and Organizations key pair.

Role Permissions
Manage Roles

Request

POST {cbc-hostname}/access/v2/grants/_fetch

Request Body - application/json

[
  {
    "principal": "string",
    "org_ref": "string"
  }
]

Body Schema

Field Definition Data Type Values
principal
REQUIRED
Uniform Resource Name String Format:
psc:user:{org_key}:{login_id}
or
psc:cnn:{org_key}:{connector_id}
org_ref
REQUIRED
Org reference in urn format String Format:
psc:org:{org_key}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/access/v2/grants/_fetch

Request_Body

[
  {
    "principal": "psc:user:ABCD1234:1234567",
    "org_ref": "psc:org:ABCD1234"
  },
    {
    "principal": "psc:user:ABCD1234:7654321",
    "org_ref": "psc:org:ABCD1234"
  }
]

Response

{
    "results": [
        {
            "principal": "psc:user:ABCD1234:1234567",
            "roles": null,
            "version": 3,
            "profiles": [
                {
                    "profile_uuid": "01a27d93-1974-492a-9e95-d92d66b2d123",
                    "orgs": {
                        "allow": [ "psc:org:ABCD1234" ]
                    },
                    "roles": [ "psc:role:ABCD1234:MANAGE_ANALYST_1_ROLE" ],
                    "conditions": null,
                    "can_manage": true
                }
            ],
            "org_ref": "psc:org:ABCD1234",
            "principal_name": demo@vmware.com,
            "created_by": "psc:cnn:ABCD1234:DEFG1234",
            "updated_by": "psc:cnn:ABCD1234:DEFG1234",
            "create_time": null,
            "update_time": null,
            "can_manage": true
        },
        {
            "principal": "psc:user:ABCD1234:7654321",
            "roles": [ "psc:role:ABCD1234:LEVEL_1_ANALYST_WITH_MANAGE_USERS" ],
            "version": 1,
            "profiles": null,
            "org_ref": "psc:org:ABCD1234",
            "principal_name": "demo@vmware.com",
            "created_by": "psc:cnn:ABCD1234:DEFG1234",
            "updated_by": "psc:cnn:ABCD1234:DEFG1234",
            "create_time": null,
            "update_time": null,
            "can_manage": true
        }
    ]
}


Update Grant of a Principal

Update grant of a Principal in given Organization.

Note: The entire grant will be updated including the profiles. Be aware that this will generate new profile_uuids for each profile.

Role Permissions
Manage Roles, Manage Users

Request

PUT {cbc-hostname}/access/v2/orgs/{org_key}/grants/{principal_urn}

Request Body

{
    "principal": "<string>",
    "roles": [ "<string>" ],
    "profiles": [
        {
            "profile_uuid": "<string>",
            "orgs": {
                "allow": [ "<string>" ]
            },
            "roles": [ "<string>" ],
            "conditions": {
              "expiration": "string",
              "disabled": boolean
            }
        }
    ],
    "org_ref": "<string>",
    "principal_name": "<string>"
}

Body Schema

Field Definition Data Type Values
principal
REQUIRED
Uniform Resource Name String Format:
psc:user:{org_key}:{login_id}
or
psc:cnn:{org_key}:{connector_id}
roles Role attached to grant. Accepts only one value. Either roles or profiles can be used, but not both. Array
[ "string" ]
Format:
psc:role:{org_key}:{role_name}
profiles The role attached to a grant. Either roles or profiles can be used, but not both. Array Profile Schema
org_ref
REQUIRED
Org reference in urn format String Format:
psc:org:{org_key}
principal_name
REQUIRED
Principals name String N/A

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Bad request application/json
{
  "error_code": "BAD_REQUEST",
  "message": "Roles must be set"
}
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

PUT https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/psc:user:ABCD1234:DEFG1234

Request_Body

{
  "principal": "psc:user:ABCD1234:1234567",
  "roles": [ "psc:role:ABCD1234:CUSTOM_ROLE" ],
  "org_ref": "psc:org:ABCD1234",
  "principal_name": "demo@vmware.com"
}

Response

{
  "principal": "psc:user:ABCD1234:1234567",
  "roles": [ "psc:role:ABCD1234:CUSTOM_ROLE" ],
  "org_ref": "psc:org:ABCD1234",
  "principal_name": "demo@vmware.com",
  "created_by": "psc:user:ABCD1234:DEFG1234",
  "updated_by": "psc:user:ABCD1234:DEFG1234",
  "create_time": "2021-01-19T12:56:31.645Z",
  "update_time": "2021-01-19T12:56:31.645Z",
  "can_manage": true
}


Delete Grant for a Principal

Delete grant for a Principal in given Organization.

Role Permissions
Manage Roles

Request

DELETE {cbc-hostname}/access/v2/orgs/{org_key}/grants/{principal_urn}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

DELETE https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/psc:user:ABCD1234:DEFG1234

Response

{
  "principal": "psc:user:ABCD1234:1234567",
  "roles": [ "psc:role:ABCD1234:CUSTOM_ROLE" ],
  "org_ref": "psc:org:ABCD1234",
  "principal_name": "demo@vmware.com",
  "created_by": "psc:user:ABCD1234:DEFG1234",
  "updated_by": "psc:user:ABCD1234:DEFG1234",
  "create_time": "2021-01-19T12:56:31.645Z",
  "update_time": "2021-01-19T12:56:31.645Z",
  "can_manage": true
}


Get Permitted Roles

Returns a list of roles that may be managed by the user making the request. Helps to identify roles in an organization and its child organizations (in a multi-tenant environment).

Note: In order for this API call to function correctly, the {token} in the endpoint URL below must match the “token” portion of the API credentials specified in the X-Auth-Token header (everything after the ‘/’ character). Otherwise a 403 Forbidden error will be returned.

Role Permissions
Manage Roles

Request

GET {cbc-hostname}/access/v3/orgs/{org_key}/principals/{token}/roles/permitted

Query Parameters

Parameter Required Default Description
type Yes N/A Type of roles to be returned. Supported: USER, API_KEY

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Bad Request N/A N/A
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/access/v3/orgs/ABCD1234/principals/A1B2C3D4/roles/permitted?type=USER

Response

{
    "results": {
        "ABCD1234": [
            {
                "urn": "psc:role::CONTAINER_IMAGE_CLI_TOOL",
                "scoped": "psc:org:org-scope:all",
                "name": "Container Image CLI tool",
                "desc": "Upload image SBOMs, and view container image and Kubernetes data",
                "disabled": false,
                "capabilities": [
                    "api",
                    "private_api",
                    "public_api"
                ],
                "child_urn": "psc:role::CONTAINER_IMAGE_CLI_TOOL",
                "created_by": "psc:cnn:ABCD1234:9Z8Y7X6W5V",
                "updated_by": "psc:cnn:ABCD1234:9Z8Y7X6W5V",
                "create_time": "2021-04-13T17:51:34.539Z",
                "update_time": "2021-04-13T17:51:34.539Z"
            },
            {
                "urn": "psc:role::BETA_SUPER_ADMIN",
                "scoped": "psc:org:org-scope:all",
                "name": "Super Admin",
                "desc": "All permissions, including console configuration, Live Response, and management of policies, API keys, and sensor group rules",
                "disabled": false,
                "capabilities": [
                    "user"
                ],
                "child_urn": "psc:role::BETA_SUPER_ADMIN",
                "created_by": null,
                "updated_by": "psc:cnn:ABCD1234:9Z8Y7X6W5V",
                "create_time": "",
                "update_time": "2021-05-05T06:03:09.998Z"
            },
            {
                "urn": "psc:role::VIEW_ONLY",
                "scoped": "psc:org:org-scope:all",
                "name": "View Only - Legacy",
                "desc": "View Only",
                "disabled": false,
                "capabilities": [
                    "user"
                ],
                "child_urn": "psc:role::VIEW_ONLY",
                "created_by": null,
                "updated_by": "psc:cnn:ABCD1234:9Z8Y7X6W5V",
                "create_time": "",
                "update_time": "2021-03-16T01:02:54.214Z"
            }
        ],
        "ABCD1234:CHILDREN": [
            {
                "urn": "psc:role::KUBERNETES_SECURITY_DEVOPS",
                "scoped": "psc:org:org-scope:all",
                "name": "Kubernetes Security DevOps",
                "desc": "Manage Kubernetes security features",
                "disabled": false,
                "capabilities": [
                    "user"
                ],
                "child_urn": "psc:role::KUBERNETES_SECURITY_DEVOPS",
                "created_by": null,
                "updated_by": "psc:cnn:ABCD1234:9Z8Y7X6W5V",
                "create_time": "",
                "update_time": "2020-11-20T20:43:15.961Z"
            },
            {
                "urn": "psc:role::BETA_SYSTEM_ADMIN",
                "scoped": "psc:org:org-scope:all",
                "name": "System Admin",
                "desc": "Manage sensors, add users, and enable bypass; can't change global settings, delete files, or use Live Response",
                "disabled": false,
                "capabilities": [
                    "user"
                ],
                "child_urn": "psc:role::BETA_SYSTEM_ADMIN",
                "created_by": null,
                "updated_by": "psc:cnn:ABCD1234:9Z8Y7X6W5V",
                "create_time": "",
                "update_time": "2021-05-05T06:03:09.084Z"
            }
        ]
    }
}


Create Profile in Principal’s Grant

Create profile in Principal’s grant in given Organization.

Role Permissions
Manage Roles

Request

POST {cbc-hostname}/access/v2/orgs/{org_key}/grants/{principal_urn}/profiles

Request Body - application/json

{
    "orgs": {
        "allow": [ "<string>" ],
    },
    "roles": [ "<string>" ],
    "conditions": {
      "expiration": "string",
      "disabled": boolean
    }
}

Body Schema

Field Definition Data Type Values
orgs
REQUIRED
Allowed/denied Orgs in the current Profile Object Orgs Schema
roles
REQUIRED
Role attached to a profile Array
[ "string" ]
conditions Conditions attached to a profile Object Condition Schema

Response

Code Description Content-Type Content
201 Successful Request application/json View example response below
400 Bad request application/json
{
  "error_code": "BAD_REQUEST",
  "message": "Orgs must be defined for each profile"
}
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/psc:user:ABCD1234:DEFG1234/profiles

Request_Body

{
  "orgs": {
    "allow": [ "psc:org:ABCD1234" ],
  },
  "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ],
  "conditions": {
  }
}

Response

{
  "orgs": {
    "allow": [ "psc:org:ABCD1234" ],
  },
  "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ],
  "conditions": {
    "expiration": "string",
    "disabled": true
  },
  "can_manage": true
}


Update Profile of Principal’s Grant

Update profile of Principal’s grant in given Organization.

Role Permissions
Manage Roles

Request

PUT {cbc-hostname}/access/v2/orgs/{org_key}/grants/{principal_urn}/profiles/{profile_uuid}

Request Body

{
  "profile_uuid": "string",
  "orgs": {
    "allow": [ "string" ],
  },
  "roles": [ "string" ],  
  "conditions": {
    "expiration": "string",
    "disabled": boolean
  }
}

Body Schema

Field Definition Data Type Values
profile_uuid Universally Unique Identifier String N/A
orgs Allowed/denied Orgs in the current Profile Object Orgs Schema
roles
REQUIRED
Role attached to a profile Array
[ "string" ]
Example:
psc:role::SECOPS_ROLE_MANAGER
conditions Conditions attached to a profile Object Condition Schema

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Bad request application/json
{
  "error_code": "BAD_REQUEST",
  "message": "profile_uuid must not be null"
}
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

PUT https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/psc:user:ABCD1234:DEFG1234/profiles/3fa85f64-5717-4562-b3fc-2c963f66afa6

Request_Body

{
  "profile_uuid": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "orgs": {
    "allow": [ "psc:org:ABCD1234" ],
  },
  "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ],
  "conditions": {
  }
}

Response

{
  "profile_uuid": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "orgs": {
    "allow": [ "psc:org:ABCD1234" ],
  },
  "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ],
  "conditions": {
    "expiration": "2021-01-27T18:34:04Z",
    "disabled": true
  },
  "can_manage": true
}


Delete Profile

Delete profile with matching uuid from Principal’s grant in given Organization.

Role Permissions
Manage Roles

Request

DELETE {cbc-hostname}/access/v2/orgs/{org_key}/grants/{principal_urn}/profiles/{profile_uuid}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
401 Unauthorized application/json
{
  "success": false,
  "message": "User is not authenticated"
}
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

DELETE https://defense-eap01.conferdeploy.net/access/v2/orgs/ABCD1234/grants/psc:user:ABCD1234:DEFG1234/profiles/3fa85f64-5717-4562-b3fc-2c963f66afa6

Response

{
  "profile_uuid": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "orgs": {
    "allow": [ "psc:org:ABCD1234" ],
  },
  "roles": [ "psc:role::SECOPS_ROLE_MANAGER" ],
  "conditions": {
    "expiration": "2021-01-27T18:34:04Z",
    "disabled": true
  },
  "can_manage": true
}


Schemas

Condition

Field Definition Data Type Values
expiration ISO 8601 extended time format indicating when the profile condition will expire String N/A
disabled Indicating if the profile is disabled Boolean Supported: true, false

Grant

Field Definition Data Type Values
principal
REQUIRED
Principals URN String Format:
psc:user:{org_key}:{login_id}
or
psc:cnn:{org_key}:{connector_id}
roles Role attached to a grant. Accepts only one value. Either roles or profiles can be used, but not both. Array
[ "string" ]
Format:
psc:role:{org_key}:{role_name}
profiles List of profiles attached to a grant. Either roles or profiles can be used, but not both. Array Profile Schema
org_ref
REQUIRED
Org reference in Urn format String Format:
psc:org:{org_key}
principal_name
REQUIRED
Principals name String N/A
created_by Principals URN who created the grant String Format:
psc:user:{org_key}:{login_id}
or
psc:cnn:{org_key}:{connector_id}
updated_by Principals URN who last updated the grant String Format:
psc:user:{org_key}:{login_id}
or
psc:cnn:{org_key}:{connector_id}
create_time ISO 8601 extended time format indicating when the grant has been created String N/A
update_time ISO 8601 extended time format indicating when last time the grant has been updated String N/A
can_manage Indicates whether the requesting user can manage the grant and/or the individual profiles Boolean Supported: true, false
version Numerical tag incremented by backend on each update. This property is not editable. Integer N/A

Orgs

Field Definition Data Type Values
allow
REQUIRED
List of allowed Orgs in the current Profile Array
[ "string" ]
Format:
psc:org:{org_key}

Profile

Field Definition Data Type Values
profile_uuid UUID String N/A
orgs N/A Object Orgs Schema
roles
REQUIRED
Role attached to a profile. Accepts only one value Array
[ "string" ]
Example:
psc:role::SECOPS_ROLE_MANAGER
conditions Conditions attached to a profile Object Condition Schema
can_manage Indicates whether the requesting user can manage the grant and/or the individual profiles Boolean Supported: true, false

Role

Note: psc:org:{org_key}:CHILDREN is a special URN that allows you to grant access to all current and future children of a multi-tenant environment parent where {org_key} is the parent. If you create this type of profile, you must have the appropriate access to all the children.

Field Definition Data Type Values
urn
REQUIRED
Role URN String Format: psc:role:{org_key}:{role} or psc:role::{role} or psc:org:{org_key}:CHILDREN
scoped Scoped URN String Format: psc:org:org-scope:csr-all or for org specific roles psc:org:ORGKEY
name
REQUIRED
Role name String N/A
desc Role description String N/A
disabled Value indicating if the role is disabled Boolean Supported: true, false
capabilities
REQUIRED
Array
[ "string" ]
Supported: api, internal, private_api, public_api, non_grantable
child_urn
REQUIRED
Role URN String Format: psc:role:{org_key}:{role} or psc:role::{role}
created_by Principals URN who created the grant String Format: psc:user:{org_key}:{login_id} or psc:cnn:{org_key}:{connector_id}
updated_by Principals URN who last updated the grant String Format psc:user:{org_key}:{login_id} or psc:cnn:{org_key}:{connector_id}
create_time ISO-8601 timestamp when the grant has been created String N/A
update_time ISO-8601 timestamp when last time the grant has been updated String N/A
Last modified on June 4, 2021