Class IamAccessGroups


  • public class IamAccessGroups
    extends com.ibm.cloud.sdk.core.service.BaseService
    The IAM Access Groups API allows for the management of access groups (Create, Read, Update, Delete) as well as the management of memberships and rules within the group container. API Version: 2.0
    • Field Detail

      • DEFAULT_SERVICE_NAME

        public static final java.lang.String DEFAULT_SERVICE_NAME
        Default service name used when configuring the `IamAccessGroups` client.
      • DEFAULT_SERVICE_URL

        public static final java.lang.String DEFAULT_SERVICE_URL
        Default service endpoint URL.
    • Constructor Detail

      • IamAccessGroups

        public IamAccessGroups​(java.lang.String serviceName,
                               com.ibm.cloud.sdk.core.security.Authenticator authenticator)
        Constructs an instance of the `IamAccessGroups` client. The specified service name and authenticator are used to configure the client instance.
        Parameters:
        serviceName - the service name to be used when configuring the client instance
        authenticator - the Authenticator instance to be configured for this client
    • Method Detail

      • newInstance

        public static IamAccessGroups newInstance()
        Class method which constructs an instance of the `IamAccessGroups` client. The default service name is used to configure the client instance.
        Returns:
        an instance of the `IamAccessGroups` client using external configuration
      • newInstance

        public static IamAccessGroups newInstance​(java.lang.String serviceName)
        Class method which constructs an instance of the `IamAccessGroups` client. The specified service name is used to configure the client instance.
        Parameters:
        serviceName - the service name to be used when configuring the client instance
        Returns:
        an instance of the `IamAccessGroups` client using external configuration
      • createAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<Group> createAccessGroup​(CreateAccessGroupOptions createAccessGroupOptions)
        Create an access group. Create a new access group to assign multiple users and service IDs to multiple policies. The group will be created in the account specified by the `account_id` parameter. The group name is a required field, but a description is optional. Because the group's name does not have to be unique, it is possible to create multiple groups with the same name.
        Parameters:
        createAccessGroupOptions - the CreateAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Group
      • listAccessGroups

        public com.ibm.cloud.sdk.core.http.ServiceCall<GroupsList> listAccessGroups​(ListAccessGroupsOptions listAccessGroupsOptions)
        List access groups. This API lists access groups within an account. Parameters for pagination and sorting can be used to filter the results. The `account_id` query parameter determines which account to retrieve groups from. Only the groups you have access to are returned, either because of a policy on a specific group or because of account-level access (admin, editor, or viewer). There may be more groups in the account that aren't shown if you lack these permissions.
        Parameters:
        listAccessGroupsOptions - the ListAccessGroupsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type GroupsList
      • getAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<Group> getAccessGroup​(GetAccessGroupOptions getAccessGroupOptions)
        Get an access group. Retrieve an access group by its `access_group_id`. Only the group's data is returned (group name, description, account_id, ...), not membership or rule information. A revision number is returned in the `ETag` header, which is needed when updating the access group.
        Parameters:
        getAccessGroupOptions - the GetAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Group
      • updateAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<Group> updateAccessGroup​(UpdateAccessGroupOptions updateAccessGroupOptions)
        Update an access group. Update the group name or description of an existing access group using this API. An `If-Match` header must be populated with the group's most recent revision number (which can be acquired in the `Get an access group` API).
        Parameters:
        updateAccessGroupOptions - the UpdateAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Group
      • deleteAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteAccessGroup​(DeleteAccessGroupOptions deleteAccessGroupOptions)
        Delete an access group. This API is used for deleting an access group. If the access group has no members or rules associated with it, the group and its policies will be deleted. However, if rules or members do exist, set the `force` parameter to true to delete the group as well as its associated members, rules, and policies.
        Parameters:
        deleteAccessGroupOptions - the DeleteAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • isMemberOfAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> isMemberOfAccessGroup​(IsMemberOfAccessGroupOptions isMemberOfAccessGroupOptions)
        Check membership in an access group. This HEAD operation determines if a given `iam_id` is present in a group either explicitly or via dynamic rules. No response body is returned with this request. If the membership exists, a `204 - No Content` status code is returned. If the membership or the group does not exist, a `404 - Not Found` status code is returned.
        Parameters:
        isMemberOfAccessGroupOptions - the IsMemberOfAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • addMembersToAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<AddGroupMembersResponse> addMembersToAccessGroup​(AddMembersToAccessGroupOptions addMembersToAccessGroupOptions)
        Add members to an access group. Use this API to add users (`IBMid-...`), service IDs (`iam-ServiceId-...`) or trusted profiles (`iam-Profile-...`) to an access group. Any member added gains access to resources defined in the group's policies. To revoke a given member's access, simply remove them from the group. There is no limit to the number of members one group can have, but each `iam_id` can only be added to 50 groups. Additionally, this API request payload can add up to 50 members per call.
        Parameters:
        addMembersToAccessGroupOptions - the AddMembersToAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type AddGroupMembersResponse
      • listAccessGroupMembers

        public com.ibm.cloud.sdk.core.http.ServiceCall<GroupMembersList> listAccessGroupMembers​(ListAccessGroupMembersOptions listAccessGroupMembersOptions)
        List access group members. List all members of a given group using this API. Parameters for pagination and sorting can be used to filter the results. The most useful query parameter may be the `verbose` flag. If `verbose=true`, user, service ID and trusted profile names will be retrieved for each `iam_id`. If performance is a concern, leave the `verbose` parameter off so that name information does not get retrieved.
        Parameters:
        listAccessGroupMembersOptions - the ListAccessGroupMembersOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type GroupMembersList
      • removeMemberFromAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> removeMemberFromAccessGroup​(RemoveMemberFromAccessGroupOptions removeMemberFromAccessGroupOptions)
        Delete member from an access group. Remove one member from a group using this API. If the operation is successful, only a `204 - No Content` response with no body is returned. However, if any error occurs, the standard error format will be returned. Dynamic members cannot be deleted using this API; the dynamic rules need to be adjusted to remove dynamic members.
        Parameters:
        removeMemberFromAccessGroupOptions - the RemoveMemberFromAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • removeMembersFromAccessGroup

        public com.ibm.cloud.sdk.core.http.ServiceCall<DeleteGroupBulkMembersResponse> removeMembersFromAccessGroup​(RemoveMembersFromAccessGroupOptions removeMembersFromAccessGroupOptions)
        Delete members from an access group. Remove multiple members from a group using this API. On a successful call, this API will always return 207. It is the caller's responsibility to iterate across the body to determine successful deletion of each member. This API request payload can delete up to 50 members per call. This API doesn't delete dynamic members that access the access group via dynamic rules.
        Parameters:
        removeMembersFromAccessGroupOptions - the RemoveMembersFromAccessGroupOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type DeleteGroupBulkMembersResponse
      • removeMemberFromAllAccessGroups

        public com.ibm.cloud.sdk.core.http.ServiceCall<DeleteFromAllGroupsResponse> removeMemberFromAllAccessGroups​(RemoveMemberFromAllAccessGroupsOptions removeMemberFromAllAccessGroupsOptions)
        Delete member from all access groups. This API removes a given member from every group they are a member of within the specified account. By using one operation, you can revoke one member's access to all access groups in the account. If a partial failure occurs on deletion, the response will be shown in the body.
        Parameters:
        removeMemberFromAllAccessGroupsOptions - the RemoveMemberFromAllAccessGroupsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type DeleteFromAllGroupsResponse
      • addAccessGroupRule

        public com.ibm.cloud.sdk.core.http.ServiceCall<Rule> addAccessGroupRule​(AddAccessGroupRuleOptions addAccessGroupRuleOptions)
        Create rule for an access group. Rules can be used to dynamically add users to an access group. If a user's SAML assertions match the rule's conditions during login, the user will be dynamically added to the group. The duration of the user's access to the group is determined by the `expiration` field. After access expires, the user will need to log in again to regain access. Note that the condition's value field must be a stringified JSON value. For further explanation of dynamic rules, consult the documentation at /docs/account?topic=account-rules.
        Parameters:
        addAccessGroupRuleOptions - the AddAccessGroupRuleOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Rule
      • listAccessGroupRules

        public com.ibm.cloud.sdk.core.http.ServiceCall<RulesList> listAccessGroupRules​(ListAccessGroupRulesOptions listAccessGroupRulesOptions)
        List access group rules. This API lists all rules in a given access group. Because only a few rules are created on each group, there is no pagination or sorting support on this API.
        Parameters:
        listAccessGroupRulesOptions - the ListAccessGroupRulesOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type RulesList
      • getAccessGroupRule

        public com.ibm.cloud.sdk.core.http.ServiceCall<Rule> getAccessGroupRule​(GetAccessGroupRuleOptions getAccessGroupRuleOptions)
        Get an access group rule. Retrieve a rule from an access group. A revision number is returned in the `ETag` header, which is needed when updating the rule.
        Parameters:
        getAccessGroupRuleOptions - the GetAccessGroupRuleOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Rule
      • replaceAccessGroupRule

        public com.ibm.cloud.sdk.core.http.ServiceCall<Rule> replaceAccessGroupRule​(ReplaceAccessGroupRuleOptions replaceAccessGroupRuleOptions)
        Replace an access group rule. Update the body of an existing rule using this API. An `If-Match` header must be populated with the rule's most recent revision number (which can be acquired in the `Get an access group rule` API).
        Parameters:
        replaceAccessGroupRuleOptions - the ReplaceAccessGroupRuleOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Rule
      • removeAccessGroupRule

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> removeAccessGroupRule​(RemoveAccessGroupRuleOptions removeAccessGroupRuleOptions)
        Delete an access group rule. Remove one rule from a group using this API. If the operation is successful, only a `204 - No Content` response with no body is returned. However, if any error occurs, the standard error format will be returned.
        Parameters:
        removeAccessGroupRuleOptions - the RemoveAccessGroupRuleOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • getAccountSettings

        public com.ibm.cloud.sdk.core.http.ServiceCall<AccountSettings> getAccountSettings​(GetAccountSettingsOptions getAccountSettingsOptions)
        Get account settings. Retrieve the access groups settings for a specific account.
        Parameters:
        getAccountSettingsOptions - the GetAccountSettingsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type AccountSettings
      • updateAccountSettings

        public com.ibm.cloud.sdk.core.http.ServiceCall<AccountSettings> updateAccountSettings​(UpdateAccountSettingsOptions updateAccountSettingsOptions)
        Update account settings. Update the access groups settings for a specific account. Note: When the `public_access_enabled` setting is set to false, all policies within the account attached to the Public Access group will be deleted. Only set `public_access_enabled` to false if you are sure that you want those policies to be removed.
        Parameters:
        updateAccountSettingsOptions - the UpdateAccountSettingsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type AccountSettings
      • createTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<TemplateResponse> createTemplate​(CreateTemplateOptions createTemplateOptions)
        Create template. Create an access group template. Make sure that the template is generic enough to apply to multiple different child accounts. Before you can assign an access group template to child accounts, you must commit it so that no further changes can be made to the version.
        Parameters:
        createTemplateOptions - the CreateTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type TemplateResponse
      • updateTemplateVersion

        public com.ibm.cloud.sdk.core.http.ServiceCall<TemplateVersionResponse> updateTemplateVersion​(UpdateTemplateVersionOptions updateTemplateVersionOptions)
        Update template version. Update a template version. You can only update a version that isn't committed. Create a new version if you need to update a committed version.
        Parameters:
        updateTemplateVersionOptions - the UpdateTemplateVersionOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type TemplateVersionResponse
      • deleteTemplateVersion

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteTemplateVersion​(DeleteTemplateVersionOptions deleteTemplateVersionOptions)
        Delete template version. Delete a template version. You must remove all assignments for a template version before you can delete it.
        Parameters:
        deleteTemplateVersionOptions - the DeleteTemplateVersionOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • commitTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> commitTemplate​(CommitTemplateOptions commitTemplateOptions)
        Commit a template. Commit a template version. You must do this before you can assign a template version to child accounts. After you commit the template version, you can't make any further changes.
        Parameters:
        commitTemplateOptions - the CommitTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • deleteTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteTemplate​(DeleteTemplateOptions deleteTemplateOptions)
        Delete template. Endpoint to delete a template. All access assigned by that template is deleted from all of the accounts where the template was assigned.
        Parameters:
        deleteTemplateOptions - the DeleteTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • createAssignment

        public com.ibm.cloud.sdk.core.http.ServiceCall<TemplateAssignmentResponse> createAssignment​(CreateAssignmentOptions createAssignmentOptions)
        Create assignment. Assign a template version to accounts that have enabled enterprise-managed IAM. You can specify individual accounts, or an entire account group to assign the template to all current and future child accounts of that account group.
        Parameters:
        createAssignmentOptions - the CreateAssignmentOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type TemplateAssignmentResponse
      • deleteAssignment

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteAssignment​(DeleteAssignmentOptions deleteAssignmentOptions)
        Delete assignment. Delete an access group template assignment.
        Parameters:
        deleteAssignmentOptions - the DeleteAssignmentOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
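
The read-then-update sequence that `getAccessGroup` (revision in the `ETag` header) and `updateAccessGroup` (`If-Match`) describe, as an added example that is not code from the SDK or its documentation. The package path, the `Builder` setters and `getHeaders().values(...)` are not shown on this page and are assumed from the SDK's generated models and core library; treating 409 and 412 as the stale-revision responses is also an assumption.

```java
import com.ibm.cloud.platform_services.iam_access_groups.v2.IamAccessGroups;
import com.ibm.cloud.platform_services.iam_access_groups.v2.model.GetAccessGroupOptions;
import com.ibm.cloud.platform_services.iam_access_groups.v2.model.Group;
import com.ibm.cloud.platform_services.iam_access_groups.v2.model.UpdateAccessGroupOptions;
import com.ibm.cloud.sdk.core.http.Response;
import com.ibm.cloud.sdk.core.service.exception.ServiceResponseException;
import java.util.List;

public class RenameAccessGroup {
    // Renames a group without overwriting a concurrent change: every attempt
    // re-reads the current revision and sends it back as If-Match.
    static Group rename(IamAccessGroups service, String groupId, String newName, int maxAttempts) {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            GetAccessGroupOptions getOpts = new GetAccessGroupOptions.Builder()
                .accessGroupId(groupId)
                .build();
            Response<Group> current = service.getAccessGroup(getOpts).execute();
            List<String> etags = current.getHeaders().values("ETag");
            if (etags.isEmpty()) {
                throw new IllegalStateException("response carried no ETag header");
            }
            UpdateAccessGroupOptions updateOpts = new UpdateAccessGroupOptions.Builder()
                .accessGroupId(groupId)
                .ifMatch(etags.get(0))
                .name(newName)
                .build();
            try {
                return service.updateAccessGroup(updateOpts).execute().getResult();
            } catch (ServiceResponseException e) {
                // Assumption: a stale revision is rejected with 409 or 412.
                boolean stale = e.getStatusCode() == 409 || e.getStatusCode() == 412;
                if (!stale || attempt == maxAttempts) {
                    throw e; // other errors, or out of attempts: surface to the caller
                }
            }
        }
        throw new IllegalArgumentException("maxAttempts must be at least 1");
    }

    public static void main(String[] args) {
        if (args.length != 2) throw new IllegalArgumentException("usage: <groupId> <newName>");
        IamAccessGroups service = IamAccessGroups.newInstance(); // external configuration
        Group updated = rename(service, args[0], args[1], 3);
        System.out.println("renamed to " + updated.getName());
    }
}
```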
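
Bulk revocation as `removeMembersFromAccessGroup` and `isMemberOfAccessGroup` describe it, as an added example that is not code from the SDK: the 207 body is checked per member, then effective membership is re-checked because dynamic members are not removed by the bulk call. The package path and the model accessors (`getMembers()`, `getIamId()`, `getStatusCode()`) are not shown on this page and are assumed from the SDK's generated models, as are the mapping of a 404 to `NotFoundException` and the reading of a 2xx per-member status as success.

```java
import com.ibm.cloud.platform_services.iam_access_groups.v2.IamAccessGroups;
import com.ibm.cloud.platform_services.iam_access_groups.v2.model.*;
import com.ibm.cloud.sdk.core.service.exception.NotFoundException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RevokeGroupMembers {
    static final int MAX_PER_CALL = 50; // per-call payload limit stated in the API description

    // 204: the iam_id is in the group explicitly or via dynamic rules; 404 arrives as an exception.
    static boolean isMember(IamAccessGroups service, String groupId, String iamId) {
        IsMemberOfAccessGroupOptions opts = new IsMemberOfAccessGroupOptions.Builder()
            .accessGroupId(groupId).iamId(iamId).build();
        try {
            service.isMemberOfAccessGroup(opts).execute();
            return true;
        } catch (NotFoundException notFound) { // no membership, or no such group
            return false;
        }
    }

    // Returns iam_id -> reason for every member whose access was NOT confirmed revoked.
    static Map<String, String> revoke(IamAccessGroups service, String groupId, List<String> iamIds) {
        Map<String, String> unrevoked = new LinkedHashMap<>();
        for (int i = 0; i < iamIds.size(); i += MAX_PER_CALL) {
            List<String> batch = iamIds.subList(i, Math.min(i + MAX_PER_CALL, iamIds.size()));
            RemoveMembersFromAccessGroupOptions opts = new RemoveMembersFromAccessGroupOptions.Builder()
                .accessGroupId(groupId).members(batch).build();
            // The call itself reports 207; each member's outcome is only in the body.
            DeleteGroupBulkMembersResponse body = service.removeMembersFromAccessGroup(opts).execute().getResult();
            for (DeleteGroupBulkMembersResponseMembersItem item : body.getMembers()) {
                Long status = item.getStatusCode();
                // Assumption: a 2xx per-member status means that member was removed.
                if (status == null || status < 200 || status >= 300) {
                    unrevoked.put(item.getIamId(), "bulk delete returned status " + status);
                }
            }
            // Bulk delete leaves dynamic members in place, so re-check effective membership.
            for (String iamId : batch) {
                if (!unrevoked.containsKey(iamId) && isMember(service, groupId, iamId)) {
                    unrevoked.put(iamId, "still a member (explicit or via a dynamic rule)");
                }
            }
        }
        return unrevoked;
    }

    public static void main(String[] args) {
        if (args.length < 2) throw new IllegalArgumentException("usage: <groupId> <iam_id>...");
        IamAccessGroups service = IamAccessGroups.newInstance(); // external configuration
        revoke(service, args[0], List.of(args).subList(1, args.length)).forEach((id, why) -> System.out.println(id + ": " + why));
    }
}
```

An empty result means every listed `iam_id` was both reported deleted and no longer passes the membership check; any entry that remains needs a rule change or a retry before access can be considered revoked.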