Class IamPolicyManagement


  • public class IamPolicyManagement
    extends com.ibm.cloud.sdk.core.service.BaseService
    IAM Policy Management API. API Version: 1.0.1
    • Field Detail

      • DEFAULT_SERVICE_NAME

        public static final java.lang.String DEFAULT_SERVICE_NAME
        Default service name used when configuring the `IamPolicyManagement` client.
        See Also:
        Constant Field Values
      • DEFAULT_SERVICE_URL

        public static final java.lang.String DEFAULT_SERVICE_URL
        Default service endpoint URL.
        See Also:
        Constant Field Values
    • Constructor Detail

      • IamPolicyManagement

        public IamPolicyManagement​(java.lang.String serviceName,
                                   com.ibm.cloud.sdk.core.security.Authenticator authenticator)
        Constructs an instance of the `IamPolicyManagement` client. The specified service name and authenticator are used to configure the client instance.
        Parameters:
        serviceName - the service name to be used when configuring the client instance
        authenticator - the Authenticator instance to be configured for this client
    • Method Detail

      • newInstance

        public static IamPolicyManagement newInstance()
        Class method which constructs an instance of the `IamPolicyManagement` client. The default service name is used to configure the client instance.
        Returns:
        an instance of the `IamPolicyManagement` client using external configuration
      • newInstance

        public static IamPolicyManagement newInstance​(java.lang.String serviceName)
        Class method which constructs an instance of the `IamPolicyManagement` client. The specified service name is used to configure the client instance.
        Parameters:
        serviceName - the service name to be used when configuring the client instance
        Returns:
        an instance of the `IamPolicyManagement` client using external configuration
      • listPolicies

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyCollection> listPolicies​(ListPoliciesOptions listPoliciesOptions)
        Get policies by attributes. Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.
        Parameters:
        listPoliciesOptions - the ListPoliciesOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyCollection
      • createPolicy

        public com.ibm.cloud.sdk.core.http.ServiceCall<Policy> createPolicy​(CreatePolicyOptions createPolicyOptions)
        Create a policy. Creates a policy to grant access between a subject and a resource. There are two types of policies: **access** and **authorization**. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and set up access between services.

        ### Access

        To create an access policy, use **`"type": "access"`** in the body. The possible subject attributes are **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute for assigning access for a user or service-id. Use the **`access_group_id`** subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). The policy resource must include either the **`serviceType`**, **`serviceName`**, **`resourceGroupId`** or **`service_group_id`** attribute and the **`accountId`** attribute. The IAM Services group (`IAM`) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

        ### Authorization

        Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use **`"type": "authorization"`** in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.

        ### Attribute Operators

        Currently, only the `stringEquals` and the `stringMatch` operators are available. Resource attributes may support one or both operators. For more information, see [Assigning access by using wildcard policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).

        ### Attribute Validations

        Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
        Parameters:
        createPolicyOptions - the CreatePolicyOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Policy
      • replacePolicy

        public com.ibm.cloud.sdk.core.http.ServiceCall<Policy> replacePolicy​(ReplacePolicyOptions replacePolicyOptions)
        Update a policy. Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (you cannot change an access policy to an authorization policy).

        ### Access

        To update an access policy, use **`"type": "access"`** in the body. The possible subject attributes are **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute for assigning access for a user or service-id. Use the **`access_group_id`** subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). The policy resource must include either the **`serviceType`**, **`serviceName`**, or **`resourceGroupId`** attribute and the **`accountId`** attribute. If the subject is a locked service-id, the request will fail.

        ### Authorization

        To update an authorization policy, use **`"type": "authorization"`** in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.

        ### Attribute Operators

        Currently, only the `stringEquals` and the `stringMatch` operators are available. Resource attributes might support one or both operators. For more information, see [Assigning access by using wildcard policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).

        ### Attribute Validations

        Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
        Parameters:
        replacePolicyOptions - the ReplacePolicyOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Policy
      • deletePolicy

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deletePolicy​(DeletePolicyOptions deletePolicyOptions)
        Delete a policy by ID. Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
        Parameters:
        deletePolicyOptions - the DeletePolicyOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • updatePolicyState

        public com.ibm.cloud.sdk.core.http.ServiceCall<Policy> updatePolicyState​(UpdatePolicyStateOptions updatePolicyStateOptions)
        Restore a deleted policy by ID. Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use **`"state": "active"`** in the body.
        Parameters:
        updatePolicyStateOptions - the UpdatePolicyStateOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type Policy
      • listRoles

        public com.ibm.cloud.sdk.core.http.ServiceCall<RoleCollection> listRoles​(ListRolesOptions listRolesOptions)
        Get roles by filters. Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. The service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles, an empty array is returned.
        Parameters:
        listRolesOptions - the ListRolesOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type RoleCollection
      • listRoles

        public com.ibm.cloud.sdk.core.http.ServiceCall<RoleCollection> listRoles()
        Get roles by filters. Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. The service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles, an empty array is returned.
        Returns:
        a ServiceCall with a result of type RoleCollection
      • createRole

        public com.ibm.cloud.sdk.core.http.ServiceCall<CustomRole> createRole​(CreateRoleOptions createRoleOptions)
        Create a role. Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.
        Parameters:
        createRoleOptions - the CreateRoleOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type CustomRole
      • replaceRole

        public com.ibm.cloud.sdk.core.http.ServiceCall<CustomRole> replaceRole​(ReplaceRoleOptions replaceRoleOptions)
        Update a role. Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.
        Parameters:
        replaceRoleOptions - the ReplaceRoleOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type CustomRole
      • getRole

        public com.ibm.cloud.sdk.core.http.ServiceCall<CustomRole> getRole​(GetRoleOptions getRoleOptions)
        Retrieve a role by ID. Retrieve a role by providing a role ID.
        Parameters:
        getRoleOptions - the GetRoleOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type CustomRole
      • deleteRole

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteRole​(DeleteRoleOptions deleteRoleOptions)
        Delete a role by ID. Delete a role by providing a role ID.
        Parameters:
        deleteRoleOptions - the DeleteRoleOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • listV2Policies

        public com.ibm.cloud.sdk.core.http.ServiceCall<V2PolicyCollection> listV2Policies​(ListV2PoliciesOptions listV2PoliciesOptions)
        Get policies by attributes. Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.
        Parameters:
        listV2PoliciesOptions - the ListV2PoliciesOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type V2PolicyCollection
      • createV2Policy

        public com.ibm.cloud.sdk.core.http.ServiceCall<V2Policy> createV2Policy​(CreateV2PolicyOptions createV2PolicyOptions)
        Create a policy. Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: **access**. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.

        ### Access

        To create an access policy, use **`"type": "access"`** in the body. The supported subject attributes are **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute to assign access to a user or service-id. Use the **`access_group_id`** subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). The policy resource must include either the **`serviceType`**, **`serviceName`**, **`resourceGroupId`** or **`service_group_id`** attribute and the **`accountId`** attribute.

        In the rule field, you can specify a single condition by using **`key`**, **`value`**, and condition **`operator`**, or a set of **`conditions`** with a combination **`operator`**. The possible combination operators are **`and`** and **`or`**. Currently, we support two types of patterns:

        1. `time-based`: Used to specify a time-based restriction. Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

        ```json
        "rule": {
          "operator": "and",
          "conditions": [{
            "key": "{{environment.attributes.day_of_week}}",
            "operator": "dayOfWeekAnyOf",
            "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
          }, {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeGreaterThanOrEquals",
            "value": "09:00:00+00:00"
          }, {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeLessThanOrEquals",
            "value": "17:00:00+00:00"
          }]
        }
        ```

        You can use the following operators in the **`key`** and **`value`** pair:

        ```
        'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
        'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
        'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
        'dayOfWeekEquals', 'dayOfWeekAnyOf'
        ```

        The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and [Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the subject is a locked service-id, the request will fail.

        2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes. Combine conditions to specify an attribute-based condition using AND/OR-based operators. For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

        ```json
        "pattern": "attribute-based-condition:resource:literal-and-wildcard",
        "rule": {
          "operator": "or",
          "conditions": [
            {
              "operator": "and",
              "conditions": [
                {
                  "key": "{{resource.attributes.prefix}}",
                  "operator": "stringEquals",
                  "value": "home/test"
                },
                {
                  "key": "{{environment.attributes.delimiter}}",
                  "operator": "stringEquals",
                  "value": "/"
                }
              ]
            },
            {
              "key": "{{resource.attributes.path}}",
              "operator": "stringMatch",
              "value": "home/David/_*"
            }
          ]
        }
        ```

        In addition to satisfying the `resources` section, the policy grants permission only if either the `path` begins with `home/David/` **OR** the `prefix` is `home/test` and the `delimiter` is `/`. This mechanism helps you consolidate multiple policies into a single policy, making policies easier to administer and helping you stay within the policy limit for an account. View the list of operators that can be used in the condition [here](/docs/account?topic=account-wildcard#string-comparisons).

        ### Authorization

        Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use **`"type": "authorization"`** in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.

        ### Attribute Operators

        Currently, only the `stringEquals` and `stringMatch` operators are available. For more information, see [Assigning access by using wildcard policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).

        ### Attribute Validations

        Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
        Parameters:
        createV2PolicyOptions - the CreateV2PolicyOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type V2Policy
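
        The access-policy constraints listed in the createV2Policy description can be checked locally before a request body is submitted. The following is an added example, not part of the SDK or of IBM's service-side validation; the `subject.attributes` / `resource.attributes` body layout, the function names and the sample identifiers are assumptions, and the operator sets are limited to those named on this page.

```python
import copy

# Constraints taken from the createV2Policy description on this page.
COMBINATION_OPERATORS = {"and", "or"}
TIME_OPERATORS = {
    "timeLessThan", "timeLessThanOrEquals", "timeGreaterThan",
    "timeGreaterThanOrEquals", "dateLessThan", "dateLessThanOrEquals",
    "dateGreaterThan", "dateGreaterThanOrEquals", "dateTimeLessThan",
    "dateTimeLessThanOrEquals", "dateTimeGreaterThan",
    "dateTimeGreaterThanOrEquals", "dayOfWeekEquals", "dayOfWeekAnyOf",
}
STRING_OPERATORS = {"stringEquals", "stringMatch"}
SUBJECT_KEYS = {"iam_id", "access_group_id"}
RESOURCE_SCOPE_KEYS = {"serviceType", "serviceName", "resourceGroupId",
                       "service_group_id"}


def _attribute_map(section, name, findings):
    """Return {key: value} for an attribute list, checking the 1-1,000 length rule."""
    attrs = {}
    for attr in (section or {}).get("attributes", []):
        key, value = attr.get("key"), attr.get("value")
        if not isinstance(value, str) or not 1 <= len(value) <= 1000:
            findings.append(f"{name}.{key}: value must be 1 to 1,000 characters")
        attrs[key] = value
    return attrs


def _check_rule(node, path, findings):
    """Walk a rule tree: each node is a combination or a single condition."""
    if not isinstance(node, dict):
        findings.append(f"{path}: expected an object")
        return
    if "conditions" in node:
        if node.get("operator") not in COMBINATION_OPERATORS:
            findings.append(f"{path}: combination operator must be 'and' or 'or'")
        children = node["conditions"]
        if not isinstance(children, list):
            findings.append(f"{path}: conditions must be a list")
            return
        for i, child in enumerate(children):
            _check_rule(child, f"{path}.conditions[{i}]", findings)
        return
    missing = [f for f in ("key", "operator", "value") if f not in node]
    if missing:
        findings.append(f"{path}: condition is missing {', '.join(missing)}")
    elif node["operator"] not in TIME_OPERATORS | STRING_OPERATORS:
        findings.append(f"{path}: operator {node['operator']!r} is not listed on this page")


def lint_access_policy(body):
    """Return a list of findings for a v2 access-policy body (empty list = clean)."""
    findings = []
    subject = _attribute_map(body.get("subject"), "subject", findings)
    if not subject or not set(subject) <= SUBJECT_KEYS:
        findings.append("subject: use iam_id or access_group_id")
    resource = _attribute_map(body.get("resource"), "resource", findings)
    if not RESOURCE_SCOPE_KEYS & set(resource):
        findings.append("resource: needs serviceType, serviceName, "
                        "resourceGroupId or service_group_id")
    if "accountId" not in resource:
        findings.append("resource: accountId attribute is required")
    if "rule" in body:
        if not body.get("pattern"):
            findings.append("pattern: required when rule is provided")
        _check_rule(body["rule"], "rule", findings)
    return findings


# Constructed sample body: identifiers are placeholders, roles are omitted
# because the checks above do not cover them.
GOOD_BODY = {
    "type": "access",
    "subject": {"attributes": [
        {"key": "iam_id", "operator": "stringEquals", "value": "IBMid-EXAMPLE"}]},
    "resource": {"attributes": [
        {"key": "accountId", "operator": "stringEquals", "value": "EXAMPLE_ACCOUNT_ID"},
        {"key": "serviceName", "operator": "stringEquals", "value": "example-service"}]},
    "pattern": "time-based-conditions:weekly",
    "rule": {"operator": "and", "conditions": [
        {"key": "{{environment.attributes.day_of_week}}", "operator": "dayOfWeekAnyOf",
         "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]},
        {"key": "{{environment.attributes.current_time}}",
         "operator": "timeGreaterThanOrEquals", "value": "09:00:00+00:00"},
        {"key": "{{environment.attributes.current_time}}",
         "operator": "timeLessThanOrEquals", "value": "17:00:00+00:00"}]},
}

# Constructed broken variant: no pattern, no accountId, bad combinator,
# and an upper time bound whose value was dropped.
BAD_BODY = copy.deepcopy(GOOD_BODY)
del BAD_BODY["pattern"]
BAD_BODY["resource"]["attributes"] = BAD_BODY["resource"]["attributes"][1:]
BAD_BODY["rule"]["operator"] = "xor"
del BAD_BODY["rule"]["conditions"][2]["value"]

if __name__ == "__main__":
    for finding in lint_access_policy(BAD_BODY):
        print(finding)
```

        A time-based rule that loses its upper bound or its pattern no longer expresses the intended restriction, so running a check like this in review or CI catches the mistake before the policy is created.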
      • replaceV2Policy

        public com.ibm.cloud.sdk.core.http.ServiceCall<V2Policy> replaceV2Policy​(ReplaceV2PolicyOptions replaceV2PolicyOptions)
        Update a policy. Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.

        ### Access

        To update an access policy, use **`"type": "access"`** in the body. The supported subject attributes are **`iam_id`** and **`access_group_id`**. Use the **`iam_id`** subject attribute to assign access to a user or service-id. Use the **`access_group_id`** subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). The policy resource must include either the **`serviceType`**, **`serviceName`**, **`resourceGroupId`** or **`service_group_id`** attribute and the **`accountId`** attribute.

        In the rule field, you can specify a single condition by using **`key`**, **`value`**, and condition **`operator`**, or a set of **`conditions`** with a combination **`operator`**. The possible combination operators are **`and`** and **`or`**. Currently, we support two types of patterns:

        1. `time-based`: Used to specify a time-based restriction. Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

        ```json
        "rule": {
          "operator": "and",
          "conditions": [{
            "key": "{{environment.attributes.day_of_week}}",
            "operator": "dayOfWeekAnyOf",
            "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
          }, {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeGreaterThanOrEquals",
            "value": "09:00:00+00:00"
          }, {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeLessThanOrEquals",
            "value": "17:00:00+00:00"
          }]
        }
        ```

        You can use the following operators in the **`key`** and **`value`** pair:

        ```
        'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
        'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
        'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
        'dayOfWeekEquals', 'dayOfWeekAnyOf'
        ```

        The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and [Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the subject is a locked service-id, the request will fail.

        2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes. Combine conditions to specify an attribute-based condition using AND/OR-based operators. For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

        ```json
        "pattern": "attribute-based-condition:resource:literal-and-wildcard",
        "rule": {
          "operator": "or",
          "conditions": [
            {
              "operator": "and",
              "conditions": [
                {
                  "key": "{{resource.attributes.prefix}}",
                  "operator": "stringEquals",
                  "value": "home/test"
                },
                {
                  "key": "{{environment.attributes.delimiter}}",
                  "operator": "stringEquals",
                  "value": "/"
                }
              ]
            },
            {
              "key": "{{resource.attributes.path}}",
              "operator": "stringMatch",
              "value": "home/David/_*"
            }
          ]
        }
        ```

        In addition to satisfying the `resources` section, the policy grants permission only if either the `path` begins with `home/David/` **OR** the `prefix` is `home/test` and the `delimiter` is `/`. This mechanism helps you consolidate multiple policies into a single policy, making policies easier to administer and helping you stay within the policy limit for an account. View the list of operators that can be used in the condition [here](/docs/account?topic=account-wildcard#string-comparisons).

        ### Authorization

        To update an authorization policy, use **`"type": "authorization"`** in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId. Assign roles that are supported by the service or platform roles. For more information, see [IAM roles and actions](/docs/account?topic=account-iam-service-roles-actions). The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the [documentation](/docs?tab=all-docs). Both the policy subject and the policy resource must include the **`accountId`** attributes. The policy subject must include either **`serviceName`** or **`resourceGroupId`** (or both) attributes.

        ### Attribute Operators

        Currently, only the `stringEquals` and `stringMatch` operators are available. For more information, see [Assigning access by using wildcard policies](https://cloud.ibm.com/docs/account?topic=account-wildcard).

        ### Attribute Validations

        Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
        Parameters:
        replaceV2PolicyOptions - the ReplaceV2PolicyOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type V2Policy
      • deleteV2Policy

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteV2Policy​(DeleteV2PolicyOptions deleteV2PolicyOptions)
        Delete a policy by ID. Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
        Parameters:
        deleteV2PolicyOptions - the DeleteV2PolicyOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • listPolicyTemplates

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyTemplateCollection> listPolicyTemplates​(ListPolicyTemplatesOptions listPolicyTemplatesOptions)
        List policy templates by attributes. List policy templates and filter by attributes by using query parameters. The following attributes are supported: `account_id`, `policy_service_name`, `policy_service_type`, `policy_service_group_id` and `policy_type`. `account_id` is a required query parameter. These attributes `policy_service_name`, `policy_service_type` and `policy_service_group_id` are mutually exclusive. Only policy templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy templates an empty array is returned.
        Parameters:
        listPolicyTemplatesOptions - the ListPolicyTemplatesOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyTemplateCollection
      • createPolicyTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyTemplateLimitData> createPolicyTemplate​(CreatePolicyTemplateOptions createPolicyTemplateOptions)
        Create a policy template. Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
        Parameters:
        createPolicyTemplateOptions - the CreatePolicyTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyTemplateLimitData
      • getPolicyTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyTemplate> getPolicyTemplate​(GetPolicyTemplateOptions getPolicyTemplateOptions)
        Retrieve latest version of a policy template. Retrieve the latest version of a policy template by providing a policy template ID.
        Parameters:
        getPolicyTemplateOptions - the GetPolicyTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyTemplate
      • deletePolicyTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deletePolicyTemplate​(DeletePolicyTemplateOptions deletePolicyTemplateOptions)
        Delete a policy template. Delete a policy template by providing the policy template ID. This deletes all versions of this template. A policy template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the policy assignments first.
        Parameters:
        deletePolicyTemplateOptions - the DeletePolicyTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • replacePolicyTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyTemplate> replacePolicyTemplate​(ReplacePolicyTemplateOptions replacePolicyTemplateOptions)
        Update a policy template version. Update a specific version of a policy template. You can use this only if the version isn't committed.
        Parameters:
        replacePolicyTemplateOptions - the ReplacePolicyTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyTemplate
      • deletePolicyTemplateVersion

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deletePolicyTemplateVersion​(DeletePolicyTemplateVersionOptions deletePolicyTemplateVersionOptions)
        Delete a policy template version. Delete a specific version of a policy template by providing a policy template ID and version number. You can't delete a policy template version that is assigned to one or more child accounts. You must remove the policy assignments first.
        Parameters:
        deletePolicyTemplateVersionOptions - the DeletePolicyTemplateVersionOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • getPolicyTemplateVersion

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyTemplate> getPolicyTemplateVersion​(GetPolicyTemplateVersionOptions getPolicyTemplateVersionOptions)
        Retrieve a policy template version. Retrieve a policy template by providing a policy template ID and version number.
        Parameters:
        getPolicyTemplateVersionOptions - the GetPolicyTemplateVersionOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyTemplate
      • commitPolicyTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> commitPolicyTemplate​(CommitPolicyTemplateOptions commitPolicyTemplateOptions)
        Commit a policy template version. Commit a policy template version. You can make no further changes to the policy template once it's committed. If you need to make updates after committing a version, create a new version.
        Parameters:
        commitPolicyTemplateOptions - the CommitPolicyTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • listPolicyAssignments

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyTemplateAssignmentCollection> listPolicyAssignments​(ListPolicyAssignmentsOptions listPolicyAssignmentsOptions)
        Get policy template assignments. Get policy template assignments by attributes. The following attributes are supported: `account_id`, `template_id`, `template_version`, `sort`. `account_id` is a required query parameter. Only policy template assignments that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy template assignments, an empty array is returned.
        Parameters:
        listPolicyAssignmentsOptions - the ListPolicyAssignmentsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyTemplateAssignmentCollection
      • updatePolicyAssignment

        public com.ibm.cloud.sdk.core.http.ServiceCall<PolicyAssignmentV1> updatePolicyAssignment​(UpdatePolicyAssignmentOptions updatePolicyAssignmentOptions)
        Update a policy authorization type assignment. Update a policy assignment by providing a policy assignment ID.
        Parameters:
        updatePolicyAssignmentOptions - the UpdatePolicyAssignmentOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type PolicyAssignmentV1
      • deletePolicyAssignment

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deletePolicyAssignment​(DeletePolicyAssignmentOptions deletePolicyAssignmentOptions)
        Remove a policy assignment. Remove a policy template assignment by providing a policy assignment ID. You can't delete a policy assignment if the status is "in_progress".
        Parameters:
        deletePolicyAssignmentOptions - the DeletePolicyAssignmentOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • updateSettings

        public com.ibm.cloud.sdk.core.http.ServiceCall<AccountSettingsAccessManagement> updateSettings​(UpdateSettingsOptions updateSettingsOptions)
        Update Access Management account settings by account ID. Update access management settings for an account.

        ### External Account Identity Interaction

        Update the way identities within an external account are allowed to interact with the requested account by providing:
        * the `account_id` as a parameter
        * one or more external account ID(s) and state for the specific identity in the request body

        External account identity interaction includes the following `identity_types`: `user` (user identities that are defined as [IBMid's](https://cloud.ibm.com/docs/account?topic=account-identity-overview#users-bestpract)), `service_id` (defined as [IAM ServiceIds](https://cloud.ibm.com/docs/account?topic=account-identity-overview#serviceid-bestpract)), `service` (defined by a service’s [CRN](https://cloud.ibm.com/docs/account?topic=account-crn)). To update an Identity’s setting, the `state` and `external_allowed_accounts` fields are required.

        Different identity states are:
        * "enabled": An identity type is allowed to access resources in the account provided it has access policies on those resources.
        * "limited": An identity type is allowed to access resources in the account provided it has access policies on those resources AND it is associated with either the account the resources are in or one of the allowed accounts. This setting uses the "external_allowed_accounts" list.
        * "monitor": It has no direct impact on an Identity’s access. Instead, it creates AT events for access decisions as if the account were in a limited “state”.

        **Note**: The state "enabled" is a special case. In this case, access is given to all accounts and there is no need to specify a particular list. Therefore, when updating "state" to "enabled" for an identity type "external_allowed_accounts" should be left empty.
        Parameters:
        updateSettingsOptions - the UpdateSettingsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type AccountSettingsAccessManagement
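
        The three identity states described for updateSettings, modelled locally so a settings change can be checked before it is sent. This is an added example, not SDK or service code: every type and method name is hypothetical, the account IDs are constructed, and the content of the "monitor" audit note is a simplification of the AT event the description mentions. It requires Java 16 or later for records.

```java
import java.util.List;

// Added example: local model of the "enabled" / "limited" / "monitor" states.
// All names are hypothetical; none of these are IamPolicyManagement SDK types.
public class ExternalIdentityStateCheck {

    enum State { ENABLED, LIMITED, MONITOR }

    // One identity type's setting: the two fields the description marks as required.
    record IdentitySetting(State state, List<String> externalAllowedAccounts) {}

    // auditNote is null unless the state is MONITOR (assumed shape of the audit record).
    record Decision(boolean allowed, String auditNote) {}

    // Reject a setting that contradicts the documented rules before it is sent.
    static void validate(IdentitySetting s) {
        if (s.state() == null || s.externalAllowedAccounts() == null) {
            throw new IllegalArgumentException("state and external_allowed_accounts are required");
        }
        if (s.state() == State.ENABLED && !s.externalAllowedAccounts().isEmpty()) {
            throw new IllegalArgumentException("\"enabled\" must leave external_allowed_accounts empty");
        }
    }

    // Decide access for an identity that belongs to identityAccount.
    static Decision evaluate(IdentitySetting s, String resourceAccount,
                             String identityAccount, boolean hasPolicy) {
        validate(s);
        boolean associated = identityAccount.equals(resourceAccount)
                || s.externalAllowedAccounts().contains(identityAccount);
        boolean asLimited = hasPolicy && associated;
        switch (s.state()) {
            case LIMITED: return new Decision(asLimited, null);
            case MONITOR: return new Decision(hasPolicy, "limited would " + (asLimited ? "allow" : "deny"));
            default:      return new Decision(hasPolicy, null); // ENABLED: policy alone decides
        }
    }

    public static void main(String[] args) {
        // Constructed account IDs, for illustration only.
        IdentitySetting limited = new IdentitySetting(State.LIMITED, List.of("acct-partner"));
        IdentitySetting monitor = new IdentitySetting(State.MONITOR, List.of("acct-partner"));
        System.out.println(evaluate(limited, "acct-home", "acct-partner", true));
        System.out.println(evaluate(limited, "acct-home", "acct-other", true));
        System.out.println(evaluate(monitor, "acct-home", "acct-other", true));
    }
}
```

        Running a proposed allow-list through the "monitor" branch first shows which identities a later switch to "limited" would cut off.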
      • listActionControlTemplates

        public com.ibm.cloud.sdk.core.http.ServiceCall<ActionControlTemplateCollection> listActionControlTemplates​(ListActionControlTemplatesOptions listActionControlTemplatesOptions)
        List action control templates by attributes. List action control templates and filter by attributes by using query parameters. The following attributes are supported: `account_id`. `account_id` is a required query parameter. Only action control templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any action control templates, an empty array is returned.
        Parameters:
        listActionControlTemplatesOptions - the ListActionControlTemplatesOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type ActionControlTemplateCollection
      • getActionControlTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<ActionControlTemplate> getActionControlTemplate​(GetActionControlTemplateOptions getActionControlTemplateOptions)
        Retrieve the latest version of an action control template. Retrieve the latest version of an action control template by providing an action control template ID.
        Parameters:
        getActionControlTemplateOptions - the GetActionControlTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type ActionControlTemplate
      • deleteActionControlTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteActionControlTemplate​(DeleteActionControlTemplateOptions deleteActionControlTemplateOptions)
        Delete an action control template. Delete an action control template by providing the action control template ID. This deletes all versions of this template. An action control template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the action control assignments first.
        Parameters:
        deleteActionControlTemplateOptions - the DeleteActionControlTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • createActionControlTemplateVersion

        public com.ibm.cloud.sdk.core.http.ServiceCall<ActionControlTemplate> createActionControlTemplateVersion​(CreateActionControlTemplateVersionOptions createActionControlTemplateVersionOptions)
        Create a new action control template version. Create a new version of an action control template. Use this if you need to make updates to an action control template that is committed.
        Parameters:
        createActionControlTemplateVersionOptions - the CreateActionControlTemplateVersionOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type ActionControlTemplate
      • deleteActionControlTemplateVersion

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteActionControlTemplateVersion​(DeleteActionControlTemplateVersionOptions deleteActionControlTemplateVersionOptions)
        Delete an action control template version. Delete a specific version of an action control template by providing an action control template ID and version number. You can't delete an action control template version that is assigned to one or more child accounts. You must remove the action control assignments first.
        Parameters:
        deleteActionControlTemplateVersionOptions - the DeleteActionControlTemplateVersionOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • commitActionControlTemplate

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> commitActionControlTemplate​(CommitActionControlTemplateOptions commitActionControlTemplateOptions)
        Commit an action control template version. Commit an action control template version. You cannot make any further changes to the action control template once it's committed. If you have to make updates after committing a version, create a new version.
        Parameters:
        commitActionControlTemplateOptions - the CommitActionControlTemplateOptions containing the options for the call
        Returns:
        a ServiceCall with a void result
      • listActionControlAssignments

        public com.ibm.cloud.sdk.core.http.ServiceCall<ActionControlAssignmentCollection> listActionControlAssignments​(ListActionControlAssignmentsOptions listActionControlAssignmentsOptions)
        Get action control template assignments. Get action control template assignments by attributes. The following attributes are supported: `account_id`, `template_id`, `template_version`, `sort`. `account_id` is a required query parameter. Only action control template assignments with the specified attributes and accessible by the caller are returned. If the caller does not have read access to any action control template assignments, an empty array is returned.
        Parameters:
        listActionControlAssignmentsOptions - the ListActionControlAssignmentsOptions containing the options for the call
        Returns:
        a ServiceCall with a result of type ActionControlAssignmentCollection
      • deleteActionControlAssignment

        public com.ibm.cloud.sdk.core.http.ServiceCall<java.lang.Void> deleteActionControlAssignment​(DeleteActionControlAssignmentOptions deleteActionControlAssignmentOptions)
        Remove an action control assignment. Remove an action control template assignment by providing an action control assignment ID. You can't delete an action control assignment if the status is "in_progress".
        Parameters:
        deleteActionControlAssignmentOptions - the DeleteActionControlAssignmentOptions containing the options for the call
        Returns:
        a ServiceCall with a void result