{"activeVersionTag":"latest","latestAvailableVersionTag":"latest","collection":{"info":{"_postman_id":"073108dd-d0ec-453e-87c3-c343dddfef49","name":"12.6.x","description":"### Background\n\nWe are adhering to REST API best practices in the creation of this documentation.\n\nWe are adhering to [http://github.com/Microsoft/api-guidelines/blob/vNext/Guidelines.md](http://github.com/Microsoft/api-guidelines/blob/vNext/Guidelines.md) except where explicitly listed **in this documentation.**\n\nIDAPI references - [https://bravurasecuritydocs.com/release126/content/en/api.pdf](https://bravurasecuritydocs.com/release126/content/en/api.pdf)\n\nQuick start and Bravura Security Fabric console options - [https://bravurasecuritydocs.com/release126/#/home/API/10/11](https://bravurasecuritydocs.com/release126/#/home/API/10/11)\n\n#### Backwards compatibility\n\nBravura Security's REST API version will be incremented if a backwards incompatible change has been introduced. And if a backwards compatibility item is introduced we will do everything we can to preserve the past definition of the API for the period of time the versions are in support. A breaking change on the API that violates this will only be considered if a security concern or data loss issue is flagged in the API in question that would warrant a break.\n\n### Language tags\n\nLanguage tags across the board are NOT currently translated or expanded.\n\nAny intention of returning human readable values should take this into account and either return known-readable values or designs should incorporate non-language tag based content.\n\nThis is not specific to question and answer endpoints.\n\n### Resource Summary\n\n| **Resource** | **Description** | **Version** |\n| --- | --- | --- |\n| Account | An account is an object identified and discovered from a target system. It can be referenced by other resources such as User resources and Managed Account resources. 
An account can hold multiple Group Member references that explain the groups it’s a member of and attributes of that membership. | 1 |\n| Attribute | An attribute is an object identified and discovered from a target system, profile or group. It can be referenced by other resources such as User resources, Managed Account resources, Account resources and Group resources. An attribute may hold multiple values. | 1 |\n| Credential | A credential is referenced by a User. It can take the form of a password and/or a Question/Answer. A user can reference multiple credentials. | 1 |\n| Group | A group is a resource identified and discovered from a target system. It references a collection of memberships and attributes. | 1 |\n| Managed Account | A managed account is an account whose secrets we are also managing. It references an account resource and can have multiple secrets associated with it. In the future it might be similar to a Managed Group where it can hold direct policies about how the account should be governed. For example, a user account vs a service account. | 1 |\n| Managed System Policy | A managed system policy is a resource that is defined in Bravura Security Fabric. It references a collection of managed systems and managed accounts. | 1 |\n| Managed System | A managed system is a resource that is defined in Bravura Security Fabric. It references managed accounts. | 1 |\n| Operation | An operation is an object that defines a task that has been submitted by the API. It references the execution details and the status of the task. | 1 |\n| Policy | A policy is a reference to the Rego policies that are used for Authorization in the REST API. | 1 |\n| Secret | A secret is referenced by a Managed Account. It can take the form of a password and/or a file. A managed account can reference multiple secrets but in common operation it’s often limited to just one secret. 
| 1 |\n| Target Group | A target group is an object defined in Bravura Security Fabric and is a collection of target systems sharing a password policy. | 1 |\n| Target System | A target system is an object defined in Bravura Security Fabric. It contains a collection of accounts and groups. | 1 |\n| User | A user is a person who can log into the Bravura Security Fabric. They can have multiple accounts associated with them. The object can also reference attributes. | 1 |\n\n### Authentication\n\nTo authenticate a request, add a bearer token to the Authorization HTTP header.\n\n#### Retrieving a bearer token\n\nThe REST API has an IdentityServer established to mint bearer tokens. To authenticate, follow the **Resource owner password** grant type for IdentityServer4.\n\n##### Authentication Example\n\nFor external authentication to the REST API, the client ID is `passwordclient`. There is no client secret. For a user to be able to authenticate externally, they must be a member of the `_EXPLICIT_REST_API_USERS_` user class.\n\n```\nPOST {{scheme}}://{{hostname}}/{{instancename}}/identity/connect/token\nContent-Type: application/x-www-form-urlencoded\n\n    client_id=passwordclient&\n    grant_type=password&\n    username={{username}}&\n    password={{password}}\n\n ```\n\nThe resulting response will provide an `access_token` which is the bearer token used for the Authorization HTTP header in the REST API requests. 
The response also includes a `refresh_token` which can be used to extend the lifetime of the authenticated user's session.\n\nExample response:\n\n``` json\n{\n    \"access_token\": \"FB1A619D121BA73B52B5BF2FD96D3669075A158918A66FC6E5D4845CEA035F29\",\n    \"expires_in\": 3600,\n    \"token_type\": \"Bearer\",\n    \"refresh_token\": \"D2FE60948CA91B61C8EC82BD9D2183FC1F5B7E7A41A47D1F0BE749A00F3E0F4E\",\n    \"scope\": \"api.read api.write offline_access\"\n}\n\n ```\n\n### Authorization\n\nFor authorization to endpoints, policy-based access control (PBAC) has been implemented in the REST API using [Open Policy Agent](https://www.openpolicyagent.org/) (OPA). Each endpoint is protected by one or more policies, and the policies are written using OPA's native query language Rego. For more information on Rego, see [here](https://www.openpolicyagent.org/docs/latest/policy-language/).\n\nEach policy can be modified using the REST API; Bravura Security Fabric offers a few custom functions that can be used in Rego, and all data referenced in the policies follow the REST API models.\n\n| **Policy ID** | **Default Authorization** |\n| --- | --- |\n| generic_policy | \\- User has superuser privileges |\n| accounts_get | \\- End users can get their own account  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can get another user's account |\n| accounts_get_list | \\- End users can list their own accounts  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can list accounts of other users |\n| accounts_patch | \\- End users can patch their own accounts  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can patch accounts of other users |\n| accounts_patch_replace_locked | \\- End users can unlock their own accounts  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can unlock accounts of other users |\n| accounts_patch_replace_password | \\- End users can replace their own 
accounts' passwords  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can unlock accounts of other users |\n| accounts_patch_test_locked | \\- End users can check if their own accounts are locked  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can check if accounts of other users are locked |\n| accounts_patch_test_password | \\- End users can test their own accounts' passwords  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can test accounts of other users passwords |\n| accounts_post | \\- End users can make POST requests for their own accounts  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can make POST requests for accounts of other users |\n| accounts_post_generate_password | \\- End users can generate passwords for their own accounts  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can generate passwords for accounts of other users |\n| operations_get | \\- End users can get their own operation |\n| operations_get_list | \\- End users can list their own operations |\n| users_accounts_get_list | \\- End users can list their own accounts  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can list accounts of other users |\n| users_attributes_data_value_get | \\- End users can get the value of their own user attributes |\n| users_attributes_data_value_value_get | \\- End users can get the value of their own user attributes |\n| users_attributes_get | \\- End users can get their own user attribute |\n| users_attributes_get_list | \\- End users can list their own user attributes |\n| users_credentials_delete | \\- End users can delete their own credentials  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can delete another user's credentials |\n| users_credentials_get | \\- End users can get their own credentials  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` 
or `_HELP_DESK_MANAGERS_` can get another user's credential |\n| users_credentials_get_list | \\- End users can list their own credentials  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can list another user's credentials |\n| users_credentials_patch | \\- End users can patch their own credentials  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can patch another user's credentials |\n| users_credentials_patch_add_value | \\- End users can add their own credential value  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can add another user's credential value |\n| users_credentials_patch_remove_value | \\- End users can remove their own credential value  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can remove another user's credential value |\n| users_credentials_patch_replace_value | \\- End users can replace their own credential value  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can replace another user's credential value |\n| users_credentials_patch_test_value | \\- End users can test their own credential value  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can test another user's credential value |\n| users_credentials_post_create | \\- End users can create their own credential  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can create another user's credential |\n| users_credentials_question_get_list | \\- End users can list their own credentials of type **Question**  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can list another user's credentials of type **Question** |\n| users_credentials_question_post_create | \\- End users can create their own **Question** credential  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can create another user's **Question** credential |\n| 
users_credentials_value_get | \\- Denied |\n| users_credentials_value_value_get | \\- Denied |\n| users_get | \\- End users can get their own user profile  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can get another's user profile |\n| users_get_list | \\- End users can list their own user profiles  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can list others user profiles |\n| users_patch | \\- End users can patch their own user profile  <br>\\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can patch another user's user profile |\n| users_patch_add_attributes | \\- End users can add their own attributes |\n| users_patch_remove_attributes | \\- End users can remove their own attributes |\n| users_patch_replace_attributes | \\- End users can replace their own attributes |\n| users_patch_replace_enabled | \\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can enable/disable another user's user profile |\n| users_patch_replace_locked | \\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can unlock another user's user profile |\n| users_patch_test_enabled | \\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can check if another user's user profile is enabled |\n| users_patch_test_locked | \\- Users in user classes `_GLOBAL_HELP_DESK_` or `_HELP_DESK_MANAGERS_` can check if another user's user profile is locked |\n\n#### Workflow\n\nIn the diagram below, an example workflow for a REST API request is shown. When a request is submitted to the REST API, we send a query object to the Open Policy Agent SDK; OPA reaches out to our product database for data, as well as our authorization policies, and uses custom functions (eg. CheckUserclassMembership) to check for more complex access. 
When the policy decision is returned to the REST API, the queryable is modified to contain the filters required to ensure that the authorized data is returned as the response. If no access has been granted, a **404 Not Found** response will be returned.\n\n<img src=\"https://content.pstmn.io/ee4984de-d99b-4100-8bf6-b69222f40d66/UkVTVCBBUEkgLSBBdXRoWiBXb3JrZmxvdy5wbmc=\">\n\n**N.B.** Some endpoints will check multiple policies, due to the nested nature of the endpoint. In those cases, if access is denied at any point, the entire request is denied, and a **404 Not Found** response will be returned. Policies will be evaluated in the order in which they appear in the ordered list in the documentation.\n\n##### Example\n\nEndpoint: `GET /users({key})/attributes`\n\nPolicies:\n\n1. users_get\n2. users_attributes_get_list\n\nThe `users_get` policy will be evaluated first; if denied, a **404 Not Found** response is returned, else `users_attributes_get_list` is evaluated.\n\n#### Custom Rego Functions\n\nTo extend the capabilities of Rego, some custom functions have been added to it to allow more complex product queries.\n\n| **Function Signature** | **Description** |\n| --- | --- |\n| IsSuperuser(_**string**_ _userguid_) | Provided a user's unique identifier, returns true if the user has superuser privileges. |\n| CheckUserclassMembership(_**string**_ _userclass_, _**string**_ _userguid_) | Provided a user class identifier and a user's unique identifier, returns true if the user is a member of the user class. 
|","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","isPublicCollection":false,"owner":"7060447","team":3283228,"collectionId":"073108dd-d0ec-453e-87c3-c343dddfef49","publishedId":"2s93eVXE6s","public":true,"publicUrl":"https://documenter-api.postman.tech/view/7060447/2s93eVXE6s","privateUrl":"https://go.postman.co/documentation/7060447-073108dd-d0ec-453e-87c3-c343dddfef49","customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"},"documentationLayout":"classic-double-column","customisation":{"metaTags":[{"name":"description","value":""},{"name":"title","value":""}],"appearance":{"default":"light","themes":[{"name":"dark","logo":null,"colors":{"top-bar":"212121","right-sidebar":"303030","highlight":"FF6C37"}},{"name":"light","logo":null,"colors":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"}}]}},"version":"8.10.0","publishDate":"2024-05-13T04:41:44.000Z","activeVersionTag":"latest","documentationTheme":"light","metaTags":{"title":"","description":""},"logos":{"logoLight":null,"logoDark":null}},"statusCode":200},"environments":[],"user":{"authenticated":false,"permissions":{"publish":false}},"run":{"button":{"js":"https://run.pstmn.io/button.js","css":"https://run.pstmn.io/button.css"}},"web":"https://www.getpostman.com/","team":{"logo":"https://res.cloudinary.com/postman/image/upload/t_team_logo_pubdoc/v1/team/40ede95af1caa0cd3a68d5aeff5d740557ca121fe1908a5e9d0759ff588451b4","favicon":""},"isEnvFetchError":false,"canonicalUrl":"https://documenter.gw.postman.com/view/metadata/2s93eVXE6s"}