User Permissions¶
But drnic
cannot use uaa
CLI to perform other API requests that have not been permitted to drnic
, that uaa
has requested from drnic
, or that drnic
has not permitted to uaa
application:
$ uaa list-clients --verbose
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"uaa.admin clients.read clients.admin zones.uaa.admin"}
$ uaa list-users --verbose
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"uaa.admin scim.read zones.uaa.admin"}
$ uaa get-user drnic --verbose
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"uaa.admin scim.read zones.uaa.admin"}
$ uaa create-user foo --email foo@bar.com --givenName Foo --familyName Bar --verbose
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"uaa.admin scim.write scim.create zones.uaa.admin"}
Each new user is automatically added as a member of various groups:
uaa get-user drnic | jq -r ".groups[].display" | sort
The output might be similar to:
approvals.me
oauth.approvals
openid
password.write
profile
roles
scim.me
uaa.offline_token
uaa.user
user_attributes
To start to learn what authorizations/priveleges each group provides:
uaa list-groups | jq -r ".resources[] | {displayName, description}"
An interesting selection of the output is:
{
"displayName": "openid",
"description": "Access profile information, i.e. email, first and last name, and phone number"
}
{
"displayName": "password.write",
"description": "Change your password"
}
{
"displayName": "uaa.user",
"description": "Act as a user in the UAA"
}
{
"displayName": "scim.userids",
"description": "Read user IDs and retrieve users by ID"
}
{
"displayName": "scim.invite",
"description": "Send invitations to users"
}
{
"displayName": "uaa.none",
"description": "Forbid acting as a user"
}
Comparing the two lists, we see that the drnic
user will be granted permission to:
openid
- Access profile information, i.e. email, first and last name, and phone numberpassword.write
- Change your own passworduaa.user
- Act as a user in the UAA
From the sample list of available authorization groups, we can note that drnic
user is not in the following groups:
scim.userids
- cannot read the user IDs nor retrieve users by IDscim.invite
- is not allowed to send invites to other usersuaa.node
- is not forbidden from acting as a user
In the subsequent sections we will allow our new users to "login" and authorize the uaa
CLI to interact with the UAA on their behalf.