Cloudentity Organization Service API

To be called by a customer using an apiKey. Gets the record for the calling customer.

The CUSTOMER_GET_ITSELF entitlement is required, but is granted to customers by default and is unrevokable.

This API uses the same request authorization headers as POST /apiKey/entitlement/validate (Validate Entitlements using API Key). See documentation for that API for details about authorization header inputs.

Get a customer record from the datastore.

This API accepts one of the following authentication mechanisms: - session token header, - HMAC headers with valid API key - valid JWT header in bearer format

When session or HMAC authentication is used then the ADMIN_GET_CUSTOMER entitlement is required. For HMAC see the API Key Validation API documentation for more details about HMAC headers. The principal entity (user or application calling this API) may only retrieve the requested customer if any of the following conditions are met: - The principal entity has the "ADMIN_ALL_CUSTOMERS" entitlement - The requested customer exists in the customers attribute of the principal entity - The system configuration restrictCustomerAccess is false

Otherwise, a Customer.NotFound error will be returned, even if the customer exists in the system.

Update a customer record in the datastore.

The ADMIN_UPDATE_CUSTOMER entitlement is required.

Cannot remove; cid, customerAlias, customerName, eulaRevision

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

If the customer EULA revision is changed - Loop through each user associated to this customer – Set user’s EULA acceptance to false – Set user’s EULA revision to the customer EULA revision

The principal entity (user or application calling this API) may only update the requested customer if any of the following conditions are met: - The principal entity has the "ADMIN_ALL_CUSTOMERS" entitlement - The requested customer exists in the customers attribute of the principal entity - The system configuration restrictCustomerAccess is false

Otherwise, a Customer.NotFound error will be returned, even if the customer exists in the system.

Removes the customer record.

Any users associated with this customer will be deleted; any of their active sessions will also be invalidated.

The ADMIN_DELETE_CUSTOMER entitlement is required.

Activate a customer allowing users to access the system.

The ADMIN_ACTIVATE_CUSTOMER entitlement is required.

Automatically sets the activationDate attribute to today’s date and time.

The following customer attributes are set automatically - status = active - recordUpdated = timestamp - recordUpdater = admin uuid

Deactivate a customer disallowing users to access the system.

The ADMIN_DEACTIVATE_CUSTOMER entitlement is required.

The following customer attributes are set automatically - status = inactive - recordUpdated = timestamp - recordUpdater = admin uuid

Grant an entitlement identified by entitlementName to a customer identified by customerIdentifier.

The ADMIN_GRANT_ENTITLEMENT_TO_CUSTOMER entitlement is required.

The ADMIN_GRANT_ANY_ENTITLEMENT entitlement is required to grant entitlements unowned by the current user. If the current user owns neither the target entitlement nor the ADMIN_GRANT_ANY_ENTITLEMENT entitlement, an Authorization.Unauthorized error will be returned.

Core entitlements may not be granted to customers. If the entitlement to be granted is a core entitlement, an Entitlement.CoreNotAllowed error will be returned.

The entitlement will be recursively granted to all customer admins, based on the identifiers in this customer’s adminEmails list.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

Revoke an entitlement identified by entitlementName from a customer identified by customerIdentifier.

The ADMIN_REVOKE_ENTITLEMENT_FROM_CUSTOMER entitlement is required.

The ADMIN_REVOKE_ANY_ENTITLEMENT entitlement is required to revoke entitlements unowned by the current user. If the current user owns neither the target entitlement nor the ADMIN_REVOKE_ANY_ENTITLEMENT entitlement, an Authorization.Unauthorized error will be returned.

Core entitlements may not be revoked from customers. If the entitlement to be revoked is a core entitlement, an Entitlement.CoreNotAllowed error will be returned.

IMPORTANT: The entitlement will be recursively revoked from all users associated with this customer.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

Grant an entitlement group identified by entitlementName to a customer identified by customerIdentifier.

The ADMIN_GRANT_ENTITLEMENT_GROUP_TO_CUSTOMER entitlement is required.

In order to grant an entitlement group, at least one of the following conditions must be met: * The current user must own the target group * The current user must own each entitlement in the target group, through some combination of individual entitlements or other groups * The current user must own the ADMIN_GRANT_ANY_ENTITLEMENT_GROUP entitlement

If none of these conditions is met, an Authorization.Unauthorized error will be returned.

Core entitlements may not be granted to customers; therefore, groups which could contain core entitlements also cannot be granted to customers. If the allowCoreEntitlements attribute of the group is true, an Entitlement.CoreNotAllowed error will be returned.

The entitlement group will be recursively granted to all customer admins, based on the identifiers in this customer’s adminEmails list.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

group

Get the list of entitlement groups assigned to the customer identified by customerIdentifier.

The ADMIN_GET_CUSTOMER_ENTITLEMENT_GROUPS entitlement is required.

Also returns the list of effective entitlement groups (completeGroups) available to the customer. Effective entitlement groups are any group defined in the system that meets one of the following requirements: * The customer owns the group and the group exists in the system, or * The customer owns each entitlement in the group, through some combination of individual entitlements or other groups, and the group and all member entitlements are defined in the system.

Revoke an entitlement group from a customer identified by {customerIdentifier}

The ADMIN_REVOKE_ENTITLEMENT_GROUP_FROM_CUSTOMER entitlement is required.

In order to revoke an entitlement group, at least one of the following conditions must be met: * The current user must own the target group * The current user must own each entitlement in the target group, through some combination of individual entitlements or other groups * The current user must own the ADMIN_REVOKE_ANY_ENTITLEMENT_GROUP entitlement

If none of these conditions is met, an Authorization.Unauthorized error will be returned.

IMPORTANT: The entitlement group will be recursively revoked from every user belonging to this customer.

Note that this API only revokes an entitlement group. Any constituent entitlements still owned by the target customer (standalone or as part of other groups) will not be revoked automatically.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

Get the list of entitlements assigned to the customer identified by customerIdentifier.

The ADMIN_GET_CUSTOMER_ENTITLEMENTS entitlement is required.

Also returns the list of effective entitlements (completeEntitlements) available to the customer. Effective entitlements are any entitlement defined in the system that meets one of the following requirements: * The customer owns the entitlement and the entitlement exists in the system, or * The customer owns a group containing the entitlement, and both the entitlement and the group exist in the system.

Create a new customer in the user store.

The ADMIN_CREATE_CUSTOMER entitlement is required.

Required parameters: cid, customerAlias, customerName, eulaRevision

Note that the customer will be created without an API key. A call to "Reset Customer API Key" is necessary to generate the first API key for a new customer.

The following customer attributes are set automatically - status = inactive if not specified as body param - recordCreated = timestamp - recordCreator = admin uuid - recordUpdated = timestamp - recordUpdater = admin uuid - eulaAutomaticApproval, if not provided = false

Optional allowPublicRegistration attribute determines whether public registration should be allowed or not.

Upon successful creation of a customer, the CID of the newly created customer will be added to the customers list of the calling admin.

Return a list of all customers matching the search criteria.

The ADMIN_LIST_CUSTOMERS entitlement is required.

This API accepts either a valid session token header, or the three HMAC headers with valid API key, as authentication. See the API Key Validation API documentation for more details about HMAC headers. If the principal entity (user or application calling this API) has the "ADMIN_ALL_CUSTOMERS" entitlement, or the system configuration restrictCustomerAccess is false, all customers will be available and the filter request parameter will be accepted and used. Otherwise, only the customers available in the customers attribute of the principal entity will be returned, and the filter request parameter will be ignored.

To be called by a customer using an apiKey. Gets the record for the calling customer.

The CUSTOMER_GET_ITSELF entitlement is required, but is granted to customers by default and is unrevokable.

This API uses the same request authorization headers as POST /apiKey/entitlement/validate (Validate Entitlements using API Key). See documentation for that API for details about authorization header inputs.

Get a customer record from the datastore.

This API accepts one of the following authentication mechanisms: - session token header, - HMAC headers with valid API key - valid JWT header in bearer format

When session or HMAC authentication is used then the ADMIN_GET_CUSTOMER entitlement is required. For HMAC see the API Key Validation API documentation for more details about HMAC headers. The principal entity (user or application calling this API) may only retrieve the requested customer if any of the following conditions are met: - The principal entity has the "ADMIN_ALL_CUSTOMERS" entitlement - The requested customer exists in the customers attribute of the principal entity - The system configuration restrictCustomerAccess is false

Otherwise, a Customer.NotFound error will be returned, even if the customer exists in the system.

Update a customer record in the datastore.

The ADMIN_UPDATE_CUSTOMER entitlement is required.

Cannot remove; cid, customerAlias, customerName, eulaRevision

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

If the customer EULA revision is changed - Loop through each user associated to this customer – Set user’s EULA acceptance to false – Set user’s EULA revision to the customer EULA revision

The principal entity (user or application calling this API) may only update the requested customer if any of the following conditions are met: - The principal entity has the "ADMIN_ALL_CUSTOMERS" entitlement - The requested customer exists in the customers attribute of the principal entity - The system configuration restrictCustomerAccess is false

Otherwise, a Customer.NotFound error will be returned, even if the customer exists in the system.

Removes the customer record.

Any users associated with this customer will be deleted; any of their active sessions will also be invalidated.

The ADMIN_DELETE_CUSTOMER entitlement is required.

Activate a customer allowing users to access the system.

The ADMIN_ACTIVATE_CUSTOMER entitlement is required.

Automatically sets the activationDate attribute to today’s date and time.

The following customer attributes are set automatically - status = active - recordUpdated = timestamp - recordUpdater = admin uuid

Deactivate a customer disallowing users to access the system.

The ADMIN_DEACTIVATE_CUSTOMER entitlement is required.

The following customer attributes are set automatically - status = inactive - recordUpdated = timestamp - recordUpdater = admin uuid

Grant an entitlement identified by entitlementName to a customer identified by customerIdentifier.

The ADMIN_GRANT_ENTITLEMENT_TO_CUSTOMER entitlement is required.

The ADMIN_GRANT_ANY_ENTITLEMENT entitlement is required to grant entitlements unowned by the current user. If the current user owns neither the target entitlement nor the ADMIN_GRANT_ANY_ENTITLEMENT entitlement, an Authorization.Unauthorized error will be returned.

Core entitlements may not be granted to customers. If the entitlement to be granted is a core entitlement, an Entitlement.CoreNotAllowed error will be returned.

The entitlement will be recursively granted to all customer admins, based on the identifiers in this customer’s adminEmails list.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

Revoke an entitlement identified by entitlementName from a customer identified by customerIdentifier.

The ADMIN_REVOKE_ENTITLEMENT_FROM_CUSTOMER entitlement is required.

The ADMIN_REVOKE_ANY_ENTITLEMENT entitlement is required to revoke entitlements unowned by the current user. If the current user owns neither the target entitlement nor the ADMIN_REVOKE_ANY_ENTITLEMENT entitlement, an Authorization.Unauthorized error will be returned.

Core entitlements may not be revoked from customers. If the entitlement to be revoked is a core entitlement, an Entitlement.CoreNotAllowed error will be returned.

IMPORTANT: The entitlement will be recursively revoked from all users associated with this customer.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

Grant an entitlement group identified by entitlementName to a customer identified by customerIdentifier.

The ADMIN_GRANT_ENTITLEMENT_GROUP_TO_CUSTOMER entitlement is required.

In order to grant an entitlement group, at least one of the following conditions must be met: * The current user must own the target group * The current user must own each entitlement in the target group, through some combination of individual entitlements or other groups * The current user must own the ADMIN_GRANT_ANY_ENTITLEMENT_GROUP entitlement

If none of these conditions is met, an Authorization.Unauthorized error will be returned.

Core entitlements may not be granted to customers; therefore, groups which could contain core entitlements also cannot be granted to customers. If the allowCoreEntitlements attribute of the group is true, an Entitlement.CoreNotAllowed error will be returned.

The entitlement group will be recursively granted to all customer admins, based on the identifiers in this customer’s adminEmails list.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

group

Get the list of entitlement groups assigned to the customer identified by customerIdentifier.

The ADMIN_GET_CUSTOMER_ENTITLEMENT_GROUPS entitlement is required.

Also returns the list of effective entitlement groups (completeGroups) available to the customer. Effective entitlement groups are any group defined in the system that meets one of the following requirements: * The customer owns the group and the group exists in the system, or * The customer owns each entitlement in the group, through some combination of individual entitlements or other groups, and the group and all member entitlements are defined in the system.

Revoke an entitlement group from a customer identified by {customerIdentifier}

The ADMIN_REVOKE_ENTITLEMENT_GROUP_FROM_CUSTOMER entitlement is required.

In order to revoke an entitlement group, at least one of the following conditions must be met: * The current user must own the target group * The current user must own each entitlement in the target group, through some combination of individual entitlements or other groups * The current user must own the ADMIN_REVOKE_ANY_ENTITLEMENT_GROUP entitlement

If none of these conditions is met, an Authorization.Unauthorized error will be returned.

IMPORTANT: The entitlement group will be recursively revoked from every user belonging to this customer.

Note that this API only revokes an entitlement group. Any constituent entitlements still owned by the target customer (standalone or as part of other groups) will not be revoked automatically.

The following customer attributes are set automatically - recordUpdated = timestamp - recordUpdater = admin uuid

Get the list of entitlements assigned to the customer identified by customerIdentifier.

The ADMIN_GET_CUSTOMER_ENTITLEMENTS entitlement is required.

Also returns the list of effective entitlements (completeEntitlements) available to the customer. Effective entitlements are any entitlement defined in the system that meets one of the following requirements: * The customer owns the entitlement and the entitlement exists in the system, or * The customer owns a group containing the entitlement, and both the entitlement and the group exist in the system.

Create a new customer in the user store.

The ADMIN_CREATE_CUSTOMER entitlement is required.

Required parameters: cid, customerAlias, customerName, eulaRevision

Note that the customer will be created without an API key. A call to "Reset Customer API Key" is necessary to generate the first API key for a new customer.

The following customer attributes are set automatically - status = inactive if not specified as body param - recordCreated = timestamp - recordCreator = admin uuid - recordUpdated = timestamp - recordUpdater = admin uuid - eulaAutomaticApproval, if not provided = false

Optional allowPublicRegistration attribute determines whether public registration should be allowed or not.

Upon successful creation of a customer, the CID of the newly created customer will be added to the customers list of the calling admin.

Return a list of all customers matching the search criteria.

The ADMIN_LIST_CUSTOMERS entitlement is required.

This API accepts either a valid session token header, or the three HMAC headers with valid API key, as authentication. See the API Key Validation API documentation for more details about HMAC headers. If the principal entity (user or application calling this API) has the "ADMIN_ALL_CUSTOMERS" entitlement, or the system configuration restrictCustomerAccess is false, all customers will be available and the filter request parameter will be accepted and used. Otherwise, only the customers available in the customers attribute of the principal entity will be returned, and the filter request parameter will be ignored.