Manage Organization Permissions

The MANAGE Organization permission gives access to actions and resources across the entire GoodData deployment. This permission should be reserved for administrators.

Supported Permissions

The following permissions are applicable to the organization object:

  • MANAGE

    User has access to any protected action or resource.

  • SELF_CREATE_TOKEN

    User can create their own API access tokens. Users without this permission can still delete any of their pre-existing API tokens. Note that to create API access tokens for other users, you still need the MANAGE permission.

Permissions limit who can create new tokens, but they do not block the use of pre-existing tokens, whether generated by an admin for the user (if applicable) or created earlier by the user (e.g., if the user previously had the permission, which was subsequently revoked).

Set Permissions For an Organization

Permissions for an organization are set using the /api/v1/layout/organization declarative API endpoint. Note that you need the Organization.MANAGE permission to change the organization layout.

Note that there always has to be at least one user with MANAGE permission in an organization. API calls that would result in an organization having no users with MANAGE permission are not valid.

Steps:

  1. Make the following API call to fetch an up-to-date JSON definition of your organization layout:

    curl -H "Authorization: Bearer $API_TOKEN" \
        -H "Content-Type: application/json" \
        -X GET \
        "$HOST_URL/api/v1/layout/organization"
    
  2. In the organization layout JSON file, update the permissions definition:

    {
      "organization": {
        ...,
        "permissions": [
            {
                "assignee": {
                    "id": "<user_id_or_user_group_id>",
                    "type": "<user_or_userGroup>"
                },
                "name": "MANAGE"
            }
        ]
      }
    }
    
  3. Update the organization using your updated JSON in the following API call:

    curl -H "Authorization: Bearer $API_TOKEN" \
      -H "Content-Type: application/json" \
      -X PUT \
      "$HOST_URL/api/v1/layout/organization" -d @<your_updated_organization_layout>.json
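
A pre-flight check to run before the PUT in step 3, as an added example (not GoodData's own code): it diffs the permission grants between the fetched layout and the edited one and flags an edit that leaves no MANAGE grant. The layouts and ids are constructed samples, and the function names are hypothetical.

```python
import json

KNOWN_PERMISSIONS = {"MANAGE", "SELF_CREATE_TOKEN"}  # names listed on this page
ASSIGNEE_TYPES = {"user", "userGroup"}               # types shown in step 2

def grants(layout):
    """Return {(permission, assignee_type, assignee_id)} from an organization layout."""
    perms = layout.get("organization", {}).get("permissions", [])
    return {(p.get("name"), p.get("assignee", {}).get("type"),
             p.get("assignee", {}).get("id")) for p in perms}

def preflight(current, updated):
    """Diff the grants of two layouts and list reasons not to send the PUT."""
    before, after = grants(current), grants(updated)
    problems = []
    # The page requires at least one user with MANAGE. This only checks that some
    # MANAGE grant remains; whether a userGroup grant satisfies the API is an
    # open assumption, so review the "removed" list as well.
    if not any(name == "MANAGE" for name, _, _ in after):
        problems.append("no MANAGE assignee left")
    for name, kind, ident in sorted(after, key=repr):
        if name not in KNOWN_PERMISSIONS:
            problems.append(f"unknown permission {name!r}")
        if kind not in ASSIGNEE_TYPES or not ident:
            problems.append(f"malformed assignee {kind!r}/{ident!r} for {name!r}")
    return {"added": sorted(after - before, key=repr),
            "removed": sorted(before - after, key=repr),
            "problems": problems}

# Constructed sample layouts (ids are made up; other organization keys omitted).
CURRENT = json.loads("""{"organization": {"permissions": [
  {"assignee": {"id": "admin", "type": "user"}, "name": "MANAGE"},
  {"assignee": {"id": "analysts", "type": "userGroup"}, "name": "SELF_CREATE_TOKEN"}]}}""")
UPDATED_OK = json.loads("""{"organization": {"permissions": [
  {"assignee": {"id": "admin", "type": "user"}, "name": "MANAGE"},
  {"assignee": {"id": "jane.doe", "type": "user"}, "name": "MANAGE"},
  {"assignee": {"id": "analysts", "type": "userGroup"}, "name": "SELF_CREATE_TOKEN"}]}}""")
UPDATED_BAD = json.loads("""{"organization": {"permissions": [
  {"assignee": {"id": "analysts", "type": "userGroup"}, "name": "SELF_CREATE_TOKEN"}]}}""")

if __name__ == "__main__":
    for label, layout in (("ok", UPDATED_OK), ("bad", UPDATED_BAD)):
        print(label, json.dumps(preflight(CURRENT, layout), indent=2))
```

Every entry under "added" with the name MANAGE is a new organization-wide administrator, so confirm each one before sending the update.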