project access
The OLP CLI supports the following:
- list all users, apps, and groups that have access to a project
- grant project access to a user, app, or group
- revoke project access from a user, app, or group
- show policies attached to a user, app, or group in the project
project access list
Retrieves all users, apps, and groups that have access to a project.
olp project access list <project HRN> [command options]
Required parameters:
-
<project HRN>
The HRN of the project.
Optional parameters:
-
--policy <policy HRN>
Specifies the HRN of the project policy. -
--limit <max number of entities>
Specifies the maximum number of entities returned in the result (100 by default). -
--credentials <path to credentials file>
The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal. -
--profile <profile name>
The name of the credentials profile to use from the olpcli.ini
file. -
--json
Displays the command result in JSON format. -
--quiet
Displays members' HRNs, each on a new line.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below lists all users, apps, and groups that have access to the project:
olp project access list hrn:here:authorization::myrealm:project/my-project-1234 --json
Output:
{"members": [{
"identityType": "app",
"member": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
"project": "hrn:here:authorization::myrealm:project/my-project-1234",
"info": {
"ownerHrn": "hrn:here:account::myrealm:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
"clientId": "F9p0HU3qCqtxnZ3KnH4z",
"clientHrn": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
"name": "my-app",
"realm": "myrealm",
"ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
}
}]}
For using --policy
, specified here has to be one or all of the policies available for the project that has been made available for attaching.
For more information on using policy listing, see the olp project policy list
command.
Example:
The command below lists all users, apps, and groups that have access to the project policy:
olp project access list hrn:here:authorization::myrealm:project/my-project-1234 \
--policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog \
--json
olp project access list hrn:here:authorization::myrealm:project/my-project-1234 ^
--policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog ^
--json
Output:
{"members": [{
"identityType": "app",
"member": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
"project": "hrn:here:authorization::myrealm:project/my-project-1234",
"info": {
"ownerHrn": "hrn:here:account::myrealm:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
"clientId": "F9p0HU3qCqtxnZ3KnH4z",
"clientHrn": "hrn:here:account::myrealm:app/F9p0HU3qCqtxnZ3KnH4z",
"name": "my-app",
"realm": "myrealm",
"ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
}
}]}
project access grant
Grants project access to a user, app, or group.
olp project access grant <project HRN> [command options]
Required parameters:
-
<project HRN>
The HRN of the project.
Optional parameters:
-
--policy <policyHRN1 policyHRN2 ...>
The list of HRNs of policies to attach to the identity that is being granted access to the project, separated by space. -
--app <appID1 appID2 ...>
The list of application IDs you want to grant project access to, separated by space. -
--user <userID1 userID2 ...>
The list of user IDs you want to grant project access to, separated by space. This information can be found in the .here/credentials.properties
file, in the user's home directory, or via your profile. -
--group <groupID1 groupID2 ...>
The list of group IDs you want to grant project access to, separated by space. -
--credentials <path to credentials file>
The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal. -
--profile <profile name>
The name of the credentials profile to use from the olpcli.ini
file. -
--quiet
Displays empty output with no additional information.
Note
- You must specify at least one of these options –
--app
, --user
, or --group
. - You can only attach a maximum of 5 policies for a project to an entity. To see existing attachments, execute the
olp project access show
command.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below grants project access to a user, app, and group:
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234
For using --policy
, specified here has to be one or all of the policies available for the project that has been made available for attaching.
For more information on using policy listing, see the olp project policy list
command.
Example:
The command below grants project policy access from a user, app, and group:
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 \
--policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::myrealm:project/my-project-1234 ^
--policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234 with attached policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234 with attached policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::myrealm:project/my-project-1234 with attached policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog
project access revoke
Revokes project access from a user, app, or group.
olp project access revoke <project HRN> [command options]
Required parameters:
-
<project HRN>
The HRN of the project.
Optional parameters:
-
--policy <policyHRN1 policyHRN2 ...>
The list of HRNs of policies to be revoked from the identity that is granted access to the project, separated by space. -
--app <appID1 appID2 ...>
The list of application IDs you want to revoke project access from, separated by space. -
--user <userID1 userID2 ...>
The list of user IDs you want to revoke project access from, separated by space. This information can be found in the .here/credentials.properties
file, in the user's home directory, or via your profile. -
--group <groupID1 groupID2 ...>
The list of group IDs you want to revoke project access from, separated by space. -
--credentials <path to credentials file>
The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal. -
--profile <profile name>
The name of the credentials profile to use from the olpcli.ini
file. -
--quiet
Displays empty output with no additional information.
Note
You must specify at least one of these options – --app
, --user
, or --group
.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below revokes project access from a user, app, and group:
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the project hrn:here:authorization::myrealm:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the project hrn:here:authorization::myrealm:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the project hrn:here:authorization::myrealm:project/my-project-1234
For using --policy
, specified here has to be one or all of the policies attached to a member.
For more information on using policy listing, see the olp project access show
command.
Example:
The command below revokes project policy access from a user, app, and group:
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 \
--policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::myrealm:project/my-project-1234 ^
--policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::myrealm:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::myrealm:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the policy hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::myrealm:project/my-project-1234
project access show
Policies attached to a user, app, or group in the project.
olp project access show <project HRN> [command options]
Required parameters:
-
<project HRN>
The HRN of the project.
Optional parameters:
-
--app <appID>
Application ID you want to query attached project policies for. -
--user <userID>
User ID you want to query attached project policies for. This information can be found in the .here/credentials.properties
file, in the user's home directory, or through your profile. -
--group <groupID>
Group ID you want to query attached project policies for. -
--credentials <path to credentials file>
The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal. -
--profile <profile name>
The name of the credentials profile to use from the olpcli.ini
file. -
--json
Displays the command result in JSON format. -
--quiet
Displays empty output with no additional information.
Note
You must specify only one of these options – --app
, --user
, or --group
.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below lists the policies attached to a user, app or group:
olp project access show hrn:here:authorization::myrealm:project/my-project-1234 \
--app F9p0HU3qCqtxnZ3KnH4z \
--json
olp project access show hrn:here:authorization::myrealm:project/my-project-1234 ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--json
Output:
{"policies": [
{
"id": "all-access-for-abc-catalog",
"hrn": "hrn:here:authorization::myrealm:project/my-project-1234:policy/all-access-for-abc-catalog",
"name": "allAccessForAbcCatalog",
"description": "Read and write access to abc catalog.",
"type": "custom",
"permissions": [
{
"resource": "hrn:here:data::myrealm:abc-catalog",
"resourceType": "catalog",
"allowedActions": [
"readResource", "writeResource"
]
}
]
},
{
"id": "read-only-access-to-all-catalogs",
"hrn": "hrn:here:authorization::HERE:platform:policy/read-only-access-to-all-catalogs",
"name": "readOnlyAccessToAllCatalogs",
"description": "Read access to all catalogs in project.",
"type": "here-platform",
"permissions": [
{
"resourceType": "catalog",
"allowedActions": [
"readResource"
]
}
]
}
]
}