project access
The OLP CLI supports the following:
- list all users, apps, and groups that have access to a project
- grant project access to a user, app, or group
- revoke project access from a user, app, or group
- show policies attached to a user, app, or group in the project
project access list
Retrieves all users, apps, and groups that have access to a project.
olp project access list <project HRN> [command options]
Required parameters:
- <project HRN>
  The HRN of the project.
Optional parameters:
- --policy <policy HRN>
  Specifies the HRN of the project policy.
- --limit <max number of entities>
  Specifies the maximum number of entities returned in the result (100 by default).
- --credentials <path to credentials file>
  The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
- --profile <profile name>
  The name of the credentials profile to use from the olpcli.ini file.
- --json
  Displays the command result in JSON format.
- --quiet
  Displays members' HRNs, each on a new line.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below lists all users, apps, and groups that have access to the project:
olp project access list hrn:here:authorization::org:project/my-project-1234 --json
Output:
{"members": [{
"identityType": "app",
"member": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
"project": "hrn:here:authorization::org:project/my-project-1234",
"info": {
"ownerHrn": "hrn:here:account::org:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
"clientId": "F9p0HU3qCqtxnZ3KnH4z",
"clientHrn": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
"name": "my-app",
"realm": "org",
"ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
}
}]}
Any --policy specified has to be either one of the policies created for that project or a platform policy.
For more information on using policy listing, see the olp project policy list command.
Example:
The command below lists all users, apps, and groups that have access to the project policy:
olp project access list hrn:here:authorization::org:project/my-project-1234 \
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
--json
olp project access list hrn:here:authorization::org:project/my-project-1234 ^
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
--json
Output:
{"members": [{
"identityType": "app",
"member": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
"project": "hrn:here:authorization::org:project/my-project-1234",
"info": {
"ownerHrn": "hrn:here:account::org:user/HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3",
"clientId": "F9p0HU3qCqtxnZ3KnH4z",
"clientHrn": "hrn:here:account::org:app/F9p0HU3qCqtxnZ3KnH4z",
"name": "my-app",
"realm": "org",
"ownerId": "HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3"
}
}]}
project access grant
Grants project access to a user, app, or group.
olp project access grant <project HRN> [command options]
Required parameters:
- <project HRN>
  The HRN of the project.
Optional parameters:
- --policy <policyHRN1 policyHRN2 ...>
  The list of HRNs of policies to attach to the identity that is being granted access to the project, separated by space.
- --app <appID1 appID2 ...>
  The list of application IDs you want to grant project access to, separated by space.
- --user <userID1 userID2 ...>
  The list of user IDs you want to grant project access to, separated by space. This information can be found in the .here/credentials.properties file, in the user's home directory, or via your profile.
- --group <groupID1 groupID2 ...>
  The list of group IDs you want to grant project access to, separated by space.
- --project
  Attach the policies directly to the project, effectively attaching them to all current and future members.
- --credentials <path to credentials file>
  The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
- --profile <profile name>
  The name of the credentials profile to use from the olpcli.ini file.
- --quiet
  Displays empty output with no additional information.
Note
- You must specify at least one of these options: --app, --user, --group, or --project.
- For the --project option, you must specify at least one --policy. The --app, --user, and --group options cannot be used together with --project.
- You can attach a maximum of 5 policies for a project to an entity and, separately, a maximum of 5 policies directly to the project. To see existing attachments, execute the olp project access show command.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below grants project access to a user, app, and group:
olp project access grant hrn:here:authorization::org:project/my-project-1234 \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::org:project/my-project-1234 ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::org:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::org:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::org:project/my-project-1234
Any --policy specified has to be either one of the policies created for that project or a platform policy.
For more information on using policy listing, see the olp project policy list command.
Example:
The command below grants project policy access to a user, app, and group:
olp project access grant hrn:here:authorization::org:project/my-project-1234 \
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access grant hrn:here:authorization::org:project/my-project-1234 ^
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been granted access to the project hrn:here:authorization::org:project/my-project-1234 with attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog
Application F9p0HU3qCqtxnZ3KnH4z has been granted access to the project hrn:here:authorization::org:project/my-project-1234 with attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been granted access to the project hrn:here:authorization::org:project/my-project-1234 with attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog
Example:
The command below grants project policy access to all present and future members:
olp project access grant hrn:here:authorization::org:project/my-project-1234 \
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
--project
olp project access grant hrn:here:authorization::org:project/my-project-1234 ^
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
--project
Output:
Attached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog to the project hrn:here:authorization::org:project/my-project-1234
project access revoke
Revokes project access from a user, app, or group.
olp project access revoke <project HRN> [command options]
Required parameters:
- <project HRN>
  The HRN of the project.
Optional parameters:
- --policy <policyHRN1 policyHRN2 ...>
  The list of HRNs of policies to be revoked from the identity that is granted access to the project, separated by space.
- --app <appID1 appID2 ...>
  The list of application IDs you want to revoke project access from, separated by space.
- --user <userID1 userID2 ...>
  The list of user IDs you want to revoke project access from, separated by space. This information can be found in the .here/credentials.properties file, in the user's home directory, or via your profile.
- --group <groupID1 groupID2 ...>
  The list of group IDs you want to revoke project access from, separated by space.
- --project
  Revoke the policies that were previously attached directly to the project.
- --credentials <path to credentials file>
  The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
- --profile <profile name>
  The name of the credentials profile to use from the olpcli.ini file.
- --quiet
  Displays empty output with no additional information.
Note
- You must specify at least one of these options: --app, --user, --group, or --project.
- For the --project option, you must specify at least one --policy. The --app, --user, and --group options cannot be used together with --project.
For more information on using credentials and profiles, see Credentials setup.
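The option rules from the grant and revoke Notes, written as a pre-flight check for scripts that assemble these commands. This is an added example, not part of the OLP CLI or its documentation; check_access_command and parse_options are hypothetical helper names, and only the Linux "\" continuation form is joined.

```python
import shlex

IDENTITY_OPTS = ("--app", "--user", "--group")
MAX_POLICIES = 5  # limit stated in the grant Note


def parse_options(tokens):
    """Collect the space-separated values that follow each list option."""
    values = {opt: [] for opt in IDENTITY_OPTS + ("--policy",)}
    project_flag, current = False, None
    for token in tokens:
        if token == "--project":
            project_flag, current = True, None
        elif token in values:
            current = token
        elif token.startswith("--"):
            current = None  # --credentials, --profile, --quiet: values ignored
        elif current is not None:
            values[current].append(token)
    return values, project_flag


def check_access_command(command_line):
    """Return the Note rules that a grant/revoke command line violates."""
    # Join the page's multi-line "\" form before splitting into tokens.
    tokens = shlex.split(command_line.replace("\\\n", " "))
    if len(tokens) < 5 or tokens[:3] != ["olp", "project", "access"] \
            or tokens[3] not in ("grant", "revoke"):
        return ["not an 'olp project access grant|revoke <project HRN>' command"]
    values, project_flag = parse_options(tokens[5:])
    identities = [opt for opt in IDENTITY_OPTS if values[opt]]
    problems = []
    if not identities and not project_flag:
        problems.append("need at least one of --app, --user, --group, --project")
    if project_flag and identities:
        problems.append("--project cannot be combined with " + ", ".join(identities))
    if project_flag and not values["--policy"]:
        problems.append("--project requires at least one --policy")
    # Catches only a single request over the limit; policies already attached
    # have to be counted from `olp project access show`.
    if tokens[3] == "grant" and len(values["--policy"]) > MAX_POLICIES:
        problems.append("more than 5 policies in one grant")
    return problems


if __name__ == "__main__":
    hrn = "hrn:here:authorization::org:project/my-project-1234"
    print(check_access_command(f"olp project access grant {hrn} --project --app F9p0HU3qCqtxnZ3KnH4z"))
```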
Example:
The command below revokes project access from a user, app, and group:
olp project access revoke hrn:here:authorization::org:project/my-project-1234 \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::org:project/my-project-1234 ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the project hrn:here:authorization::org:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the project hrn:here:authorization::org:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the project hrn:here:authorization::org:project/my-project-1234
The --policy parameter specified here has to be one of the policies attached to a member or to a project in case the --project parameter is used.
For more information on using policy listing, see the olp project access show command.
Example:
The command below revokes project policy access from a user, app, and group:
olp project access revoke hrn:here:authorization::org:project/my-project-1234 \
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
--app F9p0HU3qCqtxnZ3KnH4z \
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 \
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
olp project access revoke hrn:here:authorization::org:project/my-project-1234 ^
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--user HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 ^
--group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008
Output:
User HERE-05966c89-aaf1-4ae2-b0e4-3676b3f8b8c3 has been revoked access to the policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::org:project/my-project-1234
Application F9p0HU3qCqtxnZ3KnH4z has been revoked access to the policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::org:project/my-project-1234
Group GROUP-859ddd60-78f2-4ad2-865d-7351b01ff008 has been revoked access to the policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog in the project hrn:here:authorization::org:project/my-project-1234
Example:
The command below revokes a policy that was previously attached directly to a project:
olp project access revoke hrn:here:authorization::org:project/my-project-1234 \
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog \
--project
olp project access revoke hrn:here:authorization::org:project/my-project-1234 ^
--policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog ^
--project
Output:
Detached policy hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog from the project hrn:here:authorization::org:project/my-project-1234
project access show
Shows policies attached to a user, app, or group in the project, or directly to the project itself.
olp project access show <project HRN> [command options]
Required parameters:
- <project HRN>
  The HRN of the project.
Optional parameters:
- --app <appID>
  Application ID you want to query attached project policies for.
- --user <userID>
  User ID you want to query attached project policies for. This information can be found in the .here/credentials.properties file, in the user's home directory, or through your profile.
- --group <groupID>
  Group ID you want to query attached project policies for.
- --project
  List the policies that were attached to the project directly.
- --credentials <path to credentials file>
  The name of a credentials file to use with the command. Credentials files are downloaded separately from the platform portal.
- --profile <profile name>
  The name of the credentials profile to use from the olpcli.ini file.
- --json
  Displays the command result in JSON format.
- --quiet
  Displays empty output with no additional information.
Note
You must specify only one of these options: --app, --user, --group, or --project.
For more information on using credentials and profiles, see Credentials setup.
Example:
The command below lists the policies attached to a user, app or group:
olp project access show hrn:here:authorization::org:project/my-project-1234 \
--app F9p0HU3qCqtxnZ3KnH4z \
--json
olp project access show hrn:here:authorization::org:project/my-project-1234 ^
--app F9p0HU3qCqtxnZ3KnH4z ^
--json
Output:
{"policies": [
{
"id": "all-access-for-abc-catalog",
"hrn": "hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog",
"name": "allAccessForAbcCatalog",
"description": "Read and write access to abc catalog.",
"type": "custom",
"permissions": [
{
"resource": "hrn:here:data::org:abc-catalog",
"resourceType": "catalog",
"allowedActions": [
"readResource", "writeResource"
]
}
]
},
{
"id": "read-only-access-to-all-catalogs",
"hrn": "hrn:here:authorization::org:platform:policy/read-only-access-to-all-catalogs",
"name": "readOnlyAccessToAllCatalogs",
"description": "Read access to all catalogs in project.",
"type": "here-platform",
"permissions": [
{
"resourceType": "catalog",
"allowedActions": [
"readResource"
]
}
]
}
]
}
Example:
The command below lists the policies attached directly to the project:
olp project access show hrn:here:authorization::org:project/my-project-1234 \
--project \
--json
olp project access show hrn:here:authorization::org:project/my-project-1234 ^
--project ^
--json
Output:
{"policies": [
{
"id": "all-access-for-abc-catalog",
"hrn": "hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog",
"name": "allAccessForAbcCatalog",
"description": "Read and write access to abc catalog.",
"type": "custom",
"permissions": [
{
"resource": "hrn:here:data::org:abc-catalog",
"resourceType": "catalog",
"allowedActions": [
"readResource", "writeResource"
]
}
]
}
]
}
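For an access review, the `olp project access show ... --json` output can be flattened to one row per permission and filtered for grants that deserve a second look. This is an added example, not part of the OLP CLI; review and flagged are hypothetical helper names, and the reading of a missing "resource" field as type-wide scope is an assumption based on the platform policy's description in the sample output.

```python
import json

# Trimmed from the `olp project access show ... --json` output on this page.
SAMPLE = """{"policies": [
 {"hrn": "hrn:here:authorization::org:project/my-project-1234:policy/all-access-for-abc-catalog",
  "type": "custom",
  "permissions": [{"resource": "hrn:here:data::org:abc-catalog", "resourceType": "catalog",
                   "allowedActions": ["readResource", "writeResource"]}]},
 {"hrn": "hrn:here:authorization::org:platform:policy/read-only-access-to-all-catalogs",
  "type": "here-platform",
  "permissions": [{"resourceType": "catalog", "allowedActions": ["readResource"]}]}
]}"""

READ_ONLY = {"readResource"}  # assumption: any other action counts as more than read


def review(show_json):
    """Flatten policies into one row per permission and flag what needs a second look."""
    rows = []
    for policy in json.loads(show_json).get("policies", []):
        for perm in policy.get("permissions", []):
            actions = sorted(perm.get("allowedActions", []))
            flags = []
            if set(actions) - READ_ONLY:
                flags.append("beyond-read")
            if "resource" not in perm:
                # Assumption: no "resource" means every resource of that type in the project.
                flags.append("all-" + perm.get("resourceType", "unknown"))
            rows.append({"policy": policy.get("hrn", "?"), "type": policy.get("type", "?"),
                         "scope": perm.get("resource", "*"), "actions": actions, "flags": flags})
    return rows


def flagged(show_json):
    """Only the permissions that carry at least one flag."""
    return [row for row in review(show_json) if row["flags"]]


if __name__ == "__main__":
    for row in flagged(SAMPLE):
        print(row["policy"], row["scope"], ",".join(row["actions"]), row["flags"])
```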