Authorization
Access to certain resources is dependent upon a token bearer's role. Most of the time you will be authenticating as one of your users, which will allow access to a small subset of resources available to your account. In other cases, as when you are using a server-side integration, you may be authenticating as a product, or even an admin; in these cases, you will have access to a wider range of resources.
Resource attributes and relationships marked with a "protected" badge are only allowed to be specified if the authenticated bearer is an admin of the account, or a product that owns the resource. Attributes and relationships marked with a "read only" badge cannot be modified.
Many resource endpoints are automatically scoped according to the token bearer's role. For example, listing all licenses while authenticated as a product will only list licenses associated with that particular product. Attempting to access resources that the bearer does not have access to results in a 403 forbidden error.
Here's a quick summary of the different authorization roles:
Role | Administrator | Authentication | Authorization |
---|---|---|---|
None | No | No | Unauthenticated users can create a new user profile (unless your account is protected), access open/public releases, and validate license keys using the validate-key action. No other endpoints are accessible to unauthenticated users. |
User | No | Yes | Authenticated users may access certain resource endpoints, but all resources that are returned will be scoped to their user profile, e.g. when a user makes a request to list all licenses, only the licenses which are associated with their user profile will be returned. |
License | No | Yes | Authenticated licenses may perform machine activations and deactivations through activation tokens. They may also validate the license, read their machines, and read their group. They cannot perform any other request. |
Product | Yes | Yes | Authenticated products may access resources for their account that are associated with that particular product. All resources that are returned will be scoped to the product, e.g. when a product makes a request to list all licenses, only the licenses which are associated with the product will be returned. |
Support Agent | Yes | Yes | Authenticated support agents may access some resources for their account. They can read the following resources: products, policies, users, licenses, machines, and groups. They can update the following resources: licenses, machines. They cannot delete resources. |
Sales Agent | Yes | Yes | Authenticated sales agents may access some resources for their account. They can read the following resources: products, policies, users, licenses, machines, and groups. They can create the following resources: policies, licenses, machines. They can update the following resources: policies, users, licenses, machines. They can delete the following resources: licenses, machines. They cannot delete any other resources. |
Developer | Yes | Yes | Authenticated developers may access all resources for their account, minus account billing information. |
Admin | Yes | Yes | Authenticated admin users may access all resources for their account. |
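
When deciding which role to issue a token for, the table can be turned into a least-privilege check. The following is an added example, not part of this API or its client libraries: the role identifiers, the `billing` resource name, the least-to-most-privileged ordering, and the rule that anything the table does not list is denied are all assumptions made for the sketch.

```python
# Added example: choose the least-privileged administrative role that covers
# what an integration needs, using the grants listed in the role table above.
READ = {"products", "policies", "users", "licenses", "machines", "groups"}

# Explicit grants as listed in the table. Anything not listed is treated as
# denied (an assumption of this sketch). Role identifiers are hypothetical.
GRANTS = {
    "support-agent": {
        "read": READ,
        "update": {"licenses", "machines"},
    },
    "sales-agent": {
        "read": READ,
        "create": {"policies", "licenses", "machines"},
        "update": {"policies", "users", "licenses", "machines"},
        "delete": {"licenses", "machines"},
    },
}

# Least to most privileged; this ordering is inferred from the table.
ROLE_ORDER = ["support-agent", "sales-agent", "developer", "admin"]


def allows(role, action, resource):
    """Return True if the role's table entry covers (action, resource)."""
    if role == "admin":
        return True  # all resources for the account
    if role == "developer":
        return resource != "billing"  # all resources minus billing information
    return resource in GRANTS[role].get(action, set())


def least_privileged_role(required):
    """Return the first role in ROLE_ORDER covering every required pair."""
    for role in ROLE_ORDER:
        if all(allows(role, action, res) for action, res in required):
            return role
    return None


def excess_grants(role, required):
    """List explicit grants the role holds that the integration never uses."""
    held = {(a, r) for a, rs in GRANTS.get(role, {}).items() for r in rs}
    return sorted(held - set(required))
```

`excess_grants` shows how much unused access a chosen role still carries, which is a useful input when deciding whether a narrower product or license token would fit the integration instead.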