Manage batches of security identities
Manage batches of security identities
It’s possible to add, update, and/or disable batches of security identities in the security identity provider of a secured Push source.
This means that you can update many security identities using only a few Push API requests, rather than performing numerous single security identity requests to achieve the same results. Therefore, managing security identities in batches is the best way to ensure that you never get throttled by the service. See Push API limits - Recommended maximum number of items/security identities per hour for details.
Performing batch security identity update requests is slightly more complex than performing single security identity requests, as doing so involves three distinct steps which are detailed in this article.
Step 1: Create a file container
See Create a file container for details.
Step 2: Upload the security identity update into the file container
Perform the following PUT uploadUri
request to upload the security identity update into the Amazon S3 file container obtained in step 1.
Request template
PUT <MyUploadURI> HTTP/1.1
<HTTPHeaders>
Parameters
Request body:
{
"members": [
<MySecurityIdentityDefinition>*
],
"mappings": [
<MyUserAliasDefinition>*
],
"deleted": [
{
"identity": {
"name": <MySecurityIdentityName>,
"type": <"GROUP"|"UNKNOWN"|"USER"|"VIRTUAL_GROUP">
}
}*
]
}
Parameters
The request body must implement the BatchIdentityBody
model.
In the members
array:
-
Replace
<MySecurityIdentityDefinition>*
with any number of security identity definitions to add or update in the target security identity provider.When pushing a group, you overwrite the current version of that group. Therefore, to keep existing group members, be sure to include them in the new group configuration. If this isn’t viable, consider using granted security identities instead.
In the mappings
array:
-
Replace
<MyUserAliasDefinition>*
with any number of user alias definitions to add or update in the target security identity provider.
In the deleted
array:
-
Replace
<MySecurityIdentityName>
by the name of the security identity to disable for each security identity you include. -
Replace
<"GROUP"|"UNKNOWN"|"USER"|"VIRTUAL_GROUP">
by the corresponding entity type.
|
Make consistent use of the |
Successful response: 200 OK
{}
A successful response has no content, but indicates that the security identity update was successfully uploaded into the Amazon S3 file container.
Sample request
The following example shows how to upload a batch of security identity updates into a file container.
PUT link:https://coveo-nprod-customerdata.s3.amazonaws.com/proda/blobstore/mycoveocloudv2organizationg8tp8wu3/b5e8767e-8f0d-4a89-9095-1127915c89c7[...] HTTP/1.1
x-amz-server-side-encryption: AES256
Content-Type: application/octet-stream
Request body:
{
"members": [
{
"identity": {
"name": "SampleGroup",
"type": "GROUP"
},
"members": [
{
"name": "asmith@example.com",
"type": "USER"
},
// ...More members for this group...
],
"wellKnowns": [
{
"name": "Domain Users",
"type": "GROUP"
},
// ...More granted identities for this group...
]
},
// ...More security identity definitions...
],
"mappings": [
{
"identity": {
"name": "asmith@example.com",
"type": "USER"
},
"mappings": [
{
"name": "alice_smith@example.com",
"type": "USER",
"provider": "Email Security Provider"
},
// ...More aliases for this user...
],
"wellKnowns": [
{
"name": "Everyone",
"type": "GROUP"
},
// ...More granted identities for this alias...
]
},
// ...More alias definitions...
],
"deleted": [
{
"identity": {
"name": "SampleGroup2",
"type": "GROUP"
}
},
{
"identity": {
"name": "bjones_alias",
"type": "USER"
}
}
// ...More security identities to disable...
]
}
Step 3: Push the file container into a security identity provider
Use the Add, update, and/or delete a batch of security identities
request to push the Amazon S3 file container into the security identity provider of your secured Push source.
Request template
US East region
PUT https://api.cloud.coveo.com/push/v1/organizations/<MyOrganizationId>/providers/<MySecurityIdentityProviderId>/permissions/batch?fileId=<MyFileId> HTTP/1.1
Accept: application/json
Authorization: Bearer <MyAccessToken>
Canada region
PUT https://api-ca.cloud.coveo.com/push/v1/organizations/<MyOrganizationId>/providers/<MySecurityIdentityProviderId>/permissions/batch?fileId=<MyFileId> HTTP/1.1
Accept: application/json
Authorization: Bearer <MyAccessToken>
Ireland region
PUT https://api-eu.cloud.coveo.com/push/v1/organizations/<MyOrganizationId>/providers/<MySecurityIdentityProviderId>/permissions/batch?fileId=<MyFileId> HTTP/1.1
Accept: application/json
Authorization: Bearer <MyAccessToken>
Australia region
PUT https://api-au.cloud.coveo.com/push/v1/organizations/<MyOrganizationId>/providers/<MySecurityIdentityProviderId>/permissions/batch?fileId=<MyFileId> HTTP/1.1
Accept: application/json
Authorization: Bearer <MyAccessToken>
Request parameters:
Parameters
In the request path:
-
Replace
<MyOrganizationId>
by the actual ID of the target Coveo organization. See Retrieve the organization ID for details. -
Replace
<MySecurityIdentityProviderId>
by the actual ID of the target security identity provider. See Create a security identity provider for a secured push source for details.
In the query string:
-
Replace
<MyFileId>
by thefiledId
you got from step 1.
In the Authorization
HTTP header:
-
Replace
<MyAccessToken>
with a Push source API key that grants the set of privileges required to push security identities to the security identity provider.
Request body:
{}
You may notice that certain security identities in a security identity provider are in error. Typically, this is because the security identity no longer exists in the security identity provider (that is, it has been disabled), but one or several item permission models still refer to it.
To address this error, perform the necessary push requests on the secured Push source to ensure that item permission models and security identities are perfectly in sync.
|
The contents of a file container can be pushed to multiple security identity providers or sources in the same Coveo organization.
Just update the target The file container remains available for 4 days. |
Sample request
This example shows how to push a file container into the security identity provider of a secured Push source.
PUT https://api.cloud.coveo.com/push/v1/organizations/mycoveocloudv2organizationg8tp8wu3/providers/My%20Secured%20Push%20Source%20Security%20Identity%20Provider/permissions/batch?fileId=b5e8767e-8f0d-4a89-9095-1127915c89c7 HTTP/1.1
Accept: application/json
Authorization: Bearer **********-****-****-****-************
Request body:
{}