Skip to content

API v1 - Permission

API v1 - Permission

The Permission API gives details on permissions that either allow or restrict access to each group in Matillion ETL.

The Permissions in Matillion ETL allow admins to specify what parts of the client each user has access to or restrictions, if any. To enable Permissions on the server, an Admin must ensure that the Security Configuration AdminUser Configuration is set to "Internal" or "External". That will allow admin to "Manage Groups" and "Manage Permissions" through the Admin menu. View Permissions is available through the Help menu and can be managed by both "Admins" and regular users.

The Permission API provides the "resource" data ("Resources" refers to the information returned by an API). These resources usually have various endpoints which are combined with multiple HTTP methods for each endpoint. The Permissions API family consist of some PATHs that combine with endpoint resources using HTTP methods: GET, POST, and DELETE.

This API offers a REST-based web service, offering ease of use and a flexible choice of programming language. This API can be used to access and analyse the permissions within the Matillion ETL instance.

Note

  • This document is part of a series on the Matillion ETL API - v1.
  • This process requires the Matillion ETL instance URL, and the username and password of a user with appropriate permissions.
  • Users responsible for experimenting with Matillion ETL API services require access to the Matillion ETL instance and ought to know how to make REST API calls either employing a REST API GUI client such as Postman or employing a command-line interface like cURL.
  • Permissions API will be available for the admin users of Matillion ETL.

Permission API endpoints

API base URL

http(s)://[InstanceAddress]/rest/v1/[permission]

The Permission API is available on standard REST-based APIs that uses HTTP or HTTPS request to GET and POST data. The Permission API service is accessed through the uniform resource locator (URL). All following references in this document will assume the API Base URL has been specified. The available API endpoints are listed in the following sections.


Graphical representation

To illustrate the Permission API, endpoints, and methods, below is the graphical flow of the /permission endpoint showing possible PATH, GET , POST, and DELETE options.

Permission API Endpoint Flow


URL parameters and description

Below is the list of endpoint parameters and their brief description:

Parameter Description
[InstanceAddress] This is the server IP address or domain name.
[groupName] The name of the group.
[permissionName] The name of the permission created in Matillion ETL.
[user] Gets the list of users.
[update] This allows to update the selected permissions.
[get] This property will get the permissions associated with the groups in the Matillion ETL instance.
[clear] Resets the permissions.
[roles] This defines the roles assigned to the permission.
[remove] This will remove the selected property from the instance.

PATH endpoints

Before working with any Permission endpoint call, we recommend that you understand the concept of PATH used in the Permission API family.

A PATH is a unit of a REST API that you can call. A PATH comprises HTTP Methods (GET/POST/DELETE) and a URL PATH that, when exposed, is combined with the base PATH URL (<server address>/rest/v1) of the API.

The Permission API family comprises of following PATHs:

The graphical view of the Permission API PATHs shown below:

Permission Endpoint PATH

Once you have a basic understanding of PATH and associated HTTP methods, you can start making API requests.

All the APIs listed in this chapter are available to use with GET/POST/DELETE methods to retrieve the "resource" information. The detailed description of each endpoint and associated methods is discussed in the next section of this guide.


PATH/user

This is a PATH for the user permissions within the Matillion ETL instance. This will provide the list of users assigned permissions for the instance.

GET/user

To get the list of users for the specified permission. This example using GET method REST API call to export the permission users.

Base URL

http://[InstanceAddress]/rest/v1/permission/user

Server Response

{
        "user-1"
        "user-2"
        "user-3"
}

GET/export

To export the list of users for the specific permission from one instance to another using /export endpoint. This example using GET method REST API call to export the permission groups and all associated information aligned with the groups.

Base URL

http://[InstanceAddress]/rest/v1/permission/user/export

Server Response

{
        "objects": [
            {
                "name": "automation-user",
                "groupNames": []
            },
            {
                "name": "ss-docs",
                "groupNames": []
            }
        ],
        "version": "Built",
        "environment": "redshift"
    }

POST/import

The /import endpoint imports one or more permission user. This example uses the POST method REST API call to import the permission users to the instance. Note that, when importing, there is no "merge" option. If a resource of the same name already exists, you must delete the existing resource before importing the new. This will be a POST method API call as we will have to attach the project (in JSON form, as exported), in the body as a JSON file to import into the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/user/import

POST BODY(JSON)

{
            "objects": [
                {
                    "name": "User-1",
                    "groupNames": []
                },
                {
                    "name": "User-2",
                    "groupNames": []
                }
            ],
            "version": "Built",
            "environment": "redshift"
        }

Server Response

{
        "name": "Permission Users",
        "statusList": [
            {
                "success": true,
                "name": "User-1"
            },
            {
                "success": true,
                "name": "User-2"
            }
        ],
        "success": true
    }

URL Parameters

There is an optional parameter, onConflict, which determines what should happen if an import clashes with something that already exists. For an explanation of this parameter's use, read API Import conflicts - Explanation in Matillion ETL API - v1.

POST/userName/delete

Delete the selected permission user from the instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/user/name/userName/delete

Server Response

{
"success": true,
"msg": "Successfully deleted the permission user by the name: User-1",
"id": -1
}

PATH/user/name/[userName]/groups

GET/userName/groups/ids

To get the set of group IDs assigned to the selected permission user. This example uses the GET method REST API call to export the groups' ids assigned to the user.

Base URL

http://[InstanceAddress]/rest/v1/permission/user/name/userName/groups/ids

Server Response

{
2138489
}

GET/userName/groups/get

Get the set of group names assigned to the selected permission user. This example uses the GET method REST API call to get the groups assigned to the user.

Base URL

http://<InstanceAddress>/rest/v1/permission/user/name/userName/groups/get

Server Response

{
"Runner",
"Scheduler",
"Reader with Comments",
"All Global Access",
"Reader",
"Writer"
}

POST/userName/groups/add

This is to add a group to the selected permission user. This will be a POST method API call. The name of the new group must be sent in the POST body, in plain text format. The POST call will require a header parameter of Content-Type: text/plain.

If a group of the same name already exists, you must remove the existing group before adding the new one.

Base URL

http://[InstanceAddress]/rest/v1/permission/user/name/userName/groups/add

POST Body

Test

Server Response

{
"success": true,
"msg": "Successfully added the group permission Test to the group.",
"id": -1
}

POST/userName/groups/remove

This is to remove a group from the selected permission group. This will be a POST method API call. The name of the group to remove must be sent in the POST body, in plain text format. The POST call will require a header parameter of Content-Type: text/plain.

Base URL

http://[InstanceAddress]/rest/v1/permission/user/name/userName/groups/remove

POST Body

Test

Server Response

{
"success": true,
"msg": "Successfully removed the group permission Test.",
"id": -1
}

PATH/group

PATH/group is a primary PATH for the API Base URL of Permission API aligned with HTTP methods (GET, POST, DELETE), and a PATH to make a unique operation for the resource to retrieve the information correlated with the permissions associated with the groups in the instance.

GET/export

To export one or more permission groups within the Matillion ETL instance, use /export endpoint. This example uses the GET method REST API call to export the permission groups and all associated information aligned with the groups.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/export

Server Response

{
"objects": [
{
"name": "Writer",
"otherRoles": [],
"parentGroupID": null
},
{
"name": "NoEnterprise",
"otherRoles": [],
"parentGroupID": null
},
{
"name": "Runner",
"otherRoles": [],
"parentGroupID": null
}.....
],
"version": "1.48.7",
"environment": "redshift"
}

POST/import

Now that you have an exported permission group (see previous example), we'll use the API to import one or more permission groups into a Matillion ETL instance. Note that, when importing, there is no "merge" option. If a resource of the same name already exists, you must delete the existing resource before importing the new. This will be a POST method API call as we will have to attach the project (in JSON form, as exported), in the body as a JSON file to import into the Matillion ETL instance.

Base URL

http://[InstanceAddres]>/rest/v1/permission/group/import

POST BODY(JSON)

{
"objects": [
{
"name": "Docs",
"otherRoles": [],
"parentGroupID": null
}
],
"version": "1.48.7",
"environment": "redshift"
}

Server Response

{
"name": "Permission Groups",
"statusList": [
{
"success": true,
"name": "Docs"
}
],
"success": true
}

URL Parameters

There is an optional parameter, onConflict, which determines what should happen if an import clashes with something that already exists. For an explanation of this parameter's use, read API Import conflicts - Explanation in Matillion ETL API - v1.

GET/parent

This example is a GET method REST API request that will provide the parent Group ID of the selected permission group within the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/parent

Server Response

{
123456
}

GET/[groupName]/export

To export the all group permissions within the instance, provide the groupName and use the /export endpoint. This example uses the GET method REST API call to export the selected permission group and all associated information aligned with the group.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/export

Server Response

{
        "objects": [
            {
                "name": "Example-Group",
                "otherRoles": [],
                "parentGroupID": null
            }
        ],
        "version": "1.44.11",
        "environment": "redshift"
    }

DELETE/groupName

To remove any resource from the list, use the DELETE API request. In this example, we'll delete a permission group from within the permissions in the Matillion ETL instance.

Note

There are often multiple ways of achieving the same task within the API as resources and methods branch out and overlap.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]

Server Response

{
      "success": true,
      "msg": "Successfully deleted schedule [Exampleschedule]",
      "id": -1
    }

POST/update

The /update endpoint will allow to update the selected permission group. This will be a POST method API call as you'll need to attach the project (in JSON form, as exported), in the body as a JSON file to import into the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/update WITH POST DATA arg0

POST BODY(JSON)

{
                "name": "Writer",
                "otherRoles": [],
                "parentGroupID": null
    }

Below is the description of the fields included in the POST body:

Field name Data type Description
name String The name of the permission group.
otherRoles String The new role if required to be added.
parentGroupID String The id of the parent group, if available.

Server Response

{
      "success": true,
      "msg": "Successfully updated the permission group: Writer",
      "id": -1
    }

POST/delete

This will be a POST method API call. The /delete endpoint will delete the selected permission group.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/delete

Server Response

{
      "success": true,
      "msg": "Successfully deleted the permission group: test",
      "id": -1
    }

PATH/[groupName]/roles

PATH/roles is a part of the primary PATH/group of Permission API aligned with two HTTP method (GET and POST) to make a unique operation for the resource to retrieve the information correlated with the permissions associatd with the groups in the instance.

GET/get

This is a GET request API call to retrieve the list of roles assigned to the selected permissions group.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/roles/get

Server Response

{
        "API",
        "Admin"
}

POST/add

This API endpoint call is to add a role to the selected permission group. This will be a POST method API call as we will have to attach the role in the body as a TEXT file to import into the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/roles/add WITH POST DATA arg0

POST BODY

{
     "name":"Global"
    }

Server Response

{
      "success": true,
      "msg": "Successfully assigned the role [{\\r\
 \\"name\\":\\"Global\\"     \\r\
}] to the group [Writer].",
      "id": -1
    }

POST/remove

This is a POST request API call to remove a role from the selected permission group.

Base URL

http://[InstanceAddress]/rest/v1/permission/group/name/[groupName]/roles/remove WITH POST DATA arg0

POST BODY

{
     "name":"Global"
    }

Server Response

{
      "success": true,
      "msg": "Successfully removed the role [{\\r\
 \\"name\\":\\"Global\\"     \\r\
}] from the group [Writer].",
      "id": -1
    }

PATH/global

PATH/global is a part of the Permission API family with HTTP methods (GET and POST) and two PATH to make a unique operation for the resource to retrieve the information correlated with the permissions associated with the groups in the instance.

GET/export

The is a GET operation for the resource information to export all the permissions for every group within the instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/export

Server Response

{
        "objects": [
              {
                "group": "Example-Group",
                "permissions": {
                    "": "GRANTED",
                    "/OAuth": "GRANTED",
                    "/Variable": "GRANTED",
                    "/CDC": "GRANTED",
                    "/API Profile/Read": "GRANTED",
                    "/API Profile": "GRANTED",
                    "/Project": "GRANTED",
                    "/CDC/Read": "GRANTED",
                    "/CDC/Write": "GRANTED",
                    "/Credential": "GRANTED",
                    "/API Profile/Write": "GRANTED",
                    "/Queue": "GRANTED",
                    "/Password": "FORBIDDEN"
                }
            },
        ],
        "version": "1.44.11",
        "environment": "redshift"
    }

GET/group

This endpoint retrieve the list of all permissions for every group in the instance, using GET REST API call.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/group

Server Response

{
        "Example-Group",
        "Example-Group-2",
        "Admin only",
        "Reader",
}

POST/import

Now that you have an exported permission group (see previous example), we'll use the API to import the group into a Matillion ETL instance. Note that, when importing, there is no "merge" option. If a resource of the same name already exists, you must delete the existing resource before importing the new. This will be a POST method API call as we will have to attach the project (in JSON form, as exported), in the body as a JSON file to import into the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/import

POST BODY(JSON)

{
        "objects": [
              {
                "group": "Example-Group",
                "permissions": {
                    "": "GRANTED",
                    "/OAuth": "GRANTED",
                    "/Variable": "GRANTED",
                    "/CDC": "GRANTED",
                    "/API Profile/Read": "GRANTED",
                    "/API Profile": "GRANTED",
                    "/Project": "GRANTED",
                    "/CDC/Read": "GRANTED",
                    "/CDC/Write": "GRANTED",
                    "/Credential": "GRANTED",
                    "/API Profile/Write": "GRANTED",
                    "/Queue": "GRANTED",
                    "/Password": "FORBIDDEN"
                }
            },
        ],
        "version": "1.44.11",
        "environment": "redshift"
    }

Server Response

{
      "name": "Group Permissions",
      "statusList": [
        {
          "success": true,
          "name": "Example-Group"
        },
      ],
    }

PATH/instance

We'll be retrieving a single resource information, performing a GET request for that named resource endpoint. This PATH is a part of the PATH/global URI which will retrieve the global list of groups for the instance.

When you reach a named resource endpoint, the API will expose API metadata for that resource, including PATH, GET and POST and DELETE method options available.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/instance?groupName=[groupName]

Server Response

{
      "endpoints": [
        {
          "httpMethod": "PATH",
          "name": "GroupPermissionInstanceService",
          "children": [
            {
              "httpMethod": "GET",
              "name": "exportPermissions",
              "description": "Export all permissions for the selected group.",
              "path": "/export",
              "type": "ExportContainer<GroupPermissionContainerExport>",
              "example": "/export",
              "totalPath": "/export"
            },
            {
              "httpMethod": "GET",
              "name": "listPermissions",
              "description": "List permission in the selected group.",
              "path": "/permission",
              "type": "Set<String>",
              "example": "/permission",
              "totalPath": "/permission"
            },
              ],
              "children": [],
      "dataTypes": []
        } ]
    }

PATH/group/name/[groupName]

PATH/group/name{group} is a part of the PATH/global URI family with two HTTP methods (GET and POST), and one PATH, for the resource to retrieve the information correlating with the permissions of the groups within the instance.

GET/export

The is a GET operation for the resource information to export all the permissions for the selected group within the instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/group/name/[groupName]/export

Server Response

{
        "objects": [
              {
                "group": "Example-Group",
                "permissions": {
                    "": "GRANTED",
                    "/OAuth": "GRANTED",
                    "/Variable": "GRANTED",
                    "/CDC": "GRANTED",
                    "/API Profile/Read": "GRANTED",
                    "/API Profile": "GRANTED",
                    "/Project": "GRANTED",
                    "/CDC/Read": "GRANTED",
                    "/CDC/Write": "GRANTED",
                    "/Credential": "GRANTED",
                    "/API Profile/Write": "GRANTED",
                    "/Queue": "GRANTED",
                    "/Password": "FORBIDDEN"
                }
            },
        ],
        "version": "1.44.11",
        "environment": "redshift"
    }

GET/permission

This endpoint retrieves the list of all permissions aligned with the selected group within the instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/group/name/[groupName]/permission

Server Response

{
        "Project",
        "Credential",
        "Variable",
        "CDC",
        "API Profile",
        "CDC-Write",
        "API Profile-Read",
        "CDC-Read",
        "Queue",
        "OAuth",
        "API Profile-Write",
        "Password"
}

POST/clear

This API call lets you reset permissions for the selected group within the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/group/name/[groupName]/clear

Server Response

{
      "success": true,
      "msg": "Successfully reset the permissions for the group: Example-Group",
      "id": -1
    }

PATH/permission/name/[permissionName]

This PATH is a part of the PATH/group/name/[groupName] URI, with two HTTP methods (GET and POST), to make a unique operation for the resource to retrieve or update the information associated within the instance.

GET/get

This endpoint is a GET request API call that lets you retrieve the information of the selected permissions for the instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/group/name/[groupName]/permission/name/[permissionName]/get

Server Response

{
      "id": "/APIProfile",
      "state": "GRANTED"
    }

POST/update

The endpoint will update the state of selected permissions from the selected group within the instance. There are three permissions in Matillion ETL instance: DEFAULT, GRANTED, FORBIDDEN. This will be a POST method API call as we will have to attach the project (in JSON form, as exported), in the body as a JSON file to import into the Matillion ETL instance.

Base URL

http://[InstanceAddress]/rest/v1/permission/global/group/name/[groupName]/permission/name/[permissionName]/update WITH POST DATA arg0

POST BODY(JSON)

{
          "id": "/APIProfile",
          "state": "FORBIDDEN"
    }

Below is the description of the fields included in the POST body:

Field name Data type Description
id String The name of the permission as available in instance.
state String The new state to be changed. Must be one of: DEFAULT, FORBIDDEN, or GRANTED.

Server Response

{
        "success": true,
        "msg": "Successfully update the state of the permission: APIProfile",
        "id": 0
    }