This appendix describes Oracle Privileged Account Manager's RESTful interface, including the specific APIs that are exposed through this interface.
This appendix includes the following sections:
While Oracle Privileged Account Manager can be consumed through several client interfaces, its fundamental access mechanism or layer is encapsulated in its RESTful interfaces.
Note:
For information about using Oracle Privileged Account Manager's web-based Console or command line tool to perform tasks described in this appendix, refer to Chapter 4, "Starting and Using the Oracle Privileged Account Manager Console" or Appendix A, "Working with the Command Line Tool."All interactions with Oracle Privileged Account Manager's server that are being used by external parties, such as a non-Oracle Privileged Account Manager server, are exposed through RESTful interfaces. All externally visible Oracle Privileged Account Manager resources are modeled by URIs, while standard HTTP operations are mapped to relevant Oracle Privileged Account Manager operations on those resources.
Note:
The information provided in this appendix is essentially the same whether you are using Oracle Privileged Account Manager on WebLogic or on IBM WebSphere; however, there are a few minor differences.For more information, refer to "Differences When Using the Oracle Privileged Account Manager Command Line Tool and REST Interfaces on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.
This section describes the Get Server State API.
Use this API to retrieve information about the status of a server.
URI: https://opam_server_host:opam_ssl_port/opam/
Method: GET
Content-Type: NA
Returns on Success: Status code 200 and JSON representation of the Server State Resource
Example B-1 Sample JSON Output of Server Status
{
"RequestorGroups" : [
"OPAM_APPLICATION_CONFIGURATOR",
"OPAM_SECURITY_ADMIN",
"OPAM_USER_MANAGER",
"OPAM_SECURITY_AUDITOR"
],
"ServerState" : {
"Status" : "Oracle Privileged Account Manager Server is up!",
"StatusCode" : 0
},
"Requestor" : "master_user"
"version":"11.1.2.2.0"
}
{
"ServerState" : {
"Status" : "Oracle Privileged Account Manager Server is up!",
"StatusCode" : 0
},
"Requestor" : "sec_admin",
"RequestorGroups" : [
"OPAM_SECURITY_ADMIN"
],
version: "11.1.2.3.0",
DelegatedPrivileges: [ ]
}
{
"ServerState":{
"Status":"Oracle Privileged Account Manager Server is up!",
"StatusCode":0
},
"Requestor":"weblogic",
"RequestorGroups":[
"Administrators"
],
"version":"11.1.2.3.0",
"DelegatedPrivileges":[
"security_admin"
]
}
Where:
RequestorGroups are groups assigned to the user who is making the request.
Requestor is the user who is making the request.
StatusCode indicates whether the server is working properly.
Returns a zero (0) if the server is working properly.
Returns a non-zero integral value if the server has encountered some issue.
Status is an informative message about the state of the server.
version is the Oracle Privileged Account Manager version.
DelegatedPrivileges are the administration privileges delegated to the user. If the user was delegated an admin privilege such as "security_admin" or "user_manager" on a resource group, the privilege will be displayed in this attribute.
If no admin privilege was delegated to the user, the attribute will remain empty as shown in the second sample JSON output in Example B-1.
This section describes the following configuration resource APIs:
Use this API to add a connector server configuration.
Note:
You must be an administrator with the "Application Configurator" Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/connectorserver
Method: POST
Content-Type: application/json
Body: JSON representation of connector server for addition/test
Returns on Success: Status code 201 Created and Location
Example B-2 Sample JSON Representation of Connector Server Configuration for Addition
{
"connectorserver": {
"connectorservername": "server_test",
"connectorserverdescription": "demo connector server in US",
"connectorserverhost": "myhost.us.example.com",
"connectorserverport": 8579,
"connectorserverkey": "password2",
"connectorserversslenabled ": true
}
}
Sample Output:
https://opam_server_host:opam_ssl_port/opam/connectorserver/9bbcbbb087174ad1900ea691a2573b61 as the Location
Where:
connectorservername is the name given to the connector server.
connectorserverdescription is the description for the connector server. It is an optional field.
connectorserverhost is the hostname of the connector server.
connectorserverport is the port of the connector server.
connectorserverkey is the key of the connector server.
connectorserversslenabled indicates whether SSL is enabled on the connector server.
Use this API to verify a connector server configuration before addition.
Note:
You must be an administrator with the "Application Configurator" Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/connectorserver/test
Method: POST
Content-Type: application/json
Body: JSON representation of connector server for addition/test
Returns on Success: Status code 200
Example B-3 Sample JSON Representation of Connector Server Configuration for Addition
{
"connectorserver": {
"connectorservername": "server_test",
"connectorserverdescription": "demo connector server in US",
"connectorserverhost": "myhost.us.example.com",
"connectorserverport": 8579,
"connectorserverkey": "password2",
"connectorserversslenabled ": true
}
}
Where:
connectorservername is the name given to the connector server.
connectorserverdescription is the description for the connector server. It is an optional field.
connectorserverhost is the hostname of the connector server.
connectorserverport is the port of the connector server.
connectorserverkey is the key of the connector server.
connectorserversslenabled indicates whether SSL is enabled on the connector server.
Use this API to update a connector server configuration.
Note:
You must be an administrator with the "Application Configurator" Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/connectorserver/connector_server_id
Method: PUT
Content-Type: application/json
Body: JSON representation of connector server modification
Returns on Success: Status code 200
Example B-4 Sample JSON Representation of Connector Server Configuration Modification
{
"modifications":[
{
"modification": {
"connectorserverhost": "myhost.us.example.com"
}
},
{
"modification": {
"connectorserverport":8670
}
}
]
}
Where:
connectorserverhost is the hostname of the connector server.
connectorserverport is the port of the co nnector server.
Use this API to delete a connector server configuration.
Note:
You must be an administrator with the "Application Configurator" Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/connectorserver/connector_server_id
Method: DELETE
Content-Type: NA
Body: NA
Returns on Success: Status code 200
Use this API to retrieve a connector server configuration.
Note:
You must be an administrator with the "Application Configurator," "Security Administrator," or "Delegate Security Administrator" Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/connectorserver/connector_server_id
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON Representation of Connector Server
Sample Output:
{
"connectorserver": {
"connectorserverid": "ab62a4b85ba34c9499794ab181d37c15",
"connectorservername": "server_test",
"connectorserverdescription": "demo connector server in US",
"connectorserverhost": "myhost.us.example.com",
"connectorserverport": 8579,
"connectorserverkey": "password2",
"connectorserversslenabled": true
}
}
Where:
Use this API to search connector server configurations.
Note:
You must be an administrator with the "Application Configurator," "Security Administrator," or "Delegate Security Administrator" Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/connectorserver//search?param1=val1¶m2=val2..
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON Representation of Connector Server
Where query parameters could be host, name, and description.
Sample Query:
https://myhost.example.com:2001/opam/connectorserver/search?name=server&host=oracle
Sample Query:
{
"connectorservercollection": [
{
"connectorserver": {
"connectorserverid": "21ae721b54854b3790214fd3fa6864df",
"connectorservername": "server1",
"connectorserverhost": "myhost.us.example.com",
"connectorserverport": 180,
"connectorserversslenabled ": true
}
},
{
"connectorserver": {
"connectorserverid": "0a24c6287aa44d6a814b6f4deb7b751b",
"connectorservername": "server2",
"connectorserverhost": "myhost.us.example.com",
"connectorserverport": 280,
"connectorserversslenabled ": true
}
},
{
"connectorserver": {
"connectorserverid": "ab62a4b85ba34c9499794ab181d37c15",
"connectorservername": "server3",
"connectorserverdescription": "optional description",
"connectorserverhost": "myhost.us.example.com",
"connectorserverport": 45,
"connectorserversslenabled ": true
}
}
]
}
Where:
connectorserverid is the ID of the connector server in your environment.
connectorservername is the name given to the connector server.
connectorserverdescription is the description for the connector server. It is an optional field.
connectorserverhost is the hostname of the connector server.
connectorserverport is the port of the connector server.
connectorserversslenabled indicates whether SSL is enabled on the connector server.
This section describes the following configuration resource APIs:
The APIs described in this section include:
Use this API to retrieve a configuration object for Oracle Privileged Account Manager.
Note:
You must be an administrator with the User Manager Admin Role, the Security Administrator Admin Role, or the Application Configurator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/config/configid
Method: GET
Content-Type: NA
Returns on Success: Status code 200 and JSON representation of a config object
https://opam_server_host:opam_ssl_port/opam/config/globalconfig
Example B-5 Sample JSON Representation of a config Object
{
config: {
configUID: "globalconfig",
configType: "config_globalconfig",
idstorefilter: [
"beginswith"
],
tdemode: [
"true"
],
resourceLockWaitTimeout: [
"120"
],
policyenforcerinterval: [
"3600"
],
targettimeout: [
"20"
],
passwddisplayoption: [
"showpasswd"
],
passwordcyclerinterval: [
"3600"
]
}
}
Where:
configUID is a unique identifier for the config object.
configType is the type of config object.
policyenforcerinterval is the interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks-in the accounts that have exceeded the expiration time defined in the Usage Policy.
passwordcyclerinterval is the interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy.
passworddisplayoption determines how Oracle Privileged Account Manager displays the password of an account to the user.
targettimeout is the time (in seconds) allowed to perform the target connectivity test operation.
tdemode is a flag to request that Oracle Privileged Account Manager use TDE or non-TDE mode.
resourceLockWaitTimeout is the Maximum time (in seconds) allowed for an operation to obtain a transaction lock on a resource.
Use this API to modify a configuration object for Oracle Privileged Account Manager.
Note:
You must be an administrator with the Application Configurator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/config/configid
Method: PUT
Content-Type: application/json
Body: JSON representation of Modification
Returns on Success: Status code 200
Example B-6 Sample JSON Output of Modification
{
"modifications":[
{
"modification":{
"tdemode":[
"false"
]
}
}
]
}
Where:
modifications are an array of modification JSON objects.
modification is a JSON object representing the modification of a single configuration object.
tdemode is a flag to request that Oracle Privileged Account Manager use TDE or non-TDE mode.
The APIs described in this section include:
Use this API to get a configuration object for Oracle Privileged Session Manager.
Note:
You must be an administrator with the User Manager, the Security Administrator, or the Application Configurator Admin Role to use this API.
You cannot run two instances of Oracle Privileged Session Manager on the same machine.
URI: https://opam_server_host:opam_ssl_port/opam/config/sessionmgrconfig
Method: GET
Content-Type: NA
Returns on Success: Status code 200 and JSON Representation of a Session Manager config object
Example B-7 Sample JSON Representation of Session Manager Config
{
config: {
updateinterval: 60,
maxauditthreads: 5,
maxsessions: 8192,
maxrecordsize: 10240,
restResponseTimeout: 180,
SSH: {
opamListenPort: 1222,
sessionchkoutinstructions: "ssh -p <port> <opamuser>:<targetname>:<accountname>@<sessionmgrhost> Use opam password on password prompt"
},
SMVS: {
opamListenPort: 5389,
imagestorepath: "/scratch/opam/images"
},
configUID: "sessionmgrconfig",
configType: "config_sessionmgrconfig",
windowsAgentCount: 0
}
}
Where:
configUID is a unique identifier for the config object.
configType is the type of config object.
updateinterval is the interval (in seconds) in which the Oracle Privileged Session Manager server checks all of the checked-out sessions and updates their transcripts.
opamserverurls is an array of Oracle Privileged Account Manager server URLs to which Oracle Privileged Session Manager can connect.
pub-key is the Oracle Privileged Session Manager server's public key.
maxrecordsize is the maximum recording size that is allowed per session (in KB). When this quota is reached, the session is automatically terminated.
prv-key is the Oracle Privileged Session Manager server's private key.
Protocol-specific attributes include:
opamListenPort is the listener port for the protocol.
sessionchkoutinstructions is the session checkout instructions.
restResponseTimeout is the maximum time allowed for Oracle Privileged Session Manager to complete Oracle Privileged Account Manager Server REST URL invocation.
maxauditthreads is the maximum number of audit threads in the session manager audit pool.
maxsessions is the maximum number of concurrent sessions allowed per session manager server.
windowAgentCount is the number of windows agents that are deployed.
Use this API to update a configuration object for Oracle Privileged Session Manager.
URI: https://opam_server_host:opam_ssl_port/opam/config/sessionmgrconfig
Method: PUT
Content-Type: application/json
Body: JSON representation of Modification
Returns on Success: Status code 200
Note:
You must be an administrator with the Application Configurator Admin Role to use this API.Example B-8 Sample JSON Modification
{
"modifications": [
{
"modification": {
"updateinterval": 300
}
},
{
"modification": {
"opamserverurls": [
"https://localhost:7002/opam"
]
}
},
{
"modification": {
"SSH": {
"opamListenPort": 1222
}
}
},
{
"modification": {
"SSH": {"sessionchkoutinstructions":"ssh -p <port>
<opamuser>:<targetname>:<accountname>@<sessionmgrhost> \n Use opam password on password prompt"
}
}
}
]
}
Note:
You can update all of these attributes, exceptconfigUID is a unique identifier for the config object.
configType is the type of config object.
WindowsAgentCount is the number of windows agents that have been deployed.
For the other attribute definitions, refer to Section B.4.2.1, "Get Configuration Resource."
This section describes the APIs you use when working with Oracle Privileged Account Manager policies.
The APIs described in this section include:
Use this API to search for policies. This API is a search, using one or more of the following parameters:
policystatus
policyname
All of the parameters are optional.
URI: https://opam_server_host:opam_ssl_port/opam/policy/search?param1=val1¶m2=val2
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of policies
Example B-9 Sample JSON Representation of Policies
{
"usagepolicies":[
{
"policyname":"Default Usage Policy",
"policyid":"usagepolicy1",
"policystatus":"active",
}
],
"passwordpolicies":[
{
"policyname":"Default Password Policy",
"policyid":"passwordpolicy2",
"policystatus":"active",
"globaldefault":"y"
}
]
}
Where:
usagepolicies are an array of Usage Policies.
passwordpolicies are an array of Password Policies.
policyname is the policy name.
policyid is the policy's unique identifier.
policystatus is the policy status, where acceptable values are active or disabled.
Use this API to get the Default Usage Policy and Default Password Policy.
URI: https://opam_server_host:opam_ssl_port/opam/policy/default
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON Representation of policies
Example B-10 Sample JSON Representation of Policies
{
"usagepolicies":[
{
"policyname":"Default Usage Policy",
"policyid":"usagepolicy1",
"policystatus":"active"
}
],
"passwordpolicies":[
{
"policyname":"Default Password Policy",
"policyid":"passwordpolicy2",
"policystatus":"active"
}
]
}
Where:
usagepolicies is an array of Usage Policies.
passwordpolicies is an array of Password Policies.
policyname is the policy name.
policyid is the policy's unique identifier.
policystatus is the policy status, where acceptable values are active or disabled.
This attribute only returns the default policies, Default Usage Policy and Default Password Policy.
The APIs described in this section include:
Use this API to retrieve a Password Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of Password Policy
Example B-11 Sample JSON Representation of Password Policy
{
"passwordpolicy":{
"policyid":"passwordpolicy2",
"policystatus":"active",
"policyname":"Default Password Policy",
"description":"Default Password Policy",
"globaldefault":"y",
"passwordchangedurationunit":"days",
"passwordchangedurationvalue":30,
"passwordhistorydays":30
"changeoncheckin":"y",
"changeoncheckout":"y",
"passwordcharsmin":8,
"passwordcharsmax":8,
"passwordalphabeticmin":1,
"passwordnumericmin":1,
"passwordalphanumericmin":2,
"passworduniquemin":1,
"passworduppercasemin":1,
"passwordlowercasemin":1,
"passwordspecialmin":0,
"passwordspecialmax":0,
"passwordrepeatedmin":0,
"passwordrepeatedmax":1,
"startingchar":"n",
"isaccountnameallowed":"n",
"requiredchars":[
"a",
"h",
"j"
],
"allowedchars":[
"b",
"t",
"y",
"p",
"u",
"r",
"o",
"k",
"1",
"2",
"=",
"M",
"a",
"h",
"j"
],
"disalloweddchars":[
"7",
"8",
"l"
],
}
}
Where:
passwordpolicy is a passwordpolicy JSON object.
policyid is the policy's unique identifier.
policystatus is the policy's status, where acceptable values are active or disabled.
policyname is the policy name.
description is a description of the policy.
globaldefault indicates whether the policy is a global default or not.
passwordchangedurationunit and passwordchangedurationvalue determine the interval after which the account password must be changed. Where passwordchangedurationunit can have the values: days, hours, or minutes.
passwordhistorydays indicates how many days to keep the password history.
changeoncheckin indicates whether to change the password on check-in. The valid values are y and n.
changeoncheckout indicates whether to change the password on checkout. The valid values are y and n.
startingchar indicates the character with which the password should begin.
isaccountnameallowed indicates whether the password can be the same as the account name.
requiredchars, allowedchars, disallowedchars are characters that are required, allowed, and disallowed respectively.
passwordcharsmin is the minimum number of characters required in the password.
passwordcharsmax is the maximum number of characters allowed in the password.
passwordalphabeticmin is the minimum number of alphabetic characters required in the password.
passwordnumericmin is the minimum number of numeric characters required in the password.
passwordalphanumericmin is the minimum number of alphanumeric characters required in the password.
passworduniquemin is the minimum number of unique characters required in the password.
passworduppercasemin is the minimum number of uppercase characters required in the password.
passwordlowercasemin is the minimum number of lowercase characters required in the password.
passwordspecialmin is the minimum number of special characters required in the password.
passwordspecialmax is the maximum number of special characters allowed in the password.
passwordrepeatedmin is the minimum number of repeated characters required in the password.
passwordrepeatedmax is the maximum number of repeated characters allowed in the password.
Use this API to update a Usage Policy. You can update all of the attributes, except policyid, and you can update multiple attributes at a time.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}
Method: PUT
Content-Type: application/json
Body: JSON representation for Password Policy modification
Returns on Success: Status code 200
Example B-12 Sample JSON Representation of Password Policy Modification
{
"modifications":[
{
"modification":{
"disalloweddchars":[
"4",
"6"
]
}
},
{
"modification":{
"passwordalphabeticmin":2
}
}
]
}
Where:
modifications is an array of modification JSON objects.
modification is a JSON object representing a single attribute.
Use this API to create a Password Policy.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/passwordpolicy
Method: POST
Content-Type: application/json
Body: JSON representation for Password Policy creation
Returns on Success: Status code 201
Example B-13 Sample JSON Representation for Password Policy Creation
{
"passwordpolicy":{
"policystatus":"active",
"policyname":"Custom Password Policy",
"description":"Default Password Policy",
"passwordchangedurationunit":"days",
"passwordchangedurationvalue":30,
"passwordhistorydays":30,
"changeoncheckin":"y",
"changeoncheckout":"y",
"passwordcharsmin":8,
"passwordcharsmax":8,
"passwordalphabeticmin":1,
"passwordnumericmin":1,
"passwordalphanumericmin":2,
"passworduniquemin":1,
"passworduppercasemin":1,
"passwordlowercasemin":1,
"passwordspecialmin":0,
"passwordspecialmax":0,
"passwordrepeatedmin":0,
"passwordrepeatedmax":1,
"startingchar":"n",
"isaccountnameallowed":"n",
"requiredchars":[
"a",
"h",
"j"
],
"allowedchars":[
"b",
"t",
"y",
"p",
"u",
"r",
"o",
"k",
"1",
"2",
"=",
"M",
"a",
"h",
"j"
],
"disalloweddchars":[
"7",
"8",
"l"
]
}
}
All attributes are optional, except policyname. For attribute definitions refer to Section B.5.3.1, "Retrieve a Password Policy."
Use this API to retrieve a list of accounts for a Password Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}/accounts
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of accounts
Example B-14 Sample JSON Representation of Accounts
{
"accounts":[
{
"account":{
"accountUID":"5bb2c74e1655487c92ecefd5b5270e95",
"accountName":"dsperson1",
"targetID":"3ba06e568166493384f86aa5cc7152f1",
"targetName":"sunds_6.3_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
},
{
"account":{
"account":{
"accountUID":"c67f93d7a7e44844b24aa43d4cd236e9",
"accountName":"person2",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
}
}
]
}
For attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Use this API to delete a Password Policy.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}
Method: DELETE
Content-Type: NA
Body: NA
Returns on Success: Status 200
The APIs described in this section include:
Use this API to retrieve a Usage Policy.
URI: https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of Usage Policy
Example B-15 Sample JSON Representation of Usage Policy
{
"usagepolicy":{
"policyid":"usagepolicy1",
"policystatus":"active",
"policyname":"Default Usage Policy",
"description":"Default Usage Policy",
"globaldefault":"y",
"dateorduration":"duration",
"expireddateminutesfromcheckout":7200,
"expireddate":"08\/08\/2088",
"expireddatehour":0,
"expireddateminutes":0,
"expireddateamorpm":"am",
"timezone":"America\/Los_Angeles",
"usagedates":[
{
"day":"saturday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"wednesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"sunday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"friday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"tuesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"thursday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"monday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
}
],
"allowcheckouttype":"all",
"scp":{
"enable":true
},
"ssh":{
"enableInteractive":true,
"enableNonInteractive":true,
"enableCommandLogging":true,
"commandControl":{
"listType":"whitelist",
"listValues":[
"cd",
"ls"
]
},
"commandReplacements":[
{
"original":"setenv",
"replaceWith":"set"
},
{
"original":"history",
"replaceWith":"safehistory"
}
]
}
}
}
Where:
usagepolicy is a usagepolicy JSON object.
policyid is the Usage Policy's unique identifier.
policystatus is set to active or disabled.
policyname is a name of the policy
description is a description of the policy.
globaldefault indicates whether the policy is the global default policy or not.
dateorduration indicates how the expiration time is calculated.
If set to date, then expireddate, expireddatehour, expireddateminutes, and expireddateamorpm are used.
If set to duration, then expireddateminutesfromcheckout is used.
Where:
expireddate is the date of expiration. The format is MM/dd/yyyy.
expireddatehour.hour are integer values between 0 and 12.
expireddateminutes.minutes are integer values between 0 and 60.
expireddateamorpm is am or pm.
expireddateminutesfromcheckout are minutes from checkout.
timezone is a time zone for the Usage Policy.
usagedates is an array, where each value represents the check out time for individual days.
day is a day of the week, where acceptable values are sunday, monday, tuesday, wednesday, thursday, friday, and saturday.
Use the following attributes to indicate a range from and to:
fromhour is an integer value between 0 and 12.
fromminutes is a n integer value between 0 and 60.
fromamorpm is am or pm.
tohour is a n integer value between 0 and 12.
tominutes is a n integer value between 0 and 60.
toamorpm is am or pm.
allowcheckoutype indicates which type of checkout is permitted for the policy.
all: Choose this option to allow users to check out passwords and sessions.
password (default): Choose this option to allow users to only check out passwords.
session: Choose this option to allow users to only check out sessions.
scp is the JSON object with attributes specific to SCP.
enable specifies whether scp is enabled.
ssh is the JSON object with attributes specific to SSH.
enableInteractive specifies whether ssh is enabled for interactive access. It is a boolean whose default is true.
enableNonInteractive specifies whether ssh is enabled for non-interactive access. It is a boolean whose default is true.
enableCommandLogging specifies whether command logging is enabled. Command logging allows the auditor to view session recordings as an interactive transcript.
commandControl is the JSON Object with attributes specifying the command control constraints.
listType specifies whether the list specified for command control is a whitelist or a blacklist. Only allowed values are considered as "whitelist" or "blacklist". If ("") appears, the empty string specifies that the list was ignored.
listValue is an array of command regular expressions.
commandReplacements is an array of commands along with their replacements. By default this list is empty.
original is the command name to match with while specifying a replacement for the command.
replaceWith is the command that will replace the original command.
Use this API to update a Usage Policy. You can update all attributes, except policyid, and you can update multiple attributes at a time.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}
Method: PUT
Content-Type: application/json
Body: JSON representation of Usage Policy modification
Returns on Success: Status code 200
Example B-16 Sample JSON Representation of Usage Policy Modification
{
"modifications":[
{
"modification":{
"usagedates":[
{
"day":"saturday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"wednesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
}
]
}
},
{
"modification":{
"expireddatehour":2
}
},
{
"modification":{
"scp":{
"enable":false
}
}
},
{
"modification":{
"ssh":{
"commandControl":{
"listValues":[
"cd",
"ls.*"
]
}
}
}
},
{
"modification":{
"ssh":{
"commandReplacements":[
{
"original":"setenv",
"replaceWith":"set"
}
]
}
}
}
]
}
Where:
modifications are an array of modification JSON objects.
modification is a JSON object representing a single attribute.
Use this API to create a Usage Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/usagepolicy
Method: POST
Content-Type: application/json
Body: JSON representation for Usage Policy creation
Returns on Success: Status code 201
SCP: true/false
SSH: true/false
Example B-17 Sample JSON Representation for Usage Policy Creation
{
"usagepolicy":{
"policystatus":"active",
"policyname":"Custom Usage Policy",
"description":"Custom Usage Policy",
"globaldefault":"y",
"dateorduration":"duration",
"expireddateminutesfromcheckout":7200,
"expireddate":"08\/08\/2088",
"expireddatehour":0,
"expireddateminutes":0,
"expireddateamorpm":"am",
"timezone":"America\/Los_Angeles",
"usagedates":[
{
"day":"saturday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"wednesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"sunday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"friday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"tuesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"thursday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"monday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
}
],
"allowcheckouttype":"all",
"scp":{
"enable":true
},
"ssh":{
"enableInteractive":true,
"enableNonInteractive":true,
"enableCommandLogging":true,
"commandControl":{
"listType":"whitelist",
"listValues":[
"cd",
"ls"
]
},
"commandReplacements":[
{
"original":"setenv",
"replaceWith":"set"
},
{
"original":"history",
"replaceWith":"safehistory"
}
]
}
}
}
For attribute definitions, refer to Section B.5.4.1, "Retrieve a Usage Policy."
Use this API to retrieve a list of grants for a Usage Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}/grantees
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON Representation of grants
Example B-18 Sample JSON Representation of Grants
{
"grantees":[
{
"grantee":{
"accountUID":"16d245784350469cbe25229a7c45af22",
"accountName":"oidperson10",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap",
"grantee":"CrossDomainConnectors",
"grantType":"role"
}
},
{
"grantee":{
"accountUID":"3a7f105a1e45407284cd887f8774700d",
"accountName":"openLDAPperson2",
"targetID":"dd9d7a31b39348c79eb23ac46f04d40d",
"targetName":"openldap_2.3_target",
"targetDomain":"needtofix",
"targetType":"ldap",
"grantee":"opamuser2",
"grantType":"user"
}
}
]
}
For attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Use this API to delete a Usage Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}
Method: DELETE
Content-Type: NA
Body: NA
Returns on Success: Status 200
The APIs described in this section include:
Use this API to retrieve a list of the attributes that are associated with all of the target types.
You can use the list of supported target types, along with these attributes, to create the JSON object required to add a target. Refer to Section B.6.2, "Add a Target" for more information.
URI: https://opam_server_host:opam_ssl_port/opam/target/attributes
Method: GET
Content-Type: NA
Returns on Success: Status code 200 and JSON representation of target types, along with the attributes associated with them.
https://opam_server_host:opam_ssl_port/opam/target/attributes
Example B-19 JSON Output of Supported Target Types with Attributes
{
"TargetAttributes":[
{
"TargetType":"ldap",
"DisplayName":"ldap",
"Remote":false,
"BasicAttributes":[
{
"name":"targetName",
"type":"string",
"description":"",
"label":"Name",
"mask":"false",
"array":"false",
"required":"true"
"readonly":"false"
},
{
"name":"description",
"type":"string",
"description":"",
"label":"Description",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"organization",
"type":"string",
"description":"",
"label":"Organization",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"domain",
"type":"string",
"description":"",
"label":"Domain",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"host",
"type":"string",
"description":"",
"label":"Host",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"port",
"type":"int",
"description":"TCP/IP port number used to communicate with the LDAP server.",
"label":"TCP Port",
"default":"",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"ssl",
"type":"boolean",
"description":"Select the check box to connect to the LDAP server using SSL.",
"label":"SSL",
"default":"false",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"principal",
"type":"string",
"description":"The distinguished name with which to authenticate
to the LDAP server.",
"label":"Principal",
"default":"",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"credentials",
"type":"string",
"description":"Password for the principal.",
"label":"Password",
"default":"",
"mask":"true",
"array":"false",
"required":"true"
},
{
"name":"baseContexts",
"type":"string",
"description":"One or more starting points in the LDAP tree that will be used
when searching the tree. Searches are performed when discovering users from
the LDAP server or when looking for the groups of which a user is a member.",
"label":"Base Contexts",
"default":[
],
"mask":"false",
"array":"true",
"required":"true"
},
{
"name":"accountNameAttribute",
"type":"string",
"description":"Attribute which holds the account's user name.",
"label":"Account User Name Attribute",
"default":"uid",
"mask":"false",
"array":"false",
"required":"true"
}
],
"AdvancedAttributes":[
{
"name":"uidAttribute",
"type":"string",
"description":"The name of the LDAP attribute which is mapped
to the Uid attribute.",
"label":"Uid Attribute",
"default":"uid",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"accountSearchFilter",
"type":"string",
"description":"An optional LDAP filter to control which accounts are returned
from the LDAP resource. If no filter is specified, only accounts that include
all specified object classes are returned.",
"label":"LDAP Filter for Retrieving Accounts",
"default":"(uid=*)",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"passwordAttribute",
"type":"string",
"description":"The name of the LDAP attribute which holds the password.
When changing an user's password, the new password is set to this attribute.",
"label":"Password Attribute",
"default":"userpassword",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"accountObjectClasses",
"type":"string",
"description":"The object class or classes that will be used when
creating new user objects in the LDAP tree. When entering more than one
object class, each entry should be on its own line; do not use commas or
semi-colons to separate multiple object classes. Some object classes
may require that you specify all object classes in the class hierarchy.",
"label":"Account Object Classes",
"default":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"mask":"false",
"array":"true",
"required":"false"
}
]
}
]
}
Where:
TargetAttributes is an array of objects, where each object represents a target type.
TargetType is the target type.
DisplayName is how the target type name should display.
BasicAttributes is an array of objects, where each object represents basic attributes for the target type.
AdvancedAttributes is an array of objects, where each object represents advanced attributes for the target type.
name is the attribute name to use when constructing the target JSON to create a target.
type is the attribute type. Acceptable values include string, int, boolean, or lov (list of values).
description is a helpful description of the attribute.
label is how the attribute name should display.
default is a default value for the attribute.
Specify a single value if the array parameter is false or specify an array of values if array is true.
mask hides sensitive values, such as credentials.
Specify true to hide attributes.
Specify false if hiding attributes is not necessary.
array indicates whether the attribute is single-valued or an array of multiple values.
Specify true if the attribute is an array of multiple values.
Specify false if the attribute is single-valued.
required indicates whether the attribute is mandatory or optional.
Specify true for mandatory attributes.
Specify false for optional attributes.
Remote indicates whether this target type is supported through a connector server.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
First, you must obtain a list of attributes for the target type as described in Section B.6.1, "Get Target Attributes." You use these attributes to create the JSON object sent in the body.
URI: https://opam_server_host:opam_ssl_port/opam/target
Method: POST
Content-Type: application/json
Body: JSON representation of target for addition/test
Returns on Success: Status code 201 Created and Location
Example B-20 Sample JSON Representation of Target for Addition (ldap TargetType)
{
"target":{
"targetType":"ldap",
"targetName":"ldap1-target",
"host":"opam_server_host",
"passwordpolicy":"712375b4b7bb453c9482d02535989b53",
"domain":"berkeley",
"description":"Ldap target",
"organization":"ST-US",
"credentials":"welcome",
"uidAttribute":"uid",
"port":"9876",
"passwordAttribute":"userpassword",
"principal":"cn=orcladmin",
"accountSearchFilter":"(uid=*)",
"baseContexts":[
"cn=Users,c=US"
],
"ssl":"false",
"accountObjectClasses":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountNameAttribute":"uid"
}
}
Example B-21 Sample JSON Representation of Target for Addition (lockbox TargetType)
{
"target" : {
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"targetType" : "targetType",
"targetName" : "lockbox_target",
"passwordpolicy" : "passwordpolicy1",
"passwordchgtime" : "2015-01-12 11:59:39.935",
"host" : "myhost.us.example.com",
"domain" : "",
"description" : "",
"connectorserverid" : "",
"targetCustomAttrs ":[{"targetCustomAttr" : {
"attrname" : "attr1"
"attrvalue" : ["value1"]
}}]
}
}
Example B-22 Sample JSON Representation of Target for Addition (database TargetType)
{
"target" : {
"targetType" : "database",
"targetName" : "db1_target",
"passwordpolicy" : "712375b4b7bb453c9482d02535989b53",
"passwordrollover" : "true",
"host" : "afg1140282",
"domain" : "adc1140282Domain",
"description" : "Dbase target for the automation",
"connectionProperties" : "",
"dbType" : "Oracle",
"jdbcUrl" : "jdbc:oracle:thin:@afg1140282.pk.com:11227:db5474",
"loginPassword" : "password1",
"loginUser" : "system"
}
}
Example B-23 Sample JSON Representation of Target for Addition (unix TargetType)
{
"target" : {
"targetType" : "unix",
"targetName" : "BackUpUnixTarget",
"passwordpolicy" : "712375b4b7bb453c9482d02535989b53",
"passwordrollover" : "true",
"host" : "myhost.us.example.com",
"domain" : "US",
"description" : "Backup system",
"organization" : "IT",
"port" : "23",
"sudoPasswdExpectExpression" : "password",
"commandTimeout" : "120000",
"passwordExpectExpressions" :
"new[\\s](unix[\\s])?password:,new[\\s](unix[\\s])?password([\\s]again)?:",
"loginShellPrompt" : "$",
"prePasswdExpectExpression" : "None",
"sudoAuthorization" : "false",
"loginUserpassword" : "password1",
"loginUser" : "aime2"
}
}
Example B-24 Sample JSON Representation of Target for Addition (windows TargetType)
{
"target":{
"targetType":"windows",
"targetName":"Windows7Target",
"connectorserverid":"52d42cf5346f46449a565939dce61d05",
"passwordpolicy":"9a565939d6f46449a5659352d42cf53",
"passwordrollover":"false",
"host":"myhost.us.example.com",
"domain":"US",
"description":"Windows7 target system",
"organization" : "IT",
"AdminPassword":"password1",
"AdminName":"MYHOST\Administrator"
}
}
https://opam_server_host:opam_ssl_port/opam/target
/9bbcbbb087174ad1900ea691a2573b61 as the Location.
Where:
target is the target JSON object.
targetName is the name of the target.
targetType is the target type.
passwordpolicy is the Password Policy identifier of the Password Policy applied to the target.
passwordrollover is the flag that indicates whether to enable automatic password recycling for a target's service account.
If you set this flag to true, then Oracle Privileged Account Manager automatically resets the target's service account password based on the settings specified in the Password Policy that applies.
Note:
Thepasswordrollover flag is currently not supported for ldap or lockbox targets.connectorserverid indicates the connector server associated with the target. connectorserverid would be empty, signified by (""), for a target using local bundle jars.
All of the other attributes are dynamic and they correspond to the attributes in Section B.6.1, "Get Target Attributes."
Use this API to verify a target.
Note:
First, you must obtain a list of attributes for the target type. Refer to Section B.6.1, "Get Target Attributes," to create the JSON object to be sent in the body.URI: https://opam_server_host:opam_ssl_port/opam/target/test
Method: PUT
Content-Type: application/json
Body: JSON representation of target for addition/test
Returns on Success: Status code 200
Example B-25 Sample JSON Representation of Target for Addition/Verification
{
"target":{
"targetType":"ldap",
"targetName":"ldap1-target",
"host":"opam_server_host",
"passwordpolicy":"712375b4b7bb453c9482d02535989b53",
"domain":"berkeley",
"description":"Ldap target",
"organization":"ST-US",
"credentials":"welcome",
"uidAttribute":"uid",
"port":"9876",
"passwordAttribute":"userpassword",
"principal":"cn=orcladmin",
"accountSearchFilter":"(uid=*)",
"baseContexts":[
"cn=Users,c=US"
],
"ssl":"false",
"accountObjectClasses":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountNameAttribute":"uid"
}
}
Where:
target is the target JSON object.
targetName is the name of the target.
targetType is the target type.
passwordpolicy is the Password Policy identifier of the Password Policy applied to the target.
All of the other attributes are dynamic and they correspond to the attributes in Section B.6.1, "Get Target Attributes."
Use this API to retrieve a target.
URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of target
Example B-26 Sample JSON Representation of Target (ldap Target Type)
{
"target":{
"targetUID":"62bcfb98f95174ad1900ea2535989b53",
"targetType":"ldap",
"targetName":"ldap1-target",
"host":"opam_server_host",
"domain":"berkeley",
"description":"Ldap target",
"organization":"ST-US",
"credentials":"welcome",
"uidAttribute":"uid",
"port":"9876",
"passwordAttribute":"userpassword",
"principal":"cn=orcladmin",
"accountSearchFilter":"(uid=*)",
"baseContexts":[
"cn=Users,c=US"
],
"ssl":"false",
"accountObjectClasses":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountNameAttribute":"uid",
}
}
Example B-27 Sample JSON Representation of Target (database Target Type)
{
"target" : {
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"targetType" : "database",
"targetName" : "db1_target",
"passwordpolicy" : "712375b4b7bb453c9482d02535989b53",
"passwordrollover" : "true",
"host" : "afg1140282",
"domain" : "adc1140282Domain",
"description" : "Dbase target for the automation",
"connectionProperties" : "",
"dbType" : "Oracle",
"jdbcUrl" : "jdbc:oracle:thin:@afg1140282.us.pk.com:11227:db5474",
"loginPassword" : "password1",
"loginUser" : "system"
}
}
Example B-28 Sample JSON Representation of Target (unix Target Type)
{
"target" : {
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"targetType" : "unix",
"targetName" : "unix1-target",
"passwordpolicy" : "712375b4b7bb453c9482d02535989b53",
"passwordrollover" : "true",
"host" : "myhost.us.example.com",
"domain" : "US",
"description" : "Backup system",
"organization" : "IT",
"port" : "23",
"sudoPasswdExpectExpression" : "password",
"commandTimeout" : "120000",
"passwordExpectExpressions" :
"new[\\s](unix[\\s])?password:,new[\\s](unix[\\s])?password([\\s]again)?:",
"loginShellPrompt" : "$",
"prePasswdExpectExpression" : "None",
"sudoAuthorization" : "false",
"loginUserpassword" : "password1",
"loginUser" : "aime2"
}
}
Example B-29 Sample JSON Representation of Target (Windows Target Type)
{
"target":{
"targetType":"windows",
"targetName":"Windows7Target",
"targetAgentKey" : "wsiaWCKz\/um9kJWTrjz8DaoM5mxnk\/sUIjDyEZrSc4FBHxO8P+3VS39xL8gQs3JuYlS6h+m01N\/5Rg0Y686xCorU=:AQAB"
"targetUID" : "62bcfb98f95174ad1900ea2535989b53"
"connectorserverid":"52d42cf53465939dce61d05",
"passwordpolicy":"9a565659352d42cf53",
"passwordrollover":"false",
"host":"myhost.us.example.com",
"domain":"US",
"description":"Windows7 target system",
"organization" : "IT",
"AdminPassword":"Password1",
"AdminName":"SLC05TYZ\Administrator"
}
}
Note:
The "targetAgentKey" parameter will display for the agent registered target. It will not display for a normal windows target.Where:
target is the target JSON object.
targetUID is the target's unique identifier.
targetName is the name of the target.
targetType is target type.
passwordrollover is the flag that indicates whether to enable automatic password recycling for a target's service account.
If you set this flag to true, then Oracle Privileged Account Manager automatically resets the target's service account password based on the settings specified in the Password Policy that applies.
Note:
Thepasswordrollover flag is currently not supported for ldap or lockbox targets.connectorserverid indicates the connector server associated with the target. connectorserverid would be empty, signified by (""), for a target using local bundle jars.
All of the other attributes are dynamic and they correspond to the attributes in Section B.6.1, "Get Target Attributes."
Use this API to update a target.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}
Method: PUT
Content-Type: application/json
Body: JSON representation of Target Modification
Returns on Success: Status code 200
You can change all of the attributes, except targetType and targetUID, and you can change multiple attributes at a time.
Example B-30 Sample JSON Object to Modify Target
{
"modification":{
"host":"opam_server_host"
}
},
{
"modification":{
"port":"6000"
}
}
]
}
Where:
targetUID is the target's unique identifier.
modifications is an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
Use this API to delete a target.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}
Method: DELETE
Content-Type: NA
Body: NA
Returns on Success: Status code 200
Use this API to search for a target using any of the following request parameters:
type
name
hostname
domain
description
org
customattrname
customattrvalue
All of these parameters are optional.
Note:
There should be one customattrvalue per customattrname.
For example:
https://opam_server_host:opam_ssl_port/opam/target/search?customattrname=location&customattrvalue=US&customattrname=owner&customattrvalue=john
The preceding example will search all targets that have custom attribute pairs, which have US as location and john as owner.
URI: https://opam_server_host:opam_ssl_port/opam/target/search?param1=value1¶m2=value2
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of Target Collection
https://opam_server_host:opam_ssl_port/opam/target/search? : Returns all targets
https://opam_server_host:opam_ssl_port/opam/target/search?type=ldap&org=us : Returns all targets whose type contains ldap and org contains us.
Example B-31 Sample JSON Representation of Target Collection
{
"Target Collection":[
{
"target":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/target\
/9bbcbbb087174ad1900ea691a2573b61",
"type":"ldap",
"name":"person1-ldap",
"host":"opam_server_host",
"domain":"berkeley"
"description" : "Ldap target"
}
},
{
"target":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/target\
/ac246a162ce948c7b1cdcc17dfc92c15",
"type":"ldap",
"name":"person1-ldap2",
"host":"opam_server_host:opam_ssl_port",
"domain":"berkeley"
"description" : "Ldap target"
}
}
]
}
Where:
Target Collection is an array of target JSON objects.
target is the target JSON object.
uri is the target resource URI.
type is the target type.
hostname is the target's host name.
name is the target name.
org is the target's organization.
domain is the target's domain.
description is a description of the target system.
Use this API to retrieve all of the accounts present on the target system.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/availableaccounts
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 OK and JSON representation of account collection
Example B-32 Sample JSON Representation of Account Collection
{
"AvailableAccounts":[
{
"accountName":"SCOTT",
"accountUid":"SCOTT"
},
{
"accountName":"BLAKE",
"accountUid":"BLAKE "
},
{
"accountName":"JONES",
"accountUid":"JONES"
}
]
}
Where:
AvailableAccounts is an array of the accounts present on the target system.
accountName is the account name.
accountUID is the account's unique identifier.
Use this API to retrieve all the accounts on the target that are registered with Oracle Privileged Account Manager.
Note:
You must be an administrator with the User Manager Admin Role, Security Administrator Admin Role, or Security Auditor Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/accounts
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of URI collection of accounts Server
Example B-33 Sample JSON Representation of URI Collection of Accounts
{
"URI Collection":[
{
"account":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\
/3740553e999a4f6aa8e8f9286d320cb4",
"accountName":"sherlock"
}
},
{
"account":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\
/c11066278022489aad758aec69d9727d",
"accountName":"root"
}
}
]
}
Where:
URI Collection is an array of accounts on a target that are registered with Oracle Privileged Account Manager.
account is the account JSON object.
uri is the account's URI.
accountName is the account name.
Use this API to retrieve a list of all supported target types.
URI: https://opam_server_host:opam_ssl_port/opam/target/types
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of supported target types
Example B-34 Sample JSON Representation of Supported Target Types
{
"targettypes":[
"ldap",
"unix",
"database",
"lockbox"
"sapum"
"sapume"
"unix"
"windows"
]
}
Where: "targettypes" are the supported target types.
Use this API to reset the password on the target's service account.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/resetpassword
Method: PUT
Content-Type: application/json
Body: NA
Returns on Success: Status code 200
Example B-35 Sample JSON Representation of the New Password
{
"password":"password1"
}
or
{
"autogen":"true"
}
Where:
targetUID is the target's unique identifier.
password is the password to assign to the service account.
autogen is the flag that controls whether to automatically generate the password or not. The default value of this flag is false.
Use this API to retrieve and display the service account password.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/showpassword
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of service account
Example B-36 Sample JSON Representation of Account Token
{
"serviceAccount" : {
"targetName" : "APILDAP",
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"targetAccount" : "cn=admin",
"targetPassword" : "password1",
"targetPasswordChangeTime" : " 2013-01-27 02:58:13.259"
}
}
Where:
targetUID is the target's unique identifier.
targetName is the name of the target.
targetAccount is the service account on the target.
targetPassword is the service account password.
targetPasswordChangeTime is the time when the password was modified.
Note:
This API has been deprecated. Oracle recommends that you use the Show Service Account Password API in Section B.6.12, "Show Service Account Password."Use this API to retrieve and display the service account password.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/showpassword
Method: PUT
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of service account
Example B-37 Sample JSON Representation of Account Token
{
"serviceAccount" : {
"targetName" : "APILDAP",
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"targetAccount" : "cn=admin",
"targetPassword" : "password1",
"targetPasswordChangeTime" : " 2013-01-27 02:58:13.259"
}
}
Where:
targetUID is the target's unique identifier.
targetName is the name of the target.
targetAccount is the service account on the target.
targetPassword is the service account password.
targetPasswordChangeTime is the time when the password was modified.
Use this API to retrieve and display the service account password history.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
URI: https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/showpasswordhistory
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of service account Server
Example B-38 Sample JSON Representation of Target Token
{
"targetToken": {
"targetName": "SessionMgr_Target",
"targetUID": "62bcfb98f95174ad1900ea2535989b53",
"passwordHistory": [
{
"targetPassword": "password1",
"modificationTime": "1383078344"
},
{
"targetPassword": "4PkVerh7",
"modificationTime": "1383078329"
},
{
"targetPassword": "l9yAigqj",
"modificationTime": "1383078314"
},
{
"targetPassword": "password1",
"modificationTime": "1383010874"
}
]
}
}
Where:
targetUID is the target's unique identifier.
targetName is the name of the target.
passwordHistory is the service account password history.
targetPassword is the service account password.
modificationTime (UTC time in seconds) is the time when the password was modified.
Password history results are sorted by modification time, where the most recent results will be at the top.
The APIs described in this section include:
Section B.7.2, "Get Applicable Usage Policy for the Account"
Section B.7.19, "Remove a User's/Role's Access to an Account"
Use this API to add an account to the target. This API does not create an account on the target system, but it registers the existing account with the Oracle Privileged Account Manager target.
Note:
You must never use the same account as the service account and as a privileged account to be managed by Oracle Privileged Account Manager.
You must be an administrator with the Security Administrator Admin Role to use this API.
URI: https://opam_server_host:opam_ssl_port/opam/accoun
Method: POST
Content-Type: application/json
Body: JSON representation for account addition/verification
Returns on Success: Status code 201 and Location
Example B-39 Sample JSON Representation of Account for Addition/Verification
{
"account":{
"accountName":"admin",
"description" : "maintenance account on the machine",
"password" : "password1",
"passwordpolicy":"passwordpolicy2",
"shared":"true",
"targetUID":"62bcfb98f95174ad1900ea2535989b53"
"accountCustomAttrs": [{"accountCustomAttr": {
"attrname": "attr1",
"attrvalue": ["100"]
}}]
}
}
Where:
account is the account JSON object.
accountName is the name of the account.
description is a description of the account. This attribute is optional.
password is the account password. This attribute is optional.
passwordpolicy is the policy ID of the Password Policy applicable to the account. This parameter is optional. By default, this parameters uses the global Default Password Policy.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
targetUID is the target's unique identifier.
Use this API to get the applicable Usage Policy for an account.
URI: https://opam_server_host:opam_ssl_port/opam/account/
accountUID/usagepolicy
Method: GET
Content-Type: NA
Returns on Success: Status code 200 and JSON representation of the Usage Policy
Example B-40 Sample JSON Representation of the Usage Policy
{"usagepolicy":
{
"policyid":"bafd53072bbb442db185dca18bd00e69",
"policyname":"usage_policy_anytime"
}
}
Where:
usagepolicy is the Usage Policy JSON object.
policyid is the Usage Policy's unique identifier.
policyname is a name of the policy
Use this API to grant a user or role access to an account. Multiple users and roles can be granted the access at a time.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}
Method: PUT
Content-Type: application/json
Body: JSON representation for adding grantees
Returns on Success: Status code 200
Example B-41 Sample JSON Representation for Adding Grantees
{
"modifications":[
{
"modification":{
"usagepolicy":"712375b4b7bb453c9482d02535989b53",
"role":"opamgroup1",
"operation":"add"
}
},
{
"modification":{
"usagepolicy":"usagepolicy1",
"user":"opamuser1",
"operation":"add"
}
}
]
}
Where:
accountUID is the account's unique identifier.
modifications are an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
role indicates that a group has to be granted an access. This parameter value is the group name.
user indicates that a user has to be granted an access. This parameter value is the user login id.
usagepolicy indicates the Usage Policy identifier to be applied to the grant.
operation indicates the type of operation to be performed. Acceptable values include:
add indicates grant.
delete indicates revocation.
replace indicates replacement of usagepolicy with a new value.
Use this API to add a CSF map-key to an account or remove the map-key from an account. You can add or remove multiple map-keys at a time.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https:///opam_server_host:opam_ssl_port/opam/account/{accountUID}
Method: PUT
Content-Type: application/json
Body: JSON representation for adding keymaps
Returns on Success: Status code 200
Example B-42 Sample JSON Representation for Map-Keys Addition/Removal
{
"modifications": [
{
"modification": {
"keymap": "[app1][sd45kjlf4g][t3://myhost:2001][weblogic][password]",
"operation": "add"
}
},
{
"modification": {
"keymap": "[hrmap][hrkey2][t3://myhost:2001][weblogic][password]",
"operation": "delete"
}
}
]
}
Where:
accountUID is the account's unique identifier.
modifications is an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
keymap is the map-key to be added or removed. The map-key must be in the following format:
[csfmap][csfkey][Administration Server Url][username][password]
operation indicates the type of operation to be performed. Acceptable values include:
add indicates addition of map-key.
delete indicates removal of map-key.
Use this API to search accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
customattrname
customattrvalue
All of these parameters are optional.
Note:
There should be one customattrvalue per customattrname.
For example:
https://opam_server_host:opam_ssl_port/opam/account/search?customattrname=location&customattrvalue=US&customattrname=owner&customattrvalue=john
The preceding example will search all targets that have custom attribute pairs, which have US as location and john as owner.
URI: https://opam_server_host:opam_ssl_port/opam/account/search?
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account collection
Example B-43 Sample JSON Representation of Account Collection
{
"AccountCollection" : [
{
"account" : {
"shared" : false,
"passwordchangetime" : 1383072107,
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson1",
"uri" : "https://localhost:7002/opam/account/35e2709edf0443edae8f67727d937bec",
"accountUID" : "35e2709edf0443edae8f67727d937bec"
}
},
{
"account" : {
"shared" : false,
"passwordchangetime" : 1383072107,
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson10",
"uri" : "https://localhost:7002/opam/account/0a1ee2cb17e345cdb537a2f05e11e93c",
"accountUID" : "0a1ee2cb17e345cdb537a2f05e11e93c"
}
}
],
"count" : 2
}
Where:
account is the account JSON object.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
accountlevelstatus indicates whether the account has been checked in by anyone. Acceptable values are checkedIn and checkedOut.
description is a description of the account. This attribute is optional.
accountName is the name of the account.
accountUID is the account's unique identifier.
passwordchangetime is the time when the password was modified.
For all other attribute definitions, refer to Section B.6, "Target Resource."
Use this API to search assigned accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
URI: https://opam_server_host:opam_ssl_port/opam/account/myaccounts/search?
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account collection
Example B-44 Sample JSON Representation of Account Collection
{
"AccountCollection": [
{
"account": {
"uri": "https://myhost:7002/opam/account/aa243a9323974eca84d4141193ca58e1",
"accountUID": "aa243a9323974eca84d4141193ca58e1",
"accountName": "account1",
"description": ""8759",
"targetUID": "62bcfb98f95174ad1900ea2535989b53",
"targetName": "kiki",
"targetType": "lockbox",
"domain": ""
"host": "kiki"
}
}
],
{
"AccountCollection": [
{
"account": {
"uri": "https://myhost:7002/opam/account/086931f6816647f0a4c0ca6b28055739",
"accountUID": "086931f6816647f0a4c0ca6b28055739",
"accountName": "hello",
"description": "8759",
"targetUID": "62bcfb98f95174ad1900ea2535989b53",
"targetName": "lockbox2",
"targetType": "lockbox",
"domain": ""
"host": "myhost.us.example.com"
}
}
],
"count": 2
}
Where:
account is the account JSON object.
accountUID is the account's unique identifier.
accountName is the name of the account.
description is a description of the account. This attribute is optional.
For all other attribute definitions, refer to Section B.6, "Target Resource."
Use this API to retrieve an account.
URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account Server
Example B-45 Sample JSON Representation of Account
{
"account":{
"accountUID":"aa243a9323974eca84d4141193ca58e1",
"description":"8759",
"targetUID":"62bcfb98f95174ad1900ea2535989b53",
"accountName":"account1",
"shared":false,
"keymaps":[],
"passwordpolicy":"passwordpolicy1",
"accountlevelstatus":"checkedIn",
"passwordchangetime":"1421107647",
}
}
Where:
account is the account JSON object.
accountUID is the account's unique identifier.
accountName is the name of the account.
passwordpolicy is the policy ID of the Password Policy applicable to the account.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
targetUID is target's unique identifier.
accountlevelstatus indicates whether the account has been checked in by anyone. Acceptable values are checkedIn and checkedOut.
protocol is the protocol used to connect to the Oracle Privileged Session Manager server.
port is the port used to connect to the Oracle Privileged Session Manager server.
Use this API to retrieve all the grantees of an account. A grantee can be a user or a role.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/grantees
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of Grantees
Example B-46 Sample JSON Representation of Grantees
{
"grantees":{
"users":[
"opamuser1"
],
"roles":[
"opamgroup1"
]
}
}
Where:
grantees are grantees of the account.
users are the users who have been granted the account. Each value is the user's login ID/UID.
roles are the groups or roles who have been granted the account. Each value is a group name.
Use this API to retrieve a list of all users who have currently checked out an account.
Note:
You must be an administrator with the User Manager Admin Role, the Security Auditor Admin Role, or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/whocheckedout
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of users who checked out the account.
Example B-47 Sample JSON Representation of Users Who Checked Out the Account
{
"users": [
{
"user": {
"uid": "user_manager",
"expiryTime": "1382147587",
"checkoutTime": "1381715587",
"checkoutUID": "f499b76719ba4d0aa30487e58316def3",
"checkoutType": "password",
"transcriptURL": ""
}
},
{
"user": {
"uid": "user_manager",
"expiryTime": "1382147587",
"checkoutTime": "1381715587",
"checkoutUID": "f499b76719ba4d0aa30487e58316def3",
"checkoutType": "session",
"transcriptURL": "https://myhost:2001/opam/checkout/dee8383184664ddfa09f454d0a9a023d/
transcript"
}
}
]
}
Where:
transcriptURL is the URL you use to access the session transcript.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
checkoutUID is the unique ID for the checkout.
Use this API to check out an account.
URI: https://opam_server_host:opam_ssl_port/opam/account/v1/{accountUID}/checkout
Method: PUT
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of account token
Example B-48 Sample JSON Representation of Account Token
{
"accountToken":{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"accountPassword":"GJN8p2ol"
}
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
accountpassword is the account password.
Note:
In version v1, upon a repeat checkout, account token is returned along with a message in that account is already checked out. In earlier versions, only an error message was sent. This behavior is retained in (https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkout).Use this API to retrieve a list of all accounts that have been checked out by the logged in user.
URI: https://opam_server_host:opam_ssl_port/opam/account/mycheckouts
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account collection
Example B-49 Sample JSON Representation of Account Collection
{
"Checkouts": [
{
"uri": "https://myhost:7002/opam/account/b0e7ae053afb45658da4e3a0453bffec",
"accountUID": "b0e7ae053afb45658da4e3a0453bffec",
"accountName": "dduck",
"status": "checkedOut",
"targetUID": "62bcfb98f95174ad1900ea2535989b53",
"targetName": "unix1-target",
"targetType": "unix",
"domain": "US",
"expiryTime": "1371945854",
"checkoutUID": "b97b2de6a80b40c48f873067027ac476",
"checkoutType": "session",
"transcriptURL": "https://myhost:2001/opam/account/checkout/b97b2de6a80b40c48f873067027ac476/
transcript"
},
{
"uri": "https://myhost:7002/opam/account/b0e7ae053afb45658da4e3a0453bffec",
"accountUID": "b0e7ae053afb45658da4e3a0453bffec",
"accountName": "dduck",
"status": "checkedOut",
"targetUID": "62bcfb98f95174ad1900ea2535989b53",
"targetName": "unix1-target",
"targetType": "unix",
"domain": "US",
"expiryTime": "1371940624",
"checkoutUID": "bf43672ffd3a43018cdfde9b78bf1691",
"checkoutType": "password",
"transcriptURL": ""
}
]
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
checkoutUID is the unique ID for the checkout.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
transcriptURL is the URL to access the session transcript.
For all other attribute definitions, refer to Section B.6, "Target Resource."
Use this API to get information to help you perform a session checkout.
Note:
For more information about password and session checkouts, refer to Section 9.5, "Checking Out Privileged Accounts" and Section 9.5.3, "Checking Out Privileged Account Sessions."URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkout/
session/instructions
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of output
Example B-50 Sample JSON Representation of Session Checkout Instructions
{
"sessionCheckoutInstructions": {
"accountName": "dduck",
"targetName": "bkottaha-unix",
"port": 1222,
"instruction": "ssh -p <port> <opamuser>:<targetname>:<accountname>@
<sessionmgrhost>\n Use opam password on password prompt"
}
}
Where:
accountName is the name of the account.
targetName is the name of the target.
port is the port that Session Manager listens to for connections.
instruction is the information required to perform a session checkout.
Use this API to search for an account's checkout history using one or more of the following parameters:
from: Specify start time in seconds (UTC) (required).
to: Specify end time in seconds (UTC) (required).
uid: Specify the userID (optional).
pattern: Specify the command that was executed or a term in the log (optional).
size: Specify the number of array elements to be returned (optional).
Use the from and to parameters to specify the time period in which the checkouts were running.
Note:
You must be an administrator with the User Manager or Security Administrator Admin Role to access this query.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkouts/
historical/search?param1=val1
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of output
https://myhost:7002/opam/account/8d9e9ce750da4aedac3ffbea0d28a73a/checkouts/historical/search?from=123&to=1372893007&size=2&pattern=ls
Example B-51 Sample JSON Representation of Account Checkout History
{
"checkouts":[
{
"checkout":{
"accountName":"itsupport",
"targetName":"unixTarget",
"uid":"end_user",
"starttime":"1404691650",
"endtime":"1404691654",
"recordingType":"text\/plain",
"transcriptURL":"https:\/\/myhost:2001\/opam\/checkout\/c3bcb3366581420d9d8166810c1c72da\/transcript",
"transcript":"\/checkout\/c3bcb3366581420d9d8166810c1c72da\/transcript"
}
},
{
"checkout":{
"accountName":"itsupport",
"targetName":"unixTarget",
"uid":"end_user",
"starttime":"1404691378",
"endtime":"1404691387",
"recordingType":"text\/html",
"transcriptURL":"https:\/\/myhost:2001\/opam\/checkout\/b869b1d8a48a4b459adaff010c887543\/transcript",
"metadata":"\/checkout\/b869b1d8a48a4b459adaff010c887543\/metadata",
"transcript":"\/checkout\/b869b1d8a48a4b459adaff010c887543\/transcript"
}
}
],
"totalcount":5,
"returncount":5
}
Where:
transcriptURL is the URL you use to access the session transcript.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
checkoutUID is the unique ID for the checkout.
totalcount is the number of actual search results.
returncount is the number of search results that were actually returned. This is determined by size.
recordingType is available in the plain text ("text/plain") or interactive ("text/html") formats.
metadata is the relative link to base opam url for the xml metadata for the session.
Note:
The metadata attribute is absent if there is no metadata.video is the relative link to the video
transcript is the relative link for the transcript. This transcript can be in the plain text or html formats.
For all other attribute definitions, refer to Section B.7, "Account Resource."
Use this API to search for the checkout history of all accounts, using one or more of the following parameters:
from: Specify start time in seconds (UTC) (required).
to: Specify end time in seconds (UTC) (required).
targetname: Specify the name of a target on which to search (optional).
accountname: Specify the name of an account to search (optional).
uid: Specify the userID (optional).
pattern: Specify the command that was executed or a term in the log (optional).
size: Specify the number of array elements to be returned (optional).
Use the from and to parameters to specify the time period in which the checkouts were running.
Note:
You must be an administrator with the Security Auditor Admin Role to access this query.URI: https://opam_server_host:opam_ssl_port/opam/checkout/historical/search?param1=val1
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of output
https://myhost:7002/opam/checkout/historical/search?from=123&to=
1472816146&size=2&pattern=ls&accountname=a&targetname=h&uid=u
Example B-52 Sample JSON Representation of Checkout History
{
"checkouts":[
{
"checkout":{
"accountName":"itsupport",
"targetName":"unixTarget",
"uid":"end_user",
"starttime":"1404691650",
"endtime":"1404691654",
"recordingType":"text\/plain",
"transcriptURL":"https:\/\/myhost:2001\/opam\/checkout\/b869b1d8a48a4b459adaff010c887543\/transcript",
"transcript":"\/checkout\/c3bcb3366581420d9d8166810c1c72da\/transcript
}
},
{
"checkout":{
"accountName":"itsupport",
"targetName":"unixTarget",
"uid":"end_user",
"starttime":"1404691378",
"endtime":"1404691387",
"recordingType":"text\/html",
"transcriptURL":"https:\/\/myhost:2001\/opam\/checkout\/b869b1d8a48a4b459adaff010c887543\/transcript",
"metadata":"\/checkout\/b869b1d8a48a4b459adaff010c887543\/metadata",
"transcript":"\/checkout\/b869b1d8a48a4b459adaff010c887543\/transcript"
}
},
{
"checkout":{
"accountName":"SystemAdmin",
"targetName":"WinTarget",
"uid":"end_user",
"starttime":"1403501578",
"endtime":"1403501593",
"recordingType":"video",
"video":"\/checkout\/bde06872949740a59dc5a702d8aca48e\/video",
"metadata":"\/checkout\/bde06872949740a59dc5a702d8aca48e\/metadata"
}
}
],
"totalcount":5,
"returncount":5
}
Where:
transcriptURL is the URL you use to access the session transcript.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
checkoutUID is the unique ID for the checkout.
totalcount is the number of actual search results.
returncount is the number of search results that were actually returned. This is determined by size.
recordingType is available in the plain text ("text/plain") or interactive ("text/html") formats.
metadata is the relative link to base opam url for the xml metadata for the session.
Note:
The metadata attribute is absent if there is no metadata.video is the relative link to the video
transcript is the relative link for the transcript. This transcript can be in the plain text or html formats.
For all other attribute definitions, refer to Section B.7, "Account Resource."
Use this API to check in an account.
A checkout can be a password checkout or session checkout. You can individually check in each checkout by using its checkoutUID or you can check in all of the checkouts for an account. In this publication, the term "account checkout" generally refers to the latter case.
Note:
To do a force-check in, you must be an administrator with the User Manager Admin Role.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkin
Method: PUT
Content-Type: application/json
Body: NA
Returns on Success: Status code 200
Sample JSON Representations of Account Check Ins
The following examples illustrate different types of Force Check Ins
Example B-53, "Self Check In a Password or Session Checkout"
Example B-54, "Force Account Check In (Both Password and Session) for All Users"
Example B-55, "Force Account Check In (Both Password and Session) for a Single User"
Example B-53 Self Check In a Password or Session Checkout
{
"checkoutUID":"9c3c5d687d414a57b7dbda0692c9b06d"
}
Example B-55 Force Account Check In (Both Password and Session) for a Single User
{
"force" : "true",
"userid" : "person1"
}
Example B-56 Force Check In a Password or Session
{
"force" : "true",
"checkoutUID" : "9c3c5d687d414a57b7dbda0692c9b06d",
}
Note:
If you want to perform an account check in (for both password or session), you do not have to provide any content in the JSON body.Where:
force is a flag that indicates a force check-in. The default value of this flag is false.
userid is the user who is to be force-checked in. The default action is to force-check in all users that have checked out the account.
checkoutUID is the unique identifier for a checkout.
Use this API to verify whether the account is present on the target system.
URI: https://opam_server_host:opam_ssl_port/opam/account/test
Method: PUT
Content-Type: application/json
Body: JSON representation for account addition/verification
Returns on Success: Status code 200
Example B-57 Sample JSON Representation of Account Addition/Verification
{
"account":{
"accountName":"admin",
"description" : "maintenance account on the machine"
"password" : "password1"
"passwordpolicy":"passwordpolicy2",
"shared":"true",
"targetUID":"62bcfb98f95174ad1900ea2535989b53"
}
}
Where:
account is the account JSON object.
accountName is the name of the account.
description is a description of the account. This attribute is optional.
password is the account password. This attribute is optional.
passwordpolicy is the policy ID of the Password Policy applicable to the account. This parameter is optional. By default, this parameters uses the global Default Password Policy.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
targetUID is the target's unique identifier.
Use this API to update an account. You can change multiple attributes at a time. Only passwordpolicy, description, and shared attributes can be updated.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}
Method: PUT
Content-Type: application/json
Body: JSON representation of account modifications
Returns on Success: Status code 200
Example B-58 Sample JSON Representation of Account Modifications
{
"modifications":[
{
"modification":{
"passwordpolicy":"passwordpolicy2"
}
},
{
"modification":{
"shared":"false"
}
}
}
}
Where:
accountUID is the account's unique identifier.
modifications are an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
Use this API to remove an account.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID
Method: DELETE
Content-Type: NA
Body: NA
Returns on Success: Status code 200
Where:
accountUID is the account's unique identifier.
Use this API to remove a user's access or a role's access to an account. You can revoke multiple user and role grants at a time.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}
Method: PUT
Content-Type: application/json
Body: JSON representation for removing grantees
Returns on Success: Status code 200
Example B-59 Sample JSON Representation for Removing Grantees
{
"modifications":[
{
"modification":{
"usagepolicy":"usagepolicy1",
"role":"opamgroup1",
"operation":"delete"
}
},
{
"modification":{
"usagepolicy":"usagepolicy1",
"user":"opamuser1",
"operation":"delete"
}
}
]
}
Where:
accountUID is the account's unique identifier.
modifications are an array of modification JSON objects.
modification is a JSON object representing a single modification.
role indicates that a group has to be granted an access. This parameter value is the group name.
user indicates that a user has to be granted an access. This parameter value is the user login id.
usagepolicy indicates the Usage Policy identifier to be applied to the grant.
operation indicates the type of operation to be performed. Acceptable values include:
add indicates a grant.
delete indicates a revocation.
replace indicates the replacement of the usagepolicy with a new value.
Use this API to retrieve and display the password associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpassword
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of account token
Example B-60 Sample JSON Representation of Account Token
{
"accountToken":{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"accountPassword":"GJN8p2ol"
}
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
accountPassword is the account password.
Note:
This API has been deprecated. Oracle recommends that you use the Show Password API in Section B.7.20, "Show Password."Use this API to retrieve and display the password associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpassword
Method: PUT
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of account token
Example B-61 Sample JSON Representation of Account Token
{
"accountToken":{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"accountPassword":"GJN8p2ol"
}
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
accountPassword is the account password.
Use this API to retrieve and display the password history associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpasswordhistory
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of account token
Example B-62 Sample JSON Representation of Account Token
{
"accountName": "opamuser1",
"accountUID": "c1b054ed0f984e27bd68b8c28b985801",
"passwordHistory": [
{
"accountPassword": "M7aGfNOR",
"modificationTime": "1382996686"
},
{
"accountPassword": "Dr3z5AGa",
"modificationTime": "1382996412"
}
]
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
passwordHistory is the account password history.
accountPassword is the account password.
modificationTime is the time (in UTC seconds) when the password was modified.
Note:
This API has been deprecated. Oracle recommends that you use the Show Password History API in Section B.7.22, "Show Password History."Use this API to retrieve and display the password history associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpasswordhistory
Method: PUT
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of account token
Example B-63 Sample JSON Representation of Account Token
{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"passwordHistory": [{
"accountPassword": "Ud2fykRx",
"modificationTime": "2013-01-27 19:36:32.952"
}, {
"accountPassword": "jgs21Z8w",
"modificationTime": "2013-01-27 19:37:02.449"
}, {
"accountPassword": "I3jDRaZb",
"modificationTime": "2013-01-27 19:37:19.488"
}, {
"accountPassword": "5VfKaYZT",
"modificationTime": "2013-01-28 00:22:37.331"
}]
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
passwordHistory is the account password history.
accountPassword is the account password.
modificationTime is the time when the password was modified.
Use this API to reset the password on the account.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/resetpassword
Method: GET
Content-Type: application/json
Body: JSON representation of the new password
Returns on Success: Status code 200
Example B-64 Sample JSON Representation of the New Password
{
"password":"password1"
}
Or,
{
"autogen":"true"
}
Where:
accountUID is the account's unique identifier.
password is the password assigned to the account.
autogen is the a flag that controls whether to generate a password automatically or not. The default value if this flag is false.
The APIs described in this section include:
Note:
This API has been deprecated. Oracle recommends that you use the Search Accounts API in Section B.7, "Account Resource."Use this API to search accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/ui/allaccounts/search?param1=val1¶m2=val2
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account collection
Example B-65 Sample JSON Representation of Account Collection
{
"AccountCollection" : [
{
"account" : {
"shared" : false,
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson1",
"uri" : "https://localhost:7002/opam/account/35e2709edf0443edae8f67727d937bec",
"accountUID" : "35e2709edf0443edae8f67727d937bec"
}
},
{
"account" : {
"shared" : false,
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson10",
"uri" : "https://localhost:7002/opam/account/0a1ee2cb17e345cdb537a2f05e11e93c",
"accountUID" : "0a1ee2cb17e345cdb537a2f05e11e93c"
}
}
],
"count" : 2
}
For all other attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Note:
This API has been deprecated. Oracle recommends that you use the Section B.7.6, "Search Assigned Accounts" API in Section B.7, "Account Resource."Use this API to search assigned accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
URI: https://opam_server_host:opam_ssl_port/opam/ui/myaccounts/search?param1=
val1¶m2=val2
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account collection
Example B-66 Sample JSON Representation of Account Collection
{
"AccountCollection" : [
{
"account" : {
"status" : "checkedIn",
"shared" : false,
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"domain" : "needtofix",
"targetName" : "ldap1_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "person1",
"uri" : "https://localhost:7002/opam/account/0d755f646bcf4fa08ca515ed3829aadf",
"accountUID" : "0d755f646bcf4fa08ca515ed3829aadf"
}
},
{
"account" : {
"status" : "checkedIn",
"shared" : false,
"targetUID" : "62bcfb98f95174ad1900ea2535989b53",
"domain" : "needtofix",
"targetName" : "ldap1_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "person2",
"uri" : "https://localhost:7002/opam/account/62c684c3821f4e118790e815ee881e02",
"accountUID" : "62c684c3821f4e118790e815ee881e02"
}
}
],
"count" : 2
}
Where "status" indicates whether the requesting user has checked out the account or not.
For all other attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Note:
This API has been deprecated. Oracle recommends that you use the Get All Checked Out Accounts API in Section B.7, "Account Resource."Use this API to retrieve a list of all accounts that have been checked out by the logged in user.
URI: https://opam_server_host:opam_ssl_port/ui/allaccounts/mycheckedout
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of account collection
Example B-67 Sample JSON Representation of Account Collection
{
"AccountCollection":[
{
"account":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\
/3740553e999a4f6aa8e8f9286d320cb4",
"accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
"accountName":"sherlock",
"status":"checkedOut",
"targetUID":"62bcfb98f95174ad1900ea2535989b53",
"targetName":"ldap1-target",
"targetType":"ldap",
"domain":"berkeley",
"expiryTime":1338765551,
},
"count":1
}
]
}
For attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Use this API to retrieve the checked-out accounts distribution or retrieve checkout distribution.
URI: https://opam_server_host:opam_ssl_port/opam/ui/report/usage/
checkedoutdistribution? para1=value1¶2=value2¶3=value3
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of checked out accounts distribution
Example B-68 Example JSON Output of Checked Out Accounts Distribution
{
"CheckoutDistribution": [
{
"ldap": 3
},
{
"lockbox": 2
},
{
"unix": 1
}
]
}
Where:
org is the target organization. For example, enter org=ldap to search only LDAP organizations, or enter org = null to search all organizations.
type is the checkout type. For example, enter
type = password checkout for password checkout distribution.
type = session checkout for session checkout distribution.
type =null defaults to password checkout.
dis_type is the distribution type. For example, enter
dis_type = checkout for password or session checkout distribution.
dis_type = account (Default) for account distribution. If you specify this parameter, then Oracle Privileged Account Manager automatically ignores the (preceding) type parameter.
Use this API to retrieve checked-out account information.
URI: https://opam_server_host:opam_ssl_port/opam/ui/report/usage/checkedoutaccounts
Method: GET
Content-Type: application/json
Body: NA
Returns on Success: Status code 200 and JSON representation of checked out checkout distribution
Example B-69 Example JSON Output of Checked Out Account Information
{
"CheckedoutAccountCollection":
[
{
"accountUID": "62bcfb98f95174ad1900ea2535989b53",
"targetUID": "62bcfb98f95174ad1900ea2535989b53",
"accountName": "OPAM_DB_ACC1",
"targetName": "OPAM_DB_ACC1",
"targetType": "database",
"host": "adc6170584"
},
{
"accountUID": "a044bd2aec7de5d70d73f97645db9191",
"targetUID": "a044bd2aec7de5d70d73f97645db9191",
"accountName": "cluser1",
"targetName": "cluser1",
"targetType": "ldap",
"host": "myhost.us.example.com"
}
]
}
The APIs described in this section include:
Use this API to retrieve a user.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/user/{uid}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of user
Example B-70 Sample JSON Representation of User
{
"user":{
"uid":"opamuser1",
"lastname":"opamuser1",
"usertype":"End-User",
"opamrole":[
],
"dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain",
}
}
Where:
uid is the login ID of the user.
lastname is the last name of the user.
firstname is the first name of the user.
dn is the distinguished name of the user.
usertype indicates whether the user has an Administrative Role.
opamrole is the user's Admin Role.
Use this API to retrieve all of the accounts granted to a user.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/user/{uid}/accounts
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of accounts collection
Example B-71 Sample JSON Representation of Accounts Collection
{
"accounts":[
{
"account":{
"accountUID":"16d245784350469cbe25229a7c45af22",
"accountName":"oidperson10",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
},
{
"account":{
"accountUID":"47671a7a4ebc44c496888aac5423dad1",
"accountName":"oudperson11",
"targetID":"488d6d656b2c4b96a5fd835c131b4c00",
"targetName":"oud_11.115_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
}
]
}
For attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Use this API to search for users. This API searches for the searchKeyWord in firstname, lastname, uid, and mail of the user.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/user/search/{searchKeyWord}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of users
Example B-72 Sample JSON Representation of Users
{
"users":[
{
"user":{
"uid":"opamenduser1",
"firstname":"opamenduser1",
"lastname":"opamenduser1",
"dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamenduser2",
"lastname":"opamenduser2",
"dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamuser1",
"lastname":"opamuser1",
"dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
}
}
]
}
For attribute definitions, refer to Section B.9.1, "Get a User."
Use this API to search for users. This API is contains a search with the uid parameter.
The uid parameter is optional.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/user/advancedsearch?param1=val1¶m2=val2
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of users
Example B-73 Sample JSON Representation of Users
{
"users":[
{
"user":{
"uid":"OracleSystemUser",
"lastname":"OracleSystemUser",
"dn":"uid=OracleSystemUser,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"weblogic",
}
},
{
"user":{
"uid":"app_config",
"lastname":"app_config",
"dn":"uid=app_config,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"sec_admin",
"lastname":"sec_admin",
"dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"user_manager",
"lastname":"user_manager",
"dn":"uid=user_manager,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"sec_auditor",
"lastname":"sec_auditor",
"dn":"uid=sec_auditor,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamenduser1",
"firstname":"opamenduser1",
"lastname":"opamenduser1",
"dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamenduser2",
"lastname":"opamenduser2",
"dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamuser1",
"lastname":"opamuser1",
"dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
}
}
]
}
For attribute definitions, refer to Section B.9.1, "Get a User."
The APIs described in this section include:
Use this API to retrieve a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/group/{name}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of group
Example B-74 Sample JSON Representation of Group
{
"group":{
"name":"opamgroup1",
"dn":"cn=opamgroup1,ou=groups,ou=myrealm,dc=base_domain",
"description":"",
}
}
Where:
name is the name of the group.
dn is the distinguished name of the group.
description is a description of the group.
Use this API to retrieve the user members of a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/group/{name}/users
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of user collection
Example B-75 Sample JSON Representation of User Collection
{
"users":[
{
"user":{
"uid":"master_user",
"lastname":"master_user",
"dn":"uid=master_user,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"sec_admin",
"lastname":"sec_admin",
"dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
}
}
]
}
For attribute definitions, refer to Section B.9.1, "Get a User."
Use this API to retrieve the group members of a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/group/{name}/groups
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of group collection
Example B-76 Sample JSON Representation of Group Collection
{
"groups":[
{
"group":{
"name":"CrossDomainConnectors",
"description":"CrossDomainConnectors can make inter-domain calls from foreign domains."
}
},
{
"group":{
"name":"Deployers",
"description":"Deployers can view all resource attributes and deploy applications."
}
}
]
}
For attribute definitions, refer to Section B.10.1, "Get Group."
Use this API to retrieve the all of the accounts granted to a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/group/{name}/accounts
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and representation of accounts collection
Example B-77 Sample JSON Representation of Accounts Collection
{
"accounts":[
{
"account":{
"accountUID":"16d245784350469cbe25229a7c45af22",
"accountName":"oidperson10",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
},
{
"account":{
"accountUID":"47671a7a4ebc44c496888aac5423dad1",
"accountName":"oudperson11",
"targetID":"488d6d656b2c4b96a5fd835c131b4c00",
"targetName":"oud_11.115_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
}
]
}
For attribute definitions, refer to Section B.6, "Target Resource" and Section B.7, "Account Resource."
Use this API to search for groups. This API searches for the searchKeyWord in the group names.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/group/search/{searchKeyWord}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of groups
Example B-78 Sample JSON Representation of Groups
{
"groups":[
{
"group":{
"name":"opamgroup1",
"description":"",
}
},
{
"group":{
"name":"opamgroup2",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup1",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup2",
"description":"",
}
},
{
"group":{
"name":"OPAM_APPLICATION_CONFIGURATOR",
"description":"OPAM_APPLICATION_CONFIGURATOR",
}
},
{
"group":{
"name":"OPAM_SECURITY_ADMIN",
"description":"OPAM_SECURITY_ADMIN",
}
},
{
"group":{
"name":"OPAM_SECURITY_AUDITOR",
"description":"OPAM_SECURITY_AUDITOR",
}
},
{
"group":{
"name":"OPAM_USER_MANAGER",
"description":"OPAM_USER_MANAGER",
}
}
]
}
For attribute definitions, refer to Section B.10.1, "Get Group."
Use this API to search for groups who have been assigned an account. The request parameter is groupname, which is optional.
Note:
You must be an administrator with the User Manager Admin Role to use this API.URI: https://opam_server_host:opam_ssl_port/opam/group/advancedsearch?param1=val1¶m2=val2.
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of groups
Example B-79 Sample JSON Representation of Groups
{
"groups":[
{
"group":{
"name":"opamgroup1",
"description":"",
}
},
{
"group":{
"name":"opamgroup2",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup1",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup2",
"description":"",
}
},
{
"group":{
"name":"OPAM_APPLICATION_CONFIGURATOR",
"description":"OPAM_APPLICATION_CONFIGURATOR",
}
},
{
"group":{
"name":"OPAM_SECURITY_ADMIN",
"description":"OPAM_SECURITY_ADMIN",
}
},
{
"group":{
"name":"OPAM_SECURITY_AUDITOR",
"description":"OPAM_SECURITY_AUDITOR",
}
},
{
"group":{
"name":"OPAM_USER_MANAGER",
"description":"OPAM_USER_MANAGER",
}
}
]
}
For attribute definitions, refer to Section B.10.1, "Get Group."
The APIs described in this section include:
Use this API to create a resource group.
Note:
You must be an administrator with the Security Administrator Admin Role to create resource groups.
If you have been delegated the Security Administrator Admin Role, you can use this API to create resource groups under delegated resource groups by using the memberof option.
URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup
Method: POST
Content-Type: application/json
Body: JSON representation of the resource group to be added
Returns on Success: Status code 200 and JSON Representation of Connector Server
Returns on Failure: NA
Example B-80 Sample JSON Representation of a Resource Group
{
"resourcegroup": {
"resourcegroupname":"rg1",
"description":"this is the description of the resource group"
}
}
{
"resourcegroup":{
"resourcegroupname":"rg1",
"description":"this is a resource group",
"members":[
{
"member":{
"memberid":"26894a8fadc8448b9bf01eb6f52402c1",
"membertype":"account"
}
},
{
"member":{
"memberid":"fcc6ec6530174fcb94b066e3dc1469e4",
"membertype":"account"
}
},
{
"member":{
"memberid":"0542ef9600e6479a8597ec1f8479276e",
"membertype":"resourcegroup"
}
},
{
"member":{
"memberid":"fc142a16c1c04148923049c8798abfdb",
"membertype":"target"
}
}
]
}
}
Where:
org is the target organization (org = null is search all organizations.)
type is the password checkout or session checkout. Use this parameter to specify password checkout distribution or session checkout distribution. (type=null is default for password checkout.)
dis_type is distribution type, either checked-out account distribution or checkout distribution. (Default is account distribution). You can use dis_type = checkout to choose password or session checkout distribution and dis_type = account automatically ignores the preceding parameter type.
Use this API to search for a resource group.
Note:
You must be an administrator with the Security Administrator Admin Role to search for resource groups.URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup/{resourcegroupUID}
Method: NA
Content-Type: NA
Body: NA
Returns on Success: NA
Returns on Failure: NA
Use this API to view a resource group.
Note:
You must be an administrator with the Security Administrator Admin Role or the User Manager Admin Role to view resource groups.URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup/{resourcegroupUID}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of the resource group
Returns on Success: NA
Example B-81 Sample JSON Representation of a Resource Group
{
"resourcegroup":{
"resourcegroupid":"ae43b6e6dd664ee1b8a547f44f3278e8",
"resourcegroupname":"rg1",
"description":"updated description for rg1",
"members":[
{
"member":{
"memberid":"26894a8fadc8448b9bf01eb6f52402c1",
"membername":"a1",
"membertype":"account"
}
},
{
"member":{
"memberid":"fcc6ec6530174fcb94b066e3dc1469e4",
"membername":"a2",
"membertype":"account"
}
},
{
"member":{
"memberid":"0542ef9600e6479a8597ec1f8479276e",
"membername":"rg2",
"membertype":"resourcegroup"
}
},
{
"member":{
"memberid":"f433674a53c448f9ae820f12995ba51d",
"membername":"t1",
"membertype":"target"
}
}
]
}
}
Use this API to update a resource group (for example modify the description or add and remove members in the resource group).
Note:
You must be an administrator with the Security Administrator Admin Role to update resource groups.URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup/{resourcegroupUID}
Method: PUT
Content-Type: application/json
Body: JSON representation of resource group modification
Returns on Success: Status code 200
Example B-82 Sample JSON Representation of a Resource Group Modification
{
"modifications":[
{
"modification":{
"description":"updated description"
}
},
{
"modification":{
"members":{
"operation":"add",
"memberid":"1001",
"membertype":"account"
}
}
},
{
"modification":{
"members":{
"operation":"delete",
"memberid":"1001"
}
}
}
]
}
Use this API to delete a resource group.
Note:
You must be an administrator with the Security Administrator Admin Role to delete resource groups.URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup/{resourcegroupUID}
Method: DELETE
Content-Type: NA
Body: NA
Returns on Success: Status code 200
Returns on Failure: NA
Use this API to create a delegation on a resource group.
Note:
You must be an administrator with the Security Administrator Admin Role to create or delete a resource group delegation.URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup/{resourcegroupUID}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200
Returns on Failure NA
Example B-83 Sample JSON Representation of a Resource Group
{
"modifications":[
{
"modification":{
"delegations":{
"operation":"add",
"delegatee":"opam_user1",
"delegatee_type":"user",
"privilege":"security_admin"
}
}
},
{
"modification":{
"delegations":{
"operation":"add",
"delegatee":"opam_admins",
"delegatee_type":"role",
"privilege":"user_manager"
}
}
},
{
"modification":{
"delegations":{
"operation":"delete",
"delegatee":"opam_user2",
"delegatee_type":"user",
"privilege":"security_admin"
}
}
}
]
}
Use this API to view the delegations on a resource group.
Note:
You must be an administrator with the Security Administrator Admin Role to view resource group delegations.URI: https://opam_server_host:opam_ssl_port/opam/resourcegroup/{resourcegroupUID}/
delegations
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of the resource group
Returns on Failure: NA
Example B-84 Sample JSON Representation of Delegations on a Resource Group
{
"resourcegroup":{
"resourcegroupid":"139b052b2d1649aa89964b4bafd2476a",
"resourcegroupname":"rg2",
"description":"updated description for rg1",
"delegations":[
{
"delegation":{
"delegatee":"opam_user1",
"delegatee_type":"user",
"privilege":"security_admin"
}
},
{
"delegation":{
"delegatee":"opam_user2",
"delegatee_type":"user",
"privilege":"security_admin"
}
},
{
"delegation":{
"delegatee":"opam_admins",
"delegatee_type":"role",
"privilege":"user_manager"
}
}
]
}
}
The APIs described in this section include:
Use this API to add a plug-in configuration.
URI: https://opam_server_host:opam_ssl_port/opam/plugin
Method: POST
Content-Type: application/json
Body: JSON representation of plug-in
Returns on Success: Status code 201 and Location
Returns on Error: NA
Example B-85 Sample JSON Representation of Plug-In Configuration Creation
{
"plugin": {
"pluginName":"sampleplugin"
"pluginDescription":"Sample Plugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginCustomAttrs":[
{
"pluginCustomAttr": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}
}
https://opam_server_host:opam_ssl_port/opam/plugin/9bbcbbb087174ad1900ea691a2573b61
Use this API to validate a plug-in configuration, which includes
Testing the uniqueness of the pluginName
Testing the uniqueness of the pluginResource, pluginOperation, pluginOrder combination
Validating attributes and allowed values
Validating the loading of pluginClassName using the pluginClassPath
The API is as follows:
URI: https://opam_server_host:opam_ssl_port/opam/plugin/test
Method: PUT
Content-Type: application/json
Body: JSON representation of plug-in
Returns on Success: Status code 200
Returns on Error: NA
Example B-86 Sample JSON Representation of Plug-In Configuration for Verification
{
"plugin": {
"pluginUID":"9bbcbbb087174ad1900ea691a2573b61"
"pluginName":"sampleplugin"
"pluginDescription":"Sample Plugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginCustomAttrs":[
{
"pluginCustomAttr": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}
}
Use this API, with any of the following parameters, to search for plug-in configurations:
Name
Description
Enabled
Resource
Operation
Timing
The API is as follows:
URI: https://opam_server_host:opam_ssl_port/opam/plugin
/search?param1=value1¶m2=value2
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of plug-in collection
https://opam_server_host:opam_ssl_port/opam/plugin
/search?name=email&enabled=true&timing=post
Example B-87 Sample JSON Representation of Plug-In Collection
{"pluginCollection": [
{"plugin": {
"pluginUID":"9bbcbbb087174ad1900ea691a2573b61"
"pluginDescription":"Sample Plugin"
"pluginName":"sampleplugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginCustomAttrs":[
{
"pluginCustomAttr": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}}
]
}
Use this API to retrieve a plug-in configuration.
URI: https://opam_server_host:opam_ssl_port/opam/plugin
/plugin/{pluginUID}
Method: GET
Content-Type: NA
Body: NA
Returns on Success: Status code 200 and JSON representation of a plug-in
Example B-88 Sample JSON Representation of Plug-In
{
"plugin": {
"pluginUID":"9bbcbbb087174ad1900ea691a2573b61"
"pluginName":"sampleplugin"
"pluginDescription":"Sample Plugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginCustomAttrs":[
{
"pluginCustomAttr": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}
}
Use this API to update a plug-in configuration.
URI: https://opam_server_host:opam_ssl_port/opam/plugin/{pluginUID}
Method: PUT
Content-Type: application/json
Body: JSON representation of a plug-in modification
Returns on Success: Status code 200