Remove Users' Role Assignment

Removes one role currently assigned to the users whose login IDs are included in the ANSI or UTF-8 encoded CSV file that is used with this command. Before running this API, upload the file to the environment using the Upload REST API. The file should be deleted after the API executes.

Only Service Administrators who are also assigned to the Identity Domain Administrator role in the identity domain can run this command to revoke pre-defined role assignments. Only a Service Administrator can run this command to revoke application role assignments. The CSV file should not include the account of the user who executes this command. Use double quotation marks to enclose role names that contain the space character.

The API is asynchronous and returns the Job ID. The presence of status -1 in the response indicates that the removal of role assignments is in progress. Use the job status URI to determine whether unassigning roles is complete. Any non-zero status except -1 indicates failure of unassigning roles.

This REST API is version v1.

Table 8-11 Tasks for Unassign Users to Predefined Roles

Task Request REST Resource
Unassign role PUT /interop/rest/security/<api_version>/users
Unassign role status GET /interop/rest/security/<api_version>/jobs/<jobid>

REST Resource

PUT /interop/rest/security/<api_version>/users

Supported Media Types: application/json

Parameters:

The following table summarizes the PUT request parameters.

Table 8-12 Parameters

Name Description Type Required Default
api_version Specific API version Path Yes None
jobtype UNASSIGN_ROLE Path Yes None
filename

The name of the ANSI or UTF-8 encoded CSV file containing the users whose role assignment is to be revoked, such as unssignRole.csv.

The CSV file must have been uploaded already using the Upload REST API. The CSV file should not include the account of the user who executes this command.

File format example:

User Login
FirstName1.LastName1@email.com 
FirstName2.LastName2
Form Yes None
roleName

The name of a pre-defined role applicable to the service. An incorrect role name will result in an error.

ROLE identifies one of the following:
  • If you are assigning users to pre-defined identity domain roles, ROLE should identify a pre-defined role applicable to the service. See Understanding Predefined Roles in Getting Started with Oracle Enterprise Performance Management Cloud for Administrators.
  • Acceptable values for Oracle Planning and Budgeting Cloud, Oracle Enterprise Planning and Budgeting Cloud, Oracle Financial Consolidation and Close Cloud, and Oracle Tax Reporting Cloud:
    • Service Administrator
    • Power User
    • User (do not use Planner, which was used in earlier versions of the service)
    • Viewer
  • Acceptable values for Oracle Enterprise Data Management Cloud:
    • Service Administrator
    • User
  • If you are assigning users to an application role, ROLE should identify an application role listed in the assign roles tab of Access Control. Acceptable values for Oracle Planning and Budgeting Cloud, Oracle Enterprise Planning and Budgeting Cloud, Oracle Financial Consolidation and Close Cloud, and Oracle Tax Reporting Cloud applications:
    • Approvals Administrator
    • Approvals Ownership Assigner
    • Approvals Process Designer
    • Approvals Supervisor
    • Ad Hoc Grid Creator
    • Ad Hoc User
    • Ad Hoc Read Only User
    • Calculation Manager Administrator
    • Create Integration
    • Drill Through
    • Run Integration
    • Mass Allocation
    • Task List Access Manager
  • Acceptable values for Oracle Enterprise Data Management Cloud applications:
    • Application Creator
    • View Creator

For a description of these roles, see Managing Role Assignments at the Application Level in Administering Access Control for Oracle Enterprise Performance Management Cloud.

Form Yes None

Response

Supported Media Types: application/json

Parameters:

Table 8-13 Parameters

Name Description
details In the case of errors, details are published with the error string
status See Migration Status Codes
links Detailed information about the link
href Links to API call or status API
action The HTTP call type
rel Possible values: self or Job Status. If the value is set to Job Status, you can use the href to get the status of the recreate service
data Parameters as key value pairs passed in the request
items Details about the resource
links Details of the first URL to be requested to get the job details; rel is "Job Details"

Examples of the Response Body in JSON format

Example 1, when the job is in progress

{
  "links": [
    {
      "rel": "self",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/users”,
      "data": {
        "jobtype": "UNASSIGN_ROLE",
        "filename": "<fileName>",
        "rolename": "<roleName>"
      },
      "action": "PUT"
    },
    {
      "rel": "Job Status",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/jobs/<jobid>",
      "data": null,
      "action": "GET"
    }
  ],
  "details": null,
  "status": -1,
  "items": null
}

Example 2, when the job completes with errors

{
  "links": [
    {
      "rel": "self",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com /interop/rest/security/<api_version>/jobs/<jobid>",
      "data": null,
      "action": "GET"
    }
  ],
  "details": " Failed to unassign role for users. File <filename> is not found. Please provide a valid file name.",
  "status": 1,
  "items": null
}

Example 3, when the job completes without errors

{
  "links": [
    {
      "rel": "self",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com /interop/rest/security/<api_version>/jobs/<jobid>",
      "data": null,
      "action": "GET"
    }
  ],
  "details": "Processed - 3, Succeeded - 2, Failed - 1.",
  "status": 0,
  "items": null
}

Example 8-5 Java Sample Code

Prerequisites: json.jar

Common Functions: See CSS Common Helper Functions for Java

public void unassignRole(String fileName, String roleName) {
		try {
			String url = this.serverUrl + "/interop/rest/security/" + apiVersion + "/users";
			Map<String, String> reqHeaders = new HashMap<String, String>();
			reqHeaders.put("Authorization", "Basic " + DatatypeConverter
					.printBase64Binary((this.userName + ":" + this.password).getBytes(Charset.defaultCharset())));

			Map<String, String> reqParams = new HashMap<String, String>();
			reqParams.put("filename", fileName);
			reqParams.put("jobtype", "UNASSIGN_ROLE");
			reqParams.put("rolename", roleName);

			Map<String, String> restResult = CSSRESTHelper.callRestApi(new HashMap(), url, reqHeaders, reqParams,
					"PUT");
			String jobStatus = CSSRESTHelper.getCSSRESTJobCompletionStatus(restResult, reqHeaders);
			System.out.println(jobStatus);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}

Example 8-6 Shell Script Sample Code

Prerequisites: jq (http://stedolan.github.io/jq/download/linux64/jq)

Common Functions: See CSS Common Helper Functions for cURL.

funcUnassignRole() {
        url="$SERVER_URL/interop/rest/security/$API_VERSION/users"
        params="filename=$1&jobtype=UNASSIGN_ROLE&rolename=$2"
        header="Content-Type: application/x-www-form-urlencoded;charset=UTF-8"
        cssRESTAPI="UnassignRole"
        statusMessage=$(funcCSSRESTHelper "PUT" "$url" "$header" "$USERNAME" "$PASSWORD" "$params" "$cssRESTAPI")
        echo $statusMessage
}

Groovy Sample Code

Common Functions: See CSS Common Helper Functions for Groovy.

def unassignUsersRoles(fileName, roleName) {

	String scenario = "Un-assigning users in " + fileName + " with role " + roleName;
	String params = "jobtype=UNASSIGN_ROLE&filename="+ fileName +"&rolename="+ roleName;
	def url = null;
	def response = null;
	try {
		url = new URL(serverUrl + "/interop/rest/security/" + apiVersion + "/users");
	} catch (MalformedURLException e) {
		println "Please enter a valid URL"
		System.exit(0);
	}
	response = executeRequest(url, "PUT", params, "application/x-www-form-urlencoded");
	if (response != null) {
		getJobStatus(getUrlFromResponse(scenario, response, "Job Status"), "GET");
	}
}