Remove Users' Role Assignment (v1)

Removes one role currently assigned to the users (including the user who invokes this API) whose login IDs are included in the ANSI or UTF-8 encoded CSV file that is used with this command. Before running this API, upload the file to the environment using the Upload REST API. The file should be deleted after the API executes. With this API, you can see which records failed and the reason why they failed in addition to how many records passed and failed.

Use double quotation marks to enclose role names that contain the space character.

The API is asynchronous and returns the Job ID. The presence of status -1 in the response indicates that the removal of role assignments is in progress. Use the job status URI to determine whether unassigning roles is complete. Any non-zero status except -1 indicates failure of unassigning roles.

This API is version v1.

Required Roles

For predefined roles:

Classic environments: Identity Domain Administrator and any predefined role (Service Administrator, Power User, User, or Viewer)

OCI environments: Service Administrator, or Identity Domain Administrator and any predefined role (Power User, User, or Viewer)

For application roles:

Service Administrator or Access Control Manager

Table 12-20 Tasks for Unassign Users to Roles

Task	Request	REST Resource
Unassign role	PUT	`/interop/rest/security/<api_version>/users`
Unassign role status	GET	`/interop/rest/security/<api_version>/jobs/<jobid>`

REST Resource

PUT /interop/rest/security/<api_version>/users

Supported Media Types: application/x-www-form-urlencoded

Note:

Before using the REST resources, you must understand how to access the REST resources and other important concepts. See Implementation Best Practices for EPM Cloud REST APIs. Using this REST API requires prerequisites. See Prerequisites.

The following table summarizes the PUT request parameters.

Table 12-21 Parameters

Name	Description	Type	Required	Default
`api_version`	Specific API version	Path	Yes	None
`jobtype`	UNASSIGN_ROLE	Form	Yes	None
`filename`	The name of the ANSI or UTF-8 encoded CSV file containing the users whose role assignment is to be revoked, such as `unssignRole.csv`. The CSV file must have been uploaded already using the Upload REST API. The CSV file should not include the account of the user who executes this command. File format example: `User Login <email> <FirstName2.LastName2>`	Form	Yes	None
`rolename`	The name of a pre-defined or application role applicable to the service. An incorrect role name will result in an error. It identifies one of the following: If you are removing users from a pre-defined role, roleName should identify a pre-defined role applicable to the service. See Understanding Predefined Roles in Getting Started with Oracle Enterprise Performance Management Cloud for Administrators. Acceptable values for services other than Oracle Enterprise Data Management Cloud: Service Administrator Power User User (do not use Planner, which was used in earlier versions of the service) Viewer Acceptable values for Oracle Enterprise Data Management Cloud: Service Administrator User If you are removing users from an application role, roleName should identify an application role listed in the assign roles tab of Access Control. Acceptable values for Oracle Planning, Oracle Planning Modules, Oracle Financial Consolidation and Close, Sales Planning, Strategic Workforce Planning, and Oracle Tax Reporting applications: Approvals Administrator Approvals Ownership Assigner Approvals Process Desiger Approvals Supervisor Ad Hoc Grid Creator Ad Hoc User Ad Hoc Read Only User Calculation Manager Administrator Create Integration Drill Through Run Integration Mass Allocation Task List Access Manager Acceptable values for Account Reconciliation applications: Manage Alert Types Manage Announcements Manage Data Loads Manage Organizations Manage Periods Manage Profiles and Reconciliations Reconciliation Manage Currencies Reconciliation Manage Public Filters and Lists Reconciliation Manage Reports Reconciliation Manage Teams Reconciliation Manage Users Reconciliation Commentator Reconciliation Preparer Reconciliation Reviewer Reconciliation View Jobs Reconciliation View Profiles View Audit View Periods Acceptable values for Oracle Enterprise Data Management Cloud applications: Application Creator Auditor View Creator Acceptable values for Oracle Enterprise Profitability and Cost Management applications: Ad Hoc Grid Creator Ad Hoc Read Only User Ad Hoc User Clear POV Data Copy POV Data Create/Edit Rule Create Integration Create Model Create POV Create Profit Curve Delete Calculation History Delete Model Delete POV Delete Rule Drill Through Edit POV Status Edit Profit Curve Mass Edit of Rules Run Calculation Run Integration Run Profit Curve Run Rule Balancing Run Trace Allocation Run Validation View Calculation History View Model For a description of these roles, see Managing Role Assignments at the Application Level in Administering Access Control for Oracle Enterprise Performance Management Cloud.	Form	Yes	None

Response

Supported Media Types: application/json

Table 12-22 Parameters

Name	Description
`details`	In the case of errors, details are published with the error string
`status`	See Migration Status Codes
`links`	Detailed information about the link
`href`	Links to API call or status API
`action`	The HTTP call type
`rel`	Possible values: `self` or `Job Status`. If the value is set to `Job Status`, you can use the href to get the status
`data`	Parameters as key value pairs passed in the request
`items`	Details about the resource
`links`	Details of the first URL to be requested to get the job details; rel is Job Details

Examples of the Response Body in JSON format

Example 1, when the job is in progress

{
  "links": [
    {
      "rel": "self",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/users",
      "data": {
        "jobtype": "UNASSIGN_ROLE",
        "filename": "<fileName>",
        "rolename": "<roleName>"
      },
      "action": "PUT"
    },
    {
      "rel": "Job Status",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/jobs/<jobid>",
      "data": null,
      "action": "GET"
    }
  ],
  "details": null,
  "status": -1,
  "items": null
}

Example 2, when the job completes with errors

{
  "links": [
    {
      "rel": "self",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com /interop/rest/security/<api_version>/jobs/<jobid>",
      "data": null,
      "action": "GET"
    }
  ],
  "details": "Failed to unassign role for users. Input file <filename> is not found. Specify a valid file name.",
  "status": 1,
  "items": null
}

Example 3, when the job completes without errors

{
  "links": [
    {
      "rel": "self",
      "href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com /interop/rest/security/<api_version>/jobs/<jobid>",
      "data": null,
      "action": "GET"
    }
  ],
  "details": "Processed - 3, Succeeded - 2, Failed - 1.",
  "status": 0,
  "items": [
    {
				"UserName":"<USERNAME>","Error_Details": "User <USERNAME> is not found. Verify that the user exists."
    }
  ]
}

Example 12-5 Java Sample Code

Prerequisites: json.jar

Common Functions: See CSS Common Helper Functions for Java

public void unassignRole(String fileName, String roleName) {
		try {
			String url = this.serverUrl + "/interop/rest/security/" + apiVersion + "/users";
			Map<String, String> reqHeaders = new HashMap<String, String>();
			reqHeaders.put("Authorization", "Basic " + DatatypeConverter
					.printBase64Binary((this.userName + ":" + this.password).getBytes(Charset.defaultCharset())));

			Map<String, String> reqParams = new HashMap<String, String>();
			reqParams.put("filename", fileName);
			reqParams.put("jobtype", "UNASSIGN_ROLE");
			reqParams.put("rolename", roleName);

			Map<String, String> restResult = CSSRESTHelper.callRestApi(new HashMap(), url, reqHeaders, reqParams,
					"PUT");
			String jobStatus = CSSRESTHelper.getCSSRESTJobCompletionStatus(restResult, reqHeaders);
			System.out.println(jobStatus);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}

Example 12-6 Shell Script Sample Code

Prerequisites: jq (http://stedolan.github.io/jq/download/linux64/jq)

Common Functions: See CSS Common Helper Functions for cURL.

funcUnassignRole() {
        url="$SERVER_URL/interop/rest/security/$API_VERSION/users"
        params="filename=$1&jobtype=UNASSIGN_ROLE&rolename=$2"
        header="Content-Type: application/x-www-form-urlencoded;charset=UTF-8"
        cssRESTAPI="UnassignRole"
        statusMessage=$(funcCSSRESTHelper "PUT" "$url" "$header" "$USERNAME" "$PASSWORD" "$params" "$cssRESTAPI")
        echo $statusMessage
}

Groovy Sample Code

Common Functions: See CSS Common Helper Functions for Groovy.

def unassignUsersRoles(fileName, roleName) {

	String scenario = "Un-assigning users in " + fileName + " with role " + roleName;
	String params = "jobtype=UNASSIGN_ROLE&filename="+ fileName +"&rolename="+ roleName;
	def url = null;
	def response = null;
	try {
		url = new URL(serverUrl + "/interop/rest/security/" + apiVersion + "/users");
	} catch (MalformedURLException e) {
		println "Please enter a valid URL"
		System.exit(0);
	}
	response = executeRequest(url, "PUT", params, "application/x-www-form-urlencoded");
	if (response != null) {
		getJobStatus(getUrlFromResponse(scenario, response, "Job Status"), "GET");
	}
}

Sample cURL Command Basic Auth

curl -X PUT -s -u '<USERNAME>:<PASSWORD>' -H
'Content-Type: application/x-www-form-urlencoded' -d
'jobtype=UNASSIGN_ROLE&filename=<CSV-FILE-NAME>&rolename=<ROLENAME>'
'https://<EPM-CLOUD-BASE-URL>/interop/rest/security/v1/users'

Sample cURL Command OAuth 2.0

curl -X PUT --header "Authorization: Bearer <OAUTH_ACCESS_TOKEN>" -H
'Content-Type: application/x-www-form-urlencoded' -d
'jobtype=UNASSIGN_ROLE&filename=<CSV-FILE-NAME>&rolename=<ROLENAME>'
'https://<EPM-CLOUD-BASE-URL>/interop/rest/security/v1/users'