{"info":{"_postman_id":"24108c31-ca17-4451-9829-d4e6bb05aaa3","name":"FIWARE Roles and Permissions","description":"The tutorial explains how to create applications, and how to assign roles and permissions to them.\nIt takes the users and organizations created in the [previous tutorial](https://github.com/Fiware/tutorials.Identity-Management)\nand ensures that only legitimate users will have access to resources.\n\nThe `docker-compose` files for this tutorial can be found on GitHub: \n\n![GitHub](https://fiware.github.io/tutorials.Identity-Management/icon/GitHub-Mark-32px.png) [FIWARE 402: Roles and Permissions](https://github.com/Fiware/tutorials.Roles-Permissions)\n\n# What is Authorization?\n\n> \"No matter what he does, every person on earth plays a central role in the history of the world.\n> And normally he doesn't know it\"\n>\n> — Paulo Coelho (The Alchemist)\n\n\nAuthorization is the function of specifying access rights/privileges to resources related to information\nsecurity. More formally, \"to authorize\" is to define an access policy. In the case of Keyrock, User\naccess is granted based on permissions assigned to a role.\n\nEvery application secured by the **Keyrock** generic enabler can define a set of permissions - i.e.\na set of things that can be done within the application. For example, within the application the ability\nto send a command to unlock a Smart Door could be secured behind an `Unlock Door` permission. 
Similarly\nthe ability to send a command to ring the alarm bell could be secured behind a `Ring Bell` permission,\nand the ability to alter prices could be secured behind a `Price Change` permission.\n\nThese permissions are grouped together in a series of roles - for example `Unlock Door` and `Ring Bell`\ncould both be assigned to the Security role, meaning that Users who are subsequently given that role\nwould gain both permissions.\n\nPermissions can overlap and be assigned to multiple roles - maybe `Ring Bell` is also assigned to the Management\nrole along with `Price Change` and `Order Stock`.\n\nIn turn, users or organizations will be assigned to one or more roles - each user will gain the sum of all the\npermissions for each role they have. For example, if Alice is assigned to both the Management and Security roles,\nshe will gain all four permissions `Unlock Door`, `Ring Bell`, `Price Change` and `Order Stock`.\n\nThe concept of a role is unknown to a user - they only know the list of permissions they have been granted,\nnot how the permissions are split up within the application.\n\nIn summary, permissions are all the possible actions that can be done to resources within an application, whereas roles\nare groups of actions which can be done by a type of user of that application.\n\n\n## Standard Concepts of Identity Management\n\nThe following common objects are found within the **Keyrock** Identity Management database:\n\n* **User** - Any signed-up user able to identify themselves with an eMail and password. Users can be assigned\n rights individually or as a group\n* **Application** - Any securable FIWARE application consisting of a series of microservices\n* **Organization** - A group of users who can be assigned a series of rights. 
Altering the rights of the organization\n affects the access of all users of that organization\n* **OrganizationRole** - Users can either be members or admins of an organization - Admins are able to add and remove users\n from their organization, members merely gain the roles and permissions of an organization. This allows each organization\n to be responsible for their members and removes the need for a super-admin to administer all rights\n* **Role** - A role is a descriptive bucket for a set of permissions. A role can be assigned to either a single user\n or an organization. A signed-in user gains all the permissions from all of their own roles plus all of the roles associated\n to their organization\n* **Permission** - An ability to do something on a resource within the system\n\nAdditionally, two further non-human application objects can be secured within a FIWARE application:\n\n* **IoTAgent** - a proxy between IoT Sensors and the Context Broker\n* **PEPProxy** - a middleware for use between generic enablers challenging the rights of a user.\n\n\nThe relationship between the objects can be seen below:\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/entities.png)\n\n# Prerequisites\n\n## Docker\n\nTo keep things simple both components will be run using [Docker](https://www.docker.com). **Docker** is a\ncontainer technology which allows different components to be isolated in their respective environments.\n\n* To install Docker on Windows follow the instructions [here](https://docs.docker.com/docker-for-windows/)\n* To install Docker on Mac follow the instructions [here](https://docs.docker.com/docker-for-mac/)\n* To install Docker on Linux follow the instructions [here](https://docs.docker.com/install/)\n\n**Docker Compose** is a tool for defining and running multi-container Docker applications. 
A\n[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Entity-Relationships/master/docker-compose.yml) is used to\nconfigure the required services for the application. This means all container services can be brought up in a single\ncommand. Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux users\nwill need to follow the instructions found [here](https://docs.docker.com/compose/install/)\n\n## Cygwin\n\nWe will start up our services using a simple bash script. Windows users should download [cygwin](http://www.cygwin.com/) to provide a\ncommand line functionality similar to a Linux distribution on Windows.\n\n# Architecture\n\nThis introduction will only make use of one FIWARE component - the [Keyrock](http://fiware-idm.readthedocs.io/)\nIdentity Management Generic Enabler. Usage of **Keyrock** alone is insufficient for an application to qualify\n as *“Powered by FIWARE”*. Additionally, user data will be persisted in a **MySQL** database.\n\n\nThe overall architecture will consist of the following elements:\n\n* One **FIWARE Generic Enabler**:\n    * FIWARE [Keyrock](http://fiware-idm.readthedocs.io/) offers a complete Identity Management System including:\n        * An OAuth2 authentication system for Applications and Users\n        * A website graphical front-end for Identity Management Administration\n        * An equivalent REST API for Identity Management via HTTP requests\n\n* One [MySQL](https://www.mysql.com/) database:\n    * Used to persist user identities, applications, roles and permissions\n\n\nSince all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run from exposed ports.\n\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/architecture.png)\n\nThe specific architecture of each section of the tutorial is discussed below.\n\n## Keyrock Configuration\n\n\n```yaml\n  keyrock:\n    image: fiware/idm\n    container_name: fiware-keyrock\n    hostname: keyrock\n    depends_on:\n      - mysql-db\n    ports:\n      - \"3005:3005\"\n      - \"3443:3443\"\n    environment:\n      - DEBUG=idm:*\n      - DATABASE_HOST=mysql-db\n      - IDM_DB_PASS_FILE=/run/secrets/my_secret_data\n      - IDM_DB_USER=root\n      - IDM_HOST=http://localhost:3005\n      - IDM_PORT=3005\n      - IDM_HTTPS_ENABLED=true\n      - IDM_HTTPS_PORT=3443\n      - IDM_ADMIN_USER=alice\n      - IDM_ADMIN_EMAIL=alice-the-admin@test.com\n      - IDM_ADMIN_PASS=test\n    secrets:\n      - my_secret_data\n```\n\nThe `keyrock` container is a web application server listening on two ports:\n\n* Port `3005` has been exposed for HTTP traffic so we can display the web page and interact with the REST API.\n* Port `3443` has been exposed for secure HTTPS traffic for the website and REST API.\n\n> **Note** HTTPS should be used throughout for any secured application, but to do this properly,\n> **Keyrock** requires a trusted SSL certificate - the default certificate is self-signed and\n> available for testing purposes. The certificates can be overridden by attaching a volume to\n> replace the files under `/opt/fiware-idm/certs`.\n>\n> In a production environment, all access should occur over HTTPS, to avoid sending\n> any sensitive information using plain-text. Alternatively HTTP can be used within a\n> private network behind a configured HTTPS Reverse Proxy.\n>\n> The port `3005` offering the HTTP protocol is being exposed for demonstration purposes only and to\n> simplify the interactions within this tutorial - you may also use HTTPS on port `3443` with certain\n> caveats.\n>\n> If you want to use HTTPS to access the REST API when you are using Postman, ensure that SSL\n> certificate verification is OFF. 
If you want to use HTTPS to access the web front-end, please\n> accept any security warnings issued.\n\n\n\nThe `keyrock` container is driven by environment variables as shown:\n\n| Key |Value|Description|\n|-----|-----|-----------|\n|IDM_DB_PASS|`idm`| Password of the attached MySQL Database - secured by **Docker Secrets** (see below) |\n|IDM_DB_USER|`root`|User name of the default MySQL user - left in plain-text |\n|IDM_HOST|`http://localhost:3005`| Host name of the **Keyrock** App Server - used in activation eMails when signing up users|\n|IDM_PORT|`3005`| Port used by the **Keyrock** App Server for HTTP traffic - this has been altered from the default 3000 port to avoid clashes |\n|IDM_HTTPS_ENABLED|`true`| Whether to offer HTTPS Support - this will use the self-signed certs unless overridden |\n|IDM_HTTPS_PORT|`3443`| Port used by the **Keyrock** App Server for HTTPS traffic - this has been altered from the default 443 |\n\n\n> **Note** that this example has secured the MySQL password using **Docker Secrets**\n> by using `IDM_DB_PASS` with the `_FILE` suffix and referring to a secrets file location.\n> This avoids exposing the password as an `ENV` variable in plain-text - either in the `Dockerfile` Image or\n> as an injected variable which could be read using `docker inspect`.\n>\n> The following list of variables (where used) should be set via secrets with the `_FILE` suffix in a Production System:\n>\n> * `IDM_SESSION_SECRET`\n> * `IDM_ENCRYPTION_KEY`\n> * `IDM_DB_PASS`\n> * `IDM_DB_USER`\n> * `IDM_ADMIN_ID`\n> * `IDM_ADMIN_USER`\n> * `IDM_ADMIN_EMAIL`\n> * `IDM_ADMIN_PASS`\n> * `IDM_EX_AUTH_DB_USER`\n> * `IDM_EX_AUTH_DB_PASS`\n\n\n## MySQL Configuration\n\n```yaml\n  mysql-db:\n    image: mysql:5.7\n    hostname: mysql-db\n    container_name: db-mysql\n    expose:\n      - \"3306\"\n    ports:\n      - \"3306:3306\"\n    networks:\n      default:\n    environment:\n      - \"MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data\"\n      - \"MYSQL_ROOT_HOST=172.18.1.5\"\n    volumes:\n      - mysql-db:/var/lib/mysql\n    secrets:\n      - my_secret_data\n```\n\n\nThe `mysql-db` container is listening on a single port:\n\n* Port `3306` is the default port for a MySQL server. It has been exposed so you can also run other database tools to display data if you wish.\n\nThe `mysql-db` container is driven by environment variables as shown:\n\n| Key               |Value     |Description                               |\n|-------------------|----------|------------------------------------------|\n|MYSQL_ROOT_PASSWORD|`123`     | specifies a password that is set for the MySQL `root` account - secured by **Docker Secrets** (see below)|\n|MYSQL_ROOT_HOST    |`root`| By default, MySQL creates the `'root'@'localhost'` account. This account can only be connected to from inside the container. Setting this environment variable allows root connections from other hosts |\n\n# Start Up\n\nTo start the installation, do the following:\n\n```console\ngit clone git@github.com:Fiware/tutorials.Roles-Permissions.git\ncd tutorials.Roles-Permissions\n\n./services create\n```\n\n>**Note** The initial creation of Docker images can take up to three minutes.\n\n\nThereafter, all services can be initialized from the command line by running the [services](https://github.com/Fiware/tutorials.Roles-Permissions/blob/master/services) Bash script provided within the repository:\n\n```console\n./services <command>\n```\n\nWhere `<command>` will vary depending upon the exercise we wish to activate.\n\n> **Note:** If you want to clean up and start over again you can do so with the following command:\n>\n>```console\n>./services stop\n>```\n>\n\n\n### Dramatis Personae\n\nThe following people at `test.com` legitimately have accounts within the Application:\n\n* Alice, she will be the Administrator of the **Keyrock** Application\n* Bob, the Regional Manager of the supermarket chain - he has several store managers under him:\n  * Manager1\n  * 
Manager2\n* Charlie, the Head of Security of the supermarket chain - he has several store detectives under him:\n  * Detective1\n  * Detective2\n\nThe following people at `example.com`  have signed up for accounts, but have no reason to be granted access\n\n* Eve - Eve the Eavesdropper\n* Mallory - Mallory the malicious attacker\n* Rob - Rob the Robber\n\n\n| Name       |eMail                       |Password | UUID                                  |\n|------------|----------------------------|---------|---------------------------------------|\n| alice      | alice-the-admin@test.com   | `test`  |`aaaaaaaa-good-0000-0000-000000000000` |\n| bob        | bob-the-manager@test.com   | `test`  |`bbbbbbbb-good-0000-0000-000000000000` |\n| charlie    | charlie-security@test.com  | `test`  |`cccccccc-good-0000-0000-000000000000` |\n| manager1   | manager1@test.com          | `test`  |`manager1-good-0000-0000-000000000000` |\n| manager2   | manager2@test.com          | `test`  |`manager2-good-0000-0000-000000000000` |\n| detective1 | detective1@test.com        | `test`  |`secure01-good-0000-0000-000000000000` |\n| detective2 | detective2@test.com        | `test`  |`secure02-good-0000-0000-000000000000` |\n| eve        | eve@example.com            | `test`  |`eeeeeeee-evil-0000-0000-000000000000` |\n| mallory    | mallory@example.com        | `test`  |`mmmmmmmm-evil-0000-0000-000000000000` |\n| rob        | rob@example.com            | `test`  |`rrrrrrrr-evil-0000-0000-000000000000` |\n\n\nTwo organizations have also been set up by Alice:\n\n| Name       | Description                         | UUID                                 |\n|------------|-------------------------------------|--------------------------------------|\n| Security   | Security Group for Store Detectives |`security-team-0000-0000-000000000000`|\n| Management | Management Group for Store Managers |`managers-team-0000-0000-000000000000`|\n\nThe data creating users and organizations from the [previous 
tutorial](https://github.com/Fiware/tutorials.Identity-Management) has been downloaded:\n\n```console\ndocker exec db-mysql /usr/bin/mysqldump -u root --password=idmx idm > backup.sql\n```\n\nand is injected into the MySQL Database on start-up.\n\n\n\n\nTo refresh your memory about how to create users and organizations, you can log in at `http://localhost:3005/idm`\nusing the account `alice-the-admin@test.com` with a password of `test`.\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/log-in.png)\n\nand look at the organizations list.\n\n\n\n### Reading directly from the Keyrock MySQL Database\n\nAll Identity Management records and relationships are held within the attached MySQL database. This can be\naccessed by entering the running Docker container as shown:\n\n\n```console\ndocker exec -it db-mysql bash\n```\n\n```console\nmysql -u <user> -p<password> idm\n```\n\nWhere `<user>` and `<password>` match the values defined in the `docker-compose` file for `MYSQL_ROOT_PASSWORD`\nand `MYSQL_ROOT_USER`. The default values for the tutorial are usually `root` and `secret`.\n\nSQL commands can then be entered from the command line, e.g.:\n\n```SQL\nselect id, username, email, password from user;\n```\n\n\n### UUIDs within Keyrock\n\nAll ids and tokens within **Keyrock** are subject to change. 
The following values will need to be amended when\nquerying for records. Record ids use Universally Unique Identifiers - UUIDs.\n\n| Key |Description                        | Sample Value |\n|-----|-----------------------------------|--------------|\n|`keyrock`| URL for the location of the **Keyrock** service|`localhost:3005`|\n|`X-Auth-token`| Token received in the Header when logging in as a user |`aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa` = I am Alice|\n|`X-Subject-token`|Token to pass when asking about a subject, alternatively repeat the user token |`bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb` = Asking about Bob|\n|`user-id`| id of an existing user, found in the `user` table |`bbbbbbbb-good-0000-0000-000000000000` - Bob's User Id|\n|`application-id`| id of an existing application, found in the `oauth_client` table |`c978218d-ad63-4427-b12b-542b81299cfb`|\n|`role-id`| id of an existing role, found in the `role` table |`d28baa00-839e-4b45-a6b2-1cec563942ee`|\n|`permission-id`| id of an existing permission, found in the `permission` table |`6b6cd19c-9398-4834-9ba1-1616c57139c0`|\n|`organization-id`| id of an existing organization, found in the `organization` table |`e424ed98-c966-46e3-b161-a165fd31bc01`|\n|`organization-role-id`| type of role a user has within an organization, either `owner` or `member`|`member`|\n|`iot-agent-id`| id of an existing IoT Agent, found in the `iot` table |`iot_sensor_f3d0245b-3330-4e64-a513-81bf4b0dae64`|\n|`pep-proxy-id`| id of an existing PEP Proxy, found in the `pep_proxy` table |`iot_sensor_f3d0245b-3330-4e64-a513-81bf4b0dae64`|\n\nTokens are designed to expire after a set period. If the `X-Auth-token` value you are using has expired, log in again to obtain a new token. 
For this tutorial, a long lasting set of tokens has been created for each user and persisted into the database,\nso there is usually no need to refresh tokens.","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json"},"item":[{"name":"Logging In - Authentication","item":[{"name":"Create token with Password","id":"85fcd649-718c-464d-8648-07524c59b796","request":{"method":"POST","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n  \"name\": \"alice-the-admin@test.com\",\n  \"password\": \"test\"\n}"},"url":"http://{{keyrock}}/v1/auth/tokens","description":"Enter a username and password to enter the application. The default super-user has the values `alice-the-admin@test.com` and `test`.\n\nThe response header returns an `X-Subject-token` which identifies who has logged on the application.\nThis token is required in all subsequent requests to gain access"},"response":[],"_postman_id":"85fcd649-718c-464d-8648-07524c59b796"},{"name":"Get token info","id":"1e1b1bfc-ee5c-46a4-aabc-07a0bfd4b4ee","request":{"method":"GET","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"},{"key":"X-Subject-token","value":"{{X-Subject-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/auth/tokens","description":"You can use the long-lasting  `X-Auth-token=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa` to pretend to be Alice throughout this\ntutorial. 
\n\nThe presence of a (time-limited) token is sufficient to find out more information about the user.\nTo find information about Bob, use the long-lasting token `X-Subject-token=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb`\n\nThis request indicates that *the\nuser authorized with the token `{{X-Auth-token}}` (i.e Alice) is enquiring about the user holding the token  `{{X-Subject-token}}`* i.e Bob \n\nThe response will return the details of the associated user. As you can see Bob holds a long-lasting token until 2026."},"response":[],"_postman_id":"1e1b1bfc-ee5c-46a4-aabc-07a0bfd4b4ee"}],"id":"95893149-c72e-4b99-88f3-84cbc080f5a2","_postman_id":"95893149-c72e-4b99-88f3-84cbc080f5a2"},{"name":"Managing Applications","item":[{"name":"Application CRUD Actions","item":[{"name":"Create an Application","id":"0ea53326-6fcb-49af-9532-bdbd48f5853f","request":{"method":"POST","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":"{\n  \"application\": {\n    \"name\": \"Tutorial Application\",\n    \"description\": \"FIWARE Application protected by OAuth2 and Keyrock\",\n    \"redirect_uri\": \"http://context-provider/login\",\n    \"url\": \"http://context-provider\",\n    \"grant_type\": [\n      \"authorization_code\",\n      \"implicit\",\n      \"password\"\n    ],\n    \"token_types\": [\"permanent\"]\n  }\n}"},"url":"http://{{keyrock}}/v1/applications","description":"From the homepage of the GUI, a new application can be created by clicking the **Register** button.\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/create-app.png)\n\nTo create a new application via the REST API, send a POST request to the `/v1/application` endpoint containing details of the application\nsuch as `name` and `description`, along with OAuth information fields such as  the `url`  of the webservice to be protected,\nand `redirect_uri` (where a 
user will be challenged for their credentials). The `grant_types` are chosen from the available list of\nOAuth2 grant flows.\nThe headers include the `X-Auth-token` from a previously logged-in user, who will automatically be granted a provider role over the application.\n\nIn the example below, Alice (who holds `X-Auth-token=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa`) is creating a new application which accepts three different grant types.\n\nThe response includes a Client Id and Secret which can be used to secure the application."},"response":[],"_postman_id":"0ea53326-6fcb-49af-9532-bdbd48f5853f"},{"name":"Read Application details","id":"c78a3c48-11ce-4462-a06d-ca80a639df22","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}","description":"Making a GET request to a resource under the `/v1/applications/{{application-id}}` endpoint will return the application listed under that id.\n\nThe `X-Auth-token` must be supplied in the headers."},"response":[],"_postman_id":"c78a3c48-11ce-4462-a06d-ca80a639df22"},{"name":"List Applications","id":"c1af4275-ac24-497d-a101-10b4a3d2b271","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications","description":"Users will only be permitted to return applications they are associated with. 
\nListing applications can be done by making a GET request to the  `/v1/applications`\nendpoint and supplying the  `X-Auth-token` Header"},"response":[],"_postman_id":"c1af4275-ac24-497d-a101-10b4a3d2b271"},{"name":"Update an Application","id":"a2dc5603-70e9-4a9e-bbfb-00ae3137884c","request":{"method":"PATCH","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":"{\n  \"application\": {\n    \"name\": \"new name\",\n    \"description\": \"new description\",\n    \"redirect_uri\": \"new redirect uri\",\n    \"grant_type\": [\n      \"authorization_code\",\n      \"password\"\n    ]\n  }\n}"},"url":"http://{{keyrock}}/v1/applications/{{application-id}}","description":"Within the GUI, users can be updated by selecting an application and clicking on `edit`.\nThis can also be done from the command line by making PATCH request to  `/v1/applications/<applications-id>` endpoint\nwhen the applications id is known. The `X-Auth-token` header must also be set, since a User can only edit\napplications he is associated with.\n\nThe response lists only the fields which have been updated"},"response":[],"_postman_id":"a2dc5603-70e9-4a9e-bbfb-00ae3137884c"},{"name":"Delete an Application","id":"31c76f6e-2673-4451-8d14-1f60a380b493","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}","description":"Within the GUI, users can delete an application by selecting an application and clicking on `edit`,\nthen scrolling to the bottom of the page and selecting **Remove Application**. 
This can also be\ndone from the command line by sending a DELETE request to the `/v1/applications/<applications-id>`\nendpoint. The `X-Auth-token` header must also be set."},"response":[],"_postman_id":"31c76f6e-2673-4451-8d14-1f60a380b493"}],"id":"bba85f42-e80b-4873-9f8f-aa824997f053","description":"The standard CRUD actions are assigned to the appropriate HTTP verbs (POST, GET, PATCH and DELETE) under the `/v1/applications` endpoint.\n","event":[{"listen":"prerequest","script":{"id":"f5b72a9e-54d5-4948-9325-a0360fb39779","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"ec28c3cd-ea56-426a-9bb0-f9e2012f9ac2","type":"text/javascript","exec":[""]}}],"_postman_id":"bba85f42-e80b-4873-9f8f-aa824997f053"},{"name":"Permission CRUD Actions","item":[{"name":"Create a Permission","id":"aa705748-458f-4737-9079-733e29c3920e","request":{"method":"POST","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"Content-Type","value":"{{Content-Type}}"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":"{\n  \"permission\": {\n    \"name\": \"Access Price Changes\",\n    \"action\": \"POST\",\n    \"resource\": \"/price-change\"\n  }\n}"},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/permissions","description":"Within the GUI, a permission can be added to an application by selecting the application, clicking on **Manage Roles**\nand then pressing the plus next to the Permissions label.\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/create-permission.png)\n\nJust fill out the wizard and click save.\n\nTo create a new permission via the REST API, send a POST request to the `/applications/{{application-id}}/permissions` endpoint containing the `action` and `resource` along with the `X-Auth-token` header from a previously logged-in user.\n\nThe response returns the details of the newly created 
permission."},"response":[],"_postman_id":"aa705748-458f-4737-9079-733e29c3920e"},{"name":"Read Permission details","id":"f1569981-fb91-488c-94d4-ac6c715e7ea5","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/permissions/{{permission-id}}","description":"The `/applications/{{application-id}}/permissions/{{permission-id}}` endpoint will return the permission\nlisted under that id. The `X-Auth-token` must be supplied in the headers.\n\nThe response returns the details of the requested permission."},"response":[],"_postman_id":"f1569981-fb91-488c-94d4-ac6c715e7ea5"},{"name":"List Permissions","id":"af0e79a1-cbef-42d8-bac1-2fef987adcf2","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/permissions","description":"Listing the permissions of an application can be done by making a GET request to\nthe `/v1/applications/{{application-id}}/permissions/` endpoint.\n\nThe complete list of permissions includes any custom permissions created previously plus all the standard permissions which are available by default."},"response":[],"_postman_id":"af0e79a1-cbef-42d8-bac1-2fef987adcf2"},{"name":"Update a Permission","id":"389e57e7-e6a3-41ec-b90f-133e2f8ddf43","request":{"method":"PATCH","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":"{\n  \"permission\": {\n    \"name\": \"Ring Alarm Bell\",\n    \"action\": \"POST\",\n    \"resource\": 
\"/ring\"\n  }\n}"},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/permissions/{{permission-id}}","description":"To amend the details of an existing permission, a PATCH request is sent to the `/applications/{{application-id}}/permissions/{{permission-id}}` endpoint.\n\nThe response contains a list of the fields which have been amended."},"response":[],"_postman_id":"389e57e7-e6a3-41ec-b90f-133e2f8ddf43"},{"name":"Delete a Permission","id":"c523511e-332e-49a5-ab12-709d109ad91d","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/permissions/{{permission-id}}","description":"Deleting a permission from an application automatically removes that permission from any associated roles."},"response":[],"_postman_id":"c523511e-332e-49a5-ab12-709d109ad91d"}],"id":"f471d444-8e6b-45a1-935c-5d0a4927392b","description":"An application permission is an allowable action on a resource within that application. \nEach resource is defined by a URL (e.g. `/price-change`) and the action is any HTTP verb (e.g. GET) \n- the combination will be used to ensure only permitted users are able to access the `/price-change` resource.\n\nFurther advanced permission rules can be described using XACML - this is the subject of another tutorial.\n\nIt should be emphasized that permissions are always found bound to an application - abstract permissions \ndo not exist on their own. The standard permission CRUD actions are assigned to the appropriate \nHTTP verbs (POST, GET, PATCH and DELETE) under the `/v1/applications/{{application-id}}/permissions` endpoint \n- as you can see the `<application-id>` itself is integral to the URL.\n\nPermissions are usually defined once and set up when the application is created. 
If the design of your \nuse-case means that you find you need to alter the permissions regularly, then the definition has\nprobably been defined incorrectly or in the wrong layer - complex access control rules should be pushed \ndown into the XACML definitions or moved into the business logic of the application - they should not be dealt \nwith within **Keyrock**.","event":[{"listen":"prerequest","script":{"id":"57a9d6f7-c670-4a6f-adc9-8f15f5eb3015","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"f370386c-b90d-46c5-924b-375e536b780b","type":"text/javascript","exec":[""]}}],"_postman_id":"f471d444-8e6b-45a1-935c-5d0a4927392b"},{"name":"Role CRUD Actions","item":[{"name":"Create a Role","id":"35388e69-9877-46bd-a11a-5cf906eec51e","request":{"method":"POST","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":"{\n  \"role\": {\n    \"name\": \"Management\"\n  }\n}"},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles","description":"Within the GUI, a role can be added to an application by selecting the application, clicking on **Manage Roles**\nand then pressing the plus next to the Role label.\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/create-role.png)\n\nJust fill out the wizard and click save.\n\nTo create a new role via the REST API, send a POST request to the `/applications/{{application-id}}/roles` endpoint\ncontaining the `name` of the new role, with the `X-Auth-token` header from a previously logged in user.\n\nThe details of the created role are returned"},"response":[],"_postman_id":"35388e69-9877-46bd-a11a-5cf906eec51e"},{"name":"Read Role 
details","id":"945afd08-2e77-4c3f-9e43-1e50d19f0d79","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles/{{role-id}}","description":"The `/applications/{{application-id}}/roles/{{role-id}}` endpoint will return the role\nlisted under that id. The `X-Auth-token` must be supplied in the headers.\n\nThe response returns the details of the requested role."},"response":[],"_postman_id":"945afd08-2e77-4c3f-9e43-1e50d19f0d79"},{"name":"List Roles","id":"cd1e0e81-fc22-472d-be12-692de25531e2","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles"},"response":[],"_postman_id":"cd1e0e81-fc22-472d-be12-692de25531e2"},{"name":"Update a Role","id":"f7c9e4c4-a7d2-4f6b-98b3-80c78834f494","request":{"method":"PATCH","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":"{\n  \"role\": {\n    \"name\": \"Security Team\"\n  }\n}"},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles/{{role-id}}","description":"To amend the name of a role, a PATCH request is sent to the `/applications/{{application-id}}/roles/{{role-id}}` endpoint.\n\nThe response contains a list of the fields which have been amended."},"response":[],"_postman_id":"f7c9e4c4-a7d2-4f6b-98b3-80c78834f494"},{"name":"Delete a 
Role","id":"7093860f-75ef-4e2c-a318-2f17c2762715","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles/{{role-id}}","description":"Application roles can also be deleted - this will also remove the role from any users."},"response":[],"_postman_id":"7093860f-75ef-4e2c-a318-2f17c2762715"}],"id":"ebce03a5-a6bc-449a-9790-6b61d2893c22","description":"A permission is an allowable action on a resource, as noted above. A role consists of a group of\npermissions, in other words a series of permitted actions over a group of resources. Roles are\nusually given a description with a broad scope so that they can be assigned to a wide range \nof users or organizations; for example a *Reader* role could be able to\naccess but not update a series of devices.\n\nThere are two pre-defined roles with **Keyrock**:\n\n* a *Purchaser* who can:\n   + Get and assign all public application roles\n* a *Provider* who can:\n   + Get and assign only public owned roles\n   + Get and assign all public application roles\n   + Manage authorizations\n   + Manage roles\n   + Manage the application\n   + Get and assign all internal application roles\n\nUsing our Supermarket Store Example, Alice the admin would be assigned the *Provider* role; she could then create any additional\napplication-specific roles needed (such as *Management* or *Security*).\n\nOnce again, roles are always directly bound to an application - abstract roles do not exist on their own.\nThe standard CRUD actions are assigned to the appropriate HTTP verbs (POST, GET, PATCH and DELETE) under the `/v1/applications/{{application-id}}/roles` 
endpoint.","event":[{"listen":"prerequest","script":{"id":"b374f10e-6723-4073-9099-c581e19850b2","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"4d86a2fd-d2b4-4a58-8241-e5b316671a5d","type":"text/javascript","exec":[""]}}],"_postman_id":"ebce03a5-a6bc-449a-9790-6b61d2893c22"},{"name":"Assigning Permissions to each Role","item":[{"name":"Assign a permission to a role","id":"37921ce9-1f99-4cba-ab3b-37530c20612a","request":{"method":"PUT","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"raw","raw":""},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles/{{role-id}}/permissions/{{permission-id}}","description":"Within the GUI, select the role and check permissions from the list before saving.\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/add-permission-to-role.png)\n\nTo add a permission using the REST API make a PUT request as shown, including\nthe `<application-id>`, `<role-id>` and `<permission-id>` in the URL path and identifying\nthemselves using an `X-Auth-Token` in the header.\n\nThe response returns the permissions for the role"},"response":[],"_postman_id":"37921ce9-1f99-4cba-ab3b-37530c20612a"},{"name":"List permissions associated to a role","id":"98499350-2cb7-4bd0-bcdc-f1011bbb20a1","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/roles/{{role-id}}/permissions","description":"A full list of all permissions assigned to an application role can be retrieved by making a GET request to the\n`/v1/applications/{{application-id}}/roles/{{role-id}}/permissions` 
endpoint"},"response":[],"_postman_id":"98499350-2cb7-4bd0-bcdc-f1011bbb20a1"},{"name":"Remove a permission from a role","id":"c2e5bcd3-f04f-4449-a6b5-613e0a8e17a1","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":{"raw":"http://keyrock/v1/applications/:application_id/roles/:role_id/permissions/:permission_id","protocol":"http","host":["keyrock"],"path":["v1","applications",":application_id","roles",":role_id","permissions",":permission_id"],"variable":[{"key":"application_id","value":"{{application_id}}"},{"key":"role_id","value":"{{role_id}}"},{"key":"permission_id","value":"{{permission_id}}"}]},"description":"To remove a permission using the REST API make a DELETE request as shown, including\nthe `<application-id>`, `<role-id>` and `<permission-id>` in the URL path and identifying\nthemselves using an `X-Auth-Token` in the header."},"response":[],"_postman_id":"c2e5bcd3-f04f-4449-a6b5-613e0a8e17a1"}],"id":"204220dc-c2cc-4bcb-a055-55ced5a47477","description":"Having created a set of application permissions, and a series of application roles, the\nnext step is to assign the relevant permissions to each role - in other words defining\n*Who can do What*.\n","event":[{"listen":"prerequest","script":{"id":"8db293bc-96b4-4bd2-a1f8-7ba3dae0caa2","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"7c23615b-d9b9-459d-bfd0-4a136e2f0116","type":"text/javascript","exec":[""]}}],"_postman_id":"204220dc-c2cc-4bcb-a055-55ced5a47477"}],"id":"38396b28-c95c-482a-8991-e09bff4c72ca","description":"Any FIWARE application can be broken down into a collection of microservices. These microservices connect together to read\nand alter the state of the real world. 
Security can be added to these services by restricting actions on these resources\ndown to users who have appropriate permissions. It is therefore necessary to define an application to offer a set of permissible\nactions and to hold a list of permitted users (or groups of users, i.e. an Organization).\n\nApplications are therefore a conceptual bucket holding who can do what on which resource.\n\n## Video : Creating Applications with the Keyrock GUI\n\n[![](http://img.youtube.com/vi/pjsl0eHpFww/0.jpg)](https://www.youtube.com/watch?v=pjsl0eHpFww&t=470 \" Creating Applications\")\n\nClick on the image above to watch a video demonstrating how to create applications using the **Keyrock** GUI.\n","event":[{"listen":"prerequest","script":{"id":"f573a683-5a7e-47be-beeb-8dca8ab2e105","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"a7ec04f6-840c-4ce0-9f8a-c515b494c8cd","type":"text/javascript","exec":[""]}}],"_postman_id":"38396b28-c95c-482a-8991-e09bff4c72ca"},{"name":"Authorizing Application Access","item":[{"name":"Authorizing Organizations","item":[{"name":"Grant a role to an organization","id":"11053d92-2de2-45ab-be7e-6bd24e39ac5d","request":{"method":"PUT","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/organizations/{{organization-id}}/roles/{{role-id}}/organization_roles/member","description":"To grant an organization access to an application, click on the application to get to the details\npage and scroll to the bottom of the page, click the **Authorize** button and select the relevant\norganization.\n\n![](https://fiware.github.io/tutorials.Roles-Permissions/img/add-role-to-org.png)\n\nA Role can be granted to either `members` or `owners` of an Organization. 
Using\nthe REST API, the role can be granted by making a PUT request as shown, including\nthe `<application-id>`, `<role-id>` and `<organization-id>` in the URL path and identifying\nthemselves using an `X-Auth-Token` in the header."},"response":[],"_postman_id":"11053d92-2de2-45ab-be7e-6bd24e39ac5d"},{"name":"List granted organization roles","id":"5e21a545-ff4f-4e17-977e-235f9ed149c1","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/organizations/{{organization-id}}/roles","description":"A full list of roles granted to an organization can be retrieved by making a GET request to the\n`/v1/applications/{{application-id}}/organizations/{{organization-id}}/roles` endpoint.\n\nThe response shows all roles assigned to the organization."},"response":[],"_postman_id":"5e21a545-ff4f-4e17-977e-235f9ed149c1"},{"name":"Revoke a role from an organization","id":"710dc07c-47fe-4b8c-b589-4e6a33310fae","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/organizations/{{organization-id}}/roles/{{role-id}}/organization_roles/member","description":"To revoke a role using the REST API make a DELETE request as shown, including\nthe `<application-id>`, `<organization-id>` and `<role-id>` in the URL path and identifying\nthemselves using an `X-Auth-Token` in the header.\n\nThe following example revokes a role from the `members` of the organization."},"response":[],"_postman_id":"710dc07c-47fe-4b8c-b589-4e6a33310fae"}],"id":"e2593700-ef51-4988-b3f5-9acb3b454a65","description":"A role cannot be granted to an 
organization unless the role has already been defined within the application itself.","event":[{"listen":"prerequest","script":{"id":"2bf17df7-0d1d-4912-a69c-0e8dc22bf337","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"6a3aa613-dad6-461c-81a9-f5520737af11","type":"text/javascript","exec":[""]}}],"_postman_id":"e2593700-ef51-4988-b3f5-9acb3b454a65"},{"name":"Authorizing Individual User Accounts","item":[{"name":"Grant a role to a user","id":"2444781b-332e-458c-8bc8-914bc911335f","request":{"method":"PUT","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/users/{{user-id}}/roles/{{role-id}}","description":"Granting User access via the GUI can be done in the same manner as for organizations.\n\nUsing the REST API, the role can be granted by making a PUT request as shown, including\nthe `<application-id>`, `<role-id>` and `<user-id>` in the URL path and identifying\nthemselves using an `X-Auth-Token` in the header."},"response":[],"_postman_id":"2444781b-332e-458c-8bc8-914bc911335f"},{"name":"List granted users roles","id":"299227b8-02b1-41af-b1a3-9b1d4ba2336e","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/users/{{user-id}}/roles","description":"To list the roles granted to an individual user, make a GET request to the\n`/v1/applications/{{application-id}}/users/{{user-id}}/roles` endpoint.\n\nThe response returns all roles assigned to the user."},"response":[],"_postman_id":"299227b8-02b1-41af-b1a3-9b1d4ba2336e"},{"name":"Revoke a role from a 
user","id":"668e4a0b-5a06-46ba-990c-6e84dc3c400c","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/users/{{user-id}}/roles/{{role-id}}","description":"To revoke a role using the REST API make a DELETE request as shown, including\nthe `<application-id>`, `<user-id>` and `<role-id>` in the URL path and identifying\nthemselves using an `X-Auth-Token` in the header."},"response":[],"_postman_id":"668e4a0b-5a06-46ba-990c-6e84dc3c400c"}],"id":"22a1c81c-9eea-4b9f-b8f2-e3466ccdb215","event":[{"listen":"prerequest","script":{"id":"e9f051d3-a4fb-4c7d-af66-9b06b9189bd1","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"4f8592fb-8ef9-4ef1-a492-551664ca9ad6","type":"text/javascript","exec":[""]}}],"_postman_id":"22a1c81c-9eea-4b9f-b8f2-e3466ccdb215"}],"id":"f694977f-e120-44b1-bca3-7c7e8d6cceba","event":[{"listen":"prerequest","script":{"id":"90440d97-8fd8-4924-92a6-42e2814a247c","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"2163dca2-a57a-43a6-90f7-f93b390f66f9","type":"text/javascript","exec":[""]}}],"_postman_id":"f694977f-e120-44b1-bca3-7c7e8d6cceba"},{"name":"List Application Grantees","item":[{"name":"List Authorized Organizations","id":"082d11f0-bc4f-4216-a33a-37eb8da97156","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json","disabled":true},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/organizations","description":"To list all organizations which are authorized to use an application, make a GET request to the\n`/v1/applications/{{application-id}}/organizations` 
endpoint.\n\nThe response returns all organizations which can access the application and the roles \nthey have been assigned. Individual members are not listed."},"response":[],"_postman_id":"082d11f0-bc4f-4216-a33a-37eb8da97156"},{"name":"List Authorized Users","id":"8194bff6-4b40-4b64-8628-7f256d175f14","request":{"method":"GET","header":[{"key":"Accept","value":"application/json","disabled":true},{"key":"Content-Type","value":"application/json","disabled":true},{"key":"X-Auth-token","value":"{{X-Auth-token}}"}],"body":{"mode":"formdata","formdata":[]},"url":"http://{{keyrock}}/v1/applications/{{application-id}}/users","description":"To list all individual users who are authorized to use an application, make a GET request to the\n`/v1/applications/{{application-id}}/users` endpoint.\n\nThe response returns all individual users who can access the application and the roles they have been assigned. Note that users of an organization granted access are not listed."},"response":[],"_postman_id":"8194bff6-4b40-4b64-8628-7f256d175f14"}],"id":"e37742dc-d60d-49ea-a425-4d9f6c0dcf55","description":"By creating a series of roles and granting them to Users and Organizations, we have made an association\nbetween them. 
The REST API offers two convenience methods to list all the grantees of an application.","event":[{"listen":"prerequest","script":{"id":"ef14cbd3-c04f-42d8-9ee2-173da8750af0","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"546ea302-d34e-4f2f-93cb-3cbf4cf58683","type":"text/javascript","exec":[""]}}],"_postman_id":"e37742dc-d60d-49ea-a425-4d9f6c0dcf55"}],"event":[{"listen":"prerequest","script":{"id":"cd5d20f3-ebba-4899-91e3-b2ba19741d1c","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"22898b65-e6dc-4fa4-b8e7-2f92d35bd620","type":"text/javascript","exec":[""]}}],"variable":[{"key":"keyrock","value":"localhost:3005"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},{"key":"X-Subject-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},{"key":"user-id","value":"bbbbbbbb-good-0000-0000-000000000000"},{"key":"organization-id","value":"security-team-0000-0000-000000000000"},{"key":"application-id","value":"tutorial-dckr-site-0000-xpresswebapp"},{"key":"role-id","value":"64535f4d-04b6-4688-a9bb-81b8df7c4e2c"},{"key":"permission-id","value":"c21983d5-58f9-4bcc-b2b0-f21819080ad0"}]}