API v2: Safes
A safe directly regulates user access to monitored servers. It specifies the available protocol features, policies and other details of the relationship between users and servers.
Data structures
SafeModel
Attribute | Type | Required | Description |
---|---|---|---|
id | string | yes | Read-only object Identifier |
name | string | yes | Unique safe’s name |
blocked | boolean; default value false | yes | |
reason | string | if blocked == true | |
login_reason | boolean; default value false | yes | Enable sending login reason for connection |
use_ticketing_system | boolean; default value false | yes | |
require_confirmation | boolean; default value false | yes | Enable confirmation of each connection |
otp_in_access_gateway | boolean; default value true | yes | Enable generating OTP in the Access Gateway |
webclient | boolean; default value true | yes | Enable connecting to the session in browser |
confirmation_timeout | number; default value 5 | yes | |
inactivity_limit | number; default value 0 | yes | |
time_limit | number; default value 0 | yes | |
note_access | string {none, read, write}; default value none | | Access level to the notes |
required_votes | number; default value 0 | yes | How many voters will be voting for the access request |
backup_id | string | no | Target destination ID for storing session data |
rdp | SafeRDPAttributes | If protocol == rdp | |
ssh | SafeSSHAttributes | If protocol == ssh | |
vnc | SafeVNCAttributes | If protocol == vnc | |
created_at | datetime | Read-only | |
modified_at | datetime | Read-only | |
removed | boolean | Read-only | |
last_login | datetime | Read-only | |
accounts | object-array | Read-only; expensive to use; JSON object array containing id, name, and type of assigned accounts. | |
builtin | boolean | Read-only; expensive to use; if true, the object is not editable. | |
hidden | boolean | Read-only; expensive to use; if true, the object is hidden in UI. | |
SafeRDPAttributes
Attribute | Type | Required | Description |
---|---|---|---|
rdp_audin | boolean; default value true | yes | Audio input redirection |
rdp_cliprdr | boolean; default value true | yes | Clipboard redirection |
rdp_depth | number | no | Max. color depth |
rdp_rdpdr | boolean; default value true | yes | |
rdp_rdpsnd | boolean; default value true | yes | Sound redirection |
rdp_rdrynvc | boolean; default value true | yes | |
rdp_resolution | string | no | Max. resolution |
rdp_suspend | boolean; default value true | yes | Make session content unavailable for viewing when the user minimizes the client application |
rdp_tsmf | boolean; default value true | yes | |
SafeSSHAttributes
Attribute | Type | Required |
---|---|---|
ssh_agent | boolean; default value true | yes |
ssh_environment | boolean; default value true | yes |
ssh_exec | boolean; default value true | yes |
ssh_port_forwarding | boolean; default value true | yes |
ssh_scp | boolean; default value true | yes |
ssh_session | boolean; default value true | yes |
ssh_shell | boolean; default value true | yes |
ssh_sftp | boolean; default value true | yes |
ssh_terminal | boolean; default value true | yes |
ssh_x11 | boolean; default value true | yes |
SafeVNCAttributes
Attribute | Type | Required | Description |
---|---|---|---|
vnc_clipcli | boolean; default value true | yes | Allow the user to paste text into the VNC server computer |
vnc_clipsrv | boolean; default value true | yes | Allow the user to copy text from the VNC server computer and paste it into the user’s computer |
Request for retrieving available attributes of the SafeModel
Method | GET |
Path | /api/v2/objspec/safe |
UserSafeAssignmentModel
Attribute | Type | Required | Description |
---|---|---|---|
id | string | yes | Read-only object Identifier. |
user_id | string | yes | Immutable. Uniqueness is required in the combination of attribute user_id with attribute safe_id. |
safe_id | string | yes | Immutable. Uniqueness is required in the combination of attribute safe_id with attribute user_id. |
blocked | boolean; default value false | yes | |
position | number | | |
password_visible | boolean; default value false | yes | Allow a user to use Secret Checkout feature and view passwords in the Access Gateway. |
use_time_policy | boolean; default value false | yes | |
valid_since | datetime (h:m:s); default value -infinity | yes | Beginning access time. |
valid_to | datetime (h:m:s); default value infinity | yes | Ending access time. |
user_name | string | Read-only; Expensive to use. | |
safe_name | string | Read-only; Expensive to use. | |
created_at | datetime | Read-only. | |
modified_at | datetime | Read-only. | |
removed | boolean | Read-only. | |
builtin | boolean | Read-only; Expensive to use; If true, the object is not editable. | |
hidden | boolean | Read-only; Expensive to use; If true, the object is hidden in UI. | |
Request for retrieving available attributes of the UserSafeAssignmentModel
Method | GET |
Path | /api/v2/objspec/user_safe |
UserSafeTimePolicyAssignmentModel
Attribute | Type | Required | Description |
---|---|---|---|
id | string | yes | Read-only object Identifier. |
user_safe_id | string | Read-only object Identifier. | |
user_id | string | yes | Immutable. |
safe_id | string | yes | Immutable. |
day_of_week | number | yes | Value range from 1 to 7. |
valid_from | datetime (h:m:s) | yes | Beginning access time. |
valid_to | datetime (h:m:s) | yes | Ending access time. |
created_at | datetime | Read-only. | |
modified_at | datetime | Read-only. | |
removed | boolean | Read-only. | |
Request for retrieving available attributes of the UserSafeTimePolicyAssignmentModel
Method | GET |
Path | /api/v2/objspec/user_safe_time_policy |
AccountSafeListenerAssignmentModel
Attribute | Type | Required | Description |
---|---|---|---|
id | string | yes | Read-only object Identifier |
account_id | string | yes | Immutable. Uniqueness is required in the combination of attribute account_id with attributes safe_id and listener_id. |
safe_id | string | yes | Immutable. Uniqueness is required in the combination of attribute safe_id with attributes account_id and listener_id. |
listener_id | string | no | Immutable. Uniqueness is required in the combination of attribute listener_id with attributes account_id and safe_id. |
account_name | string | Read-only; expensive to use | |
account_type | string | Read-only; expensive to use | |
protocol | string | Read-only; expensive to use | |
server_id | string | Read-only; expensive to use; null if pool is assigned. | |
server_name | string | Read-only; expensive to use; null if pool is assigned. | |
pool_id | string | Read-only; expensive to use; null if server is assigned. | |
pool_name | string | Read-only; expensive to use; null if server is assigned. | |
safe_name | string | Read-only; expensive to use | |
listener_name | string | Read-only; expensive to use | |
created_at | datetime | Read-only | |
modified_at | datetime | Read-only | |
removed | boolean | Read-only | |
builtin | boolean | Read-only; expensive to use; if true, the object is not editable. | |
hidden | boolean | Read-only; expensive to use; if true, the object is hidden in UI. | |
Request for retrieving available attributes of the AccountSafeListenerAssignmentModel
Method | GET |
Path | /api/v2/objspec/account_safe_listener |
SafeGrantAssignmentModel
Attribute | Type | Required | Description |
---|---|---|---|
id | string | Read-only, protected object Identifier | |
to_user_id | string | yes | Immutable. Expects unique for_safe_id |
for_safe_id | string | yes | Immutable. Expects unique to_user_id |
for_safe_name | string | Read-only, expensive to use | |
to_user_name | string | Read-only, expensive to use | |
to_user_role | string | Read-only, expensive to use | |
created_at | string | Read-only | |
modified_at | string | Read-only | |
removed | boolean | Read-only | |
Request for retrieving available attributes of the SafeGrantAssignmentModel
Method | GET |
Path | /api/v2/objspec/safe_grant |
Note
To check allowed methods, available URL parameters and possible responses please refer to the API overview section.
The next chapter describes procedures for creating separate requests.
Refer to the Batch operations topic to create nested requests for operating on the Safe objects.
Retrieving safes list
Request
Method | GET |
Path | /api/v2/safe |
Example request
Sending GET https://10.0.0.0/api/v2/safe
Response
{ "result": "success",
  "safe": [
    {
      "id": "123678819172646913",
      "name": "main",
      "blocked": false,
      "login_reason": false,
      "use_ticketing_system": false,
      "require_confirmation": false,
      "otp_in_access_gateway": true,
      "webclient": true,
      "confirmation_timeout": 5,
      "inactivity_limit": 0,
      "time_limit": 0,
      "note_access": "none",
      "required_votes": 0,
      "rdp_audin": true,
      "rdp_cliprdr": true,
      "rdp_rdpdr": true,
      "rdp_rdpsnd": true,
      "rdp_rdrynvc": true,
      "rdp_suspend": true,
      "rdp_tsmf": true,
      "ssh_agent": true,
      "ssh_environment": true,
      "ssh_exec": true,
      "ssh_port_forwarding": true,
      "ssh_scp": true,
      "ssh_session": true,
      "ssh_shell": true,
      "ssh_sftp": true,
      "ssh_terminal": true,
      "ssh_x11": true,
      "vnc_clipcli": true,
      "vnc_clipsrv": true,
      "created_at": "2022-10-20 02:01:38.366865-07",
      "modified_at": "2022-10-26 03:26:45.530129-07",
      "last_login": "-infinity",
      "accounts": [
        "122678819172646913",
        "1232678819172646914",
        "1232678819172646919"
      ]}]}
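The list response lends itself to a periodic configuration review, since a newly created safe starts with every redirection and SSH channel enabled and with `required_votes` at 0. The Python below is an added example, not part of the product documentation; the attribute names come from the SafeModel tables, while the baseline values and the `prod-db` safe are assumptions made for illustration.

```python
import json

# Assumed review baseline (this example's choice, not vendor guidance):
# SafeModel attribute -> value the reviewer expects on every safe.
BASELINE = {
    "require_confirmation": True,
    "login_reason": True,
    "rdp_cliprdr": False,
    "ssh_agent": False,
    "ssh_port_forwarding": False,
    "vnc_clipsrv": False,
}

def audit_safes(response):
    """Return {safe name: [findings]} for a parsed GET /api/v2/safe response."""
    if response.get("result") != "success":
        raise ValueError("API call did not succeed: %r" % response.get("result"))
    report = {}
    for safe in response.get("safe", []):
        findings = []
        for attr, expected in BASELINE.items():
            if attr not in safe:
                findings.append(f"{attr}: not returned")
            elif safe[attr] is not expected:
                findings.append(f"{attr}={json.dumps(safe[attr])}")
        # required_votes is the number of voters for an access request (default 0).
        votes = safe.get("required_votes", 0)
        if votes < 1:
            findings.append(f"required_votes={votes}")
        report[safe["name"]] = findings
    return report

# Constructed sample: "main" carries the documented defaults (trimmed to the
# audited attributes); "prod-db" is a made-up safe that meets the baseline.
SAMPLE = json.loads("""
{"result": "success", "safe": [
  {"id": "123678819172646913", "name": "main", "require_confirmation": false,
   "login_reason": false, "required_votes": 0, "rdp_cliprdr": true,
   "ssh_agent": true, "ssh_port_forwarding": true, "vnc_clipsrv": true},
  {"id": "123678819172646999", "name": "prod-db", "require_confirmation": true,
   "login_reason": true, "required_votes": 2, "rdp_cliprdr": false,
   "ssh_agent": false, "ssh_port_forwarding": false, "vnc_clipsrv": false}
]}
""")

if __name__ == "__main__":
    for name, findings in audit_safes(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```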
Creating a safe
Request
Method | POST |
Path | /api/v2/safe |
Headers | Content-Type: Application/JSON |
Body | SafeModel |
Example request
Sending POST https://10.0.0.0/api/v2/safe
{ "name": "my-1st-safe" }
Response
{ "result": "success",
  "safe": {
    "id": "1232678819172646915" }}
Retrieving a safe
Request
Method | GET |
Path | /api/v2/safe/<id> |
Example request
Sending GET https://10.0.0.0/api/v2/safe/1232678819172646915
Response
{ "result": "success",
  "safe": {
    "id": "1232678819172646915",
    "name": "my-1st-safe",
    "blocked": false,
    "login_reason": false,
    "use_ticketing_system": false,
    "require_confirmation": false,
    "otp_in_access_gateway": true,
    "webclient": true,
    "confirmation_timeout": 5,
    "inactivity_limit": 0,
    "time_limit": 0,
    "note_access": "none",
    "required_votes": 0,
    "rdp_audin": true,
    "rdp_cliprdr": true,
    "rdp_rdpdr": true,
    "rdp_rdpsnd": true,
    "rdp_rdrynvc": true,
    "rdp_suspend": true,
    "rdp_tsmf": true,
    "ssh_agent": true,
    "ssh_environment": true,
    "ssh_exec": true,
    "ssh_port_forwarding": true,
    "ssh_scp": true,
    "ssh_session": true,
    "ssh_shell": true,
    "ssh_sftp": true,
    "ssh_terminal": true,
    "ssh_x11": true,
    "vnc_clipcli": true,
    "vnc_clipsrv": true,
    "created_at": "2022-10-27 02:26:22.951762-07",
    "modified_at": "2022-10-27 02:26:22.951762-07",
    "last_login": "-infinity" }}
Modifying a safe
Request
Method | PATCH |
Path | /api/v2/safe/<id> |
Headers | Content-Type: Application/JSON |
Body | SafeModel |
Example request: Enabling the Just-in-Time feature for a safe that would wait for 5 authorized users to vote for access
Sending PATCH https://10.0.0.0/api/v2/safe/1232678819172646915
{ "required_votes": 5}
Response
{ "result": "success" }
Retrieving users’ time policy settings within safes
Request
Method | GET |
Path | /api/v2/user/safe/time_policy |
Example request
Sending GET https://10.0.0.0/api/v2/user/safe/time_policy
Response (User’s time policy is declared separately for each day)
{
  "result": "success",
  "user_safe_time_policy": [
    {
      "id": "4602678819172646913",
      "safe_id": "4602678819172646913",
      "user_id": "1232678819172646915",
      "day_of_week": 2, <--- A user has access to the safe on Tuesday
      "valid_from": "09:00:00", <--- User's access starts at 9:00
      "valid_to": "14:00:00", <--- and ends at 14:00
      "created_at": "2022-10-26 02:25:19.155648-07",
      "modified_at": "2022-10-26 02:30:40.677788-07"
    },
    {
      "id": "4602678819172646914",
      "safe_id": "4602678819172646913",
      "user_id": "1232678819172646915",
      "day_of_week": 3, <--- A user has access to the safe on Wednesday
      "valid_from": "09:15:00", <--- User's access starts at 9:15
      "valid_to": "14:15:00", <--- and ends at 14:15
      "created_at": "2022-10-26 02:32:11.781045-07",
      "modified_at": "2022-10-26 02:32:11.781045-07"
    }]}
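When reviewing session logs against the time policy, it helps to evaluate the per-day windows the same way for every entry. The Python below is an added example, not part of the product documentation; it assumes ISO day numbering (the page shows 1 = Monday and 2 = Tuesday, 7 = Sunday is inferred), timestamps already in the server's time zone, and windows that include `valid_from` but exclude `valid_to`.

```python
from datetime import datetime

def parse_hms(value):
    """Parse an h:m:s string as used by valid_from and valid_to."""
    return datetime.strptime(value, "%H:%M:%S").time()

def access_allowed(policies, user_id, safe_id, when):
    """True if `when` lies inside one of the user's windows for the safe.

    Assumptions of this example: day_of_week uses ISO numbering,
    `when` is in the server's time zone, and a window includes
    valid_from but excludes valid_to.
    """
    for entry in policies:
        day = entry["day_of_week"]
        if not 1 <= day <= 7:  # documented value range
            raise ValueError(f"day_of_week out of range in entry {entry['id']}")
        if entry.get("removed"):
            continue
        if (entry["user_id"], entry["safe_id"]) != (user_id, safe_id):
            continue
        start = parse_hms(entry["valid_from"])
        end = parse_hms(entry["valid_to"])
        if day == when.isoweekday() and start <= when.time() < end:
            return True
    return False

# The two entries from the response above, annotations and timestamps removed.
POLICIES = [
    {"id": "4602678819172646913", "safe_id": "4602678819172646913",
     "user_id": "1232678819172646915", "day_of_week": 2,
     "valid_from": "09:00:00", "valid_to": "14:00:00"},
    {"id": "4602678819172646914", "safe_id": "4602678819172646913",
     "user_id": "1232678819172646915", "day_of_week": 3,
     "valid_from": "09:15:00", "valid_to": "14:15:00"},
]
USER, SAFE = "1232678819172646915", "4602678819172646913"

if __name__ == "__main__":
    # 2022-10-25 is a Tuesday, 2022-10-26 a Wednesday.
    for ts in ("2022-10-25 09:00", "2022-10-25 14:00", "2022-10-26 14:10"):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        print(ts, access_allowed(POLICIES, USER, SAFE, when))
```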
Modifying a user’s time policy settings within a safe
Request
Method | PATCH |
Path | /api/v2/user/safe/time_policy/<id> |
Body | UserSafeTimePolicyAssignment |
Example request: Changing the day of user’s access to Monday
Sending PATCH https://10.0.0.0/api/v2/user/safe/time_policy/1232678819172646913
{ "day_of_week": 1}
Response
{ "result": "success" }
Retrieving user’s settings within a safe
Request
Method | GET |
Path | /api/v2/user/<user_id>/safe/<safe_id> |
Modifying a user within a safe
Request
Method | PATCH |
Path | /api/v2/user/<user_id>/safe/<safe_id> |
Body | UserSafeAssignment |
Example request: Allow a user to use Secret Checkout feature and view passwords in the Access Gateway
Sending PATCH https://10.0.0.0/api/v2/user/1232678819172646914/safe/12302678819172646913
{"password_visible": true}
Response
{ "result": "success" }
Granting management privileges
Request
Method | POST |
Path | /api/v2/grant/safe |
Body | { "to_user_id": 1234567890, "for_safe_id": 1234567891 } |
Retrieving account-safe-listener assignments list
Request
Method | GET |
Path | /api/v2/account/safe/listener |
Creating an account-safe-listener assignment
Request
Method | POST |
Path | /api/v2/account/safe/listener |
Headers | Content-Type: Application/JSON |
Body | AccountSafeListenerAssignmentModel |
Example request
Sending POST https://10.0.0.0/api/v2/account/safe/listener
{ "account_id": 1232678819172646919,
  "safe_id": 1232678819172646913,
  "listener_id": 1232678819172646914 }
Response
{ "result": "success",
  "account_safe_listener": {} }
Deleting an account-safe-listener assignment
Request
Method | DELETE |
Path | /api/v2/account/<account_id>/safe/<safe_id>/listener/<listener_id> |