Examples: Access control queries for troubleshooting (Preview)
Note
This feature is supported for hosted customers only and is in preview mode. If you want to be an early adopter, contact Contrast support.
This topic provides examples of how to use the Contrast API to get access control details when you troubleshoot authorization issues.
To use the API to get role-based access control information for a user, you need a role that includes the Manage organization and Manage platform organization actions.
User ID query
Use this query to get a user's ID.
Set these environment variables:
HOSTNAME=http://<YourHostName>
ADMIN_APIKEY=<ServiceKey>
ADMIN_AUTH=<AdminAuthorization>
ORGID=<OrganizationID>
USER_EMAIL=<UserEmail>
USERID=<obtained in the next step>
In the Contrast web interface, you can get variable values under the user menu > User settings for the administrator or the user.
Replace <YourHostName> with the URL for your Contrast instance. For example: https://mycompany.com/Contrast.
Replace <ServiceKey> with the Service key for the administrator.
Replace <AdminAuthorization> with the Authorization header for the administrator.
Replace <OrganizationID> with the ID for the organization where the user is a member.
Replace <UserEmail> with the user's email address used to log in to Contrast.
To find the user's ID, run this query.
curl -X GET --location "$HOSTNAME/api/v4/organizations/$ORGID/users/$USER_EMAIL" \
  -H "API-Key: $ADMIN_APIKEY" \
  -H "Authorization: $ADMIN_AUTH"
Sample response; the user ID is the value of the userId field:
{
  "userId": "4790deb8-972d-47c8-b2d0-219617999c83",
  "username": "contrast_view",
  "organizationId": "2f95790d-64dd-4344-9b1c-920021d112bb",
  "firstName": "NX374ERI11",
  "lastName": "KFG0S17TX6",
  "status": "ACTIVE",
  "type": "STANDARD",
  "enabled": true,
  "language": "en",
  "dateTimePreferences": {
    "dateFormat": "MM/dd/yyyy",
    "timeFormat": "hh:mm a",
    "timeZone": "EST"
  },
  "auditDates": {
    "lastLoginTime": "2024-05-29T14:28:00.000+00:00",
    "creationDate": "2024-04-23T20:33:21.000+00:00"
  },
  "userAccessGroupMembership": [
    { "userAccessGroupId": "725e7af7-8cf4-44b3-a6d2-b30e6df6573e" },
    { "userAccessGroupId": "eeb65497-1e65-4eb3-99af-b781a4ce7d29" },
    { "userAccessGroupId": "12565428-1063-41c4-ada0-cbee082f5eca" }
  ],
  "apiOnly": false,
  "external": false,
  "serviceKey": "demo"
}
Assign the user ID to the USERID variable:
USERID=4790deb8-972d-47c8-b2d0-219617999c83
User access query
Run this query to get all access control details for a user.
curl -X GET --location "$HOSTNAME/api/v4/organizations/$ORGID/access-control-query/users/$USERID" \
  -H "API-Key: $ADMIN_APIKEY" \
  -H "Authorization: $ADMIN_AUTH"
Login permission query
Run this query to determine if a user has login permissions.
The user must have a role that includes at least the View organization action. Run this query:
curl -s -X GET --location "$HOSTNAME/api/v4/organizations/$ORGID/access-control-query/users/$USERID" \
  -H "API-Key: $ADMIN_APIKEY" \
  -H "Authorization: $ADMIN_AUTH" \
  | jq | grep ORG_SETTINGS | sort | uniq | wc -l \
  | if grep -qw 0; then echo "Not configured for login"; else echo "Configured for login"; fi
Sample result:
Configured for login
User role query
Run this query to find all the roles assigned to a user.
curl -s -X GET --location "$HOSTNAME/api/v4/organizations/$ORGID/access-control-query/users/$USERID" \
  -H "API-Key: $ADMIN_APIKEY" \
  -H "Authorization: $ADMIN_AUTH" \
  | jq | grep roleName | sort | uniq
Sample result:
"roleName": "ORGANIZATION_VIEW_ROLE",
"roleName": "rg with 1 app role",
User access group query
Run this query to find all the user access groups assigned to the user.
curl -s -X GET --location "$HOSTNAME/api/v4/organizations/$ORGID/access-control-query/users/$USERID" \
  -H "API-Key: $ADMIN_APIKEY" \
  -H "Authorization: $ADMIN_AUTH" \
  | jq | grep userAccessGroupName | sort | uniq
Sample result:
"userAccessGroupName": "Organization View",
"userAccessGroupName": "rg with 1 app uag",
Resource types, actions, and ID query
Run this query to get a list of resource types, actions, and resource IDs for a user.
curl -s -X GET --location "$HOSTNAME/api/v4/organizations/$ORGID/access-control-query/users/$USERID" \
  -H "API-Key: $ADMIN_APIKEY" \
  -H "Authorization: $ADMIN_AUTH" \
  | jq '.accessList[] | "\(.resourceType) \(.actions) \(.resourceId)"' | sort | uniq
Sample result:
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] 0383916c-956b-418b-a114-0ffc3420cb1c"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] 1a7539c4-2339-4524-958d-b60482ebf1f8"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] 2762d3b4-1033-406e-94cc-f4040b6e7111"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] 7843ab03-84a7-4f21-93bf-37e7bf47f94d"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] 97b1a6a1-ee34-4974-9ee2-4c92733de2bb"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] a8b804ad-cbe4-43e7-a03f-3f639f5680ab"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] d0c389d7-744c-4f2a-b391-8bf41c0dc09c"
"APPLICATION [\"APPLICATION_EDIT\",\"APPLICATION_RULES_ADMIN\",\"APPLICATION_ADMIN\",\"APPLICATION_VIEW\"] de9248b1-e8f5-43b9-a4e3-8a65e844691d"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] 0383916c-956b-418b-a114-0ffc3420cb1c"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] 1a7539c4-2339-4524-958d-b60482ebf1f8"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] 2762d3b4-1033-406e-94cc-f4040b6e7111"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] 7843ab03-84a7-4f21-93bf-37e7bf47f94d"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] 97b1a6a1-ee34-4974-9ee2-4c92733de2bb"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] a8b804ad-cbe4-43e7-a03f-3f639f5680ab"
"APPLICATION [\"PROTECT_ACCESS\",\"PROTECT_POLICIES_MANAGE\"] d0c389d7-744c-4f2a-b391-8bf41c0dc09c"
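The grep pipelines above (login permission, roles, access groups, and resource/action/ID) all read the same access-control-query response. The script below is an added example, not code from the Contrast documentation, that does the same summaries over the parsed JSON and adds the question a troubleshooter usually ends up asking: which role and access group grant (or fail to grant) one specific action on one specific resource. The response shape is an assumption modelled on the fields the page's pipelines extract (accessList[].resourceType, .actions, .resourceId, roleName, userAccessGroupName); the sample body, the role name "demo app role", its group "demo app uag", and the action name PLACEHOLDER_ORG_VIEW_ACTION are constructed placeholders. Merging per resource matters because the API reports one row per granting role, so the same application appears several times in the page's sample output.

```python
"""Summarise a Contrast access-control-query response for troubleshooting (added example)."""
import json
from collections import defaultdict

# Constructed sample response. The nesting is an assumption: roleName and
# userAccessGroupName are placed on each accessList entry because the page's
# grep pipelines find them in the same response body; adjust the accessors if
# the live API nests them elsewhere. Resource IDs and role names are copied
# from the page's sample output except where marked as placeholders.
SAMPLE_RESPONSE = json.dumps({
    "userId": "4790deb8-972d-47c8-b2d0-219617999c83",
    "accessList": [
        {
            "resourceType": "ORG_SETTINGS",
            "actions": ["PLACEHOLDER_ORG_VIEW_ACTION"],  # placeholder action name
            "resourceId": "2f95790d-64dd-4344-9b1c-920021d112bb",
            "roleName": "ORGANIZATION_VIEW_ROLE",
            "userAccessGroupName": "Organization View",
        },
        {
            "resourceType": "APPLICATION",
            "actions": ["APPLICATION_EDIT", "APPLICATION_RULES_ADMIN",
                        "APPLICATION_ADMIN", "APPLICATION_VIEW"],
            "resourceId": "0383916c-956b-418b-a114-0ffc3420cb1c",
            "roleName": "rg with 1 app role",
            "userAccessGroupName": "rg with 1 app uag",
        },
        {
            "resourceType": "APPLICATION",
            "actions": ["PROTECT_ACCESS", "PROTECT_POLICIES_MANAGE"],
            "resourceId": "0383916c-956b-418b-a114-0ffc3420cb1c",
            "roleName": "rg with 1 app role",
            "userAccessGroupName": "rg with 1 app uag",
        },
        {
            # Second application with no Protect grants (constructed role/group names)
            "resourceType": "APPLICATION",
            "actions": ["APPLICATION_EDIT", "APPLICATION_RULES_ADMIN",
                        "APPLICATION_ADMIN", "APPLICATION_VIEW"],
            "resourceId": "de9248b1-e8f5-43b9-a4e3-8a65e844691d",
            "roleName": "demo app role",
            "userAccessGroupName": "demo app uag",
        },
    ],
})


def access_entries(response_text):
    """Parse the raw response body and return its accessList entries."""
    return json.loads(response_text).get("accessList", [])


def role_names(entries):
    """Distinct role names, the equivalent of `grep roleName | sort | uniq`."""
    return sorted({e["roleName"] for e in entries if "roleName" in e})


def access_group_names(entries):
    """Distinct user access group names."""
    return sorted({e["userAccessGroupName"] for e in entries if "userAccessGroupName" in e})


def configured_for_login(entries):
    """Mirror the page's login check: at least one grant on the ORG_SETTINGS resource type."""
    return any(e.get("resourceType") == "ORG_SETTINGS" for e in entries)


def effective_actions(entries):
    """Merge grants per (resourceType, resourceId) across all granting roles."""
    merged = defaultdict(set)
    for e in entries:
        merged[(e["resourceType"], e["resourceId"])].update(e.get("actions", []))
    return {key: sorted(actions) for key, actions in merged.items()}


def grants_for(entries, resource_type, resource_id, action):
    """(roleName, userAccessGroupName) pairs that grant `action` on one resource.
    An empty list is the answer to 'why is this user denied'."""
    return sorted(
        (e.get("roleName", "?"), e.get("userAccessGroupName", "?"))
        for e in entries
        if e.get("resourceType") == resource_type
        and e.get("resourceId") == resource_id
        and action in e.get("actions", [])
    )


if __name__ == "__main__":
    entries = access_entries(SAMPLE_RESPONSE)
    print("Roles:", role_names(entries))
    print("Access groups:", access_group_names(entries))
    print("Configured for login" if configured_for_login(entries) else "Not configured for login")
    for (rtype, rid), actions in sorted(effective_actions(entries).items()):
        print(f"{rtype} {rid}: {', '.join(actions)}")
    app = "de9248b1-e8f5-43b9-a4e3-8a65e844691d"
    print("PROTECT_ACCESS on", app, "granted by:", grants_for(entries, "APPLICATION", app, "PROTECT_ACCESS"))
```

To run it against a real user, pipe the curl command from the user access query into a file and pass its contents to access_entries instead of SAMPLE_RESPONSE; the summaries then match the page's grep output, and grants_for pinpoints which role or access group to adjust.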