diff --git a/.vscode/settings.json b/.vscode/settings.json index c48d27f575b3..f08edb9dab38 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -23,15 +23,16 @@ "todo-tree.tree.showCountsInTree": true, "todo-tree.tree.showBadges": true, "yaml.customTags": [ - "!Find sequence", - "!KeyOf scalar", - "!Context scalar", - "!Context sequence", - "!Format sequence", "!Condition sequence", - "!Env sequence", + "!Context scalar", + "!Enumerate sequence", "!Env scalar", - "!If sequence" + "!Find sequence", + "!Format sequence", + "!If sequence", + "!Index scalar", + "!KeyOf scalar", + "!Value scalar" ], "typescript.preferences.importModuleSpecifier": "non-relative", "typescript.preferences.importModuleSpecifierEnding": "index", diff --git a/authentik/blueprints/management/commands/make_blueprint_schema.py b/authentik/blueprints/management/commands/make_blueprint_schema.py index 6e482665d58c..9b3f27b60200 100644 --- a/authentik/blueprints/management/commands/make_blueprint_schema.py +++ b/authentik/blueprints/management/commands/make_blueprint_schema.py @@ -113,16 +113,19 @@ def build(self): ) model_path = f"{model._meta.app_label}.{model._meta.model_name}" self.schema["properties"]["entries"]["items"]["oneOf"].append( - self.template_entry(model_path, serializer) + self.template_entry(model_path, model, serializer) ) - def template_entry(self, model_path: str, serializer: Serializer) -> dict: + def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict: """Template entry for a single model""" model_schema = self.to_jsonschema(serializer) model_schema["required"] = [] def_name = f"model_{model_path}" def_path = f"#/$defs/{def_name}" self.schema["$defs"][def_name] = model_schema + def_name_perm = f"model_{model_path}_permissions" + def_path_perm = f"#/$defs/{def_name_perm}" + self.schema["$defs"][def_name_perm] = self.model_permissions(model) return { "type": "object", "required": ["model", "identifiers"], 
@@ -135,6 +138,7 @@ def template_entry(self, model_path: str, serializer: Serializer) -> dict: "default": "present", }, "conditions": {"type": "array", "items": {"type": "boolean"}}, + "permissions": {"$ref": def_path_perm}, "attrs": {"$ref": def_path}, "identifiers": {"$ref": def_path}, }, @@ -185,3 +189,20 @@ def to_jsonschema(self, serializer: Serializer) -> dict: if required: result["required"] = required return result + + def model_permissions(self, model: type[Model]) -> dict: + perms = [x[0] for x in model._meta.permissions] + for action in model._meta.default_permissions: + perms.append(f"{action}_{model._meta.model_name}") + return { + "type": "array", + "items": { + "type": "object", + "required": ["permission"], + "properties": { + "permission": {"type": "string", "enum": perms}, + "user": {"type": "integer"}, + "role": {"type": "string"}, + }, + }, + } diff --git a/authentik/blueprints/tests/fixtures/rbac_object.yaml b/authentik/blueprints/tests/fixtures/rbac_object.yaml new file mode 100644 index 000000000000..75c10eb8779c --- /dev/null +++ b/authentik/blueprints/tests/fixtures/rbac_object.yaml @@ -0,0 +1,24 @@ +version: 1 +entries: + - model: authentik_core.user + id: user + identifiers: + username: "%(id)s" + attrs: + name: "%(id)s" + - model: authentik_rbac.role + id: role + identifiers: + name: "%(id)s" + - model: authentik_flows.flow + identifiers: + slug: "%(id)s" + attrs: + designation: authentication + name: foo + title: foo + permissions: + - permission: view_flow + user: !KeyOf user + - permission: view_flow + role: !KeyOf role diff --git a/authentik/blueprints/tests/fixtures/rbac_role.yaml b/authentik/blueprints/tests/fixtures/rbac_role.yaml new file mode 100644 index 000000000000..0a145e26fa30 --- /dev/null +++ b/authentik/blueprints/tests/fixtures/rbac_role.yaml @@ -0,0 +1,8 @@ +version: 1 +entries: + - model: authentik_rbac.role + identifiers: + name: "%(id)s" + attrs: + permissions: + - authentik_blueprints.view_blueprintinstance 
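Review bot: `model_permissions` has no docstring, unlike `template_entry` and `to_jsonschema` around it, and it assembles `perms` with an index-into-tuple loop plus `append` where one expression reads more directly. Suggest `"""Schema for an entry's permissions list: the codenames this model accepts, plus the user/role targets"""` and `perms = [codename for codename, _ in model._meta.permissions] + [f"{action}_{model._meta.model_name}" for action in model._meta.default_permissions]`. The enum is the only place a typo in a blueprint's `permission` value is caught before apply time, so it is worth a comment saying the importer does not re-check it (the importer hunk in this commit calls `assign_perm` with the raw string).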
diff --git a/authentik/blueprints/tests/fixtures/rbac_user.yaml b/authentik/blueprints/tests/fixtures/rbac_user.yaml new file mode 100644 index 000000000000..33cff0513903 --- /dev/null +++ b/authentik/blueprints/tests/fixtures/rbac_user.yaml @@ -0,0 +1,9 @@ +version: 1 +entries: + - model: authentik_core.user + identifiers: + username: "%(id)s" + attrs: + name: "%(id)s" + permissions: + - authentik_blueprints.view_blueprintinstance diff --git a/authentik/blueprints/tests/test_v1_rbac.py b/authentik/blueprints/tests/test_v1_rbac.py new file mode 100644 index 000000000000..87784a7e95c1 --- /dev/null +++ b/authentik/blueprints/tests/test_v1_rbac.py 
@@ -0,0 +1,57 @@ +"""Test blueprints v1""" + +from django.test import TransactionTestCase +from guardian.shortcuts import get_perms + +from authentik.blueprints.v1.importer import Importer +from authentik.core.models import User +from authentik.flows.models import Flow +from authentik.lib.generators import generate_id +from authentik.lib.tests.utils import load_fixture +from authentik.rbac.models import Role + + +class TestBlueprintsV1RBAC(TransactionTestCase): + """Test Blueprints rbac attribute""" + + def test_user_permission(self): + """Test permissions""" + uid = generate_id() + import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid) + + importer = Importer.from_string(import_yaml) + self.assertTrue(importer.validate()[0]) + self.assertTrue(importer.apply()) + user = User.objects.filter(username=uid).first() + self.assertIsNotNone(user) + self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"])) + + def test_role_permission(self): + """Test permissions""" + uid = generate_id() + import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid) + + importer = Importer.from_string(import_yaml) + self.assertTrue(importer.validate()[0]) + self.assertTrue(importer.apply()) + role = Role.objects.filter(name=uid).first() + self.assertIsNotNone(role) + self.assertEqual( + list(role.group.permissions.all().values_list("codename", flat=True)), + ["view_blueprintinstance"], + ) + + def test_object_permission(self): + """Test permissions""" + uid = generate_id() + import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid) + + importer = Importer.from_string(import_yaml) + self.assertTrue(importer.validate()[0]) + self.assertTrue(importer.apply()) + flow = Flow.objects.filter(slug=uid).first() + user = User.objects.filter(username=uid).first() + role = Role.objects.filter(name=uid).first() + self.assertIsNotNone(flow) + self.assertEqual(get_perms(user, flow), ["view_flow"]) + self.assertEqual(get_perms(role.group, flow), ["view_flow"]) 
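Review bot: All three tests carry the identical docstring `"""Test permissions"""`, which says nothing about what distinguishes them; suggest `"""Global permissions on a user imported from a blueprint"""`, `"""Global permissions on a role's group"""` and `"""Object-level permissions granted to a user and a role via !KeyOf"""`. `test_user_permission` also only checks `has_perms`, which is satisfied by any path that grants the permission, whereas `test_role_permission` pins the mechanism by reading the group's permission codenames; asserting `list(user.user_permissions.values_list("codename", flat=True))` the same way would make the user test equally precise.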
diff --git a/authentik/blueprints/v1/common.py b/authentik/blueprints/v1/common.py index 21b923f2e79b..713bc32f35b5 100644 --- a/authentik/blueprints/v1/common.py +++ b/authentik/blueprints/v1/common.py @@ -1,7 +1,7 @@ """transfer common classes""" from collections import OrderedDict -from collections.abc import Iterable, Mapping +from collections.abc import Generator, Iterable, Mapping from copy import copy from dataclasses import asdict, dataclass, field, is_dataclass from enum import Enum @@ -58,6 +58,15 @@ class BlueprintEntryDesiredState(Enum): MUST_CREATED = "must_created" +@dataclass +class BlueprintEntryPermission: + """Describe object-level permissions""" + + permission: Union[str, "YAMLTag"] + user: Union[int, "YAMLTag", None] = field(default=None) + role: Union[str, "YAMLTag", None] = field(default=None) + + @dataclass class BlueprintEntry: """Single entry of a blueprint""" @@ -69,6 +78,7 @@ class BlueprintEntry: conditions: list[Any] = field(default_factory=list) identifiers: dict[str, Any] = field(default_factory=dict) attrs: dict[str, Any] | None = field(default_factory=dict) + permissions: list[BlueprintEntryPermission] = field(default_factory=list) id: str | None = None @@ -150,6 +160,17 @@ def get_model(self, blueprint: "Blueprint") -> str: """Get the blueprint model, with yaml tags resolved if present""" return str(self.tag_resolver(self.model, blueprint)) + def get_permissions( + self, blueprint: "Blueprint" + ) -> Generator[BlueprintEntryPermission, None, None]: + """Get permissions of this entry, with all yaml tags resolved""" + for perm in self.permissions: + yield BlueprintEntryPermission( + permission=self.tag_resolver(perm.permission, blueprint), + user=self.tag_resolver(perm.user, blueprint), + role=self.tag_resolver(perm.role, blueprint), + ) + def check_all_conditions_match(self, blueprint: "Blueprint") -> bool: """Check all conditions of this entry match (evaluate to True)""" return all(self.tag_resolver(self.conditions, blueprint)) 
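Review bot: `BlueprintEntryPermission`'s fields are undocumented and their annotations do not say what the importer expects: `user` and `role` are looked up by primary key (`User.objects.get(pk=perm.user)` / `Role.objects.get(pk=perm.role)` in the importer hunk of this commit) and `permission` is the `app_label.codename` string, so a reader of this dataclass alone cannot tell that `role` is a Role pk rather than a role name. Suggest field comments `# app_label.codename of the permission to grant on the entry's object`, `# pk of the User to grant it to (usually a !KeyOf reference)` and `# pk of the Role to grant it to`. A permission entry with neither `user` nor `role` set passes silently (`get_permissions` yields it and the importer skips both branches); if that is not intended, `get_permissions` is the natural place to raise the module's entry-invalid error for it.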
diff --git a/authentik/blueprints/v1/importer.py b/authentik/blueprints/v1/importer.py index 92f008901fb3..79e8a288e899 100644 --- a/authentik/blueprints/v1/importer.py +++ b/authentik/blueprints/v1/importer.py @@ -16,6 +16,7 @@ from django.db.transaction import atomic from django.db.utils import IntegrityError from guardian.models import UserObjectPermission +from guardian.shortcuts import assign_perm from rest_framework.exceptions import ValidationError from rest_framework.serializers import BaseSerializer, Serializer from structlog.stdlib import BoundLogger, get_logger @@ -35,6 +36,7 @@ PropertyMapping, Provider, Source, + User, UserSourceConnection, ) from authentik.enterprise.license import LicenseKey @@ -54,11 +56,13 @@ from authentik.flows.models import FlowToken, Stage from authentik.lib.models import SerializerModel from authentik.lib.sentry import SentryIgnoredException +from authentik.lib.utils.reflection import get_apps from authentik.outposts.models import OutpostServiceConnection from authentik.policies.models import Policy, PolicyBindingModel from authentik.policies.reputation.models import Reputation from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser +from authentik.rbac.models import Role from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType from authentik.tenants.models import Tenant @@ -136,6 +140,16 @@ def transaction_rollback(): pass +def rbac_models() -> dict: + models = {} + for app in get_apps(): + for model in app.get_models(): + if not is_model_allowed(model): + continue + models[model._meta.model_name] = app.label + return models + + class Importer: """Import Blueprint from raw dict or YAML/JSON""" 
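Review bot: `rbac_models` keys the result by `model._meta.model_name` alone, so if two allowed apps define models with the same model name the later app silently overwrites the earlier one, and the read-only blueprint in this commit (which builds `%s.view_%s` from value and key) then grants the permission for only one of them. Whether such a collision exists today depends on `is_model_allowed`, which is outside the hunk; a check that raises on a duplicate key, e.g. `if model._meta.model_name in models: raise ValueError(f"duplicate model name {model._meta.model_name}")`, would make it visible instead of producing a quietly incomplete role. The function also lacks a docstring; suggest `"""Map model name -> app label for every model blueprints may target; exposed as the goauthentik.io/rbac/models context"""`.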
@@ -154,7 +168,10 @@ def __init__(self, blueprint: Blueprint, context: dict | None = None): def default_context(self): """Default context""" - return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()} + return { + "goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid(), + "goauthentik.io/rbac/models": rbac_models(), + } @staticmethod def from_string(yaml_input: str, context: dict | None = None) -> "Importer": @@ -320,6 +337,15 @@ def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None: ) from exc return serializer + def _apply_permissions(self, instance: Model, entry: BlueprintEntry): + """Apply object-level permissions for an entry""" + for perm in entry.get_permissions(self._import): + if perm.user is not None: + assign_perm(perm.permission, User.objects.get(pk=perm.user), instance) + if perm.role is not None: + role = Role.objects.get(pk=perm.role) + role.assign_permission(perm.permission, obj=instance) + def apply(self) -> bool: """Apply (create/update) models yaml, in database transaction""" try: @@ -384,6 +410,7 @@ def _apply_models(self, raise_errors=False) -> bool: if "pk" in entry.identifiers: self.__pk_map[entry.identifiers["pk"]] = instance.pk entry._state = BlueprintEntryState(instance) + self._apply_permissions(instance, entry) elif state == BlueprintEntryDesiredState.ABSENT: instance: Model | None = serializer.instance if instance.pk: diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py index afa7fc908b14..5355c0535acd 100644 --- a/authentik/core/api/users.py +++ b/authentik/core/api/users.py @@ -5,6 +5,7 @@ from typing import Any from django.contrib.auth import update_session_auth_hash +from django.contrib.auth.models import Permission from django.contrib.sessions.backends.cache import KEY_PREFIX from django.core.cache import cache from django.db.models.functions import ExtractHour 
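Review bot: `_apply_permissions` reports nothing useful for a bad reference: `User.objects.get(pk=perm.user)` and `Role.objects.get(pk=perm.role)` raise `DoesNotExist`, `assign_perm` raises (as far as I recall, `Permission.DoesNotExist`) when `perm.permission` is not a permission of `instance`'s model, and nothing in the visible context of `_validate_single` covers `entry.permissions`, so a typo only surfaces at apply time as a raw exception rather than an entry validation message (how `_apply_models` wraps this is outside the hunk). Suggest resolving the user/role with `.filter(pk=...).first()` and raising the importer's entry error naming the entry and the missing pk when the result is None, and checking the codename against the model's `_meta` permissions before calling `assign_perm`. Grants are also additive: the hunk at `@@ -384,6 +410,7` calls this on every apply and a permission removed from a blueprint is never revoked, which the docstring should state, e.g. `"""Apply object-level permissions for an entry; grants are additive and never revoked"""`.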
@@ -33,15 +34,21 @@ ) from guardian.shortcuts import get_objects_for_user from rest_framework.decorators import action -from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField +from rest_framework.exceptions import ValidationError +from rest_framework.fields import ( + BooleanField, + CharField, + ChoiceField, + DateTimeField, + IntegerField, + ListField, + SerializerMethodField, +) from rest_framework.request import Request from rest_framework.response import Response from rest_framework.serializers import ( - BooleanField, - DateTimeField, ListSerializer, PrimaryKeyRelatedField, - ValidationError, ) from rest_framework.validators import UniqueValidator from rest_framework.viewsets import ModelViewSet @@ -78,6 +85,7 @@ from authentik.flows.views.executor import QS_KEY_TOKEN from authentik.lib.avatars import get_avatar from authentik.rbac.decorators import permission_required +from authentik.rbac.models import get_permission_choices from authentik.stages.email.models import EmailStage from authentik.stages.email.tasks import send_mails from authentik.stages.email.utils import TemplateEmailMessage 
@@ -141,12 +149,19 @@ def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) if SERIALIZER_CONTEXT_BLUEPRINT in self.context: self.fields["password"] = CharField(required=False, allow_null=True) + self.fields["permissions"] = ListField( + required=False, child=ChoiceField(choices=get_permission_choices()) + ) def create(self, validated_data: dict) -> User: """If this serializer is used in the blueprint context, we allow for directly setting a password. However should be done via the `set_password` method instead of directly setting it like rest_framework.""" password = validated_data.pop("password", None) + permissions = Permission.objects.filter( + codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])] + ) + validated_data["user_permissions"] = permissions instance: User = super().create(validated_data) self._set_password(instance, password) return instance @@ -155,6 +170,10 @@ def update(self, instance: User, validated_data: dict) -> User: """Same as `create` above, set the password directly if we're in a blueprint context""" password = validated_data.pop("password", None) + permissions = Permission.objects.filter( + codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])] + ) + validated_data["user_permissions"] = permissions instance = super().update(instance, validated_data) self._set_password(instance, password) return instance diff --git a/authentik/providers/saml/api/property_mappings.py b/authentik/providers/saml/api/property_mappings.py index 5108de995473..346219568efc 100644 --- a/authentik/providers/saml/api/property_mappings.py +++ b/authentik/providers/saml/api/property_mappings.py @@ -23,6 +23,7 @@ class SAMLPropertyMappingFilter(PropertyMappingFilterSet): class Meta(PropertyMappingFilterSet.Meta): model = SAMLPropertyMapping + fields = PropertyMappingFilterSet.Meta.fields + ["saml_name", "friendly_name"] class SAMLPropertyMappingViewSet(UsedByMixin, ModelViewSet): 
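Review bot: `create` and `update` (hunk `@@ -155,6 +170,10`) assign `validated_data["user_permissions"]` unconditionally, and `pop("permissions", [])` yields an empty queryset whenever the key is absent — which is every request outside the blueprint context, because the `permissions` field is only declared there — so as far as the visible lines show an ordinary API update of a user would clear all of that user's directly assigned permissions. The same pattern is in `RoleSerializer.update` in roles.py, where `instance.group.permissions.set(permissions)` runs for every update. The lookup also matches on `codename` alone and discards the app label, so a codename shared by two apps would grant both. Only touch `user_permissions` when the key was actually supplied, and match app label and codename together (`Q` comes from `django.db.models`):
```python
    def _permissions(self, names: list[str]):
        """Resolve `app_label.codename` strings to Permission rows, matching both parts"""
        if not names:
            return Permission.objects.none()
        query = Q()
        for name in names:
            app_label, _, codename = name.partition(".")
            query |= Q(content_type__app_label=app_label, codename=codename)
        return Permission.objects.filter(query)

    def create(self, validated_data: dict) -> User:
        # … unchanged: docstring …
        password = validated_data.pop("password", None)
        permissions = validated_data.pop("permissions", None)
        if permissions is not None:
            validated_data["user_permissions"] = self._permissions(permissions)
        # … unchanged: super().create(), _set_password, return …
    # … same change in update(): only set user_permissions when the key was supplied …
```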
diff --git a/authentik/rbac/api/rbac.py b/authentik/rbac/api/rbac.py index e00ea5ec514a..397d8696d6df 100644 --- a/authentik/rbac/api/rbac.py +++ b/authentik/rbac/api/rbac.py @@ -59,6 +59,12 @@ class Meta: ] +class PermissionAssignResultSerializer(PassiveSerializer): + """Result from assigning permissions to a user/role""" + + id = CharField() + + class PermissionFilter(FilterSet): """Filter permissions""" diff --git a/authentik/rbac/api/rbac_assigned_by_roles.py b/authentik/rbac/api/rbac_assigned_by_roles.py index fab814f17502..04492703b064 100644 --- a/authentik/rbac/api/rbac_assigned_by_roles.py +++ b/authentik/rbac/api/rbac_assigned_by_roles.py @@ -16,7 +16,7 @@ from authentik.core.api.utils import ModelSerializer, PassiveSerializer from authentik.policies.event_matcher.models import model_choices -from authentik.rbac.api.rbac import PermissionAssignSerializer +from authentik.rbac.api.rbac import PermissionAssignResultSerializer, PermissionAssignSerializer from authentik.rbac.decorators import permission_required from authentik.rbac.models import Role @@ -28,7 +28,7 @@ class RoleObjectPermissionSerializer(ModelSerializer): model = ReadOnlyField(source="content_type.model") codename = ReadOnlyField(source="permission.codename") name = ReadOnlyField(source="permission.name") - object_pk = ReadOnlyField() + object_pk = CharField() class Meta: model = GroupObjectPermission @@ -88,8 +88,9 @@ class RoleAssignedPermissionViewSet(ListModelMixin, GenericViewSet): @extend_schema( request=PermissionAssignSerializer(), responses={ - 204: OpenApiResponse(description="Successfully assigned"), + 200: PermissionAssignResultSerializer(many=True), }, + operation_id="rbac_permissions_assigned_by_roles_assign", ) @action(methods=["POST"], detail=True, pagination_class=None, filter_backends=[]) def assign(self, request: Request, *args, **kwargs) -> Response: 
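Review bot: `object_pk` changes from `ReadOnlyField` to a writable `CharField`, and together with the `UpdateModelMixin` added to `RolePermissionViewSet` (rbac_roles.py, `@@ -64,10 +69,12`) and `UserPermissionViewSet` (rbac_users.py, matching hunk, with the same field change in rbac_assigned_by_users.py `@@ -30,7 +30,7`) a PATCH can now re-point an existing object-permission row at a different `object_pk` with no check that the pk exists for `content_type` or that the caller holds any right on the target object. The assign endpoints go through `PermissionAssignSerializer`, whose `model_instance` is resolved before `assign_perm` runs; the update path should validate the same way, e.g. a `validate_object_pk` that fetches `self.instance.content_type.get_object_for_this_type(pk=value)` and raises `ValidationError` when it is missing, or keep the field read-only and let updates cover only the permission. Which permission class guards the update action is outside these hunks.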
@@ -98,10 +99,12 @@ def assign(self, request: Request, *args, **kwargs) -> Response: role: Role = self.get_object() data = PermissionAssignSerializer(data=request.data) data.is_valid(raise_exception=True) + ids = [] with atomic(): for perm in data.validated_data["permissions"]: - assign_perm(perm, role.group, data.validated_data["model_instance"]) - return Response(status=204) + assigned_perm = assign_perm(perm, role.group, data.validated_data["model_instance"]) + ids.append(PermissionAssignResultSerializer(instance={"id": assigned_perm.pk}).data) + return Response(ids, status=200) @permission_required("authentik_rbac.unassign_role_permissions") @extend_schema( diff --git a/authentik/rbac/api/rbac_assigned_by_users.py b/authentik/rbac/api/rbac_assigned_by_users.py index 403fac1df104..8a225978080d 100644 --- a/authentik/rbac/api/rbac_assigned_by_users.py +++ b/authentik/rbac/api/rbac_assigned_by_users.py @@ -9,7 +9,7 @@ from guardian.shortcuts import assign_perm, remove_perm from rest_framework.decorators import action from rest_framework.exceptions import ValidationError -from rest_framework.fields import BooleanField, ReadOnlyField +from rest_framework.fields import BooleanField, CharField, ReadOnlyField from rest_framework.mixins import ListModelMixin from rest_framework.request import Request from rest_framework.response import Response @@ -19,7 +19,7 @@ from authentik.core.api.utils import ModelSerializer from authentik.core.models import User, UserTypes from authentik.policies.event_matcher.models import model_choices -from authentik.rbac.api.rbac import PermissionAssignSerializer +from authentik.rbac.api.rbac import PermissionAssignResultSerializer, PermissionAssignSerializer from authentik.rbac.decorators import permission_required 
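Review bot: The `id` returned per permission means two different things and neither `PermissionAssignResultSerializer` nor the `extend_schema` response says which: as far as I recall guardian's `assign_perm` returns the `Permission` row when no `model_instance` is given and the `GroupObjectPermission` row otherwise, so a client cannot tell which table the pk refers to. State it in the serializer docstring, e.g. `"""Result from assigning permissions: pk of the created object-permission row, or of the Permission itself for global grants"""`. Building `PermissionAssignResultSerializer(instance=...).data` per item inside the loop can also be one `PermissionAssignResultSerializer(instance=[{"id": p.pk} for p in assigned], many=True).data` after the transaction; the same applies to the users endpoint (rbac_assigned_by_users.py, `@@ -101,10 +102,12`).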
@@ -30,7 +30,7 @@ class UserObjectPermissionSerializer(ModelSerializer): model = ReadOnlyField(source="content_type.model") codename = ReadOnlyField(source="permission.codename") name = ReadOnlyField(source="permission.name") - object_pk = ReadOnlyField() + object_pk = CharField() class Meta: model = UserObjectPermission @@ -90,8 +90,9 @@ class UserAssignedPermissionViewSet(ListModelMixin, GenericViewSet): @extend_schema( request=PermissionAssignSerializer(), responses={ - 204: OpenApiResponse(description="Successfully assigned"), + 200: PermissionAssignResultSerializer(many=True), }, + operation_id="rbac_permissions_assigned_by_users_assign", ) @action(methods=["POST"], detail=True, pagination_class=None, filter_backends=[]) def assign(self, request: Request, *args, **kwargs) -> Response: @@ -101,10 +102,12 @@ def assign(self, request: Request, *args, **kwargs) -> Response: raise ValidationError("Permissions cannot be assigned to an internal service account.") data = PermissionAssignSerializer(data=request.data) data.is_valid(raise_exception=True) + ids = [] with atomic(): for perm in data.validated_data["permissions"]: - assign_perm(perm, user, data.validated_data["model_instance"]) - return Response(status=204) + assigned_perm = assign_perm(perm, user, data.validated_data["model_instance"]) + ids.append(PermissionAssignResultSerializer(instance={"id": assigned_perm.pk}).data) + return Response(ids, status=200) @permission_required("authentik_core.unassign_user_permissions") @extend_schema( diff --git a/authentik/rbac/api/rbac_roles.py b/authentik/rbac/api/rbac_roles.py index 60542dfc4f5f..bd84923b1400 100644 --- a/authentik/rbac/api/rbac_roles.py +++ b/authentik/rbac/api/rbac_roles.py 
@@ -6,7 +6,12 @@ from guardian.models import GroupObjectPermission from guardian.shortcuts import get_objects_for_group from rest_framework.fields import SerializerMethodField -from rest_framework.mixins import ListModelMixin +from rest_framework.mixins import ( + DestroyModelMixin, + ListModelMixin, + RetrieveModelMixin, + UpdateModelMixin, +) from rest_framework.viewsets import GenericViewSet from authentik.api.pagination import SmallerPagination @@ -64,10 +69,12 @@ class Meta(RoleObjectPermissionSerializer.Meta): class RolePermissionFilter(FilterSet): """Role permission filter""" - uuid = UUIDFilter("group__role__uuid", required=True) + uuid = UUIDFilter("group__role__uuid") -class RolePermissionViewSet(ListModelMixin, GenericViewSet): +class RolePermissionViewSet( + ListModelMixin, UpdateModelMixin, RetrieveModelMixin, DestroyModelMixin, GenericViewSet +): """Get a role's assigned object permissions""" serializer_class = ExtraRoleObjectPermissionSerializer diff --git a/authentik/rbac/api/rbac_users.py b/authentik/rbac/api/rbac_users.py index 95a31de7687f..8951a5df8cf8 100644 --- a/authentik/rbac/api/rbac_users.py +++ b/authentik/rbac/api/rbac_users.py @@ -6,7 +6,12 @@ from guardian.models import UserObjectPermission from guardian.shortcuts import get_objects_for_user from rest_framework.fields import SerializerMethodField -from rest_framework.mixins import ListModelMixin +from rest_framework.mixins import ( + DestroyModelMixin, + ListModelMixin, + RetrieveModelMixin, + UpdateModelMixin, +) from rest_framework.viewsets import GenericViewSet from authentik.api.pagination import SmallerPagination 
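Review bot: Dropping `required=True` from the `uuid` filter turns an unfiltered `GET` into a listing of every role's object permissions across the instance (the test change in test_api_permissions_roles.py now expects 200 for exactly that), and the same is done for `user_id` in rbac_users.py. Whether that is acceptable depends on the viewset's permission class and queryset scoping, which are outside the hunk; if the only goal is to let the new retrieve/update/destroy actions work without the filter, keeping `required=True` for the list action would preserve the previous behaviour. Either way the class docstring `"""Get a role's assigned object permissions"""` no longer describes a viewset that also updates and deletes them; suggest `"""List, retrieve, update or delete a role's assigned object permissions"""` (and the equivalent for the user viewset).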
@@ -64,10 +69,12 @@ class Meta(UserObjectPermissionSerializer.Meta): class UserPermissionFilter(FilterSet): """User-assigned permission filter""" - user_id = NumberFilter("user__id", required=True) + user_id = NumberFilter("user__id") -class UserPermissionViewSet(ListModelMixin, GenericViewSet): +class UserPermissionViewSet( + ListModelMixin, UpdateModelMixin, RetrieveModelMixin, DestroyModelMixin, GenericViewSet +): """Get a users's assigned object permissions""" serializer_class = ExtraUserObjectPermissionSerializer diff --git a/authentik/rbac/api/roles.py b/authentik/rbac/api/roles.py index 86b2f7cd65fa..a9c1fa7cb0c2 100644 --- a/authentik/rbac/api/roles.py +++ b/authentik/rbac/api/roles.py 
@@ -1,15 +1,44 @@ """RBAC Roles""" +from django.contrib.auth.models import Permission +from rest_framework.fields import ( + ChoiceField, + ListField, +) from rest_framework.viewsets import ModelViewSet +from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT from authentik.core.api.used_by import UsedByMixin from authentik.core.api.utils import ModelSerializer -from authentik.rbac.models import Role +from authentik.rbac.models import Role, get_permission_choices class RoleSerializer(ModelSerializer): """Role serializer""" + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + if SERIALIZER_CONTEXT_BLUEPRINT in self.context: + self.fields["permissions"] = ListField( + required=False, child=ChoiceField(choices=get_permission_choices()) + ) + + def create(self, validated_data: dict) -> Role: + permissions = Permission.objects.filter( + codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])] + ) + instance: Role = super().create(validated_data) + instance.group.permissions.set(permissions) + return instance + + def update(self, instance: Role, validated_data: dict) -> Role: + permissions = Permission.objects.filter( + codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])] + ) + instance: Role = super().update(instance, validated_data) + instance.group.permissions.set(permissions) + return instance + class Meta: model = Role fields = ["pk", "name"] diff --git a/authentik/rbac/models.py b/authentik/rbac/models.py index 87ea23dcb434..80d744940368 100644 --- a/authentik/rbac/models.py +++ b/authentik/rbac/models.py @@ -2,6 +2,7 @@ from uuid import uuid4 +from django.contrib.auth.models import Permission from django.db import models from django.db.transaction import atomic from django.utils.translation import gettext_lazy as _ 
@@ -11,6 +12,26 @@ from authentik.lib.models import SerializerModel +def get_permissions(): + return ( + Permission.objects.all() + .select_related("content_type") + .filter( + content_type__app_label__startswith="authentik", + ) + ) + + +def get_permission_choices() -> list[tuple[str, str]]: + return [ + ( + f"{x.content_type.app_label}.{x.codename}", + f"{x.content_type.app_label}.{x.codename}", + ) + for x in get_permissions() + ] + + class Role(SerializerModel): """RBAC role, which can have different permissions (both global and per-object) attached to it.""" diff --git a/authentik/rbac/tests/test_api_assigned_by_roles.py b/authentik/rbac/tests/test_api_assigned_by_roles.py index a7ea300721a9..31619178346d 100644 --- a/authentik/rbac/tests/test_api_assigned_by_roles.py +++ b/authentik/rbac/tests/test_api_assigned_by_roles.py @@ -73,7 +73,7 @@ def test_assign_global(self): "permissions": ["authentik_stages_invitation.view_invitation"], }, ) - self.assertEqual(res.status_code, 204) + self.assertEqual(res.status_code, 200) self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation")) def test_assign_object(self): @@ -96,7 +96,7 @@ def test_assign_object(self): "object_pk": str(inv.pk), }, ) - self.assertEqual(res.status_code, 204) + self.assertEqual(res.status_code, 200) self.assertTrue( self.user.has_perm( "authentik_stages_invitation.view_invitation", diff --git a/authentik/rbac/tests/test_api_assigned_by_users.py b/authentik/rbac/tests/test_api_assigned_by_users.py index 0d35ab845bc6..191bf0f60271 100644 --- a/authentik/rbac/tests/test_api_assigned_by_users.py +++ b/authentik/rbac/tests/test_api_assigned_by_users.py @@ -79,7 +79,7 @@ def test_assign_global(self): "permissions": ["authentik_stages_invitation.view_invitation"], }, ) - self.assertEqual(res.status_code, 204) + self.assertEqual(res.status_code, 200) self.assertTrue(self.user.has_perm("authentik_stages_invitation.view_invitation")) def test_assign_global_internal_sa(self): 
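Review bot: `get_permissions` and `get_permission_choices` have no docstrings, and the second issues its query on every call — users.py and roles.py call it from `__init__` for each serializer built in blueprint context, so a blueprint with many user or role entries repeats the same permission query per entry. Suggest `"""All permissions of authentik's own apps (app_label starting with "authentik"), content types prefetched"""` and `"""(value, label) choices in app_label.codename form, for ChoiceField validation"""`. If the repeated query shows up in import times, computing the choices once per Importer and passing them in would be the fix; the docstring alone may be enough for now.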
@@ -121,7 +121,7 @@ def test_assign_object(self): "object_pk": str(inv.pk), }, ) - self.assertEqual(res.status_code, 204) + self.assertEqual(res.status_code, 200) self.assertTrue( self.user.has_perm( "authentik_stages_invitation.view_invitation", diff --git a/authentik/rbac/tests/test_api_permissions_roles.py b/authentik/rbac/tests/test_api_permissions_roles.py index 3cd050f35bba..a849450bd373 100644 --- a/authentik/rbac/tests/test_api_permissions_roles.py +++ b/authentik/rbac/tests/test_api_permissions_roles.py @@ -32,7 +32,7 @@ def test_list(self): ) self.role.assign_permission("authentik_stages_invitation.view_invitation", obj=inv) res = self.client.get(reverse("authentik_api:permissions-roles-list")) - self.assertEqual(res.status_code, 400) + self.assertEqual(res.status_code, 200) def test_list_role(self): """Test list of all permissions""" diff --git a/authentik/rbac/tests/test_api_permissions_users.py b/authentik/rbac/tests/test_api_permissions_users.py index 3386b8ed13f5..882a2f6acc54 100644 --- a/authentik/rbac/tests/test_api_permissions_users.py +++ b/authentik/rbac/tests/test_api_permissions_users.py @@ -33,7 +33,7 @@ def test_list(self): ) assign_perm("authentik_stages_invitation.view_invitation", self.user, inv) res = self.client.get(reverse("authentik_api:permissions-users-list")) - self.assertEqual(res.status_code, 400) + self.assertEqual(res.status_code, 200) def test_list_role(self): """Test list of all permissions""" diff --git a/blueprints/default/rbac-role-read-only.yaml b/blueprints/default/rbac-role-read-only.yaml new file mode 100644 index 000000000000..6327370ae31c --- /dev/null +++ b/blueprints/default/rbac-role-read-only.yaml 
@@ -0,0 +1,28 @@ +metadata: + name: Default - RBAC - Read-only +version: 1 +entries: + - model: authentik_rbac.role + identifiers: + name: authentik Read-only + id: role + attrs: + permissions: !Enumerate [ + !Context goauthentik.io/rbac/models, + SEQ, + !Format [ + "%s.view_%s", + !Value 0, + !Index 0, + ], + ] + - model: authentik_core.group + identifiers: + name: authentik Read-only + attrs: + roles: + - !KeyOf role + is_superuser: false + attributes: + notes: | + An group with an auto-generated role that allows read-only permissions on all objects. diff --git a/blueprints/schema.json b/blueprints/schema.json index f0cbd4a8248d..91e6b3936936 100644 --- a/blueprints/schema.json +++ b/blueprints/schema.json @@ -70,6 +70,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_tenants.domain_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_tenants.domain" }, @@ -107,6 +110,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_crypto.certificatekeypair_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_crypto.certificatekeypair" }, @@ -144,6 +150,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_flows.flow_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_flows.flow" }, @@ -181,6 +190,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_flows.flowstagebinding_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_flows.flowstagebinding" }, @@ -218,6 +230,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_outposts.dockerserviceconnection_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_outposts.dockerserviceconnection" }, @@ -255,6 +270,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_outposts.kubernetesserviceconnection_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_outposts.kubernetesserviceconnection" }, 
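Review bot: The group notes read `An group with an auto-generated role`; it should be `A group ...`. More importantly, the role is granted `view_*` on every model in `goauthentik.io/rbac/models`, and for models whose read serializers include secrets (provider or source credentials, for instance, if their API responses return them) `view` is more than read-only configuration access, so the notes should say what the role actually lets members read; suggest appending `Members can read every object the API exposes for these models, including any secrets those endpoints return.` Whether any such serializer exposes secrets is not visible here and should be confirmed before the wording is chosen.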
@@ -292,6 +310,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_outposts.outpost_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_outposts.outpost" }, @@ -329,6 +350,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies_dummy.dummypolicy_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies_dummy.dummypolicy" }, @@ -366,6 +390,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies_event_matcher.eventmatcherpolicy_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies_event_matcher.eventmatcherpolicy" }, @@ -403,6 +430,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies_expiry.passwordexpirypolicy_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies_expiry.passwordexpirypolicy" }, @@ -440,6 +470,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies_expression.expressionpolicy_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies_expression.expressionpolicy" }, @@ -477,6 +510,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies_password.passwordpolicy_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies_password.passwordpolicy" }, @@ -514,6 +550,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies_reputation.reputationpolicy_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies_reputation.reputationpolicy" }, @@ -551,6 +590,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_policies.policybinding_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_policies.policybinding" }, 
@@ -588,6 +630,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_ldap.ldapprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_ldap.ldapprovider" }, @@ -625,6 +670,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_oauth2.scopemapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_oauth2.scopemapping" }, @@ -662,6 +710,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_oauth2.oauth2provider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_oauth2.oauth2provider" }, @@ -699,6 +750,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_proxy.proxyprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_proxy.proxyprovider" }, @@ -736,6 +790,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_radius.radiusprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_radius.radiusprovider" }, @@ -773,6 +830,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_radius.radiusproviderpropertymapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_radius.radiusproviderpropertymapping" }, @@ -810,6 +870,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_saml.samlprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_saml.samlprovider" }, @@ -847,6 +910,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_saml.samlpropertymapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_saml.samlpropertymapping" }, 
@@ -884,6 +950,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_scim.scimprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_scim.scimprovider" }, @@ -921,6 +990,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_scim.scimmapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_scim.scimmapping" }, @@ -958,6 +1030,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_rbac.role_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_rbac.role" }, @@ -995,6 +1070,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_ldap.ldapsource_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_ldap.ldapsource" }, @@ -1032,6 +1110,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_ldap.ldapsourcepropertymapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_ldap.ldapsourcepropertymapping" }, @@ -1069,6 +1150,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_oauth.oauthsource_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_oauth.oauthsource" }, @@ -1106,6 +1190,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_oauth.useroauthsourceconnection_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_oauth.useroauthsourceconnection" }, @@ -1143,6 +1230,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_plex.plexsource_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_plex.plexsource" }, @@ -1180,6 +1270,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_plex.plexsourceconnection_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_plex.plexsourceconnection" }, 
@@ -1217,6 +1310,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_saml.samlsource_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_saml.samlsource" }, @@ -1254,6 +1350,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_saml.usersamlsourceconnection_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_saml.usersamlsourceconnection" }, @@ -1291,6 +1390,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_scim.scimsource_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_scim.scimsource" }, @@ -1328,6 +1430,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_sources_scim.scimsourcepropertymapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_sources_scim.scimsourcepropertymapping" }, @@ -1365,6 +1470,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_duo.authenticatorduostage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_duo.authenticatorduostage" }, @@ -1402,6 +1510,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_duo.duodevice_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_duo.duodevice" }, @@ -1439,6 +1550,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_sms.authenticatorsmsstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_sms.authenticatorsmsstage" }, @@ -1476,6 +1590,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_sms.smsdevice_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_sms.smsdevice" }, 
@@ -1513,6 +1630,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_static.authenticatorstaticstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_static.authenticatorstaticstage" }, @@ -1550,6 +1670,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_static.staticdevice_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_static.staticdevice" }, @@ -1587,6 +1710,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_totp.authenticatortotpstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_totp.authenticatortotpstage" }, @@ -1624,6 +1750,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_totp.totpdevice_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_totp.totpdevice" }, @@ -1661,6 +1790,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_validate.authenticatorvalidatestage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_validate.authenticatorvalidatestage" }, @@ -1698,6 +1830,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_webauthn.authenticatorwebauthnstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_webauthn.authenticatorwebauthnstage" }, @@ -1735,6 +1870,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_authenticator_webauthn.webauthndevice_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_authenticator_webauthn.webauthndevice" }, 
@@ -1772,6 +1910,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_captcha.captchastage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_captcha.captchastage" }, @@ -1809,6 +1950,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_consent.consentstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_consent.consentstage" }, @@ -1846,6 +1990,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_consent.userconsent_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_consent.userconsent" }, @@ -1883,6 +2030,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_deny.denystage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_deny.denystage" }, @@ -1920,6 +2070,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_dummy.dummystage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_dummy.dummystage" }, @@ -1957,6 +2110,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_email.emailstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_email.emailstage" }, @@ -1994,6 +2150,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_identification.identificationstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_identification.identificationstage" }, @@ -2031,6 +2190,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_invitation.invitationstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_invitation.invitationstage" }, 
@@ -2068,6 +2230,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_invitation.invitation_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_invitation.invitation" }, @@ -2105,6 +2270,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_password.passwordstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_password.passwordstage" }, @@ -2142,6 +2310,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_prompt.prompt_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_prompt.prompt" }, @@ -2179,6 +2350,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_prompt.promptstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_prompt.promptstage" }, @@ -2216,6 +2390,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_user_delete.userdeletestage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_user_delete.userdeletestage" }, @@ -2253,6 +2430,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_user_login.userloginstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_user_login.userloginstage" }, @@ -2290,6 +2470,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_user_logout.userlogoutstage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_user_logout.userlogoutstage" }, @@ -2327,6 +2510,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_user_write.userwritestage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_user_write.userwritestage" }, @@ -2364,6 +2550,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_brands.brand_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_brands.brand" }, 
@@ -2401,6 +2590,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_blueprints.blueprintinstance_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_blueprints.blueprintinstance" }, @@ -2438,6 +2630,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_core.group_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_core.group" }, @@ -2475,6 +2670,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_core.user_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_core.user" }, @@ -2512,6 +2710,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_core.application_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_core.application" }, @@ -2549,6 +2750,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_core.token_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_core.token" }, @@ -2586,6 +2790,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_enterprise.license_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_enterprise.license" }, @@ -2623,6 +2830,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_google_workspace.googleworkspaceprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_google_workspace.googleworkspaceprovider" }, @@ -2660,6 +2870,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_google_workspace.googleworkspaceprovidermapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_google_workspace.googleworkspaceprovidermapping" }, @@ -2697,6 +2910,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_microsoft_entra.microsoftentraprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_microsoft_entra.microsoftentraprovider" }, 
@@ -2734,6 +2950,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_microsoft_entra.microsoftentraprovidermapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_microsoft_entra.microsoftentraprovidermapping" }, @@ -2771,6 +2990,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_rac.racprovider_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_rac.racprovider" }, @@ -2808,6 +3030,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_rac.endpoint_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_rac.endpoint" }, @@ -2845,6 +3070,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping" }, @@ -2882,6 +3110,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_stages_source.sourcestage_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_stages_source.sourcestage" }, @@ -2919,6 +3150,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_events.event_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_events.event" }, @@ -2956,6 +3190,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_events.notificationtransport_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_events.notificationtransport" }, @@ -2993,6 +3230,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_events.notification_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_events.notification" }, @@ -3030,6 +3270,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_events.notificationrule_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_events.notificationrule" }, 
@@ -3067,6 +3310,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_events.notificationwebhookmapping_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_events.notificationwebhookmapping" }, @@ -3104,6 +3350,9 @@ "type": "boolean" } }, + "permissions": { + "$ref": "#/$defs/model_authentik_blueprints.metaapplyblueprint_permissions" + }, "attrs": { "$ref": "#/$defs/model_authentik_blueprints.metaapplyblueprint" }, @@ -3138,6 +3387,32 @@ }, "required": [] }, + "model_authentik_tenants.domain_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_domain", + "change_domain", + "delete_domain", + "view_domain" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_crypto.certificatekeypair": { "type": "object", "properties": { @@ -3160,6 +3435,32 @@ }, "required": [] }, + "model_authentik_crypto.certificatekeypair_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_certificatekeypair", + "change_certificatekeypair", + "delete_certificatekeypair", + "view_certificatekeypair" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_flows.flow": { "type": "object", "properties": { 
@@ -3250,6 +3551,36 @@ }, "required": [] }, + "model_authentik_flows.flow_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "export_flow", + "inspect_flow", + "view_flow_cache", + "clear_flow_cache", + "add_flow", + "change_flow", + "delete_flow", + "view_flow" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_flows.flowstagebinding": { "type": "object", "properties": { @@ -3300,6 +3631,32 @@ }, "required": [] }, + "model_authentik_flows.flowstagebinding_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_flowstagebinding", + "change_flowstagebinding", + "delete_flowstagebinding", + "view_flowstagebinding" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_outposts.dockerserviceconnection": { "type": "object", "properties": { @@ -3334,6 +3691,32 @@ }, "required": [] }, + "model_authentik_outposts.dockerserviceconnection_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_dockerserviceconnection", + "change_dockerserviceconnection", + "delete_dockerserviceconnection", + "view_dockerserviceconnection" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_outposts.kubernetesserviceconnection": { "type": "object", "properties": { 
@@ -3361,6 +3744,32 @@ }, "required": [] }, + "model_authentik_outposts.kubernetesserviceconnection_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_kubernetesserviceconnection", + "change_kubernetesserviceconnection", + "delete_kubernetesserviceconnection", + "view_kubernetesserviceconnection" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_outposts.outpost": { "type": "object", "properties": { @@ -3409,6 +3818,32 @@ }, "required": [] }, + "model_authentik_outposts.outpost_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_outpost", + "change_outpost", + "delete_outpost", + "view_outpost" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies_dummy.dummypolicy": { "type": "object", "properties": { @@ -3441,6 +3876,32 @@ }, "required": [] }, + "model_authentik_policies_dummy.dummypolicy_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_dummypolicy", + "change_dummypolicy", + "delete_dummypolicy", + "view_dummypolicy" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies_event_matcher.eventmatcherpolicy": { "type": "object", "properties": { 
@@ -3664,6 +4125,32 @@ }, "required": [] }, + "model_authentik_policies_event_matcher.eventmatcherpolicy_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_eventmatcherpolicy", + "change_eventmatcherpolicy", + "delete_eventmatcherpolicy", + "view_eventmatcherpolicy" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies_expiry.passwordexpirypolicy": { "type": "object", "properties": { @@ -3690,6 +4177,32 @@ }, "required": [] }, + "model_authentik_policies_expiry.passwordexpirypolicy_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_passwordexpirypolicy", + "change_passwordexpirypolicy", + "delete_passwordexpirypolicy", + "view_passwordexpirypolicy" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies_expression.expressionpolicy": { "type": "object", "properties": { @@ -3711,6 +4224,32 @@ }, "required": [] }, + "model_authentik_policies_expression.expressionpolicy_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_expressionpolicy", + "change_expressionpolicy", + "delete_expressionpolicy", + "view_expressionpolicy" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies_password.passwordpolicy": { "type": "object", "properties": { 
@@ -3798,6 +4337,32 @@ }, "required": [] }, + "model_authentik_policies_password.passwordpolicy_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_passwordpolicy", + "change_passwordpolicy", + "delete_passwordpolicy", + "view_passwordpolicy" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies_reputation.reputationpolicy": { "type": "object", "properties": { @@ -3828,6 +4393,32 @@ }, "required": [] }, + "model_authentik_policies_reputation.reputationpolicy_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_reputationpolicy", + "change_reputationpolicy", + "delete_reputationpolicy", + "view_reputationpolicy" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_policies.policybinding": { "type": "object", "properties": { @@ -3880,10 +4471,36 @@ }, "required": [] }, - "model_authentik_providers_ldap.ldapprovider": { - "type": "object", - "properties": { - "name": { + "model_authentik_policies.policybinding_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_policybinding", + "change_policybinding", + "delete_policybinding", + "view_policybinding" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, + "model_authentik_providers_ldap.ldapprovider": { + "type": "object", + "properties": { + "name": { "type": "string", "minLength": 1, "title": "Name" 
@@ -3967,6 +4584,32 @@ }, "required": [] }, + "model_authentik_providers_ldap.ldapprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_ldapprovider", + "change_ldapprovider", + "delete_ldapprovider", + "view_ldapprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_oauth2.scopemapping": { "type": "object", "properties": { @@ -4003,6 +4646,32 @@ }, "required": [] }, + "model_authentik_providers_oauth2.scopemapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_scopemapping", + "change_scopemapping", + "delete_scopemapping", + "view_scopemapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_oauth2.oauth2provider": { "type": "object", "properties": { @@ -4118,6 +4787,32 @@ }, "required": [] }, + "model_authentik_providers_oauth2.oauth2provider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_oauth2provider", + "change_oauth2provider", + "delete_oauth2provider", + "view_oauth2provider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_proxy.proxyprovider": { "type": "object", "properties": { 
@@ -4227,6 +4922,32 @@ }, "required": [] }, + "model_authentik_providers_proxy.proxyprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_proxyprovider", + "change_proxyprovider", + "delete_proxyprovider", + "view_proxyprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_radius.radiusprovider": { "type": "object", "properties": { @@ -4275,6 +4996,32 @@ }, "required": [] }, + "model_authentik_providers_radius.radiusprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_radiusprovider", + "change_radiusprovider", + "delete_radiusprovider", + "view_radiusprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_radius.radiusproviderpropertymapping": { "type": "object", "properties": { @@ -4300,6 +5047,32 @@ }, "required": [] }, + "model_authentik_providers_radius.radiusproviderpropertymapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_radiusproviderpropertymapping", + "change_radiusproviderpropertymapping", + "delete_radiusproviderpropertymapping", + "view_radiusproviderpropertymapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_saml.samlprovider": { "type": "object", "properties": { 
@@ -4423,6 +5196,32 @@ }, "required": [] }, + "model_authentik_providers_saml.samlprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_samlprovider", + "change_samlprovider", + "delete_samlprovider", + "view_samlprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_saml.samlpropertymapping": { "type": "object", "properties": { @@ -4460,6 +5259,32 @@ }, "required": [] }, + "model_authentik_providers_saml.samlpropertymapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_samlpropertymapping", + "change_samlpropertymapping", + "delete_samlpropertymapping", + "view_samlpropertymapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_scim.scimprovider": { "type": "object", "properties": { @@ -4510,6 +5335,32 @@ }, "required": [] }, + "model_authentik_providers_scim.scimprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_scimprovider", + "change_scimprovider", + "delete_scimprovider", + "view_scimprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_scim.scimmapping": { "type": "object", "properties": { 
@@ -4535,6 +5386,32 @@ }, "required": [] }, + "model_authentik_providers_scim.scimmapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_scimmapping", + "change_scimmapping", + "delete_scimmapping", + "view_scimmapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_rbac.role": { "type": "object", "properties": { 
@@ -4543,10 +5420,510 @@ "maxLength": 150, "minLength": 1, "title": "Name" + }, + "permissions": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "authentik_blueprints.add_blueprintinstance", + "authentik_blueprints.change_blueprintinstance", + "authentik_blueprints.delete_blueprintinstance", + "authentik_blueprints.view_blueprintinstance", + "authentik_brands.add_brand", + "authentik_brands.change_brand", + "authentik_brands.delete_brand", + "authentik_brands.view_brand", + "authentik_core.add_application", + "authentik_core.change_application", + "authentik_core.delete_application", + "authentik_core.view_application", + "authentik_core.add_authenticatedsession", + "authentik_core.change_authenticatedsession", + "authentik_core.delete_authenticatedsession", + "authentik_core.view_authenticatedsession", + "authentik_core.add_group", + "authentik_core.add_user_to_group", + "authentik_core.change_group", + "authentik_core.delete_group", + "authentik_core.remove_user_from_group", + "authentik_core.view_group", + "authentik_core.add_propertymapping", + "authentik_core.change_propertymapping", + "authentik_core.delete_propertymapping", + "authentik_core.view_propertymapping", + "authentik_core.add_provider", + "authentik_core.change_provider", + "authentik_core.delete_provider", + "authentik_core.view_provider", + "authentik_core.add_source", + "authentik_core.change_source", + "authentik_core.delete_source", + "authentik_core.view_source", + "authentik_core.add_token", + "authentik_core.change_token", + "authentik_core.delete_token", + "authentik_core.view_token", + "authentik_core.view_token_key", + "authentik_core.add_user", + "authentik_core.assign_user_permissions", + "authentik_core.change_user", + "authentik_core.delete_user", + "authentik_core.impersonate", + "authentik_core.preview_user", + "authentik_core.reset_user_password", + "authentik_core.unassign_user_permissions", + "authentik_core.view_user", + 
"authentik_core.view_user_applications", + "authentik_core.add_usersourceconnection", + "authentik_core.change_usersourceconnection", + "authentik_core.delete_usersourceconnection", + "authentik_core.view_usersourceconnection", + "authentik_crypto.add_certificatekeypair", + "authentik_crypto.change_certificatekeypair", + "authentik_crypto.delete_certificatekeypair", + "authentik_crypto.view_certificatekeypair", + "authentik_enterprise.add_license", + "authentik_enterprise.change_license", + "authentik_enterprise.delete_license", + "authentik_enterprise.view_license", + "authentik_enterprise.add_licenseusage", + "authentik_enterprise.change_licenseusage", + "authentik_enterprise.delete_licenseusage", + "authentik_enterprise.view_licenseusage", + "authentik_events.add_event", + "authentik_events.change_event", + "authentik_events.delete_event", + "authentik_events.view_event", + "authentik_events.add_notification", + "authentik_events.change_notification", + "authentik_events.delete_notification", + "authentik_events.view_notification", + "authentik_events.add_notificationrule", + "authentik_events.change_notificationrule", + "authentik_events.delete_notificationrule", + "authentik_events.view_notificationrule", + "authentik_events.add_notificationtransport", + "authentik_events.change_notificationtransport", + "authentik_events.delete_notificationtransport", + "authentik_events.view_notificationtransport", + "authentik_events.add_notificationwebhookmapping", + "authentik_events.change_notificationwebhookmapping", + "authentik_events.delete_notificationwebhookmapping", + "authentik_events.view_notificationwebhookmapping", + "authentik_events.run_task", + "authentik_events.view_systemtask", + "authentik_flows.add_flow", + "authentik_flows.change_flow", + "authentik_flows.clear_flow_cache", + "authentik_flows.delete_flow", + "authentik_flows.export_flow", + "authentik_flows.inspect_flow", + "authentik_flows.view_flow", + "authentik_flows.view_flow_cache", + 
"authentik_flows.add_flowstagebinding", + "authentik_flows.change_flowstagebinding", + "authentik_flows.delete_flowstagebinding", + "authentik_flows.view_flowstagebinding", + "authentik_flows.add_flowtoken", + "authentik_flows.change_flowtoken", + "authentik_flows.delete_flowtoken", + "authentik_flows.view_flowtoken", + "authentik_flows.add_stage", + "authentik_flows.change_stage", + "authentik_flows.delete_stage", + "authentik_flows.view_stage", + "authentik_outposts.add_dockerserviceconnection", + "authentik_outposts.change_dockerserviceconnection", + "authentik_outposts.delete_dockerserviceconnection", + "authentik_outposts.view_dockerserviceconnection", + "authentik_outposts.add_kubernetesserviceconnection", + "authentik_outposts.change_kubernetesserviceconnection", + "authentik_outposts.delete_kubernetesserviceconnection", + "authentik_outposts.view_kubernetesserviceconnection", + "authentik_outposts.add_outpost", + "authentik_outposts.change_outpost", + "authentik_outposts.delete_outpost", + "authentik_outposts.view_outpost", + "authentik_outposts.add_outpostserviceconnection", + "authentik_outposts.change_outpostserviceconnection", + "authentik_outposts.delete_outpostserviceconnection", + "authentik_outposts.view_outpostserviceconnection", + "authentik_policies.add_policy", + "authentik_policies.change_policy", + "authentik_policies.clear_policy_cache", + "authentik_policies.delete_policy", + "authentik_policies.view_policy", + "authentik_policies.view_policy_cache", + "authentik_policies.add_policybinding", + "authentik_policies.change_policybinding", + "authentik_policies.delete_policybinding", + "authentik_policies.view_policybinding", + "authentik_policies.add_policybindingmodel", + "authentik_policies.change_policybindingmodel", + "authentik_policies.delete_policybindingmodel", + "authentik_policies.view_policybindingmodel", + "authentik_policies_dummy.add_dummypolicy", + "authentik_policies_dummy.change_dummypolicy", + 
"authentik_policies_dummy.delete_dummypolicy", + "authentik_policies_dummy.view_dummypolicy", + "authentik_policies_event_matcher.add_eventmatcherpolicy", + "authentik_policies_event_matcher.change_eventmatcherpolicy", + "authentik_policies_event_matcher.delete_eventmatcherpolicy", + "authentik_policies_event_matcher.view_eventmatcherpolicy", + "authentik_policies_expiry.add_passwordexpirypolicy", + "authentik_policies_expiry.change_passwordexpirypolicy", + "authentik_policies_expiry.delete_passwordexpirypolicy", + "authentik_policies_expiry.view_passwordexpirypolicy", + "authentik_policies_expression.add_expressionpolicy", + "authentik_policies_expression.change_expressionpolicy", + "authentik_policies_expression.delete_expressionpolicy", + "authentik_policies_expression.view_expressionpolicy", + "authentik_policies_password.add_passwordpolicy", + "authentik_policies_password.change_passwordpolicy", + "authentik_policies_password.delete_passwordpolicy", + "authentik_policies_password.view_passwordpolicy", + "authentik_policies_reputation.add_reputation", + "authentik_policies_reputation.change_reputation", + "authentik_policies_reputation.delete_reputation", + "authentik_policies_reputation.view_reputation", + "authentik_policies_reputation.add_reputationpolicy", + "authentik_policies_reputation.change_reputationpolicy", + "authentik_policies_reputation.delete_reputationpolicy", + "authentik_policies_reputation.view_reputationpolicy", + "authentik_providers_google_workspace.add_googleworkspaceprovider", + "authentik_providers_google_workspace.change_googleworkspaceprovider", + "authentik_providers_google_workspace.delete_googleworkspaceprovider", + "authentik_providers_google_workspace.view_googleworkspaceprovider", + "authentik_providers_google_workspace.add_googleworkspaceprovidergroup", + "authentik_providers_google_workspace.change_googleworkspaceprovidergroup", + "authentik_providers_google_workspace.delete_googleworkspaceprovidergroup", + 
"authentik_providers_google_workspace.view_googleworkspaceprovidergroup", + "authentik_providers_google_workspace.add_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.change_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.delete_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.view_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.add_googleworkspaceprovideruser", + "authentik_providers_google_workspace.change_googleworkspaceprovideruser", + "authentik_providers_google_workspace.delete_googleworkspaceprovideruser", + "authentik_providers_google_workspace.view_googleworkspaceprovideruser", + "authentik_providers_ldap.add_ldapprovider", + "authentik_providers_ldap.change_ldapprovider", + "authentik_providers_ldap.delete_ldapprovider", + "authentik_providers_ldap.view_ldapprovider", + "authentik_providers_microsoft_entra.add_microsoftentraprovider", + "authentik_providers_microsoft_entra.change_microsoftentraprovider", + "authentik_providers_microsoft_entra.delete_microsoftentraprovider", + "authentik_providers_microsoft_entra.view_microsoftentraprovider", + "authentik_providers_microsoft_entra.add_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.change_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.delete_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.view_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.add_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.change_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.delete_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.view_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.add_microsoftentraprovideruser", + "authentik_providers_microsoft_entra.change_microsoftentraprovideruser", + "authentik_providers_microsoft_entra.delete_microsoftentraprovideruser", + 
"authentik_providers_microsoft_entra.view_microsoftentraprovideruser", + "authentik_providers_oauth2.add_accesstoken", + "authentik_providers_oauth2.change_accesstoken", + "authentik_providers_oauth2.delete_accesstoken", + "authentik_providers_oauth2.view_accesstoken", + "authentik_providers_oauth2.add_authorizationcode", + "authentik_providers_oauth2.change_authorizationcode", + "authentik_providers_oauth2.delete_authorizationcode", + "authentik_providers_oauth2.view_authorizationcode", + "authentik_providers_oauth2.add_devicetoken", + "authentik_providers_oauth2.change_devicetoken", + "authentik_providers_oauth2.delete_devicetoken", + "authentik_providers_oauth2.view_devicetoken", + "authentik_providers_oauth2.add_oauth2provider", + "authentik_providers_oauth2.change_oauth2provider", + "authentik_providers_oauth2.delete_oauth2provider", + "authentik_providers_oauth2.view_oauth2provider", + "authentik_providers_oauth2.add_refreshtoken", + "authentik_providers_oauth2.change_refreshtoken", + "authentik_providers_oauth2.delete_refreshtoken", + "authentik_providers_oauth2.view_refreshtoken", + "authentik_providers_oauth2.add_scopemapping", + "authentik_providers_oauth2.change_scopemapping", + "authentik_providers_oauth2.delete_scopemapping", + "authentik_providers_oauth2.view_scopemapping", + "authentik_providers_proxy.add_proxyprovider", + "authentik_providers_proxy.change_proxyprovider", + "authentik_providers_proxy.delete_proxyprovider", + "authentik_providers_proxy.view_proxyprovider", + "authentik_providers_rac.add_connectiontoken", + "authentik_providers_rac.change_connectiontoken", + "authentik_providers_rac.delete_connectiontoken", + "authentik_providers_rac.view_connectiontoken", + "authentik_providers_rac.add_endpoint", + "authentik_providers_rac.change_endpoint", + "authentik_providers_rac.delete_endpoint", + "authentik_providers_rac.view_endpoint", + "authentik_providers_rac.add_racpropertymapping", + "authentik_providers_rac.change_racpropertymapping", + 
"authentik_providers_rac.delete_racpropertymapping", + "authentik_providers_rac.view_racpropertymapping", + "authentik_providers_rac.add_racprovider", + "authentik_providers_rac.change_racprovider", + "authentik_providers_rac.delete_racprovider", + "authentik_providers_rac.view_racprovider", + "authentik_providers_radius.add_radiusprovider", + "authentik_providers_radius.change_radiusprovider", + "authentik_providers_radius.delete_radiusprovider", + "authentik_providers_radius.view_radiusprovider", + "authentik_providers_radius.add_radiusproviderpropertymapping", + "authentik_providers_radius.change_radiusproviderpropertymapping", + "authentik_providers_radius.delete_radiusproviderpropertymapping", + "authentik_providers_radius.view_radiusproviderpropertymapping", + "authentik_providers_saml.add_samlpropertymapping", + "authentik_providers_saml.change_samlpropertymapping", + "authentik_providers_saml.delete_samlpropertymapping", + "authentik_providers_saml.view_samlpropertymapping", + "authentik_providers_saml.add_samlprovider", + "authentik_providers_saml.change_samlprovider", + "authentik_providers_saml.delete_samlprovider", + "authentik_providers_saml.view_samlprovider", + "authentik_providers_scim.add_scimmapping", + "authentik_providers_scim.change_scimmapping", + "authentik_providers_scim.delete_scimmapping", + "authentik_providers_scim.view_scimmapping", + "authentik_providers_scim.add_scimprovider", + "authentik_providers_scim.change_scimprovider", + "authentik_providers_scim.delete_scimprovider", + "authentik_providers_scim.view_scimprovider", + "authentik_providers_scim.add_scimprovidergroup", + "authentik_providers_scim.change_scimprovidergroup", + "authentik_providers_scim.delete_scimprovidergroup", + "authentik_providers_scim.view_scimprovidergroup", + "authentik_providers_scim.add_scimprovideruser", + "authentik_providers_scim.change_scimprovideruser", + "authentik_providers_scim.delete_scimprovideruser", + 
"authentik_providers_scim.view_scimprovideruser", + "authentik_rbac.add_role", + "authentik_rbac.assign_role_permissions", + "authentik_rbac.change_role", + "authentik_rbac.delete_role", + "authentik_rbac.unassign_role_permissions", + "authentik_rbac.view_role", + "authentik_rbac.access_admin_interface", + "authentik_rbac.edit_system_settings", + "authentik_rbac.view_system_info", + "authentik_rbac.view_system_settings", + "authentik_sources_ldap.add_ldapsource", + "authentik_sources_ldap.change_ldapsource", + "authentik_sources_ldap.delete_ldapsource", + "authentik_sources_ldap.view_ldapsource", + "authentik_sources_ldap.add_ldapsourcepropertymapping", + "authentik_sources_ldap.change_ldapsourcepropertymapping", + "authentik_sources_ldap.delete_ldapsourcepropertymapping", + "authentik_sources_ldap.view_ldapsourcepropertymapping", + "authentik_sources_oauth.add_oauthsource", + "authentik_sources_oauth.change_oauthsource", + "authentik_sources_oauth.delete_oauthsource", + "authentik_sources_oauth.view_oauthsource", + "authentik_sources_oauth.add_useroauthsourceconnection", + "authentik_sources_oauth.change_useroauthsourceconnection", + "authentik_sources_oauth.delete_useroauthsourceconnection", + "authentik_sources_oauth.view_useroauthsourceconnection", + "authentik_sources_plex.add_plexsource", + "authentik_sources_plex.change_plexsource", + "authentik_sources_plex.delete_plexsource", + "authentik_sources_plex.view_plexsource", + "authentik_sources_plex.add_plexsourceconnection", + "authentik_sources_plex.change_plexsourceconnection", + "authentik_sources_plex.delete_plexsourceconnection", + "authentik_sources_plex.view_plexsourceconnection", + "authentik_sources_saml.add_samlsource", + "authentik_sources_saml.change_samlsource", + "authentik_sources_saml.delete_samlsource", + "authentik_sources_saml.view_samlsource", + "authentik_sources_saml.add_usersamlsourceconnection", + "authentik_sources_saml.change_usersamlsourceconnection", + 
"authentik_sources_saml.delete_usersamlsourceconnection", + "authentik_sources_saml.view_usersamlsourceconnection", + "authentik_sources_scim.add_scimsource", + "authentik_sources_scim.change_scimsource", + "authentik_sources_scim.delete_scimsource", + "authentik_sources_scim.view_scimsource", + "authentik_sources_scim.add_scimsourcegroup", + "authentik_sources_scim.change_scimsourcegroup", + "authentik_sources_scim.delete_scimsourcegroup", + "authentik_sources_scim.view_scimsourcegroup", + "authentik_sources_scim.add_scimsourcepropertymapping", + "authentik_sources_scim.change_scimsourcepropertymapping", + "authentik_sources_scim.delete_scimsourcepropertymapping", + "authentik_sources_scim.view_scimsourcepropertymapping", + "authentik_sources_scim.add_scimsourceuser", + "authentik_sources_scim.change_scimsourceuser", + "authentik_sources_scim.delete_scimsourceuser", + "authentik_sources_scim.view_scimsourceuser", + "authentik_stages_authenticator_duo.add_authenticatorduostage", + "authentik_stages_authenticator_duo.change_authenticatorduostage", + "authentik_stages_authenticator_duo.delete_authenticatorduostage", + "authentik_stages_authenticator_duo.view_authenticatorduostage", + "authentik_stages_authenticator_duo.add_duodevice", + "authentik_stages_authenticator_duo.change_duodevice", + "authentik_stages_authenticator_duo.delete_duodevice", + "authentik_stages_authenticator_duo.view_duodevice", + "authentik_stages_authenticator_sms.add_authenticatorsmsstage", + "authentik_stages_authenticator_sms.change_authenticatorsmsstage", + "authentik_stages_authenticator_sms.delete_authenticatorsmsstage", + "authentik_stages_authenticator_sms.view_authenticatorsmsstage", + "authentik_stages_authenticator_sms.add_smsdevice", + "authentik_stages_authenticator_sms.change_smsdevice", + "authentik_stages_authenticator_sms.delete_smsdevice", + "authentik_stages_authenticator_sms.view_smsdevice", + "authentik_stages_authenticator_static.add_authenticatorstaticstage", + 
"authentik_stages_authenticator_static.change_authenticatorstaticstage", + "authentik_stages_authenticator_static.delete_authenticatorstaticstage", + "authentik_stages_authenticator_static.view_authenticatorstaticstage", + "authentik_stages_authenticator_static.add_staticdevice", + "authentik_stages_authenticator_static.change_staticdevice", + "authentik_stages_authenticator_static.delete_staticdevice", + "authentik_stages_authenticator_static.view_staticdevice", + "authentik_stages_authenticator_static.add_statictoken", + "authentik_stages_authenticator_static.change_statictoken", + "authentik_stages_authenticator_static.delete_statictoken", + "authentik_stages_authenticator_static.view_statictoken", + "authentik_stages_authenticator_totp.add_authenticatortotpstage", + "authentik_stages_authenticator_totp.change_authenticatortotpstage", + "authentik_stages_authenticator_totp.delete_authenticatortotpstage", + "authentik_stages_authenticator_totp.view_authenticatortotpstage", + "authentik_stages_authenticator_totp.add_totpdevice", + "authentik_stages_authenticator_totp.change_totpdevice", + "authentik_stages_authenticator_totp.delete_totpdevice", + "authentik_stages_authenticator_totp.view_totpdevice", + "authentik_stages_authenticator_validate.add_authenticatorvalidatestage", + "authentik_stages_authenticator_validate.change_authenticatorvalidatestage", + "authentik_stages_authenticator_validate.delete_authenticatorvalidatestage", + "authentik_stages_authenticator_validate.view_authenticatorvalidatestage", + "authentik_stages_authenticator_webauthn.add_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.change_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.delete_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.view_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.add_webauthndevice", + "authentik_stages_authenticator_webauthn.change_webauthndevice", + 
"authentik_stages_authenticator_webauthn.delete_webauthndevice", + "authentik_stages_authenticator_webauthn.view_webauthndevice", + "authentik_stages_authenticator_webauthn.add_webauthndevicetype", + "authentik_stages_authenticator_webauthn.change_webauthndevicetype", + "authentik_stages_authenticator_webauthn.delete_webauthndevicetype", + "authentik_stages_authenticator_webauthn.view_webauthndevicetype", + "authentik_stages_captcha.add_captchastage", + "authentik_stages_captcha.change_captchastage", + "authentik_stages_captcha.delete_captchastage", + "authentik_stages_captcha.view_captchastage", + "authentik_stages_consent.add_consentstage", + "authentik_stages_consent.change_consentstage", + "authentik_stages_consent.delete_consentstage", + "authentik_stages_consent.view_consentstage", + "authentik_stages_consent.add_userconsent", + "authentik_stages_consent.change_userconsent", + "authentik_stages_consent.delete_userconsent", + "authentik_stages_consent.view_userconsent", + "authentik_stages_deny.add_denystage", + "authentik_stages_deny.change_denystage", + "authentik_stages_deny.delete_denystage", + "authentik_stages_deny.view_denystage", + "authentik_stages_dummy.add_dummystage", + "authentik_stages_dummy.change_dummystage", + "authentik_stages_dummy.delete_dummystage", + "authentik_stages_dummy.view_dummystage", + "authentik_stages_email.add_emailstage", + "authentik_stages_email.change_emailstage", + "authentik_stages_email.delete_emailstage", + "authentik_stages_email.view_emailstage", + "authentik_stages_identification.add_identificationstage", + "authentik_stages_identification.change_identificationstage", + "authentik_stages_identification.delete_identificationstage", + "authentik_stages_identification.view_identificationstage", + "authentik_stages_invitation.add_invitation", + "authentik_stages_invitation.change_invitation", + "authentik_stages_invitation.delete_invitation", + "authentik_stages_invitation.view_invitation", + 
"authentik_stages_invitation.add_invitationstage", + "authentik_stages_invitation.change_invitationstage", + "authentik_stages_invitation.delete_invitationstage", + "authentik_stages_invitation.view_invitationstage", + "authentik_stages_password.add_passwordstage", + "authentik_stages_password.change_passwordstage", + "authentik_stages_password.delete_passwordstage", + "authentik_stages_password.view_passwordstage", + "authentik_stages_prompt.add_prompt", + "authentik_stages_prompt.change_prompt", + "authentik_stages_prompt.delete_prompt", + "authentik_stages_prompt.view_prompt", + "authentik_stages_prompt.add_promptstage", + "authentik_stages_prompt.change_promptstage", + "authentik_stages_prompt.delete_promptstage", + "authentik_stages_prompt.view_promptstage", + "authentik_stages_source.add_sourcestage", + "authentik_stages_source.change_sourcestage", + "authentik_stages_source.delete_sourcestage", + "authentik_stages_source.view_sourcestage", + "authentik_stages_user_delete.add_userdeletestage", + "authentik_stages_user_delete.change_userdeletestage", + "authentik_stages_user_delete.delete_userdeletestage", + "authentik_stages_user_delete.view_userdeletestage", + "authentik_stages_user_login.add_userloginstage", + "authentik_stages_user_login.change_userloginstage", + "authentik_stages_user_login.delete_userloginstage", + "authentik_stages_user_login.view_userloginstage", + "authentik_stages_user_logout.add_userlogoutstage", + "authentik_stages_user_logout.change_userlogoutstage", + "authentik_stages_user_logout.delete_userlogoutstage", + "authentik_stages_user_logout.view_userlogoutstage", + "authentik_stages_user_write.add_userwritestage", + "authentik_stages_user_write.change_userwritestage", + "authentik_stages_user_write.delete_userwritestage", + "authentik_stages_user_write.view_userwritestage", + "authentik_tenants.add_domain", + "authentik_tenants.change_domain", + "authentik_tenants.delete_domain", + "authentik_tenants.view_domain", + 
"authentik_tenants.add_tenant", + "authentik_tenants.change_tenant", + "authentik_tenants.delete_tenant", + "authentik_tenants.view_tenant" + ] + }, + "title": "Permissions" } }, "required": [] }, + "model_authentik_rbac.role_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "assign_role_permissions", + "unassign_role_permissions", + "add_role", + "change_role", + "delete_role", + "view_role" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_ldap.ldapsource": { "type": "object", "properties": { @@ -4724,6 +6101,32 @@ }, "required": [] }, + "model_authentik_sources_ldap.ldapsource_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_ldapsource", + "change_ldapsource", + "delete_ldapsource", + "view_ldapsource" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_ldap.ldapsourcepropertymapping": { "type": "object", "properties": { @@ -4749,6 +6152,32 @@ }, "required": [] }, + "model_authentik_sources_ldap.ldapsourcepropertymapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_ldapsourcepropertymapping", + "change_ldapsourcepropertymapping", + "delete_ldapsourcepropertymapping", + "view_ldapsourcepropertymapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_oauth.oauthsource": { "type": "object", "properties": { 
@@ -4914,6 +6343,32 @@ }, "required": [] }, + "model_authentik_sources_oauth.oauthsource_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_oauthsource", + "change_oauthsource", + "delete_oauthsource", + "view_oauthsource" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_oauth.useroauthsourceconnection": { "type": "object", "properties": { @@ -4938,6 +6393,32 @@ }, "required": [] }, + "model_authentik_sources_oauth.useroauthsourceconnection_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_useroauthsourceconnection", + "change_useroauthsourceconnection", + "delete_useroauthsourceconnection", + "view_useroauthsourceconnection" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_plex.plexsource": { "type": "object", "properties": { @@ -5047,6 +6528,32 @@ }, "required": [] }, + "model_authentik_sources_plex.plexsource_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_plexsource", + "change_plexsource", + "delete_plexsource", + "view_plexsource" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_plex.plexsourceconnection": { "type": "object", "properties": { 
@@ -5068,6 +6575,32 @@ }, "required": [] }, + "model_authentik_sources_plex.plexsourceconnection_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_plexsourceconnection", + "change_plexsourceconnection", + "delete_plexsourceconnection", + "view_plexsourceconnection" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_saml.samlsource": { "type": "object", "properties": { @@ -5248,15 +6781,41 @@ }, "required": [] }, - "model_authentik_sources_saml.usersamlsourceconnection": { - "type": "object", - "properties": { - "identifier": { - "type": "string", - "minLength": 1, - "title": "Identifier" - }, - "icon": { + "model_authentik_sources_saml.samlsource_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_samlsource", + "change_samlsource", + "delete_samlsource", + "view_samlsource" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, + "model_authentik_sources_saml.usersamlsourceconnection": { + "type": "object", + "properties": { + "identifier": { + "type": "string", + "minLength": 1, + "title": "Identifier" + }, + "icon": { "type": "string", "minLength": 1, "title": "Icon" 
@@ -5264,6 +6823,32 @@ }, "required": [] }, + "model_authentik_sources_saml.usersamlsourceconnection_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_usersamlsourceconnection", + "change_usersamlsourceconnection", + "delete_usersamlsourceconnection", + "view_usersamlsourceconnection" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_scim.scimsource": { "type": "object", "properties": { @@ -5314,6 +6899,32 @@ }, "required": [] }, + "model_authentik_sources_scim.scimsource_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_scimsource", + "change_scimsource", + "delete_scimsource", + "view_scimsource" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_sources_scim.scimsourcepropertymapping": { "type": "object", "properties": { @@ -5339,6 +6950,32 @@ }, "required": [] }, + "model_authentik_sources_scim.scimsourcepropertymapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_scimsourcepropertymapping", + "change_scimsourcepropertymapping", + "delete_scimsourcepropertymapping", + "view_scimsourcepropertymapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_duo.authenticatorduostage": { "type": "object", "properties": { 
@@ -5469,6 +7106,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_duo.authenticatorduostage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_authenticatorduostage", + "change_authenticatorduostage", + "delete_authenticatorduostage", + "view_authenticatorduostage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_duo.duodevice": { "type": "object", "properties": { @@ -5482,6 +7145,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_duo.duodevice_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_duodevice", + "change_duodevice", + "delete_duodevice", + "view_duodevice" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_sms.authenticatorsmsstage": { "type": "object", "properties": { @@ -5634,6 +7323,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_sms.authenticatorsmsstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_authenticatorsmsstage", + "change_authenticatorsmsstage", + "delete_authenticatorsmsstage", + "view_authenticatorsmsstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_sms.smsdevice": { "type": "object", "properties": { 
@@ -5647,6 +7362,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_sms.smsdevice_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_smsdevice", + "change_smsdevice", + "delete_smsdevice", + "view_smsdevice" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_static.authenticatorstaticstage": { "type": "object", "properties": { @@ -5766,6 +7507,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_static.authenticatorstaticstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_authenticatorstaticstage", + "change_authenticatorstaticstage", + "delete_authenticatorstaticstage", + "view_authenticatorstaticstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_static.staticdevice": { "type": "object", "properties": { @@ -5779,6 +7546,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_static.staticdevice_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_staticdevice", + "change_staticdevice", + "delete_staticdevice", + "view_staticdevice" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_totp.authenticatortotpstage": { "type": "object", "properties": { 
@@ -5894,6 +7687,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_totp.authenticatortotpstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_authenticatortotpstage", + "change_authenticatortotpstage", + "delete_authenticatortotpstage", + "view_authenticatortotpstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_totp.totpdevice": { "type": "object", "properties": { @@ -5907,6 +7726,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_totp.totpdevice_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_totpdevice", + "change_totpdevice", + "delete_totpdevice", + "view_totpdevice" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_validate.authenticatorvalidatestage": { "type": "object", "properties": { @@ -6059,6 +7904,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_validate.authenticatorvalidatestage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_authenticatorvalidatestage", + "change_authenticatorvalidatestage", + "delete_authenticatorvalidatestage", + "view_authenticatorvalidatestage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_webauthn.authenticatorwebauthnstage": { "type": "object", "properties": { 
@@ -6204,6 +8075,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_webauthn.authenticatorwebauthnstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_authenticatorwebauthnstage", + "change_authenticatorwebauthnstage", + "delete_authenticatorwebauthnstage", + "view_authenticatorwebauthnstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_authenticator_webauthn.webauthndevice": { "type": "object", "properties": { @@ -6216,6 +8113,32 @@ }, "required": [] }, + "model_authentik_stages_authenticator_webauthn.webauthndevice_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_webauthndevice", + "change_webauthndevice", + "delete_webauthndevice", + "view_webauthndevice" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_captcha.captchastage": { "type": "object", "properties": { @@ -6344,6 +8267,32 @@ }, "required": [] }, + "model_authentik_stages_captcha.captchastage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_captchastage", + "change_captchastage", + "delete_captchastage", + "view_captchastage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_consent.consentstage": { "type": "object", "properties": { 
@@ -6452,6 +8401,32 @@ }, "required": [] }, + "model_authentik_stages_consent.consentstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_consentstage", + "change_consentstage", + "delete_consentstage", + "view_consentstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_consent.userconsent": { "type": "object", "properties": { @@ -6607,6 +8582,32 @@ }, "required": [] }, + "model_authentik_stages_consent.userconsent_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_userconsent", + "change_userconsent", + "delete_userconsent", + "view_userconsent" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_deny.denystage": { "type": "object", "properties": { @@ -6704,6 +8705,32 @@ }, "required": [] }, + "model_authentik_stages_deny.denystage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_denystage", + "change_denystage", + "delete_denystage", + "view_denystage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_dummy.dummystage": { "type": "object", "properties": { 
@@ -6801,6 +8828,32 @@ }, "required": [] }, + "model_authentik_stages_dummy.dummystage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_dummystage", + "change_dummystage", + "delete_dummystage", + "view_dummystage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_email.emailstage": { "type": "object", "properties": { @@ -6961,6 +9014,32 @@ }, "required": [] }, + "model_authentik_stages_email.emailstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_emailstage", + "change_emailstage", + "delete_emailstage", + "view_emailstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_identification.identificationstage": { "type": "object", "properties": { @@ -7119,6 +9198,32 @@ }, "required": [] }, + "model_authentik_stages_identification.identificationstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_identificationstage", + "change_identificationstage", + "delete_identificationstage", + "view_identificationstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_invitation.invitationstage": { "type": "object", "properties": { 
@@ -7217,6 +9322,32 @@ }, "required": [] }, + "model_authentik_stages_invitation.invitationstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_invitationstage", + "change_invitationstage", + "delete_invitationstage", + "view_invitationstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_invitation.invitation": { "type": "object", "properties": { @@ -7254,6 +9385,32 @@ }, "required": [] }, + "model_authentik_stages_invitation.invitation_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_invitation", + "change_invitation", + "delete_invitation", + "view_invitation" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_password.passwordstage": { "type": "object", "properties": { @@ -7379,6 +9536,32 @@ }, "required": [] }, + "model_authentik_stages_password.passwordstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_passwordstage", + "change_passwordstage", + "delete_passwordstage", + "view_passwordstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_prompt.prompt": { "type": "object", "properties": { 
@@ -7556,6 +9739,32 @@ }, "required": [] }, + "model_authentik_stages_prompt.prompt_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_prompt", + "change_prompt", + "delete_prompt", + "view_prompt" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_prompt.promptstage": { "type": "object", "properties": { @@ -7665,6 +9874,32 @@ }, "required": [] }, + "model_authentik_stages_prompt.promptstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_promptstage", + "change_promptstage", + "delete_promptstage", + "view_promptstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_user_delete.userdeletestage": { "type": "object", "properties": { @@ -7758,6 +9993,32 @@ }, "required": [] }, + "model_authentik_stages_user_delete.userdeletestage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_userdeletestage", + "change_userdeletestage", + "delete_userdeletestage", + "view_userdeletestage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_user_login.userloginstage": { "type": "object", "properties": { 
@@ -7890,6 +10151,32 @@ }, "required": [] }, + "model_authentik_stages_user_login.userloginstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_userloginstage", + "change_userloginstage", + "delete_userloginstage", + "view_userloginstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_user_logout.userlogoutstage": { "type": "object", "properties": { @@ -7983,6 +10270,32 @@ }, "required": [] }, + "model_authentik_stages_user_logout.userlogoutstage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_userlogoutstage", + "change_userlogoutstage", + "delete_userlogoutstage", + "view_userlogoutstage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_user_write.userwritestage": { "type": "object", "properties": { @@ -8110,6 +10423,32 @@ }, "required": [] }, + "model_authentik_stages_user_write.userwritestage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_userwritestage", + "change_userwritestage", + "delete_userwritestage", + "view_userwritestage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_brands.brand": { "type": "object", "properties": { 
@@ -8187,6 +10526,32 @@ }, "required": [] }, + "model_authentik_brands.brand_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_brand", + "change_brand", + "delete_brand", + "view_brand" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_blueprints.blueprintinstance": { "type": "object", "properties": { @@ -8215,6 +10580,32 @@ }, "required": [] }, + "model_authentik_blueprints.blueprintinstance_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_blueprintinstance", + "change_blueprintinstance", + "delete_blueprintinstance", + "view_blueprintinstance" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_core.group": { "type": "object", "properties": { @@ -8257,6 +10648,34 @@ }, "required": [] }, + "model_authentik_core.group_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_user_to_group", + "remove_user_from_group", + "add_group", + "change_group", + "delete_group", + "view_group" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_core.user": { "type": "object", "properties": { 
@@ -8325,10 +10744,514 @@ ], "minLength": 1, "title": "Password" + }, + "permissions": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "authentik_blueprints.add_blueprintinstance", + "authentik_blueprints.change_blueprintinstance", + "authentik_blueprints.delete_blueprintinstance", + "authentik_blueprints.view_blueprintinstance", + "authentik_brands.add_brand", + "authentik_brands.change_brand", + "authentik_brands.delete_brand", + "authentik_brands.view_brand", + "authentik_core.add_application", + "authentik_core.change_application", + "authentik_core.delete_application", + "authentik_core.view_application", + "authentik_core.add_authenticatedsession", + "authentik_core.change_authenticatedsession", + "authentik_core.delete_authenticatedsession", + "authentik_core.view_authenticatedsession", + "authentik_core.add_group", + "authentik_core.add_user_to_group", + "authentik_core.change_group", + "authentik_core.delete_group", + "authentik_core.remove_user_from_group", + "authentik_core.view_group", + "authentik_core.add_propertymapping", + "authentik_core.change_propertymapping", + "authentik_core.delete_propertymapping", + "authentik_core.view_propertymapping", + "authentik_core.add_provider", + "authentik_core.change_provider", + "authentik_core.delete_provider", + "authentik_core.view_provider", + "authentik_core.add_source", + "authentik_core.change_source", + "authentik_core.delete_source", + "authentik_core.view_source", + "authentik_core.add_token", + "authentik_core.change_token", + "authentik_core.delete_token", + "authentik_core.view_token", + "authentik_core.view_token_key", + "authentik_core.add_user", + "authentik_core.assign_user_permissions", + "authentik_core.change_user", + "authentik_core.delete_user", + "authentik_core.impersonate", + "authentik_core.preview_user", + "authentik_core.reset_user_password", + "authentik_core.unassign_user_permissions", + "authentik_core.view_user", + "authentik_core.view_user_applications", + 
"authentik_core.add_usersourceconnection", + "authentik_core.change_usersourceconnection", + "authentik_core.delete_usersourceconnection", + "authentik_core.view_usersourceconnection", + "authentik_crypto.add_certificatekeypair", + "authentik_crypto.change_certificatekeypair", + "authentik_crypto.delete_certificatekeypair", + "authentik_crypto.view_certificatekeypair", + "authentik_enterprise.add_license", + "authentik_enterprise.change_license", + "authentik_enterprise.delete_license", + "authentik_enterprise.view_license", + "authentik_enterprise.add_licenseusage", + "authentik_enterprise.change_licenseusage", + "authentik_enterprise.delete_licenseusage", + "authentik_enterprise.view_licenseusage", + "authentik_events.add_event", + "authentik_events.change_event", + "authentik_events.delete_event", + "authentik_events.view_event", + "authentik_events.add_notification", + "authentik_events.change_notification", + "authentik_events.delete_notification", + "authentik_events.view_notification", + "authentik_events.add_notificationrule", + "authentik_events.change_notificationrule", + "authentik_events.delete_notificationrule", + "authentik_events.view_notificationrule", + "authentik_events.add_notificationtransport", + "authentik_events.change_notificationtransport", + "authentik_events.delete_notificationtransport", + "authentik_events.view_notificationtransport", + "authentik_events.add_notificationwebhookmapping", + "authentik_events.change_notificationwebhookmapping", + "authentik_events.delete_notificationwebhookmapping", + "authentik_events.view_notificationwebhookmapping", + "authentik_events.run_task", + "authentik_events.view_systemtask", + "authentik_flows.add_flow", + "authentik_flows.change_flow", + "authentik_flows.clear_flow_cache", + "authentik_flows.delete_flow", + "authentik_flows.export_flow", + "authentik_flows.inspect_flow", + "authentik_flows.view_flow", + "authentik_flows.view_flow_cache", + "authentik_flows.add_flowstagebinding", + 
"authentik_flows.change_flowstagebinding", + "authentik_flows.delete_flowstagebinding", + "authentik_flows.view_flowstagebinding", + "authentik_flows.add_flowtoken", + "authentik_flows.change_flowtoken", + "authentik_flows.delete_flowtoken", + "authentik_flows.view_flowtoken", + "authentik_flows.add_stage", + "authentik_flows.change_stage", + "authentik_flows.delete_stage", + "authentik_flows.view_stage", + "authentik_outposts.add_dockerserviceconnection", + "authentik_outposts.change_dockerserviceconnection", + "authentik_outposts.delete_dockerserviceconnection", + "authentik_outposts.view_dockerserviceconnection", + "authentik_outposts.add_kubernetesserviceconnection", + "authentik_outposts.change_kubernetesserviceconnection", + "authentik_outposts.delete_kubernetesserviceconnection", + "authentik_outposts.view_kubernetesserviceconnection", + "authentik_outposts.add_outpost", + "authentik_outposts.change_outpost", + "authentik_outposts.delete_outpost", + "authentik_outposts.view_outpost", + "authentik_outposts.add_outpostserviceconnection", + "authentik_outposts.change_outpostserviceconnection", + "authentik_outposts.delete_outpostserviceconnection", + "authentik_outposts.view_outpostserviceconnection", + "authentik_policies.add_policy", + "authentik_policies.change_policy", + "authentik_policies.clear_policy_cache", + "authentik_policies.delete_policy", + "authentik_policies.view_policy", + "authentik_policies.view_policy_cache", + "authentik_policies.add_policybinding", + "authentik_policies.change_policybinding", + "authentik_policies.delete_policybinding", + "authentik_policies.view_policybinding", + "authentik_policies.add_policybindingmodel", + "authentik_policies.change_policybindingmodel", + "authentik_policies.delete_policybindingmodel", + "authentik_policies.view_policybindingmodel", + "authentik_policies_dummy.add_dummypolicy", + "authentik_policies_dummy.change_dummypolicy", + "authentik_policies_dummy.delete_dummypolicy", + 
"authentik_policies_dummy.view_dummypolicy", + "authentik_policies_event_matcher.add_eventmatcherpolicy", + "authentik_policies_event_matcher.change_eventmatcherpolicy", + "authentik_policies_event_matcher.delete_eventmatcherpolicy", + "authentik_policies_event_matcher.view_eventmatcherpolicy", + "authentik_policies_expiry.add_passwordexpirypolicy", + "authentik_policies_expiry.change_passwordexpirypolicy", + "authentik_policies_expiry.delete_passwordexpirypolicy", + "authentik_policies_expiry.view_passwordexpirypolicy", + "authentik_policies_expression.add_expressionpolicy", + "authentik_policies_expression.change_expressionpolicy", + "authentik_policies_expression.delete_expressionpolicy", + "authentik_policies_expression.view_expressionpolicy", + "authentik_policies_password.add_passwordpolicy", + "authentik_policies_password.change_passwordpolicy", + "authentik_policies_password.delete_passwordpolicy", + "authentik_policies_password.view_passwordpolicy", + "authentik_policies_reputation.add_reputation", + "authentik_policies_reputation.change_reputation", + "authentik_policies_reputation.delete_reputation", + "authentik_policies_reputation.view_reputation", + "authentik_policies_reputation.add_reputationpolicy", + "authentik_policies_reputation.change_reputationpolicy", + "authentik_policies_reputation.delete_reputationpolicy", + "authentik_policies_reputation.view_reputationpolicy", + "authentik_providers_google_workspace.add_googleworkspaceprovider", + "authentik_providers_google_workspace.change_googleworkspaceprovider", + "authentik_providers_google_workspace.delete_googleworkspaceprovider", + "authentik_providers_google_workspace.view_googleworkspaceprovider", + "authentik_providers_google_workspace.add_googleworkspaceprovidergroup", + "authentik_providers_google_workspace.change_googleworkspaceprovidergroup", + "authentik_providers_google_workspace.delete_googleworkspaceprovidergroup", + 
"authentik_providers_google_workspace.view_googleworkspaceprovidergroup", + "authentik_providers_google_workspace.add_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.change_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.delete_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.view_googleworkspaceprovidermapping", + "authentik_providers_google_workspace.add_googleworkspaceprovideruser", + "authentik_providers_google_workspace.change_googleworkspaceprovideruser", + "authentik_providers_google_workspace.delete_googleworkspaceprovideruser", + "authentik_providers_google_workspace.view_googleworkspaceprovideruser", + "authentik_providers_ldap.add_ldapprovider", + "authentik_providers_ldap.change_ldapprovider", + "authentik_providers_ldap.delete_ldapprovider", + "authentik_providers_ldap.view_ldapprovider", + "authentik_providers_microsoft_entra.add_microsoftentraprovider", + "authentik_providers_microsoft_entra.change_microsoftentraprovider", + "authentik_providers_microsoft_entra.delete_microsoftentraprovider", + "authentik_providers_microsoft_entra.view_microsoftentraprovider", + "authentik_providers_microsoft_entra.add_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.change_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.delete_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.view_microsoftentraprovidergroup", + "authentik_providers_microsoft_entra.add_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.change_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.delete_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.view_microsoftentraprovidermapping", + "authentik_providers_microsoft_entra.add_microsoftentraprovideruser", + "authentik_providers_microsoft_entra.change_microsoftentraprovideruser", + "authentik_providers_microsoft_entra.delete_microsoftentraprovideruser", + 
"authentik_providers_microsoft_entra.view_microsoftentraprovideruser", + "authentik_providers_oauth2.add_accesstoken", + "authentik_providers_oauth2.change_accesstoken", + "authentik_providers_oauth2.delete_accesstoken", + "authentik_providers_oauth2.view_accesstoken", + "authentik_providers_oauth2.add_authorizationcode", + "authentik_providers_oauth2.change_authorizationcode", + "authentik_providers_oauth2.delete_authorizationcode", + "authentik_providers_oauth2.view_authorizationcode", + "authentik_providers_oauth2.add_devicetoken", + "authentik_providers_oauth2.change_devicetoken", + "authentik_providers_oauth2.delete_devicetoken", + "authentik_providers_oauth2.view_devicetoken", + "authentik_providers_oauth2.add_oauth2provider", + "authentik_providers_oauth2.change_oauth2provider", + "authentik_providers_oauth2.delete_oauth2provider", + "authentik_providers_oauth2.view_oauth2provider", + "authentik_providers_oauth2.add_refreshtoken", + "authentik_providers_oauth2.change_refreshtoken", + "authentik_providers_oauth2.delete_refreshtoken", + "authentik_providers_oauth2.view_refreshtoken", + "authentik_providers_oauth2.add_scopemapping", + "authentik_providers_oauth2.change_scopemapping", + "authentik_providers_oauth2.delete_scopemapping", + "authentik_providers_oauth2.view_scopemapping", + "authentik_providers_proxy.add_proxyprovider", + "authentik_providers_proxy.change_proxyprovider", + "authentik_providers_proxy.delete_proxyprovider", + "authentik_providers_proxy.view_proxyprovider", + "authentik_providers_rac.add_connectiontoken", + "authentik_providers_rac.change_connectiontoken", + "authentik_providers_rac.delete_connectiontoken", + "authentik_providers_rac.view_connectiontoken", + "authentik_providers_rac.add_endpoint", + "authentik_providers_rac.change_endpoint", + "authentik_providers_rac.delete_endpoint", + "authentik_providers_rac.view_endpoint", + "authentik_providers_rac.add_racpropertymapping", + "authentik_providers_rac.change_racpropertymapping", + 
"authentik_providers_rac.delete_racpropertymapping", + "authentik_providers_rac.view_racpropertymapping", + "authentik_providers_rac.add_racprovider", + "authentik_providers_rac.change_racprovider", + "authentik_providers_rac.delete_racprovider", + "authentik_providers_rac.view_racprovider", + "authentik_providers_radius.add_radiusprovider", + "authentik_providers_radius.change_radiusprovider", + "authentik_providers_radius.delete_radiusprovider", + "authentik_providers_radius.view_radiusprovider", + "authentik_providers_radius.add_radiusproviderpropertymapping", + "authentik_providers_radius.change_radiusproviderpropertymapping", + "authentik_providers_radius.delete_radiusproviderpropertymapping", + "authentik_providers_radius.view_radiusproviderpropertymapping", + "authentik_providers_saml.add_samlpropertymapping", + "authentik_providers_saml.change_samlpropertymapping", + "authentik_providers_saml.delete_samlpropertymapping", + "authentik_providers_saml.view_samlpropertymapping", + "authentik_providers_saml.add_samlprovider", + "authentik_providers_saml.change_samlprovider", + "authentik_providers_saml.delete_samlprovider", + "authentik_providers_saml.view_samlprovider", + "authentik_providers_scim.add_scimmapping", + "authentik_providers_scim.change_scimmapping", + "authentik_providers_scim.delete_scimmapping", + "authentik_providers_scim.view_scimmapping", + "authentik_providers_scim.add_scimprovider", + "authentik_providers_scim.change_scimprovider", + "authentik_providers_scim.delete_scimprovider", + "authentik_providers_scim.view_scimprovider", + "authentik_providers_scim.add_scimprovidergroup", + "authentik_providers_scim.change_scimprovidergroup", + "authentik_providers_scim.delete_scimprovidergroup", + "authentik_providers_scim.view_scimprovidergroup", + "authentik_providers_scim.add_scimprovideruser", + "authentik_providers_scim.change_scimprovideruser", + "authentik_providers_scim.delete_scimprovideruser", + 
"authentik_providers_scim.view_scimprovideruser", + "authentik_rbac.add_role", + "authentik_rbac.assign_role_permissions", + "authentik_rbac.change_role", + "authentik_rbac.delete_role", + "authentik_rbac.unassign_role_permissions", + "authentik_rbac.view_role", + "authentik_rbac.access_admin_interface", + "authentik_rbac.edit_system_settings", + "authentik_rbac.view_system_info", + "authentik_rbac.view_system_settings", + "authentik_sources_ldap.add_ldapsource", + "authentik_sources_ldap.change_ldapsource", + "authentik_sources_ldap.delete_ldapsource", + "authentik_sources_ldap.view_ldapsource", + "authentik_sources_ldap.add_ldapsourcepropertymapping", + "authentik_sources_ldap.change_ldapsourcepropertymapping", + "authentik_sources_ldap.delete_ldapsourcepropertymapping", + "authentik_sources_ldap.view_ldapsourcepropertymapping", + "authentik_sources_oauth.add_oauthsource", + "authentik_sources_oauth.change_oauthsource", + "authentik_sources_oauth.delete_oauthsource", + "authentik_sources_oauth.view_oauthsource", + "authentik_sources_oauth.add_useroauthsourceconnection", + "authentik_sources_oauth.change_useroauthsourceconnection", + "authentik_sources_oauth.delete_useroauthsourceconnection", + "authentik_sources_oauth.view_useroauthsourceconnection", + "authentik_sources_plex.add_plexsource", + "authentik_sources_plex.change_plexsource", + "authentik_sources_plex.delete_plexsource", + "authentik_sources_plex.view_plexsource", + "authentik_sources_plex.add_plexsourceconnection", + "authentik_sources_plex.change_plexsourceconnection", + "authentik_sources_plex.delete_plexsourceconnection", + "authentik_sources_plex.view_plexsourceconnection", + "authentik_sources_saml.add_samlsource", + "authentik_sources_saml.change_samlsource", + "authentik_sources_saml.delete_samlsource", + "authentik_sources_saml.view_samlsource", + "authentik_sources_saml.add_usersamlsourceconnection", + "authentik_sources_saml.change_usersamlsourceconnection", + 
"authentik_sources_saml.delete_usersamlsourceconnection", + "authentik_sources_saml.view_usersamlsourceconnection", + "authentik_sources_scim.add_scimsource", + "authentik_sources_scim.change_scimsource", + "authentik_sources_scim.delete_scimsource", + "authentik_sources_scim.view_scimsource", + "authentik_sources_scim.add_scimsourcegroup", + "authentik_sources_scim.change_scimsourcegroup", + "authentik_sources_scim.delete_scimsourcegroup", + "authentik_sources_scim.view_scimsourcegroup", + "authentik_sources_scim.add_scimsourcepropertymapping", + "authentik_sources_scim.change_scimsourcepropertymapping", + "authentik_sources_scim.delete_scimsourcepropertymapping", + "authentik_sources_scim.view_scimsourcepropertymapping", + "authentik_sources_scim.add_scimsourceuser", + "authentik_sources_scim.change_scimsourceuser", + "authentik_sources_scim.delete_scimsourceuser", + "authentik_sources_scim.view_scimsourceuser", + "authentik_stages_authenticator_duo.add_authenticatorduostage", + "authentik_stages_authenticator_duo.change_authenticatorduostage", + "authentik_stages_authenticator_duo.delete_authenticatorduostage", + "authentik_stages_authenticator_duo.view_authenticatorduostage", + "authentik_stages_authenticator_duo.add_duodevice", + "authentik_stages_authenticator_duo.change_duodevice", + "authentik_stages_authenticator_duo.delete_duodevice", + "authentik_stages_authenticator_duo.view_duodevice", + "authentik_stages_authenticator_sms.add_authenticatorsmsstage", + "authentik_stages_authenticator_sms.change_authenticatorsmsstage", + "authentik_stages_authenticator_sms.delete_authenticatorsmsstage", + "authentik_stages_authenticator_sms.view_authenticatorsmsstage", + "authentik_stages_authenticator_sms.add_smsdevice", + "authentik_stages_authenticator_sms.change_smsdevice", + "authentik_stages_authenticator_sms.delete_smsdevice", + "authentik_stages_authenticator_sms.view_smsdevice", + "authentik_stages_authenticator_static.add_authenticatorstaticstage", + 
"authentik_stages_authenticator_static.change_authenticatorstaticstage", + "authentik_stages_authenticator_static.delete_authenticatorstaticstage", + "authentik_stages_authenticator_static.view_authenticatorstaticstage", + "authentik_stages_authenticator_static.add_staticdevice", + "authentik_stages_authenticator_static.change_staticdevice", + "authentik_stages_authenticator_static.delete_staticdevice", + "authentik_stages_authenticator_static.view_staticdevice", + "authentik_stages_authenticator_static.add_statictoken", + "authentik_stages_authenticator_static.change_statictoken", + "authentik_stages_authenticator_static.delete_statictoken", + "authentik_stages_authenticator_static.view_statictoken", + "authentik_stages_authenticator_totp.add_authenticatortotpstage", + "authentik_stages_authenticator_totp.change_authenticatortotpstage", + "authentik_stages_authenticator_totp.delete_authenticatortotpstage", + "authentik_stages_authenticator_totp.view_authenticatortotpstage", + "authentik_stages_authenticator_totp.add_totpdevice", + "authentik_stages_authenticator_totp.change_totpdevice", + "authentik_stages_authenticator_totp.delete_totpdevice", + "authentik_stages_authenticator_totp.view_totpdevice", + "authentik_stages_authenticator_validate.add_authenticatorvalidatestage", + "authentik_stages_authenticator_validate.change_authenticatorvalidatestage", + "authentik_stages_authenticator_validate.delete_authenticatorvalidatestage", + "authentik_stages_authenticator_validate.view_authenticatorvalidatestage", + "authentik_stages_authenticator_webauthn.add_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.change_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.delete_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.view_authenticatorwebauthnstage", + "authentik_stages_authenticator_webauthn.add_webauthndevice", + "authentik_stages_authenticator_webauthn.change_webauthndevice", + 
"authentik_stages_authenticator_webauthn.delete_webauthndevice", + "authentik_stages_authenticator_webauthn.view_webauthndevice", + "authentik_stages_authenticator_webauthn.add_webauthndevicetype", + "authentik_stages_authenticator_webauthn.change_webauthndevicetype", + "authentik_stages_authenticator_webauthn.delete_webauthndevicetype", + "authentik_stages_authenticator_webauthn.view_webauthndevicetype", + "authentik_stages_captcha.add_captchastage", + "authentik_stages_captcha.change_captchastage", + "authentik_stages_captcha.delete_captchastage", + "authentik_stages_captcha.view_captchastage", + "authentik_stages_consent.add_consentstage", + "authentik_stages_consent.change_consentstage", + "authentik_stages_consent.delete_consentstage", + "authentik_stages_consent.view_consentstage", + "authentik_stages_consent.add_userconsent", + "authentik_stages_consent.change_userconsent", + "authentik_stages_consent.delete_userconsent", + "authentik_stages_consent.view_userconsent", + "authentik_stages_deny.add_denystage", + "authentik_stages_deny.change_denystage", + "authentik_stages_deny.delete_denystage", + "authentik_stages_deny.view_denystage", + "authentik_stages_dummy.add_dummystage", + "authentik_stages_dummy.change_dummystage", + "authentik_stages_dummy.delete_dummystage", + "authentik_stages_dummy.view_dummystage", + "authentik_stages_email.add_emailstage", + "authentik_stages_email.change_emailstage", + "authentik_stages_email.delete_emailstage", + "authentik_stages_email.view_emailstage", + "authentik_stages_identification.add_identificationstage", + "authentik_stages_identification.change_identificationstage", + "authentik_stages_identification.delete_identificationstage", + "authentik_stages_identification.view_identificationstage", + "authentik_stages_invitation.add_invitation", + "authentik_stages_invitation.change_invitation", + "authentik_stages_invitation.delete_invitation", + "authentik_stages_invitation.view_invitation", + 
"authentik_stages_invitation.add_invitationstage", + "authentik_stages_invitation.change_invitationstage", + "authentik_stages_invitation.delete_invitationstage", + "authentik_stages_invitation.view_invitationstage", + "authentik_stages_password.add_passwordstage", + "authentik_stages_password.change_passwordstage", + "authentik_stages_password.delete_passwordstage", + "authentik_stages_password.view_passwordstage", + "authentik_stages_prompt.add_prompt", + "authentik_stages_prompt.change_prompt", + "authentik_stages_prompt.delete_prompt", + "authentik_stages_prompt.view_prompt", + "authentik_stages_prompt.add_promptstage", + "authentik_stages_prompt.change_promptstage", + "authentik_stages_prompt.delete_promptstage", + "authentik_stages_prompt.view_promptstage", + "authentik_stages_source.add_sourcestage", + "authentik_stages_source.change_sourcestage", + "authentik_stages_source.delete_sourcestage", + "authentik_stages_source.view_sourcestage", + "authentik_stages_user_delete.add_userdeletestage", + "authentik_stages_user_delete.change_userdeletestage", + "authentik_stages_user_delete.delete_userdeletestage", + "authentik_stages_user_delete.view_userdeletestage", + "authentik_stages_user_login.add_userloginstage", + "authentik_stages_user_login.change_userloginstage", + "authentik_stages_user_login.delete_userloginstage", + "authentik_stages_user_login.view_userloginstage", + "authentik_stages_user_logout.add_userlogoutstage", + "authentik_stages_user_logout.change_userlogoutstage", + "authentik_stages_user_logout.delete_userlogoutstage", + "authentik_stages_user_logout.view_userlogoutstage", + "authentik_stages_user_write.add_userwritestage", + "authentik_stages_user_write.change_userwritestage", + "authentik_stages_user_write.delete_userwritestage", + "authentik_stages_user_write.view_userwritestage", + "authentik_tenants.add_domain", + "authentik_tenants.change_domain", + "authentik_tenants.delete_domain", + "authentik_tenants.view_domain", + 
"authentik_tenants.add_tenant", + "authentik_tenants.change_tenant", + "authentik_tenants.delete_tenant", + "authentik_tenants.view_tenant" + ] + }, + "title": "Permissions" } }, "required": [] }, + "model_authentik_core.user_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "reset_user_password", + "impersonate", + "assign_user_permissions", + "unassign_user_permissions", + "preview_user", + "view_user_applications", + "add_user", + "change_user", + "delete_user", + "view_user" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_core.application": { "type": "object", "properties": { @@ -8394,6 +11317,32 @@ }, "required": [] }, + "model_authentik_core.application_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_application", + "change_application", + "delete_application", + "view_application" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_core.token": { "type": "object", "properties": { @@ -8451,6 +11400,33 @@ }, "required": [] }, + "model_authentik_core.token_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "view_token_key", + "add_token", + "change_token", + "delete_token", + "view_token" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_enterprise.license": { "type": "object", "properties": { 
@@ -8462,6 +11438,32 @@ }, "required": [] }, + "model_authentik_enterprise.license_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_license", + "change_license", + "delete_license", + "view_license" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_google_workspace.googleworkspaceprovider": { "type": "object", "properties": { @@ -8540,6 +11542,32 @@ }, "required": [] }, + "model_authentik_providers_google_workspace.googleworkspaceprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_googleworkspaceprovider", + "change_googleworkspaceprovider", + "delete_googleworkspaceprovider", + "view_googleworkspaceprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_google_workspace.googleworkspaceprovidermapping": { "type": "object", "properties": { @@ -8565,6 +11593,32 @@ }, "required": [] }, + "model_authentik_providers_google_workspace.googleworkspaceprovidermapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_googleworkspaceprovidermapping", + "change_googleworkspaceprovidermapping", + "delete_googleworkspaceprovidermapping", + "view_googleworkspaceprovidermapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_microsoft_entra.microsoftentraprovider": { "type": "object", "properties": { 
@@ -8636,6 +11690,32 @@ }, "required": [] }, + "model_authentik_providers_microsoft_entra.microsoftentraprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_microsoftentraprovider", + "change_microsoftentraprovider", + "delete_microsoftentraprovider", + "view_microsoftentraprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_microsoft_entra.microsoftentraprovidermapping": { "type": "object", "properties": { @@ -8661,6 +11741,32 @@ }, "required": [] }, + "model_authentik_providers_microsoft_entra.microsoftentraprovidermapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_microsoftentraprovidermapping", + "change_microsoftentraprovidermapping", + "delete_microsoftentraprovidermapping", + "view_microsoftentraprovidermapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_rac.racprovider": { "type": "object", "properties": { @@ -8708,6 +11814,32 @@ }, "required": [] }, + "model_authentik_providers_rac.racprovider_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_racprovider", + "change_racprovider", + "delete_racprovider", + "view_racprovider" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_rac.endpoint": { "type": "object", "properties": { 
@@ -8764,6 +11896,32 @@ }, "required": [] }, + "model_authentik_providers_rac.endpoint_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_endpoint", + "change_endpoint", + "delete_endpoint", + "view_endpoint" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_providers_rac.racpropertymapping": { "type": "object", "properties": { @@ -8793,6 +11951,32 @@ }, "required": [] }, + "model_authentik_providers_rac.racpropertymapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_racpropertymapping", + "change_racpropertymapping", + "delete_racpropertymapping", + "view_racpropertymapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_stages_source.sourcestage": { "type": "object", "properties": { @@ -8896,6 +12080,32 @@ }, "required": [] }, + "model_authentik_stages_source.sourcestage_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_sourcestage", + "change_sourcestage", + "delete_sourcestage", + "view_sourcestage" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_events.event": { "type": "object", "properties": { 
@@ -8968,6 +12178,32 @@ }, "required": [] }, + "model_authentik_events.event_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_event", + "change_event", + "delete_event", + "view_event" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_events.notificationtransport": { "type": "object", "properties": { @@ -9002,6 +12238,32 @@ }, "required": [] }, + "model_authentik_events.notificationtransport_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_notificationtransport", + "change_notificationtransport", + "delete_notificationtransport", + "view_notificationtransport" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_events.notification": { "type": "object", "properties": { @@ -9088,6 +12350,32 @@ }, "required": [] }, + "model_authentik_events.notification_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_notification", + "change_notification", + "delete_notification", + "view_notification" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_events.notificationrule": { "type": "object", "properties": { 
@@ -9125,6 +12413,32 @@ }, "required": [] }, + "model_authentik_events.notificationrule_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_notificationrule", + "change_notificationrule", + "delete_notificationrule", + "view_notificationrule" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_events.notificationwebhookmapping": { "type": "object", "properties": { @@ -9141,6 +12455,32 @@ }, "required": [] }, + "model_authentik_events.notificationwebhookmapping_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_notificationwebhookmapping", + "change_notificationwebhookmapping", + "delete_notificationwebhookmapping", + "view_notificationwebhookmapping" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } + }, "model_authentik_blueprints.metaapplyblueprint": { "type": "object", "properties": { @@ -9155,6 +12495,32 @@ } }, "required": [] + }, + "model_authentik_blueprints.metaapplyblueprint_permissions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "permission" + ], + "properties": { + "permission": { + "type": "string", + "enum": [ + "add_metaapplyblueprint", + "change_metaapplyblueprint", + "delete_metaapplyblueprint", + "view_metaapplyblueprint" + ] + }, + "user": { + "type": "integer" + }, + "role": { + "type": "string" + } + } + } } } } diff --git a/schema.yml b/schema.yml index 169f01e51a69..abe058e533a0 100644 --- a/schema.yml +++ b/schema.yml @@ -14825,6 +14825,10 @@ paths: operationId: propertymappings_saml_list description: SAMLPropertyMapping Viewset parameters: + - in: query + name: friendly_name + schema: + type: string - in: query name: managed schema: 
@@ -14859,6 +14863,10 @@ paths: description: Number of results to return per page. schema: type: integer + - in: query + name: saml_name + schema: + type: string - name: search required: false in: query @@ -15953,10 +15961,6 @@ paths: operationId: propertymappings_source_scim_list description: SCIMSourcePropertyMapping Viewset parameters: - - in: query - name: expression - schema: - type: string - in: query name: managed schema: @@ -15965,6 +15969,10 @@ paths: type: string explode: true style: form + - in: query + name: managed__isnull + schema: + type: boolean - in: query name: name schema: @@ -15987,11 +15995,6 @@ paths: description: Number of results to return per page. schema: type: integer - - in: query - name: pm_uuid - schema: - type: string - format: uuid - name: search required: false in: query @@ -21393,7 +21396,7 @@ paths: description: '' /rbac/permissions/assigned_by_roles/{uuid}/assign/: post: - operationId: rbac_permissions_assigned_by_roles_assign_create + operationId: rbac_permissions_assigned_by_roles_assign description: |- Assign permission(s) to role. When `object_pk` is set, the permissions are only assigned to the specific object, otherwise they are assigned globally. @@ -21416,8 +21419,14 @@ paths: security: - authentik: [] responses: - '204': - description: Successfully assigned + '200': + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PermissionAssignResult' + description: '' '400': content: application/json: @@ -21614,7 +21623,7 @@ paths: description: '' /rbac/permissions/assigned_by_users/{id}/assign/: post: - operationId: rbac_permissions_assigned_by_users_assign_create + operationId: rbac_permissions_assigned_by_users_assign description: Assign permission(s) to user parameters: - in: path 
@@ -21634,8 +21643,14 @@ paths: security: - authentik: [] responses: - '204': - description: Successfully assigned + '200': + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PermissionAssignResult' + description: '' '400': content: application/json: @@ -21719,7 +21734,6 @@ paths: schema: type: string format: uuid - required: true tags: - rbac security: 
@@ -21743,6 +21757,146 @@ paths: schema: $ref: '#/components/schemas/GenericError' description: '' + /rbac/permissions/roles/{id}/: + get: + operationId: rbac_permissions_roles_retrieve + description: Get a role's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this group object permission. + required: true + tags: + - rbac + security: + - authentik: [] + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraRoleObjectPermission' + description: '' + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' + put: + operationId: rbac_permissions_roles_update + description: Get a role's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this group object permission. + required: true + tags: + - rbac + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraRoleObjectPermissionRequest' + required: true + security: + - authentik: [] + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraRoleObjectPermission' + description: '' + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' + patch: + operationId: rbac_permissions_roles_partial_update + description: Get a role's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this group object permission. 
+ required: true + tags: + - rbac + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PatchedExtraRoleObjectPermissionRequest' + security: + - authentik: [] + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraRoleObjectPermission' + description: '' + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' + delete: + operationId: rbac_permissions_roles_destroy + description: Get a role's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this group object permission. + required: true + tags: + - rbac + security: + - authentik: [] + responses: + '204': + description: No response body + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' /rbac/permissions/users/: get: operationId: rbac_permissions_users_list @@ -21776,7 +21930,6 @@ paths: name: user_id schema: type: integer - required: true tags: - rbac security: 
@@ -21800,6 +21953,146 @@ paths: schema: $ref: '#/components/schemas/GenericError' description: '' + /rbac/permissions/users/{id}/: + get: + operationId: rbac_permissions_users_retrieve + description: Get a users's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this user object permission. + required: true + tags: + - rbac + security: + - authentik: [] + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraUserObjectPermission' + description: '' + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' + put: + operationId: rbac_permissions_users_update + description: Get a users's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this user object permission. + required: true + tags: + - rbac + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraUserObjectPermissionRequest' + required: true + security: + - authentik: [] + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraUserObjectPermission' + description: '' + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' + patch: + operationId: rbac_permissions_users_partial_update + description: Get a users's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this user object permission. 
+ required: true + tags: + - rbac + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PatchedExtraUserObjectPermissionRequest' + security: + - authentik: [] + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/ExtraUserObjectPermission' + description: '' + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' + delete: + operationId: rbac_permissions_users_destroy + description: Get a users's assigned object permissions + parameters: + - in: path + name: id + schema: + type: integer + description: A unique integer value identifying this user object permission. + required: true + tags: + - rbac + security: + - authentik: [] + responses: + '204': + description: No response body + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/ValidationError' + description: '' + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/GenericError' + description: '' /rbac/roles/: get: operationId: rbac_roles_list @@ -36544,8 +36837,6 @@ components: readOnly: true object_pk: type: string - title: Object ID - readOnly: true name: type: string readOnly: true @@ -36575,6 +36866,15 @@ components: - name - object_description - object_pk + ExtraRoleObjectPermissionRequest: + type: object + description: User permission with additional object-related data + properties: + object_pk: + type: string + minLength: 1 + required: + - object_pk ExtraUserObjectPermission: type: object description: User permission with additional object-related data @@ -36594,8 +36894,6 @@ components: readOnly: true object_pk: type: string - title: Object ID - readOnly: true name: type: string readOnly: true 
@@ -36625,6 +36923,15 @@ components: - name - object_description - object_pk + ExtraUserObjectPermissionRequest: + type: object + description: User permission with additional object-related data + properties: + object_pk: + type: string + minLength: 1 + required: + - object_pk FilePathRequest: type: object description: Serializer to upload file @@ -42500,6 +42807,20 @@ components: expression: type: string minLength: 1 + PatchedExtraRoleObjectPermissionRequest: + type: object + description: User permission with additional object-related data + properties: + object_pk: + type: string + minLength: 1 + PatchedExtraUserObjectPermissionRequest: + type: object + description: User permission with additional object-related data + properties: + object_pk: + type: string + minLength: 1 PatchedFlowRequest: type: object description: Flow Serializer @@ -44497,6 +44818,14 @@ components: minLength: 1 required: - permissions + PermissionAssignResult: + type: object + description: Result from assigning permissions to a user/role + properties: + id: + type: string + required: + - id PlexAuthenticationChallenge: type: object description: Challenge shown to the user in identification stage @@ -46317,8 +46646,6 @@ components: readOnly: true object_pk: type: string - title: Object ID - readOnly: true name: type: string readOnly: true @@ -49162,8 +49489,6 @@ components: readOnly: true object_pk: type: string - title: Object ID - readOnly: true name: type: string readOnly: true diff --git a/web/src/admin/rbac/RoleObjectPermissionForm.ts b/web/src/admin/rbac/RoleObjectPermissionForm.ts index 7c5fc4721703..f423c5974203 100644 --- a/web/src/admin/rbac/RoleObjectPermissionForm.ts +++ b/web/src/admin/rbac/RoleObjectPermissionForm.ts 
@@ -53,7 +53,7 @@ export class RoleObjectPermissionForm extends ModelForm
 }
 send(data: RoleAssignData): Promise {
- return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssignCreate({
+ return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssign({
 uuid: data.role,
 permissionAssignRequest: {
 permissions: Object.keys(data.permissions).filter((key) => data.permissions[key]),
diff --git a/web/src/admin/rbac/UserObjectPermissionForm.ts b/web/src/admin/rbac/UserObjectPermissionForm.ts
index 026c580563c1..335bd011030b 100644
--- a/web/src/admin/rbac/UserObjectPermissionForm.ts
+++ b/web/src/admin/rbac/UserObjectPermissionForm.ts
@@ -54,7 +54,7 @@ export class UserObjectPermissionForm extends ModelForm
 }
 send(data: UserAssignData): Promise {
- return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersAssignCreate({
+ return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersAssign({
 id: data.user,
 permissionAssignRequest: {
 permissions: Object.keys(data.permissions).filter((key) => data.permissions[key]),
diff --git a/web/src/admin/roles/RolePermissionForm.ts b/web/src/admin/roles/RolePermissionForm.ts
index b059083a669f..95ad8a796a10 100644
--- a/web/src/admin/roles/RolePermissionForm.ts
+++ b/web/src/admin/roles/RolePermissionForm.ts
@@ -37,7 +37,7 @@ export class RolePermissionForm extends ModelForm
 }
 async send(data: RolePermissionAssign) {
- await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssignCreate({
+ await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssign({
 uuid: this.roleUuid || "",
 permissionAssignRequest: {
 permissions: data.permissions,
diff --git a/web/src/admin/users/UserPermissionForm.ts b/web/src/admin/users/UserPermissionForm.ts
index 989b2d10288d..2d3d804de36b 100644
--- a/web/src/admin/users/UserPermissionForm.ts
+++ b/web/src/admin/users/UserPermissionForm.ts
@@ -37,7 +37,7 @@ export class UserPermissionForm extends ModelForm
 }
 async send(data: UserPermissionAssign) {
- await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersAssignCreate({
+ await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersAssign({
 id: this.userId || 0,
 permissionAssignRequest: {
 permissions: data.permissions,
diff --git a/website/developer-docs/blueprints/v1/models.md b/website/developer-docs/blueprints/v1/models.md
index 26ecd03ce0d3..f392c8295cbe 100644
--- a/website/developer-docs/blueprints/v1/models.md
+++ b/website/developer-docs/blueprints/v1/models.md
@@ -2,7 +2,9 @@ Some models behave differently and allow for access to different API fields when created via blueprint. -### `authentik_core.token` +## `authentik_core.token` + +### `key` :::info Requires authentik 2023.4
@@ -26,7 +28,9 @@ For example: intent: api ``` -### `authentik_core.user` +## `authentik_core.user` + +### `password` :::info Requires authentik 2023.6
@@ -49,7 +53,29 @@ For example: password: this-should-be-a-long-value ``` -### `authentik_core.application` +### `permissions` + +:::info +Requires authentik 2024.8 +::: + +The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints. + +For example: + +```yaml +# [...] +- model: authentik_core.user + identifiers: + username: test-user + attrs: + permissions: + - authentik_blueprints.view_blueprintinstance +``` + +## `authentik_core.application` + +### `icon` :::info Requires authentik 2023.5
@@ -69,7 +95,9 @@ For example: icon: https://goauthentik.io/img/icon.png ``` -### `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource` +## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource` + +### `icon` :::info Requires authentik 2023.5
@@ -89,7 +117,9 @@ For example: icon: https://goauthentik.io/img/icon.png ``` -### `authentik_flows.flow` +## `authentik_flows.flow` + +### `icon` :::info Requires authentik 2023.5 @@ -110,3 +140,25 @@ For example: designation: authentication background: https://goauthentik.io/img/icon.png ``` + +## `authentik_rbac.role` + +### `permissions` + +:::info +Requires authentik 2024.8 +::: + +The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints. + +For example: + +```yaml +# [...] +- model: authentik_rbac.role + identifiers: + name: test-role + attrs: + permissions: + - authentik_blueprints.view_blueprintinstance +``` diff --git a/website/developer-docs/blueprints/v1/structure.md b/website/developer-docs/blueprints/v1/structure.md index ee2f3e74b456..fd819bca8aa2 100644 --- a/website/developer-docs/blueprints/v1/structure.md +++ b/website/developer-docs/blueprints/v1/structure.md @@ -60,6 +60,11 @@ entries: designation: stage_configuration name: default-oobe-setup title: Welcome to authentik! + # Optionally set object-level permissions on the object + # Requires authentik 2024.8 + permissions: + - permission: inspect_flow + user: !Find [authentik_core.user, [username, akadmin]] ``` ## Special Labels diff --git a/website/developer-docs/blueprints/v1/tags.md b/website/developer-docs/blueprints/v1/tags.md index a931063b8396..7ec1ff15a1b7 100644 --- a/website/developer-docs/blueprints/v1/tags.md +++ b/website/developer-docs/blueprints/v1/tags.md @@ -7,15 +7,15 @@ For VS Code, for example, add these entries to your `settings.json`: ``` { "yaml.customTags": [ - "!KeyOf scalar", + "!Condition sequence", + "!Context scalar", + "!Enumerate sequence", "!Env scalar", "!Find sequence", - "!Context scalar", "!Format sequence", "!If sequence", - "!Condition sequence", - "!Enumerate sequence", "!Index scalar", + "!KeyOf scalar", "!Value scalar" ] }