Manage resource owner consent.
This tool provides subcommands that invoke consent management operations over the Identity Broker REST API. Consent is an authorization by a resource owner that allows an application to access the owner's resources. See the --help-subcommands option for a list of supported subcommands.
Add consent
consent-admin add-consent --owner joe --application Example.com --action Read \
    --purpose Marketing --resource E-mail --resource Name
consent-admin add-consent --owner joe --application Example.com \
    --scope marketing
--owner {owner}
Description | The resource owner |
Required | Yes |
Multi-Valued | No |
--application {name}
Description | The name of the application associated with the consent |
Required | Yes |
Multi-Valued | No |
--scope {scope}
Description | The name of a scope providing the action, purpose and resources for which consent is given |
Required | No |
Multi-Valued | No |
--action {action}
Description | The name of an action for which consent is given |
Required | No |
Multi-Valued | No |
--resource {resource}
Description | The name of a resource for which consent is given |
Required | No |
Multi-Valued | Yes |
--purpose {purpose}
Description | The name of a purpose for which consent is given |
Required | No |
Multi-Valued | No |
List policy decision history for the specified resource owner. Numerous options are available to filter the results.
--owner {owner}
Description | The resource owner |
Required | Yes |
Multi-Valued | No |
--application {name}
Description | The name of the application associated with the consent |
Required | No |
Multi-Valued | No |
--decision {decision}
Description | Filter records by policy decision, e.g. Permit or Deny |
Required | No |
Multi-Valued | No |
--action {action}
Description | The name of an action for which consent is given |
Required | No |
Multi-Valued | No |
--purpose {name}
Description | The name of the purpose associated with the consent |
Required | No |
Multi-Valued | No |
--resourceURN {URN}
Description | Filter records by resource URN |
Required | No |
Multi-Valued | No |
--resource {name}
Description | Filter records by resource Name |
Required | No |
Multi-Valued | No |
--startTime {startTime}
Description | Exclude records created before the specified time. Time may be specified in absolute form or relative form. Relative form is -Xu where X is an integer and u is a unit, e.g. -2h (2 hours ago), -5d (5 days ago). The leading '-' is required, and the valid units are: m (minute), h (hour), d (day), w (week), M (30-day month), y (365-day year). Absolute form is an ISO 8601 timestamp in which trailing fields are optional, e.g. 2013-01-29T13:47:36.876Z, 2013-01-29. The delimiter characters '-' and ':' are required. If no timezone is specified, the server's timezone is assumed |
Required | No |
Multi-Valued | No |
--endTime {endTime}
Description | Exclude records created after the specified time. Time may be specified in absolute form or relative form. Relative form is +Xu where X is an integer and u is a unit, e.g. +2h (2 hours after the start time), +5d (5 days after the start time). The leading '+' is required, and the valid units are: m (minute), h (hour), d (day), w (week), M (30-day month), y (365-day year). Absolute form is an ISO 8601 timestamp in which trailing fields are optional, e.g. 2013-01-29T13:47:36.876Z, 2013-01-29. The delimiter characters '-' and ':' are required. If no timezone is specified, the server's timezone is assumed |
Required | No |
Multi-Valued | No |
--startIndex {startIndex}
Description | The index number of the first item to be provided in the results. The default value is 0 |
Lower Bound | 0 |
Required | No |
Multi-Valued | No |
--count {count}
Description | The maximum number of items to be provided in the results. By default there is no maximum |
Lower Bound | 1 |
Required | No |
Multi-Valued | No |
--tab-delimited
Description | Indicates that consent with multiple resource values should display the values all on one line separated by tabs instead of providing each value on a separate line |
--validate
Description | Validate the provided options to ensure they reference objects that exist in the Broker Store. By default, this validation is not performed so that any records referencing deleted objects may be found |
--sortBy {sortBy}
Description | Specifies how the results should be sorted. Allowed values are: application, action, purpose, timestamp, owner, decision |
Default Value | timestamp |
Required | No |
Multi-Valued | No |
--sortOrder {sortOrder}
Description | Specifies how sorted results should be ordered. Allowed values are: ascending, descending |
Required | No |
Multi-Valued | No |
List consent change history for a given resource owner
--owner {owner}
Description | The resource owner |
Required | Yes |
Multi-Valued | No |
--sortBy {sortBy}
Description | Specifies how the results should be sorted. Allowed values are: OPERATION_ASCENDING, OPERATION_DESCENDING, ACTOR_ASCENDING, ACTOR_DESCENDING, APP_NAME_ASCENDING, APP_NAME_DESCENDING, DATETIME_ASCENDING, DATETIME_DESCENDING, PURPOSE_NAME_ASCENDING, PURPOSE_NAME_DESCENDING, RESOURCE_NAME_ASCENDING, RESOURCE_NAME_DESCENDING |
Required | No |
Multi-Valued | No |
--operation {operation}
Description | Include only records matching the given action type. Allowed values are: capture, revoke |
Required | No |
Multi-Valued | No |
--filterSubstring {substring}
Description | Include only records where the given substring matches a concatenation of the actor, action type, timestamp, application, action and purpose (ignoring differences in case) |
Required | No |
Multi-Valued | No |
--startTime {startTime}
Description | Exclude records created before the specified time. Time may be specified in absolute form or relative form. Relative form is -Xu where X is an integer and u is a unit, e.g. -2h (2 hours ago), -5d (5 days ago). The leading '-' is required, and the valid units are: m (minute), h (hour), d (day), w (week), M (30-day month), y (365-day year). Absolute form is an ISO 8601 timestamp in which trailing fields are optional, e.g. 2013-01-29T13:47:36.876Z, 2013-01-29. The delimiter characters '-' and ':' are required. If no timezone is specified, the server's timezone is assumed |
Required | No |
Multi-Valued | No |
--endTime {endTime}
Description | Exclude records created after the specified time. Time may be specified in absolute form or relative form. Relative form is +Xu where X is an integer and u is a unit, e.g. +2h (2 hours after the start time), +5d (5 days after the start time). The leading '+' is required, and the valid units are: m (minute), h (hour), d (day), w (week), M (30-day month), y (365-day year). Absolute form is an ISO 8601 timestamp in which trailing fields are optional, e.g. 2013-01-29T13:47:36.876Z, 2013-01-29. The delimiter characters '-' and ':' are required. If no timezone is specified, the server's timezone is assumed |
Required | No |
Multi-Valued | No |
--startIndex {startIndex}
Description | The index number of the first item to be provided in the results. The default value is 0 |
Lower Bound | 0 |
Required | No |
Multi-Valued | No |
--count {count}
Description | The maximum number of items to be provided in the results. By default there is no maximum |
Lower Bound | 1 |
Required | No |
Multi-Valued | No |
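The time-window rules for --startTime and --endTime (identical in this listing and in the policy decision history listing above) and the concatenated-field matching of --filterSubstring are easy to get wrong when scripting against the tool. The following Python model is an added example, not code from consent-admin or the Identity Broker: it reproduces those rules client-side over constructed records so that the effect of a given set of options can be checked before running the real command. It assumes the server's timezone is UTC, that the fields are concatenated without a separator, and that a relative +Xu end time given without a start time is rejected; none of these is stated on the page.

```python
"""Client-side model of the consent-admin history filters (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the server runs in UTC (a missing zone is "the server's timezone").
SERVER_TZ = timezone.utc

# Unit sizes exactly as the option descriptions define them.
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
                "M": 30 * 86400, "y": 365 * 86400}
RELATIVE = re.compile(r"^([+-])(\d+)([mhdwMy])$")
# ISO 8601 with every field right of the year optional; '-' and ':' delimiters required.
ABSOLUTE = re.compile(
    r"^(\d{4})(?:-(\d{2})(?:-(\d{2})(?:T(\d{2})(?::(\d{2})(?::(\d{2})"
    r"(?:\.(\d{1,3}))?)?)?)?)?)?(Z|[+-]\d{2}:?\d{2})?$")


def parse_time(spec, *, now, required_sign, anchor=None):
    """Parse one --startTime ('-' required) or --endTime ('+' required) value.

    Relative start times count back from now; relative end times count forward
    from the start time (anchor), as the option descriptions state.
    """
    m = RELATIVE.match(spec)
    if m:
        sign, amount, unit = m.groups()
        if sign != required_sign:
            raise ValueError(f"relative form must begin with '{required_sign}': {spec}")
        delta = timedelta(seconds=int(amount) * UNIT_SECONDS[unit])
        if sign == "-":
            return now - delta
        if anchor is None:
            # Assumption: the page does not define +Xu without a start time; reject it.
            raise ValueError(f"{spec} needs a --startTime to count forward from")
        return anchor + delta
    m = ABSOLUTE.match(spec)
    if not m:
        raise ValueError(f"neither -Xu/+Xu nor ISO 8601: {spec}")
    year, month, day, hour, minute, second, millis, zone = m.groups()
    tz = SERVER_TZ
    if zone == "Z":
        tz = timezone.utc
    elif zone:
        digits = zone[1:].replace(":", "")
        offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        tz = timezone(offset if zone[0] == "+" else -offset)
    # Omitted trailing fields default to January, the 1st, 00:00:00.000.
    return datetime(int(year), int(month or 1), int(day or 1), int(hour or 0),
                    int(minute or 0), int(second or 0),
                    int((millis or "0").ljust(3, "0")) * 1000, tzinfo=tz)


def time_error(spec, *, now, required_sign, anchor=None):
    """Return why a time value would be rejected, or None if it parses."""
    try:
        parse_time(spec, now=now, required_sign=required_sign, anchor=anchor)
    except ValueError as exc:
        return str(exc)
    return None


# Field order given for --filterSubstring: actor, action type, timestamp, app, action, purpose.
SUBSTRING_FIELDS = ("actor", "operation", "timestamp", "application", "action", "purpose")


def matches_substring(record, substring):
    """Case-insensitive --filterSubstring match against the concatenated fields.

    Assumption: no separator, so a substring can straddle two fields
    ("minrev" matches actor "admin" followed by operation "revoke").
    """
    parts = [record[f].isoformat() if f == "timestamp" else str(record[f])
             for f in SUBSTRING_FIELDS]
    return substring.lower() in "".join(parts).lower()


def filter_history(records, *, now, start=None, end=None, operation=None,
                   substring=None, start_index=0, count=None):
    """Apply the listing options: time window, --operation, --filterSubstring,
    then --startIndex/--count paging. Input order is kept; sorting is the caller's."""
    if operation not in (None, "capture", "revoke"):
        raise ValueError("--operation must be capture or revoke")
    if start_index < 0 or (count is not None and count < 1):
        raise ValueError("--startIndex lower bound is 0, --count lower bound is 1")
    lo = parse_time(start, now=now, required_sign="-") if start else None
    hi = parse_time(end, now=now, required_sign="+", anchor=lo) if end else None
    kept = []
    for rec in records:
        if lo is not None and rec["timestamp"] < lo:   # created before start: excluded
            continue
        if hi is not None and rec["timestamp"] > hi:   # created after end: excluded
            continue
        if operation is not None and rec["operation"] != operation:
            continue
        if substring is not None and not matches_substring(rec, substring):
            continue
        kept.append(rec)
    stop = None if count is None else start_index + count
    return kept[start_index:stop]


# Constructed sample history; not output of the real tool.
NOW = datetime(2013, 2, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [
    {"actor": "joe", "operation": "capture", "application": "Example.com", "action": "Read",
     "purpose": "Marketing", "timestamp": datetime(2013, 1, 29, 13, 47, 36, tzinfo=timezone.utc)},
    {"actor": "admin", "operation": "revoke", "application": "Example.com", "action": "Read",
     "purpose": "Marketing", "timestamp": datetime(2013, 2, 3, 9, 0, tzinfo=timezone.utc)},
    {"actor": "joe", "operation": "capture", "application": "Partner.example", "action": "Read",
     "purpose": "Analytics", "timestamp": datetime(2013, 2, 10, 18, 30, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    # Same window as: --owner joe --startTime -10d --endTime +5d
    for rec in filter_history(SAMPLE_HISTORY, now=NOW, start="-10d", end="+5d"):
        print(rec["timestamp"].isoformat(), rec["actor"], rec["operation"], rec["application"])
    print(time_error("2h", now=NOW, required_sign="-"))
```

Two points the model makes visible: a +Xu end time is measured from the start time rather than from now, so "--startTime -10d --endTime +5d" is a five-day window that ended five days ago, not a window reaching into the future; and because --filterSubstring runs over a single concatenated string, a short substring can match across a field boundary and return records you did not intend, so confirm a narrow filter with --operation and an explicit time window.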
List consent
--owner {owner}
Description | The resource owner |
Required | Yes |
Multi-Valued | No |
--application {name}
Description | The name of the application associated with the consent |
Required | No |
Multi-Valued | No |
--resource {name}
Description | The name of the resource associated with the consent |
Required | No |
Multi-Valued | No |
--startIndex {startIndex}
Description | The index number of the first item to be provided in the results. The default value is 0 |
Lower Bound | 0 |
Required | No |
Multi-Valued | No |
--count {count}
Description | The maximum number of items to be provided in the results. By default there is no maximum |
Lower Bound | 1 |
Required | No |
Multi-Valued | No |
--tab-delimited
Description | Indicates that consent with multiple resource values should display the values all on one line separated by tabs instead of providing each value on a separate line |
List applications for which a given owner has granted consent
--owner {owner}
Description | The resource owner |
Required | Yes |
Multi-Valued | No |
--sortBy {sortBy}
Description | Specifies how the results should be sorted. Allowed values are: NAME_ASCENDING, NAME_DESCENDING, TRUST_LEVEL_ASCENDING, TRUST_LEVEL_DESCENDING, OAUTH2_ENABLED, OAUTH2_DISABLED |
Required | No |
Multi-Valued | No |
--startIndex {startIndex}
Description | The index number of the first item to be provided in the results. The default value is 0 |
Lower Bound | 0 |
Required | No |
Multi-Valued | No |
--count {count}
Description | The maximum number of items to be provided in the results. By default there is no maximum |
Lower Bound | 1 |
Required | No |
Multi-Valued | No |
List resources for which a given owner has granted consent
--owner {owner}
Description | The resource owner |
Required | Yes |
Multi-Valued | No |
--sortBy {sortBy}
Description | Specifies how the results should be sorted. Allowed values are: NAME_ASCENDING, NAME_DESCENDING, URN_ASCENDING, URN_DESCENDING, TRUST_LEVEL_ASCENDING, TRUST_LEVEL_DESCENDING |
Required | No |
Multi-Valued | No |
--startIndex {startIndex}
Description | The index number of the first item to be provided in the results. The default value is 0 |
Lower Bound | 0 |
Required | No |
Multi-Valued | No |
--count {count}
Description | The maximum number of items to be provided in the results. By default there is no maximum |
Lower Bound | 1 |
Required | No |
Multi-Valued | No |
Revoke consent
consent-admin revoke-consent --application Example.com
consent-admin revoke-consent --application Example.com --owner joe
consent-admin revoke-consent --application Example.com --owner joe \
    --purpose Marketing
consent-admin revoke-consent --application Example.com --owner joe \
    --resource E-mail
consent-admin revoke-consent --application Example.com --owner joe \
    --resource E-mail --purpose Marketing
--application {name}
Description | The name of the application associated with the consent |
Required | Yes |
Multi-Valued | No |
--owner {owner}
Description | The resource owner |
Required | No |
Multi-Valued | No |
--resource {name}
Description | The name of the resource associated with the consent |
Required | No |
Multi-Valued | No |
--purpose {name}
Description | The name of the purpose associated with the consent |
Required | No |
Multi-Valued | No |
-V
--version
Description | Display Identity Broker version information |
-H
--help
Description | Display general usage information |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | Identity Broker hostname or IP address |
Default Value | localhost |
Required | No |
Multi-Valued | No |
-p {port}
--httpPort {port}
Description | Identity Broker HTTP(S) port number [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
-Z
--useSSL
Description | Use SSL for secure communication with the server [Default: from the local Identity Broker configuration] |
-X
--trustAll
Description | Trust all server SSL certificates. This disables certificate validation, so the credentials and bearer token the tool sends could be intercepted by anyone able to interpose on the connection; outside of disposable test environments, use --trustStorePath instead |
-P {trustStorePath}
--trustStorePath {trustStorePath}
Description | Certificate trust store path |
Required | No |
Multi-Valued | No |
--propertiesFilePath {propertiesFilePath}
Description | Path to the file that contains default property values used for command-line arguments |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Specify that no properties file will be used to get default command-line argument values |
-n
--no-prompt
Description | Use non-interactive mode. If data in the command is missing, you will not be prompted and the tool will fail |
--adminHostname {host}
Description | The Identity Broker Admin service hostname or IP address, if it differs from that of the OAuth service [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
--adminHttpPort {port}
Description | The Identity Broker Admin service HTTP(S) port number, if it differs from that of the OAuth service [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
-u {authid}
--authId {authid}
Description | The administrator or user ID used to authenticate with the server |
Required | No |
Multi-Valued | No |
-w {password}
--authPassword {password}
Description | The administrator or user password used to authenticate with the server. A password given on the command line is visible to other local users in the process list and may be kept in shell history; prefer --authPasswordFile or, in interactive mode, the prompt |
Required | No |
Multi-Valued | No |
-j {path}
--authPasswordFile {path}
Description | The path to a file containing the administrator or user password used to authenticate with the server |
Required | No |
Multi-Valued | No |
--authClientID {client_id}
Description | The client ID of the internal Identity Broker application, needed by the tool itself to obtain a bearer token to access the server [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
--authClientSecret {client_secret}
Description | The client secret of the internal Identity Broker application, needed by the tool itself to obtain a bearer token to access the server [Default: from the local Identity Broker configuration]. Like -w, a secret given on the command line is exposed in the process list and shell history; prefer the local configuration default |
Required | No |
Multi-Valued | No |
--userMetadataHostname {host}
Description | The Identity Broker User Metadata service hostname or IP address, if it differs from that of the OAuth service [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
--userMetadataHttpPort {port}
Description | The Identity Broker User Metadata service HTTP(S) port number, if it differs from that of the OAuth service [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
--scimHostname {host}
Description | The Identity Broker SCIM service hostname or IP address, if it differs from that of the OAuth service [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
--scimHttpPort {port}
Description | The Identity Broker SCIM service HTTP(S) port number, if it differs from that of the OAuth service [Default: from the local Identity Broker configuration] |
Required | No |
Multi-Valued | No |
--script-friendly
Description | Use script-friendly mode |
-F {batchFilePath}
--batch-file {batchFilePath}
Description | Path to a file containing a sequence of commands to run |
Required | No |
Multi-Valued | No |
-c
--continueOnError
Description | Continue processing even if there are errors |
-Q
--quiet
Description | Use quiet mode |
--help-subcommands
Description | Display all subcommands |