User Management

Available Functionality

Platform management APIs expose the following platform functionality:

Management scenarios	Authentication methods
User management—create, update, or delete users or groups, and manage organization settings	External applications

Base URL

All Platform Management API calls are made using HTTP methods to the base URL.

It is recommended to encrypt the data you send via API calls, by using the https protocol.

Note:

For Automation Cloud and Automation Suite deployments, all Identity Server URLs contain the /identity_ segment.
For standalone deployments, all Identity Server URLs contain the /identity segment.

Resource List

Platform Management APIs give your application control over the following resources:

User Management

Audit

GET {BaseURL}/identity/api/AuditQuery/{organizationId} - Retrieves the audit logs for the specified organization ID.
GET {BaseURL}/identity/api/AuditQuery/{organizationId}/download - Downloads the audit logs for the specified organization ID.

Group

GET {BaseURL}/identity/api/Group/{partitionGlobalId} - Retrieves all local and built-in groups from the specified partition ID (either organization or tenant).
GET {BaseURL}/identity/api/Group/{partitionGlobalId}/{groupId} - Retrieves the specified local or built-in group in the specified partition ID.
POST {BaseURL}/identity/api/Group - Creates a new local group.
PUT {BaseURL}/identity/api/Group/{groupId} - Updates a local group information.
DELETE {BaseURL}/identity/api/Group/{partitionGlobalId} - Deletes all local groups from the specified partition ID (either organization or tenant).
DELETE {BaseURL}/identity/api/Group/{partitionGlobalId}/{groupId} - Deletes the specified local group.

MessageTemplate

GET {BaseURL}/identity/api/MessageTemplate - Retrieves a message template using the provided filter.
GET {BaseURL}/identity/api/MessageTemplate/{templateId} - Retrieves the specified message template.
PUT {BaseURL}/identity/api/MessageTemplate/{templateId}- Updates the specified message template.

RobotAccount

GET {BaseURL}/identity/api/RobotAccount/{partitionGlobalId} - Retrieves all robot accounts in the specified partition ID (either organization or tenant).
GET {BaseURL}/identity/api/RobotAccount/{partitionGlobalId}/{robotAccountId} - Retrieves the specified robot account in the specified partition ID.
POST {BaseURL}/identity/api/RobotAccount - Creates a new robot account.
PUT {BaseURL}/identity/api/RobotAccount/{robotAccountId} - Updates the specified robot account information.
DELETE {BaseURL}/identity/api/RobotAccount/{partitionGlobalId}/{robotAccountId} - Deletes the specified robot account.
DELETE {BaseURL}/identity/api/RobotAccount/{partitionGlobalId} - Deletes all robot accounts in the specified partition ID.

Setting

GET {BaseURL}/identity/api/Setting - Retrieves an application settings based on a list of keys for a specific tenant.
PUT {BaseURL}/identity/api/Setting - Updates or creates new settings in a specific tenant.

User

GET {BaseURL}/identity/api/User/{userId} - Retrieves information about the specified user.
POST {BaseURL}/identity/api/User - Creates a new user. This endpoint is idempotent: Trying to overwrite a user deletes the existing one.
POST {BaseURL}/identity/api/User/BulkCreate - Creates users in bulk.
POST {BaseURL}/identity/api/User/{userId}/changepassword - Updates the password for the specified user.
PUT {BaseURL}/identity/api/User/{userId} - Updates the specifid user information.
DELETE {BaseURL}/identity/api/User - Deletes all users.
DELETE {BaseURL}/identity/api/User/{userId} - Deletes the specified user.

UserLoginAttempt

GET {BaseURL}/identity/api/User/{userId}/loginAttempts - Retrieves the login attempts of the specified user.

Scopes Per API Resource

Scopes define your application level of access to the Platform Management resources.

For example, to generate an authentication token for your application, you pass in several scopes. When your application makes an API call to access a resource, the token is validated against the resource scopes. If the resource is included in the scopes you passed in at token request, the call is successful, and it further checks for user permissions per endpoint (Read permissions for GET requests, and Write permissions for POST, PUT, or DELETE requests). Otherwise, the server rejects the call.

Permissions Per Endpoint

Permissions grant your application users the access to a specific functionality inside a resource. Each permission is linked to a scope. After your application successfully accesses the resource, the server checks if the authenticated user has the right permission for the corresponding method of the endpoint.

For example, you may restrict some users from deleting or updating user groups, but still they can view them.

Generically, GET methods require Read permissions, while POST, PUT, and DELETE methods require Write permissions.

Scopes and Permissions List

User Management

The table below summarizes the required scopes and permissions to perform a specific action:

Resource	Scopes	Permissions
AuditQuery	PM.Audit	PM.Audit.Read (for GET requests)
Group	PM.Group	PM.Group.Read (for GET requests) PM.Group.Write (for POST, PUT, and DELETE requests)
MessageTemplate	PM.MessageTemplate	PM.MessageTemplate.Read (for GET requests) PM.MessageTemplate.Write (for PUT requests)
RobotAccount	PM.RobotAccount	PM.RobotAccount.Read (for GET requests) PM.RobotAccount.Write (for POST, PUT, and DELETE requests)
Setting	PM.Setting	PM.Setting.Read (for GET requests) PM.Setting.Write (for PUT requests)
User	PM.User	PM.User.Read (for GET requests) PM.User.Write (for POST, PUT, or DELETE requests)
UserLoginAttempt	PM.UserLoginAttempt	PM.UserLoginAttempt.Read (for GET requests)