API Documentation v1

REST API Access Manager 2024.2.0.0 Manual for Developers

Glossary

Term Meaning
AM BAYOOSOFT Access Manager
API Application Programming Interface
REST REpresentational State Transfer
HTTP Hypertext Transfer Protocol
URI Uniform Resource Identifier
JSON JavaScript Object Notation

Introduction

The Access Manager API allows external software products to control functions of Access Manager. The API is HTTP-based RESTful API which adhere the REST architectural constraints.

General

Paths

All paths in the API start with {Domain}/api/{version}. The current version of the API is v1.

An access to an API resource is thus for example via the URL http://{domain}/api/v1/resource.

Special characters in query parameters must be encoded if necessary. In some cases it may be necessary to replace a blank character by %20, a backslash \ by %5C and the forward slash / by %2F. For example, \\\\server\\name\\share name\\folder name becomes %5C%5Cserver%20name%5Cshare%20name%5Cfolder%20name.

Validation

All actions, that can be performed using the API, can also be performed via the AM web frontends. However, input data is validated less strictly by the API than it is by the web frontends. Meaning, a request that causes a validation error by the web frontend could still be valid for the API.

System generated IDs

Throughout the AM API, artificial IDs, generated by the system, are used to identify resources. A resource ID returned by the API will remain valid as long as the resource exists but may become invalid if certain aspects of the resource (e.g.its name) change. Also, it cannot be guaranteed that resource IDs remain compatible over several versions of AM.

Error messages

The error messages provided by the AM API are only informational.

HTTP Messages

The client and server talk to each other via messages. Clients send a request to the server, and the server replies with a response. Apart from the actual data, these messages also contain some metadata about the message. It is important to have some background knowledge about the HTTP 1.1 request and response formats.

HTTP Request

An HTTP request has the format which consists of:

<VERB> is one of the HTTP methods like GET, PUT, POST, DELETE etc.

<URI> is the URI of the resource on which the operation is going to be performed.

<HTTP Version> is the version of HTTP, generally HTTP v1.1.

<Request Header> contains the metadata as a collection of key-value pairs of headers and their values. These settings contain information about the message and its sender like client type, the formats the client supports, format type of the message body, cache settings for the response, and many more information.

<Request Body> is the actual message content. In this API, if the content has been provided in request body to any method of the service, it should always be in JSON format.

HTTP Response

An HTTP Response has the format which consists of:

The server returns <Response Code>, which contains the status of the request. This response code is generally the 3-digit HTTP status code.

Status codes indicate the result of the HTTP request.

Code Meaning
1XX Informational
2XX Success
3XX Redirection
4XX Client Error
5XX Server Error

<Response Header> contains the metadata and settings about the response message.

<Response Body> contains the representation of data if returned by the method.

Authentication

To access the API, the user must have been assigned the role API User. The user rights can be assigned or updated under Administrator / Settings / System Roles.

Authentication in AM API is always done against active directory users. A technical service account should be created in order to access the API. The available authentication methods depend on IIS configuration. The following methods have been tested to work:

The used method depends on the client's capabilities and operating system. Basic Authentication guarantees maximum compatibility, but please make sure to use TLS / SSL secured connection because credentials are transmitted in clear text.

Token-based authentication using OAuth or OAuth2 mechanism is currently not supported.

Resources and Methods

The following chapters describe all resources provided by the Access Manager API and their applicable methods.

The following modules of Access Manager are relevant:

Dependent on the module, some parameters can only have values as shown in the table below.

module location permission
FolderManagement Full UNC directory path (e.g., \\server\share\folder) read, write
SharePoint URL (e.g., https://example.com/site) read, write, design
ThirdParty Item Collection/Item (e.g., Printers/Inkjet) See Permission Set of Location.
Profile Profile name (e.g., Marketing) profilemembership

In addition to the possible error responses described in each of the following chapters, every API method can return the error response 400 Bad Request. This response indicates that the request was malformed and should not be repeated without modifications. Possible reasons for a 400 response include:

Permissions

With the resource Permissions, access rights or permissions for supported locations can be managed. It can be accessed by the path /permissions.

The JSON representation of a permission object is defined below:

CreatePermissionModel:

{
  "module": "FolderManagement or SharePoint or ThirdParty or Profile",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User or Profile",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or UserProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership", // See permission set of location
  "valid_from": "YYYY-MM-DD", // optional date
  "valid_through": "YYYY-MM-DD" // optional date
}

PermissionResponseModel:

{
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ", // System generated permission id
  "module": "FolderManagement or SharePoint or ThirdParty or Profile",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User or Profile",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or UserProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership", // See permission set of location
  "valid_from": "YYYY-MM-DD", // optional date
  "valid_through": "YYYY-MM-DD" // optional date
}

Get Permissions by URL Parameters

GET /api/v1/permissions

Gets a list of permissions filtered by user_id or location.

This method only returns individual (direct) permissions or permissions via profiles on a location.
To get the effective permissions on a location, use Get Effective Permissions of a Location on the Locations resource.

Parameters

Name In Type Required Description
module query TargetType false Can be one or more valid module strings, separated by commas. If omitted, falls back to FolderManagement.
location query string false Either location or user_id is required.
subject_type query SubjectType false Can be User or Profile or both, separated by comma. If omitted, falls back to User.
user_id query string false Either location or user_id is required.
permission query string false none
valid_from query string(date) false none
valid_through query string(date) false none

Detailed descriptions

subject_type: Can be User or Profile or both, separated by comma. If omitted, falls back to User.
If user_id is supplied, the combination of both User and Profile is not allowed.
When using User, user_id must be an active directory user or group name.
When using Profile, user_id must be a profile name.

Enumerated Values

Parameter Value
module FolderManagement
module SharePoint
module Profile
module ThirdParty
subject_type User
subject_type Profile

Example responses

200 Response

[
  {
    "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
    "module": "FolderManagement",
    "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
    "subject_type": "User",
    "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
    "permission": "read or write or design or owner or member or visitor or profilemembership",
    "valid_from": "2024-07-26",
    "valid_through": "2024-07-26",
    "comment": "string"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) list of permissions. Inline
409 Conflict If neither user_id nor location are provided, the message "At least one of the filter parameters location or user_id is required." is returned. ErrorResponseModel

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [PermissionResponseModel] false none none
» id string true none System generated permission id.
» module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
» location string true none Must be a UNC path, URL, 3rd-Party-Item location or profile name, depending on module.
» subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
» user_id string true none Must be an Active Directory user sAMAccountName or group name with NetBIOS domain name prefix, a Microsoft Entra user principal name, or a profile name, depending on subject_type.
» permission string true none See Permission Set of Location.
» valid_from string(date)¦null false none Optional start date, only valid for profile permissions.
» valid_through string(date)¦null false none Optional expiration date.
» comment string¦null false none Optional permission comment

Enumerated Values

Property Value
module FolderManagement
module SharePoint
module Profile
module ThirdParty
subject_type User
subject_type Profile

Add Permission

POST /api/v1/permissions

Adds new privileges to a user or a profile on a certain location.

The request body must be a JSON object containing the module, location, subject_type, user_id, the permission to grant, and optional start (valid_from) and expiration (valid_through) dates.

If the supplied location uses supplementary permissions, and the supplied user_id already has different permissions on the location, the supplied permission is added to the user’s permissions and the start (valid_from) and expiration (valid_through) dates are replaced on all of the user’s permissions on the location.

Body parameter

{
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Parameters

Name In Type Required Description
body body CreatePermissionModel true none

Example responses

201 Response

{
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Responses

Status Meaning Description Schema
201 Created Response Header: Location: /api/v1/permissions/{permissionId} PermissionResponseModel
400 Bad Request If the request model is invalid, the message "The request is invalid." is returned. ErrorResponseModel
409 Conflict If the given user_id does not exist in the identity store identified by subject_type, the message "The request is invalid." is returned. If location is invalid, the message "Location not found." is returned. If permission is invalid, the message "Invalid permission." is returned. If the user, group or profile is already permitted, the message "Subject already permitted." is returned. If the user, group or profile cannot be permitted on the supplied location because of mismatching Active Directory domains or Microsoft Entra tenants, the message "The domain or tenant of the supplied subject and location do not match." is returned. ErrorResponseModel

Get Permission by PermissionId

GET /api/v1/permissions/{permissionId}

Gets the permission details of the provided permissionId.

Parameters

Name In Type Required Description
permissionId path string true System generated permission id.

Example responses

200 Response

{
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Responses

Status Meaning Description Schema
200 OK A single permission for locations using exclusive permissions or a list of permissions for locations using supplementary permissions. PermissionResponseModel
404 Not Found If the given permissionId does not exist in AM, the message "Permission not found." is returned. ErrorResponseModel

Remove Permission

DELETE /api/v1/permissions/{permissionId}

Removes the permission identified by permissionId.

Parameters

Name In Type Required Description
permissionId path string true System generated permission id.
permission query string false If the location uses supplementary permissions, the permission to be deleted can be identified using the optional query parameter permission.
comment query string false Optional permission comment

Detailed descriptions

permission: If the location uses supplementary permissions, the permission to be deleted can be identified using the optional query parameter permission.
If the permission parameter is omitted, all permissions of the user on the location are deleted.

Example responses

404 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
204 No Content No Content None
404 Not Found If the given permissionId does not exist in AM, the message "Permission not found." is returned. ErrorResponseModel
409 Conflict If permission is invalid, the message "Invalid permission." is returned. ErrorResponseModel

Update Permission

PUT /api/v1/permissions/{permissionId}

Updates the access rights (permission) or also start (valid_from) and expiry (valid_through) dates of a user or a profile to access a particular location.

The permission must already exist in the system.
It cannot be used to create new permissions.
The request body must be a JSON object containing the permission to update and optional start (valid_from) and expiry (valid_through) dates.
The permissionId must be passed in the URL.
If the start (valid_from) or expiry (valid_through) date is null or not provided in the request, it will be removed from AM.

If the location uses supplementary permissions, the permission parameter must contain the value *.
Only valid_from and valid_through are updated on all permissions of the user on the location.

Body parameter

{
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Parameters

Name In Type Required Description
permissionId path string true System generated permission id.
body body UpdatePermissionModel true none

Example responses

200 Response

{
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Responses

Status Meaning Description Schema
200 OK A single permission for locations using exclusive permissions or a list of permissions for locations using supplementary permissions. PermissionResponseModel
400 Bad Request If the request model is invalid, the message "The request is invalid." is returned. ErrorResponseModel
404 Not Found If the given permissionId does not exist in AM, the message "Permission not found." is returned. ErrorResponseModel
409 Conflict If permission is invalid, the message "Invalid permission." is returned. ErrorResponseModel

Scheduler

With the resource Scheduler, jobs can be scheduled. It can be accessed by the path /scheduler.

Schedule Renew Access Settings

POST /api/v1/scheduler/triggers/renew_access_settings

Schedules a job that renews the access settings.

This method works differently depending on the value of field offset_minutes:

The job being scheduled and the required format of path depend on the supplied module:

Supplied module Example path Job name
FolderManagement \\server\share\folder MaintainFolderPermissions
SharePoint http://host/path MaintainSitePermissions
ThirdParty ItemCollectionName/ItemName MaintainItemPermissions

Body parameter

{
  "offset_minutes": 10,
  "data": {
    "module": "FolderManagement",
    "path": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName"
  }
}

Parameters

Name In Type Required Description
body body RenewAccessSettingsTriggerRequestModel false none

Example responses

409 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
202 Accepted Success Response. None
409 Conflict If the combination of module and path is incorrect, the message "Location not found." is returned. ErrorResponseModel

Locations

With the resource Locations, different kinds of information about locations like folders and sites can be requested. It can be accessed by the path /locations.

Each AM module supports different types of locations. The following types are supported:

module type subtypes Example location Description
FolderManagement ResourceGroup Server Can, but does not have to, represent a fileserver
FolderCollection \\server\share Can, but does not have to, represent a network share on a fileserver
ManagedFolderCollection \\server\share Can, but does not have to, represent a network share on a fileserver whose access permissions are being managed by AM
Folder \\server\share\folder A filesystem folder below a network share on a fileserver
RightsFolder \\server\share\folder A folder whose access permissions are being managed by AM
SharePoint SiteCollection https://example.com A web site collection on a SharePoint server
ManagedSiteCollection https://example.com A web site collection whose access permissions are being managed by AM
Site https://example.com/site A web site below a web site collection on a SharePoint server
ManagedSite https://example.com/site A web site whose access permissions are being managed by AM
ThirdParty ThirdPartyItemCollection [ActiveDirectoryItemCollection] Printers A collection of 3rd party items backed by Active Directory groups
[MsTeamsItemCollection] Teams Collection A collection of 3rd party items backed by Microsoft Teams
[SharePointItemCollection] Site Collection A collection of 3rd party items backed by Microsoft SharePoint
ThirdPartyItem [ActiveDirectoryItem] Printers/Inkjet A 3rd party item backed by Active Directory groups whose Active Directory group memberships are being managed by AM
[MsTeamsItem, MsTeamsTeam] Teams Collection/Marketing Team A 3rd party item backed by Microsoft Teams whose Team memberships are being managed by AM
[SharePointItem, SharePointSite, SharePointTeamSiteMs365Group] Site Collection/Marketing Team Site A 3rd party item backed by a Microsoft SharePoint Team Site with a Microsoft 365 Group whose permissions are being managed by AM
[SharePointItem, SharePointSite, SharePointTeamSiteSpGroups] Site Collection/Other Team Site A 3rd party item backed by a Microsoft SharePoint Team Site with SharePoint Groups whose permissions are being managed by AM
[SharePointItem, SharePointSite, SharePointCommunicationSite] Site Collection/Public Marketing Site A 3rd party item backed by a Microsoft SharePoint Communication Site whose permissions are being managed by AM
Profile UserProfile Marketing A user profile within Access Manager with no responsibles assigned
ManagedUserProfile Marketing A user profile within Access Manager with at least one responsible assigned
OrgProfile Marketing An organizational profile within Access Manager

Get Locations by URL Parameters

GET /api/v1/locations

Gets a possibly filtered list of all locations known to AM.

The list can optionally be filtered using a combination of query parameters. Omitted filters are not applied. The following query parameters are supported:

module: If set, only locations of the given module are returned. Required, if location is set.

onlyVisibleInSsp: If set to true, only locations that are visible in the AM Self Service Portal (SSP) are returned.
Setting this filter to false has the same effect as omitting it: all locations are returned regardless of their visibility in the SSP.
This filter is ignored if location is set.

location: Load only the given location. If set, module must also be specified and onlyVisibleInSsp is ignored.

A successful request will return a (possibly empty) unordered list of location objects.
Each location object contains a system generated location identifier (id), a module, a location (e.g., folder path or site URL), a type (e.g., RightsFolder or ManagedSite) and the fields requests_enabled and supplementary_permissions.

requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection.
On location object of other types, it will always be null.
requests_enabled indicates, whether permissions on this location can be requested using the SSP.
It has no impact on the request API resource.
As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.

supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).

Parameters

Name In Type Required Description
Module query TargetType false If set, only locations of the given module are returned. Required, if location is set.
OnlyVisibleInSsp query boolean false If set to true, only locations that are visible in the AM Self Service Portal (SSP) are returned.
Location query string false Load only the given location. If set, module must also be specified and onlyVisibleInSsp is ignored.

Detailed descriptions

OnlyVisibleInSsp: If set to true, only locations that are visible in the AM Self Service Portal (SSP) are returned. Setting this filter to false has the same effect as omitting it: all locations are returned regardless of their visibility in the SSP. This filter is ignored if location is set.

Enumerated Values

Parameter Value
Module FolderManagement
Module SharePoint
Module Profile
Module ThirdParty

Example responses

200 Response

[
  {
    "type": "ResourceGroup",
    "id": "Zm0tZl9pZC00Mg",
    "requests_enabled": true,
    "supplementary_permissions": true,
    "module": "FolderManagement",
    "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of LocationResponseModel, ResourceGroupResponseModel or FolderCollectionResponseModel. Inline
400 Bad Request If module is invalid, the message "The value 'module' is not valid for Module." is returned. ErrorResponseModel

Response Schema

Enumerated Values

Property Value
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
domain_mode SingleDomain
domain_mode MultiDomain
domain_mode MultiDomainOptimized
deviation_strategy IdentifyAndCorrect
deviation_strategy Identify
deviation_strategy Ignore
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile

Add Location

POST /api/v1/locations

Adds a new location.

The required format of the request model varies based on the location type:

ResourceGroup: CreateResourceGroupModel

{
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "ResourceGroupName",
  "description": "string"
}

FolderCollection: CreateFolderCollectionModel

{
  "type": "FolderCollection",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder",
  "resource_group_id": "Zm0tcmdpZC0x",
  "display_name": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "MultiDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true
}

If any other location type is provided, the API will respond with a 400 Bad Request response.

Body parameter

{
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Parameters

Name In Type Required Description
body body any true An instance of CreateResourceGroupModel or CreateFolderCollectionModel.

Example responses

201 Response

{
  "type": "ResourceGroup",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Responses

Status Meaning Description Schema
201 Created Response Header: Location: /api/v1/locations/{locationId}. Response Body: An instance of ResourceGroupResponseModel or FolderCollectionResponseModel. Inline
400 Bad Request If the request model is invalid, the message "The request is invalid." is returned. If the given location does not support creation, the message "Provided location does not support this operation." is returned. ErrorResponseModel
409 Conflict If the provided location is invalid, the message "Invalid location." is returned. If the provided resource_group_id is invalid, the message "Invalid resource group id." is returned. ErrorResponseModel

Response Schema

Enumerated Values

Property Value
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
domain_mode SingleDomain
domain_mode MultiDomain
domain_mode MultiDomainOptimized
deviation_strategy IdentifyAndCorrect
deviation_strategy Identify
deviation_strategy Ignore
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile

Get Information by LocationId

GET /api/v1/locations/{locationId}

Returns details of the location identified by the provided locationId.

This requires an HTTP GET query including the locationId is sent to /locations.

Parameters

Name In Type Required Description
locationId path string true System generated location id.

Example responses

200 Response

{
  "type": "ResourceGroup",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Responses

Status Meaning Description Schema
200 OK An instance of LocationResponseModel, ResourceGroupResponseModel or FolderCollectionResponseModel. Inline
404 Not Found If the given location does not exist in AM, the message "Location not found." is returned. ErrorResponseModel

Response Schema

Enumerated Values

Property Value
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
domain_mode SingleDomain
domain_mode MultiDomain
domain_mode MultiDomainOptimized
deviation_strategy IdentifyAndCorrect
deviation_strategy Identify
deviation_strategy Ignore
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile

Remove Location

DELETE /api/v1/locations/{locationId}

Removes the location identified by the provided locationId.

This requires an HTTP DELETE query including the locationId is sent to /locations.

Only locations of type ResourceGroup, ManagedFolderCollection and FolderCollection support deletion. If any other location type is provided, the API will respond with a 400 Bad Request response.

Body parameter

{
  "type": "ResourceGroup"
}

Parameters

Name In Type Required Description
locationId path string true System generated location id.
body body LocationRequestModel true none

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
204 No Content No Content None
400 Bad Request If the request model is invalid, the message "The request is invalid." is returned. If the given location does not support deleting, the message "Provided location does not support this operation." is returned. If the provided locationId does not match the location type, the message "Provided locationId does not match location type." is returned. ErrorResponseModel
404 Not Found If the given location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict Only resource groups that don't contain any folder collections can be deleted. If the given location is a resource group and still contains folder collections, the message "Resource group contains folder collections." is returned. ErrorResponseModel

Update Location

PUT /api/v1/locations/{locationId}

Updates the properties of the particular location.

The location must already exist in the system.
It cannot be used to create a new location.

the JSON object is required to contain the type of the location to update and additional required properties in the request body. The locationId is required to be passed in the URL.
The type of the location cannot be changed.
If any property is null or not provided in the request,
it will be removed from AM.

The required format of the request model varies based on the location type:

ResourceGroup: UpdateResourceGroupModel

{
  "type": "ResourceGroup",
  "location": "ResourceGroupName",
  "description": "string"
}

FolderCollection or ManagedFolderCollection: UpdateFolderCollectionModel

{
  "type": "FolderCollection",
  "display_name": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "MultiDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true
}

If any other location type is provided, the API will respond with a 400 Bad Request response.

Body parameter

{
  "type": "ResourceGroup"
}

Parameters

Name In Type Required Description
locationId path string true System generated location id.
body body any true An instance of UpdateResourceGroupModel or UpdateFolderCollectionModel.

Example responses

200 Response

{
  "type": "ResourceGroup",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Responses

Status Meaning Description Schema
200 OK An instance of ResourceGroupResponseModel or FolderCollectionResponseModel. Inline
400 Bad Request If the request model is invalid, the message "The request is invalid." is returned. If the given location does not support updating, the message "Provided location does not support this operation." is returned. If the provided locationId does not match the location type, the message "Provided locationId does not match location type." is returned. ErrorResponseModel
404 Not Found If the given location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict If the provided location is invalid, the message "Invalid location." is returned. ErrorResponseModel

Response Schema

Enumerated Values

Property Value
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
domain_mode SingleDomain
domain_mode MultiDomain
domain_mode MultiDomainOptimized
deviation_strategy IdentifyAndCorrect
deviation_strategy Identify
deviation_strategy Ignore
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile

Get Owners of a Location

GET /api/v1/locations/{locationId}/owners

Gets the owners of the location identified by the provided locationId.

This requires an HTTP GET query including the locationId is sent to /locations and the part /owners behind the id.

Only locations of type FolderCollection, ManagedFolderCollection, Folder, RightsFolder, SiteCollection, ManagedSiteCollection, Site, ManagedSite and ThirdPartyItem support owners. If the provided locationId belongs to a ResourceGroup, a ThirdPartyItemCollection, a UserProfile, a ManagedUserProfile, or an OrgProfile, the API will respond with a 400 Bad Request response.

Parameters

Name In Type Required Description
locationId path string true System generated location id.

Example responses

200 Response

[
  {
    "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
    "location_id": "Zm0tZl9pZC00Mg",
    "user_id": "DOMAIN\\account.name"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of location owners. Inline
400 Bad Request If the given location does not support owners, the message "Provided location does not support this operation." is returned. ErrorResponseModel
404 Not Found If the given location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [LocationUserResponseModel] false none none
» id string¦null false none System generated location user id
» location_id string¦null false none System generated location id
» user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

Replace Owners of a Location

PUT /api/v1/locations/{locationId}/owners

Replaces the owners of the location identified by locationId with the provided list of owners.

Only locations of type FolderCollection, ManagedFolderCollection, Folder, RightsFolder, SiteCollection, ManagedSiteCollection, Site, ManagedSite and ThirdPartyItem support owners. If the provided locationId belongs to a ResourceGroup, a ThirdPartyItemCollection, a UserProfile, a ManagedUserProfile, or an OrgProfile, the API will respond with a 400 Bad Request response.

If the location is managed, i.e. it is a ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, or ThirdPartyItem, the provided list of owners must contain at least one entry. Otherwise, the API will respond with a 409 Conflict response.

Body parameter

[
  {
    "user_id": "DOMAIN\\account.name"
  }
]

Parameters

Name In Type Required Description
locationId path string true System generated location id.
body body LocationUserRequestModel true An list of LocationUserRequestModels.

Example responses

200 Response

[
  {
    "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
    "location_id": "Zm0tZl9pZC00Mg",
    "user_id": "DOMAIN\\account.name"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of location owners. Inline
400 Bad Request If the location does not support owners, the message "Provided location does not support this operation." is returned.
If any of the provided owners does not exist, the message "The following users were not found: [list of account names]" is returned. ErrorResponseModel
404 Not Found If the location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict If the location is managed and the provided list of owners is empty, the message "Managed locations must have at least one owner." is returned. ErrorResponseModel

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [LocationUserResponseModel] false none none
» id string¦null false none System generated location user id
» location_id string¦null false none System generated location id
» user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

Get Responsibles of a Location

GET /api/v1/locations/{locationId}/responsibles

Gets the responsibles of the location identified by the provided locationId.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile support responsibles. If the provided locationId belongs to a FolderCollection, a Folder, a SiteCollection or a Site, the API will respond with a 409 Conflict response. If it belongs to any other location type, the API will respond with a 400 Bad Request response.

Parameters

Name In Type Required Description
locationId path string true System generated location id.

Example responses

200 Response

[
  {
    "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
    "location_id": "Zm0tZl9pZC00Mg",
    "user_id": "DOMAIN\\account.name"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of location responsibles. Inline
400 Bad Request If the given location does not support responsibles, the message "Provided location does not support this operation." is returned. ErrorResponseModel
404 Not Found If the given location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict If the given location is unmanaged, the message "Provided location is unmanaged." is returned. ErrorResponseModel

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [LocationUserResponseModel] false none none
» id string¦null false none System generated location user id
» location_id string¦null false none System generated location id
» user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

Replace Responsible of a Location

PUT /api/v1/locations/{locationId}/responsibles

Replaces the responsible of the location identified by locationId with the provided list of responsibles.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile support responsibles. If the provided locationId belongs to a FolderCollection, a Folder, a SiteCollection or a Site, the API will respond with a 409 Conflict response. If it belongs to any other location type, the API will respond with a 400 Bad Request response.

Unless the location is a UserProfile, ManagedUserProfile or OrgProfile, the provided list of responsibles must contain at least one entry. Otherwise, the API will respond with a 409 Conflict response.

If the location is a UserProfile and has a member synchronization group configured, the API will respond with a 409 Conflict response.

Body parameter

[
  {
    "user_id": "DOMAIN\\account.name"
  }
]

Parameters

Name In Type Required Description
locationId path string true System generated location id.
body body LocationUserRequestModel true An list of LocationUserRequestModels.

Example responses

200 Response

[
  {
    "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
    "location_id": "Zm0tZl9pZC00Mg",
    "user_id": "DOMAIN\\account.name"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of location responsibles. Inline
400 Bad Request If the location does not support responsibles, the message "Provided location does not support this operation." is returned.
If any of the provided responsibles does not exist, the message "The following users were not found: [list of account names]" is returned. ErrorResponseModel
404 Not Found If the location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict If the given location is unmanaged, the message "Provided location is unmanaged." is returned.

If the provided list of responsibles is empty and the location is not a UserProfile, ManagedUserProfile or OrgProfile, the message "Managed locations must have at least one responsible." is returned.
If the location is a UserProfile and has a Member Synchronization Group configured, the message "User profiles with member synchronization groups configured do not support responsibles." is returned.|ErrorResponseModel|

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [LocationUserResponseModel] false none none
» id string¦null false none System generated location user id
» location_id string¦null false none System generated location id
» user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

Get Effective Permissions of a Location

GET /api/v1/locations/{locationId}/effective-permissions

Gets the effective permissions on the location identified by the provided locationId.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile support effective permissions.
If the provided locationId belongs to a FolderCollection, a Folder, a SiteCollection, or a Site, the API will respond with a 409 Conflict response.
If it belongs to any other location type, the API will respond with a 400 Bad Request response.

This method only returns effective permissions on the location.
To get direct permissions, use Get Permissions by URL Parameters.
Note that profiles only have direct members, so effective and direct permissions should be identical.

Parameters

Name In Type Required Description
locationId path string true System generated location id.

Example responses

200 Response

[
  {
    "permission": "read or write or design or profilemembership",
    "valid_from": "2024-07-26",
    "valid_through": "2024-07-26",
    "origin": "string",
    "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
    "location_id": "Zm0tZl9pZC00Mg",
    "user_id": "DOMAIN\\account.name"
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of effective permissions. Inline
400 Bad Request If the given location does not support effective permissions, the message "Provided location does not support this operation." is returned. ErrorResponseModel
404 Not Found If the given location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict If the given location is unmanaged, the message "Provided location is unmanaged." is returned. ErrorResponseModel

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [LocationEffectivePermissionResponseModel] false none none
» permission string¦null false none See Permission Set of Location.
» valid_from string(date)¦null false none Optional start date, only valid for profile permissions.
» valid_through string(date)¦null false none Optional expiration date.
» origin string¦null false none null or name of the origin profile.
» id string¦null false none System generated location user id
» location_id string¦null false none System generated location id
» user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

Get Permission Set of a Location

GET /api/v1/locations/{locationId}/permission-set

Gets the permission set on the location identified by the provided locationId.

The permissions in this set are those that must be used when working with permissions on this location.
For example, when creating a permission assign request.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile have a permission set.

Parameters

Name In Type Required Description
locationId path string true System generated location id.

Example responses

200 Response

[
  {
    "permission": "read or write or design or profilemembership",
    "display_names": {
      "en": "Read",
      "de": "Lesen"
    },
    "default": true
  }
]

Responses

Status Meaning Description Schema
200 OK An unordered list of permission definitions. Inline
400 Bad Request If the given location does not have a permission set, the message "Provided location does not support this operation." is returned. ErrorResponseModel
404 Not Found If the given location does not exist in AM, the message "Provided location does not exist." is returned. ErrorResponseModel
409 Conflict If the given location is unmanaged, the message "Provided location is unmanaged." is returned. ErrorResponseModel

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [LocationPermissionSetModel] false none none
» permission string¦null false none The permission id to be used to identify this permission on all API methods where a permission must be provided.
» display_names object¦null false none Display names for this permission in all languages.
»» additionalProperties string¦null false none none
» default boolean false none Indicates whether this is the default permission of the permission set.

Agent Groups

With the resource AgentGroups, information about agent groups can be requested. It can be accessed by the path /agent-groups.

Get Agent Groups

GET /api/v1/agent-groups

Returns a list of all agent groups known to AM.

Example responses

200 Response

[
  {
    "name": "string",
    "description": "string",
    "assigned_agents": [
      {
        "name": "string",
        "last_config_update": "2024-07-26",
        "status": "IsUnassigned"
      }
    ],
    "assigned_locations": [
      {
        "type": "ResourceGroup",
        "module": "FolderManagement",
        "location": "string",
        "id": "Zm0tZl9pZC00Mg",
        "requests_enabled": true,
        "supplementary_permissions": true
      }
    ]
  }
]

Responses

Status Meaning Description Schema
200 OK A (possibly empty) unordered list of agent groups. Inline

Response Schema

Status Code 200

Name Type Required Restrictions Description
anonymous [AgentGroupResponseModel] false none none
» name string¦null false none none
» description string¦null false none none
» assigned_agents [AgentResponseModel]¦null false none none
»» name string¦null false none none
»» last_config_update string(date)¦null false none none
»» status AgentStatus false none none
» assigned_locations [ILocationResponseModel]¦null false none none
»» type LocationType false none none
»» module TargetType false none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
»» location string¦null false none none
»» id string¦null false none none
»» requests_enabled boolean¦null false none none
»» supplementary_permissions boolean false none none

Enumerated Values

Property Value
status IsUnassigned
status IsAssigned
status UnassignmentPending
status AssignmentPending
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty

Requests

With the resource Requests, different kinds of requests can be managed. All request types share the common path prefix /requests. The following sections describe the types of requests that can be managed via the AM API.

Each request type supports different types of locations. Invalid combinations of request types and location types will result in a 409 Conflict error response with the message "Location not found". The Permission Assignment request type also supports requests for membership in a user profile.

Request type Supported location types
Permission Assignment ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, ManagedUserProfile
Permission Removal ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem
Permission Update ThirdPartyItem
Responsible Role Assignment ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem
Location Creation FolderCollection, ManagedFolderCollection, Folder, RightsFolder, SiteCollection, ManagedSiteCollection, Site, ManagedSite

Add Location Creation Request

POST /api/v1/requests/location-creations

Adds a new request for a new managed location below a certain managed or unmanaged parent location.

The JSON representation of a new location request object is defined below:

RequestLocationRequestModel:

{
  "module": "FolderManagement or SharePoint",
  "location": "\\\\server\\share\\folder or http://host/path",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "new_location_name": "subfolder or subsite",
  "site_template": "STS#0", // only required if module is SharePoint
  "permission": "read or write or design", // optional
  "comment": "string"
}

If the field permission is omitted, the user will not be permitted on the new location, but the location will still be created.

The field site_template is only required if module is SharePoint.
Available site templates can be requested from SharePoint, e.g. via the REST API like this:

URL: http://{sharepoint-server}/{site-collection}/{site}/_api/web/GetAvailableWebTemplates(lcid=1033,doincludecrosslanguage=true) Method GET Query Parameters: $select=Name, $filter=IsHidden eq false and IsRootWebOnly eq false Example: http://{sharepoint-server}/{site-collection}/{site}/_api/web/GetAvailableWebTemplates(lcid=1033,doincludecrosslanguage=true)?$select=Name&$filter=IsHidden eq false and IsRootWebOnly eq false

Body parameter

{
  "new_location_name": "subfolder or subsite",
  "site_template": "STS#0",
  "permission": "read or write or design",
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Parameters

Name In Type Required Description
body body RequestLocationRequestModel false none

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
202 Accepted Accepted None
400 Bad Request If the module is not specified, the message "The request is invalid." is returned. If the given user_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given requestor_id does not exist in Active Directory, the message "The request is invalid." is returned. ErrorResponseModel
409 Conflict If specified module is not supported, the message "The specified module is not supported." is returned. If the given location does not exist in Access Manager, the message "Location not found." is returned. If the given site_template is not available on the given location, the message "Invalid site template." is returned. ErrorResponseModel

Add Permission Assignment Request

POST /api/v1/requests/permission-assignments

Adds a new request for permission assignments on a location (e.g., a folder) and for membership assignment in a user profile.

These requests only work for locations that use the exclusive permission grant logic.
For those locations that use the supplementary permission grant logic,
the "Permission-Update-Request" must be used.

The JSON representation of a permission assignment request object is defined below:

RequestPermissionRequestModel:

{
  "module": "FolderManagement or SharePoint or ThirdParty or Profile",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "permission": "read or write or design or owner or member or visitor or profilemembership", // See permission set of location
  "valid_from": "YYYY-MM-DD", // optional date
  "valid_through": "YYYY-MM-DD", // optional date
  "comment": "string"
}

Body parameter

{
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Parameters

Name In Type Required Description
body body RequestPermissionRequestModel true none

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
202 Accepted Accepted None
400 Bad Request If module is not specified, the message "The request is invalid." is returned. If an unsupported module is specified, the message "The specified module is not supported." is returned. If valid_through is now or in the past, the message "Valid through has to be in the future." is returned. If valid_from is after valid through, the the message "Valid from has to be before valid through." is returned. If permission is invalid, the message "The request is invalid." is returned. If permission grant logic of the location is supplementary, the message "This request only works for resources that use exclusive permission logic." is returned. ErrorResponseModel
409 Conflict If the given user_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given requestor_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given location does not exist in Access Manager, the message "Location not found." is returned. ErrorResponseModel

Add Permission Removal Request

POST /api/v1/requests/permission-removals

Adds a new permission removal request for a user on a certain location.

These requests only work for locations that use the exclusive permission grant logic.
For those locations that use the supplementary permission grant logic, the "Permission-Update-Request" must be used.

The JSON representation of a permission removal request object is defined below:

RequestWithCommentRequestModel:

{
  "module": "FolderManagement or SharePoint or ThirdParty",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "comment": "string"
}

Body parameter

{
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Parameters

Name In Type Required Description
body body RequestWithCommentRequestModel false none

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
202 Accepted Accepted None
400 Bad Request If module is not specified, the message "The request is invalid." is returned. If an unsupported module is specified, the message "The specified module is not supported." is returned. If permission grant logic of the location is supplementary, the message "This request only works for resources that use exclusive permission logic." is returned. ErrorResponseModel
409 Conflict If the given user_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given requestor_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given location does not exist in Access Manager, the message "Location not found." is returned. ErrorResponseModel

Add Permission Update Request

POST /api/v1/requests/permission-updates

Adds a new request for permission updates on a 3rd party item that uses the supplementary permission logic.

The JSON representation of a permission update request object is defined below:

RequestMultiPermissionRequestModel:

{
  "module": "ThirdParty",
  "location": "ItemCollectionName/ItemName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "permissions": [
    "permission01",
    "permission02"
  ], // See permission set of location
  "valid_through": "YYYY-MM-DD", // optional date
  "comment": "string"
}

Body parameter

{
  "permissions": [
    "permission01",
    "permission02"
  ],
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Parameters

Name In Type Required Description
body body RequestMultiPermissionRequestModel false none

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
202 Accepted Accepted None
400 Bad Request If module is not specified, the message "The request is invalid." is returned. If an unsupported module is specified, the message "The specified module is not supported." is returned. If valid_through is now or in the past, the message "Valid through has to be in the future." is returned. If any permission is invalid, the the message "The request is invalid." is returned. If permission grant logic of the location is exclusive, the message "This request only works for resources that use supplementary permission logic." is returned. ErrorResponseModel
409 Conflict If the given user_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given requestor_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given location does not exist in Access Manager, the message "Location not found." is returned. ErrorResponseModel

Add Responsible Role Assignment Request

POST /api/v1/requests/responsible-role-assignments

Adds a new request for the responsible role for a user on a certain location.

The JSON representation of a responsible role assignment request object is defined below:

RequestWithCommentRequestModel:

{
  "module": "FolderManagement or SharePoint or ThirdParty",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "comment": "string"
}

Body parameter

{
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Parameters

Name In Type Required Description
body body RequestWithCommentRequestModel false none

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
202 Accepted Accepted None
400 Bad Request If module is not specified, the message "The request is invalid." is returned. If an unsupported module is specified, the message "The specified module is not supported." is returned. ErrorResponseModel
409 Conflict If the given user_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given requestor_id does not exist in Active Directory, the message "The request is invalid." is returned. If the given location does not exist in Access Manager, the message "Location not found." is returned. ErrorResponseModel

ManagedLocations

Delete Managed Location

DELETE /api/v1/managed-locations/{locationId}

Removes the location identified by the provided locationId.

Only locations of type RightsFolder, ManagedSite, ManagedFolderCollection, ManagedSiteCollection and ThirdPartyItem support removal of permission management.
If the provided locationId is not managed, the API will respond with a 404 Not Found response.
If it belongs to any unsupported location type, the API will respond with a 400 Bad Request response.

mode must be one of RetainGroupRemoveMembers, RetainGroupKeepMembers, DeleteAccessManagerGroups or DeleteInTargetSystem, where DeleteAccessManagerGroups is only supported by RightsFolder, ManagedSite, ManagedFolderCollection and ManagedSiteCollection and RetainGroupRemoveMembers and DeleteInTargetSystem are only supported by ThirdPartyItem.
If the mode is not supported by the location type, the API will respond with a 400 Bad Request response.

Parameters

Name In Type Required Description
locationId path string true System generated location id.
mode header RemovePermissionManagementMode true The mode with which the permission management is removed.

Enumerated Values

Parameter Value
mode RetainGroupRemoveMembers
mode RetainGroupKeepMembers
mode DeleteAccessManagerGroups
mode DeleteInTargetSystem

Example responses

400 Response

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Responses

Status Meaning Description Schema
204 No Content No Content None
400 Bad Request If the request is invalid, the message "The request is invalid." is returned.

If the given location does not support deletion, the message "Provided location does not support this operation." is returned. If the provided locationId does not support the mode, the message "Provided location does not support this operation." is returned.|ErrorResponseModel| |404|Not Found|If the given location does not exist in AM or is an unmanaged location, the message "Provided location does not exist." is returned.|ErrorResponseModel|

Add Managed Location

POST /api/v1/managed-locations

Adds a new managed location.

The required format of the request model varies based on the location type:

OrgProfile: CreateProfileModel

{
  "type": "OrgProfile",
  "module": "Profile",
  "location": "ProfileName",
  "cluster_path": "/",
  "description": "Description",
  "self_service_description": "Self Service Description",
  "responsible_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
}

UserProfile: CreateUserProfileModel

{
  "type": "UserProfile",
  "module": "Profile",
  "location": "ProfileName",
  "cluster_path": "/",
  "description": "Description",
  "self_service_description": "Self Service Description",
  "responsible_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
  "member_sync_group_name": "DOMAIN\\group.name",
  "use_profile_permission_groups": false,
  "self_service_enabled": true
}

RightsFolder: CreateRightsFolderModel

{
  "type": "RightsFolder",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder",
  "container_id": "Zm0tZl9pZC0x",
  "owner_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
  "responsible_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
  "self_service_enabled": true,
  "data_protection_classification_name": "topSecret",
  "inherit_rights": true
}

Body parameter

{
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Parameters

Name In Type Required Description
body body any true An instance of CreateProfileModel or CreateUserProfileModel or CreateRightsFolderModel.

Example responses

201 Response

{
  "type": "ResourceGroup",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Responses

Status Meaning Description Schema
201 Created Response Header: Location: /api/v1/locations/{locationId}.
Response Body: An instance of ProfileResponseModel or UserProfileResponseModel or RightsFolderResponseModel. Inline
400 Bad Request The return message indicates the reason for failure. ErrorResponseModel

Response Schema

Enumerated Values

Property Value
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
domain_mode SingleDomain
domain_mode MultiDomain
domain_mode MultiDomainOptimized
deviation_strategy IdentifyAndCorrect
deviation_strategy Identify
deviation_strategy Ignore
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile
module FolderManagement
module SharePoint
module Profile
module ThirdParty
type ResourceGroup
type FolderCollection
type ManagedFolderCollection
type Folder
type RightsFolder
type SiteCollection
type ManagedSiteCollection
type Site
type ManagedSite
type ThirdPartyItemCollection
type ThirdPartyItem
type UserProfile
type ManagedUserProfile
type OrgProfile

Schemas

AgentGroupResponseModel

{
  "name": "string",
  "description": "string",
  "assigned_agents": [
    {
      "name": "string",
      "last_config_update": "2024-07-26",
      "status": "IsUnassigned"
    }
  ],
  "assigned_locations": [
    {
      "type": "ResourceGroup",
      "module": "FolderManagement",
      "location": "string",
      "id": "Zm0tZl9pZC00Mg",
      "requests_enabled": true,
      "supplementary_permissions": true
    }
  ]
}

Properties

Name Type Required Restrictions Description
name string¦null false none none
description string¦null false none none
assigned_agents [AgentResponseModel]¦null false none none
assigned_locations [ILocationResponseModel]¦null false none none

AgentResponseModel

{
  "name": "string",
  "last_config_update": "2024-07-26",
  "status": "IsUnassigned"
}

Properties

Name Type Required Restrictions Description
name string¦null false none none
last_config_update string(date)¦null false none none
status AgentStatus false none none

AgentStatus

"IsUnassigned"

Properties

Name Type Required Restrictions Description
anonymous string false none none

Enumerated Values

Property Value
anonymous IsUnassigned
anonymous IsAssigned
anonymous UnassignmentPending
anonymous AssignmentPending

CreateFolderCollectionModel

{
  "resource_group_id": "Zm0tZl9pZC00Mg",
  "display_name": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "SingleDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true,
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Properties

Name Type Required Restrictions Description
resource_group_id string true none Must be a system generated location id belonging to a resource group. See Get Locations by URL Parameters.
display_name string true none none
enable_rights_management boolean false none none
agent_group_name string true none See Get Agent Groups.
domain_mode DomainMode false none none
organizational_unit string true none none
local_ad_group_naming_pattern string true none none
global_ad_group_naming_pattern string true none none
admin_group string true none none
browse_group string true none none
enable_access_groups boolean false none none
enable_new_folder_requests_on_folder_collection boolean false none none
deviation_strategy DeviationStrategy false none none
always_take_ownership boolean false none none
audit_ownership_changes boolean false none none
enable_realtime_permissions boolean false none none

CreateLocationModel

{
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Properties

Name Type Required Restrictions Description
type LocationType true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.

CreateLocationWithResponsiblesModel

{
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
responsible_account_names [string] true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

CreatePermissionModel

{
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Properties

Name Type Required Restrictions Description
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Must be a UNC path, URL, 3rd-Party-Item location or profile name, depending on module.
subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
user_id string true none Must be an Active Directory user sAMAccountName or group name with NetBIOS domain name prefix, a Microsoft Entra user principal name, or a profile name, depending on subject_type.
permission string true none See Permission Set of Location.
valid_from string(date)¦null false none Optional start date, only valid for profile permissions.
valid_through string(date)¦null false none Optional expiration date.
comment string¦null false none Optional permission comment

CreateProfileModel

{
  "cluster_path": "/",
  "description": "string",
  "self_service_description": "string",
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
cluster_path string true none none
description string¦null false none none
self_service_description string¦null false none none

CreateResourceGroupModel

{
  "description": "string",
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Properties

Name Type Required Restrictions Description
description string¦null false none none

CreateRightsFolderModel

{
  "inherit_rights": true,
  "container_id": "Zm0tZl9pZC00Mg",
  "owner_account_names": [
    "string"
  ],
  "self_service_enabled": true,
  "data_protection_classification_name": "string",
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
inherit_rights boolean false none none
container_id string true none Must be a system generated location id belonging to a collection. See Get Locations by URL Parameters.
owner_account_names [string] true none none
self_service_enabled boolean false none none
data_protection_classification_name string¦null false none none
responsible_account_names [string] true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

CreateUserProfileModel

{
  "member_sync_group_name": "DOMAIN\\group.name",
  "use_profile_permission_groups": true,
  "self_service_enabled": true,
  "cluster_path": "/",
  "description": "string",
  "self_service_description": "string",
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
member_sync_group_name string¦null false none Optional If a member synchronization group is supplied, responsible_account_names must be empty
use_profile_permission_groups boolean¦null false none Optional If left empty, the default value defined in the settings within AM is used.
self_service_enabled boolean¦null false none Optional If left empty, the default value defined in the settings within AM is used.
If a member synchronization group is supplied, it will be ignored and always be set to false.
cluster_path string true none none
description string¦null false none none
self_service_description string¦null false none none
responsible_account_names [string] true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

DeviationStrategy

"IdentifyAndCorrect"

Properties

Name Type Required Restrictions Description
anonymous string false none none

Enumerated Values

Property Value
anonymous IdentifyAndCorrect
anonymous Identify
anonymous Ignore

DomainMode

"SingleDomain"

Properties

Name Type Required Restrictions Description
anonymous string false none none

Enumerated Values

Property Value
anonymous SingleDomain
anonymous MultiDomain
anonymous MultiDomainOptimized

ErrorResponseModel

{
  "message": "The request is invalid.",
  "model_state": {
    "model_property": [
      "Error description."
    ]
  }
}

Properties

Name Type Required Restrictions Description
message string¦null false none none
model_state object¦null false none none
» additionalProperties any false none none

FolderCollectionResponseModel

{
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": null,
  "supplementary_permissions": false,
  "resource_group_id": "Zm0tZl9pZC00Mg",
  "display_name": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "SingleDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
id string¦null false none System generated location id.
requests_enabled boolean¦null false none requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection. On location object of other types, it will always be null. requests_enabled indicates, whether permissions on this location can be requested using the SSP. It has no impact on the request API resource. As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.
supplementary_permissions boolean false none supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).
resource_group_id string true none Must be a system generated location id belonging to a resource group. See Get Locations by URL Parameters.
display_name string true none none
enable_rights_management boolean false none none
agent_group_name string true none See Get Agent Groups.
domain_mode DomainMode false none none
organizational_unit string true none none
local_ad_group_naming_pattern string true none none
global_ad_group_naming_pattern string true none none
admin_group string true none none
browse_group string true none none
enable_access_groups boolean false none none
enable_new_folder_requests_on_folder_collection boolean false none none
deviation_strategy DeviationStrategy false none none
always_take_ownership boolean false none none
audit_ownership_changes boolean false none none
enable_realtime_permissions boolean false none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

ILocationResponseModel

{
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "string",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true
}

Properties

Name Type Required Restrictions Description
type LocationType false none none
module TargetType false none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string¦null false none none
id string¦null false none none
requests_enabled boolean¦null false none none
supplementary_permissions boolean false none none

LocationEffectivePermissionResponseModel

{
  "permission": "read or write or design or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "origin": "string",
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
  "location_id": "Zm0tZl9pZC00Mg",
  "user_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
permission string¦null false none See Permission Set of Location.
valid_from string(date)¦null false none Optional start date, only valid for profile permissions.
valid_through string(date)¦null false none Optional expiration date.
origin string¦null false none null or name of the origin profile.
id string¦null false none System generated location user id
location_id string¦null false none System generated location id
user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

LocationPermissionSetModel

{
  "permission": "read or write or design or profilemembership",
  "display_names": {
    "en": "Read",
    "de": "Lesen"
  },
  "default": true
}

Properties

Name Type Required Restrictions Description
permission string¦null false none The permission id to be used to identify this permission on all API methods where a permission must be provided.
display_names object¦null false none Display names for this permission in all languages.
» additionalProperties string¦null false none none
default boolean false none Indicates whether this is the default permission of the permission set.

LocationRequestModel

{
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
type LocationType true none none

LocationResponseModel

{
  "type": "ResourceGroup",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Properties

Name Type Required Restrictions Description
type LocationType true none none
id string¦null false none System generated location id.
requests_enabled boolean¦null false none requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection. On location object of other types, it will always be null. requests_enabled indicates, whether permissions on this location can be requested using the SSP. It has no impact on the request API resource. As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.
supplementary_permissions boolean false none supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.

LocationType

"ResourceGroup"

Properties

Name Type Required Restrictions Description
anonymous string false none none

Enumerated Values

Property Value
anonymous ResourceGroup
anonymous FolderCollection
anonymous ManagedFolderCollection
anonymous Folder
anonymous RightsFolder
anonymous SiteCollection
anonymous ManagedSiteCollection
anonymous Site
anonymous ManagedSite
anonymous ThirdPartyItemCollection
anonymous ThirdPartyItem
anonymous UserProfile
anonymous ManagedUserProfile
anonymous OrgProfile

LocationUserRequestModel

{
  "user_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

LocationUserResponseModel

{
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
  "location_id": "Zm0tZl9pZC00Mg",
  "user_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
id string¦null false none System generated location user id
location_id string¦null false none System generated location id
user_id string true none Active directory user sAMAccountName with NetBIOS domain name prefix, or a profile name

PermissionResponseModel

{
  "id": "Zm0tNDItYXUtRE9NQUlOXGFjY291bnQubmFtZQ",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ProfileName",
  "subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected] or ProfileName",
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Properties

Name Type Required Restrictions Description
id string true none System generated permission id.
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Must be a UNC path, URL, 3rd-Party-Item location or profile name, depending on module.
subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
user_id string true none Must be an Active Directory user sAMAccountName or group name with NetBIOS domain name prefix, a Microsoft Entra user principal name, or a profile name, depending on subject_type.
permission string true none See Permission Set of Location.
valid_from string(date)¦null false none Optional start date, only valid for profile permissions.
valid_through string(date)¦null false none Optional expiration date.
comment string¦null false none Optional permission comment

ProfileResponseModel

{
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "cluster_path": "/",
  "description": "string",
  "self_service_description": "string",
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
id string¦null false none System generated location id.
requests_enabled boolean¦null false none requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection. On location object of other types, it will always be null. requests_enabled indicates, whether permissions on this location can be requested using the SSP. It has no impact on the request API resource. As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.
supplementary_permissions boolean false none supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).
cluster_path string true none none
description string¦null false none none
self_service_description string¦null false none none
responsible_account_names [string] true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

RemovePermissionManagementMode

"RetainGroupRemoveMembers"

Properties

Name Type Required Restrictions Description
anonymous string false none none

Enumerated Values

Property Value
anonymous RetainGroupRemoveMembers
anonymous RetainGroupKeepMembers
anonymous DeleteAccessManagerGroups
anonymous DeleteInTargetSystem

RenewAccessSettingsDataModel

{
  "module": "FolderManagement",
  "path": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName"
}

Properties

Name Type Required Restrictions Description
module TargetType false none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
path string true none Must be a UNC path, URL or 3rd-Party-Item location, depending on module.

RenewAccessSettingsTriggerRequestModel

{
  "offset_minutes": 10,
  "data": {
    "module": "FolderManagement",
    "path": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName"
  }
}

Properties

Name Type Required Restrictions Description
offset_minutes integer(int32) false none Optional delay in minutes.
data RenewAccessSettingsDataModel true none none

RequestLocationRequestModel

{
  "new_location_name": "subfolder or subsite",
  "site_template": "STS#0",
  "permission": "read or write or design",
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
new_location_name string true none The name for the new location.
site_template string¦null false none Only required if module is SharePoint
permission string¦null false none Must be a valid permission from the permission set of the location (always use the english named value).
comment string¦null false none Optional comment. Can be any text.
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string¦null false none Must be a location matching the module, or the name of a managed user profile if Profile is selected as module.
user_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
user_id string true none Must be the Active Directory user sAMAccountName or group name with NetBIOS domain name prefix or the Microsoft Entra user principal name of the user or group that should be granted the permission.
requestor_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
requestor_id string true none Must be the active directory user sAMAccountName with NetBIOS domain name prefix of the user requesting the permission for the aforementioned user.

RequestMultiPermissionRequestModel

{
  "permissions": [
    "permission01",
    "permission02"
  ],
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
permissions [string] true none Must be an array of valid permission from the permission set of the location or can be an empty array to remove permissions.
valid_from string(date)¦null false none Optional start date. It is only processed if module is Profile. It must be a date before valid_through.
valid_through string(date)¦null false none Optional expiration date. It must be a date in the future.
comment string¦null false none Optional comment. Can be any text.
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string¦null false none Must be a location matching the module, or the name of a managed user profile if Profile is selected as module.
user_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
user_id string true none Must be the Active Directory user sAMAccountName or group name with NetBIOS domain name prefix or the Microsoft Entra user principal name of the user or group that should be granted the permission.
requestor_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
requestor_id string true none Must be the active directory user sAMAccountName with NetBIOS domain name prefix of the user requesting the permission for the aforementioned user.

RequestPermissionRequestModel

{
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
permission string true none Must be a valid permission from the permission set of the location (always use the english named value).
valid_from string(date)¦null false none Optional start date. It is only processed if module is Profile. It must be a date before valid_through.
valid_through string(date)¦null false none Optional expiration date. It must be a date in the future.
comment string¦null false none Optional comment. Can be any text.
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string¦null false none Must be a location matching the module, or the name of a managed user profile if Profile is selected as module.
user_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
user_id string true none Must be the Active Directory user sAMAccountName or group name with NetBIOS domain name prefix or the Microsoft Entra user principal name of the user or group that should be granted the permission.
requestor_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
requestor_id string true none Must be the active directory user sAMAccountName with NetBIOS domain name prefix of the user requesting the permission for the aforementioned user.

RequestWithCommentRequestModel

{
  "comment": "string",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User",
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or [email protected]",
  "requestor_subject_type": "User",
  "requestor_id": "DOMAIN\\account.name"
}

Properties

Name Type Required Restrictions Description
comment string¦null false none Optional comment. Can be any text.
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string¦null false none Must be a location matching the module, or the name of a managed user profile if Profile is selected as module.
user_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
user_id string true none Must be the Active Directory user sAMAccountName or group name with NetBIOS domain name prefix or the Microsoft Entra user principal name of the user or group that should be granted the permission.
requestor_subject_type SubjectType false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.
requestor_id string true none Must be the active directory user sAMAccountName with NetBIOS domain name prefix of the user requesting the permission for the aforementioned user.

ResourceGroupResponseModel

{
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": null,
  "supplementary_permissions": false,
  "description": "string",
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
id string¦null false none System generated location id.
requests_enabled boolean¦null false none requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection. On location object of other types, it will always be null. requests_enabled indicates, whether permissions on this location can be requested using the SSP. It has no impact on the request API resource. As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.
supplementary_permissions boolean false none supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).
description string¦null false none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

RightsFolderResponseModel

{
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "inherit_rights": true,
  "container_id": "Zm0tZl9pZC00Mg",
  "owner_account_names": [
    "string"
  ],
  "self_service_enabled": true,
  "data_protection_classification_name": "string",
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
id string¦null false none System generated location id.
requests_enabled boolean¦null false none requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection. On location object of other types, it will always be null. requests_enabled indicates, whether permissions on this location can be requested using the SSP. It has no impact on the request API resource. As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.
supplementary_permissions boolean false none supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).
inherit_rights boolean false none none
container_id string true none Must be a system generated location id belonging to a collection. See Get Locations by URL Parameters.
owner_account_names [string] true none none
self_service_enabled boolean false none none
data_protection_classification_name string¦null false none none
responsible_account_names [string] true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none

SubjectType

"User"

Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.

Properties

Name Type Required Restrictions Description
anonymous string false none Determines the type of user_id. If omitted, falls back to User. When using User, user_id must be an active directory user or group name. When using Profile, user_id must be a profile name.

Enumerated Values

Property Value
anonymous User
anonymous Profile

TargetType

"FolderManagement"

Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.

Properties

Name Type Required Restrictions Description
anonymous string false none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.

Enumerated Values

Property Value
anonymous FolderManagement
anonymous SharePoint
anonymous Profile
anonymous ThirdParty

ThirdPartyLocationResponseModel

{
  "subtypes": [
    "ActiveDirectoryItemCollection"
  ],
  "type": "ResourceGroup",
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName"
}

Properties

Name Type Required Restrictions Description
subtypes [ThirdPartyLocationSubtype]¦null false none none

ThirdPartyLocationSubtype

"ActiveDirectoryItemCollection"

Properties

Name Type Required Restrictions Description
anonymous string false none none

Enumerated Values

Property Value
anonymous ActiveDirectoryItemCollection
anonymous ActiveDirectoryItem
anonymous MsTeamsItemCollection
anonymous MsTeamsItem
anonymous MsTeamsTeam
anonymous SharePointItemCollection
anonymous SharePointItem
anonymous SharePointSite
anonymous SharePointTeamSiteMs365Group
anonymous SharePointTeamSiteSpGroups
anonymous SharePointCommunicationSite

UpdateFolderCollectionModel

{
  "display_name": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "SingleDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true,
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
display_name string true none none
enable_rights_management boolean false none none
agent_group_name string true none none
domain_mode DomainMode false none none
organizational_unit string true none none
local_ad_group_naming_pattern string true none none
global_ad_group_naming_pattern string true none none
admin_group string true none none
browse_group string true none none
enable_access_groups boolean false none none
enable_new_folder_requests_on_folder_collection boolean false none none
deviation_strategy DeviationStrategy false none none
always_take_ownership boolean false none none
audit_ownership_changes boolean false none none
enable_realtime_permissions boolean false none none

UpdateLocationModel

{
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
type LocationType true none none

UpdatePermissionModel

{
  "permission": "read or write or design or owner or member or visitor or profilemembership",
  "valid_from": "2024-07-26",
  "valid_through": "2024-07-26",
  "comment": "string"
}

Properties

Name Type Required Restrictions Description
permission string true none See Permission Set of Location.
valid_from string(date)¦null false none Optional start date, only valid for profile permissions.
valid_through string(date)¦null false none Optional expiration date.
comment string¦null false none Optional permission comment

UpdateResourceGroupModel

{
  "location": "ResourceGroupName",
  "description": "string",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
location string true none none
description string¦null false none none

UserProfileResponseModel

{
  "id": "Zm0tZl9pZC00Mg",
  "requests_enabled": true,
  "supplementary_permissions": true,
  "member_sync_group_name": "DOMAIN\\group.name",
  "use_profile_permission_groups": true,
  "self_service_enabled": true,
  "cluster_path": "/",
  "description": "string",
  "self_service_description": "string",
  "responsible_account_names": [
    "string"
  ],
  "module": "FolderManagement",
  "location": "ResourceGroupName or \\\\server\\share\\folder or http://host/path or ItemCollectionName or ItemCollectionName/ItemName or ProfileName",
  "type": "ResourceGroup"
}

Properties

Name Type Required Restrictions Description
id string¦null false none System generated location id.
requests_enabled boolean¦null false none requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection. On location object of other types, it will always be null. requests_enabled indicates, whether permissions on this location can be requested using the SSP. It has no impact on the request API resource. As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.
supplementary_permissions boolean false none supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).
member_sync_group_name string¦null false none Optional If a member synchronization group is supplied, responsible_account_names must be empty
use_profile_permission_groups boolean¦null false none Optional If left empty, the default value defined in the settings within AM is used.
self_service_enabled boolean¦null false none Optional If left empty, the default value defined in the settings within AM is used.
If a member synchronization group is supplied, it will be ignored and always be set to false.
cluster_path string true none none
description string¦null false none none
self_service_description string¦null false none none
responsible_account_names [string] true none none
module TargetType true none Determines the type of location. For RenewAccessSettingsDataModel: Determines the type of path. If omitted, falls back to FolderManagement.
location string true none Can be a resource group name, UNC path, URL, 3rd-Party-Item-Collection name, 3rd-Party-Item location or profile name, depending on module.
type LocationType true none none