The Operator Access API allows managing existing Operators for a given account. Operators with allowed roles can invite new Operators into their accounts, assign roles to them and apply attribute-based restrictive conditions, so that they can only access data relevant to their context.
Creating an Operator Access adds an Operator to a given account so that they can access resources on that account. When an operator access is created, its name, operator ID, access policies and restrictive conditions must be provided; these qualify the Operator's access in the platform.
Assign Roles
An Operator allowed to manage other operator accesses can use the API to assign access policies to their subordinates or remove them.
For example, a factory administrator Operator can assign the Factory User role to another Operator by:
To get a list of all available roles, Operators must use the Access Policies API.
Restrictive Conditions
Beyond access policies, which define what resources an Operator can access and the operations they can perform on those resources, it is also possible to restrict access based on attribute filtering. Restrictive conditions are represented by the conditions field of an Operator Access payload. See the API schema for more about the syntax.
A sourcing manager who is responsible for 10 different factories may only need access to data that is relevant to those factories. Moreover, factory administrators may only need access to data that is produced in their factory.
This level of restrictive conditions can be achieved by adding conditions to the Operator Access document through this API.
Read about Restrictive Conditions to understand the concept and common use case examples.
Restrictive Conditions on Operator Access API
The Operator Access API supports restrictive conditions on an access policy ID. This means that, for a given API key with a restrictive condition on accessPolicyId, the API will only allow that API key to manage actors whose assigned access policies are present in the caller's restrictive conditions.
Getting "my own" current access
To retrieve their own access details for a given account, Operators can call the /me API using their access API key. This is available for almost all roles, to any Operator with a valid API key, and returns the current Operator access details, including their restrictions and detailed roles.
Dashboards and Apps that need to perform operations on behalf of Operators can adjust feature restrictions based on the caller's access retrieved through this endpoint.
API Status
General Availability:
/accounts/{accountId}/operatorAccess/{operatorAccessId}
/accounts/{accountId}/operatorAccess
/me
OperatorAccessDocument Data Model
An object representing an operator access.
.name (string, required)
    The name of the operator.
.description (string)
    The description of the operator access.
.operator (string, required)
    The operator ID
.policies (array of string, max. 100, required)
    An array of policy IDs
.conditions (array of string, max. 256, required)
    A conditions array.
.tags (array of string)
    Array of string tags associated with this resource.
.identifiers (IdentifiersDocument)
    Various identifiers (EPC, GTIN, etc.) as a JSON object with 
    one or more key-value pairs.
.customFields (CustomFieldsDocument)
    Object of case-sensitive key-value pairs of custom fields 
    associated with the resource.
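The following Python check is an added example, not code from the platform: it validates a payload against the data model above and, reading the accessPolicyId restriction described earlier as a subset rule, lists the policy IDs a restricted caller could not manage. The function names, sample IDs and condition placeholder are assumptions; the condition syntax itself is defined in the API schema and is not parsed here.

```python
# Added example: client-side checks on an OperatorAccessDocument before sending.
# Field names and limits come from the data model above; the rest is assumed.

REQUIRED = ("name", "operator", "policies", "conditions")
MAX_ITEMS = {"policies": 100, "conditions": 256}
STRING_FIELDS = ("name", "description", "operator")
STRING_ARRAYS = ("policies", "conditions", "tags")


def validate_operator_access(doc):
    """Return a list of problems found in an OperatorAccessDocument dict."""
    problems = []
    for field in REQUIRED:
        if field not in doc:
            problems.append(f"missing required field: {field}")
    for field in STRING_FIELDS:
        if field in doc and not isinstance(doc[field], str):
            problems.append(f"{field} must be a string")
    for field in STRING_ARRAYS:
        if field not in doc:
            continue
        value = doc[field]
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"{field} must be an array of strings")
        elif len(value) > MAX_ITEMS.get(field, len(value)):
            problems.append(f"{field} exceeds {MAX_ITEMS[field]} items")
    return problems


def policies_outside_scope(doc, caller_policy_scope):
    """Policy IDs in doc that a restricted caller would not be allowed to manage.

    caller_policy_scope is the set of policy IDs named by the caller's
    accessPolicyId restrictive condition (assumed already extracted), or
    None when the caller has no such restriction.
    """
    if caller_policy_scope is None:
        return []
    return sorted(set(doc.get("policies", [])) - set(caller_policy_scope))


# Constructed sample data; IDs and the condition string are placeholders.
sample = {
    "name": "Line 3 supervisor",
    "operator": "OPERATOR_ID_PLACEHOLDER",
    "policies": ["POLICY_ID_FACTORY_USER", "POLICY_ID_FACTORY_ADMIN"],
    "conditions": ["CONDITION_PLACEHOLDER"],
}
scope = {"POLICY_ID_FACTORY_USER"}
```

Running both checks before a create or update request surfaces a rejected policy assignment locally; the API remains the authority on what a restricted key may manage.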
Create an Operator Access
Creates an operator access for the account
Get an account Operator access
Reads and returns account operator access by ID
Read all Operator Accesses
Reads all operator accesses for the given account
Update operator access by ID
Updates and returns operator access by ID
Delete an Operator Access
Deletes an account operator access by ID
Get the caller's own account Operator access and inline policies
Reads and returns account operator access and inline policies based on the caller's API key.
