System Administration Permissions

Is Permission Granted

All methods return an object containing permission information based on the authenticated staff user.

Check a single permission

GET /api/.../sysadmin/permissions/granted/{id}?ownerID={ownerID}

If ownerID > 0, checks the permission for a specific granting organization. If the permission is not owned, the ownerID value is ignored. If ownerID = 0, returns IsPermitted set to true if the permission is granted at *any* organization; in this scenario the list of granting organizations is not returned.

Check a single permission for group of orgs

GET /api/.../sysadmin/permissions/granted/{id}?ownerIDs={ownerID}

Allows the caller to check a single permission in a single call when provided with a comma-delimited list of org IDs. Returns IsPermitted equal to true if the permission is granted for all of the orgs. Returns IsPermitted equal to false if the permission is not granted. If the permission is not granted, the associated permission description will be provided in the PermissionDescriptions array.

Return a list of granting orgs for a single permission

GET /api/.../sysadmin/permissions/granted/{id}?returnGrantingOrgs=true

Returns a list of all granting organization IDs for the specific permission. This type of list may be used to determine if a user is permitted to do an operation at *any* organization. Returns IsPermitted set to true if at least one organization grants the permission to the caller. This is a common call to make when the caller needs to filter a list based on permissions.

Check a group of permissions

GET /api/.../sysadmin/permissions/granted?ids={ids}&ownerID={ownerID}

Allows the caller to check a group of permissions in a single call when provided with a comma-delimited list of permission IDs. Returns IsPermitted equal to true if all of the permissions are granted. Returns IsPermitted equal to false if any permission is not granted. If a permission is not granted, the associated permission description will be provided in the PermissionDescriptions array. If ownerID > 0, checks each permission for a specific granting organization. If a permission is not owned, the ownerID value is ignored for that permission. If ownerID = 0, checks each individual permission for granted rights at *any* organization.

Return a list of granting orgs for a group of permissions

GET /api/.../sysadmin/permissions/granted?ids={ids}&returnGrantingOrgs=true

Allows the caller to check a group of permissions in a single call when provided with a comma-delimited list of permission IDs. Returns the intersecting set of granting organization IDs based on the provided list of permissions. Returns IsPermitted equal to true if all of the permissions are granted at least one common granting organization. Returns IsPermitted equal to false if no intersecting granting organization can be found. If IsPermitted is false, the associated "not permitted" permission descriptions will be provided in the PermissionDescriptions array. This type of list may be used to filter lists.

Clear a user's cached permissions

DELETE /api/.../sysadmin/permissions/users/{id}

Allows the caller to clear any cached permissions for the logged in user. The id supplied must match the logged in user ID supplied in the API credentials. This does not clear permission overrides.

Add user override permissions using an OAuth2 OIDC ID token

POST /api/.../sysadmin/permissions/users/{id}/overrides

In order to perform certain operations, permissions are required. If a user does not have permission, temporary permission may be granted by using permission overrides. This endpoint provides permission override support for OAuth installations. It accepts an ID token in JWT format and a list of permission ids and owners.

Permissions may only be overridden for the current "logged on user" and the id token will be validated. An id token may only be used a single time to perform an override.

If successful, the result will contain IsPermitted set to true. The permission list descriptions will be empty. If any permission is not overridden, the result will contain IsPermitted set to false. The permission list will contain descriptions for all permissions not overridden.
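The page states two rules for the override endpoint: the ID token must be validated, and a token may be used only once. The following is an added illustration of what enforcing those rules looks like on the receiving side; it is not Polaris code and the page does not describe how the product implements validation. It assumes an HS256 token with a shared key so that the example can mint and check tokens offline (ID tokens from a real OIDC provider are normally RS256-signed and verified against the provider's published keys), and it uses the standard JWT/OIDC claims iss, aud, exp, sub and jti. The issuer, audience, key and user IDs are constructed test values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, claims: dict) -> str:
    """Test-only helper: produce an HS256 JWT. A real IdP signs ID tokens, not the client."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
                _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signature = hmac.new(key, ".".join(segments).encode(), hashlib.sha256).digest()
    return ".".join(segments + [_b64url(signature)])


class IdTokenGate:
    """Validates an ID token for an override request and enforces single use via jti."""

    def __init__(self, key: bytes, issuer: str, audience: str, now=time.time):
        self._key = key
        self._issuer = issuer
        self._audience = audience
        self._now = now            # injectable clock so expiry checks are testable
        self._used = set()         # in-memory replay cache of consumed jti values

    def consume(self, token: str, expected_subject: str):
        """Return (True, "ok") and mark the token used, or (False, reason) without consuming it."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            payload = json.loads(_b64url_decode(p))
            signature = _b64url_decode(s)
        except ValueError:
            return False, "malformed token"
        # Pin the algorithm before verifying; never trust the header to choose it (rejects alg=none).
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(self._key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if payload.get("iss") != self._issuer:
            return False, "wrong issuer"
        aud = payload.get("aud")
        if aud != self._audience and not (isinstance(aud, list) and self._audience in aud):
            return False, "wrong audience"
        exp = payload.get("exp")
        if not isinstance(exp, int) or self._now() >= exp:
            return False, "token expired"
        # Overrides may only be applied to the logged-on user (see the text above).
        if payload.get("sub") != expected_subject:
            return False, "token subject is not the logged-on user"
        jti = payload.get("jti")
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        if jti in self._used:
            return False, "token already used"
        self._used.add(jti)
        return True, "ok"
```

The replay cache here is a process-local set, which is enough to show the rule; a service with several instances would keep the consumed jti values in a shared store with a lifetime at least as long as the token's exp, and a token that fails any earlier check is deliberately not recorded as used so that an attacker cannot burn a victim's token by submitting a tampered copy.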

Notes

Permissions may be owned or not owned. If a permission is owned, it may be owned at the system, library and/or branch levels. That means a specific organization is allowed to control the permission. If a permission is not owned, there is only a single value in the database. Organization is not a factor with non-owned permissions.

There are two main scenarios for checking permissions.

  • Given a permission ID, return whether the user is granted the permission. An owner ID should be supplied. This is the typical scenario.
  • Return a list of all owner IDs that grant the specific permission. Do not provide an owner ID. For example, the Find Tool must filter its results based on the list of granting owners for the specific permission.

If an owner ID is supplied, the method will attempt to determine if the permission is granted. If a permission is not owned, it is still acceptable to pass in an owner ID; it will simply be ignored. For this reason it is best to always pass in an owner ID unless you specifically know the permission is not owned or you want to return a list of all granting owner IDs.

If an owner ID is not supplied, the permission may still be evaluated if the permission is not owned. Otherwise, a list of granting owner IDs will be returned.
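The five "granted" queries above and the Notes on owner IDs amount to a small decision: pass ownerID for a yes/no answer (0 meaning any organization), pass ownerIDs to check one permission across several organizations, or set returnGrantingOrgs to get the list, and never combine them. The builder below is an added example, not client code from Polaris, that encodes those rules and rejects the combinations the parameter table forbids. The "/api/..." prefix is kept exactly as the page writes it and must be replaced with the real path; the keyword names of the Python function are the example's own.

```python
from urllib.parse import urlencode

# The page elides the path segment between /api/ and /sysadmin/; replace this
# placeholder prefix with the real one for your installation.
API_PREFIX = "/api/..."
GRANTED_PATH = API_PREFIX + "/sysadmin/permissions/granted"


def _id_list(values, name):
    """Validate a sequence of IDs and render the comma-delimited form the API expects."""
    ids = list(values)
    if not ids or any(isinstance(v, bool) or not isinstance(v, int) or v <= 0 for v in ids):
        raise ValueError(f"{name} must be a non-empty list of positive integers")
    return ",".join(str(v) for v in ids)


def granted_url(*, permission_id=None, permission_ids=None, owner_id=None,
                owner_ids=None, return_granting_orgs=False):
    """Build the request URI for one of the documented 'granted' queries.

    Exactly one of permission_id / permission_ids selects the single or group
    form. At most one of owner_id (ownerID; 0 = any organization), owner_ids
    (ownerIDs; single permission only) or return_granting_orgs may be given.
    With none of them, the server decides per the Notes section: a non-owned
    permission is evaluated, an owned one yields the granting-org list.
    """
    if (permission_id is None) == (permission_ids is None):
        raise ValueError("supply exactly one of permission_id or permission_ids")
    if sum([owner_id is not None, owner_ids is not None, bool(return_granting_orgs)]) > 1:
        raise ValueError("ownerID, ownerIDs and returnGrantingOrgs are mutually exclusive")
    if owner_ids is not None and permission_id is None:
        raise ValueError("ownerIDs is only documented for a single permission id")

    query = {}
    if permission_id is not None:
        if isinstance(permission_id, bool) or not isinstance(permission_id, int) or permission_id <= 0:
            raise ValueError("permission_id must be a positive integer")
        path = f"{GRANTED_PATH}/{permission_id}"
    else:
        path = GRANTED_PATH
        query["ids"] = _id_list(permission_ids, "ids")

    if owner_id is not None:
        if isinstance(owner_id, bool) or not isinstance(owner_id, int) or owner_id < 0:
            raise ValueError("ownerID must be an integer >= 0")
        query["ownerID"] = owner_id
    elif owner_ids is not None:
        query["ownerIDs"] = _id_list(owner_ids, "ownerIDs")
    elif return_granting_orgs:
        query["returnGrantingOrgs"] = "true"

    # safe="," keeps the comma-delimited lists readable instead of %2C-encoding them.
    return path + ("?" + urlencode(query, safe=",") if query else "")


def is_valid_request(**kwargs) -> bool:
    """True when granted_url accepts the combination, False when it rejects it."""
    try:
        granted_url(**kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(granted_url(permission_id=83, owner_id=3))
    print(granted_url(permission_ids=[84, 87], return_granting_orgs=True))
```

Validating the IDs client-side keeps stray strings out of the query string, but the authorization decision itself always belongs to the server's response; the builder only makes sure the question is asked in the form the API documents.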

Override Credentials

If the calling user ID is not granted permission, the method will check for the presence of valid override credentials in the HTTP request header. If present, the override user ID will be used to check for permission.

Permission IDs

A list of permission IDs may be found here.


Request Information

Parameters
Name Type Required Description
id Integer Yes Permission Id. Define this parameter in the request URI.
ids String Yes Comma delimited list of permission Ids. Define this parameter in the request URI.
ownerID Integer See description. Sets the owner (granting organization) ID to check for a specific permission. May not be used with returnGrantingOrgs query string value.
returnGrantingOrgs Boolean See description. Set to true to list all organizations that grant a specific permission to the user. May not be used with ownerID query string value.

Response Information

The PermissionDescriptions array only contains data when a permission is not granted. This data may be used to request override information from the caller.

DtoPermissionResult Object
Property Type Description
IsPermitted Boolean Overall result of permission check.
OwnerIDs Int[] When called with the returnGrantingOrgs query string value, returns a list of granting organization IDs.
PermissionDescriptions DtoPermissionDescription[] If a permission is not permitted, its information will be contained here.
DtoPermissionDescription Object
Property Type Description
Subsystem Int SA permission subsystem ID:
  • Acquisitions = 1
  • Circulation = 2
  • Cataloging = 3
  • SystemAdministration = 4
  • PublicAccessCatalog = 5
  • Serials = 6
  • FindTool = 7
  • PolarisFusion = 8
PermissionID Int Permission ID.
ControlRecordName String Name of SA permission control record.
PermissionName String Name of permission.
Permitted Boolean Is this permission permitted?
AllowOverride Boolean Internal use only.
Owner Int Owning organization ID that granted/denied this permission.
IsOwned Int Internal use only.
Owners Int[] Internal use only.
OverrideUserID Int Internal use only.
Example: Permission is permitted
application/json, text/json
{
    "IsPermitted":true,
    "OwnerIDs":null,
    "PermissionDescriptions":[]
}
Example: Permission is not permitted
application/json, text/json
{
    "IsPermitted":false,
    "OwnerIDs":null,
    "PermissionDescriptions":[
        {
            "Subsystem":2,
            "PermissionID":83,
            "ControlRecordName":"Patron registration",
            "PermissionName":"Create",
            "Permitted":false,
            "AllowOverride":true,
            "Owner":3,
            "IsOwned":true,
            "Owners":[],
            "OverrideUserID":0
        }
    ]
}
Example: Return granting orgs. Permitted at orgs 3 and 5
application/json, text/json
{
    "IsPermitted":true,
    "OwnerIDs":[
        3,
        5
    ],
    "PermissionDescriptions":[]
}
Example: Return granting orgs. Two permissions are not permitted.
application/json, text/json
{
    "IsPermitted":false,
    "OwnerIDs":[],
    "PermissionDescriptions":[
        {
            "Subsystem":2,
            "PermissionID":84,
            "ControlRecordName":"Patron registration",
            "PermissionName":"Modify",
            "Permitted":false,
            "AllowOverride":true,
            "Owner":0,
            "IsOwned":true,
            "Owners":[],
            "OverrideUserID":0
        },
        {
            "Subsystem":2,
            "PermissionID":87,
            "ControlRecordName":"Patron registration",
            "PermissionName":"Create express registration record",
            "Permitted":false,
            "AllowOverride":true,
            "Owner":0,
            "IsOwned":true,
            "Owners":[],
            "OverrideUserID":0
        }
    ]
}
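The response tables and examples above define the contract a client has to interpret: IsPermitted is the overall answer, OwnerIDs is populated only for returnGrantingOrgs queries, and PermissionDescriptions holds the denied permissions that an override prompt would be built from. The parser below is an added example (not Polaris code) that reads a DtoPermissionResult, applies the subsystem table from this page, and implements the "filter a list by granting organizations" pattern the endpoint descriptions mention. The three embedded JSON bodies are this page's own examples; the record list fed to the filter and the dataclass names are constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Subsystem IDs from the DtoPermissionDescription table on this page.
SUBSYSTEMS = {1: "Acquisitions", 2: "Circulation", 3: "Cataloging",
              4: "SystemAdministration", 5: "PublicAccessCatalog",
              6: "Serials", 7: "FindTool", 8: "PolarisFusion"}


@dataclass(frozen=True)
class Denial:
    subsystem: str
    permission_id: int
    control_record: str
    permission_name: str
    owner: int

    def label(self) -> str:
        return f"{self.subsystem}: {self.control_record} / {self.permission_name}"


@dataclass(frozen=True)
class PermissionResult:
    is_permitted: bool
    owner_ids: frozenset[int]      # empty unless returnGrantingOrgs was requested
    denials: tuple[Denial, ...]


def parse_result(body: str) -> PermissionResult:
    """Parse a DtoPermissionResult JSON body; raise ValueError on anything off-schema."""
    data = json.loads(body)
    permitted = data.get("IsPermitted")
    if not isinstance(permitted, bool):
        raise ValueError("IsPermitted must be a boolean")
    raw_owners = data.get("OwnerIDs") or []      # null when granting orgs were not requested
    if any(isinstance(o, bool) or not isinstance(o, int) for o in raw_owners):
        raise ValueError("OwnerIDs must be integers")
    denials = []
    for d in data.get("PermissionDescriptions") or []:
        if d.get("Permitted") is True:           # the array should only carry denials; skip anything else
            continue
        code = d.get("Subsystem")
        denials.append(Denial(
            subsystem=SUBSYSTEMS.get(code, f"Unknown({code})"),
            permission_id=int(d["PermissionID"]),
            control_record=str(d.get("ControlRecordName", "")),
            permission_name=str(d.get("PermissionName", "")),
            owner=int(d.get("Owner", 0)),
        ))
    # Fail closed: a body that says permitted but also lists denials is not trusted.
    if permitted and denials:
        raise ValueError("IsPermitted is true but denials were reported")
    return PermissionResult(permitted, frozenset(raw_owners), tuple(denials))


def filter_by_granting_orgs(records, result: PermissionResult) -> list:
    """Keep only records whose owning organization grants the permission.

    records is an iterable of (record_id, owning_org_id). If the result was not
    obtained with returnGrantingOrgs, owner_ids is empty and nothing passes,
    which is the safe default for a permission filter.
    """
    if not result.is_permitted:
        return []
    return [rid for rid, org in records if org in result.owner_ids]


def denial_labels(result: PermissionResult) -> list[str]:
    """Human-readable entries for an override prompt, one per denied permission."""
    return [d.label() for d in result.denials]


# The three bodies below are the example responses shown on this page.
EXAMPLE_DENIED = ('{"IsPermitted":false,"OwnerIDs":null,"PermissionDescriptions":[{"Subsystem":2,'
                  '"PermissionID":83,"ControlRecordName":"Patron registration","PermissionName":"Create",'
                  '"Permitted":false,"AllowOverride":true,"Owner":3,"IsOwned":true,"Owners":[],"OverrideUserID":0}]}')
EXAMPLE_ORGS = '{"IsPermitted":true,"OwnerIDs":[3,5],"PermissionDescriptions":[]}'
EXAMPLE_TWO_DENIED = ('{"IsPermitted":false,"OwnerIDs":[],"PermissionDescriptions":[{"Subsystem":2,'
                      '"PermissionID":84,"ControlRecordName":"Patron registration","PermissionName":"Modify",'
                      '"Permitted":false,"AllowOverride":true,"Owner":0,"IsOwned":true,"Owners":[],"OverrideUserID":0},'
                      '{"Subsystem":2,"PermissionID":87,"ControlRecordName":"Patron registration",'
                      '"PermissionName":"Create express registration record","Permitted":false,"AllowOverride":true,'
                      '"Owner":0,"IsOwned":true,"Owners":[],"OverrideUserID":0}]}')
```

Two choices matter here for a caller that uses this data to gate UI or records: the filter yields nothing unless the server explicitly listed granting organizations, and the parser refuses a body whose IsPermitted contradicts its own descriptions rather than picking one field to believe.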

HTTP Response Codes

Code Description
200 OK. Success