This article discusses how to use the JumpCloud API to control User Elevated Permissions at the User Group level and/or at the User Group → Device Group Bind level. The goal is to allow administrators to have better high-level control over the permissions that their users have across devices while minimizing the maintenance overhead that can come with managing User Device permissions on an individual basis.

**Prerequisites**:

Note that the JumpCloud API currently only supports `POST` and `PUT` for `User Groups`. `PUT` saves the provided state to the object at the given ID. This means that to modify the attributes field, all `User Group` fields must be included in the request, as the object is intended to be saved. Retrieve all other `User Group` fields and attribute properties and include them in the request if the goal is only to modify the `sudo` properties.

cURL to get data from an existing group:

```bash
curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY"
```

Returning something similar to:

```json
{
  "attributes":{
    "ldapGroups":[
      {
        "name":"MYGROUP"
      }
    ]
  },
  "id":"60f84e262921680001dbe9ba",
  "name":"My User Group",
  "type":"user_group",
  "email":"mydemogroup@business.com",
  "description":"A user group for demonstration",
  "memberSuggestionsNotify":false,
  "memberQuery":{
    "queryType":"FilterQuery",
    "filters":[
      {
        "field":"company",
        "operator":"eq",
        "value":"MyCompany"
      }
    ]
  }
}
```

### Modifying User Group Elevated Permissions

To elevate permissions for users in this User Group, add the `sudo` property to the `attributes` as below:

```json
"attributes":{
  "ldapGroups":[
    {
      "name":"MYGROUP"
    }
  ],
  "sudo":{
    "enabled":true,
    "withoutPassword":true
  }
}
```

Example cURL to elevate permissions for all `User` members of `User Group` to passwordless sudo with the above `attributes` included in the request:

```bash
curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
    "attributes":{
      "ldapGroups":[
        {
          "name":"MYGROUP"
        }
      ],
      "sudo":{
        "enabled":true,
        "withoutPassword":true
      }
    },
    "id":"60f84e262921680001dbe9ba",
    "name":"My User Group",
    "type":"user_group",
    "email":"mydemogroup@business.com",
    "description":"A user group for demonstration",
    "memberSuggestionsNotify":false,
    "memberQuery":{
      "queryType":"FilterQuery",
      "filters":[
        {
          "field":"company",
          "operator":"eq",
          "value":"MyCompany"
        }
      ]
    }
  }'
```

### Removing User Group Elevated Permissions

Removing elevated permissions consists of removing the `sudo` property from the `User Group`'s `attributes`.

Example cURL to remove elevated permissions with `sudo` removed:

```bash
curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
    "attributes":{
      "ldapGroups":[
        {
          "name":"MYGROUP"
        }
      ]
    },
    "id":"60f84e262921680001dbe9ba",
    "name":"My User Group",
    "type":"user_group",
    "email":"mydemogroup@business.com",
    "description":"A user group for demonstration",
    "memberSuggestionsNotify":false,
    "memberQuery":{
      "queryType":"FilterQuery",
      "filters":[
        {
          "field":"company",
          "operator":"eq",
          "value":"MyCompany"
        }
      ]
    }
  }'
```

Again, the entirety of the group's properties is included except for the modified `attributes`, which no longer include the `sudo` property:

```json
"attributes":{
  "ldapGroups":[
    {
      "name":"MYGROUP"
    }
  ]
}
```

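
The read-modify-write flow from the two sections above, as an added example (not JumpCloud's code): `put_body` and `unexpected_changes` are hypothetical helper names, and `GROUP` is the sample object from this page. The first builds the complete `PUT` body with only `sudo` changed; the second compares the saved object that `PUT` returns with the original, so a field dropped from the request shows up immediately.

```python
import copy

# Constructed sample: the user group returned by the GET request on this page.
GROUP = {
    "attributes": {"ldapGroups": [{"name": "MYGROUP"}]},
    "id": "60f84e262921680001dbe9ba",
    "name": "My User Group",
    "type": "user_group",
    "email": "mydemogroup@business.com",
    "description": "A user group for demonstration",
    "memberSuggestionsNotify": False,
    "memberQuery": {
        "queryType": "FilterQuery",
        "filters": [{"field": "company", "operator": "eq", "value": "MyCompany"}],
    },
}


def put_body(current, sudo=None):
    """Build the full PUT body from a GET response (hypothetical helper).

    sudo=None removes the property; otherwise pass a dict with boolean
    "enabled" and "withoutPassword". All other fields are copied unchanged,
    because PUT saves exactly the state that is sent.
    """
    body = copy.deepcopy(current)
    attrs = body.setdefault("attributes", {})
    if sudo is None:
        attrs.pop("sudo", None)
        return body
    if set(sudo) != {"enabled", "withoutPassword"} or not all(
            isinstance(v, bool) for v in sudo.values()):
        raise ValueError("sudo needs boolean 'enabled' and 'withoutPassword'")
    attrs["sudo"] = dict(sudo)
    return body


def unexpected_changes(before, saved):
    """List fields that differ between the pre-change object and the object
    the PUT returned, ignoring attributes.sudo (the one intended change)."""
    diffs = [k for k in set(before) | set(saved)
             if k != "attributes" and before.get(k) != saved.get(k)]
    a, b = before.get("attributes") or {}, saved.get("attributes") or {}
    diffs += ["attributes." + k for k in set(a) | set(b)
              if k != "sudo" and a.get(k) != b.get(k)]
    return sorted(diffs)
```
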
### Verifying User Group Elevated Permissions

- `POST`ing and `PUT`ing groups returns the saved object, allowing for inspection of the response for confirmation.

## Elevated Permissions User Group → Device Group Associations

**Prerequisites**:

- User Group ID (60f84e262921680001dbe9ba for the example)
- Device Group ID (60d9f2c796021e000117f31a for the example)
- JumpCloud API Key (redacted for the example)

### Creating User Group → Device Group Associations

cURL for creating a new User Group → Device Group association with elevated permissions:

- This example sets the elevated permissions to `passwordless sudo`.

```bash
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "add",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a",
        "attributes": {
          "sudo": {
            "enabled": true,
            "withoutPassword": true
          }
        }
      }'
```

### Removing User Group → Device Group Associations

cURL for removing a User Group → Device Group association:

```bash
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "remove",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a"
      }'
```

### Modifying Existing User Group → Device Group Associations

cURL for modifying elevated permissions on an existing User Group → Device Group association:

- This example sets the elevated permissions to `sudo`.

```bash
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "update",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a",
        "attributes": {
          "sudo": {
            "enabled": true,
            "withoutPassword": false
          }
        }
      }'
```

cURL for removing elevated permissions on an existing User Group → Device Group association:

```bash
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "update",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a",
        "attributes": {}
      }'
```

Again, note that this was accomplished by removing the `sudo` property from the `attributes`.

### Verifying User Group → Device Group Association Permissions

- cURL for retrieving User Groups → Device Groups (referred to as `system_group` in the API) associations: