Bulk Entitlements Download API (Early Access)
POST
https://app.balkan.id/api/rest/v0/entitlements/download-url
Entitlements
BalkanID Entitlements Download CSV Format
Sample CSV
| Project | Privilege Name | Privilege Value | Identity ID | Username | Name | Connection | Connection Type | Resource | Resource Type | Employee ID | Labels | Identity Type | Connection Provider | Connection Provider Type | Metadata | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| balkanid | pull | true | ayden@example.com | 01234567 | koch71 | Ayden Koch | read | repository-role | ops | repository | ||||||
| balkanid | push | false | ayden@example.com | 01234567 | koch71 | Ayden Koch | read | repository-role | ops | repository | ||||||
| balkanid | admin | false | ayden@example.com | 01234567 | koch71 | Ayden Koch | read | repository-role | ops | repository | ||||||
| balkanid | pull | true | ayden@example.com | 01234567 | koch71 | Ayden Koch | admin | repository-role | ops | repository | ||||||
| balkanid | push | true | ayden@example.com | 01234567 | koch71 | Ayden Koch | admin | repository-role | ops | repository | ||||||
| balkanid | admin | true | ayden@example.com | 01234567 | koch71 | Ayden Koch | admin | repository-role | ops | repository | [{"source":"brn:bid:balkanid:::02GFREWAWDFR3RG264H6QWERT5:app:compute/privileged","version":"20220726","value":{"text":"Privileged"},"key":"entitlement/privileged"}] |
Column Definitions
| Column Name | Column Description |
|---|---|
| Project | This is a “project”-level of organization in your application. This can be a Github organization, Slack organization, AWS account number, Azure directory, Google domain, Okta Site URL, etc. In the sample CSV, this is a Github organization “balkanid”. While optional, it is recommended that you provide Project value. If not provided, the Project value is set to “default”. |
| Entitlement BRN | The Unique identifier for the entitlement. |
| Privilege Name | The name of the action/permission/entitlement. These are typically actions that can be taken on a resource. In the sample CSV, these are “pull”, “push”, and “admin”, which are actions associated with a repository. |
| Privilege Value | In many cases, these will be “true”. In some cases, it is useful to model an explicit deny by including entitlements where Privilege Value is “false”. In the sample CSV, we see both “true” and “false” privilege values. |
| The email associated with the identity to which this entitlement belongs to, if available. In the sample CSV, this is “ayden@example.com”. | |
| Identity ID | Some applications have an ID that is separate from email or username. This is the place to include that ID. |
| Username | The username associated with the identity to which this entitlement belongs to. In the sample CSV, this is “koch71”. |
| Name | The name of the identity to which this entitlement belongs to, if available. This can be the name of a person, a service account, or other names. |
| Connection | Connection describes how the identity (identified by the Username) gains the privilege (identified by Privilege Name and Privilege Value) to the resource (identified by Resource and Resource Type). In the sample CSV, the connection is the repository role granted to the identity: “read” and “admin”. |
| Connection Type | Connection Type describes the type of the Connection. Typical connection types are “role”, “policy”, “group”, but can include others depending on your application authorization structure. In the sample CSV, this is “repository-role”. |
| Resource | The resource this entitlement references. In the sample CSV, the resource is the “ops” repository. |
| Resource Type | A useful resource type that groups resources in your application. This can be a Github repository/organization/application, AWS service, a Slack channel, etc. In the sample CSV, the resource type is “repository”. |
| Employee ID | ID of the Employee, if mapped |
| Labels | Insights such as privileged, sod, outlier, over entitled. |
| Identity Type | Type of the identity, such as user, service account, group, etc. |
| Connection Provider | The provider of the connection, such as admins etc. |
| Connection Provider Type | The type of the connection provider, such as group, etc. |
| Metadata | Additional metadata about the entitlement. |
| App | The application that the entitlement is for. |
| Identity Type | The type of the identity. |
Download the CSV file via the pre-signed URL
To use the polling URL, first send an HTTP request with the method
HEAD to the pollingUrl.If the response status code is
404, the file is not ready, and you should retry this polling request after a delay.If the response status code is
200, the file is ready, and you may proceed to download the CSV from the received url.Request
Header Params
X-Api-Key-ID
string
optional
X-Api-Key-Secret
string
optional
Content-Type
string
optional
Default:
application/json
Body Params application/json