Permissions endpoints: API v1

This version is out of date. For current versions, see Puppet Enterprise support lifecycle.

You assign permissions to user roles to manage user access to objects in PE. The Permissions endpoints enable you to get information about available objects and the permissions that can be constructed for those objects. You can also check an array of permissions.

Permission keys

The available values for these keys are available from the “/types” endpoint (see below).

Key Explanation Example
object_type A string identifying the type of object this permission applies to. "node_groups"
action A string indicating the type of action this permission permits. "modify_children"
instance A string containing the primary ID of the object instance this permission applies to, or "*" indicating that it applies to all instances. If the given action does not allow instance specification, "*" should always be used. "cec7e830-555b-11e4-916c-0800200c9a66" or "*"

GET /types

Lists the objects that integrate with RBAC and demonstrates the permissions that can be constructed, by picking the appropriate object_type, action, and instance triple. Authentication is required.

The has_instances flag indicates that the action permission is instance-specific if true, or false if this action permission does not require instance specification.


  • 200 OK A listing of types.
  • 401 Unauthorized If no user is logged in.
  • 403 Forbidden If the current user lacks permissions to view the types.

Example return:

[{ "object_type": "node_groups",
   "display_name": "Node Groups",
   "description": "Groups that nodes can be assigned to."
   "actions": [{ "name": "view",
                 "display_name": "View",
                 "description": "View the node groups",
                 "has_instances": true
                 "display_name": "Configure",
                 "description": "Modify description, variables and classes",
                 "has_instances": true
                }, ...]

POST /permitted

Checks an array of permissions for the subject identified by the submitted identifier.

This endpoint takes a “token” in the form of a user or a user group’s UUID and a list of permissions. This returns true or false for each permission queried, representing whether the subject is permitted to take the given action. This takes into account the full evaluation of permissions, including inherited roles and matching general permissions against more specific queries. A query for users:edit:1 returns true if the subject has users:edit:1 and/or users:edit:*.

Example body:

{"token": "<subject uuid>",
 "permissions": [{"object_type": "node_groups",
                  "action": "edit_rules",
                  "instance": "4"},
                 {"object_type": "users",
                  "action": "disable",
                  "instance": "1"}]

The first permission is querying whether the subject specified by the token is permitted to perform the edit_rules action on the instance of node_groups identified by the ID 4. Note that in reality, node groups and users use UUIDs as their IDs.

Example return:

[true, false]

Each queried permission has a corresponding Boolean in the returned array. The index of the submitted array of permissions matches the index of the returned array of Booleans. Given the above example submission, this return means the subject is permitted node_groups:edit_rules:4 but not permitted users:disable:1.


  • 200 OK An array of Boolean values representing whether each submitted action on a specific object type and instance is permitted for the subject. The array always has the same length as the submitted array and each returned value corresponds to the submitted permission query at the same index.
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.