Policies API
Policies define what actions users are allowed or denied to perform on resources. Console uses an IAM-style policy system with service:action action strings.
Policy Object
| Field | Type | Description |
|---|---|---|
_id | string | Unique identifier |
arn | string | Policy ARN (arn:s42:iam::{company_id}:policy/{type}/{name}) |
name | string | Policy name |
description | string | Human-readable description |
type | string | system, managed, or inline |
document | object | Policy document with statements |
is_deprecated | boolean | Whether policy is deprecated |
created_at | string | ISO 8601 creation timestamp |
updated_at | string | ISO 8601 last update timestamp |
Policy Document
{
"version": "2025-01-01",
"statements": [
{
"sid": "AllowReadUsers",
"effect": "Allow",
"actions": ["users:list", "users:get"],
"resources": ["*"]
}
]
}
Statement Fields
| Field | Type | Required | Description |
|---|---|---|---|
sid | string | No | Statement identifier |
effect | string | Yes | Allow or Deny |
actions | string[] | Yes | Action patterns (e.g. users:list, users:*, *) |
resources | string[] | Yes | Resource ARN patterns or * |
List Policies
Returns all policies visible to the current user (managed policies + company's custom policies).
GET
/v1/policiesRequired Permission: policies:list
Example Request:
curl https://api.console.solucao42.com.br/v1/policies \
-H "Authorization: Bearer YOUR_TOKEN"
Response: 200 OK
{
"total": 3,
"quantity": 3,
"records": [
{
"_id": "507f1f77bcf86cd799439011",
"arn": "arn:s42:iam::policy/managed/ReadOnly",
"name": "ReadOnly",
"description": "Read-only access to all resources",
"type": "managed",
"document": {
"version": "2025-01-01",
"statements": [
{
"sid": "ReadAll",
"effect": "Allow",
"actions": ["users:list", "users:get", "connections:list"],
"resources": ["*"]
}
]
},
"is_deprecated": false,
"created_at": "2025-01-01T00:00:00.000Z",
"updated_at": "2025-01-01T00:00:00.000Z"
}
]
}
Get Policy
Returns a single policy by ID.
GET
/v1/policies/:idRequired Permission: policies:get
List Available Actions
Returns all available service:action strings that can be used in policy documents.
GET
/v1/policies/actionsAuthentication: Required (no specific permission needed)
Example Response:
{
"services": {
"users": ["users:list", "users:get", "users:invite", "users:update", ...],
"connections": ["connections:list", "connections:get", "connections:create", ...],
"visualizations": ["visualizations:list", "visualizations:get", "visualizations:execute", ...]
},
"all": ["users:list", "users:get", ..., "data_api:execute", "data_api:get_job"]
}
Create Policy
Creates a new custom policy for your company.
POST
/v1/policiesRequired Permission: policies:create
Request Body:
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Policy name (unique within company) |
description | string | No | Human-readable description |
document | object | Yes | Policy document with statements |
Example Request:
curl -X POST https://api.console.solucao42.com.br/v1/policies \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Dashboard Viewer",
"description": "Can view and execute dashboards",
"document": {
"version": "2025-01-01",
"statements": [
{
"sid": "ViewDashboards",
"effect": "Allow",
"actions": [
"dashboards:list",
"dashboards:get",
"visualizations:list",
"visualizations:get",
"visualizations:execute",
"analysis-folders:list",
"analysis-folders:get"
],
"resources": ["*"]
}
]
}
}'
Response: 201 Created
Update Policy
Updates an existing custom policy.
PUT
/v1/policies/:idRequired Permission: policies:update
caution
System and managed policies (type: system or type: managed) cannot be updated via the API.
Delete Policy
Deletes a custom policy.
DELETE
/v1/policies/:idRequired Permission: policies:delete
Response: 204 No Content
Clone Policy
Creates a copy of an existing policy (including managed policies) as a new custom policy.
POST
/v1/policies/:id/cloneRequired Permission: policies:create
Pre-defined Managed Policies
These policies are available in every company and can be attached to groups but not modified.
| Policy | Key Actions |
|---|---|
FullAdmin | * |
ReadOnly | *:list, *:get, read-only actions across all services |
UserManager | users:list/get/invite/update/activate/deactivate/assign_groups/remove_groups |
GroupManager | groups:*, policies:list/get |
ApiKeyManager | users:list_integration_users/create_integration_user/delete_integration_user, api_keys:* |
ConnectionManager | connections:*, vpn_profiles:*, managed-tables:*, metadata:read |
VisualizationViewer | dashboards:list/get/schedule, visualizations:list/get/execute/schedule, data_api:execute/get_job |
VisualizationManager | visualizations:*, dashboards:share/schedule, analysis-folders:*, data_api:execute/get_job |
AnalyticsAuthor | visualizations:*, dashboards:*, analysis-folders:*, share_tags:*, viz_api_endpoints:*, data_api:execute/get_job |
KnowledgeManager | concepts:*, semantic:*, ontology:*, knowledge_reviews:*, metadata:read |
DataEngineer | connections:*, vpn_profiles:*, managed-tables:*, metadata:read |
PolicyManager | policies:* |
CompanyAdmin | company:* |
DataAPIConsumer | data_api:execute/get_job |
Code Examples
- JavaScript
- cURL
const API_URL = 'https://api.console.solucao42.com.br';
// List all available policies
async function listPolicies(token) {
const response = await fetch(`${API_URL}/v1/policies`, {
headers: { 'Authorization': `Bearer ${token}` },
});
return response.json();
}
// Create a custom policy
async function createPolicy(token, policy) {
const response = await fetch(`${API_URL}/v1/policies`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify(policy),
});
return response.json();
}
// Usage
const dashboardViewerPolicy = await createPolicy(token, {
name: 'Dashboard Viewer',
description: 'View and execute dashboards only',
document: {
version: '2025-01-01',
statements: [
{
sid: 'ViewDashboards',
effect: 'Allow',
actions: [
'dashboards:list',
'dashboards:get',
'visualizations:list',
'visualizations:get',
'visualizations:execute',
],
resources: ['*'],
},
],
},
});
console.log(`Created policy: ${dashboardViewerPolicy._id}`);
TOKEN="your-jwt-token"
# List policies
curl -s "https://api.console.solucao42.com.br/v1/policies" \
-H "Authorization: Bearer $TOKEN" | jq
# List available actions
curl -s "https://api.console.solucao42.com.br/v1/policies/actions" \
-H "Authorization: Bearer $TOKEN" | jq '.all'
# Create policy
curl -s -X POST "https://api.console.solucao42.com.br/v1/policies" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Dashboard Viewer",
"description": "View and execute dashboards only",
"document": {
"version": "2025-01-01",
"statements": [
{
"sid": "ViewDashboards",
"effect": "Allow",
"actions": [
"dashboards:list",
"dashboards:get",
"visualizations:list",
"visualizations:get",
"visualizations:execute"
],
"resources": ["*"]
}
]
}
}' | jq
# Delete policy
curl -s -X DELETE "https://api.console.solucao42.com.br/v1/policies/POLICY_ID" \
-H "Authorization: Bearer $TOKEN"
Best Practices
- Start from managed policies — clone a managed policy and adjust rather than building from scratch
- Use
Denysparingly —DenyoverridesAllowfrom any other policy; use it only for explicit exceptions - Least privilege — grant only the actions users actually need
- Descriptive names —
Analytics Team Vieweris better thanPolicy 1 - Test before assigning — verify a policy does what you expect using the
/v1/auth/permissionsendpoint