Subscribe to Help Center RSS FeedThis article discusses how to use the JumpCloud API to control User Elevated Permissions at the User Group level and/or at the User Group → Device Group Bind level. The goal is to allow administrators to have better high-level control over the permissions that their users have across devices while minimizing the maintenance overhead that can come with managing User Device permissions on an individual basis.
Elevated Permissions on User Groups
Prerequisites:
- User Group ID (60f84e262921680001dbe9ba in the examples)
- JumpCloud API key (redacted in the examples)
Getting Existing User Group Data
Note that the JumpCloud API currently only supports POST and PUT for User Groups. PUT saves the provided state to the object at the given ID. This means that to modify the attributes field, all User Group fields must be included in the request as the object is intended to be saved. Retrieve all other User Group fields and attribute properties and include them in the request if the goal is only to modify the sudo properties.
cURL to get data from an existing group:
curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY"
Returning something similar to:
{
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]
},
"id":"60f84e262921680001dbe9ba",
"name":"My User Group",
"type":"user_group",
"email":"[email protected]",
"description":"A user group for demonstration",
"memberSuggestionsNotify":false,
"memberQuery":{
"queryType":"FilterQuery",
"filters":[
{
"field":"company",
"operator":"eq",
"value":"MyCompany"
}
]
}
}
Modifying User Group Elevated Permissions
To elevate permissions for users in this User Group, add the sudo property to the attributes as below:
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]"sudo":{
"enabled":true,
"withoutPassword":true
}
}
Example cURL to elevate permissions for all User members of User Group to passwordless sudo with the above attributes included in the request:
curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
],
"sudo":{
"enabled":true,
"withoutPassword":true
}
},
"id":"60f84e262921680001dbe9ba",
"name":"My User Group",
"type":"user_group",
"email":"[email protected]",
"description":"A user group for demonstration",
"memberSuggestionsNotify":false,
"memberQuery":{
"queryType":"FilterQuery",
"filters":[
{
"field":"company",
"operator":"eq",
"value":"MyCompany"
}
]
}
}'
Removing User Group Elevated Permissions
Removing elevated permissions consists of removing the sudo property from the User Group's attributes.
Example cURL to remove elevated permissions with sudo removed:
curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]
},
"id":"60f84e262921680001dbe9ba",
"name":"My User Group",
"type":"user_group",
"email":"[email protected]",
"description":"A user group for demonstration",
"memberSuggestionsNotify":false,
"memberQuery":{
"queryType":"FilterQuery",
"filters":[
{
"field":"company",
"operator":"eq",
"value":"MyCompany"
}
]
}
}'
Again, the entirety of the group's properties is included except for the modified attributes which no longer include the sudo property:
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]
}
Verifying User Group Elevated Permissions
POSTing andPUTing groups returns the saved object, allowing for inspection of the response for confirmation.
Elevated Permissions User Group → Device Group Associations
Prerequisites:
- User Group ID (60f84e262921680001dbe9ba for the example)
- Device Group ID (60d9f2c796021e000117f31a for the example)
- JumpCloud API Key (redacted for the example)
Creating User Group → Device Group Associations
cURL for creating a new User Group → Device Group association with elevated permissions:
- This example sets the elevated permissions to
passwordless sudo.
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "add",
"type": "system_group",
"id": "60d9f2c796021e000117f31a",
"attributes": {
"sudo": {
"enabled": true,
"withoutPassword": true
}
}
}'
Removing User Group → Device Group Associations
cURL for removing a User Group → Device Group association:
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "remove",
"type": "system_group",
"id": "60d9f2c796021e000117f31a"
}'
Modifying Existing User Group → Device Group Associations
cURL for modifying elevated permissions on an existing User Group → Device Group association:
- This example sets the elevated permissions to
sudo.
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "update",
"type": "system_group",
"id": "60d9f2c796021e000117f31a",
"attributes": {
"sudo": {
"enabled": true,
"withoutPassword": false
}
}
}'
cURL for removing elevated permissions on an existing User Group → Device Group association:
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "update",
"type": "system_group",
"id": "60d9f2c796021e000117f31a",
"attributes": {}
}'
Again, note that this was accomplished by removing the sudo property from the attributes.
Verifying User Group → Device Group Association Permissions
- cURL for retrieving User Groups → Device Groups (referred to as
system_groupin the API) associations:
curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations?targets%5B0%5D=system_group \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY"
Returning something similar:
[
{
"attributes": {
"sudo": {
"withoutPassword": true,
"enabled": true
}
},
"to": {
"attributes": null,
"id": "60d9f2c796021e000117f31a",
"type": "system_group"
}
}
]
- In this case, the returned JSON indicates that the group has
passwordless sudoelevated permissions to thesystem_groupwith id60d9f2c796021e000117f31a.
The response from the /associations endpoint is a list of Device Groups, so it may return many associations that may need to be inspected to confirm elevated permissions for a specific group.
Permission Caveats
- It is recommended to have the
sudoproperty as one of two states (below). - If no elevated permissions are desired, it is advisable to remove the
sudoattribute entirely from theattributesobject.
"sudo":{
"enabled":true,
"withoutPassword":false
}
Passwordless sudo:
"sudo":{
"enabled":true,
"withoutPassword":true
}
In this Article
Learn More