User Group Elevated Permissions via JumpCloud API

This article discusses how to use the JumpCloud API to control User Elevated Permissions at the User Group level and/or at the User Group → Device Group Bind level. The goal is to allow administrators to have better high-level control over the permissions that their users have across devices while minimizing the maintenance overhead that can come with managing User Device permissions on an individual basis.

Elevated Permissions on User Groups

Prerequisites:

  • User Group ID (60f84e262921680001dbe9ba in the examples)
  • JumpCloud API key (redacted in the examples)

Getting Existing User Group Data

Note that the JumpCloud API currently only supports POST and PUT for User GroupsPUT saves the provided state to the object at the given ID. This means that to modify the attributes field, all User Group fields must be included in the request as the object is intended to be saved. Retrieve all other User Group fields and attribute properties and include them in the request if the goal is only to modify the sudo properties.

cURL to get data from an existing group:

curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY"

Returning something similar to:

{
 "attributes":{
  "ldapGroups":[
      {
         "name":"MYGROUP"
      }
   ]
 }, 
 "id":"60f84e262921680001dbe9ba",
 "name":"My User Group",
 "type":"user_group",
 "email":"[email protected]",
 "description":"A user group for demonstration",
 "memberSuggestionsNotify":false,
 "memberQuery":{
   "queryType":"FilterQuery",
   "filters":[
      {
          "field":"company",
          "operator":"eq",
          "value":"MyCompany"
       }
     ]
   }
}

Modifying User Group Elevated Permissions

To elevate permissions for users in this User Group, add the sudo property to the attributes as below:

"attributes":{
   "ldapGroups":[
      {
         "name":"MYGROUP"
      }
   ]"sudo":{
      "enabled":true,
      "withoutPassword":true
   }
}

Example cURL to elevate permissions for all User members of User Group to passwordless sudo with the above attributes included in the request:


curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
   "attributes":{
      "ldapGroups":[
         {
            "name":"MYGROUP"
         }
      ],
      "sudo":{
         "enabled":true,
         "withoutPassword":true
      }
   },
   "id":"60f84e262921680001dbe9ba",
   "name":"My User Group",
   "type":"user_group",
   "email":"[email protected]",
   "description":"A user group for demonstration",
   "memberSuggestionsNotify":false,
   "memberQuery":{
      "queryType":"FilterQuery",
      "filters":[
         {
            "field":"company",
            "operator":"eq",
            "value":"MyCompany"
         }
      ]
   }
}'

Removing User Group Elevated Permissions

Removing elevated permissions consists of removing the sudo property from the User Group's attributes.

Example cURL to remove elevated permissions with sudo removed:

curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
   "attributes":{
      "ldapGroups":[
         {
            "name":"MYGROUP"
         }
      ]
   },
   "id":"60f84e262921680001dbe9ba",
   "name":"My User Group",
   "type":"user_group",
   "email":"[email protected]",
   "description":"A user group for demonstration",
   "memberSuggestionsNotify":false,
   "memberQuery":{
      "queryType":"FilterQuery",
      "filters":[
         {
            "field":"company",
            "operator":"eq",
            "value":"MyCompany"
         }
      ]
   }
}'

Again, the entirety of the group's properties is included except for the modified attributes which no longer include the sudo property:

"attributes":{
      "ldapGroups":[
         {
            "name":"MYGROUP"
         }
      ]
   }

Verifying User Group Elevated Permissions

  • POSTing and PUTing groups returns the saved object, allowing for inspection of the response for confirmation.

Elevated Permissions User Group → Device Group Associations

Prerequisites:

  • User Group ID (60f84e262921680001dbe9ba for the example)
  • Device Group ID (60d9f2c796021e000117f31a for the example)
  • JumpCloud API Key (redacted for the example)

Creating User Group → Device Group Associations

cURL for creating a new User Group → Device Group association with elevated permissions:

  • This example sets the elevated permissions to passwordless sudo.

curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "add",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a",
        "attributes": {
          "sudo": {
            "enabled": true,
            "withoutPassword": true
          }
        }
      }'

Removing User Group → Device Group Associations

cURL for removing a User Group → Device Group association:

curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "remove",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a"
      }'

Modifying Existing User Group → Device Group Associations

cURL for modifying elevated permissions on an existing User Group → Device Group association:

  • This example sets the elevated permissions to sudo.

curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "update",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a",
        "attributes": {
          "sudo": {
            "enabled": true,
            "withoutPassword": false
          }
        }
      }'

cURL for removing elevated permissions on an existing User Group → Device Group association:

curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY" \
  -d '{
        "op": "update",
        "type": "system_group",
        "id": "60d9f2c796021e000117f31a",
        "attributes": {}
      }'

Again, note that this was accomplished by removing the sudo property from the attributes.

Verifying User Group → Device Group Association Permissions

  • cURL for retrieving User Groups → Device Groups (referred to as system_group in the API) associations:

curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations?targets%5B0%5D=system_group \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $JC_API_KEY"

Returning something similar:

[
  {
    "attributes": {
      "sudo": {
        "withoutPassword": true,
        "enabled": true
      }
    },
    "to": {
      "attributes": null,
      "id": "60d9f2c796021e000117f31a",
      "type": "system_group"
    }
  }
]

  • In this case, the returned JSON indicates that the group has passwordless sudo elevated permissions to the system_group with id 60d9f2c796021e000117f31a.

Note:

The response from the /associations endpoint is a list of Device Groups, so it may return many associations that may need to be inspected to confirm elevated permissions for a specific group.

Permission Caveats

  • It is recommended to have the sudo property as one of two states (below).
  • If no elevated permissions are desired, it is advisable to remove the sudo attribute entirely from the attributes object.

"sudo":{
    "enabled":true,
    "withoutPassword":false
  }

Passwordless sudo:

"sudo":{
    "enabled":true,
    "withoutPassword":true
  }

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case