This article discusses how to use the JumpCloud API to control User Elevated Permissions at the User Group level and/or at the User Group → Device Group Bind level. The goal is to allow administrators to have better high-level control over the permissions that their users have across devices while minimizing the maintenance overhead that can come with managing User Device permissions on an individual basis.
Elevated Permissions on User Groups
Prerequisites:
- User Group ID (60f84e262921680001dbe9ba in the examples)
- JumpCloud API key (redacted in the examples)
Getting Existing User Group Data
Note that the JumpCloud API currently only supports POST
and PUT
for User Groups
. PUT
saves the provided state to the object at the given ID. This means that to modify the attributes field, all User Group
fields must be included in the request as the object is intended to be saved. Retrieve all other User Group
fields and attribute properties and include them in the request if the goal is only to modify the sudo
properties.
cURL to get data from an existing group:
curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY"
Returning something similar to:
{
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]
},
"id":"60f84e262921680001dbe9ba",
"name":"My User Group",
"type":"user_group",
"email":"[email protected]",
"description":"A user group for demonstration",
"memberSuggestionsNotify":false,
"memberQuery":{
"queryType":"FilterQuery",
"filters":[
{
"field":"company",
"operator":"eq",
"value":"MyCompany"
}
]
}
}
Modifying User Group Elevated Permissions
To elevate permissions for users in this User Group, add the sudo
property to the attributes
as below:
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]"sudo":{
"enabled":true,
"withoutPassword":true
}
}
Example cURL to elevate permissions for all User
members of User Group
to passwordless sudo with the above attributes
included in the request:
curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
],
"sudo":{
"enabled":true,
"withoutPassword":true
}
},
"id":"60f84e262921680001dbe9ba",
"name":"My User Group",
"type":"user_group",
"email":"[email protected]",
"description":"A user group for demonstration",
"memberSuggestionsNotify":false,
"memberQuery":{
"queryType":"FilterQuery",
"filters":[
{
"field":"company",
"operator":"eq",
"value":"MyCompany"
}
]
}
}'
Removing User Group Elevated Permissions
Removing elevated permissions consists of removing the sudo
property from the User Group
's attributes.
Example cURL to remove elevated permissions with sudo
removed:
curl -X PUT https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]
},
"id":"60f84e262921680001dbe9ba",
"name":"My User Group",
"type":"user_group",
"email":"[email protected]",
"description":"A user group for demonstration",
"memberSuggestionsNotify":false,
"memberQuery":{
"queryType":"FilterQuery",
"filters":[
{
"field":"company",
"operator":"eq",
"value":"MyCompany"
}
]
}
}'
Again, the entirety of the group's properties is included except for the modified attributes
which no longer include the sudo
property:
"attributes":{
"ldapGroups":[
{
"name":"MYGROUP"
}
]
}
Verifying User Group Elevated Permissions
POST
ing andPUT
ing groups returns the saved object, allowing for inspection of the response for confirmation.
Elevated Permissions User Group → Device Group Associations
Prerequisites:
- User Group ID (60f84e262921680001dbe9ba for the example)
- Device Group ID (60d9f2c796021e000117f31a for the example)
- JumpCloud API Key (redacted for the example)
Creating User Group → Device Group Associations
cURL for creating a new User Group → Device Group association with elevated permissions:
- This example sets the elevated permissions to
passwordless sudo.
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "add",
"type": "system_group",
"id": "60d9f2c796021e000117f31a",
"attributes": {
"sudo": {
"enabled": true,
"withoutPassword": true
}
}
}'
Removing User Group → Device Group Associations
cURL for removing a User Group → Device Group association:
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "remove",
"type": "system_group",
"id": "60d9f2c796021e000117f31a"
}'
Modifying Existing User Group → Device Group Associations
cURL for modifying elevated permissions on an existing User Group → Device Group association:
- This example sets the elevated permissions to
sudo.
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "update",
"type": "system_group",
"id": "60d9f2c796021e000117f31a",
"attributes": {
"sudo": {
"enabled": true,
"withoutPassword": false
}
}
}'
cURL for removing elevated permissions on an existing User Group → Device Group association:
curl -X POST https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY" \
-d '{
"op": "update",
"type": "system_group",
"id": "60d9f2c796021e000117f31a",
"attributes": {}
}'
Again, note that this was accomplished by removing the sudo
property from the attributes.
Verifying User Group → Device Group Association Permissions
- cURL for retrieving User Groups → Device Groups (referred to as
system_group
in the API) associations:
curl https://console.jumpcloud.com/api/v2/usergroups/60f84e262921680001dbe9ba/associations?targets%5B0%5D=system_group \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H "x-api-key: $JC_API_KEY"
Returning something similar:
[
{
"attributes": {
"sudo": {
"withoutPassword": true,
"enabled": true
}
},
"to": {
"attributes": null,
"id": "60d9f2c796021e000117f31a",
"type": "system_group"
}
}
]
- In this case, the returned JSON indicates that the group has
passwordless sudo
elevated permissions to thesystem_group
with id60d9f2c796021e000117f31a.
The response from the /associations
endpoint is a list of Device Groups, so it may return many associations that may need to be inspected to confirm elevated permissions for a specific group.
Permission Caveats
- It is recommended to have the
sudo
property as one of two states (below). - If no elevated permissions are desired, it is advisable to remove the
sudo
attribute entirely from theattributes
object.
"sudo":{
"enabled":true,
"withoutPassword":false
}
Passwordless sudo:
"sudo":{
"enabled":true,
"withoutPassword":true
}