Protegrity AI Team Edition

• 1: Introduction to Protegrity AI Team Edition
• 2: Overview
• 3: Features
• 3.1: NFA
• 3.1.1: Installing NFA
• 3.1.1.1: Prerequisites
• 3.1.1.2: Setting up and Deploying the NFA
• 3.1.2: Protegrity REST APIs
• 3.1.2.1: Accessing the Protegrity REST APIs
• 3.1.2.2: View the Protegrity REST API Specification Document
• 3.1.2.3: Using the Common REST API Endpoints
• 3.1.2.4: Using the Policy Management REST APIs
• 3.1.2.5: Using the Encrypted Resilient Package REST APIs
• 3.1.2.6: Using the Authentication and Token Management REST APIs
• 3.1.3: Protegrity Command Line Interface (CLI) Reference
• 3.1.3.1: Administrator Command Line Interface (CLI) Reference
• 3.1.3.2: Policy Management Command Line Interface (CLI) Reference
• 3.1.3.2.1: Using the Policy Management Command Line Interface (CLI)
• 3.2: Data Discovery
• 3.2.1: Installing Data-Discovery
• 3.3: Gen AI
• 3.3.1: Semantic Guardrails
• 3.3.1.1: Prerequisites
• 3.3.1.2: Installing Semantic Guardrails
• 3.3.1.3: Testing the Semantic Guardrails deployment with NFA
• 3.3.1.4: Configuring Semantic Guardrails with NFA
• 3.3.1.5: Uninstalling Semantic Guardrails
• 3.3.2: Protegrity Agent
• 3.3.2.1: Prerequisites
• 3.3.2.2: Installing Protegrity Agent
• 3.3.2.2.1: Installing Protegrity Agent
• 3.3.2.2.2: Post deployment configurations
• 3.3.2.2.3: Accessing Protegrity Agent
• 3.3.2.3: Configuring Protegrity Agent with NFA
• 3.3.2.4: Using Protegrity Agent
• 3.3.2.5: Appendix - Features and Capabilities
• 3.4: Protectors
• 3.4.1: Application Protector
• 3.4.1.1: Application Protector Java
• 3.4.1.1.1: Installing the Application Protector Java
• 3.4.1.2: Application Protector Python
• 3.4.1.2.1: Installing the Application Protector Python
• 3.4.1.3: Application Protector .Net
• 3.4.1.3.1: Installing the Application Protector .Net
• 3.4.2: Big Data Protector
• 3.4.2.1: Amazon EMR Protector
• 3.4.2.1.1: Installing the Amazon Elastic MapReduce Protector
• 3.4.2.2: CDP-AWS-DataHub Protector
• 3.4.2.2.1: Installing the CDP-AWS-DataHub Protector
• 3.4.3: Application Protector Java Container
• 3.4.3.1: Installing the Application Protector Java Container
• 3.4.4: REST Container
• 3.4.4.1: Installing the REST Container
• 3.4.5: Cloud Protector
• 3.5: Gen AI Add-ons
• 3.5.1: Anonymization
• 3.5.1.1: Installing Anonymization
• 3.5.1.2: Uninstalling and Cleanup Anonymization
• 3.5.2: Synthetic Data
• 3.5.2.1: Installing Synthetic Data
• 3.5.2.2: Uninstalling and Cleanup Synthetic Data

1 - Introduction to Protegrity AI Team Edition

Protegrity AI Team Edition is a container-based data protection solution designed for teams and mid-enterprise organizations that need to safeguard sensitive data across AI, GenAI, and analytics workloads.

It delivers core Protegrity capabilities, including governance, discovery, protection, and privacy. This is provided in a lightweight, containerized form factor that emphasizes fast deployment, simplified operations, and consistent enforcement of data security policies across environments.

Built on a modular, microservices architecture, it moves away from the legacy appliance model to align with modern DevOps practices. The result is a deployment that scales easily, integrates natively with existing CI/CD pipelines, and supports governing agents and securing departmental data.

Purpose and Audience

Protegrity AI Team Edition is intended for:

• Organizations seeking to protect data used in AI or analytics pipelines.
• Teams that require fast deployment cycles and simplified upgrades.
• Customers who need enterprise-grade data protection in a form that can start small, operate independently, and later scale into Protegrity AI Enterprise Edition.

Tech Preview Release Model

A Tech Preview is a controlled early release that allows customers to test new capabilities in real environments before general availability. It lets selected customers peek behind the curtain to try emerging features, validate real-world fit, and provide input on product development before the final, fully supported release. It is not feature-complete, may change based on input, and typically comes without SLA-grade support.

• Release Date: November 17, 2025
• Intended Use: Testing, training, demonstrations, and feedback.
• Known Limitations:
  • No Graphical User Interface (GUI).
  • Policy management limited to create/delete operations.
  • No backup/restore.
  • No audit store policy management.
  • Not upgradable to GA.
  • No license enforcement.
• Restrictions:
  • Not for production use.
  • Does not include all capabilities planned for version 1.0.
  • Setup may require direct assistance from Protegrity.

2 - Overview

The Protegrity AI Team Edition Tech Preview introduces a modern, container-based approach to data protection built on a microservices architecture. It enables organizations to evaluate how Protegrity’s methods, such as, policy management, anonymization, discovery, and semantic controls, integrate into AI and analytics pipelines.

Architecture and Design Principles

Protegrity AI Team Edition delivers core Protegrity capabilities. This includes governance, discovery, protection, privacy, and semantic controls. It is provided in a lightweight, containerized form factor that emphasizes fast deployment, simplified operations, and consistent enforcement of data security policies across environments. It is designed around five engineering goals: ease of deployment, high availability, scalability, extensibility, and maintainability.

Core Services

All deployments include a standardized set of common services delivered by a microservices architecture provide routing, security, and audit capabilities for all features and protectors.

Feature Set

The Tech Preview release of Protegrity AI Team Edition includes a limited but functional subset of capabilities for evaluation.

The various features compatible with Protegrity AI Team Edition are provided here.

* - Available for purchase as an add-on.

Protegrity Protectors

Protegrity AI Team Edition protectors enable organizations to embed data protection directly where data is processed, inside applications, analytics engines, or cloud-native data systems.

Application Protectors

Application protectors provide data protection directly within applications or runtime containers. They are suitable for teams developing secure APIs or microservices that handle sensitive data in languages such as Java, Python, or .NET.

Cloud API Protector

The Cloud API protector extends Protegrity protection to AWS serverless and API-based workloads. It is typically used for securing transient data handled by AWS Lambda or similar function-based architectures.

Cloud-Native Data Warehouse Protectors

Cloud-Native Data Warehouse protectors apply field-level protection inside analytics environments such as Snowflake, Redshift, and Athena. These protectors preserve query usability and analytical fidelity while maintaining data confidentiality.

Big Data Protectors

Big Data protectors integrate with large-scale analytics and data lake environments to secure data during ETL, batch, or stream processing operations.

Features Included in the AI Team Edition

The following features are available with the AI Team Edition:

• Policy Management using AI Agent
• Data Discovery
• Semantic Guardrails
• Any one protector from each of the following families:
  • Application protector
  • Cloud protector
  • Big Data protector

The following features are additional add-ons that must be purchased separately:

• Anonymization
• Synthetic Data

3 - Features

Installing NFA

Before using the AI Team Edition features, install the NFA.

Installing the Gen AI features

Use the automated installer provided or use manual steps for installing the GenAI features. Ensure that the namespaces used are consistent, else features installed using manual steps cannot be removed using the automated installer.

1. Log in to the NFA CLI.
2. Navigate to the deployment/iac-setup directory.
3. Run the following command.

./install_features.sh

4. Enter the number for the feature that must be installed.

Bootstrapping Policy Management

Note: This is an optional step. Please run this if you need to initialize the pim and create sample data elements, datastores, policies etc for testing purposes. This script will not deploy them, it is up to the end user to decide what gets deployed.

Generating Access Token for Authentication

Navigate back to the root directory (deployment/) to run the bootstrap script:

# From iac-setup directory, go back to root
cd ..

# Generate access token
TOKEN=$(curl -s -i -X 'POST' 'https://eclipse.aws.protegrity.com/pty/v1/auth/login/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'loginname=admin' \
  -d 'password=Admin123!' \
  -k  \
  | grep -i 'pty_access_jwt_token:' \
  | awk '{print $2}' \
  | tr -d '\r')

Note: The variable $TOKEN is utilized in subsequent scripts. Therefore, users should execute the above block and initialize the $TOKEN variable prior to running the scripts below.

Running the Bootstrap Script

./bootstrap-pim.sh --host eclipse.aws.protegrity.com --token $TOKEN

Expected output:

Configured host: eclipse.aws.protegrity.com
Wait for devops to come alive
Devops is alive
Bootstrap environment...
Bootstrap done
Wait for hubcontroller to come alive
Hubcontroller is alive
Creating datastores...
Creating roles...
Adding members...
Creating custom alphabet...
Creating masks...
Creating data elements...
Creating policies...
Creating rules...
Creating trusted applications...
Finished!

Note: This example assumes there is an /etc/hosts entry for eclipse.aws.protegrity.com, which points to the address listed for the above load balancer.

Deploying Policies

After the PIM has been initialized, and the resources have been created, you can deploy datastores, applications, and policies.

List available resources:

# List datastores
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://eclipse.aws.protegrity.com/pty/v2/pim/datastores

# List applications
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://eclipse.aws.protegrity.com/pty/v2/pim/applications

# List policies
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://eclipse.aws.protegrity.com/pty/v2/pim/policies

Deploy a combination:

curl -k -H "Authorization: Bearer $TOKEN" -H "content-type: application/json" -X POST https://eclipse.aws.protegrity.com/pty/v2/pim/datastores/1/deploy -d '{"policies": ["1"], "applications": ["1"]}'

Where 1 is the UID from the above requests.

Compatibility list

The following containers and versions are compatible with the AI Team Edition.

3.1 - NFA

Beyond infrastructure, NFA introduces a suite of common microservices that act as the backbone for AI Team Edition features. These include ingress control for secure traffic routing, certificate management for request validation, and robust authentication and authorization services. NFA also integrates Insight for audit logging and analytics, leveraging OpenSearch and OpenDashboards for visualization and compliance reporting. On top of this foundation, AI Team Edition delivers advanced capabilities such as policy management, anonymization, data discovery, semantic guardrails, and synthetic data generation. All these features are orchestrated within the NFA cluster. This modular approach ensures scalability, security, and flexibility, making NFA a strategic enabler for organizations adopting cloud-first and containerized environments.

3.1.1 - Installing NFA

The New Foundational Architecture (NFA) is the core framework that forms the AI Team Edition. It is designed to deliver a modern, cloud-native experience for data security and governance. Built on Kubernetes, NFA uses a containerized architecture that simplifies deployment and scaling. Using OpenTofu scripts and Helm charts, administrators can stand up clusters with minimal manual intervention, ensuring consistency and reducing operational overhead.

3.1.1.1 - Prerequisites

Ensure that you have completed the following prerequisites before deploying the NFA.

Baseline EKS Cluster Setup

This section provides instructions for deploying the NFA baseline environment on an AWS EKS cluster using OpenTofu and Make utility.

Software Prerequisites

Before you begin installing the NFA, ensure you have the following prerequisites met:

1. IAM Roles: Contact your IT team to create the necessary IAM roles with the following permissions to create and manage AWS EKS resources:

• Amazon EKS cluster IAM Role: Required to manage the Kubernetes cluster. This user requires the following policies:
  • AmazonEKSBlockStoragePolicy - This is a managed policy by AWS.
  • AmazonEKSClusterPolicy - This is a managed policy by AWS.
  • AmazonEKSComputePolicy - This is a managed policy by AWS.
  • AmazonEKSLoadBalancingPolicy - This is a managed policy by AWS.
  • AmazonEKSNetworkingPolicy - This is a managed policy by AWS.
  • AmazonEKSVPCResourceController - This is a managed policy by AWS.
  • AmazonEKSServicePolicy - This is a managed policy by AWS.
  • AmazonEBSCSIDriverPolicy - This is a managed policy by AWS.
• Amazon EKS node IAM Role: Required to communicate with the node. This user requires the following policies:
  • AmazonEBSCSIDriverPolicy - This is a managed policy by AWS.
  • AmazonEC2ContainerRegistryReadOnly - This is a managed policy by AWS.
  • AmazonEKS_CNI_Policy - This is a managed policy by AWS.
  • AmazonEKSWorkerNodePolicy - This is a managed policy by AWS.
  • AmazonSSMManagedInstanceCore - This is a managed policy by AWS.
• Amazon EKS node IAM Role: Required to communicate with the node. This user requires the following policies:
  • AmazonEBSCSIDriverPolicy - This is a managed policy by AWS.
  • AmazonEC2ContainerRegistryReadOnly - This is a managed policy by AWS.
  • AmazonEKS_CNI_Policy - This is a managed policy by AWS.
  • AmazonEKSWorkerNodePolicy - This is a managed policy by AWS.
  • AmazonSSMManagedInstanceCore - This is a managed policy by AWS.

For more information about AWS managed policies, refer to the section AWS managed policies for Amazon Elastic Kubernetes Service in the AWS documentation.

2. Jump box or local machine - Use a dedicated EC2 instance (RHEL 10 , Debian 13, Debian 12, or Ubuntu 24.04) for deployment.

3.1.1.2 - Setting up and Deploying the NFA

Perform the following steps to set up and deploy the NFA:

• Downloading and Extracting the Recipe for Deploying NFA
• Installing the NFA

Downloading and Extracting the Recipe for Deploying NFA

This section describes the steps to download and extract the recipe for deploying the NFA.

Note: If you have set up the jump box previously, then run the make clean command. This ensures that the local repository on the jump box and the clusters are cleaned up before proceeding with a new installation.

Download the Team-Edition-All-64_x86-64_0.9.0.12.tar archive from repository and extract it:

# Create deployment directory
mkdir deployment && cd deployment

# Download the archive
wget https://artifactory.protegrity.com/artifactory/eclipse/eclipse-init/latest/Team-Edition-All-64_x86-64_0.9.0.12.tar

# Extract the archive
tar -xvf Team-Edition-All-64_x86-64_0.9.0.12.tar

Installing the NFA

The repository provides a bootstrap script that automatically installs or updates the following software on the jump box:

• AWS CLI - Required to communicate with your AWS account.
• OpenTofu - Required to manage infrastructure as code.
• kubectl - Required to communicate with the Kubernetes cluster.
• Helm - Required to manage Kubernetes packages.
• Make - Required to run the OpenTofu automation scripts.
• jq - Required to parse JSON.

The bootstrap script also checks if you have the required permissions on AWS. It then sets up the EKS cluster and installs the microservices required for deploying the NFA.

The bootstrap script asks for variables to be set to complete your deployment. Follow the instructions on the screen:

./bootstrap.sh

The script will prompt for the following variables. Press ENTER to accept the default value.

1. eks_cluster_name - Name of the EKS cluster. The default value is opencluster-v1.

   The following characters are allowed:

   • Lowercase letters: a-z
   • Numbers: 0-9
   • Hyphens: -

   The following characters are not allowed:

   • Uppercase letters: A-Z
   • Underscores: _
   • Spaces
   • Any special characters such as: / ? * + % ! @ # $ ^ & ( ) = [ ] { } : ; , .
   • Leading or trailing hyphens
   • More than 50 characters

   For guidelines on creating an Amazon EKS cluster, refer to the section Create an Amazon EKS cluster in the Amazon EKS User Guide.

2. vpc_id: The script automatically queries for the available VPCs. Type the VPC ID that is available.

3. private subnet ID - The script automatically queries for the available VPC subnets. You are prompted to enter two private subnet IDs. Specify two private subnet IDs from different regions.
   The script then automatically updates the VPC CIDR block based on your VPC details.

4. ingress_fqdn - Fully Qualified Domain Name for your ingress. The default value is eclipse.aws.protegrity.com.

5. global_image_reg - Global image repository from where the container images will be retrieved. The default value is artifactory.protegrity.com:443.

6. Enter the registry user name. If you are using artifactory as the global image repository, then leave this value blank.

7. Enter registry password. If you are using artifactory as the global image repository, then leave this value blank.

A variables.tf.bak backup file is created that saves a copy of all the values that you have specified for the variables. After you enter all the values, you are prompted to apply the changes to the variables.tf file. Type yes to apply the changes.

Note: The cluster creation process can take 10-15 minutes.

If the session is terminated during installation due to network issues, power outage, and so on, then the installation stops. To restart the installation, run the following commands:

make clean
./boostrap.sh

Accessing the NFA UI

To access the Web UI, you need to map the Ingress hostname to the Load Balancer’s IP address in your local hosts file.

1. Get Ingress Details: Find the hostname and the AWS Load Balancer address.

   kubectl get ingress -A
   

   The output will look something like this:

   NAME      CLASS    HOSTS                      ADDRESS                                                              PORTS   AGE
   eclipse   <none>   eclipse.aws.protegrity.com   internal-a1412...us-east-1.elb.amazonaws.com                         80      20m
   

2. Find the Load Balancer IP: Use ping on the ADDRESS from the output above to resolve its IP address.

   ping internal-a1412824c35d942aa9373733bd3b8cca-391878848.us-east-1.elb.amazonaws.com
   

   Copy the IP address from the ping output (e.g., 192.0.2.1).

3. Update Your Hosts File: Add an entry to your local hosts file to map the hostname to the IP address.

   • Linux/macOS: /etc/hosts
   • Windows: C:\Windows\System32\drivers\etc\hosts

   Example Entry:

   192.0.2.1     eclipse.aws.protegrity.com
   

4. Access the UI: You can now access the Web UI in your browser.

   • URL: https://eclipse.aws.protegrity.com
   • Default User Credentials: user: admin, password: Admin123!

Prerequisites

1. SSH Keys: You need the SSH private key that corresponds to the public key configured in the pty-cli pod.
2. Network Access: Ensure you have network connectivity to the cluster.
3. Hosts File Update: Same as the Web UI access, update your hosts file to map eclipse.aws.protegrity.com to the load balancer IP.

The private key to access the CLI pod will be in the iac-setup directory. The key file is ssh_host_rsa_key.

For Linux/macOS Users

From the iac-setup directory:

ssh -i ssh_host_rsa_key -p 22 ptyitusr@eclipse.aws.protegrity.com

With options to skip host key checking:

ssh -i ssh_host_rsa_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 22 ptyitusr@eclipse.aws.protegrity.com

For Windows Users

1. Using Windows SSH Client (Windows 10/11 with OpenSSH):

   ssh -i C:\path\to\iac-setup\ssh_host_rsa_key -p 22 ptyitusr@eclipse.aws.protegrity.com
   

2. Using PuTTY:

   • Host Name: eclipse.aws.protegrity.com
   • Port: 22
   • Connection Type: SSH
   • Under Connection > SSH > Auth, browse and select your private key file (.ppk format)
   • Username: ptyitusr

CLI Usage

Once connected, you’ll see the Protegrity CLI welcome banner. You’ll be prompted for:

• Username: Your Protegrity application username (default: admin)
• Password: Your Protegrity application password (default: Admin123!)

The CLI supports two main command categories:

• pim: Policy Information Management commands for data protection policies
• admin: User, Role, Permission, and Group management commands

Getting Started with the CLI

Please refer the documentation for the CLI here: Protegrity Command Line Interface (CLI) Reference

Installing Protegrity AI Team Edition Features

This section describes how to install the Protegrity AI Team Edition features on the NFA.

1. Run the following command to navigate to the iac-setup directory.

   cd deployment/iac-setup

2. Run the following command to install the Protegrity AI Team Edition features.

# From iac-setup directory

./install_features.sh

The Protegrity AI Team Edition Features installer for Tech Preview appears. It shows the following options:

--- Install ---
 1. Install Data Discovery
 2. Install Semantic Guardrails
 3. Install Anonymization
 4. Install Synthetic Data
--- Uninstall ---
 5. Uninstall Data Discovery
 6. Uninstall Semantic Guardrails
 7. Uninstall Anonymization
 8. Uninstall Synthetic Data
--- Other ---
 9. List Installed Products
 10. Exit

3. Type any value from 1 to 4 to install the Protegrity AI Team Edition features.

   The corresponding option is executed.

   For example, if you type 1, then the installer installs Data Discover on the NFA.

   After the command is executed, press ENTER to continue.

Note: Before installing Semantic Guardrails, you need to install Data Discovery. If you try and install Semantic Guardrails without installing Data Discovery, then you are first prompted to install Data Discovery.

4. Type any values from 5 to 8 to uninstall any feature that you have already installed. A prompt appears to confirm the installation. Type y to uninstall the feature.

   After the command is executed, press ENTER to continue.

5. Type 9 to list the features that have been installed.

   The installer checks the status of all the products and then displays the installation status for each product.

6. Type 10 to exit the installer.

The installation logs are saved in the /tmp/protegrity_installer.log file.

Bootstrapping Policy Management

Note: This is an optional step. Please run this if you need to initialize the pim and create sample data elements, datastores, policies etc for testing purposes. This script will not deploy them, it is up to the end user to decide what gets deployed.

Generating Access Token for Authentication

Navigate back to the root directory (eclipse-init/) to run the bootstrap script:

# From iac-setup directory, go back to root
cd ..

# Generate access token
TOKEN=$(curl -s -i -X 'POST' 'https://eclipse.aws.protegrity.com/pty/v1/auth/login/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'loginname=admin' \
  -d 'password=Admin123!' \
  -k  \
  | grep -i 'pty_access_jwt_token:' \
  | awk '{print $2}' \
  | tr -d '\r')

Note: The variable $TOKEN is utilized in subsequent scripts. Therefore, users should execute the above block and initialize the $TOKEN variable prior to running the scripts below.

Running the Bootstrap Script

./bootstrap-pim.sh --host eclipse.aws.protegrity.com --token $TOKEN

Expected output:

Configured host: eclipse.aws.protegrity.com
Wait for devops to come alive
Devops is alive
Bootstrap environment...
Bootstrap done
Wait for hubcontroller to come alive
Hubcontroller is alive
Creating datastores...
Creating roles...
Adding members...
Creating custom alphabet...
Creating masks...
Creating data elements...
Creating policies...
Creating rules...
Creating trusted applications...
Finished!

Note: This example assumes there is an /etc/hosts entry for eclipse.aws.protegrity.com, which points to the address listed for the above load balancer.

Deploying Policies

After the PIM has been initialized, and the resources have been created, you can deploy datastores, applications, and policies.

List available resources:

# List datastores
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://eclipse.aws.protegrity.com/pty/v2/pim/datastores

# List applications
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://eclipse.aws.protegrity.com/pty/v2/pim/applications

# List policies
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://eclipse.aws.protegrity.com/pty/v2/pim/policies

Deploy a combination:

curl -k -H "Authorization: Bearer $TOKEN" -H "content-type: application/json" -X POST https://eclipse.aws.protegrity.com/pty/v2/pim/datastores/1/deploy -d '{"policies": ["1"], "applications": ["1"]}'

Where 1 is the UID from the above requests.

Troubleshooting

• Permission denied (publickey): Ensure you’re using the correct private key that matches the authorized_keys in the pod
• Connection refused: Verify the load balancer IP and hosts file configuration
• Key format issues: Ensure your private key is in the correct format (OpenSSH format for Linux/macOS, .ppk for PuTTY)

Management commands

The following section lists the commands to manage the Kubernetes cluster.

Available Makefile Targets

From the iac-setup directory:

• make or make run: Deploys the entire stack
• make clean: Destroys all resources created by setup and cleans up Helm/Kubernetes components
• make check-tools: Verifies that all required CLI tools are installed and available in your PATH

Cleaning up the EKS Resources

To destroy all created resources, including the EKS cluster and related components, run the following commands.

# Navigate setup directory
cd iac-setup

# Clean up all resources
make clean

3.1.2 - Protegrity REST APIs

The Protegrity REST APIs include the following APIs:

• Policy Management REST APIs The Policy Management REST APIs are used to create or manage policies.
• Encrypted Resilient Package APIs The Encrypted Resilient Package REST APIs include the REST API that is used to encrypt and export a resilient package, which is used by the resilient protectors.
  For more information on how the REST API is used to export the encrypted resilient package in an immutable policy deployment, refer to the section DevOps Approach for Application Protector.

3.1.2.1 - Accessing the Protegrity REST APIs

The following section lists the requirements for accessing the Protegrity REST APIs.

1. Available endpoints - Protegrity has enabled the following endpoints to access the REST APIs.

   Base URL

   https://{ESA IP address or Hostname}/pty/<Version>/<API>

   Where:

   • ESA IP address or Hostname: Specifies the IP address or Hostname of the ESA.
   • Version: Specifies the version of the API.
   • API: Endpoint of the REST API.

2. Authentication - You can access the REST APIs using basic authentication, client certificates, or tokens. The authentication depends on the type of REST API that you are using. For more information about accessing the REST APIs using these authentication mechanisms, refer to the section Accessing REST API Resources.

3. Authorization - You must assign the permissions to roles for accessing the REST APIs. For more information about the roles and permissions required, refer to the section Managing Roles.

3.1.2.2 - View the Protegrity REST API Specification Document

The steps mentioned in this section contains the usage of Docker containers and services to download and launch the images for Swagger Editor within a Docker container.

For more information about Docker, refer to the Docker documentation.

The following example uses Swagger Editor to view the REST API specification document. In this example, JSON Web Token (JWT) is used to authenticate the REST API.

1. Install and start the Swagger Editor.

2. Download the Swagger Editor image within a Docker container using the following command.

   docker pull swaggerapi/swagger-editor
   

3. Launch the Docker container using the following command.

   docker run -d -p 8888:8080 swaggerapi/swagger-editor
   

4. Paste the following address on a browser window to access the Swagger Editor using the specified host port.

   http://localhost:8888/
   

5. Download the REST API specification document using the following command.

   curl -H "Authorization: Bearer ${TOKEN}" "https://<NFA IP address or Hostname>/pty/<Version>/<API>/doc" -H "accept: application/x-yaml" --output api-doc.yaml 
   

   In this command:

   • TOKEN is the environment variable that contains the JWT token used to authenticate the REST API.
   • <Version> is the version number of the API. For example, v1 or v2.
   • <API> is the API for which you want to download the OpenAPI specifications document. For example, specify the value as pim to download the OpenAPI specifications for the Policy Management REST API. Similarly, specify the value as auth to download the OpenAPI specifications for the Authentication and Token Management API.
     For more information about the Policy Management REST APIs, refer to the section Using the Policy Management REST APIs.
     For more information about the Authentication and Token Management REST APIs, refer to the section Using the Authentication and Token Management REST APIs

6. Drag and drop the downloaded api-doc.yaml* file into a browser window of the Swagger Editor.

Generating the REST API Samples Using the Swagger Editor

Perform the following steps to generate samples using the Swagger Editor.

1. Open the api-doc.yaml* file in the Swagger Editor.

2. On the Swagger Editor UI, click on the required API request.

3. Click Try it out.

4. Enter the parameters for the API request.

5. Click Execute.

   The generated Curl command and the URL for the request appears in the Responses section.

3.1.2.3 - Using the Common REST API Endpoints

The following section specifies the common operations that are applicable to all the Protegrity REST APIs.

The Base URL for each API will change depending on the version of the API being used. The following table specifies the version that you must use when executing the common operations for each API.

Common REST API Endpoints

The following table lists the common operations for the Protegrity REST APIs.

Retrieving the Supported Service Versions

This API retrieves the service versions that are supported by the corresponding REST API service on the ESA.

Base URL

https://{ESA IP address}/pty/<Version>/<API>

Path

/version

Method

GET

CURL request syntax

curl -H "Authorization: Bearer TOKEN" -X GET "https://{ESA IP address}/pty/<Version>/<API>/version"

In this command, Token indicates the JWT token used for authenticating the API.

Alternatively, you can also store the JWT token in an environment variable named TOKEN, as shown in the following command.

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://{ESA IP address}/pty/<Version>/<API>/version"

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Sample CURL request

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://10.10.101.43/pty/v1/rps/version"

This sample request uses the JWT token authentication.

Sample CURL response

{"version":"1.8.1","buildVersion":"1.8.1-alpha+605.gfe6b1d.master"}

Retrieving the Service Health Information

This API request retrieves the health information of the REST API service and identifies whether the service is running.

Base URL

https://{ESA IP address}/pty/<Version>/<API>

Path

/health

Method

GET

CURL request syntax

curl -H "Authorization: Bearer <TOKEN>" -X GET "https://{ESA IP address}/pty/<Version>/<API>/health"

In this command, Token indicates the JWT token used for authenticating the API.

Alternatively, you can also store the JWT token in an environment variable named TOKEN, as shown in the following command.

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://{ESA IP address}/pty/<Version>/<API>/health"

Authentication credentials

TOKEN - Enviroment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Sample CURL request

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://10.10.101.43/pty/v2/pim/health"

This sample request uses the JWT token authentication.

Sample CURL response

{
  "isHealthy" : true
}

Where,

• isHealthy: true - Indicates that the service is up and running.
• isHealthy: false - Indicates that the service is down.

Retrieving the API Specification Document

This API request retrieves the API specification document.

Base URL

https://{ESA IP address}/pty/<Version>/<API>

Path

/doc

Method

GET

CURL request syntax

curl -H "Authorization: Bearer <Token>" -X GET "https://{ESA IP address}/pty/<Version>/<API>/doc"

In this command, Token indicates the JWT token used for authenticating the API.

Alternatively, you can also store the JWT token in an environment variable named TOKEN, as shown in the following command.

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://{ESA IP address}/pty/<Version>/<API>/doc"

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Sample CURL requests

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://10.10.101.43/pty/v1/rps/doc"

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://10.10.101.43/pty/v1/rps/doc" -o "rps.yaml"

These sample requests uses the JWT token authentication.

Sample CURL responses

The Encrypted Resilient Package API specification document is displayed as a response. If you have specified the “-o” parameter in the CURL request, then the API specification is copied to a file specified in the command. You can use the Swagger UI to view the API specification document.

Retrieving the Log Level

This API request retrieves current log level set for the REST API service logs.

Base URL

https://{ESA IP address}/pty/<Version>/<API>

Path

/log

Method

GET

CURL request syntax

curl -H "Authorization: Bearer <TOKEN>" -X GET "https://{ESA IP address}/pty/<Version>/<API>/log"

In this command, Token indicates the JWT token used for authenticating the API.

Alternatively, you can also store the JWT token in an environment variable named TOKEN, as shown in the following command.

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://{ESA IP address}/pty/<Version>/<API>/log"

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Sample CURL request

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://10.10.101.43/pty/v2/pim/log"

This sample request uses the JWT token authentication.

Sample CURL response

{
  "level": "INFO"
}

Setting Log Level for the REST API Service Log

This API request changes the REST API service log level during run-time. The level set through this resource persists until the corresponding service is restarted. This log level overrides the log level defined in the configuration.

Base URL

https://{ESA IP address}/pty/<Version>/<API>

Path

/log

Method

POST

CURL request syntax

curl -X POST "https://{ESA IP Address}/pty/<Version>/<API>/log" -H "Authorization: Bearer <TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"level\":\"log level\"}"

In this command, Token indicates the JWT token used for authenticating the API.

Alternatively, you can also store the JWT token in an environment variable named TOKEN, as shown in the following command.

curl -X POST "https://{ESA IP Address}/pty/<Version>/<API>/log" -H "Authorization: Bearer ${TOKEN}" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"level\":\"log level\"}"

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Request body elements

log level

Set the log level. The log level can be set to SEVERE, WARNING, INFO, CONFIG, FINE, FINER, or FINEST.

Sample CURL request

curl -X POST "https://{ESA IP Address}/pty/v1/rps/log" -H "Authorization: Bearer ${TOKEN}" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"level\":\"SEVERE\"}"

This sample request uses the JWT token authentication.

Sample response

The log level is set successfully.

3.1.2.4 - Using the Policy Management REST APIs

The user accessing these APIs must have the Security Officer permission for write access and the Security Viewer permission for read-only access.
For more information about the roles and permissions required, refer to the section Managing Roles.

The Policy Management API uses the v2 version.

If you want to perform common operations using the Policy Management REST API, then refer the section Using the Common REST API Endpoints.

The following table provides section references that explain usage of some of the Policy Management REST APIs. It includes an example workflow to work with the Policy Management functions. If you want to view all the Policy Management APIs, then use the /doc API to retrieve the API specification.

Initializing the Policy Management

This section explains how you can initialize Policy Management to create the keys-related data and the policy repository.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/init

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/init" -H "accept: application/json"

This sample request uses the JWT token authentication.

Creating a Manual Role

This section explains how you can create a manual role that accepts all the users.

For more information about working with roles, refer to the section Working with Roles.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/roles

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/roles" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"name\":\"ROLE\",\"mode\":\"MANUAL\",\"allowAll\": true}

This sample request uses the JWT token authentication.

Creating Data Elements

This section explains how you can create data elements.

For more information about working with data elements, refer to the section Working with Data Elements.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/roles

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/dataelements" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"name\": \"DE_ALPHANUM\",\"description\": \"DE_ALPHANUM\",\"alphaNumericToken\":{\"tokenizer\":\"SLT_1_3\",\"fromLeft\": 0,\"fromRight\": 0,\"lengthPreserving\": true, \"allowShort\": \"YES\"}}"

This sample request uses the JWT token authentication.

Creating Policy

This section explains how you can create a policy.

For more information about working with policies, refer to the section Creating Policies.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/policies

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/policies" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"name\":\"POLICY\",\"description\": \"POLICY\", \"template\":{\"access\":{\"protect\":true,\"reProtect\":true,\"unProtect\":true},\"audit\":{\"success\":{\"protect\":false,\"reProtect\":false,\"unProtect\":false},\"failed\":{\"protect\":false,\"reProtect\":false,\"unProtect\":false}}}}"

This sample request uses the JWT token authentication.

Adding Roles and Data Elements to a Policy

This section explains how you can add roles and data elements to a policy.

For more information about adding roles and data elements to a policy, refer to the sections Adding Data Elements to Policy and Adding Roles to Policy respectively.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/policies/1/rules

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/policies/1/rules" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"role\":\"1\",\"dataElement\":\"1\",\"noAccessOperation\":\"EXCEPTION\",\"permission\":{\"access\":{\"protect\":true,\"reProtect\":true,\"unProtect\":true},\"audit\":{\"success\":{\"protect\":false,\"reProtect\":false,\"unProtect\":false},\"failed\":{\"protect\":false,\"reProtect\":false,\"unProtect\":false}}}}"

This sample request uses the JWT token authentication.

Creating a Default Data Store

This section explains how you can create a default data store.

For more information about working with data stores, refer to the section Creating a Data Store.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/datastores

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/datastores" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"name\":\"DS\",\"description\": \"DS\", \"default\":true}"

This sample request uses the JWT token authentication.

Deploying the Data Store

This section explains how you can deploy policies or trusted applications linked to a specific data store or multiple data stores.

For more information about deploying the Data Store, refer to the section Deploying Data Stores to Protectors.

Deploying a Specific Data Store

This section explains how you can deploy policies and trusted applications linked to a specific data store. The specifications provided for the specific data store are applied and becomes the end-result.

Note: If you deploy an array with empty policies or trusted applications, or both, then the connected protectors contain empty definitions for these respective items.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/datastores/{dataStoreUid}/deploy

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address or Hostname}:443/pty/v2/pim/datastores/{dataStoreUid}/deploy" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"policies\":[\"1\"],\"applications\":[\"1\"]}"

This sample request uses the JWT token authentication.

Deploying Data Stores

This section explains how you can deploy data stores, which can contain the linking of either the policies or trusted applications, or both for the deployment.

Note: If you deploy a data store containing an array with empty policies or trusted applications, or both, then the connected protectors contain empty definitions for these respective items.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/deploy

Method

POST

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X POST "https://{ESA IP address}:443/pty/v2/pim/deploy" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"dataStores\":[{\"uid\":\"1\",\"policies\":[\"1\"],\"applications\":[\"1\"]},{\"uid\":\"2\",\"policies\":[\"2\"],\"applications\":[\"2\"]}]}"

This sample request uses the JWT token authentication.

Getting the Deployment Information

This section explains how you can check the complete deployment information. This service returns the list of the data stores with the connected policies and trusted applications.

Note: The result might contain data store information that is pending deployment after combining the Policy Management operations performed through the ESA Web UI and PIM API.

Base URL

https://{ESA IP address or Hostname}/pty/v2

Authentication credentials

TOKEN - Environment variable containing the JWT token.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Path

/pim/deploy

Method

GET

Sample Request

curl -H "Authorization: Bearer ${TOKEN}" -X GET "https://{ESA IP address or Hostname}:443/pty/v2/pim/deploy" -H "accept: application/json"

This sample request uses the JWT token authentication.

3.1.2.5 - Using the Encrypted Resilient Package REST APIs

The Encrypted Resilient Package API is only used by the Immutable Resilient protectors.

Before you begin:

• Ensure that the concept of resilient protectors and necessity of a resilient package is understood.
  For more information on how the REST API is used to export the encrypted resilient package in an immutable policy deployment, refer to the section DevOps Approach for Application Protector.

• Ensure that the RPS service is running on the ESA.

• The user accessing this API must have the Export Resilient Package permission.
  For more information about the roles and permissions required, refer to the section Managing Roles.

The Encrypted Resilient Package API uses the v1 version.

If you want to perform common operations using the Encrypted Resilient Package API, then refer the section Using the Common REST API Endpoints.

The following table provides a section reference to the Encrypted Resilient Package API.

Exporting Resilient Package Using GET Method

This API request exports the resilient package that can be used with resilient protectors. You can use the Basic authentication, Certificate authentication, and JWT authentication for encrypting and exporting the resilient package.

Warning: Do not modify the package that has been exported using the RPS Service API. If you modify the exported package, then the package will get corrupted.

The resilient package that has been exported using the Encrypted Resilient Package API is not FIPS-compliant.

Base URL

https://<ESA IP address or Hostname>/pty/v1/rps

Path

/export

Method

GET

CURL request syntax

Export API

curl -H "Authorization: Bearer <TOKEN>" -X GET https://<ESA IP address or Hostname>/pty/v1/rps/export/<fingerprint>?version=1\&coreVersion=1 -H "Content-Type: application/json" -o rps.json

In this command, TOKEN indicates the JWT token used for authenticating the API.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Query Parameters

fingerprint

Specify the fingerprint of the Data Store Export Key. The fingerprint is used to identify which Data Store to export and which export key to use for protecting the resilient package. The user with the Security Officer permissions must share the fingerprint of the Export Key with the user who is executing this API.

version

Set the schema version of the exported resilient package that is supported by the specific protector.

coreVersion

Set the Core policy schema version that is supported by the specific protector.

Sample CURL request

Export API

curl -H "Authorization: Bearer $<TOKEN>" -X GET https://<ESA IP address or Hostname>/pty/v1/rps/export/a7fdbc0cccc954e00920a4520787f0a08488db8e0f77f95aa534c5f80477c03a?version=1\&coreVersion=1 -H "Content-Type: application/json" -o rps.json

This sample request uses the JWT token authentication.

Sample response

The rps.json file is exported using the public key associated with the specified fingerprint.

Protect the encrypted resilient package with standard file permissions to ensure that only the dedicated protectors can access the package.

Exporting Resilient Package Using POST Method (Deprecated)

Note: The POST method of the Export API has been deprecated. A DevOps user can use this API with any public-private key pair of their choosing. Instead of the POST method, it is recommended to use the GET method for exporting a protected resilient package.
If you want to disable this API, contact Protegrity Support.

This API request exports the resilient package that can be used with resilient protectors. You can use the Basic authentication, Certificate authentication, and JWT authentication for encrypting and exporting the resilient package.

Warning: Do not modify the package that has been exported using the RPS Service API. If you modify the exported package, then the package will get corrupted.

The resilient package that has been exported using the Encrypted Resilient Package API is not FIPS-compliant.

Base URL

https://<ESA IP address or Hostname>/pty/v1/rps

Path

/export

Method

POST

CURL request syntax

Export API - KEK

curl -H "Authorization: Bearer <TOKEN>" -X POST https://<ESA IP address or Hostname>/pty/v1/rps/export\?version=1\&coreVersion=1 -H "Content-Type: application/json" --data '{
    "kek":{
"publicKey":{
"label": "<Key_name>",
"algorithm": "<RSA_Algorithm>",
"value": "<Value of publickey>"
}
}' -o rps.json

In this command, TOKEN indicates the JWT token used for authenticating the API.
For more information about creating a JWT token, refer to the section Generating JWT for REST APIs.

Note: You can download the resilient package only from the IP address that is part of the allowed servers list connected to a Data Store. This is only applicable for the 10.0.x and 10.1.0 protectors.

Query parameters

version

Set the schema version of the exported resilient package that is supported by the specific protector.

coreVersion

Set the Core policy schema version that is supported by the specific protector.

Request body elements

Encryption Method

The kek encryption can be used to protect the exported file.

Sample CURL request

Export API - KEK

curl -H "Authorization: Bearer $<TOKEN>" -X POST https://<ESA IP address or Hostname>/pty/v1/rps/export\?version=1\&coreVersion=1 -H "Content-Type: application/json" --data '{
    "kek":{
"publicKey":{
"label": "key_name",
"algorithm": "RSA_OAEP_SHA256",
"value": "-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1eq9vH5Dq8pwPqOSqB0YdY6ehBRNWCgYhh9z1X093id+42eTRDHMOpLXRLhOMdgOeeyEsue1s5ZEOKY9j2TcaVTRwLhSMfacjugfiknnUESziUi9mt+XFnSgk7n4t5EF7fjvriOQvHCp24xCbtwKQlOT3x4zUs/REyJ8FXSrFEvrzbb/mEFfYhp2J6c90CKYqbDX6SFW8WjphDb/kgqg/KfT8AlsllAnci4CZ+7u0Iw7GsRvEvrVUCbBsXfB7InTst3hTc4A7iiY36kSEn78mXtfLjWiMpzEBxOteohmXKgSAynI7nI8c0ZhHSoZLUSJ2IQUi25ho8uxd/v3fedTTD91zRTxMJKw8XDrwjXllH7FGgsWBUenkO2lRlfIYBDctjv1MB+QJlNo+gOTGg8sJ1czBm20VQHHcyHpCKNu2gKzqWqSU6iGcwGXPCKY8/yEpNyPVFS/i7GAp10jO+QdOBskPviiLFN5kMh05ZGBpyNvfAQantwGv15Ip0RJ3LTQbKE62DAGNcdP6rizwm9SSt0WcG58OenBX5eB0gWBRrZI5s3EkhThYXyxbvFWObMWb/3jMsE+O22NvqAxWSasPR1zS1WBf25ush3v6BGBO4Frl5kBRrTCSSfAZBDha5VqXOqR1XIdQKf8wKn5DSScpMRuyf3ymRGQf915CC7zwp0CAwEAAQ==-----END PUBLIC KEY-----"}
}
}' -o rps.json

This sample request uses the JWT token authentication.

Sample response

The rps.json file is exported.

Protect the encrypted resilient package with standard file permissions to ensure that only the dedicated protectors can access the package.

3.1.2.6 - Using the Authentication and Token Management REST APIs

The Authentication and Token Management API uses the v2 version.

If you want to perform common operations using the Authentication and Token REST API, then refer the section Using the Common REST API Endpoints.

The following table provides section references that explain usage of some of the Authentication and Token REST APIs. It includes sample examples to work with the Authentication and Token functions. If you want to view all the Authentication and Token APIs, then use the /doc API to retrieve the API specification.

Token Management

The following section lists the commonly used APIs to manage tokens.

Generate token

This API explains how you can generate an access token for authenticating the APIs.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/login/token

Method

POST

Request Body

• loginname: User name for authentication.
• password: Password for authentication.

Result This API returns JWT access token in the response header and the refresh token in the response body. You can use the refresh token in the Refresh token API to obtain new access tokens without logging again.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/login/token' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'loginname=<User name>&password=<Password>!'

The login name and password are default for the MVP.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": 0,
  "data": {
    "refreshToken": "eyJhbGciOiJIUzUxMiIsInR5cCcZQ",
    "expiresIn": 1800,
    "refreshExpiresIn": 1800
  },
  "messages": []
}

Response header

content-length: 832 
 content-type: application/json 
 date: Thu,16 Oct 2025 10:30:53 GMT 
 pty_access_jwt_token: eyJhbGciOiJSUzI1NiIsInR4YRUw 
 strict-transport-security: max-age=31536000; includeSubDomains 

Refresh token

This API explains how to refresh an access token using the refresh token.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/login/refresh

Method

POST

Request Body

• refreshToken: Refresh token for getting a new access token.

Result This API returns a new JWT access token in the response header and a new refresh token in the response body. You can use this refresh token to obtain new access tokens without logging again.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/login/token/refresh' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "refreshToken": "eyJhbGciOiJIUzUxMiIsInR5cCINGFeZEf8hw"
}
'

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": 0,
  "data": {
    "refreshToken": "MSkVFZiRl3Jkwi0uJQ",
    "expiresIn": 1800,
    "refreshExpiresIn": 1799
  },
  "messages": []
}

Response header

content-length: 832 
 content-type: application/json 
 date: Thu,16 Oct 2025 10:36:28 GMT 
 pty_access_jwt_token: eyJhbGciOiJSUzI1Nim95VHqh00vHfr8ip9RhyO-4FcxQ 
 strict-transport-security: max-age=31536000; includeSubDomains

Roles and Permissions Management

The following section lists the commonly used APIs for managing user roles and permissions.

List all permissions

This API lists all the permissions that are applicable to the user.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/permissions

Method

GET

Request Body No parameters.

Result This API returns a list of all the permissions available for the logged in user.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/permissions' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

[
  {
    "id": "faf70fd8-1c6d-4209-b64a-e9db37bbf58b",
    "name": "keycloak_viewer",
    "description": "Keycloak Viewer",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "b0ae18f9-fb85-4b1e-86fe-51b9f0fd8e53",
    "name": "cli_admin",
    "description": "Command Line Admin",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "cfb4d416-85f2-4b5b-a7d9-95bedfb5c57f",
    "name": "can_access_ap",
    "description": "Permission to access application",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "f03fcfcd-0aa9-4fcb-862f-01227f093516",
    "name": "can_create_token",
    "description": "Can Create JWT Token",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "ab434af4-8a49-430b-8306-9089744cd37c",
    "name": "keycloak_manager",
    "description": "Keycloak Manager",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "46142cfb-be47-4936-b399-7afcb4eea2cc",
    "name": "web_viewer",
    "description": "Appliance web viewer",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "1ced685a-7a02-4820-84bd-1dafa6273e13",
    "name": "uma_protection",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "f0a84500-e19a-4be2-a712-b01cc94b448d",
    "name": "can_proxy_ap",
    "description": "Proxy for a an application",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "efe391ed-032e-494e-ac62-20368cb4e41e",
    "name": "can_export_certificates",
    "description": "Can download protector certificates",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "43e7648d-49a8-4813-bf86-3d5bf31bfe7c",
    "name": "Shell_Accounts",
    "description": "Accounts that have cli access",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "0bb2cd71-01c4-4634-b77f-2d65dcdb5e8e",
    "name": "can_login_web",
    "description": "Web Login Permission",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "ce93275f-5cd2-4905-8237-89f4dbf2cc48",
    "name": "web_admin",
    "description": "Appliance web manager",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "e70d3988-4dfe-4411-b6df-c2181eb16b03",
    "name": "security_officer",
    "description": "Security Officer",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "aee1f91e-08fa-4c14-94ad-1d3b1cf08d4b",
    "name": "nfa_insight",
    "description": "Access to Insights and Insight Dashboard",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  },
  {
    "id": "28f7ad8b-1d7c-49e0-95c8-6bde2a4bfba5",
    "name": "can_fetch_package",
    "description": "Can download resilient packages",
    "composite": false,
    "clientRole": true,
    "containerId": "a09679da-b559-4856-8d29-6d39aa6485a1"
  }
]

List all roles

This API lists all the roles applicable to the user.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/roles

Method

GET

Request Body No parameters.

Result This API returns a list of all the roles available for the logged in user.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

[
  {
    "name": "directory_admin",
    "description": "Directory Administrator",
    "composite": true,
    "permissions": [
      "keycloak_manager"
    ]
  },
  {
    "name": "policy_proxy_user",
    "description": "Policy Proxy User",
    "composite": true,
    "permissions": [
      "can_proxy_ap"
    ]
  },
  {
    "name": "security_viewer",
    "description": "Security Administrator Viewer",
    "composite": true,
    "permissions": [
      "keycloak_viewer",
      "can_login_web"
    ]
  },
  {
    "name": "policy_user",
    "description": "Policy User",
    "composite": true,
    "permissions": [
      "can_access_ap"
    ]
  },
  {
    "name": "security_admin",
    "description": "Security Administrator",
    "composite": true,
    "permissions": [
      "cli_admin",
      "can_create_token",
      "web_admin",
      "keycloak_manager",
      "security_officer",
      "eclipse_insight",
      "can_fetch_package",
      "can_export_certificates"
    ]
  }
]

Update role

This API enables you to update an existing role and its permissions.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/roles

Method

PUT

Request Body

• name: Role name.
• description: Description of the role.
• permissions: List of permissions that need to be updated for the existing role.

Result This API updates the existing role and its permissions.

Sample Request

curl -X 'PUT' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "admin",
  "description": "Administrator role",
  "permissions": [
    "perm1",
    "perm2"
  ]
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "role_name": "admin",
  "status": "updated"
}

Create role

This API enables you to create a role.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/roles

Method

POST

Request Body

• name: Role name.
• description: Description of the role.
• permissions: List of permissions that need to created for the existing role.

Result This API creates a roles with the requested permissions.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "admin",
  "description": "Administrator role",
  "permissions": [
    "perm1",
    "perm2"
  ]
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "role_name": "admin",
  "status": "created"
}

Delete role

This API enables you to delete a role.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/roles

Method

DELETE

Request Body

• name: Role name.

Result This API deletes the specific role.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "admin"
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "role_name": "admin",
  "status": "deleted"
}

User Management

The following section lists the commonly used APIs for managing users.

Create user endpoint

This API enables you to create a user.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/users

Method

POST

Request Body

• username: Name of the user. This is a mandatory field
• email: Email of the user.
• firstName: First name of the user.
• lastName: Last name of the user.
• enabled: Enable the user.
• password: Password for the user.
• roles: Roles to be assigned to the user.
• groups: Groups in which the user is included.

Result This API creates a user with a unique user ID.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/users' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "username": "alpha",
  "email": "alpha@example.com",
  "firstName": "Alpha",
  "lastName": "User",
  "enabled": true,
  "password": "StrongPassword123!",
  "roles": [
    "directory_admin"
  ]
  
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "user_id": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0",
  "username": "alpha"
}

Fetch users

This API enables you to retrieve the user details.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/users

Method

GET

Request Body No parameters.

Query Parameters

• max: Maximum number of entries that can retrieved.
• first: Number of entries that can be skipped from the start of the data. For example, if you specify the value as 4, then the first four entries will be skipped from the result.

Result This API retrieves a list of users.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/users?max=100&first=0' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

[
  {
    "username": "admin",
    "email": "admin@example.com",
    "firstName": "Admin",
    "lastName": "User",
    "enabled": true,
    "id": "71c573a0-7412-475d-be67-4bf6fdf71404",
    "createdTimestamp": null,
    "attributes": null,
    "emailVerified": true
  },
  {
    "username": "alpha",
    "email": "alpha@example.com",
    "firstName": "Alpha",
    "lastName": "User",
    "enabled": true,
    "id": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0",
    "createdTimestamp": 1760643896108,
    "attributes": null,
    "emailVerified": false
  },
  {
    "username": "dfuser",
    "email": null,
    "firstName": "se",
    "lastName": "se",
    "enabled": false,
    "id": "12770ab4-d3a0-4243-8018-5bb1fb0d06d7",
    "createdTimestamp": 1760425034931,
    "attributes": null,
    "emailVerified": false
  },
  {
    "username": "fds",
    "email": null,
    "firstName": "dsf",
    "lastName": "fs",
    "enabled": false,
    "id": "a1251ca4-664d-469a-b1c1-539fe8c73a9d",
    "createdTimestamp": 1760425052196,
    "attributes": null,
    "emailVerified": false
  },
  {
    "username": "shiva",
    "email": "shiva.v@protegrity.com",
    "firstName": "shiva",
    "lastName": "v",
    "enabled": true,
    "id": "0743b449-c050-4e49-ba95-974cd2069a84",
    "createdTimestamp": 1760433609089,
    "attributes": null,
    "emailVerified": false
  },
  {
    "username": "testuser1",
    "email": null,
    "firstName": "t",
    "lastName": "tes",
    "enabled": true,
    "id": "948c1484-45d7-4df9-aea4-9534ca2d1923",
    "createdTimestamp": 1760424968139,
    "attributes": null,
    "emailVerified": false
  },
  {
    "username": "testuser2",
    "email": null,
    "firstName": "sdf",
    "lastName": "df",
    "enabled": true,
    "id": "d4961126-d324-4166-97e6-2fac1f40566a",
    "createdTimestamp": 1760425012482,
    "attributes": null,
    "emailVerified": false
  }
]

Update user endpoint

This API enables you to update the details of an user.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/users

Method

PUT

Request Body

• id: ID of the user. This is a mandatory field
• email: Email of the user.
• firstName: First name of the user.
• lastName: Last name of the user.
• enabled: Enable the user.
• password: Password for the user.
• roles: Roles to be assigned to the user.
• groups: Groups in which the user is included.

Result This API updates the user details.

Sample Request

curl -X 'PUT' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/users' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "id": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0",
  "email": "alpha@example.com",
  "firstName": "lpha",
  "lastName": "User",
  "enabled": true,
  "roles": [
    "directory_admin"
  ]
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": "updated",
  "userId": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0"
}

Fetch User by Id

This API enables you to fetch the details of a specific user by specifying the user ID.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/users/{user_id}

Method

GET

Request Body No parameters.

Path Parameters

• user_id: Unique ID of the user. This is a mandatory field.

Result This API retrieves the details of the specific user.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/users/7636708c-c714-4e8e-a3e6-f5fc6c49f9c0' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "id": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0",
  "username": "alpha",
  "firstName": "lpha",
  "lastName": "User",
  "email": "alpha@example.com",
  "emailVerified": false,
  "enabled": true,
  "createdTimestamp": 1760643896108,
  "groups": [],
  "roles": [
    "directory_admin"
  ]
}

Delete user endpoint

This API enables you to delete a user.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/users

Method

DELETE

Request Body No parameters.

Path Parameters

• user_id: Unique ID of the user. This is a mandatory field.

Result This API deletes the specified user.

Sample Request

curl -X 'DELETE' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/users/7636708c-c714-4e8e-a3e6-f5fc6c49f9c0' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>'
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": "deleted",
  "user_id": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0"
}

Update user password endpoint

This API enables you to update the password of an existing user.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/users/password

Method

PUT

Request Body

• userId: Unique ID of the user. This is a mandatory field.
• newPassword: New password for the user..
• temporary: Specifies whether the password is temporary and must be changed on next login.

Result This API creates a roles with the requested permissions.

Sample Request

curl -X 'PUT' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/users/password' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <Access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "userId": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0",
  "newPassword": "NewStrongPassword123!",
  "temporary": false
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": "password_updated",
  "userId": "7636708c-c714-4e8e-a3e6-f5fc6c49f9c0",
  "temporary": false
}

Group Management

The following section lists the commonly used APIs for managing groups.

Fetch groups

This API enables you retrieve a list of all the groups.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/groups

Method

GET

Request Body No parameters.

Query Parameters

• max: Maximum number of entries that can be retrieved.
• first: Number of entries that can be skipped from the start of the data. For example, if you specify the value as 4, then the first four entries will be skipped from the result.

Result This API a list of the available groups.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/groups?max=100&first=0' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

[ { “id”: “aee4c370-4e97-4b55-a072-0840fe83a2aa”, “name”: “developers”, “description”: “”, “members”: [ “testuser1”, “testuser2” ], “roles”: [] } ]

Create group endpoint

This API enables you create a group.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/groups

Method

POST

Request Body

• name: Name of the group. This is a mandatory field.
• description: Description of the group.
• members: List of user names that need to be added as members.
• roles: List of role names that need to be assigned to the group.

Result This API creates a group with the specified members and roles.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/groups' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "developers",
  "description": "",
  "members": [
    "testuser1",
    "testuser2"
  ],
  "roles": [
    "service_admin",
    "user_manager"
  ]
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{ “group_id”: “aee4c370-4e97-4b55-a072-0840fe83a2aa”, “name”: “developers”, “status”: “created”, “members_added”: 2, “roles_assigned”: 2 }

Update group endpoint

This API enables you update an existing group.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/groups

Method

PUT

Request Body

• group_id: Unique ID of the group. This is a mandatory field.
• members: Members added to the group.
• roles: Roles assigned to the group.

Result This API updates the existing role and its permissions.

Sample Request

curl -X 'PUT' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/groups' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "group_id": "group-uuid",
  "members": [
    "testuser2"
  ],
  "roles": [
    "service_admin"
  ]
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{ “status”: “updated”, “group_id”: “group-uuid”, “members_updated”: 1, “roles_updated”: 1 }

Delete group end point

This API enables you to delete an existing group.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/groups/{group_id}

Method

DELETE

Request Body No parameters.

Path Parameters

• group_id: ID of the group that needs to be deleted. This is a mandatory field.

Result This API deletes the specified group.

Sample Request

curl -X 'DELETE' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/groups/aee4c370-4e97-4b55-a072-0840fe83a2aa' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": "deleted",
  "group_id": "aee4c370-4e97-4b55-a072-0840fe83a2aa"
}

SAML SSO Configuration

The following section lists the commonly used APIs for managing SAML providers.

List SAML providers

This API enables you to list the existing SAML providers.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/saml/providers

Method

GET

Request Body No parameters

Result This API retrieves a list of the existing SAML providers.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/saml/providers' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

[
{
  "alias": "azuread",
  "displayName": "Protegrity SAML SSO  (Azure AD IDP)",
  "providerId": "saml",
  "enabled": false,
  "config": {
    "postBindingLogout": "false",
    "singleLogoutServiceUrl": "https://login.microsoftonline.com/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/saml2",
    "postBindingResponse": "true",
    "backchannelSupported": "false",
    "caseSensitiveOriginalUsername": "false",
    "encryptionAlgorithm": "RSA-OAEP",
    "xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
    "idpEntityId": "https://sts.windows.net/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/",
    "useMetadataDescriptorUrl": "false",
    "loginHint": "false",
    "allowCreate": "true",
    "enabledFromMetadata": "true",
    "syncMode": "LEGACY",
    "authnContextComparisonType": "exact",
    "singleSignOnServiceUrl": "https://login.microsoftonline.com/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/saml2",
    "wantAuthnRequestsSigned": "true",
    "allowedClockSkew": "0",
    "artifactBindingResponse": "false",
    "validateSignature": "true",
    "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "entityId": "https://nfa.aws.protegrity.com/mysamlapp/saml/metadata",
    "signSpMetadata": "true",
    "wantAssertionsEncrypted": "false",
    "signatureAlgorithm": "RSA_SHA256",
    "sendClientIdOnLogout": "false",
    "wantAssertionsSigned": "false",
    "metadataDescriptorUrl": "https://login.microsoftonline.com/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/federationmetadata/2007-06/federationmetadata.xml?appid=967110c7-a06b-432e-ad40-47859837a76c",
    "sendIdTokenOnLogout": "true",
    "postBindingAuthnRequest": "true",
    "forceAuthn": "false",
    "attributeConsumingServiceIndex": "0",
    "addExtensionsElementWithKeyInfo": "false",
    "principalType": "SUBJECT"
  }
},
{
  "alias": "azured",
  "displayName": "Protegrity 2 SAML SSO  (Azure AD IDP)",
  "providerId": "saml",
  "enabled": true,
  "config": {
    "postBindingLogout": "false",
    "singleLogoutServiceUrl": "https://login.microsoftonline.com/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/saml2",
    "postBindingResponse": "true",
    "backchannelSupported": "false",
    "caseSensitiveOriginalUsername": "false",
    "xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
    "idpEntityId": "https://sts.windows.net/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/",
    "useMetadataDescriptorUrl": "false",
    "loginHint": "false",
    "allowCreate": "true",
    "enabledFromMetadata": "true",
    "syncMode": "LEGACY",
    "authnContextComparisonType": "exact",
    "singleSignOnServiceUrl": "https://login.microsoftonline.com/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/saml2",
    "wantAuthnRequestsSigned": "true",
    "allowedClockSkew": "0",
    "guiOrder": "0",
    "artifactBindingResponse": "false",
    "validateSignature": "true",
    "signingCertificate": "MIIC8DCCAdigAwIBAgIQf++2tyNO+YtIpa4MDh1hiQcoVX",
    "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "entityId": "https://nfa.aws.protegrity.com/mysamlapp/saml/metadata",
    "signSpMetadata": "true",
    "wantAssertionsEncrypted": "false",
    "signatureAlgorithm": "RSA_SHA256",
    "sendClientIdOnLogout": "false",
    "wantAssertionsSigned": "false",
    "metadataDescriptorUrl": "https://login.microsoftonline.com/c3ebfd9e-ec7b-4ab3-a13f-915e941a2785/federationmetadata/2007-06/federationmetadata.xml?appid=967110c7-a06b-432e-ad40-47859837a76c",
    "sendIdTokenOnLogout": "true",
    "postBindingAuthnRequest": "true",
    "forceAuthn": "false",
    "attributeConsumingServiceIndex": "0",
    "addExtensionsElementWithKeyInfo": "false",
    "principalType": "SUBJECT"
  }
}
]

Create SAML provider endpoint

This API enables you to create a SAML provider configuration.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/auth/saml/providers

Method

POST

Request Body

• alias: Unique alias for the SAML provider. This is a mandatory field.
• displayName: Display name for the SAML provider that will appear on the login page. This is a mandatory field.
• configType: Configuration type, either metadata URL or metadata file content. This is a mandatory field.
• metadataUrl: URL to fetch the SAML metadata from the identity provider. For example, https://login.microsoftonline.com/tenant-id/federationmetadata/2007-06/federationmetadata.xml.
• metadataFileContent: SAML metadata XML content as a string. For example, <?xml version=\"1.0\"?>...</EntityDescriptor>.
• signingCertificate: X.509 certificate for signing SAML requests. Use the PEM format without the headers.
• nameIdPolicyFormat: NameID policy format for SAML authentication. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
• forceAuthn: Force re-authentication of the user even if the user is already authenticated.
• validateSignature: Validate the SAML response and assertion signatures.
• wantAssertionsSigned: Require the SAML assertions to be signed.
• wantAssertionsEncrypted: Require the SAML assertions to be encrypted.
• signatureAlgorithm: Signature algorithm for SAML requests. For example, RSA_SHA256.
• attributeMapping: Mapping of SAML attributes to user attributes.
• enabled: Enable or disable the SAML provider.

For details of the each parameter, refer the documentation for the corresponding SAML provider.

Result This API enables you to add a SAML provider.

Sample Request

curl -X 'POST' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/saml/providers' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "alias": "test-azure-ad-saml",
  "displayName": "Test Azure AD SAML",
  "configType": "metadataUrl",
  "metadataUrl": "https://login.microsoftonline.com/tenant-id/federationmetadata/2007-06/federationmetadata.xml",
  "metadataFileContent": "<?xml version=\"1.0\"?>...</EntityDescriptor>",
  "signingCertificate": "MIIDXTCCAkWgAwIBAgIJAL...",
  "nameIdPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
  "forceAuthn": false,
  "validateSignature": true,
  "wantAssertionsSigned": true,
  "wantAssertionsEncrypted": false,
  "signatureAlgorithm": "RSA_SHA256",
  "attributeMapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "enabled": true
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{ “status”: “created”, “alias”: “test-azure-ad-saml”, “configType”: “metadataUrl”, “message”: “SAML provider created successfully from metadata” }

Get SAML provider

This API enables you retrieve the details of a specific SAML provider.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/saml/providers/{alias}

Method

GET

Request Body No parameters.

Path Parameters

• alias: Alias of the SAML provider. This is a mandatory field.

Result This API retrieves the details about the specific SAML provider.

Sample Request

curl -X 'GET' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/saml/providers/azure-ad-saml' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "alias": "azure-ad-saml",
  "displayName": "Azure AD SAML",
  "providerId": "saml",
  "enabled": true,
  "config": {
    "additionalProp1": {}
  }
}

Update SAML provider endpoint

This API enables you update the configurations of an existing SAML provider.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/saml/providers/{alias}

Method

PUT

Request Body No parameters.

Path Parameters

• alias: Alias of the SAML provider that you want to update. This is a mandatory field.

Result This API updates the existing SAML provider.

Sample Request

curl -X 'PUT' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/saml/providers/azure-ad-sampl' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "displayName": "Azure AD SAML Updated",
  "configType": "metadataUrl",
  "metadataUrl": "https://login.microsoftonline.com/new-tenant-id/federationmetadata/2007-06/federationmetadata.xml",
  "metadataFileContent": "string",
  "signingCertificate": "string",
  "nameIdPolicyFormat": "string",
  "forceAuthn": true,
  "validateSignature": true,
  "wantAssertionsSigned": true,
  "wantAssertionsEncrypted": true,
  "signatureAlgorithm": "string",
  "attributeMapping": {
    "additionalProp1": "string",
    "additionalProp2": "string",
    "additionalProp3": "string"
  },
  "enabled": true
}'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{ “status”: “updated”, “alias”: “azure-ad-saml” }

Delete SAML provider endpoint

This API enables you to delete the configuration of an existing SAML provider.

Base URL

https://{NFA IP address or Hostname}/pty/v1

Path

/saml/providers/{alias}

Method

DELETE

Request Body No parameters.

Path Parameters

• alias: Alias of the SAML provider that you want to delete. This is a mandatory field.

Result This API deletes the SAML provider.

Sample Request

curl -X 'DELETE' \
  'https://nfa.aws.protegrity.com/pty/v1/auth/saml/providers/azure-ad-saml' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <access_token>'

This sample request uses the access token for authentication.
For more information about generating the access token, refer to the section Generate token.

Sample Response

The following response appears for the status code 200, if the API is invoked successfully.

Response body

{
  "status": "deleted",
  "alias": "azure-ad-saml"
}

3.1.3 - Protegrity Command Line Interface (CLI) Reference

The Protegrity CLI include the following CLI:

• Administrator CLI: The Administrator CLI is used to perform administrative tasks for the NFA.
• Policy Management CLI: The Policy Management CLI is used to create or manage policies. The CLI performs the same function that can be performed using the Policy Management REST APIs.

3.1.3.1 - Administrator Command Line Interface (CLI) Reference

Main Admin Command

The following command shows to access the help for the admin commands.

user@server$ admin --help

Usage: admin [OPTIONS] COMMAND [ARGS]...

  Users, Roles, Permissions, Groups, SAML and Azure AD management commands.

Options:
  --help  Show this message and exit.

Commands:
  create  Create a resource.
  delete  Delete a resource.
  get     Display one resource.
  list    List resources.
  set     Update fields of a resource.
  test    Test various configurations and connections.

Create Commands

The following section lists the create commands.

Main Create Command

The following command shows how to access help for the create command.

user@server$ admin create --help

Usage: admin create [OPTIONS] COMMAND [ARGS]...

  Create a resource.

Options:
  --help  Show this message and exit.

Commands:
  entra-id               Create Entra ID configuration.
  entra-id-import-users  Import Entra ID users with role assignments.
  groups                 Create a new group.
  roles                  Create a new role.
  saml-mappers           Create an attribute mapper for a SAML provider.
  saml-providers         Create a new SAML SSO provider.
  users                  Create a new user.

Create Entra-id

The following command shows how to access help for the create entra-id command. It also provides examples on how to create a an Entra ID configuration.

user@server$ admin create entra-id --help

Usage: admin create entra-id [OPTIONS]

  Create Entra ID configuration.

  Required Entra ID Setup:
  1. Register an application in Entra ID
  2. Grant Microsoft Graph API permissions:
     - User.Read.All (Application)
     - Group.Read.All (Application) - if importing groups
  3. Create a client secret for the application
  4. Note the Tenant ID, Application (Client) ID, and Client Secret

  Examples:
      admin create entra-id --tenant-id "12345678-1234-1234-1234-123456789012" --client-id "87654321-4321-4321-4321-210987654321" --client-secret "your-secret-here"

Options:
  -t, --tenant-id TEXT      Entra ID Tenant ID  [required]
  -c, --client-id TEXT      Entra ID Application (Client) ID  [required]
  -s, --client-secret TEXT  Entra ID Application Client Secret  [required]
  --enabled / --disabled    Enable/disable configuration
  --help                    Show this message and exit.

Create Entra-id-import-users

The following command shows how to access help for the create entra-id-import-users command. It also provides examples on how to import Entra ID users.

user@server$ admin create entra-id-import-users --help

Usage: admin create entra-id-import-users [OPTIONS]

  Import Entra ID users with role assignments.

  Import users from Entra ID into the application with role assignments.
  Users must be provided via JSON data.

  JSON Format:
  {
      "users": [
          {
              "userPrincipalName": "john.doe@company.com",
              "email": "john.doe@company.com",
              "firstName": "John",
              "lastName": "Doe",
              "roles": ["admin", "user"]
          }
      ],
      "dryRun": false
  }

  Examples:
      # Direct JSON input
      admin create entra-id-import-users --json-data '{"users":[{"userPrincipalName":"john@company.com","email":"john@company.com","firstName":"John","lastName":"Doe","roles":["user"]}]}'

      # Dry run with JSON
      admin create entra-id-import-users --json-data '{"users":[...]}' --dry-run

Options:
  --dry-run             Validate import without creating users
  -j, --json-data TEXT  JSON string with users data to import directly
                        [required]
  --help                Show this message and exit.

Create Groups

The following command shows how to access help for the create groups command. It also provides examples on how to create a group.

user@server$ admin create groups --help

Usage: admin create groups [OPTIONS]

  Create a new group.

  Examples:
      admin create groups --name developers --description "Development team"
      admin create groups --name admins --members "john,jane" --roles "admin,user_manager"
      admin create groups --name operators --description "System operators" --members "user1,user2" --roles "operator"

Options:
  -n, --name TEXT         Group name  [required]
  -d, --description TEXT  Group description
  -m, --members TEXT      Comma-separated list of usernames to add as members
  -r, --roles TEXT        Comma-separated list of role names to assign to group
  --help                  Show this message and exit.

Create Roles

The following command shows how to access help for the create roles command. It also provides examples on how to create a role.

user@server$ admin create roles --help

Usage: admin create roles [OPTIONS]

  Create a new role.

  Examples:
      admin create roles --name manager --description "Manager role"
      admin create roles --name admin --permissions "security_officer"
      admin create roles --name operator --description "System operator" --permissions "security_officer"

Options:
  -n, --name TEXT         Role name  [required]
  -d, --description TEXT  Role description
  -p, --permissions TEXT  Comma-separated list of permission names
  --help                  Show this message and exit.

Create Saml-mappers

The following command shows how to access help for the create saml-mappers command. It also provides examples on how to create an attribute mapper for a SAML provider.

user@server$ admin create saml-mappers --help

Usage: admin create saml-mappers [OPTIONS] PROVIDER_ALIAS

  Create an attribute mapper for a SAML provider.

  Examples:
      admin create saml-mappers azure-ad --name email-mapper --mapper-type saml-user-attribute-idp-mapper --attribute-name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" --user-attribute email
      admin create saml-mappers azure-ad --name role-mapper --mapper-type saml-role-idp-mapper --attribute-value admin --role admin

Options:
  -n, --name TEXT                 Name of the attribute mapper  [required]
  --mapper-type [saml-user-attribute-idp-mapper|saml-role-idp-mapper|saml-advanced-group-idp-mapper|saml-username-idp-mapper]
                                  Type of mapper  [required]
  --sync-mode TEXT                Sync mode for the mapper
  --attribute-name TEXT           SAML attribute name to map from
  --user-attribute TEXT           User attribute to map to
  --attribute-value TEXT          SAML attribute value for role mapping
  --role TEXT                     Role to assign
  --group TEXT                    Group to assign users to
  --template TEXT                 Username template
  --attributes TEXT               Key-value pairs for attribute mapping (JSON
                                  format)
  --help                          Show this message and exit.

Create Saml-providers

The following command shows how to access help for the create saml-providers command. It also provides examples on how to create a new SAML SSO provider.

user@server$ admin create saml-providers --help 

Usage: admin create saml-providers [OPTIONS]

  Create a new SAML SSO provider.

  Examples:
      admin create saml-providers --alias azure-ad --display-name "Azure AD" --config-type metadataUrl --service-provider-entity-id "https://your-keycloak.com/realms/your-realm" --metadata-url "https://..."
      admin create saml-providers --alias okta --display-name "Okta" --config-type metadataFile --service-provider-entity-id "https://your-keycloak.com/realms/your-realm" --metadata-file /path/to/metadata.xml

Options:
  -a, --alias TEXT                Unique alias for the SAML provider
                                  [required]
  -d, --display-name TEXT         Display name shown in login pages
                                  [required]
  --config-type [metadataUrl|metadataFile]
                                  Configuration type  [required]
  --service-provider-entity-id TEXT
                                  Service Provider Entity ID  [required]
  --metadata-url TEXT             URL to fetch SAML metadata (for metadataUrl
                                  type)
  --metadata-file FILENAME        Path to SAML metadata XML file (for
                                  metadataFile type)
  --signing-certificate TEXT      X.509 certificate for signing (PEM format
                                  without headers)
  --name-id-format TEXT           NameID Policy Format
  --force-authn / --no-force-authn
                                  Force re-authentication
  --validate-signature / --no-validate-signature
                                  Validate SAML response signatures
  --want-assertions-signed / --no-want-assertions-signed
                                  Require signed assertions
  --want-assertions-encrypted / --no-want-assertions-encrypted
                                  Require encrypted assertions
  --signature-algorithm TEXT      Signature algorithm for SAML requests
  --post-binding-response / --no-post-binding-response
                                  Use POST binding for SAML responses
  --post-binding-authn-request / --no-post-binding-authn-request
                                  Use POST binding for SAML authentication
                                  requests
  --post-binding-logout / --no-post-binding-logout
                                  Use POST binding for SAML logout requests
  --want-authn-requests-signed / --no-want-authn-requests-signed
                                  Sign SAML authentication requests
  --attribute-mapping TEXT        Attribute mapping as JSON string or
                                  key=value pairs
  --enabled / --disabled          Enable/disable the provider
  --store-token / --no-store-token
                                  Store tokens returned by the identity
                                  provider
  --help                          Show this message and exit.

Create Users

The following command shows how to access help for the create users command. It also provides examples on how to create a user.

user@server$ admin create users --help

Usage: admin create users [OPTIONS]

  Create a new user.

  Examples:
      admin create users --username john.doe --email john@example.com
      admin create users --username jane --email jane@example.com --first-name Jane --last-name Smith --roles "admin,user"

Options:
  -u, --username TEXT     Username  [required]
  -e, --email TEXT        Email address
  --first-name TEXT       First name
  --last-name TEXT        Last name
  -p, --password TEXT     Password
  --enabled / --disabled  Enable/disable user
  --roles TEXT            Comma-separated list of role names
  --groups TEXT           Comma-separated list of group names
  --help                  Show this message and exit.

Delete Commands

The following section lists the delete commands.

Main Delete Command

The following command shows how to access help for the delete command.

user@server$ admin delete --help

Usage: admin delete [OPTIONS] COMMAND [ARGS]...

  Delete a resource.

Options:
  --help  Show this message and exit.

Commands:
  entra-id        Delete Entra ID configuration.
  groups          Delete a group.
  roles           Delete a role.
  saml-mappers    Delete an attribute mapper for a SAML provider.
  saml-providers  Delete a SAML SSO provider.
  users           Delete a user by ID.

Delete Entra-id

The following command shows how to access help for the delete entra-id command. It also provides examples on how to delete Entra ID configuration.

user@server$ admin delete entra-id --help

Usage: admin delete entra-id [OPTIONS]

  Delete Entra ID configuration.

  Warning: This action cannot be undone and will permanently remove
  all stored Entra ID settings.

  Examples:
      admin delete entra-id

Options:
  --help  Show this message and exit.

Delete Groups

The following command shows how to access help for the delete groups command. It also provides examples on how to delete a group.

user@server$ admin delete groups --help

Usage: admin delete groups [OPTIONS] GROUP_ID

  Delete a group.

  Examples:
      admin delete groups group-uuid-here

Options:
  --help  Show this message and exit.

Delete Roles

The following command shows how to access help for the delete roles command. It also provides examples on how to delete a role.

user@server$ admin delete roles --help

Usage: admin delete roles [OPTIONS] ROLE_NAME

  Delete a role.

  Examples:
      admin delete roles admin

Options:
  --help  Show this message and exit.

Delete Saml-mappers

The following command shows how to access help for the delete saml-mappers command. It also provides examples on how to delete an attribute mapper for a SAML provider.

user@server$ admin delete saml-mappers --help

Usage: admin delete saml-mappers [OPTIONS] PROVIDER_ALIAS MAPPER_ID

  Delete an attribute mapper for a SAML provider.

  Examples:
      admin delete saml-mappers azure-ad mapper-uuid

Options:
  --help  Show this message and exit.

Delete Saml-providers

The following command shows how to access help for the delete saml-providers command. It also provides examples on how to delete a SSL SAML provider.

user@server$ admin delete saml-providers --help

Usage: admin delete saml-providers [OPTIONS] ALIAS

  Delete a SAML SSO provider.

  Examples:
      admin delete saml-providers azure-ad

Options:
  --help  Show this message and exit.

Delete Users

The following command shows how to access help for the delete users command. It also provides examples on how to delete a user.

user@server$ admin delete users --help

Usage: admin delete users [OPTIONS] USER_ID

  Delete a user by ID.

  Examples:
      admin delete users USER_ID

Options:
  --help  Show this message and exit.

Get Commands

The following section lists the get commands.

Main Get Command

The following command shows how to access help for the get command.

user@server$ admin get --help

Usage: admin get [OPTIONS] COMMAND [ARGS]...

  Display one resource.

Options:
  --help  Show this message and exit.

Commands:
  entra-id        Get Entra ID configuration details.
  groups          Get detailed information about a specific group.
  password-policy Get password policy details.
  roles           Get detailed information about a specific role.
  saml-mappers    Get detailed information about a SAML Mappers...
  saml-providers  Get detailed information about a specific SAML...
  users           Get detailed information about a specific user.

Get Entra-id

The following command shows how to access help for the get entra-id command. It also provides examples on how to get current Entra ID configuration.

user@server$ admin get entra-id --help

Usage: admin get entra-id [OPTIONS]

  Get current Entra ID configuration.

  Examples:
      admin get entra-id

Options:
  --help  Show this message and exit.

Get Groups

The following command shows how to access help for the get groups command. It also provides examples on how to get detailed information about a group.

user@server$ admin get groups --help

Usage: admin get groups [OPTIONS] GROUP_ID

  Get detailed information about a specific group.

  Examples:
      admin get groups group-uuid-here
      admin get groups developers

Options:
  --help  Show this message and exit.

Get Password-policy

The following command shows how to access help for the get password-policy command. It also provides examples on how to get details about the password policy.

user@server$ admin get password-policy --help

Usage: admin get password-policy [OPTIONS] POLICY_ID

  Get password policy details.

  Examples:
      admin get password-policy policy-uuid-here

Options:
  --help  Show this message and exit.

Get Roles

The following command shows how to access help for the get roles command. It also provides examples on how to get detailed information about a role.

user@server$ admin get roles --help

Usage: admin get roles [OPTIONS] ROLE_NAME

  Get detailed information about a specific role.

  Examples:
      admin get roles admin

Options:
  --help  Show this message and exit.

Get Saml-mappers

The following command shows how to access help for the get saml-mappers command. It also provides examples on how to get detailed information about a SAML provider including its mappers.

user@server$ admin get saml-mappers --help

Usage: admin get saml-mappers [OPTIONS] ALIAS

  Get detailed information about a SAML provider including its mappers.

  Examples:
      admin get saml-mappers azure-ad

Options:
  --help  Show this message and exit.

Get Saml-providers

The following command shows how to access help for the get saml-providers command. It also provides examples on how to get detailed information about a specific SAML provider.

Usage: admin get saml-providers [OPTIONS] ALIAS

  Get detailed information about a specific SAML provider.

  Examples:
      admin get saml-providers tttt
      admin get saml-providers azure-ad-saml

Options:
  --help  Show this message and exit.

Get Users

The following command shows how to access help for the get users command. It also provides examples on how to get detailed information about a user.

user@server$ admin get users --help

Usage: admin get users [OPTIONS] USER_ID

  Get detailed information about a specific user.

  Examples:
      admin get users USER_ID
      admin get users 12345-uuid

Options:
  --help  Show this message and exit.

List Commands

The following section lists the list commands.

Main List Command

The following command shows how to access help for the list command.

user@server$ admin list --help

Usage: admin list [OPTIONS] COMMAND [ARGS]...

  List resources.

Options:
  --help  Show this message and exit.

Commands:
  entra-id-users  Search Entra ID users.
  groups          List all groups with their members and roles.
  permissions     List all available permissions.
  roles           List all roles.
  saml-mappers    List all attribute mappers for a SAML provider.
  saml-providers  List all SAML SSO providers.
  users           List all users.

List Entra-id-users

The following command shows how to access help for the list entra-id-users command. It also provides examples on how to list all the Entra ID users.

user@server$ admin list entra-id-users --help

Usage: admin list entra-id-users [OPTIONS]

  Search Entra ID users.

  Search across userPrincipalName, givenName, surname, and mail fields.
  If no search query provided, returns all enabled users (up to 50).

  Examples:
      admin list entra-id-users
      admin list entra-id-users --search "john"
      admin list entra-id-users --search "smith"

Options:
  -s, --search TEXT  Search query to find users
  --help             Show this message and exit.

List Groups

The following command shows how to access help for the list groups command. It also provides examples on how to list all group with their member and roles.

user@server$ admin list groups --help

Usage: admin list groups [OPTIONS]

  List all groups with their members and roles.

  Examples:
      admin list groups
      admin list groups --max 10
      admin list groups --max 5 --first 10

Options:
  -m, --max INTEGER    Maximum number of groups to return
  -f, --first INTEGER  Offset for pagination
  --help               Show this message and exit.

List Permissions

The following command shows how to access help for the list permissions command. It also provides examples on how to list all the available permissions.

user@server$ admin list permissions --help

Usage: admin list permissions [OPTIONS]

  List all available permissions.

  Examples:
      admin list permissions
      admin list permissions --filter "read*"

Options:
  -f, --filter TEXT  Filter permissions by name pattern
  --help             Show this message and exit.

List Roles

The following command shows how to access help for the list roles command. It also provides examples on how to list all the available roles.

user@server$ admin list roles --help

Usage: admin list roles [OPTIONS]

  List all roles.

  Examples:
      admin list roles

Options:
  --help  Show this message and exit.

List Saml-mappers

The following command shows how to access help for the list saml-mappers command. It also provides examples on how to list all attribute mappers for a SAML provider.

user@server$ admin list saml-mappers --help

Usage: admin list saml-mappers [OPTIONS] PROVIDER_ALIAS

  List all attribute mappers for a SAML provider.

  Examples:
      admin list saml-mappers azure-ad

Options:
  --help  Show this message and exit.

List Saml-providers

The following command shows how to access help for the list saml-providers command. It also provides examples on how to list all SAML SSO providers.

user@server$ admin list saml-providers --help

Usage: admin list saml-providers [OPTIONS]

  List all SAML SSO providers.

  Examples:
      admin list saml-providers

Options:
  --help  Show this message and exit.

List Users

The following command shows how to access help for the list users command. It also provides examples on how to list all the available users.

user@server$ admin list users --help

Usage: admin list users [OPTIONS]

  List all users.

  Examples:
      admin list users
      admin list users --max 10
      admin list users --max 5 --first 10

Options:
  -m, --max INTEGER    Maximum number of users to return
  -f, --first INTEGER  Offset for pagination
  --help               Show this message and exit.

Set Commands

The following section lists the set commands.

Main Set Command

The following command shows how to access help for the set command.

user@server$ admin set --help

Usage: admin set [OPTIONS] COMMAND [ARGS]...

  Update fields of a resource.

Options:
  --help  Show this message and exit.

Commands:
  entra-id                Update existing Entra ID configuration.
  groups                  Update an existing group.
  lock_user               Lock a user account.
  roles                   Update an existing role.
  saml-providers          Update an existing SAML SSO provider.
  unlock_user             Unlock a user account and set a new password.
  update_password         Update user password.
  password_policy  Update password policy configuration.
  users                   Update an existing user.

Set Entra-id

The following command shows how to access help for the set entra-id command. It also provides examples on how to update an existing Entra ID configuration.

user@server$ admin set entra-id --help

Usage: admin set entra-id [OPTIONS]

  Update existing Entra ID configuration.

  Only provided fields are updated. Configuration is tested if credentials are changed.

  Examples:
      admin set entra-id --enabled
      admin set entra-id --client-secret "new-secret-here"
      admin set entra-id --tenant-id "new-tenant-id" --client-id "new-client-id"

Options:
  -t, --tenant-id TEXT      Update Entra ID Tenant ID
  -c, --client-id TEXT      Update Entra ID Application (Client) ID
  -s, --client-secret TEXT  Update Entra ID Application Client Secret
  --enabled / --disabled    Enable/disable configuration
  --help                    Show this message and exit.

Set Groups

The following command shows how to access help for the set groups command. It also provides examples on how to update an existing group.

user@server$ admin set groups --help

Usage: admin set groups [OPTIONS] GROUP_ID

  Update an existing group.

  Examples:
      admin set groups group-uuid --members "john,jane,bob"
      admin set groups group-uuid --roles "admin,user_manager"
      admin set groups group-uuid --members "user1,user2" --roles "operator,viewer"

Options:
  -m, --members TEXT  Comma-separated list of usernames (replaces existing members)
  -r, --roles TEXT    Comma-separated list of role names (replaces existing roles)
  --help              Show this message and exit.

Set Lock_user

The following command shows how to access help for the set lock_user command. It also provides examples on how to lock a user account.

user@server$ admin set lock_user --help

Usage: admin set lock_user [OPTIONS] USER_ID

  Lock a user account.

  Examples:
      admin set lock_user USER_ID

Options:
  --help  Show this message and exit.

Set Password-policy

The following command shows how to access help for the set password-policy command. It also provides examples on how to update an existing password policy.

user@server$ admin set password_policy --help

Usage: admin set password_policy [OPTIONS]

  Update password policy configuration.

Options:
  --policy TEXT  Password policy configuration as JSON string.
                 
                 Common Keys:
                 - length: Minimum password length
                 - digits: Number of digits required
                 - lowerCase: Number of lowercase characters required
                 - upperCase: Number of uppercase characters required
                 - specialChars: Number of special characters required
                 - notUsername: Password cannot be same as username (0 or 1)
                 - passwordHistory: Number of previous passwords to remember
                 - maxLength: Maximum password length
                 
                 Examples:
                     admin set password_policy --policy '{"length": 8, "digits": 1, "upperCase": 1, "specialChars": 1}'
                     admin set password_policy --policy '{"length": 12, "digits": 2, "lowerCase": 1, "upperCase": 1, "specialChars": 2, "notUsername": 1}'
                     admin set password_policy --policy '{"length": 10, "passwordHistory": 5, "maxLength": 128}'   [required]
  --help         Show this message and exit.

Set Roles

The following command shows how to access help for the set roles command. It also provides examples on how to update an existing role.

user@server$ admin set roles --help

Usage: admin set roles [OPTIONS] ROLE_NAME

  Update an existing role.

  Examples:
      admin set roles admin --description "Updated admin role"
      admin set roles manager --permissions "security_officer"
      admin set roles operator --description "System operator" --permissions "security_officer"

Options:
  -d, --description TEXT  New role description
  -p, --permissions TEXT  Comma-separated list of permission names (replaces existing)
  --help                  Show this message and exit.

Set Saml-providers

The following command shows how to access help for the set saml-providers command. It also provides examples on how to update an existing SAML SSO provider.

user@server$ admin set saml-providers --help

Usage: admin set saml-providers [OPTIONS] ALIAS

  Update an existing SAML SSO provider.

  Only the parameters you explicitly provide will be updated.

  Examples:
      admin set saml-providers azure-ad --display-name "New Azure AD"
      admin set saml-providers Test --enabled
      admin set saml-providers Test --disabled
      admin set saml-providers Test --force-authn
      admin set saml-providers Test --no-validate-signature
      admin set saml-providers Test --metadata-url "https://new-metadata-url.com"
      admin set saml-providers Test --signature-algorithm "RSA_SHA512"

Options:
  -d, --display-name TEXT         Update display name for the provider
  --config-type [metadataUrl|metadataFile]
                                  Update configuration type
  --service-provider-entity-id TEXT
                                  Update Service Provider Entity ID
  --metadata-url TEXT             Update metadata URL
  --metadata-file FILENAME        Update metadata file content
  --signing-certificate TEXT      Update signing certificate
  --name-id-policy-format TEXT    Update NameID Policy Format
  --force-authn                   Enable force authentication
  --no-force-authn                Disable force authentication
  --validate-signature            Enable signature validation
  --no-validate-signature         Disable signature validation
  --want-assertions-signed        Require signed assertions
  --no-want-assertions-signed     Don't require signed assertions
  --want-assertions-encrypted     Require encrypted assertions
  --no-want-assertions-encrypted  Don't require encrypted assertions
  --signature-algorithm TEXT      Update signature algorithm
  --post-binding-response         Enable POST binding for responses
  --no-post-binding-response      Disable POST binding for responses
  --post-binding-authn-request    Enable POST binding for auth requests
  --no-post-binding-authn-request
                                  Disable POST binding for auth requests
  --post-binding-logout           Enable POST binding for logout
  --no-post-binding-logout        Disable POST binding for logout
  --want-authn-requests-signed    Enable authentication request signing
  --no-want-authn-requests-signed
                                  Disable authentication request signing
  --attribute-mapping TEXT        Update attribute mapping (JSON format)
  --enabled                       Enable the provider
  --disabled                      Disable the provider
  --store-token                   Enable token storage
  --no-store-token                Disable token storage
  --help                          Show this message and exit.

Set Unlock_user

The following command shows how to access help for the set unlock_user command. It also provides examples on how to unlock a user account and set a new password.

user@server$ admin set unlock_user --help

Usage: admin set unlock_user [OPTIONS] USER_ID

  Unlock a user account and set a new password.

  Examples:
      admin set unlock_user USER_ID --password "NewPassword123!"
      admin set unlock_user USER_ID -p "StrongPass123!"

Options:
  -p, --password TEXT  New password to set after unlocking  [required]
  --help               Show this message and exit.

Set Update_password

The following command shows how to access help for the set update_password command. It also provides examples on how to update user password.

user@server$ admin set update_password --help

Usage: admin set update_password [OPTIONS] USER_ID

  Update user password.

  Examples:
      admin set update_password USER_ID --new-password "NewPassword123!" --old-password "OldPass123!"
      admin set update_password USER_ID -n "NewPass123!" -o "OldPass123!"

Options:
  -n, --new-password TEXT  New password  [required]
  -o, --old-password TEXT  Current password for validation  [required]
  --help                   Show this message and exit.

Set Users

The following command shows how to access help for the set users command. It also provides examples on how to update an existing user.

user@server$ admin set users --help

Usage: admin set users [OPTIONS] USER_ID

  Update an existing user.

  Examples:
      admin set users USER_ID --email newemail@example.com
      admin set users USER_ID --enabled --roles "admin,manager"

Options:
  -e, --email TEXT        New email address
  --first-name TEXT       New first name
  --last-name TEXT        New last name
  --enabled / --disabled  Enable/disable user
  --roles TEXT            Comma-separated list of role names (replaces existing)
  --groups TEXT           Comma-separated list of group names (replaces existing)
  --help                  Show this message and exit.

Test Commands

The following section lists the test commands.

Main Test Command

The following command shows how to access help for the test command.

user@server$ admin test --help

Usage: admin test [OPTIONS] COMMAND [ARGS]...

  Test various configurations and connections.

Options:
  --help  Show this message and exit.

Commands:
  entra-id  Test Entra ID connection.

Test Entra-id

The following command shows how to access help for the test entra-id command. It also provides examples on how to test an Entra ID connection.

user@server$ admin test entra-id --help

Usage: admin test entra-id [OPTIONS]

  Test Entra ID connection.

  Test Options:
  1. Test stored configuration: --use-stored
  2. Test provided credentials: --tenant-id, --client-id, --client-secret

  Examples:
      admin test entra-id --use-stored
      admin test entra-id --tenant-id "tenant-id" --client-id "client-id" --client-secret "secret"

Options:
  --use-stored              Test stored configuration
  -t, --tenant-id TEXT      Entra ID Tenant ID (for direct test)
  -c, --client-id TEXT      Entra ID Application (Client) ID (for direct test)
  -s, --client-secret TEXT  Entra ID Application Client Secret (for direct
                            test)
  --help                    Show this message and exit.

3.1.3.2 - Policy Management Command Line Interface (CLI) Reference

Main Pim Command

The following command shows to access the help for the pim commands.

user@server$ pim --help

Usage: pim [OPTIONS] COMMAND [ARGS]...

  Policy Information Management commands.

Options:
  --help  Show this message and exit.

Commands:
  create  Create a resource.
  delete  Delete a resource.
  get     Display one or many resources.
  invoke  Invoke resource by operation defined by the API.
  set     Update fields of a resource.

Invoke Commands

The following section lists the invoke commands.

Main Invoke Command

The following command shows how to access help for the invoke command.

user@server$ pim invoke --help

Usage: pim invoke [OPTIONS] COMMAND [ARGS]...

  Invoke resource by operation defined by the API.

Options:
  --help  Show this message and exit.

Commands:
  datastores  Commands for deploying datastore resources.
  init        Bootstrap PIM - Initialize the Policy Information system.
  roles       Commands for synchronizing role resources.
  sources     Commands for testing source resources.

Invoke Datastores

The following command shows how to access help for the invoke datastores command. It also provides examples on how to deploy datastore resources.

user@server$ pim invoke datastores --help

Usage: pim invoke datastores [OPTIONS] COMMAND [ARGS]...

  Commands for deploying datastore resources.

Options:
  --help  Show this message and exit.

Commands:
  deploy  Deploy policies and/or trusted applications to a specific datastore.

Invoke Datastores Types

The following commands show how to access help for the invoke datastores <type> command.

Invoke Datastores Deploy

The following command shows how to access help for the invoke datastores deploy command. It also provides examples on how to deploy policies or trusted applications or both to a specific datastore.

user@server$ pim invoke datastores deploy --help

Usage: pim invoke datastores deploy [OPTIONS] DATASTORE_UID

  Deploy policies and/or trusted applications to a specific datastore.

  EXAMPLES:

  # Deploy single policy to datastore
  pim invoke datastores deploy 15 --policies 1

  # Deploy multiple policies to datastore
  pim invoke datastores deploy 15 --policies 1 --policies 2 --policies 3

  # Deploy trusted applications to datastore
  pim invoke datastores deploy 15 --applications 1 --applications 2

  # Deploy both policies and applications together
  pim invoke datastores deploy "<datastore-uid>" --policies 1 --policies 2 --applications 1 --applications 2

  # Clear all deployments (deploy empty configuration)
  pim invoke datastores deploy 42

  WORKFLOW:
  # Step 1: Verify datastore exists and is accessible
  pim get datastores datastore <datastore-uid>

  # Step 2: List available policies and applications
  pim get policies policy
  pim get applications application

  # Step 3: Deploy to  datastore
  pim invoke datastores deploy <datastore-uid> --policies <policy-uid> --applications <app-uid>

Options:
  --policies TEXT      UIDs of policies to deploy (can be specified multiple
                       times).
  --applications TEXT  UIDs of trusted applications to deploy (can be
                       specified multiple times).
  --help               Show this message and exit.

Invoke Init

The following command shows how to access help for the invoke init command. It also provides examples on how to initialize the Policy Information Management system.

user@server$ pim invoke init --help

Usage: pim invoke init [OPTIONS]

  Bootstrap PIM - Initialize the Policy Information Management system.

  EXAMPLES:

  # Initialize PIM system for first-time setup
  pim invoke init

Options:
  --help  Show this message and exit.

Invoke Roles

The following command shows how to access help for the invoke roles command. It also provides examples on how to synchronize role resources.

user@server$ pim invoke roles --help

Usage: pim invoke roles [OPTIONS] COMMAND [ARGS]...

  Commands for synchronizing role resources.

Options:
  --help  Show this message and exit.

Commands:
  sync  Synchronize all group members for a role with external identity sources.

Roles Types

The following commands show how to access help for the invoke roles <type> command.

Invoke Roles Sync

The following command shows how to access help for the invoke roles sync command. It also provides examples on how to synchronize all group members for a role.

user@server$ pim invoke roles sync --help

Usage: pim invoke roles sync [OPTIONS] ROLE_UID

  Synchronize all group members for a role with external identity sources.

  EXAMPLES:

  # Synchronize role members with LDAP/AD source
  pim invoke roles sync 15

Options:
  --help  Show this message and exit.

Invoke Sources

The following command shows how to access help for the invoke sources command. It also provides examples on how to test source resources.

user@server$ pim invoke sources --help

Usage: pim invoke sources [OPTIONS] COMMAND [ARGS]...

  Commands for testing source resources.

Options:
  --help  Show this message and exit.

Commands:
  test  Tests the connection and functionality of a source.

Invoke Sources Types

The following commands show how to access help for the invoke sources <type> command.

Invoke Sources Test

The following command shows how to access help for the invoke sources test command. It also provides examples on how to test the connection to a member source.

user@server$ pim invoke sources test --help

Usage: pim invoke sources test [OPTIONS] UID

  Tests the connection and functionality of a source.

  EXAMPLES:

  # Basic connectivity test
  pim invoke sources test 15

Options:
  --help  Show this message and exit.

Create Commands

The following section lists the create commands.

Main Create Command

The following command shows how to access help for the create command.

user@server$ pim create --help

Usage: pim create [OPTIONS] COMMAND [ARGS]...

  Create a resource.

Options:
  --help  Show this message and exit.

Commands:
  alphabets     Creates a new alphabet.
  applications  Creates a new application.
  dataelements  Creates a new data element of a specific type.
  datastores    Commands for creating datastore resources.
  deploy        Deploys policies and/or trusted applications to a datastore.
  masks         Creates a new mask with specified masking pattern and configuration.
  policies      Creates a new policy or rule.
  roles         Creates a new role or adds members to a role.
  sources       Creates a new source.

Create Alphabets

The following command shows how to access help for the create alphabets command. It also provides examples on how to create an alphabet.

user@server$ pim create alphabets --help

Usage: pim create alphabets [OPTIONS]

  Creates a new alphabet.

  EXAMPLES:

  # Create alphabet combining existing alphabets (use numeric UIDs from 'pim get alphabets')
  pim create alphabets --label "LatinExtended" --alphabets "1,2"

  # Create alphabet with Unicode ranges (Basic Latin + punctuation)
  pim create alphabets --label "ASCIIPrintable" --ranges '[{"from": "0020", "to": "007E"}]'

  # Create alphabet with specific code points (more than 10 examples)
  pim create alphabets --label "SpecialChars" --code-points "00A9,00AE,2122,2603,2615,20AC,00A3,00A5,00B5,00B6,2020,2021,2030,2665,2660"

  # Create complex alphabet with multiple options (use numeric UIDs)
  pim create alphabets --label "CompleteSet" --alphabets "1,3,5"  --ranges '[{"from": "0100", "to": "017F"}, {"from": "1E00", "to": "1EFF"}]' --code-points "20AC,00A3,00A5"

  # Create mathematical symbols alphabet
  pim create alphabets --label "MathSymbols" --ranges '[{"from": "2200", "to": "22FF"}, {"from": "2190", "to": "21FF"}]'

Options:
  --label TEXT        The label for the custom alphabet.  [required]
  --alphabets TEXT    Comma-separated list of alphabet UIDs.
  --ranges TEXT       JSON string of code point ranges. For example, '[{"from":
                      "0020", "to": "007E"}]'.
  --code-points TEXT  Comma-separated list of code points.
  --help              Show this message and exit.

Create Applications

The following command shows how to access help for the create applications command. It also provides examples on how to create a trusted application.

user@server$ pim create applications --help

Usage: pim create applications [OPTIONS]

  Creates a new application.

  EXAMPLES:

  # Create a basic application with required fields
  pim create applications --name "WebApp" --application-name "mywebapp" --application-user "webuser"

  # Create application with description
  pim create applications --name "DatabaseApp" --description "Main database application" --application-name "dbapp" --application-user "dbuser"

Options:
  --name TEXT              Name of the application.  [required]
  --description TEXT       Description of the application.
  --application-name TEXT  The application name or the application loading the
                           API jar file.  [required]
  --application-user TEXT  The application user or the OS user.  [required]
  --help                   Show this message and exit.

Create Dataelements

The following command shows how to access help for the create dataelements command. It also provides examples on how to create a data element.

user@server$ pim create dataelements --help

Usage: pim create dataelements [OPTIONS] COMMAND [ARGS]...

  Creates a new data element of a specific type.

  AVAILABLE PROTECTION TYPES:

  # Encryption Methods:
  - aes128-cbc-enc       # AES-128 CBC encryption
  - aes128-cusp-enc      # AES-128 CUSP encryption  
  - aes256-cbc-enc       # AES-256 CBC encryption
  - aes256-cusp-enc      # AES-256 CUSP encryption
  - triple-des-cbc-enc   # 3DES CBC encryption
  - triple-des-cusp-enc  # 3DES CUSP encryption
  - sha1-hmac-enc        # SHA1 HMAC encryption (deprecated)
  - sha256-hmac-enc      # SHA256 HMAC encryption
  - no-enc               # No encryption (clear text)

  # Tokenization Methods:
  - token numeric        # Numeric tokens
  - token alphabetic     # Alphabetic tokens
  - token alpha-numeric  # Alphanumeric tokens
  - token printable      # Printable character tokens
  - token unicode        # Unicode tokens
  - token credit-card    # Credit card specific tokens
  - token email          # Email specific tokens

  # Format Preserving Encryption (FPE):
  - fpe numeric          # Numeric FPE
  - fpe alphabetic       # Alphabetic FPE
  - fpe alpha-numeric    # Alphanumeric FPE

  # Special Protection Types:
  - masking              # Data masking using NoEnc
  - monitor              # Data monitoring using NoEnc

Options:
  --help  Show this message and exit.

Commands:
  aes128-cbc-enc       Creates a new AES-128-CBC-ENC data element.
  aes128-cusp-enc      Creates a new AES-128-CUSP-ENC data element.
  aes256-cbc-enc       Creates a new AES-256-CBC-ENC data element.
  aes256-cusp-enc      Creates a new AES-256-CUSP-ENC data element.
  fpe                  Creates a new FPE (Format Preserving Encryption)...
  masking              Creates a new masking data element using NoEnc...
  monitor              Creates a new monitoring data element using NoEnc...
  no-enc               Creates a new No-Enc data element.
  sha1-hmac-enc        Creates a new SHA1-HMAC-ENC data element...
  sha256-hmac-enc      Creates a new SHA256-HMAC-ENC data element.
  token                Creates a new token data element of a specific type.
  triple-des-cbc-enc   Creates a new 3DES-CBC-ENC data element.
  triple-des-cusp-enc  Creates a new 3DES-CUSP-ENC data element.

Create Dataelements Types

The following commands show how to access help for the create dataelements <type> command. It also provides examples on how to create a data element of a specific type.

Create Dataelements aes128 cbc enc

The following command shows how to access help for the create dataelements aes128-cbc-enc command. It also provides examples on how to create a AES-128-CBC-ENC data element.

user@server$ pim create dataelements aes128-cbc-enc --help

Usage: pim create dataelements aes128-cbc-enc [OPTIONS]

  Creates a new AES-128-CBC-ENC data element.

  EXAMPLES:

  # Create basic AES-128 encryption data element
  pim create dataelements aes128-cbc-enc --name "BasicEncryption" --description "Basic data encryption"

  # Create with all security features enabled
  pim create dataelements aes128-cbc-enc --name "FullSecurityEnc" --description "Full security encryption" --iv-type "SYSTEM_APPEND" --checksum-type "CRC32" --cipher-format "INSERT_KEYID_V1"

Options:
  --name TEXT                               The name for the data element.  [required]
  --description TEXT                        An optional description for the data element.
  --iv-type [NONE|SYSTEM_APPEND]            Initialization Vector type.
  --checksum-type [NONE|CRC32]              Checksum type.
  --cipher-format [NONE|INSERT_KEYID_V1]    Cipher format.
  --help                                    Show this message and exit.