# Delegated Groups for Treasure Data Administrators

As a TD Administrator, you can create Delegated Groups to which you assign Delegated Admins. Delegated Admins are given a specific set of policies for a designated group of users. In addition to creating, editing, and deleting Delegated Groups and elevating or removing users to and from Delegated Admin roles, you can add and apply specific policies to Delegated Groups.

This topic contains:

* [Create a Delegated Admin](#CreateaDelegatedAdmin)
* [Remove a Delegated Admin](#RemoveaDelegatedAdmin)
* [List Users in a Delegated Group](#ListUsersinaDelegatedGroup)
* [Update Users for a Delegated Group](#UpdateUsersforaDelegatedGroup)
* [List the Delegated Admins for Delegated Group](#ListtheDelegatedAdminsforDelegatedGroup)
* [Update the Delegated Admins of Delegated Group](#UpdatetheDelegatedAdminsofDelegatedGroup)
* [Create a New Delegated Group](#CreateaNewDelegatedGroup)
* [Return a List of Delegated Groups](#ReturnaListofDelegatedGroups)
* [Return the attributes of a Delegated Group](#ReturntheattributesofaDelegatedGroup)
* [Update the Information for a Delegated Group](#UpdatetheInformationforaDelegatedGroup)
* [Delete a Delegated Group](#DeleteaDelegatedGroup)
* [List the Policies for a Delegated Group](#ListthePoliciesforaDelegatedGroup)
* [Update the Policies Set in a Delegated Group](#UpdatethePoliciesSetinaDelegatedGroup)
* [Attach a Policy to a User](#AttachaPolicytoaUser)
* [Detach a Policy from a User](#DetachaPolicyfromaUser)
* [Update Multiple Users with a Policy](#UpdateMultipleUserswithaPolicy)
* [Update a User with Multiple Policies](#UpdateaUserwithMultiplePolicies)

## Create a Delegated Admin

You can elevate a specific user to a Delegated Admin role, which allows them to assign or un-assign permission policies to or from a set of users. Delegated Policies under your purview are restricted to those assigned to you by a TD Administrator.

By default, a Delegated Admin cannot apply policies to themselves. An Admin must explicitly tag the Delegated Admin with the Policy Group by using the HTTP POST method and calling `/v3/policy_group_tags/{policy_group_tag}/users`.

```bash Sample Request
curl -s --location --request POST 'https://{{baseUrl}}/v3/user/delegated_admin/add/{user_email}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "user_email": "hello@world.com",
  "delegated_admin": true
}
```

## Remove a Delegated Admin

You can demote a user from a Delegated Admin using the HTTP POST method as follows.

```bash Sample Request
curl -s --location --request POST 'https://{{baseUrl}}/v3/user/delegated_admin/remove/{user_email}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "user_email": "hello@world.com",
  "delegated_admin": false
}
```

## List Users in a Delegated Group

You can list the users of a Delegated Group using the HTTP GET method for `policy_group_tags` as follows.

```bash Sample Request
curl -s --location --request GET 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/users' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "user_ids": [1, 2, 3]
}
```

## Update Users for a Delegated Group

You can add users to a Delegated Group using the HTTP PATCH method for the policy group tags endpoint.

INFO: A Delegated Admin cannot tag or untag themselves or other Delegated Admins. An Admin and a Delegated Admin can tag any user from within the same account.

```bash Sample Request
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/users' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '{ "user_ids": [1, 2, 3] }'
```

## List the Delegated Admins for Delegated Group

Return the user ids of Delegated Admins that manage a policy group using the HTTP GET method and the following endpoint.

```bash Sample Request
curl -s --location --request GET 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/delegated_admins' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "user_ids": [1, 2]
}
```

## Update the Delegated Admins of Delegated Group

You can tag a list of Delegated Admin user ids to manage a policy group using the HTTP PATCH method and the following endpoint.

```bash Sample Request
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/policy_group_tags/{tag}/delegated_admins' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '{ "user_ids": [1, 2] }'
```

## Create a New Delegated Group

You can create a new Delegated Group to which you can assign a specific set of policies and users.

```bash Sample Request
curl -s --location --request POST 'https://{{baseUrl}}/v3/access_control/policy_groups' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '{ "name": "emea", "description": "emea group" }'
```

```json Sample Response
{
  "id": 1,
  "name": "emea"
}
```

## Return a List of Delegated Groups

You can get a list of Delegated Groups using the HTTP GET method and the following endpoint.

```bash Sample Request
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
[
  {
    "id": 240,
    "account_id": 6598,
    "name": "DG 02",
    "created_at": "2023-12-06T13:02:53Z",
    "updated_at": "2023-12-06T13:02:53Z",
    "taggable_name": "DG 02",
    "description": "DG 02",
    "policy_count": 0
  }
]
```

## Return the attributes of a Delegated Group

You can get a list of attributes for a Delegated Group using its policy group id and the HTTP GET method, as in the example that follows.

```bash Sample Request
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "id": 240,
  "account_id": 6598,
  "name": "DG 02",
  "created_at": "2023-12-06T13:02:53Z",
  "updated_at": "2023-12-06T13:02:53Z",
  "taggable_name": "DG 02",
  "description": "DG 02",
  "policy_count": 0
}
```

## Update the Information for a Delegated Group

You can update the information related to a Delegated Group using the HTTP PATCH method and the following endpoint.

```bash Sample Request
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '{ "name": "some_policy_group", "description": "some_policy_group_description" }'
```

```json Sample Response
{
  "id": 10,
  "account_id": 123,
  "name": "some_policy_group",
  "taggable_name": "some_policy_group",
  "description": "some_policy_group_description",
  "policy_count": 1,
  "created_at": "2012-01-01T12:00:00Z",
  "updated_at": "2012-01-01T12:00:00Z"
}
```

## Delete a Delegated Group

You can delete a Delegated Group by its policy group id using the HTTP DELETE method and the following endpoint.

```bash Sample Request
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

## List the Policies for a Delegated Group

Get a list of policies in a Delegated Group using the HTTP GET method and the following endpoint.

```bash Sample Request
curl -s --location --request GET 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}/policies' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "policy_ids": [1, 2, 3]
}
```

## Update the Policies Set in a Delegated Group

You can update the policies set in a Delegated Group using the HTTP PATCH method and the following endpoint.

```bash Sample Request
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policy_groups/{policy_group_id_or_taggable_name}/policies' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '{ "policy_ids": [1, 2, 3] }'
```

```json Sample Response
{
  "policy_ids": [1, 2, 3]
}
```

## Attach a Policy to a User

You can attach a policy to a user using the HTTP POST method and the following endpoint.

INFO: A Delegated Admin can only attach policies from within a Permission Set Group / Policy Group they manage.

```bash Sample Request
curl -s --location --request POST 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users/{user_id}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

## Detach a Policy from a User

You can detach a policy from a user using the HTTP DELETE method and one of the following endpoints.

```bash Sample Request Option 1
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users/{user_id}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```bash Sample Request Option 2
curl -s --location --request DELETE 'https://{{baseUrl}}/v3/access_control/users/{user_id}/policies/{policy_id}' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json'
```

```json Sample Response
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## Update Multiple Users with a Policy

You can update multiple users with a policy in a Delegated Group using the HTTP PATCH method and the following endpoint.

```bash Sample Request
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/policies/{policy_id}/users' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '{ "user_ids": [1, 2, 3] }'
```

```json Sample Response
[
  {
    "user_id": 123,
    "account_id": 123,
    "permissions": {
      "WorkflowProject": [],
      "WorkflowProjectLevel": [],
      "WorkflowRestrictedOperators": [],
      "Segmentation": [],
      "MasterSegmentConfigs": [],
      "MasterSegmentConfig": [],
      "MasterSegmentColumn": [],
      "MasterSegmentAllColumns": [],
      "CookieConsent": [],
      "SegmentAllFolders": [],
      "SegmentFolder": [],
      "Profiles": [],
      "ProfilesApiToken": [],
      "ActivationTemplate": [],
      "Activation": [],
      "Authentications": [],
      "Sources": [],
      "Destinations": [],
      "Databases": [],
      "UniversalConsent": []
    },
    "policies": [
      {
        "id": 67,
        "account_id": 123,
        "name": "some_policy",
        "description": "written about the policy",
        "user_count": 3
      }
    ]
  }
]
```

## Update a User with Multiple Policies

```bash Sample Request
curl -s --location --request PATCH 'https://{{baseUrl}}/v3/access_control/users/{user_id}/policies' \
  --header 'Authorization: TD1 123/456789xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  --data '[ { "id": 67, "account_id": 123, "name": "some_policy", "description": "written about the policy", "user_count": 3 } ]'
```
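
The following added example (not part of Treasure Data's documentation or tooling) combines the list endpoints above into an access review: it reports which Delegated Admins are also tagged as users of a Delegated Group they manage, the condition under which, per this page, they can apply that group's policies to themselves. It assumes `{tag}` is the group's `taggable_name`; the function names, the `http_fetch` helper and the `SAMPLE` data are illustrative.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

def http_fetch(base_url, api_key):
    """Build fetch(path) for a live account; base_url and api_key come from the caller."""
    def fetch(path):
        req = Request(f"https://{base_url}{path}",
                      headers={"Authorization": f"TD1 {api_key}"})
        with urlopen(req) as resp:
            return json.load(resp)
    return fetch

def self_assignable(fetch):
    """Per Delegated Group, list Delegated Admins who are also tagged users."""
    findings = []
    for group in fetch("/v3/access_control/policy_groups"):
        # Assumption: {tag} in /v3/policy_group_tags/{tag} is the group's taggable_name.
        tag = quote(group["taggable_name"], safe="")
        users = set(fetch(f"/v3/policy_group_tags/{tag}/users")["user_ids"])
        admins = set(fetch(f"/v3/policy_group_tags/{tag}/delegated_admins")["user_ids"])
        overlap = sorted(users & admins)
        if not overlap:
            continue  # default state: no Delegated Admin can self-apply in this group
        policies = fetch(f"/v3/access_control/policy_groups/{group['id']}/policies")
        findings.append({"group": group["name"],
                         "delegated_admins_tagged_as_users": overlap,
                         "self_assignable_policy_ids": sorted(policies["policy_ids"])})
    return findings

# Constructed responses in the shapes of the page's samples (not real account data).
SAMPLE = {
    "/v3/access_control/policy_groups": [
        {"id": 1, "name": "emea", "taggable_name": "emea"},
        {"id": 240, "name": "DG 02", "taggable_name": "DG 02"},
    ],
    "/v3/policy_group_tags/emea/users": {"user_ids": [1, 2, 3]},
    "/v3/policy_group_tags/emea/delegated_admins": {"user_ids": [1, 2]},
    "/v3/access_control/policy_groups/1/policies": {"policy_ids": [1, 2, 3]},
    "/v3/policy_group_tags/DG%2002/users": {"user_ids": [7, 8]},
    "/v3/policy_group_tags/DG%2002/delegated_admins": {"user_ids": [9]},
}

def review_sample():
    return self_assignable(SAMPLE.__getitem__)

if __name__ == "__main__":
    print(json.dumps(review_sample(), indent=2))
```

Against a live account, pass `http_fetch(base_url, api_key)` to `self_assignable` instead of the constructed lookup; each reported group is one where an Admin has explicitly tagged a Delegated Admin and the tagging is worth confirming as intended.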