To review your changes, retrieve the changelog of the transaction. For details about the transaction model of Safeguard for Privileged Sessions, see How to configure Safeguard for Privileged Sessions using REST.
GET https:<IP-address-of-Safeguard for Privileged Sessions>/api/transaction/changes
| Header name | Description | Required | Values |
|---|---|---|---|
| session_id | Contains the authentication token of the user | Required |
The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format). |
The following command retrieves the changelog of the transaction.
curl --cookie cookies https://<IP-address-of-Safeguard for Privileged Sessions>/api/transaction/changes
The response contains the list of changes performed in the transaction, as list of JSON objects. Every change has a type and a path, other elements depend on the type of the transaction. For example, when you delete an object, the changelog includes the deleted object in the old_value field.
| Element | Type | Description |
|---|---|---|
| new_order | list | The new order of a list after the change. This field is available for reorder transactions. |
| new_value | string or JSON object | The value of the object after the change. For example, the new value of a parameter. |
| old_order | string or JSON object | The order of a list before the change. This field is available for reorder transactions. |
| old_value | string or JSON object | The value of the object before the change. For example, the value of a deleted object. |
| path | string | Path of the changed endpoint or object. |
| type | string | The type of the change. One of: create, delete, reorder, replace |
The following is a sample response received if the changelog is empty.
{
"meta": {
"href": "/api/transaction/changes",
"parent": "/api/transaction",
"transaction": "/api/transaction"
},
"changes": []
}
The following is a sample changelog received after deleting a Channel policy.
{
"meta": {
"href": "/api/transaction/changes",
"parent": "/api/transaction",
"transaction": "/api/transaction"
},
"changes": [
{
"old_value": {
"name": "deny",
"rules": []
},
"path": "/api/configuration/ssh/channel_policies/94615110156697e93121f3",
"type": "delete"
}
]
}
The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.
| Code | Description | Notes |
|---|---|---|
| 200 | OK | Transaction changelog has been retrieved successfully. |
| 401 | Unauthenticated | The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 401 | AuthenticationFailure | Authenticating the user with the given credentials has failed. |
| 405 | UnsupportedMethod | You tried using an unsupported HTTP method. Use the GET method to retrieve the changelog a transaction. |
In addition to the standard HTTP status codes, in certain cases, the Safeguard for Privileged Sessions REST server provides additional information in the response about the error. The following table contains a brief description of such errors. For more details, see the error object in the response body.
| Code | Description | Notes |
|---|---|---|
| 400 | InvalidRequestBody | The request body sent by the user has an invalid format. This may be an error with the encoding or the body is not a properly encoded JSON value. |
| 400 | ConfigTreeNotAvailable | An error occurred while preparing the configuration tree for the REST API. |
| 400 | SyntacticError | A value to be set is not accepted syntactically. The details section contains the path that was found to be invalid. |
| 400 | InvalidPath | The path provided by the client contains a syntax error. Path components are restricted to contain only lowercase alphanumeric characters, the dash (-) and the underscore (_) characters. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 400 | SemanticError | The configuration contains semantic errors, inconsistencies or other problems that would put the system into an unreliable state if the configuration had been applied. The details section contains the errors that were found in the configuration. |
| 401 | Unauthenticated | The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 401 | AuthenticationFailure | Authenticating the user with the given credentials has failed. |
| 403 | Unauthorized | The requested resource cannot be retrieved because the client is not authorized to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 404 | NodeNotFound | The requested endpoint does not exist in the configuration. The details section contains the path that you tried to access, but could not be retrieved. |
| 404 | NodeNotAvailable | The requested endpoint exists in the configuration, however, it is not available directly. The details section contains the path that you tried to access, but could not be retrieved. |
| 405 | UnsupportedMethod | The requested resource does not support the given method. The details section contains the attempted method. |
| 405 | PutNotAllowed | Replacing the specified path is not supported. |
| 405 | MethodNotAllowed | An attempt was made to change a configuration subtree in an unsupported way. |
| 405 | PostNotAllowed | Posting to the specified path is not supported. |
| 405 | GetNotAllowed | Querying the specified path is not supported. |
| 405 | DeleteNotAllowed | Deleting the specified path is not supported. |
| 409 | MidAirCollisionSemanticError | This error occurs when the configuration has been changed by another client between starting and committing a transaction, and the changes in the transaction would interfere semantically with the changes of that other user. The recommended strategy to resolve this error is to review the changes made in the failing transaction, then roll it back, start a new transaction, redo the changes, and finally, commit the new transaction. |
| 409 | WebGuiOrRpcApiConfigInProgress | The configuration of Safeguard for Privileged Sessions is locked. Opening a new transaction is not allowed while another user is modifying configuration through interfaces other than the REST API. For example, web GUI, console, and so on. |
| 409 | MidAirCollision | This error occurs when the configuration has been changed by another client between starting and committing a transaction, and the changes in the transaction would overwrite or interfere with the changes of that other user. The recommended strategy to resolve this error is to review the changes made in the failing transaction, then roll it back, start a new transaction, redo the changes, and finally, commit the new transaction. |
| 409 | NoTransaction | An attempt was made to change the configuration when no transaction was open. |
| 409 | DoubleTransaction | This error is returned when the client attempts to open a transaction while another transaction of that client is already started. |
| 417 | Expectation Failed |
If you receive the "417 - Expectation Failed" error code when using curl, use curl with the --http1.0 or the -H "Expect:" option. |
| 500 | CommitMessageMissing | This error is returned when a commit message is required for committing a transaction, but it was not provided in the commit request. |
| 500 | TransactionCommitError | Unexpected internal errors during committing a transaction are interpreted as TransactionCommitError. |
| 500 | AuthorizationError | The request could not be authorized due to an unexpected internal error. |
The main starting point of navigating the Safeguard for Privileged Sessions configuration using REST is the https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration endpoint. If you query this endpoint, the response contains a list of other endpoints that you can follow to list the various resources of Safeguard for Privileged Sessions, or to list the objects of a specific resource. For example, https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/rdp lists resources related to controlling the Remote Desktop (RDP) protocol, while https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/rdp/channel_policies lists the available RDP Channel Policies.
Note that when you want to create an object that references another object (for example, a Channel Policy that uses a Content Policy), then the referenced object (in this case, the Content Policy) must already exist. For details, see Using the Safeguard for Privileged Sessions REST API.
To modify or delete an object, you need the ID of the object. For details, see Using the Safeguard for Privileged Sessions REST API and Using the Safeguard for Privileged Sessions REST API.
The following is a sample command to query the https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration endpoint, and a sample response.
curl --cookie cookies https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration
Response status: 200
--- BEGIN RESPONSE BODY ---
{
"meta": {
"first": "/api/configuration",
"href": "/api/configuration",
"last": "/api/configuration",
"next": null,
"parent": null,
"previous": null,
"transaction": "/api/transaction"
},
"items": [
{
"key": "aaa",
"meta": {
"href": "/api/configuration/aaa"
}
},
{
"key": "alerting",
"meta": {
"href": "/api/configuration/alerting"
}
},
{
"key": "datetime",
"meta": {
"href": "/api/configuration/datetime"
}
},
{
"key": "http",
"meta": {
"href": "/api/configuration/http"
}
},
{
"key": "ica",
"meta": {
"href": "/api/configuration/ica"
}
},
{
"key": "local_services",
"meta": {
"href": "/api/configuration/local_services"
}
},
{
"key": "management",
"meta": {
"href": "/api/configuration/management"
}
},
{
"key": "network",
"meta": {
"href": "/api/configuration/network"
}
},
{
"key": "passwords",
"meta": {
"href": "/api/configuration/passwords"
}
},
{
"key": "plugins",
"meta": {
"href": "/api/configuration/plugins"
}
},
{
"key": "policies",
"meta": {
"href": "/api/configuration/policies"
}
},
{
"key": "private_keys",
"meta": {
"href": "/api/configuration/private_keys"
}
},
{
"key": "rdp",
"meta": {
"href": "/api/configuration/rdp"
}
},
{
"key": "reporting",
"meta": {
"href": "/api/configuration/reporting"
}
},
{
"key": "ssh",
"meta": {
"href": "/api/configuration/ssh"
}
},
{
"key": "telnet",
"meta": {
"href": "/api/configuration/telnet"
}
},
{
"key": "troubleshooting",
"meta": {
"href": "/api/configuration/troubleshooting"
}
},
{
"key": "vnc",
"meta": {
"href": "/api/configuration/vnc"
}
},
{
"key": "x509",
"meta": {
"href": "/api/configuration/x509"
}
}
]
}
--- END RESPONSE BODY ---
To delete a configuration object (for example, a policy), use a DELETE request with the ID of the object as the key.
You cannot delete policies or objects that are used in other policies (for example, you cannot delete a Time policy that is used in a Channel policy).
To delete an element of a list (for example, a user from a local user database), use a PUT request. The body the request should include the entire object, but remove the element you want to delete from the related list of the object.
You cannot delete built-in policies that are available on Safeguard for Privileged Sessions by default.
You must commit your changes to take effect. For details, see Using the Safeguard for Privileged Sessions REST API.
DELETE https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/<endpoint>/<object-id>
| Header name | Description | Required | Values |
|---|---|---|---|
| session_id | Contains the authentication token of the user | Required |
The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. Note that this session ID refers to the connection between the REST client and the Safeguard for Privileged Sessions REST API. It is not related to the sessions that Safeguard for Privileged Sessions records (and which also have a session ID, but in a different format). |
The following command deletes an RDP Channel policy.
curl --cookie cookies -X DELETE -https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/rdp/channel_policies/<object-id>
The following is a sample response received.
{
"meta": {
"first": "/api/configuration/rdp/channel_policies/-20100",
"href": "/api/configuration/rdp/channel_policies/<id-of-the-deleted-object>",
"last": "/api/configuration/rdp/channel_policies/<id-of-the-deleted-object>",
"next": null,
"parent": "/api/configuration/rdp/channel_policies",
"previous": "/api/configuration/rdp/channel_policies/655555",
"transaction": "/api/transaction"
}
}
The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.
| Code | Description | Notes |
|---|---|---|
| 200 | OK | The resource was successfully deleted. |
| 401 | Unauthenticated | The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 401 | AuthenticationFailure | Authenticating the user with the given credentials has failed. |
| 409 | Conflict | No open Transaction is available. Open a transaction before using this request. For details, see Using the Safeguard for Privileged Sessions REST API. |
To create a new object (for example, a new policy), complete the following steps.
Authenticate and open a transaction.
Post the new object as a JSON object to the appropriate resource URL.
If successful, the REST server creates an ID for the new object, and returns it in the key field of the response.
Commit the transaction.
Note the following points when you create a request:
Note that you cannot simply use the JSON from the response of a similar object. If the object contains references to other resources (for example, a Channel policy references a Time policy), then the JSON object contains an embedded meta object. To get a valid JSON that you can use, you have to replace this embedded object with the ID (key) of the referenced object. For example, the following is a reference to a Time policy:
"time_policy": {
"key": "-100",
"meta": {
"href": "/api/configuration/policies/time_policies/-100"
}
}
In a POST or PUT request, you have to change it to the following:
"time_policy": "-100",
You have to include empty fields in the object as well, for example:
"users": [
{ "certificates": [], "passwords": [ "<reference-to-password>" ], "public_keys": [], "username": "myusername" }
]
The body wrapper that is displayed in the response is not needed when you create or modify an object, for example:
{
"name": "my-local-user-database",
"users": [
{ "certificates": [], "passwords": [ "<reference-to-password>" ], "public_keys": [], "username": "myusername" }
]
}POST https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/<path-to-the-parent-resource>
| Header name | Description | Required | Values |
|---|---|---|---|
| Content-Type | Specifies the type of the data sent. Safeguard for Privileged Sessions uses the JSON format | Required | application/json |
| session_id | Contains the authentication token of the user | Required | The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. |
The following command creates a new RDP Channel policy. The data content of the request is read from the file body.json
curl -H "Content-Type: application/json" -d @body.json --cookie session_id=1aca4793549c6f22aecd98bc1047d1bf32dd76ef -X POST https://<object-id>/api/configuration/rdp/channel_policies/
For a simple RDP Channel policy that uses the default settings and allows only the Drawing channel, the JSON object is the following.
{
"name": "drawing-only",
"rules": [
{
"actions": {
"audit": true,
"content_policy": null,
"four_eyes": false,
"ids": false
},
"allowed_for": {
"clients": [],
"gateway_groups": [],
"remote_groups": [],
"servers": [],
"time_policy": "-100"
},
"channel": "#drawing"
}
]
}
The following is a sample response received, showing the properties of Content policy objects. For details of the meta object, see Introduction.
{
"key": "f79bcc85-bb8b-4fa5-a141-eb4cf2b6ef33",
"meta": {
"href": "/api/configuration/rdp/channel_policies/f79bcc85-bb8b-4fa5-a141-eb4cf2b6ef33",
"parent": "/api/configuration/rdp/channel_policies",
"transaction": "/api/transaction"
}
}
The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.
| Code | Description | Notes |
|---|---|---|
| 201 | Created | The new resource was successfully created. |
| 400 | Bad Request | The request body format is invalid. The data is not a properly formatted JSON object. |
| 401 | Unauthenticated | The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 401 | AuthenticationFailure | Authenticating the user with the given credentials has failed. |
| 409 | Conflict | No open Transaction is available. Open a transaction before using this request. For details, see Using the Safeguard for Privileged Sessions REST API. |
| 417 | Expectation Failed |
If you receive the "417 - Expectation Failed" error code when using curl, use curl with the --http1.0 or the -H "Expect:" option. |
To modify or update an object, use a PUT request on the object you want to change. In the body of the request, you have to upload the entire object, not only the parameter that you want to change.
To delete an element of a list (for example, a user from a local user database), use a PUT request. The body the request should include the entire object, but remove the element you want to delete from the related list of the object.
Note the following points when you create a request:
Note that you cannot simply use the JSON from the response of a similar object. If the object contains references to other resources (for example, a Channel policy references a Time policy), then the JSON object contains an embedded meta object. To get a valid JSON that you can use, you have to replace this embedded object with the ID (key) of the referenced object. For example, the following is a reference to a Time policy:
"time_policy": {
"key": "-100",
"meta": {
"href": "/api/configuration/policies/time_policies/-100"
}
}
In a POST or PUT request, you have to change it to the following:
"time_policy": "-100",
You have to include empty fields in the object as well, for example:
"users": [
{ "certificates": [], "passwords": [ "<reference-to-password>" ], "public_keys": [], "username": "myusername" }
]
The body wrapper that is displayed in the response is not needed when you create or modify an object, for example:
{
"name": "my-local-user-database",
"users": [
{ "certificates": [], "passwords": [ "<reference-to-password>" ], "public_keys": [], "username": "myusername" }
]
}PUT https:<IP-address-of-Safeguard for Privileged Sessions>/api/configuration/<path-to-the-parent-resource>/<id-of-the-object-to-modify>
| Header name | Description | Required | Values |
|---|---|---|---|
| Content-Type | Specifies the type of the data sent. Safeguard for Privileged Sessions uses the JSON format | Required | application/json |
| session_id | Contains the authentication token of the user | Required | The value of the session ID cookie received from the REST server in the authentication response, for example, a1f71d030e657634730b9e887cb59a5e56162860. For details on authentication, see Authenticate to the Safeguard for Privileged Sessions REST API. |
The following command updates an RDP Channel policy. The data content of the request is read from the file body.json.
curl -H "Content-Type: application/json" -d @body.json --cookie session_id=07640a0bf14cdd361d8f5ae2b0b482a786c7a604 -X PUT https://10.40.255.17/api/configuration/rdp/channel_policies/<id-of-the-object-to-modify>
For a simple RDP Channel policy that uses the default settings and allows only the Drawing channel, the JSON object is the following.
{
"name": "drawing-only",
"rules": [
{
"actions": {
"audit": true,
"content_policy": null,
"four_eyes": false,
"ids": false
},
"allowed_for": {
"clients": [],
"gateway_groups": [],
"remote_groups": [],
"servers": [],
"time_policy": "-100"
},
"channel": "#drawing"
}
]
}
The following is a sample response received. For details of the meta object, see Introduction.
{
"meta": {
"first": "/api/configuration/rdp/channel_policies/-20100",
"href": "/api/configuration/rdp/channel_policies/<id-of-the-modified-object>",
"last": "/api/configuration/rdp/channel_policies/<id-of-the-modified-object>",
"next": null,
"parent": "/api/configuration/rdp/channel_policies",
"previous": "/api/configuration/rdp/channel_policies/655555",
"transaction": "/api/transaction"
}
}
The following table lists the typical status and error codes for this request. For a complete list of error codes, see Using the Safeguard for Privileged Sessions REST API.
| Code | Description | Notes |
|---|---|---|
| 201 | Created | The new resource was successfully created.. |
| 400 | Bad Request | The request body format is invalid. The data is not a properly formatted JSON object. |
| 401 | Unauthenticated | The requested resource cannot be retrieved because the client is not authenticated and the resource requires authorization to access it. The details section contains the path that was attempted to be accessed, but could not be retrieved. |
| 401 | AuthenticationFailure | Authenticating the user with the given credentials has failed. |
| 409 | Conflict | No open Transaction is available. Open a transaction before using this request. For details, see Using the Safeguard for Privileged Sessions REST API. |
| 417 | Expectation Failed |
If you receive the "417 - Expectation Failed" error code when using curl, use curl with the --http1.0 or the -H "Expect:" option. |
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy