{
  "openapi": "3.0.0",
  "info": {
    "title": "policy",
    "version": "2.0.0"
  },
  "tags": [{ "name": "Policies" }],
  "paths": {
    "/iam/policies": {
      "get": {
        "summary": "Lists all policies",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Lists all policies.\n\nRequired Permission:\n\n - Resource: ```iam:policies```\n\n - Action: ```iam:policies:list```",
        "operationId": "Policies_ListPolicies",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.ListPoliciesResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "tags": ["Policies"]
      },
      "post": {
        "summary": "Creates a custom policy",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Creates a custom IAM policy used to control permissions.\nA policy is composed of one or more statements that grant permissions to a set of members.\nEach statement contains a role as well as a list of tenants.\n\nThe role defines a set of actions that the statement is scoped to.\nThe tenant list defines the set of resources that the statement is scoped to.\nPass `\"tenants\": [\"*\"]` to scope a statement to every tenant.\n\nA policy's *top-level* tenants list defines which tenants the policy belongs to (for filtering policies by their tenants),\nwhereas the *statement-level* tenants list defines which tenants the statement applies to.\n\nThe example creates a new policy not associated with any tenant (because the top-level `tenants` property is empty) that grants the `viewer` role\non a few tenants for all local teams and a custom role `myRole` on a specific tenant.\n\nRequired Permission:\n\n - Resource: ```iam:policies```\n\n - Action: ```iam:policies:create```",
        "operationId": "Policies_CreatePolicy",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.CreatePolicyResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/compiuta.api.iam.v2.CreatePolicyReq"
              }
            }
          },
          "description": "Does not contain type as the enduser can only create 'custom' policies.",
          "required": true
        },
        "tags": ["Policies"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"name\": \"My Viewer Policy\",\"id\": \"custom-viewer-policy\",\"members\": [\"team:local:*\"], \"statements\": [{\"role\": \"viewer\",\"tenants\": [\"tenant1\", \"tenant2\"], \"effect\": \"ALLOW\"},{\"role\": \"myRole\",\"tenants\": [\"exampleTenant\"], \"effect\": \"ALLOW\"}],\"tenants\": []}"
          }
        ]
      }
    },
    "/iam/policies/{id}": {
      "get": {
        "summary": "Gets a policy",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Returns the details for a policy.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policies:get```",
        "operationId": "Policies_GetPolicy",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.GetPolicyResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the policy.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Policies"]
      },
      "delete": {
        "summary": "Deletes a custom policy",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Deletes a specified custom policy. You cannot delete compiuta-managed policies.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policies:delete```",
        "operationId": "Policies_DeletePolicy",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.DeletePolicyResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the policy.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Policies"]
      },
      "put": {
        "summary": "Updates a custom policy",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "This operation overwrites all fields excepting ID,\nincluding those omitted from the request, so be sure to specify all properties.\nProperties that you do not include are reset to empty values.\nThe only exception is the policy ID, which is immutable; it can only be set at creation time.\n\nWhile you can use this endpoint to update members on a policy, if that is the only\nproperty you wish to modify use one of these endpoints instead:\nAdd policy members, Remove policy members, or Replace policy members.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policies:update```",
        "operationId": "Policies_UpdatePolicy",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.UpdatePolicyResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "Unique ID. Cannot be changed.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "example": {
                  "name": "My Updated Viewer Policy",
                  "members": ["user:local:newuser", "team:local:newteam"],
                  "statements": [
                    {
                      "role": "viewer",
                      "tenants": ["tenant1", "tenant2"],
                      "effect": "ALLOW"
                    },
                    {
                      "role": "myRole",
                      "tenants": ["exampleTenant"],
                      "effect": "ALLOW"
                    }
                  ],
                  "tenants": []
                },
                "properties": {
                  "members": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "Members affected by this policy."
                  },
                  "statements": {
                    "type": "array",
                    "items": {
                      "$ref": "#/components/schemas/compiuta.api.iam.v2.Statement"
                    },
                    "description": "Statements for the policy."
                  },
                  "name": {
                    "type": "string",
                    "description": "Name for this policy."
                  },
                  "tenants": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "List of tenants this policy belongs to."
                  }
                },
                "description": "Does not contain type as the enduser can only create 'custom' policies.",
                "required": ["name", "statements"]
              }
            }
          },
          "required": true
        },
        "tags": ["Policies"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"name\": \"My Updated Viewer Policy\", \"members\": [\"user:local:newuser\", \"team:local:newteam\"], \"statements\": [{\"role\": \"viewer\",\"tenants\":[\"tenant1\", \"tenant2\"], \"effect\": \"ALLOW\"},{\"role\": \"myRole\",\"tenants\": [\"exampleTenant\"], \"effect\": \"ALLOW\"}],\"tenants\": []}"
          }
        ]
      }
    },
    "/iam/policies/{id}/members": {
      "get": {
        "summary": "Lists policy members",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Lists all members of a specific policy.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policyMembers:get```",
        "operationId": "Policies_ListPolicyMembers",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.ListPolicyMembersResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the policy.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Policies"]
      },
      "put": {
        "summary": "Replaces policy members",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Replaces the entire member list of a specific policy with a new list.\nUse this endpoint to update members of either custom or compiuta-managed policies.\n\nEnsure each element of the members array is in the correct format.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policyMembers:update```",
        "operationId": "Policies_ReplacePolicyMembers",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.ReplacePolicyMembersResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the policy.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "example": {
                  "members": ["team:local:viewers", "user:local:test"]
                },
                "properties": {
                  "members": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "List of members that replaces previous policy member list."
                  }
                }
              }
            }
          },
          "required": true
        },
        "tags": ["Policies"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"members\": [\"team:local:viewers\", \"user:local:test\"]}"
          }
        ]
      }
    },
    "/iam/policies/{id}/members:add": {
      "post": {
        "summary": "Adds policy members",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Adds members to the member list of a specific policy.\nUse this endpoint to update members of either custom or compiuta-managed policies.\n\nEnsure each element of the members array is in the correct format.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policyMembers:create```",
        "operationId": "Policies_AddPolicyMembers",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.AddPolicyMembersResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the policy.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "example": {
                  "members": ["team:local:viewers", "user:local:test"]
                },
                "properties": {
                  "members": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "List of members to add to the policy."
                  }
                },
                "required": ["members"]
              }
            }
          },
          "required": true
        },
        "tags": ["Policies"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"members\": [\"team:local:viewers\", \"user:local:test\"]}"
          }
        ]
      }
    },
    "/iam/policies/{id}/members:remove": {
      "post": {
        "summary": "Removes policy members",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Removes members from the member list of a specific policy. Silently ignores\nmembers that are not already part of the member list.\nUse this endpoint to update members of either custom or compiuta-managed policies.\n\nEnsure each element of the members array is in the correct format.\n\nThe removed members will still exist within Compiuta IAM, but are no longer associated with this policy.\n\nRequired Permission:\n\n - Resource: ```iam:policies:{id}```\n\n - Action: ```iam:policyMembers:delete```",
        "operationId": "Policies_RemovePolicyMembers",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.RemovePolicyMembersResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the policy.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "example": {
                  "members": ["user:local:test"]
                },
                "properties": {
                  "members": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "List of members to remove from the policy."
                  }
                },
                "required": ["members"]
              }
            }
          },
          "required": true
        },
        "tags": ["Policies"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"members\": [\"team:local:viewers\", \"user:local:test\"]}"
          }
        ]
      }
    },
    "/iam/policy_version": {
      "get": {
        "summary": "Gets IAM version",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Returns the major and minor version of IAM that is running.\n\nRequired Permission:\n\n - Resource: ```iam:policies```\n\n - Action: ```iam:policies:get```",
        "operationId": "Policies_GetPolicyVersion",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.GetPolicyVersionResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "tags": ["Policies"]
      }
    },
    "/iam/roles": {
      "get": {
        "summary": "Lists all roles",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Lists all *compiuta-managed* and *custom* roles.\n\nRequired Permission:\n\n - Resource: ```iam:roles```\n\n - Action: ```iam:roles:list```",
        "operationId": "Policies_ListRoles",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.ListRolesResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "tags": ["Roles"]
      },
      "post": {
        "summary": "Creates a custom role",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Creates a new role to be used in the policies that control permissions.\n\nA role defines the scope of actions in a policy statement.\n\nRequired Permission:\n\n - Resource: ```iam:roles```\n\n - Action: ```iam:roles:create```",
        "operationId": "Policies_CreateRole",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.CreateRoleResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/compiuta.api.iam.v2.CreateRoleReq"
              }
            }
          },
          "description": "Does not contain type as the enduser can only create 'custom' roles.",
          "required": true
        },
        "tags": ["Roles"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"id\": \"custom-role\", \"name\": \"My Custom Application Manager Role\", \"actions\": [\"application:*\", \"iam:tenants:list\"]}"
          }
        ]
      }
    },
    "/iam/roles/{id}": {
      "get": {
        "summary": "Gets a role",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Returns the details for a role.\n\nRequired Permission:\n\n - Resource: ```iam:roles:{id}```\n\n - Action: ```iam:roles:get```",
        "operationId": "Policies_GetRole",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.GetRoleResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the role.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Roles"]
      },
      "delete": {
        "summary": "Deletes a custom role",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Deletes a specified custom role (you cannot delete compiuta-managed roles) and remove it from any statements that may have been using it.\nIf such a statement has no other associated actions, the statement is deleted as well.\nSimilarly, if that statement removal results in a policy with no other statements,\nthat policy is removed as well.\n\nRequired Permission:\n\n - Resource: ```iam:roles:{id}```\n\n - Action: ```iam:roles:delete```",
        "operationId": "Policies_DeleteRole",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.DeleteRoleResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the role.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Roles"]
      },
      "put": {
        "summary": "Updates a custom role",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "This operation overwrites all fields excepting ID,\nincluding those omitted from the request, so be sure to specify all properties.\nProperties that you do not include are reset to empty values.\n\nRequired Permission:\n\n - Resource: ```iam:roles:{id}```\n\n - Action: ```iam:roles:update```",
        "operationId": "Policies_UpdateRole",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.UpdateRoleResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "Unique ID. Cannot be changed.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "example": {
                  "name": "My Updated Custom Application Manager Role",
                  "actions": ["applications:*", "iam:tenants:list"]
                },
                "properties": {
                  "name": {
                    "type": "string",
                    "description": "Name for the role."
                  },
                  "actions": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "List of actions that this role scopes to."
                  },
                  "tenants": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    },
                    "description": "List of tenants this role belongs to."
                  }
                },
                "required": ["name", "actions"]
              }
            }
          },
          "required": true
        },
        "tags": ["Roles"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"name\": \"My Updated Custom Application Manager Role\", \"actions\": [\"application:*\", \"iam:tenants:list\"]}"
          }
        ]
      }
    },
    "/iam/tenants": {
      "get": {
        "summary": "Lists all tenants",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Lists all tenants.\n\nRequired Permission:\n\n - Resource: ```iam:tenants```\n\n - Action: ```iam:tenants:list```",
        "operationId": "Policies_ListTenants",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.ListTenantsResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "tags": ["Tenants"]
      },
      "post": {
        "summary": "Creates a tenant",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Creates a new tenant to be used in the policies that control permissions.\n\nA tenant defines the scope of resources in a policy statement. Resources can be in more than one tenant.\n\nWhen a tenant is created, the system also creates three policies associated with the new tenant,\none for each of the following roles: editor, viewer, and tenant admin.\nYou can optionally pass the `skip_policies` flag set to `true` to skip the creation of these policies.\n\nRequired Permission:\n\n - Resource: ```iam:tenants```\n\n - Action: ```iam:tenants:create```",
        "operationId": "Policies_CreateTenant",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.CreateTenantResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/compiuta.api.iam.v2.CreateTenantReq"
              }
            }
          },
          "required": true
        },
        "tags": ["Tenants"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"name\": \"My Custom Tenant\", \"id\": \"custom-tenant\", \"skip_policies\": true}"
          }
        ]
      }
    },
    "/iam/tenants/{id}": {
      "get": {
        "summary": "Gets a tenant",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Returns the details for a tenant.\n\nRequired Permission:\n\n - Resource: ```iam:tenants:{id}```\n\n - Action: ```iam:tenants:get```",
        "operationId": "Policies_GetTenant",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.GetTenantResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the tenant.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Tenants"]
      },
      "delete": {
        "summary": "Deletes a tenant",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Deletes a tenant from any resources tagged with it.\n\nAlso deletes this tenant from any tenant list in any policy statements.\nIf the resulting tenant list for a given statement is empty, it is deleted.\nIf the resulting policy has no statements, it is also deleted.\n\nRequired Permission:\n\n - Resource: ```iam:tenants:{id}```\n\n - Action: ```iam:tenants:delete```",
        "operationId": "Policies_DeleteTenant",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.DeleteTenantResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "ID of the tenant.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "tags": ["Tenants"]
      },
      "put": {
        "summary": "Updates a tenant",
        "security": [{ "chx_auth_session": [] }, { "bearer": [] }],
        "description": "Updates the name of an existing tenant.\n\nRequired Permission:\n\n - Resource: ```iam:tenants:{id}```\n\n - Action: ```iam:tenants:update```",
        "operationId": "Policies_UpdateTenant",
        "responses": {
          "200": {
            "description": "A successful response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/compiuta.api.iam.v2.UpdateTenantResp"
                }
              }
            }
          },
          "default": {
            "description": "An unexpected error response.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/google.rpc.Status"
                }
              }
            }
          }
        },
        "parameters": [
          {
            "name": "id",
            "description": "Unique ID. Cannot be changed.",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "object",
                "example": {
                  "name": "My Custom Tenant"
                },
                "properties": {
                  "name": {
                    "type": "string",
                    "description": "Name for the tenant."
                  }
                },
                "required": ["name"]
              }
            }
          },
          "required": true
        },
        "tags": ["Tenants"],
        "x-codeSamples": [
          {
            "lang": "JSON",
            "source": "{\"name\": \"My Custom Updated Tenant Name\"}"
          }
        ]
      }
    }
  },
  "servers": [
    {
      "url": "https://apis.connhex.com"
    }
  ],
  "components": {
    "securitySchemes": {
      "bearer": { "type": "http", "scheme": "bearer" },
      "chx_auth_session": {
        "type": "apiKey",
        "in": "cookie",
        "name": "chx_auth_session"
      }
    },
    "schemas": {
      "compiuta.api.iam.v2.AddPolicyMembersResp": {
        "type": "object",
        "example": {
          "members": ["team:local:viewers", "user:local:test"]
        },
        "properties": {
          "members": {
            "type": "array",
            "items": {
              "type": "string"
            }
          }
        }
      },
      "compiuta.api.iam.v2.CreatePolicyReq": {
        "type": "object",
        "example": {
          "name": "My Viewer Policy",
          "id": "custom-viewer-policy",
          "members": ["team:local:*"],
          "statements": [
            {
              "role": "viewer",
              "tenants": ["tenant1", "tenant2"],
              "effect": "ALLOW"
            },
            {
              "role": "myRole",
              "tenants": ["exampleTenant"],
              "effect": "ALLOW"
            }
          ],
          "tenants": []
        },
        "properties": {
          "id": {
            "type": "string",
            "description": "Unique ID. Cannot be changed."
          },
          "name": {
            "type": "string",
            "description": "Name for the policy."
          },
          "members": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Members affected by this policy."
          },
          "statements": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/compiuta.api.iam.v2.Statement"
            },
            "description": "Statements for the policy."
          },
          "tenants": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of tenants this policy belongs to."
          }
        },
        "description": "Does not contain type as the enduser can only create 'custom' policies.",
        "required": ["id", "name", "statements"]
      },
      "compiuta.api.iam.v2.CreatePolicyResp": {
        "type": "object",
        "example": {
          "name": "My Viewer Policy",
          "id": "custom-viewer-policy",
          "members": ["team:local:*"],
          "statements": [
            {
              "role": "viewer",
              "tenants": ["tenant1", "tenant2"],
              "effect": "ALLOW"
            },
            {
              "role": "myRole",
              "tenants": ["exampleTenant"],
              "effect": "ALLOW"
            }
          ],
          "tenants": []
        },
        "properties": {
          "policy": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Policy"
          }
        }
      },
      "compiuta.api.iam.v2.CreateRoleReq": {
        "type": "object",
        "example": {
          "id": "custom-role",
          "name": "My Custom Application Manager Role",
          "actions": ["applications:*", "iam:tenants:list"]
        },
        "properties": {
          "id": {
            "type": "string",
            "description": "Unique ID. Cannot be changed."
          },
          "name": {
            "type": "string",
            "description": "Name for the role."
          },
          "actions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of actions that this role scopes to."
          },
          "tenants": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of tenants this role belongs to."
          }
        },
        "description": "Does not contain type as the enduser can only create 'custom' roles.",
        "required": ["id", "name", "actions"]
      },
      "compiuta.api.iam.v2.CreateRoleResp": {
        "type": "object",
        "example": {
          "id": "custom-role",
          "name": "My Custom Application Manager Role",
          "actions": ["applications:*", "iam:tenants:list"]
        },
        "properties": {
          "role": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Role"
          }
        }
      },
      "compiuta.api.iam.v2.CreateTenantReq": {
        "type": "object",
        "example": {
          "name": "My Custom Tenant",
          "id": "custom-tenant",
          "skip_policies": true
        },
        "properties": {
          "id": {
            "type": "string",
            "description": "Unique ID. Cannot be changed."
          },
          "name": {
            "type": "string",
            "description": "Name for the new tenant."
          },
          "skipPolicies": {
            "type": "boolean",
            "description": "Boolean flag to skip adding policies associated with the tenant. Set to false by default."
          }
        },
        "required": ["id", "name"]
      },
      "compiuta.api.iam.v2.CreateTenantResp": {
        "type": "object",
        "example": {
          "name": "My Custom Tenant",
          "id": "custom-tenant"
        },
        "properties": {
          "tenant": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Tenant"
          }
        }
      },
      "compiuta.api.iam.v2.DeletePolicyResp": {
        "type": "object",
        "example": {
          "name": "My Viewer Policy",
          "id": "custom-viewer-policy",
          "members": ["team:local:*"],
          "statements": [
            {
              "role": "viewer",
              "tenants": ["tenant1", "tenant2"],
              "effect": "ALLOW"
            },
            {
              "role": "myRole",
              "tenants": ["exampleTenant"],
              "effect": "ALLOW"
            }
          ],
          "tenants": []
        }
      },
      "compiuta.api.iam.v2.DeleteRoleResp": {
        "type": "object",
        "example": {
          "id": "custom-role",
          "name": "My Custom Application Manager Role",
          "actions": ["applications:*", "iam:tenants:list"]
        }
      },
      "compiuta.api.iam.v2.DeleteTenantResp": {
        "type": "object",
        "example": {
          "name": "My Custom Tenant",
          "id": "custom-tenant"
        }
      },
      "compiuta.api.iam.v2.GetPolicyResp": {
        "type": "object",
        "example": {
          "name": "My Viewer Policy",
          "id": "custom-viewer-policy",
          "members": ["team:local:*"],
          "statements": [
            {
              "role": "viewer",
              "tenants": ["tenant1", "tenant2"],
              "effect": "ALLOW"
            },
            {
              "role": "myRole",
              "tenants": ["exampleTenant"],
              "effect": "ALLOW"
            }
          ],
          "tenants": []
        },
        "properties": {
          "policy": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Policy"
          }
        }
      },
      "compiuta.api.iam.v2.GetPolicyVersionResp": {
        "type": "object",
        "example": {
          "version": {
            "major": "V2",
            "minor": "V1"
          }
        },
        "properties": {
          "version": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Version"
          }
        }
      },
      "compiuta.api.iam.v2.GetRoleResp": {
        "type": "object",
        "example": {
          "id": "custom-role",
          "name": "My Custom Application Manager Role",
          "actions": ["applications:*", "iam:tenants:list"]
        },
        "properties": {
          "role": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Role"
          }
        }
      },
      "compiuta.api.iam.v2.GetTenantResp": {
        "type": "object",
        "example": {
          "name": "My Custom Tenant",
          "id": "custom-tenant"
        },
        "properties": {
          "tenant": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Tenant"
          }
        }
      },
      "compiuta.api.iam.v2.ListPoliciesResp": {
        "type": "object",
        "example": {
          "policies": [
            {
              "name": "My Viewer Policy 1",
              "id": "custom-viewer-policy-1",
              "members": ["team:local:*"],
              "statements": [
                {
                  "role": "viewer",
                  "tenants": ["tenant1", "tenant2"],
                  "effect": "ALLOW"
                },
                {
                  "role": "myRole",
                  "tenants": ["exampleTenant"],
                  "effect": "ALLOW"
                }
              ],
              "tenants": []
            },
            {
              "name": "My Custom Policy 2",
              "id": "custom-policy-2",
              "members": ["team:local:test"],
              "statements": [
                {
                  "role": "auditor",
                  "tenants": ["tenant1"],
                  "effect": "ALLOW"
                }
              ],
              "tenants": []
            }
          ]
        },
        "properties": {
          "policies": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/compiuta.api.iam.v2.Policy"
            }
          }
        }
      },
      "compiuta.api.iam.v2.ListPolicyMembersResp": {
        "type": "object",
        "example": {
          "members": ["team:local:viewers", "user:local:test"]
        },
        "properties": {
          "members": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of policy members."
          }
        }
      },
      "compiuta.api.iam.v2.ListRolesResp": {
        "type": "object",
        "example": {
          "roles": [
            {
              "id": "custom-role",
              "name": "My Custom Application Manager Role",
              "actions": ["applications:*", "iam:tenants:list"]
            },
            {
              "id": "custom-role-2",
              "name": "My Custom Application Role 2",
              "actions": ["infra:*"]
            }
          ]
        },
        "properties": {
          "roles": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/compiuta.api.iam.v2.Role"
            }
          }
        }
      },
      "compiuta.api.iam.v2.ListTenantsResp": {
        "type": "object",
        "example": {
          "tenants": [
            {
              "name": "My Custom Tenant",
              "id": "custom-tenant"
            },
            {
              "name": "My Custom Tenant 2",
              "id": "custom-tenant-2"
            }
          ]
        },
        "properties": {
          "tenants": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/compiuta.api.iam.v2.Tenant"
            }
          }
        }
      },
      "compiuta.api.iam.v2.Policy": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name for the policy."
          },
          "id": {
            "type": "string",
            "description": "Unique ID. Cannot be changed."
          },
          "type": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Type"
          },
          "members": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Members affected by this policy. May be empty."
          },
          "statements": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/compiuta.api.iam.v2.Statement"
            },
            "description": "Statements for the policy. Will contain one or more."
          },
          "tenants": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of tenants this policy belongs to. May be empty."
          }
        }
      },
      "compiuta.api.iam.v2.RemovePolicyMembersResp": {
        "type": "object",
        "example": {
          "members": ["user:local:test"]
        },
        "properties": {
          "members": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Resulting list of policy members."
          }
        }
      },
      "compiuta.api.iam.v2.ReplacePolicyMembersResp": {
        "type": "object",
        "example": {
          "members": ["team:local:viewers", "user:local:test"]
        },
        "properties": {
          "members": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Resulting list of policy members."
          }
        }
      },
      "compiuta.api.iam.v2.Role": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name for the role."
          },
          "id": {
            "type": "string",
            "description": "Unique ID. Cannot be changed."
          },
          "type": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Type"
          },
          "actions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of actions this role scopes to. Will contain one or more."
          },
          "tenants": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "List of tenants this role belongs to. May be empty."
          }
        }
      },
      "compiuta.api.iam.v2.Statement": {
        "type": "object",
        "properties": {
          "effect": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Statement.Effect"
          },
          "actions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Actions defined inline. May be empty.\nBest practices recommend that you use custom roles rather than inline actions where practical."
          },
          "role": {
            "type": "string",
            "description": "The role defines a set of actions that the statement is scoped to."
          },
          "resources": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Resources defined inline."
          },
          "tenants": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "The tenant list defines the set of resources that the statement is scoped to. May be empty."
          }
        }
      },
      "compiuta.api.iam.v2.Statement.Effect": {
        "type": "string",
        "enum": ["ALLOW", "DENY"],
        "default": "ALLOW"
      },
      "compiuta.api.iam.v2.Tenant": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name for the tenant."
          },
          "id": {
            "type": "string",
            "description": "Unique ID. Cannot be changed."
          },
          "type": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Type"
          }
        }
      },
      "compiuta.api.iam.v2.Type": {
        "type": "string",
        "enum": ["COMPIUTA_MANAGED", "CUSTOM"],
        "default": "COMPIUTA_MANAGED"
      },
      "compiuta.api.iam.v2.UpdatePolicyResp": {
        "type": "object",
        "example": {
          "name": "My Updated Viewer Policy",
          "members": ["user:local:newuser", "team:local:newteam"],
          "statements": [
            {
              "role": "viewer",
              "tenants": ["tenant1", "tenant2"],
              "effect": "ALLOW"
            },
            {
              "role": "myRole",
              "tenants": ["exampleTenant"],
              "effect": "ALLOW"
            }
          ],
          "tenants": []
        },
        "properties": {
          "policy": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Policy"
          }
        }
      },
      "compiuta.api.iam.v2.UpdateRoleResp": {
        "type": "object",
        "example": {
          "id": "custom-role",
          "name": "My Custom Application Manager Role",
          "actions": ["applications:*", "iam:tenants:list"]
        },
        "properties": {
          "role": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Role"
          }
        }
      },
      "compiuta.api.iam.v2.UpdateTenantResp": {
        "type": "object",
        "example": {
          "name": "My Custom Tenant",
          "id": "custom-tenant"
        },
        "properties": {
          "tenant": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Tenant"
          }
        }
      },
      "compiuta.api.iam.v2.Version": {
        "type": "object",
        "properties": {
          "major": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Version.VersionNumber"
          },
          "minor": {
            "$ref": "#/components/schemas/compiuta.api.iam.v2.Version.VersionNumber"
          }
        },
        "title": "the only values that may be returned by GetPolicyVersion"
      },
      "compiuta.api.iam.v2.Version.VersionNumber": {
        "type": "string",
        "enum": ["V0", "V1", "V2"],
        "default": "V0"
      },
      "google.protobuf.Any": {
        "type": "object",
        "properties": {
          "@type": {
            "type": "string"
          }
        },
        "additionalProperties": {}
      },
      "google.rpc.Status": {
        "type": "object",
        "properties": {
          "code": {
            "type": "integer",
            "format": "int32"
          },
          "message": {
            "type": "string"
          },
          "details": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/google.protobuf.Any"
            }
          }
        }
      }
    }
  }
}
