> ## Documentation Index > Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt > Use this file to discover all available pages before exploring further. # UpdateAuthorizationPolicy > Updates the authorization policy for a given tenant. ## OpenAPI ````yaml /api-reference/openapi.v3.json patch /v1/namespaces/{object.tenant_meta.namespace}/authorization-policies openapi: 3.0.3 info: description: Integrate your application with Endor Labs using the REST API. title: Endor Labs REST API Reference version: '1.0' servers: - url: https://api.endorlabs.com/ security: [] tags: - name: AISastCustomerContextService - name: APIKeyService - name: APIKeyValidatorService - name: ArtifactSignatureService - name: AuditLogService - name: AuthenticationLogService - name: AuthenticationService - name: AuthorizationPolicyService - name: BatchFileSegmentsService - name: BatchNotificationService - name: CallGraphDataService - name: CodeOwnersService - name: DependencyMetadataService - name: EndorIgnoreEntryService - name: ExporterService - name: FindingLogService - name: FindingService - name: HuggingFaceModelService - name: HuggingFaceOrganizationService - name: IPAddressPolicyService - name: IdentityProviderService - name: InstallationService - name: InvitationService - name: LicenseDependencyService - name: LicenseNoticesReportService - name: LicenseSummaryService - name: LinterResultService - name: MalwareService - name: MetricService - name: NamespaceService - name: NotificationService - name: NotificationTargetService - name: OnPremSchedulerService - name: PRCommentConfigService - name: PackageFirewallLogService - name: PackageLicenseOverrideService - name: PackageLicenseQueryService - name: PackageLicenseService - name: PackageManagerService - name: PackageVersionService - name: PluginBinaryService - name: PolicyService - name: PolicyTemplateService - name: ProjectService - name: ProvisioningResultService - name: QueryMalwareService - name: QueryService - name: QuerySimilarPackagesService - name: QueryVulnerabilityService - name: RegistryIngestionCheckpointService - name: RepositoryService - name: RepositoryVersionService - name: RuleSetImportService - name: SBOMExportService - name: SBOMImportService - name: SCMCredentialService - name: SavedQueryService - name: ScanLogRequestService - name: ScanProfileService - name: ScanResultService - name: ScanWorkflowResultService - name: ScanWorkflowService - name: SecretRuleService - name: SemgrepRuleService - name: SystemConfigService - name: TenantService - name: VEXExportService - name: VectorStoreService - name: VersionUpgradeService - name: VulnerabilityService paths: /v1/namespaces/{object.tenant_meta.namespace}/authorization-policies: patch: tags: - AuthorizationPolicyService summary: UpdateAuthorizationPolicy description: Updates the authorization policy for a given tenant. operationId: AuthorizationPolicyService_UpdateAuthorizationPolicy parameters: - description: >- Namespaces are a way to organize organizational units into virtual groupings of resources. Namespaces must be a fully qualified name, for example, the child namespace of namespace "endor.prod" called "app" is called "endor.prod.app". in: path name: object.tenant_meta.namespace required: true schema: type: string x-endor-name: Namespace requestBody: content: application/json: schema: $ref: >- #/components/schemas/AuthorizationPolicyServiceUpdateAuthorizationPolicyBody required: true x-originalParamName: body responses: '200': content: application/json: schema: $ref: '#/components/schemas/v1AuthorizationPolicy' description: A successful response. default: content: application/json: schema: $ref: '#/components/schemas/googlerpcStatus' description: An unexpected error response. components: schemas: AuthorizationPolicyServiceUpdateAuthorizationPolicyBody: description: Request to update an authorization policy. properties: object: description: Represents an authorization policy in the system. properties: meta: $ref: '#/components/schemas/v1Meta' propagate: description: >- Indicates that the object should be visible in the child namespaces. type: boolean spec: $ref: '#/components/schemas/v1AuthorizationPolicySpec' tenant_meta: description: Authorization policies are associated with a tenant. title: Authorization policies are associated with a tenant. type: object uuid: description: The UUID of the AuthorizationPolicy resource. readOnly: true type: string type: object request: $ref: '#/components/schemas/v1UpdateRequest' required: - meta - spec type: object v1AuthorizationPolicy: description: Represents an authorization policy in the system. properties: meta: $ref: '#/components/schemas/v1Meta' propagate: description: Indicates that the object should be visible in the child namespaces. type: boolean spec: $ref: '#/components/schemas/v1AuthorizationPolicySpec' tenant_meta: $ref: '#/components/schemas/v1TenantMeta' uuid: description: The UUID of the AuthorizationPolicy resource. readOnly: true type: string required: - tenant_meta - meta - spec type: object googlerpcStatus: description: >- The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). properties: code: description: |- The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. format: int32 type: integer details: description: >- A list of messages that carry the error details. There is a common set of message types for APIs to use. items: $ref: '#/components/schemas/googleprotobufAny' type: array message: description: >- A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. type: string type: object v1Meta: description: Common fields for all Endor Labs resources. properties: annotations: additionalProperties: type: string description: >- Annotations can be used to attach metadata to a resource message. Annotation values can be small or large, structured or unstructured, and may include characters not permitted by labels. The keys may contain alphanumerics, underscores (_), dots (.) and dashes (-). The values of an annotation must be 16384 bytes or smaller. type: object create_time: description: |- Time the resource was created. Format: 2017-01-15T01:30:15.01Z RFC 3339: https://www.ietf.org/rfc/rfc3339.txt. format: date-time readOnly: true type: string created_by: description: |- Name and authentication source of the user who created the object, for example, ewok@endor.ai@google@api-key. readOnly: true type: string description: description: Resource description. Must be less than 1024 bytes. type: string index_data: $ref: '#/components/schemas/v1IndexData' kind: description: >- Resource kind, for example, HelloResponse. Auto-generated using the protobuf message proto.MessageName().Name(). readOnly: true type: string name: description: Resource name. Must be 63 characters or less. type: string parent_kind: description: Parent object resource kind, for example, Project. type: string parent_uuid: description: Parent object UUID. type: string references: additionalProperties: $ref: '#/components/schemas/googleprotobufAny' description: Map of objects referenced in a query API. readOnly: true type: object tags: description: >- List of tags attached to the resource. Tags can be used to select objects and to find collections of objects that satisfy certain conditions. A tag must be 255 characters or less. items: type: string type: array update_time: description: |- Time the resource was last updated. Note: Updated on all create/patch/delete operations. Format: 2017-01-15T01:30:15.01Z RFC 3339: https://www.ietf.org/rfc/rfc3339.txt. format: date-time readOnly: true type: string updated_by: description: >- Name and authentication source of the last user who updated the object, for example, vulnerabilityingestor@endor.ai@x509. readOnly: true type: string upsert_time: description: |- Time the resource was last upserted. Note: create_time is only set the first time the resource is created. upsert_time is set every time the resource is upseted. Format: 2017-01-15T01:30:15.01Z RFC 3339: https://www.ietf.org/rfc/rfc3339.txt. format: date-time readOnly: true type: string version: description: Message version. readOnly: true type: string required: - name type: object v1AuthorizationPolicySpec: properties: clause: description: >- The list of claims that must match. This is essentially an AND operator. User claims must match all the criteria in the clause for the policy to match. For example, ["group=X", "email=user@endor.ai"] will match users of group X with this email. Clause strings must contain only allowed characters to prevent XSS attacks and ensure exact matching with incoming JWT claims. Allowed characters: letters, numbers, and the following: =@._-/: +()& (space, plus, parentheses, ampersand). items: type: string type: array expiration_time: description: |- Disables this policy after its expiration time. If expiration time is not provided, the policy will never expire. format: date-time type: string is_support_policy: description: |- is_support_policy indicates that the policy is a support policy and cannot be altered without using the SupportAccess API. readOnly: true type: boolean permissions: $ref: '#/components/schemas/v1Permissions' propagate: description: |- Propagate indicates that the policy should include the children of the target namespace as well as allowed targets. type: boolean target_namespaces: description: |- The target namespaces of the policy. The policy can apply to one or more target namespaces. The targets can only be the current namespace or its children. items: type: string type: array required: - clause - target_namespaces - propagate - permissions type: object v1UpdateRequest: description: Message used for all update requests. properties: force: description: |- Force will force the update of the resource if any checks fail. type: boolean update_mask: description: Fields to update. Defaults to all fields. type: string type: object v1TenantMeta: description: Tenant related data for the tenant containing the resource. properties: namespace: description: >- Namespaces are a way to organize organizational units into virtual groupings of resources. Namespaces must be a fully qualified name, for example, the child namespace of namespace "endor.prod" called "app" is called "endor.prod.app". type: string required: - namespace type: object googleprotobufAny: additionalProperties: {} description: >- `Any` contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message. Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type. Example 1: Pack and unpack a message in C++. Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... } Example 2: Pack and unpack a message in Java. Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); } Example 3: Pack and unpack a message in Python. foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ... Example 4: Pack and unpack a message in Go foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... } The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z". JSON ==== The JSON representation of an `Any` value uses the regular representation of the deserialized, embedded message, with an additional field `@type` which contains the type URL. Example: package google.profile; message Person { string first_name = 1; string last_name = 2; } { "@type": "type.googleapis.com/google.profile.Person", "firstName": , "lastName": } If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field `value` which holds the custom JSON in addition to the `@type` field. Example (for message [google.protobuf.Duration][]): { "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" } properties: '@type': description: >- A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics. type: string type: object v1IndexData: description: |- IndexData is used to index the resource for search. It's an internal object. properties: data: items: type: string readOnly: true type: array search_score: description: >- search_score is the score of the resource for search. Internal use only. format: float readOnly: true type: number tenant: readOnly: true type: string will_be_deleted_at: description: Time that the resource will be deleted. format: date-time readOnly: true type: string type: object v1Permissions: description: |- Holds a map associating each resource kind with the set of methods that are allowed for this kind. For example: properties: except_resources: description: >- List of resources that should not be accounted in any * resource rules. items: type: string type: array roles: items: $ref: '#/components/schemas/v1SystemRole' type: array rules: additionalProperties: $ref: '#/components/schemas/PermissionsMethods' title: >- For message (or resource) repository, I want to provide permissions READ only. This will create map["repository"] = []{READ} type: object type: object v1SystemRole: default: SYSTEM_ROLE_UNSPECIFIED description: >- Captures the default system roles for permissions. - SYSTEM_ROLE_ADMIN: ADMIN has read/write access to all objects in the tenant. - SYSTEM_ROLE_READ_ONLY: READ_ONLY only can read all data, but perform no updates. - SYSTEM_ROLE_POLICY_EDITOR: Policy editor has read access on all objects, and the ability to create and manage policies. - SYSTEM_ROLE_CODE_SCANNER: CODE_SCANNER has all permissions to run a scan and view the results. - SYSTEM_ROLE_ENDOR_PATCHING: ENDOR_PATCHING has permissions to use Endor Lab's factory. - SYSTEM_ROLE_SYNC_ORG: SYNC_ORG has permissions to perform a sync-org scan on all supported platforms (GitHub, Azure, GitLab etc). - SYSTEM_ROLE_ONPREM_SCHEDULER: ONPREM_SCHEDULER has permissions to perform sync-org, scans and manage onprem scheduler related objects. - SYSTEM_ROLE_ENDOR_PROXY: Deprecated: Use SYSTEM_ROLE_PACKAGE_FIREWALL instead. ENDOR_PROXY has permissions to access proxy endpoints in endorfactory service. - SYSTEM_ROLE_PACKAGE_FIREWALL: PACKAGE_FIREWALL has permissions to access firewall endpoints for package firewall in endorfactory service. - SYSTEM_ROLE_AI_AUDIT: AI_AUDIT has least-privilege permissions to run ai-audit hooks (agent session events). enum: - SYSTEM_ROLE_UNSPECIFIED - SYSTEM_ROLE_ADMIN - SYSTEM_ROLE_READ_ONLY - SYSTEM_ROLE_POLICY_EDITOR - SYSTEM_ROLE_CODE_SCANNER - SYSTEM_ROLE_ENDOR_PATCHING - SYSTEM_ROLE_SYNC_ORG - SYSTEM_ROLE_ONPREM_SCHEDULER - SYSTEM_ROLE_ENDOR_PROXY - SYSTEM_ROLE_PACKAGE_FIREWALL - SYSTEM_ROLE_AI_AUDIT type: string PermissionsMethods: description: An array of allowed methods. properties: methods: items: $ref: '#/components/schemas/v1Method' type: array type: object v1Method: default: METHOD_UNSPECIFIED description: |- The type of allowed action. - METHOD_READ: METHOD_READ is for LIST/GET - METHOD_CREATE: METHOD_CREATE is for POST - METHOD_UPDATE: METHOD_UPDATE is for PATCH - METHOD_DELETE: METHOD_DELETE is for DELETE - METHOD_ALL: METHOD_ALL is for all methods (essentially *) enum: - METHOD_UNSPECIFIED - METHOD_READ - METHOD_CREATE - METHOD_UPDATE - METHOD_DELETE - METHOD_ALL type: string ````