# Managing Access Rights

## Hierarchy

Service Accounts are designed to be flexible enough to accommodate most organizational structures. They can be given access to any number of projects or organizations as required, with a specific level of permission in each. The access rights hierarchy can be summarized in a few points.

* A [Service Account](#manage-service-accounts) is created under a project, which becomes its owner.
* A Service Account can be a [member](#members) of other projects and organizations.
* The Service Account membership is assigned a [role](#roles-and-permissions) for that project or organization.
* A role provides the member with [permissions](https://docs.developer.disruptive-technologies.com/service-accounts/permissions) within the related project or organization.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MTam1F7bHgMRxSNgh1B%2F-MTame0-YNbP1NUdZqV5%2FServiceAccountRoles-v2.svg?alt=media\&token=db304946-2535-475a-a318-eef1e7e46cf1)

## Manage Service Accounts

When first creating a Service Account within a project, the Service Account will not be a member of any projects or organizations, including the owning project. In DT Studio, the “Role in current Project” option will show as “No access” and can be changed to give the Service Account access to the resources in this project.

### Creating a Service Account

Please refer to our introductory guide on [Creating a Service Account](https://docs.developer.disruptive-technologies.com/service-accounts/creating-a-service-account).

### Deleting a Service Account

{% tabs %}
{% tab title="DT Studio" %}
In your project, navigate to the **API Integrations -> Service Accounts** page. Locate the Service Account you wish to remove, then click the **Remove** button.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MToKqa8LpFMETggZfiR%2F-MToLGGi5oKD19rmbd3a%2Fdelete-sa.png?alt=media\&token=528df5a7-33e7-488d-8729-b2116cc08d82)
{% endtab %}

{% tab title="REST API" %}
Send a **DELETE** request to:

`https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>`

#### Example

Using cURL with a Service Account for authentication, the following example deletes the Service Account specified by its ID.

```bash
curl -X DELETE "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<DELETING_SERVICE_ACCOUNT_ID>" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), a Service Account can be deleted by calling the following resource method.

* [disruptive.ServiceAccount.delete\_service\_account()](https://developer.disruptive-technologies.com/api/libraries/python/resources/service_account.html#delete-service-account)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example deletes the Service Account specified by its ID.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Delete the specified Service Account.
dt.ServiceAccount.delete_service_account(
    service_account_id='<SERVICE_ACCOUNT_ID>',
    project_id='<PROJECT_ID>',
)
```

{% endtab %}
{% endtabs %}

## Members

A single Service Account can be a member of several projects and organizations. Each membership is unique and independent of the others, so a different role can be assigned in each project or organization.

### Manage Project Members

A User or Service Account must have the [role](#roles) of Project Admin or higher to manage members.

#### New Project Member

If you do not possess a Service Account with sufficient access rights, new Project members must be added by an existing Project Admin in DT Studio or through the APIs.

{% tabs %}
{% tab title="DT Studio" %}
In your project, navigate to the **Project Settings** page. Here, using the email of the target Service Account, select a role and click **Invite Member**. This can be changed later.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MT5md7kdKcO7MrSXb4c%2F-MT5ns-P6h4jVYUHhpcS%2Fmanage-project-members.png?alt=media\&token=3e57e9fb-a708-4289-9ef9-758a6e07b093)
{% endtab %}

{% tab title="REST API" %}
Send a **POST** request to:

`https://api.d21s.com/v2/projects/<PROJECT_ID>/members`

A request body with the following parameters is required.

```json
{
    "roles": [
        "roles/<ROLE>"
    ],
    "email": "<SERVICE_ACCOUNT_EMAIL>"
}
```

A list of all available parameters can be found in our [REST API Reference](https://developer.disruptive-technologies.com/api) and a list of all roles and their permissions under the [Roles](#roles) subsection on this very page.

#### Example Usage

Using cURL with a Service Account for authentication, the following example grants the specified Service Account the role of Project Developer in the specified project.

```bash
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), a new project member can be added by calling the following resource method.

* [disruptive.Project.add\_member()](https://developer.disruptive-technologies.com/api/libraries/python/resources/project.html#project-add-member)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example grants the specified Service Account the role of Project Developer in a project.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Add a new project developer member to the specified project.
member = dt.Project.add_member(
    project_id='<PROJECT_ID>',
    email='<SERVICE_ACCOUNT_EMAIL>',
    roles=[dt.Role.PROJECT_DEVELOPER],
)

# Print information about the newly created member.
print(member)
```

{% endtab %}
{% endtabs %}

#### Remove Project Member

{% tabs %}
{% tab title="DT Studio" %}
In your project, navigate to the **Project Settings** page. Locate the member you wish to remove, then click the **Remove** button. For reference, see the image under **New Project Member**.
{% endtab %}

{% tab title="REST API" %}
Send a **DELETE** request to:

`https://api.d21s.com/v2/projects/<PROJECT_ID>/members/<MEMBER_ID>`

Here, `<MEMBER_ID>` is either the ID of a Service Account or User.

#### Example Usage

Using cURL with a Service Account for authentication, the following example removes the specified Service Account's membership in the specified project.

```bash
curl -X DELETE "https://api.d21s.com/v2/projects/<PROJECT_ID>/members/<SERVICE_ACCOUNT_ID>" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), a project member can be removed by calling the following resource method.

* [disruptive.Project.remove\_member()](https://developer.disruptive-technologies.com/api/libraries/python/resources/project.html#remove-member)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example removes the specified Service Account's membership in the specified project.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Remove member from the specified project.
dt.Project.remove_member(
    member_id='<MEMBER_ID>',
    project_id='<PROJECT_ID>',
)
```

{% endtab %}
{% endtabs %}

### Manage Organization Members

A User or Service Account must have the [role](#roles) of Organization Admin or higher to manage members.

#### New Organization Member

If you do not possess a Service Account with sufficient access rights, new Organization members must be added by an existing Organization Admin in DT Studio or through the APIs.

{% tabs %}
{% tab title="DT Studio" %}
In any project, navigate to the **Administrators** page. Currently, the only role available for an organization member is `organization.admin`, hence the naming conventions used in DT Studio. Using the email of the Service Account you wish to add, click **Invite Administrator**.

Note that an `organization.admin` will obtain the same permissions as a `project.admin` in every single project under the organization in question.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MT5md7kdKcO7MrSXb4c%2F-MT5oGjW-JQ4hmcCjQAr%2Fmanage-org-members.png?alt=media\&token=818c370e-9ce8-4a20-a29a-f4dc4d3719be)
{% endtab %}

{% tab title="REST API" %}
Send a **POST** request to:

`https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members`

A request body with the following parameters is required.

```json
{
    "roles": [
        "roles/<ROLES>"
    ],
    "email": "<SERVICE_ACCOUNT_EMAIL>"
}
```

A list of all available parameters can be found in our [REST API Reference](https://developer.disruptive-technologies.com/api). Currently, the only role available is `organization.admin`.

#### Example Usage

Using cURL with a Service Account for authentication, the following example grants the specified Service Account the role of Organization Admin in the specified organization.

```bash
curl -X POST "https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"roles": ["roles/organization.admin"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), an organization member can be added by calling the following resource method.

* [disruptive.Organization.add\_member()](https://developer.disruptive-technologies.com/api/libraries/python/resources/organization.html#org-add-member)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example grants the specified Service Account the role of Organization Admin.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Add a new organization admin member to the organization.
member = dt.Organization.add_member(
    organization_id='<ORGANIZATION_ID>',
    email='<SERVICE_ACCOUNT_EMAIL>',
    roles=[dt.Role.ORGANIZATION_ADMIN],
)

# Print information about the newly created member.
print(member)
```

{% endtab %}
{% endtabs %}

#### Remove Organization Member

{% tabs %}
{% tab title="DT Studio" %}
In any project, navigate to the **Administrators** page. Locate the member you wish to remove, then click the **Remove** button. For reference, see the image under **New Organization Member**.
{% endtab %}

{% tab title="REST API" %}
Send a **DELETE** request to:

`https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members/<MEMBER_ID>`

Here, `<MEMBER_ID>` is either the ID of a Service Account or User.

#### Example Usage

Using cURL with a Service Account for authentication, the following example removes the specified Service Account's membership in the specified organization.

```bash
curl -X DELETE "https://api.d21s.com/v2/organizations/<ORGANIZATION_ID>/members/<SERVICE_ACCOUNT_ID>" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), an organization member can be removed by calling the following resource method.

* [disruptive.Organization.remove\_member()](https://developer.disruptive-technologies.com/api/libraries/python/resources/project.html#remove-member)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example removes the specified Service Account's membership in the specified organization.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Remove member from the specified organization.
dt.Organization.remove_member(
    member_id='<MEMBER_ID>',
    organization_id='<ORGANIZATION_ID>',
)
```

{% endtab %}
{% endtabs %}

## Roles

A role contains permissions that determine which actions a member is authorized to perform on a specific resource in DT Cloud. To make permissions available to members, you grant them the role that provides the desired set of permissions.

The following roles are available.

* `project.user`
* `project.developer`
* `project.admin`
* `organization.admin`

### Managing Roles

Roles can be managed by Users or Service Account members holding the Project Administrator role (at the project level) or the Organization Administrator role (at the organization level). The role of a member is managed in the same place as the member itself. See the [Members](#members) section for details on where this is located, or use our REST API endpoint for Membership and Access Control.
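The rules this page lays out (an `organization.admin` acts as `project.admin` in every project of its organization, managing members needs `project.admin` or higher, and organizations offer only the `organization.admin` role) modelled in plain Python as an added example for auditing Service Account memberships before granting or removing them. This is not code from the `disruptive` package or from Disruptive Technologies; the `Memberships` directory, the helper names and the sample emails and IDs are constructed for illustration.

```python
# Added example: model of the access-rights hierarchy described on this page.
from dataclasses import dataclass

# Project roles from least to most privileged; organization.admin is the
# only organization-level role.
PROJECT_ROLE_ORDER = ["project.user", "project.developer", "project.admin"]
ORGANIZATION_ROLES = ["organization.admin"]

@dataclass
class Memberships:
    """Constructed (hypothetical) membership directory, not a DT API type."""
    project_org: dict    # project_id -> owning organization_id
    project_roles: dict  # (email, project_id) -> project role
    org_roles: dict      # (email, organization_id) -> organization role

def valid_role(scope: str, role: str) -> bool:
    """Can `role` be granted at `scope` ('project' or 'organization')?"""
    return role in (PROJECT_ROLE_ORDER if scope == "project" else ORGANIZATION_ROLES)

def member_body(scope: str, role: str, email: str) -> dict:
    """Body for POST .../members, refusing roles the scope does not offer."""
    if not valid_role(scope, role):
        raise ValueError(f"{role!r} is not a valid {scope} role")
    return {"roles": [f"roles/{role}"], "email": email}

def effective_project_role(m: Memberships, email: str, project_id: str):
    """Direct project role, or project.admin inherited via organization.admin
    in the owning organization. None means 'No access'."""
    if m.org_roles.get((email, m.project_org.get(project_id))) == "organization.admin":
        return "project.admin"
    return m.project_roles.get((email, project_id))

def can_manage_members(m: Memberships, email: str, project_id: str) -> bool:
    """Managing project members requires project.admin or higher."""
    role = effective_project_role(m, email, project_id)
    return role is not None and PROJECT_ROLE_ORDER.index(role) >= 2

def project_admins(m: Memberships, project_id: str) -> set:
    """Audit: everyone who effectively holds project.admin, including
    organization admins absent from the project's own member list."""
    emails = {e for e, _ in m.project_roles} | {e for e, _ in m.org_roles}
    return {e for e in emails if effective_project_role(m, e, project_id) == "project.admin"}

# Constructed sample data: proj-a and proj-b belong to org-1, proj-c to org-2.
SAMPLE = Memberships(
    project_org={"proj-a": "org-1", "proj-b": "org-1", "proj-c": "org-2"},
    project_roles={("dev@sa.example", "proj-a"): "project.developer",
                   ("admin@sa.example", "proj-a"): "project.admin"},
    org_roles={("orgadmin@sa.example", "org-1"): "organization.admin"},
)
```

Running `project_admins(SAMPLE, "proj-a")` surfaces the organization admin even though it never appears in the project's own member list, which is the case a per-project review in DT Studio would miss.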
