Administrative tasks

This section describes how to perform operations related to users and roles, identity stores, and organizations using Central Governance REST APIs.

Users and roles

Using REST APIs you can create, delete, lock, or unlock a user, add or delete roles, as well as retrieve a list of roles.

  • GET retrieves the list of users. You can filter users by userID, firstName, organization or lock status. You can also retrieve a user that supports a given role, using its name or role ID.
  • PUT updates a specific user, using its business ID. You can update any user field except the organization and User ID of the current user who is executing the API.
  • DELETE removes a user, other than the one executing the operation.
  • POST creates a new user.

You can use POST to create a user as follows:

POST /api/v2/users


  "firstName": "Dorin",

  "organization": "Org",

  "userID": "dorin_user",

  "roles": ["CG Admin","Transfer CFT Administrator"]



You can use POST to create an organization as follows:

POST /api/v2/organizations


    "name": "ldapOrg",

    "identityStore": {

         "name": "My_LDAP"



When you update an organization, the number of users should remain unchanged:

PUT /api/v2/organizations/businessID


  "name": "ldapOrg",

  "description": "newDescription",

  "numberOfUsers": 0,

  "contact": {

    "email": "string@wqer",

    "phone": "66709"



To delete an organization:

DELETE /api/v2/organizations/businessID

If your organization is linked to an external LDAP, you can associate the roles from Central Governance with LDAP role groups. In the example below, a Central Governance role (identified by ID) is linked to several groups in LDAP.

POST /api/v2/organizations/businessID/role-mappings


    "roleId": "3aa79cd8-8423-492c-9695-5f7494133e43",

    "roles": [














You can then retrieve LDAP roles associated with a specific Central Governance role:

GET /api/v2/organizations/businessID/role-mappings/roleID

To update the LDAP roles associated with a specific Central Governance role:

PUT /api/v2/organizations/businessID/role-mappings/roleID

To remove a Central Governance role from the given organization:

DELETE /api/v2/organizations/businessID/role-mappings/roleID

Identity stores

You can create an identity store as follows:

POST  /api/v2/identitystores


    "name": "ldap_with_SSL",

    "numberOfOrganizations": 1,

    "connection": {

      "serverHosts": [



      "serverPort": "33",

      "encryptionMode": "START_TLS",

      "adminLogin": "login",

      "authenticationMode": "SIMPLE",

      "certificateContent": "<server certificate encoded with Base64>",

      "certificateAlias": "CA.cer",

      "connectionTimeout": "5",

      "numberOfRetries": "1",

      "connectionPooling": false


    "ldapTree": {

      "activeDirectory": false,

      "activeDirectoryDomain": "",

      "baseDN": "baseDN",

      "prefix": ""


    "ldapAuthorization": {

      "cacheTimeout": "12",

      "userDNFilter": "(&(objectClass=organizationalPerson)(cn=:userLogin:))",

      "roleListFilter": "(objectClass=organizationalRole)",

      "filterRolesFilter": "(&(objectClass=organizationalRole)(cn=:filter:))",

      "userRolesFilter": "(&(objectClass=organizationalRole)(roleOccupant=:userFullDN:))",

      "groupRolesFilter": "(&(objectClass=organizationalRole)(roleOccupant=:groupFullDN:))",

      "userGroupsFilter": "(&(objectClass=groupOfNames)(member=:userFullDN:))",

      "mappingRoleAttribute": "cn"


    "ldapUserMapping": {

      "userFilter": "(objectClass=organizationalPerson)",

      "firstNameAttribute": "firstName",

      "lastNameAttribute": "lastName",

      "emailAttribute": "email"



To retrieve all identity stores, or to filter them by name or host:

GET /api/v2/identitystores?name=Company_LDAP

Additionally, you can check if the connection to a specific LDAP is working:

HEAD /api/v2/identitystores/businessID/valid-connection


Central Governance | Document Directory

Related Links