Private tenant


In a private tenant, folders created on Spark are only visible to the user who created them until explicitly shared with other users and user groups. The sole exception is for members of the supervisor:pf group, who have access to see all Folders and Services in Spark by default.

The private tenant feature is best used in conjunction with custom user groups that are aligned with regional or functional responsibilities in an organization.

Spark entity permission types

Create, Read, Update, Delete and Execute permissions applied to users and user groups for a folder determine which actions can be taken on the folder and on the services within it. The table describes the permissions required to perform key functions in Spark.


The table below is meant to be read from left to right. Most actions require combined permissions. For example, to delete a folder you need both Read and Delete permissions.

Entity / Action (permission columns: Create, Read, Update, Delete, Execute)

Folder: Clone, Download, Delete, Edit, Favorite, New folder, View

Service: Add service, Add version, Analyze with AI, API Call History, API Tester, Compare versions, Delete, Deployment Request, Download, /batch, /execute, /metadata, /SPARK_XCALL, /validation, Favorite, Recompile, Restore version, Update service properties, View

Transform: Add, Delete, Execute, Edit, Update

Testbed: Add additional test cases, Aggregate, Delete, Download, Favorite, Run, Test case generation, Upload, View

Testbed results: Compare results, Delete, Download, Upload test results, View

Document section: Add, Delete, Edit, View

Document: Delete, Download, Move to, New document, Update, View

Supervisor role

When a new folder is created, the user group supervisor:pf is assigned to the folder by default with all permission types applied. This means that, by default, users in the supervisor:pf user group have access to all folders and services in Spark.

If the user who creates the folder is a member of other user groups, the supervisors of those user groups are also granted access to manage the folder. For example, if a user who is a member of user:team3 creates a folder, that folder is also accessible to the user group supervisor:team3.

Execute-only permissions

It is possible to call /batch, /execute, /metadata, SPARK_XCALL() and /validation with only Execute permission, without Read permission.

This requires configuration from Coherent. Contact Support for more information.
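The following is an added illustration (not Coherent's code) of the two rules above: the default supervisor access granted when a folder is created, and the combined-permission check (Read plus Delete to delete a folder, Execute alone for the execute-only endpoints). It assumes the folder creator holds every permission type on their own folder; principal names are constructed.

```python
# Added illustration of Spark's documented default-ACL and permission rules;
# this is not Coherent's code. Principal names are constructed examples.
ALL_PERMS = frozenset({"Create", "Read", "Update", "Delete", "Execute"})

# Combined-permission requirements stated on the page. Only the rows the
# text spells out are modelled; the full table is not reproduced here.
REQUIRED = {
    "folder:delete": frozenset({"Read", "Delete"}),
    # Execute-only API calls work with Execute alone (Coherent-configured).
    "service:/execute": frozenset({"Execute"}),
    "service:/batch": frozenset({"Execute"}),
}


def default_acl(creator, creator_groups):
    """Principal -> permissions for a freshly created folder.

    The creator (assumption) and supervisor:pf get every permission type;
    for each user:<name> group the creator belongs to, supervisor:<name>
    gets every permission type as well.
    """
    acl = {creator: ALL_PERMS, "supervisor:pf": ALL_PERMS}
    for group in creator_groups:
        if group.startswith("user:"):
            acl["supervisor:" + group[len("user:"):]] = ALL_PERMS
    return acl


def effective_perms(acl, principal, groups):
    """Union of what the principal holds directly and via its groups."""
    perms = set(acl.get(principal, frozenset()))
    for group in groups:
        perms |= acl.get(group, frozenset())
    return frozenset(perms)


def allowed(acl, principal, groups, action):
    """True when every permission the action requires is held."""
    return REQUIRED[action] <= effective_perms(acl, principal, groups)
```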

Set permissions on folders

In private tenants, permissions for folders can be assigned:

Directly to user accounts

To assign permissions, you must either be the owner of the folder or a member of the supervisor:pf group. Follow these steps:

  1. Click on the folder, then click on the "three-dot menu" to access the options and select Set Permissions.

  2. Type in the email address of the account you would like to add. If configured, you will also see that you can choose a user or group from the typeahead list. Set the necessary permissions for the user.

  3. Click Done.

  4. The user account specified in Step 2 will now have access to the folder.

To user groups

To assign permissions, you must either be the owner of the folder or a member of the supervisor:pf group. To create a user group, you must be a member of the tenant-admin group.

  1. Navigate to the menu on the top right corner (button with your initials) and select Options.

  2. In the menu bar on the left-hand side, select User groups and click on Add user group.

  3. Enter a group name. The user group name MUST start with the prefix user:. For example, user:example-user-group. Fill in the description, add all necessary users, and click Submit.

  4. Navigate back to the folder, then click on the triple dot action button to access the folder options and select Set permissions.

  5. Type in the user group you would like to add. If configured, you will also see that you can choose a user or group from the typeahead list. Set the necessary permissions for the group.

  6. Click Done.

  7. The user group added should now have access to this folder.

To API key groups

To create an API key group, you must be a member of the tenant-admin user group.

Prerequisite: a user group exists and is assigned to a folder (To user groups).

  1. Navigate to the menu on the top right corner (button with your initials) and select Options.

  2. Go to the page API keys.

  3. Click New API Key group.

  4. Enter the key group name, description, the user group you assigned to the folder from To user groups, and click on Create.

  5. You can now generate a key in the API key group and make calls to the services within the folder using the x-synthetic-key request header. (See Authorization - API keys).

To service accounts (OAuth2 client credentials)

Service accounts can also be given permissions directly, without the need for "dummy" users. This is especially useful for CI/CD pipelines or tasks that interact with non-public APIs. For complete instructions, see Client Credentials grant (OAuth 2.0).

Set permissions on folders via API

The use of this functionality requires using an access token with sufficient privileges, either Authorization - Bearer token or .

  1. First get the ID of the folder.

    1. Send a POST request to the following endpoint: https://excel.{environment}/api/v1/product/list.

    2. In the request headers, include in Authorization a bearer token.

    3. Include the following JSON payload in the request body:

    4. Copy the id from the response body after sending the POST request above. It should look something like this: {

  2. To assign permissions to the folder:

    1. Send a POST request to the following endpoint: https://excel.{environment}/api/v1/entitypermission/setentitypermission. In the request headers, include in Authorization a bearer token.

    2. Include the following JSON payload in the request body:

      • If the member is created from Client Credentials, then use the Client Credential which should include the service-account prefix.

    3. An example of the JSON payload is as follows:

  3. After completing the steps above, you should observe the changes in the folder you've chosen in the Set permissions dialog.
