IAM - Identity & Access Management¶

List organization members, inspect user groups, and create or update users via the IAM API.

Commands¶

iam members - List organization members
iam groups - List a user's Keycloak groups
iam create-user - Create a user
iam update-user - Update a user

iam members¶

List the members of an organization via the IAM API.

mysecutec iam members --org <orgId> [flags]

Flags¶

Flag	Type	Default	Description
`--org`	string		Organization ID (required)
`--max`	int	`0`	Maximum number of members to return (-1 for all)

API¶

1	`GET /iam/v1/members/organization/{orgId}/?max=50`

A non-zero --max is forwarded as the max query param (-1 returns all members); when 0 the param is omitted.

Request Example¶

mysecutec iam members --org 9f72e581-3ba2-4a1a-8b3c-abc123456789 --max 50

GET /iam/v1/members/organization/9f72e581-3ba2-4a1a-8b3c-abc123456789/?max=50
Authorization: Bearer <token>
Accept: application/json

iam groups¶

List a user's Keycloak groups.

mysecutec iam groups <user_id>

Flags¶

This command takes no flags beyond the global flags. The user ID is a positional argument.

API¶

1	`GET /iam/v1/users/{userId}/groups`

Request Example¶

mysecutec iam groups 9f72e581-3ba2-4a1a-8b3c-abc123456789

GET /iam/v1/users/9f72e581-3ba2-4a1a-8b3c-abc123456789/groups
Authorization: Bearer <token>
Accept: application/json

iam create-user¶

Create a user in an organization via the IAM API. This is a mutating command and prompts for confirmation before sending the request; pass -y/--yes to skip the prompt.

mysecutec iam create-user --email <email> --first-name <name> --last-name <name> \
  --language <lang> --gender <gender> \
  --org-value <orgId> --org-label <label> --org-alias <alias> [flags]

Flags¶

Flag	Type	Default	Description
`--email`	string		Email address (required)
`--username`	string		Username (defaults to email)
`--first-name`	string		First name (required)
`--last-name`	string		Last name (required)
`--language`	string		Language (nl, fr, en, de)
`--gender`	string		Gender (male, female, other)
`--enabled`	bool	`true`	Whether the user is enabled
`--manager`	bool	`false`	Grant MySecutec manager role
`--org-value`	string		Organization ID (required)
`--org-label`	string		Organization label (required)
`--org-alias`	string		Organization alias (required)
`--required-action`	strings		Keycloak required action (repeatable)
`--email-verified`	bool	`false`	Mark the email as verified
`--send-verify-email`	bool	`false`	Send a Keycloak verification/invite email
`-y`, `--yes`	bool	`false`	Skip the confirmation prompt

API¶

1	`POST /iam/v1/users`

Request body (UserSchemaIn):

{
  "email": "jane@example.com",
  "username": "jane@example.com",
  "firstName": "Jane",
  "lastName": "Doe",
  "language": "en",
  "gender": "female",
  "enabled": true,
  "manager": false,
  "organizationAttr": {
    "value": "<orgId>",
    "label": "Example",
    "alias": "example"
  },
  "requiredActions": [],
  "emailVerified": false,
  "send_verify_email": true
}

Request Example¶

mysecutec iam create-user --email jane@example.com --first-name Jane --last-name Doe \
  --language en --gender female \
  --org-value <orgId> --org-label "Example" --org-alias example --send-verify-email --yes

POST /iam/v1/users
Authorization: Bearer <token>
Content-Type: application/json
Accept: application/json

iam update-user¶

Update an existing user via the IAM API. The backend expects the full user body, identical to create. This is a mutating command and prompts for confirmation before sending the request; pass -y/--yes to skip the prompt.

mysecutec iam update-user <user_id> --email <email> --first-name <name> --last-name <name> \
  --language <lang> --gender <gender> \
  --org-value <orgId> --org-label <label> --org-alias <alias> [flags]

Flags¶

Flag	Type	Default	Description
`--email`	string		Email address (required)
`--username`	string		Username (defaults to email)
`--first-name`	string		First name (required)
`--last-name`	string		Last name (required)
`--language`	string		Language (nl, fr, en, de)
`--gender`	string		Gender (male, female, other)
`--enabled`	bool	`true`	Whether the user is enabled
`--manager`	bool	`false`	Grant MySecutec manager role
`--org-value`	string		Organization ID (required)
`--org-label`	string		Organization label (required)
`--org-alias`	string		Organization alias (required)
`--required-action`	strings		Keycloak required action (repeatable)
`--email-verified`	bool	`false`	Mark the email as verified
`--send-verify-email`	bool	`false`	Send a Keycloak verification/invite email
`-y`, `--yes`	bool	`false`	Skip the confirmation prompt

The user ID is a positional argument.

API¶

1	`PUT /iam/v1/users/{userId}/`

Request body (UserSchemaIn, identical shape to create):

{
  "email": "jane@example.com",
  "username": "jane@example.com",
  "firstName": "Jane",
  "lastName": "Doe",
  "language": "en",
  "gender": "female",
  "enabled": true,
  "manager": false,
  "organizationAttr": {
    "value": "<orgId>",
    "label": "Example",
    "alias": "example"
  },
  "requiredActions": [],
  "emailVerified": false,
  "send_verify_email": false
}

Request Example¶

mysecutec iam update-user 9f72e581-3ba2-4a1a-8b3c-abc123456789 \
  --email jane@example.com --first-name Jane --last-name Doe \
  --language en --gender female \
  --org-value <orgId> --org-label "Example" --org-alias example --manager --yes

PUT /iam/v1/users/9f72e581-3ba2-4a1a-8b3c-abc123456789/
Authorization: Bearer <token>
Content-Type: application/json
Accept: application/json