syntax = "proto3"; import "google/api/annotations.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "protoc-gen-swagger/options/annotations.proto"; import "validate/validate.proto"; import "authoption/options.proto"; import "proto/message.proto"; package caos.zitadel.management.api.v1; option go_package = "github.com/caos/zitadel/pkg/grpc/management"; option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { info: { title: "Management API"; version: "0.1"; contact:{ url: "https://github.com/caos/zitadel/pkg/management" }; }; schemes: HTTPS; consumes: "application/json"; consumes: "application/grpc"; produces: "application/json"; produces: "application/grpc"; }; // All requests are based on your context if nothing other is specified // Requests which have /me in the url get the parameter from the context service ManagementService { //READINESS rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/healthz" }; } rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/ready" }; } rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) { option (google.api.http) = { get: "/validate" }; } rpc GetZitadelDocs(google.protobuf.Empty) returns (ZitadelDocs) { option (google.api.http) = { get: "/zitadel/docs" }; } // GetIam returns some needed settings of the iam (Global Organisation ID, Zitadel Project ID) rpc GetIam(google.protobuf.Empty) returns (Iam) { option (google.api.http) = { get: "/iam" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetUserByID(UserID) returns (UserView) { option (google.api.http) = { get: "/users/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } // GetUserByEmailGlobal returns User, global search is overall organisations rpc GetUserByEmailGlobal(Email) returns (UserView) { option (google.api.http) = { get: "/global/users/_byemail" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } // Limit should always be set, there is a default limit set by the service rpc SearchUsers(UserSearchRequest) returns (UserSearchResponse) { option (google.api.http) = { post: "/users/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc IsUserUnique(UniqueUserRequest) returns (UniqueUserResponse) { option (google.api.http) = { get: "/users/_isunique" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc CreateUser(CreateUserRequest) returns (User) { option (google.api.http) = { post: "/users" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc DeactivateUser(UserID) returns (User) { option (google.api.http) = { put: "/users/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ReactivateUser(UserID) returns (User) { option (google.api.http) = { put: "/users/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc LockUser(UserID) returns (User) { option (google.api.http) = { put: "/users/{id}/_lock" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc UnlockUser(UserID) returns (User) { option (google.api.http) = { put: "/users/{id}/_unlock" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc DeleteUser(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.delete" }; } // UserChanges returns the event stream of the user object rpc UserChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/users/{id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } // ApplicationChanges returns the event stream of the application object rpc ApplicationChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/projects/{id}/applications/{sec_id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.read" }; } // OrgChanges returns the event stream of the org object rpc OrgChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/orgs/{id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } // ProjectChanges returns the event stream of the project object rpc ProjectChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/projects/{id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } rpc GetUserProfile(UserID) returns (UserProfileView) { option (google.api.http) = { get: "/users/{id}/profile" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc UpdateUserProfile(UpdateUserProfileRequest) returns (UserProfile) { option (google.api.http) = { put: "/users/{id}/profile" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserEmail(UserID) returns (UserEmailView) { option (google.api.http) = { get: "/users/{id}/email" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc ChangeUserEmail(UpdateUserEmailRequest) returns (UserEmail) { option (google.api.http) = { put: "/users/{id}/email" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ResendEmailVerificationMail(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/email/_resendverification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserPhone(UserID) returns (UserPhoneView) { option (google.api.http) = { get: "/users/{id}/phone" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc ChangeUserPhone(UpdateUserPhoneRequest) returns (UserPhone) { option (google.api.http) = { put: "/users/{id}/phone" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc RemoveUserPhone(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{id}/phone" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ResendPhoneVerificationCode(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/phone/_resendverification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserAddress(UserID) returns (UserAddressView) { option (google.api.http) = { get: "/users/{id}/address" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc UpdateUserAddress(UpdateUserAddressRequest) returns (UserAddress) { option (google.api.http) = { put: "/users/{id}/address" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserMfas(UserID) returns (MultiFactors) { option (google.api.http) = { get: "/users/{id}/mfas" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } // Sends an Notification (Email/SMS) with a password reset Link rpc SendSetPasswordNotification(SetPasswordNotificationRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/password/_sendsetnotification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } // A Manager is only allowed to set an initial password, on the next login the user has to change his password rpc SetInitialPassword(PasswordRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/password/_initialize" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } // returns default policy if nothing other set on organisation rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) { option (google.api.http) = { get: "/policies/passwords/complexity" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc GetDefaultPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) { option (google.api.http) = { get: "/policies/passwords/complexity/default" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreatePasswordComplexityPolicy(PasswordComplexityPolicyCreate) returns (PasswordComplexityPolicy) { option (google.api.http) = { post: "/policies/passwords/complexity" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdatePasswordComplexityPolicy(PasswordComplexityPolicyUpdate) returns (PasswordComplexityPolicy) { option (google.api.http) = { put: "/policies/passwords/complexity" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc DeletePasswordComplexityPolicy(PasswordComplexityPolicyID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/policies/passwords/complexity" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } // returns default if nothing other set on organisation rpc GetPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicy) { option (google.api.http) = { get: "/policies/passwords/age" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreatePasswordAgePolicy(PasswordAgePolicyCreate) returns (PasswordAgePolicy) { option (google.api.http) = { post: "/policies/passwords/age" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdatePasswordAgePolicy(PasswordAgePolicyUpdate) returns (PasswordAgePolicy) { option (google.api.http) = { put: "/policies/passwords/age" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc DeletePasswordAgePolicy(PasswordAgePolicyID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/policies/passwords/age" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } // returns default if nothing other set on organisation rpc GetPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicy) { option (google.api.http) = { get: "/policies/passwords/lockout" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreatePasswordLockoutPolicy(PasswordLockoutPolicyCreate) returns (PasswordLockoutPolicy) { option (google.api.http) = { post: "/policies/passwords/lockout" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdatePasswordLockoutPolicy(PasswordLockoutPolicyUpdate) returns (PasswordLockoutPolicy) { option (google.api.http) = { put: "/policies/passwords/lockout" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc DeletePasswordLockoutPolicy(PasswordLockoutPolicyID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/policies/passwords/lockout" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } rpc GetMyOrg(google.protobuf.Empty) returns (OrgView) { option (google.api.http) = { get: "/orgs/me" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } // search a organisation by its domain overall organisations rpc GetOrgByDomainGlobal(Domain) returns (OrgView) { option (google.api.http) = { get: "/global/orgs/_bydomain" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } rpc DeactivateMyOrg(google.protobuf.Empty) returns (Org) { option (google.api.http) = { put: "/orgs/me/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc ReactivateMyOrg(google.protobuf.Empty) returns (Org) { option (google.api.http) = { put: "/orgs/me/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc SearchMyOrgDomains(OrgDomainSearchRequest) returns (OrgDomainSearchResponse) { option (google.api.http) = { post: "/orgs/me/domains/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } rpc AddMyOrgDomain(AddOrgDomainRequest) returns (OrgDomain) { option (google.api.http) = { post: "/orgs/me/domains" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc RemoveMyOrgDomain(RemoveOrgDomainRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/domains/{domain}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc GetMyOrgIamPolicy(google.protobuf.Empty) returns (OrgIamPolicy) { option (google.api.http) = { get: "/orgs/me/iampolicy" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetOrgMemberRoles(google.protobuf.Empty) returns (OrgMemberRoles) { option (google.api.http) = { get: "/orgs/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.read" }; } rpc AddMyOrgMember(AddOrgMemberRequest) returns (OrgMember) { option (google.api.http) = { post: "/orgs/me/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.write" }; } rpc ChangeMyOrgMember(ChangeOrgMemberRequest) returns (OrgMember) { option (google.api.http) = { put: "/orgs/me/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.write" }; } rpc RemoveMyOrgMember(RemoveOrgMemberRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.delete" }; } rpc SearchMyOrgMembers(OrgMemberSearchRequest) returns (OrgMemberSearchResponse) { option (google.api.http) = { post: "/orgs/me/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.read" }; } rpc SearchProjects(ProjectSearchRequest) returns (ProjectSearchResponse) { option (google.api.http) = { post: "/projects/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } rpc ProjectByID(ProjectID) returns (ProjectView) { option (google.api.http) = { get: "/projects/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" check_field_name: "Id" }; } rpc CreateProject(ProjectCreateRequest) returns (Project) { option (google.api.http) = { post: "/projects" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" }; } rpc UpdateProject(ProjectUpdateRequest) returns (Project) { option (google.api.http) = { put: "/projects/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" check_field_name: "Id" }; } rpc DeactivateProject(ProjectID) returns (Project) { option (google.api.http) = { put: "/projects/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" check_field_name: "Id" }; } rpc ReactivateProject(ProjectID) returns (Project) { option (google.api.http) = { put: "/projects/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" check_field_name: "Id" }; } // returns all projects my organisation got granted from another organisation rpc SearchGrantedProjects(GrantedProjectSearchRequest) returns (ProjectGrantSearchResponse) { option (google.api.http) = { post: "/grantedprojects/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } // returns a project my organisation got granted from another organisation rpc GetGrantedProjectByID(ProjectGrantID) returns (ProjectGrantView) { option (google.api.http) = { get: "/grantedprojects/{project_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } rpc GetProjectMemberRoles(google.protobuf.Empty) returns (ProjectMemberRoles) { option (google.api.http) = { get: "/projects/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.read" }; } rpc SearchProjectMembers(ProjectMemberSearchRequest) returns (ProjectMemberSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.read" check_field_name: "ProjectId" }; } rpc AddProjectMember(ProjectMemberAdd) returns (ProjectMember) { option (google.api.http) = { post: "/projects/{id}/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.write" check_field_name: "Id" }; } rpc ChangeProjectMember(ProjectMemberChange) returns (ProjectMember) { option (google.api.http) = { put: "/projects/{id}/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.write" check_field_name: "Id" }; } rpc RemoveProjectMember(ProjectMemberRemove) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{id}/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.delete" check_field_name: "Id" }; } rpc SearchProjectRoles(ProjectRoleSearchRequest) returns (ProjectRoleSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/roles/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.read" check_field_name: "ProjectId" }; } rpc AddProjectRole(ProjectRoleAdd) returns (ProjectRole) { option (google.api.http) = { post: "/projects/{id}/roles" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.write" check_field_name: "Id" }; } // add a list of project roles in one request rpc BulkAddProjectRole(ProjectRoleAddBulk) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/projects/{id}/roles/_bulk" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.write" check_field_name: "Id" }; } rpc ChangeProjectRole(ProjectRoleChange) returns (ProjectRole) { option (google.api.http) = { put: "/projects/{id}/roles/{key}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.write" check_field_name: "Id" }; } // RemoveProjectRole removes role from UserGrants, ProjectGrants and from Project rpc RemoveProjectRole(ProjectRoleRemove) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{id}/roles/{key}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.delete" check_field_name: "Id" }; } rpc SearchApplications(ApplicationSearchRequest) returns (ApplicationSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/applications/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.read" check_field_name: "ProjectId" }; } rpc ApplicationByID(ApplicationID) returns (ApplicationView) { option (google.api.http) = { get: "/projects/{project_id}/applications/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.read" check_field_name: "ProjectId" }; } rpc CreateOIDCApplication(OIDCApplicationCreate) returns (Application) { option (google.api.http) = { post: "/projects/{project_id}/oidcapplications" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc UpdateApplication(ApplicationUpdate) returns (Application) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc DeactivateApplication(ApplicationID) returns (Application) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc ReactivateApplication(ApplicationID) returns (Application) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc RemoveApplication(ApplicationID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{project_id}/applications/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.delete" check_field_name: "ProjectId" }; } rpc UpdateApplicationOIDCConfig(OIDCConfigUpdate) returns (OIDCConfig) { option (google.api.http) = { put: "/projects/{project_id}/applications/{application_id}/oidcconfig" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc RegenerateOIDCClientSecret(ApplicationID) returns (ClientSecret) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}/oidcconfig/_changeclientsecret" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc SearchProjectGrants(ProjectGrantSearchRequest) returns (ProjectGrantSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/grants/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.read" check_field_name: "ProjectId" }; } rpc ProjectGrantByID(ProjectGrantID) returns (ProjectGrantView) { option (google.api.http) = { get: "/projects/{project_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.read" }; } rpc CreateProjectGrant(ProjectGrantCreate) returns (ProjectGrant) { option (google.api.http) = { post: "/projects/{project_id}/grants" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } rpc UpdateProjectGrant(ProjectGrantUpdate) returns (ProjectGrant) { option (google.api.http) = { put: "/projects/{project_id}/grants/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } rpc DeactivateProjectGrant(ProjectGrantID) returns (ProjectGrant) { option (google.api.http) = { put: "/projects/{project_id}/grants/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } rpc ReactivateProjectGrant(ProjectGrantID) returns (ProjectGrant) { option (google.api.http) = { put: "/projects/{project_id}/grants/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } // RemoveProjectGrant removes project grant and all user grants for this project grant rpc RemoveProjectGrant(ProjectGrantID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{project_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.delete" }; } rpc GetProjectGrantMemberRoles(google.protobuf.Empty) returns (ProjectGrantMemberRoles) { option (google.api.http) = { get: "/projects/grants/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.read" }; } rpc SearchProjectGrantMembers(ProjectGrantMemberSearchRequest) returns (ProjectGrantMemberSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/grants/{grant_id}/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.read" }; } rpc AddProjectGrantMember(ProjectGrantMemberAdd) returns (ProjectGrantMember) { option (google.api.http) = { post: "/projects/{project_id}/grants/{grant_id}/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.write" }; } rpc ChangeProjectGrantMember(ProjectGrantMemberChange) returns (ProjectGrantMember) { option (google.api.http) = { put: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.write" }; } rpc RemoveProjectGrantMember(ProjectGrantMemberRemove) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.delete" }; } rpc SearchUserGrants(UserGrantSearchRequest) returns (UserGrantSearchResponse) { option (google.api.http) = { post: "/users/grants/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.read" }; } rpc UserGrantByID(UserGrantID) returns (UserGrantView) { option (google.api.http) = { get: "/users/{user_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.read" }; } rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) { option (google.api.http) = { post: "/users/{user_id}/grants" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) { option (google.api.http) = { put: "/users/{user_id}/grants/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) { option (google.api.http) = { put: "/users/{user_id}/grants/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc ReactivateUserGrant(UserGrantID) returns (UserGrant) { option (google.api.http) = { put: "/users/{user_id}/grants/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc RemoveUserGrant(UserGrantID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{user_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.delete" }; } // remove a list of user grants in one request rpc BulkRemoveUserGrant(UserGrantRemoveBulk) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/usersgrants/_bulk" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.delete" }; } // search user grants based on a project // This request is required that the user authorizations of zitadel can be differentiated rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) { option deprecated = true; option (google.api.http) = { post: "/projects/{project_id}/users/grants/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.user.grant.read" check_field_name: "ProjectId" }; } // get user grant based on a project // This request is required that the user authorizations of zitadel can be differentiated rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) { option deprecated = true; option (google.api.http) = { get: "/projects/{project_id}/users/{user_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.user.grant.read" check_field_name: "ProjectId" }; } // create user grant based on a project // This request is required that the user authorizations of zitadel can be differentiated rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) { option deprecated = true; option (google.api.http) = { post: "/projects/{project_id}/users/{user_id}/grants" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.user.grant.write" check_field_name: "ProjectId" }; } // update user grant based on a project // This request is required that the user authorizations of zitadel can be differentiated rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) { option deprecated = true; option (google.api.http) = { put: "/projects/{project_id}/users/{user_id}/grants/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.user.grant.write" check_field_name: "ProjectId" }; } // deactivate user grant based on a project // This request is required that the user authorizations of zitadel can be differentiated rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) { option deprecated = true; option (google.api.http) = { put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.user.grant.write" check_field_name: "ProjectId" }; } // reactivate user grant based on a project // This request is required that the user authorizations of zitadel can be differentiated rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) { option deprecated = true; option (google.api.http) = { put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.user.grant.write" check_field_name: "ProjectId" }; } // search user grants based on a projectgrant // This request is required that the user authorizations of zitadel can be differentiated rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) { option deprecated = true; option (google.api.http) = { post: "/projectgrants/{project_grant_id}/users/grants/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.user.grant.read" check_field_name: "ProjectGrantId" }; } // get user grant based on a projectgrant // This request is required that the user authorizations of zitadel can be differentiated rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) { option deprecated = true; option (google.api.http) = { get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.user.grant.read" check_field_name: "ProjectGrantId" }; } // create user grant based on a projectgrant // This request is required that the user authorizations of zitadel can be differentiated rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) { option deprecated = true; option (google.api.http) = { post: "/projectgrants/{project_grant_id}/users/{user_id}/grants" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.user.grant.write" check_field_name: "ProjectGrantId" }; } // update user grant based on a projectgrant // This request is required that the user authorizations of zitadel can be differentiated rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) { option deprecated = true; option (google.api.http) = { put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.user.grant.write" check_field_name: "ProjectGrantId" }; } // deactivate user grant based on a projectgrant // This request is required that the user authorizations of zitadel can be differentiated rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) { option deprecated = true; option (google.api.http) = { put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.user.grant.write" check_field_name: "ProjectGrantId" }; } // reactivate user grant based on a projectgrant // This request is required that the user authorizations of zitadel can be differentiated rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) { option deprecated = true; option (google.api.http) = { put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.user.grant.write" check_field_name: "ProjectGrantId" }; } } message ZitadelDocs { string issuer = 1; string discovery_endpoint = 2; } message Iam { string global_org_id = 1; string iam_project_id = 2; bool set_up_done = 3; bool set_up_started = 4; } message ChangeRequest { string id = 1; string sec_id = 2; uint64 limit= 3; uint64 sequence_offset = 4; bool asc = 5; } message Changes { repeated Change changes = 1; uint64 offset = 2; uint64 limit = 3; } message Change { google.protobuf.Timestamp change_date = 1; caos.zitadel.api.v1.LocalizedMessage event_type = 2; uint64 sequence = 3; string editor_id = 4; string editor = 5; google.protobuf.Struct data = 6; } message ApplicationID { string id = 1; string project_id = 2; } message ProjectID { string id = 1; } message UserID { string id = 1; } message Email { string email = 1; } message UniqueUserRequest { string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message UniqueUserResponse { bool is_unique = 1; } message CreateUserRequest { string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string nick_name = 4 [(validate.rules).string = {max_len: 200}]; string preferred_language = 5[(validate.rules).string = {max_len: 200}]; Gender gender = 6; string email = 7 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}]; bool is_email_verified = 8; string phone = 9 [(validate.rules).string = {max_len: 20}]; bool is_phone_verified = 10; string country = 11 [(validate.rules).string = {max_len: 200}]; string locality = 12 [(validate.rules).string = {max_len: 200}]; string postal_code = 13 [(validate.rules).string = {max_len: 200}]; string region = 14 [(validate.rules).string = {max_len: 200}]; string street_address = 15 [(validate.rules).string = {max_len: 200}]; string password = 16 [(validate.rules).string = {max_len: 72}]; } message User { string id = 1; UserState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string user_name = 5; string first_name = 6; string last_name = 7; string display_name = 8; string nick_name = 9; string preferred_language = 10; Gender gender = 11; string email = 12; bool is_email_verified = 13; string phone = 14; bool is_phone_verified = 15; string country = 16; string locality = 17; string postal_code = 18; string region = 19; string street_address = 20; uint64 sequence = 21; } enum UserState { USERSTATE_UNSPECIFIED = 0; USERSTATE_ACTIVE = 1; USERSTATE_INACTIVE = 2; USERSTATE_DELETED = 3; USERSTATE_LOCKED = 4; USERSTATE_SUSPEND = 5; USERSTATE_INITIAL= 6; } enum Gender { GENDER_UNSPECIFIED = 0; GENDER_FEMALE = 1; GENDER_MALE = 2; GENDER_DIVERSE = 3; } message UserView { string id = 1; UserState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp last_login = 5; google.protobuf.Timestamp password_changed = 6; string user_name = 7; string first_name = 8; string last_name = 9; string display_name = 10; string nick_name = 11; string preferred_language = 12; Gender gender = 13; string email = 14; bool is_email_verified = 15; string phone = 16; bool is_phone_verified = 17; string country = 18; string locality = 19; string postal_code = 20; string region = 21; string street_address = 22; uint64 sequence = 23; string resource_owner = 24; repeated string login_names = 25; string preferred_login_name = 26; } message UserSearchRequest { uint64 offset = 1; uint64 limit = 2; UserSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];; bool asc = 4; repeated UserSearchQuery queries = 5; } message UserSearchQuery { UserSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];; SearchMethod method = 2; string value = 3; } enum UserSearchKey { USERSEARCHKEY_UNSPECIFIED = 0; USERSEARCHKEY_USER_NAME = 1; USERSEARCHKEY_FIRST_NAME = 2; USERSEARCHKEY_LAST_NAME = 3; USERSEARCHKEY_NICK_NAME = 4; USERSEARCHKEY_DISPLAY_NAME = 5; USERSEARCHKEY_EMAIL = 6; USERSEARCHKEY_STATE = 7; } message UserSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated UserView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } enum SearchMethod { SEARCHMETHOD_EQUALS = 0; SEARCHMETHOD_STARTS_WITH = 1; SEARCHMETHOD_CONTAINS = 2; SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; SEARCHMETHOD_NOT_EQUALS = 6; SEARCHMETHOD_GREATER_THAN = 7; SEARCHMETHOD_LESS_THAN = 8; SEARCHMETHOD_IS_ONE_OF = 9; SEARCHMETHOD_LIST_CONTAINS = 10; } message UserProfile { string id = 1; string first_name = 2; string last_name = 3; string nick_name = 4; string display_name = 5; string preferred_language = 6; Gender gender = 7; string user_name = 8; uint64 sequence = 9; google.protobuf.Timestamp creation_date = 10; google.protobuf.Timestamp change_date = 11; } message UserProfileView { string id = 1; string first_name = 2; string last_name = 3; string nick_name = 4; string display_name = 5; string preferred_language = 6; Gender gender = 7; string user_name = 8; uint64 sequence = 9; google.protobuf.Timestamp creation_date = 10; google.protobuf.Timestamp change_date = 11; repeated string login_names = 12; string preferred_login_name = 27; } message UpdateUserProfileRequest { string id = 1; string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string nick_name = 4 [(validate.rules).string = {max_len: 200}]; string preferred_language = 5 [(validate.rules).string = {max_len: 200}]; Gender gender = 6; } message UserEmail { string id = 1; string email = 2; bool is_email_verified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UserEmailView { string id = 1; string email = 2; bool is_email_verified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UpdateUserEmailRequest { string id = 1; string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; bool is_email_verified = 3; } message UserPhone { string id = 1; string phone = 2; bool is_phone_verified = 3; uint64 sequence = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; } message UserPhoneView { string id = 1; string phone = 2; bool is_phone_verified = 3; uint64 sequence = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; } message UpdateUserPhoneRequest { string id = 1; string phone = 2 [(validate.rules).string = {min_len: 1, max_len: 20}]; bool is_phone_verified = 3; } message UserAddress { string id = 1; string country = 2; string locality = 3; string postal_code = 4; string region = 5; string street_address = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message UserAddressView { string id = 1; string country = 2; string locality = 3; string postal_code = 4; string region = 5; string street_address = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message UpdateUserAddressRequest { string id = 1; string country = 2 [(validate.rules).string = {max_len: 200}]; string locality = 3 [(validate.rules).string = {max_len: 200}]; string postal_code = 4 [(validate.rules).string = {max_len: 200}]; string region = 5 [(validate.rules).string = {max_len: 200}]; string street_address = 6 [(validate.rules).string = {max_len: 200}]; } message MultiFactors { repeated MultiFactor mfas = 1; } message MultiFactor { MfaType type = 1; MFAState state = 2; } enum MfaType { MFATYPE_UNSPECIFIED = 0; MFATYPE_SMS = 1; MFATYPE_OTP = 2; } enum MFAState { MFASTATE_UNSPECIFIED = 0; MFASTATE_NOT_READY = 1; MFASTATE_READY = 2; MFASTATE_REMOVED = 3; } message PasswordID{ string id = 1; } message PasswordRequest { string id = 1; string password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}]; } message ResetPasswordRequest { string id = 1; } message SetPasswordNotificationRequest { string id = 1; NotificationType type = 2; } enum NotificationType { NOTIFICATIONTYPE_EMAIL = 0; NOTIFICATIONTYPE_SMS = 1; } message PasswordComplexityPolicyID { string id = 1; } message PasswordComplexityPolicy { string id = 1; string description = 2; PolicyState state = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; uint64 min_length = 6; bool has_lowercase = 7; bool has_uppercase = 8; bool has_number = 9; bool has_symbol = 10; uint64 sequence = 11; bool is_default = 12; } message PasswordComplexityPolicyCreate { string description = 1 [(validate.rules).string = {max_len: 500}]; uint64 min_length = 2; bool has_lowercase = 3; bool has_uppercase = 4; bool has_number = 5; bool has_symbol = 6; } message PasswordComplexityPolicyUpdate { string id = 1; string description = 2 [(validate.rules).string = {max_len: 500}]; uint64 min_length = 3; bool has_lowercase = 4; bool has_uppercase = 5; bool has_number = 6; bool has_symbol = 7; } message PasswordAgePolicyID { string id = 1; } message PasswordAgePolicy { string id = 1; string description = 2; PolicyState state = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; uint64 max_age_days = 6; uint64 expire_warn_days = 7; uint64 sequence = 8; bool is_default = 9; } message PasswordAgePolicyCreate { string description = 1 [(validate.rules).string = {max_len: 500}]; uint64 max_age_days = 2; uint64 expire_warn_days = 3; } message PasswordAgePolicyUpdate { string id = 1; string description = 2 [(validate.rules).string = {max_len: 500}]; uint64 max_age_days = 3; uint64 expire_warn_days = 4; } message PasswordLockoutPolicyID { string id = 1; } message PasswordLockoutPolicy { string id = 1; string description = 2; PolicyState state = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; uint64 max_attempts = 6; bool show_lock_out_failures = 7; uint64 sequence = 8; bool is_default = 9 ; } message PasswordLockoutPolicyCreate { string description = 1 [(validate.rules).string = {max_len: 500}]; uint64 max_attempts = 2; bool show_lock_out_failures = 3; } message PasswordLockoutPolicyUpdate { string id = 1; string description = 2 [(validate.rules).string = {max_len: 500}]; uint64 max_attempts = 3; bool show_lock_out_failures = 4; } enum PolicyState { POLICYSTATE_UNSPECIFIED = 0; POLICYSTATE_ACTIVE = 1; POLICYSTATE_INACTIVE = 2; POLICYSTATE_DELETED = 3; } message OrgIamPolicy { string org_id = 1; string description = 2; bool user_login_must_be_domain = 3; bool default = 4; } message OrgID { string id = 1; } message Org { string id = 1; OrgState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; uint64 sequence = 6; } message OrgView { string id = 1; OrgState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; uint64 sequence = 6; } enum OrgState { ORGSTATE_UNSPECIFIED = 0; ORGSTATE_ACTIVE = 1; ORGSTATE_INACTIVE = 2; } message Domain { string domain = 1; } message OrgDomains { repeated OrgDomain domains = 1; } message OrgDomain { string org_id = 1; google.protobuf.Timestamp creation_date = 2; google.protobuf.Timestamp change_date = 3; string domain = 4; bool verified = 5; bool primary = 6; uint64 sequence = 7; } message OrgDomainView { string org_id = 1; google.protobuf.Timestamp creation_date = 2; google.protobuf.Timestamp change_date = 3; string domain = 4; bool verified = 5; bool primary = 6; uint64 sequence = 7; } message AddOrgDomainRequest { string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message RemoveOrgDomainRequest { string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message OrgDomainSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated OrgDomainView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message OrgDomainSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated OrgDomainSearchQuery queries = 3; } message OrgDomainSearchQuery { OrgDomainSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum OrgDomainSearchKey { ORGDOMAINSEARCHKEY_UNSPECIFIED = 0; ORGDOMAINSEARCHKEY_DOMAIN = 1; } message OrgMemberRoles { repeated string roles = 1; } message OrgMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message AddOrgMemberRequest { string user_id = 1; repeated string roles = 2; } message ChangeOrgMemberRequest { string user_id = 1; repeated string roles = 2; } message RemoveOrgMemberRequest { string user_id = 1; } message OrgMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated OrgMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message OrgMemberView { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; string user_name = 6; string email = 7; string first_name = 8; string last_name = 9; string display_name = 10; } message OrgMemberSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated OrgMemberSearchQuery queries = 3; } message OrgMemberSearchQuery { OrgMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum OrgMemberSearchKey { ORGMEMBERSEARCHKEY_UNSPECIFIED = 0; ORGMEMBERSEARCHKEY_FIRST_NAME = 1; ORGMEMBERSEARCHKEY_LAST_NAME = 2; ORGMEMBERSEARCHKEY_EMAIL = 3; ORGMEMBERSEARCHKEY_USER_ID = 4; } message ProjectCreateRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message ProjectUpdateRequest { string id = 1; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message ProjectSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectView { string project_id = 1; string name = 2; ProjectState state = 3; google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp creation_date = 5; string resource_owner = 6; uint64 sequence = 7; } message ProjectSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated ProjectSearchQuery queries = 3; } message ProjectSearchQuery { ProjectSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectSearchKey { PROJECTSEARCHKEY_UNSPECIFIED = 0; PROJECTSEARCHKEY_PROJECT_NAME = 1; } message Projects { repeated Project projects = 1; } message Project { string id = 1; string name = 2; ProjectState state = 3; google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp creation_date = 5; uint64 sequence = 6; } enum ProjectState { PROJECTSTATE_UNSPECIFIED = 0; PROJECTSTATE_ACTIVE = 1; PROJECTSTATE_INACTIVE = 2; } enum ProjectType { PROJECTTYPE_UNSPECIFIED = 0; PROJECTTYPE_OWNED = 1; PROJECTTYPE_GRANTED = 2; } message ProjectMemberRoles { repeated string roles = 1; } message ProjectMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message ProjectMemberAdd { string id = 1; string user_id = 2; repeated string roles = 3; } message ProjectMemberChange { string id = 1; string user_id = 2; repeated string roles = 3; } message ProjectMemberRemove { string id = 1; string user_id = 2; } message ProjectRoleAdd { string id = 1; string key = 2; string display_name = 3; string group = 4; } message ProjectRoleAddBulk { string id = 1; repeated ProjectRoleAdd project_roles = 2; } message ProjectRoleChange { string id = 1; string key = 2; string display_name = 3; string group = 4; } message ProjectRole { string project_id = 1; string key = 2; string display_name = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; string group = 6; uint64 sequence = 7; } message ProjectRoleView { string project_id = 1; string key = 2; string display_name = 3; google.protobuf.Timestamp creation_date = 4; string group = 6; uint64 sequence = 7; } message ProjectRoleRemove { string id = 1; string key = 2; } message ProjectRoleSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectRoleView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectRoleSearchRequest { string project_id = 1; uint64 offset = 2; uint64 limit = 3; repeated ProjectRoleSearchQuery queries = 4; } message ProjectRoleSearchQuery { ProjectRoleSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectRoleSearchKey { PROJECTROLESEARCHKEY_UNSPECIFIED = 0; PROJECTROLESEARCHKEY_KEY = 1; PROJECTROLESEARCHKEY_DISPLAY_NAME = 2; } message ProjectMemberView { string user_id = 1; string user_name = 2; string email = 3; string first_name = 4; string last_name = 5; repeated string roles = 6; google.protobuf.Timestamp change_date = 7; google.protobuf.Timestamp creation_date = 8; uint64 sequence = 10; string display_name = 11; } message ProjectMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectMemberSearchRequest { string project_id = 1; uint64 offset = 2; uint64 limit = 3; repeated ProjectMemberSearchQuery queries = 4; } message ProjectMemberSearchQuery { ProjectMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectMemberSearchKey { PROJECTMEMBERSEARCHKEY_UNSPECIFIED = 0; PROJECTMEMBERSEARCHKEY_FIRST_NAME = 1; PROJECTMEMBERSEARCHKEY_LAST_NAME = 2; PROJECTMEMBERSEARCHKEY_EMAIL = 3; PROJECTMEMBERSEARCHKEY_USER_ID = 4; PROJECTMEMBERSEARCHKEY_USER_NAME = 5; } enum AppState { APPSTATE_UNSPECIFIED = 0; APPSTATE_ACTIVE = 1; APPSTATE_INACTIVE = 2; } message Application { string id = 1; AppState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; oneof app_config { OIDCConfig oidc_config = 8; } uint64 sequence = 9; } message ApplicationUpdate { string project_id = 1; string id = 2; string name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message OIDCConfig { repeated string redirect_uris = 1; repeated OIDCResponseType response_types = 2; repeated OIDCGrantType grant_types = 3; OIDCApplicationType application_type = 4; string client_id = 5; string client_secret = 6; OIDCAuthMethodType auth_method_type = 7; repeated string post_logout_redirect_uris = 8; } message OIDCApplicationCreate { string project_id = 1; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; repeated string redirect_uris = 3; repeated OIDCResponseType response_types = 4; repeated OIDCGrantType grant_types = 5; OIDCApplicationType application_type = 6; OIDCAuthMethodType auth_method_type = 7; repeated string post_logout_redirect_uris = 8; } message OIDCConfigUpdate { string project_id = 1; string application_id = 2; repeated string redirect_uris = 3; repeated OIDCResponseType response_types = 4; repeated OIDCGrantType grant_types = 5; OIDCApplicationType application_type = 6; OIDCAuthMethodType auth_method_type = 7; repeated string post_logout_redirect_uris = 8; } enum OIDCResponseType { OIDCRESPONSETYPE_CODE = 0; OIDCRESPONSETYPE_ID_TOKEN = 1; OIDCRESPONSETYPE_ID_TOKEN_TOKEN = 2; } enum OIDCGrantType { OIDCGRANTTYPE_AUTHORIZATION_CODE = 0; OIDCGRANTTYPE_IMPLICIT = 1; OIDCGRANTTYPE_REFRESH_TOKEN = 2; } enum OIDCApplicationType { OIDCAPPLICATIONTYPE_WEB = 0; OIDCAPPLICATIONTYPE_USER_AGENT = 1; OIDCAPPLICATIONTYPE_NATIVE = 2; } enum OIDCAuthMethodType { OIDCAUTHMETHODTYPE_BASIC = 0; OIDCAUTHMETHODTYPE_POST = 1; OIDCAUTHMETHODTYPE_NONE = 2; } message ClientSecret { string client_secret = 1; } message ApplicationView { string id = 1; AppState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; oneof app_config { OIDCConfig oidc_config = 8; } uint64 sequence = 9; } message ApplicationSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ApplicationView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ApplicationSearchRequest { string project_id = 1; uint64 offset = 2; uint64 limit = 3; repeated ApplicationSearchQuery queries = 4; } message ApplicationSearchQuery { ApplicationSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ApplicationSearchKey { APPLICATIONSERACHKEY_UNSPECIFIED = 0; APPLICATIONSEARCHKEY_APP_NAME = 1; } message ProjectGrant { string id = 1; string project_id = 2; string granted_org_id = 3; repeated string role_keys = 4; ProjectGrantState state = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; uint64 sequence = 9; } message ProjectGrantCreate { string project_id = 1; string granted_org_id = 2; repeated string role_keys = 3; } message ProjectGrantUpdate { string project_id = 1; string id = 2; repeated string role_keys = 3; } message ProjectGrantID { string project_id = 1; string id = 2; } enum ProjectGrantState { PROJECTGRANTSTATE_UNSPECIFIED = 0; PROJECTGRANTSTATE_ACTIVE = 1; PROJECTGRANTSTATE_INACTIVE = 2; } message ProjectGrantView { string id = 1; string project_id = 2; string granted_org_id = 3; string granted_org_name = 4; repeated string role_keys = 5; ProjectGrantState state = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; string project_name = 9; uint64 sequence = 10; string resource_owner = 11; string resource_owner_name = 12; } message ProjectGrantSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectGrantView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message GrantedProjectSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated ProjectSearchQuery queries = 3; } message ProjectGrantSearchRequest { string project_id = 1; uint64 offset = 2; uint64 limit = 3; repeated ProjectGrantSearchQuery queries = 4; } message ProjectGrantSearchQuery { ProjectGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectGrantSearchKey { PROJECTGRANTSEARCHKEY_UNSPECIFIED = 0; PROJECTGRANTSEARCHKEY_PROJECT_NAME = 1; PROJECTGRANTSEARCHKEY_ROLE_KEY = 2; } message ProjectGrantMemberRoles { repeated string roles = 1; } message ProjectGrantMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message ProjectGrantMemberAdd { string project_id = 1; string grant_id = 2; string user_id = 3; repeated string roles = 4; } message ProjectGrantMemberChange { string project_id = 1; string grant_id = 2; string user_id = 3; repeated string roles = 4; } message ProjectGrantMemberRemove { string project_id = 1; string grant_id = 2; string user_id = 3; } message ProjectGrantMemberView { string user_id = 1; string user_name = 2; string email = 3; string first_name = 4; string last_name = 5; repeated string roles = 6; google.protobuf.Timestamp change_date = 7; google.protobuf.Timestamp creation_date = 8; uint64 sequence = 9; string display_name = 10; } message ProjectGrantMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectGrantMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectGrantMemberSearchRequest { string project_id = 1; string grant_id = 2; uint64 offset = 3; uint64 limit = 4; repeated ProjectGrantMemberSearchQuery queries = 5; } message ProjectGrantMemberSearchQuery { ProjectGrantMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectGrantMemberSearchKey { PROJECTGRANTMEMBERSEARCHKEY_UNSPECIFIED = 0; PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME = 1; PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME = 2; PROJECTGRANTMEMBERSEARCHKEY_EMAIL = 3; PROJECTGRANTMEMBERSEARCHKEY_USER_ID = 4; PROJECTGRANTMEMBERSEARCHKEY_USER_NAME = 5; } message UserGrant { string id = 1; string user_id = 2; string org_id = 3; string project_id = 4; repeated string role_keys = 5; UserGrantState state = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; uint64 sequence = 9; string grant_id = 10; } message UserGrantCreateBulk { repeated UserGrantCreate user_grants = 1; } message UserGrantCreate { string user_id = 1; string project_id = 2; repeated string role_keys = 3; string grant_id = 4; } message UserGrantUpdateBulk { repeated UserGrantUpdate user_grants = 1; } message UserGrantUpdate { string user_id = 1; string id = 2; repeated string role_keys = 3; } message UserGrantRemoveBulk { repeated string ids = 1; } message UserGrantID { string user_id = 1; string id = 2; } message ProjectUserGrantID { string project_id = 1; string user_id = 2; string id = 3; } message ProjectUserGrantUpdate { string project_id = 1; string user_id = 2; string id = 3; repeated string role_keys = 4; } message ProjectGrantUserGrantID { string project_grant_id = 1; string user_id = 2; string id = 3; } message ProjectGrantUserGrantCreate { string user_id = 1; string project_grant_id = 2; string project_id = 3 [(validate.rules).string.min_len = 1]; repeated string role_keys = 4; } message ProjectGrantUserGrantUpdate { string project_grant_id = 1; string user_id = 2; string id = 3; repeated string role_keys = 4; } enum UserGrantState { USERGRANTSTATE_UNSPECIFIED = 0; USERGRANTSTATE_ACTIVE = 1; USERGRANTSTATE_INACTIVE = 2; } message UserGrantView { string id = 1; string user_id = 2; string org_id = 3; string project_id = 4; repeated string role_keys = 5; UserGrantState state = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; string user_name = 9; string first_name = 10; string last_name = 11; string email = 12; string org_name = 13; string org_domain = 14; string project_name = 15; uint64 sequence = 16; string resource_owner = 17; string display_name = 18; string grant_id = 19; } message UserGrantSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated UserGrantView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message UserGrantSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated UserGrantSearchQuery queries = 3; } message UserGrantSearchQuery { UserGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2 [(validate.rules).enum = {in: [0]}]; string value = 3; } enum UserGrantSearchKey { USERGRANTSEARCHKEY_UNSPECIFIED = 0; USERGRANTSEARCHKEY_PROJECT_ID = 1; USERGRANTSEARCHKEY_USER_ID = 2; USERGRANTSEARCHKEY_ORG_ID = 3; USERGRANTSEARCHKEY_ROLE_KEY = 4; } message ProjectUserGrantSearchRequest { string project_id = 1; uint64 offset = 2; uint64 limit = 3; repeated UserGrantSearchQuery queries = 4; } message ProjectGrantUserGrantSearchRequest { string project_grant_id = 1; uint64 offset = 2; uint64 limit = 3; repeated UserGrantSearchQuery queries = 4; }