User Management


This section provides instructions on how to create, update and delete users for the default RESTHeart Authenticator.

It also shows how to manage permissions for the default RESTHeart Authorizer.

RESTHeart Authenticator uses the collection /users by default.

Before running the example requests

The following examples assume RESTHeart Platform running on the localhost with the default configuration: the database restheart is bound to / and the user admin exists with default password secret.

User document

With the default configuration, a user is represented as follows:

    "_id": "username",
    "roles": ["list", "of", "roles"],
    "password": "secret"

RESTHeart Authenticator can be configured to use different properties for the username, roles an password. Check RESTHeart Authenticator for more information.

Get existing users

GET /users HTTP/1.1
        "_id": "admin",
        "roles": ["admin"],
        "_etag": {
            "$oid": "5d2edb155883c050065d6a8a"

The password is always hidden on GET requests.

For security reasons, it not possbile to use the filter query parameter on the password field; the following request is forbidden and will cause an error: GET /users?filter={"password":{"$regex":"^a.*"}}

Create a user

POST /users HTTP/1.1

    "_id": "foo",
    "roles": [ "user" ],
    "password": "secret"

The password is automatically encrypted by RESTHeart Platform.

Update a user

PATCH /users/foo HTTP/1.1

    "password": "betterSecret"

Delete a user

DELETE /users/foo HTTP/1.1

Create an ACL document

POST /acl HTTP/1.1

  "predicate": "path-prefix[/inventory] and method[GET]",
  "roles": [ "user" ],
  "priority": 1,
  "readFilter": null,
  "writeFilter": null

If the /acl collection has not been created before and you get 404 Not Found, create if first with:

PUT /acl HTTP/1.1