Managing User Entitlements

A user's entitlements can be modified either by applying an entitlements set to the user or by explicitly applying individual entitlements to the user.

Common Entitlements Types

# An entitlement
type Entitlement {
  # Name of the entitlement
  name: String!

  # Optional description of the entitlement
  description: String

  # Value of the entitlement. Type Float to allow for values
  # values larger than possible with Int. Value is a
  # positive integer.
  value: Float!
}

# Sub-resource consumer of the entitlement
# For example some entitlements are per-Sudo
type EntitlementConsumer {
  # ID of the consuming resource
  id: ID!

  # Issuer of the consuming resource ID e.g. sudoplatform.sudoservice for Sudos
  issuer: String!
}

# Effective entitlements for an external user
type ExternalUserEntitlements  {
  # Time of initial creation of user entitlements mapping in milliseconds
  # since epoch. Number is integral, float type provides sufficient
  # precision.
  createdAtEpochMs: Float!

  # Time of last updates of user entitlements mapping in milliseconds
  # since epoch. Number is integral, float type provides sufficient
  # precision.
  updatedAtEpochMs: Float!

  # Version number of the user's entitlements. This is incremented every
  # time there is a change of entitlements set or explicit entitlements
  # for this user.
  #
  # For users entitled by entitlement set, the fractional part of this version
  # specifies the version of the entitlements set itself. Entitlements set version
  # is divided by 100000 then added to the user entitlements version
  #
  # This ensures that the version of user entitlements always increases mon
  version: Float!

  # External IDP identifier identifying the user
  externalId: String!

  # Sudo Platform owner. This value matches the subject in identity
  # tokens used to authenticate to Sudo Platform services.
  owner: String

  # Name of the entitlements set specified for this user. Will be undefined
  # if entitlements have been specified explicitly rather than by an
  # entitlements set name.
  entitlementsSetName: String

  # Effective entitlements for the user either obtained from the entitlements
  # set or as specified explicitly for this user.
  entitlements: [Entitlement!]!
}

# An error result returned for an operation in a bulk applyEntitlements*ToUsers
# mutation.
type ExternalUserEntitlementsError {
  # Error code of failed operation
  error: String!
}

# Union of success and error results returned for operations in a bulk
# applyEntitlements*ToUsers mutation.
union ExternalUserEntitlementsResult =
    ExternalUserEntitlements
  | ExternalUserEntitlementsError

Apply Entitlements Set to a User

A previously defined entitlements set can be applied to a user by calling the applyEntitlementsSetToUser mutation.

Possible Errors

• EntitlementsSetNotFoundError will be returned if an entitlements set with the name of the supplied entitlementsSetName parameter is unknown to the entitlements service.

• AlreadyUpdatedError will be returned if an attempt to update a user's entitlements is made after the user's entitlements have already been updated to a later version.

• ServiceError will be returned for internal errors.

Applying an entitlements set to a user using SDK.

Apply Entitlements Sets to Multiple Users

Previously defined entitlements set can be applied to multiple users by calling the applyEntitlementsSetToUsers mutation.

Possible Errors

Each individual operation may fail with any of the same errors that applyEntitlementsSetToUser may fail. These are returned in the corresponding element of the returned list of results.

In addition, the overall mutation can fail with the following errors:

• LimitExceededError will be returned if too many operations are specified. The maximum number of operations is 1500. This may be adjusted for specific environments.

• BulkOperationDuplicateUsersError will be returned if more than one individual operation specifies the same value for externalId.

• ServiceError will be returned for internal errors.

Applying an entitlements set to multiple users using SDK.

Apply Entitlements Sequence to a User

A previously defined entitlements setquence can be applied to a user by calling the applyEntitlementsSequenceToUser mutation.

Possible Errors

• EntitlementsSequenceNotFoundError will be returned if an entitlements sequence with the name of the supplied entitlementsSequenceName parameter is unknown to the entitlements service.

• AlreadyUpdatedError will be returned if an attempt to update a user's entitlements is made after the user's entitlements have already been updated to a later version.

• ServiceError will be returned for internal errors.

Applying an entitlements sequence to a user using SDK.

Apply Entitlements Sequences to Multiple Users

Previously defined entitlements sequences can be applied to multiple users by calling the applyEntitlementsSequenceToUsers mutation.

Possible Errors

Each individual operation may fail with any of the same errors that applyEntitlementsSequenceToUser may fail. These are returned in the corresponding element of the returned list of results.

In addition, the overall mutation can fail with the following errors:

• LimitExceededError will be returned if too many operations are specified. The maximum number of operations is 1500. This may be adjusted for specific environments.

• BulkOperationDuplicateUsersError will be returned if more than one individual operation specifies the same value for externalId.

• ServiceError will be returned for internal errors.

Applying an entitlements set to multiple users using SDK.

Apply Entitlements to a User

A list of individual entitlements can be applied to a user by calling the applyEntitlementsToUser mutation.

Possible Errors

• InvalidEntitlementsError will be returned if an entitlement name is not a recognized entitlement.

• AlreadyUpdatedError will be returned if an attempt to update a user's entitlements is made after the user's entitlements have already been updated to a later version.

• ServiceError will be returned for internal errors.

Applying entitlements to a user using SDK.

Apply Entitlements to Multiple Users

Entitlements can be applied to multiple users by calling the applyEntitlementsToUsers mutation.

Possible Errors

Each individual operation may fail with any of the same errors that applyEntitlementsToUser may fail. These are returned in the corresponding element of the returned list of results.

In addition, the overall mutation can fail with the following errors:

• LimitExceededError will be returned if too many operations are specified. The maximum number of operations is 1500. This may be adjusted for specific environments.

• BulkOperationDuplicateUsersError will be returned if more than one individual operation specifies the same value for externalId.

• ServiceError will be returned for internal errors.

Applying an entitlements set to multiple users using SDK.

Apply Expendable Entitlements to a User

A list of individual expendable entitlements can be applied to a user by calling the applyExpendableEntitlementsToUser mutation. The user's expendable entitlements will be incremented (or decremented if entitlement value is negaetive) by the amount specified for each entitlement. Since this is an increment operation, a request ID is required and is used to provide idempotence of the operation. Replayed requests will have no effect on the user's expendable entitlements the current user entitlements will be returned.

Possible Errors

• InvalidEntitlementsError will be returned if an entitlement name is not a recognized expendable entitlement.

• DuplicateEntitlementError will be returned if the same expendable entitlement is specified more than once in the expendableEntitlements property of the input.

• NegativeEntitlementError will be returned if the change in an expendable entitlement would result in negative entitlement.

• AlreadyUpdatedError will be returned if an attempt to update a user's entitlements is made after the user's entitlements have already been updated to a later version.

• ServiceError will be returned for internal errors.

Applying entitlements to a user using SDK.

Get Entitlements for a User

The effective entitlements assigned to a user and their current consumption of those entitlements is retrieved by calling the getEntitlementsForUser query.

Entitlement values are returned with three pieces of information:

value is the total entitled amount

consumed is the amount of the entitlement consumed

available is the amount remaining.

It is always true that value = consumed + available

It's possible that available can be negative. This can happen transiently when a user's entitlement is reduced and the system has not yet had time to reclaim the resources to bring the user back in to compliance with their entitlement.

The getEntitlementsForUser query returns an aggregation of the specified user’s entitlement consumption information.

Possible Errors

• NoEntitlementsError is returned if no entitlements have been defined for the user

• ServiceError will be returned for internal errors.

Retrieving a user's entitlements and consumption using SDK.

To remove all record of a user from the entitlements system call the removeEntitledUser mutation.