/api/v1/group
GET /group — List all groups visible to the current session.
Returns the groups the current session may read (bag_read); a
system.root user sees all groups. Groups the session may not read
are silently omitted — no 403 is raised, and an unauthenticated
request simply yields an empty list, not a 401. The result is paged
with limit / offset and can be narrowed to specific group types.
Access token in the Authorization header:
Authorization: Bearer <token>.
limit: Maximum number of groups to return. Defaults to 1000.
offset: Number of groups to skip before collecting the result page. Defaults to 0.
type: Comma-separated list of group types to return. When set, only
groups whose type is in the list are returned. Valid types:
easydb, system. Example: type=easydb,system.
Array of all groups visible to the current session.
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
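The allow / deny rule that _ip_subnet_filter and _ip_subnet_filter_exclude describe, as an added Python example (not fylr's own code). It models a single group, assumes the entries are CIDR strings, and treats an empty list as "not set"; the addresses are constructed sample values.

```python
import ipaddress

def signin_allowed(client_ip, subnet_filter, exclude=False):
    """Apply one group's _ip_subnet_filter to a client address.

    subnet_filter: CIDR strings (entry format is an assumption)
    exclude:       the group's _ip_subnet_filter_exclude flag
    """
    if not subnet_filter:
        return True  # assumption: no entries means the filter is not set
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(e, strict=False) for e in subnet_filter]
    matched = any(ip.version == n.version and ip in n for n in nets)
    # exclude inverts the list: matching networks are denied instead
    return not matched if exclude else matched

def review_filter(subnet_filter, exclude=False):
    """List the points a reviewer should check before saving a filter."""
    findings = []
    for entry in subnet_filter or []:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry!r}: not a valid CIDR entry")
            continue
        if net.prefixlen == 0:
            effect = "denies" if exclude else "allows"
            findings.append(f"{entry}: {effect} every IPv{net.version} address")
    if exclude and subnet_filter:
        findings.append("exclude mode: any network not listed may sign in")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real instance.
    office = ["10.20.0.0/16", "2001:db8:100::/48"]
    for ip in ("10.20.3.4", "198.51.100.9", "2001:db8:100::5"):
        print(ip, signin_allowed(ip, office), signin_allowed(ip, office, True))
    print(review_filter(["0.0.0.0/0", "10.20.0.0/33"], exclude=True))
```

With the exclude flag set the list becomes a deny list, so a filter that was written as an allow list and later inverted admits every network it does not name.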
POST /group — Create or update one or more groups.
The payload is an array of group objects. Whether a group is created
or updated is decided by group._version: a group sent with
_version: 1 is created; a group sent with a higher _version is
updated and its group._version must equal the stored version + 1,
otherwise the request fails with a 400 code: VersionMismatch. An
update also requires the stored group._id (or a lookup:_id object
that resolves one). The response carries the saved groups with their
_id / _version populated.
Creating a group of type: system is rejected with a 400
code: GroupTypeNotAllowed; changing a stored group's type is
rejected with a 400 code: GroupTypeChangeNotAllowed.
PUT /group is an exact alias — same handler, same semantics.
Differs from easydb 5: in easydb 5 the HTTP method selects the
operation (PUT creates, POST updates). In fylr both methods run
the same handler and the operation is chosen per group by
group._version, so a single array may mix creates and updates.
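The per-group create / update decision described above, as an added Python example (not fylr's code): build_payload prepares a mixed array and check_payload models the documented 400 checks. The nesting under a "group" key is inferred from the page's group._version notation, the order of the checks is an assumption, and the name field and all sample values are constructed.

```python
def build_payload(stored, desired):
    """Build the array for POST /group from the desired group states.

    stored:  {_id: group fields as last read, including _version and type}
    desired: group fields to save; an entry without _id is a create
    """
    payload = []
    for want in desired:
        gid = want.get("_id")
        # create: _version 1; update: stored version + 1 plus the stored _id
        version = 1 if gid is None else stored[gid]["_version"] + 1
        payload.append({"group": {**want, "_version": version}})
    return payload

def check_payload(stored, payload):
    """Model of the documented 400 checks: returns (code, operations)."""
    ops = []
    for item in payload:
        g = item["group"]
        if g["_version"] == 1:
            if g.get("type") == "system":
                return "GroupTypeNotAllowed", []
            ops.append("create")
            continue
        have = stored[g["_id"]]  # model covers known ids only
        if g["_version"] != have["_version"] + 1:
            return "VersionMismatch", []
        if g.get("type", have["type"]) != have["type"]:
            return "GroupTypeChangeNotAllowed", []
        ops.append("update")
    return None, ops

if __name__ == "__main__":
    # Constructed sample state; ids, names and versions are made up.
    stored = {7: {"_id": 7, "_version": 3, "type": "easydb", "name": "editors"}}
    desired = [{"name": "reviewers", "type": "easydb"},
               {"_id": 7, "name": "editors-eu"}]
    payload = build_payload(stored, desired)
    print(check_payload(stored, payload))  # one create and one update
    stored[7]["_version"] = 4              # another session saved first
    print(check_payload(stored, payload))  # the update is now stale
```

On VersionMismatch, read the group again and reapply the change to the fresh state rather than only raising the number, since the mismatch means another session saved in between.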
Access token in the Authorization header:
Authorization: Bearer <token>.
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
The groups were saved. The response carries the saved groups
with their _id / _version populated.
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
The request could not be processed. Common causes and their
code: a group._version that is not stored version + 1 on
update (VersionMismatch); creating a type: system group
(GroupTypeNotAllowed) or changing a stored group's type
(GroupTypeChangeNotAllowed); deleting a type: system group
(DeleteSystemGroup); the instance being in read-only mode
(ReadOnlyMode). A malformed payload or a group id in the URL
that matches no stored group surfaces as code: ServerGeneric
(there is no dedicated 404 for a missing group).
No authenticated user. The request must carry a valid access token.
The authenticated user lacks a required right. Create / update
(POST / PUT) and delete (DELETE) first require the
system.group (or system.root) system right; missing it yields
code: SystemRightRequired with parameters.rights listing the
accepted rights. A non-root user is then checked further:
creating needs system.group[create] (and [create_acl] /
[create_system_rights] when _acl / _system_rights are sent),
editing an existing group's _acl / _system_rights needs
system.group[edit_acl] / [edit_system_rights] — these also
surface as SystemRightRequired. Per-group ACL failures use
code: RightRequired: bag_read on read, bag_write on update,
delete on delete; changing a group's owner additionally requires
system.root.
PUT /group — Create or update one or more groups (alias for POST).
Identical semantics to POST /group.
Access token in the Authorization header:
Authorization: Bearer <token>.
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
The groups were saved. The response carries the saved groups
with their _id / _version populated.
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
The request could not be processed. Common causes and their
code: a group._version that is not stored version + 1 on
update (VersionMismatch); creating a type: system group
(GroupTypeNotAllowed) or changing a stored group's type
(GroupTypeChangeNotAllowed); deleting a type: system group
(DeleteSystemGroup); the instance being in read-only mode
(ReadOnlyMode). A malformed payload or a group id in the URL
that matches no stored group surfaces as code: ServerGeneric
(there is no dedicated 404 for a missing group).
No authenticated user. The request must carry a valid access token.
The authenticated user lacks a required right. Create / update
(POST / PUT) and delete (DELETE) first require the
system.group (or system.root) system right; missing it yields
code: SystemRightRequired with parameters.rights listing the
accepted rights. A non-root user is then checked further:
creating needs system.group[create] (and [create_acl] /
[create_system_rights] when _acl / _system_rights are sent),
editing an existing group's _acl / _system_rights needs
system.group[edit_acl] / [edit_system_rights] — these also
surface as SystemRightRequired. Per-group ACL failures use
code: RightRequired: bag_read on read, bag_write on update,
delete on delete; changing a group's owner additionally requires
system.root.
GET /group/{id} — Retrieve a single group by id.
Access token in the Authorization header:
Authorization: Bearer <token>.
The group's _id.
The group, returned as a single-element array of group objects (the same shape as the create / delete responses).
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
The request could not be processed. Common causes and their
code: a group._version that is not stored version + 1 on
update (VersionMismatch); creating a type: system group
(GroupTypeNotAllowed) or changing a stored group's type
(GroupTypeChangeNotAllowed); deleting a type: system group
(DeleteSystemGroup); the instance being in read-only mode
(ReadOnlyMode). A malformed payload or a group id in the URL
that matches no stored group surfaces as code: ServerGeneric
(there is no dedicated 404 for a missing group).
The authenticated user lacks a required right. Create / update
(POST / PUT) and delete (DELETE) first require the
system.group (or system.root) system right; missing it yields
code: SystemRightRequired with parameters.rights listing the
accepted rights. A non-root user is then checked further:
creating needs system.group[create] (and [create_acl] /
[create_system_rights] when _acl / _system_rights are sent),
editing an existing group's _acl / _system_rights needs
system.group[edit_acl] / [edit_system_rights] — these also
surface as SystemRightRequired. Per-group ACL failures use
code: RightRequired: bag_read on read, bag_write on update,
delete on delete; changing a group's owner additionally requires
system.root.
DELETE /group/{id} — Delete a group by id.
A group whose type is system cannot be deleted — attempting to do
so yields a 400 with code: DeleteSystemGroup.
Access token in the Authorization header:
Authorization: Bearer <token>.
The group's _id.
The group was deleted. The response carries the deleted group as an array of group objects (the same shape as the create / read responses).
A user group. Bundles a set of users together so the ACL system can address them collectively.
Fixed marker identifying this object as a group.
CIDR / subnet entries. If set, members of this group can only sign
in from a matching network — unless _ip_subnet_filter_exclude is
true, in which case the matching networks are denied.
Invert the meaning of _ip_subnet_filter.
UTC time the group was created.
UTC time the group was last updated.
The request could not be processed. Common causes and their
code: a group._version that is not stored version + 1 on
update (VersionMismatch); creating a type: system group
(GroupTypeNotAllowed) or changing a stored group's type
(GroupTypeChangeNotAllowed); deleting a type: system group
(DeleteSystemGroup); the instance being in read-only mode
(ReadOnlyMode). A malformed payload or a group id in the URL
that matches no stored group surfaces as code: ServerGeneric
(there is no dedicated 404 for a missing group).
No authenticated user. The request must carry a valid access token.
The authenticated user lacks a required right. Create / update
(POST / PUT) and delete (DELETE) first require the
system.group (or system.root) system right; missing it yields
code: SystemRightRequired with parameters.rights listing the
accepted rights. A non-root user is then checked further:
creating needs system.group[create] (and [create_acl] /
[create_system_rights] when _acl / _system_rights are sent),
editing an existing group's _acl / _system_rights needs
system.group[edit_acl] / [edit_system_rights] — these also
surface as SystemRightRequired. Per-group ACL failures use
code: RightRequired: bag_read on read, bag_write on update,
delete on delete; changing a group's owner additionally requires
system.root.