Freeze users

Server administrators can freeze users via the Administration API. A frozen user will be temporarily blocked from connecting to Parsec server.

This mechanism allows to automatically block users who have been deleted from a directory service (such as OpenLDAP or Active Directory), while waiting for the Organization administrator to revoke them. It is exposed in the form of HTTP routes that only requires an administration token.

Note

The freeze operation is performed by a Server administrator and can be undone. The revoke operation is performed by an Organization administrator and cannot be undone, it is the definitive removal of the user’s rights within the organization.

HTTP /users route

This route is made available as /administration/organizations/<raw_organization_id>/users and requires an administration token.

It supports the GET method which lists information for all users, including:

  • Parsec ID

  • user name

  • user email

  • frozen status

Here’s an example using curl and jq:

$ curl https://$server/administration/organizations/$organization/users \
    -H "Authorization: Bearer $administration_token" | jq

A successful request returns a JSON object with the following structure:

{
  "users": [
    {
      "user_name": "Alice",
      "frozen": true,
      "user_email": "alice@example.com",
      "user_id": "940a380aedd44127863d952a66cfce1e"
    },
    {
      "user_name": "Bob",
      "frozen": false,
      "user_email": "bob@example.com",
      "user_id": "7d04b0df51a74158b35b6386eecdf4e0"
    }
  ]
}

HTTP /users/freeze route

This route is made available as /administration/organizations/<raw_organization_id>/users/freeze and requires an administration token.

It supports the POST method which modifies the frozen status for a given user.

Here’s an example of generating the request data using jq:

$ DATA=$(jq -n --arg user_id "$user_id" --argjson frozen true '$ARGS.named')
$ echo $DATA
{
"user_id": "940a380aedd44127863d952a66cfce1e",
"frozen": true
}

The request can also use the user_email field instead of user_id to identify the Parsec user (see the note on user identification section below for more information):

$ DATA=$(jq -n --arg user_email "$user_email" --argjson frozen true '$ARGS.named')
$ echo $DATA
{
"user_email": "alice@example.com",
"frozen": true
}

Here’s an example of running the request using curl and jq:

$ curl https://$server/administration/organizations/$organization/users/freeze \
    -H "Authorization: Bearer $administration_token" \
    --request POST --data $DATA | jq

A successful request returns a JSON dictionary similar to the one below:

{
  "frozen": true,
  "user_email": "alice@example.com",
  "user_id": "940a380aedd44127863d952a66cfce1e",
  "user_name": "Alice"
}

HTTP Error handling

The following errors can be returned by both /users and /users/freeze routes:

  • 404: Organization not found with JSON body {"error": "not_found}

  • 403: Invalid administration token with JSON body {"error": "not_allowed"}

  • 400: Wrong request format with JSON body {"error": "bad_data"}

The following error is returned by the /users/freeze request if the user does not exist in the organization:

  • 404: User not found with JSON body {"error": "user_not_found"}

Note on user identification

There is a subtle difference between using Parsec user ID or email address to identify a user.

  • The Parsec user ID uniquely identifies a user within the Parsec server, regardless of its organization. When a user is revoked, its user ID identifies the revoked user.

  • The email address identifies an active (i.e. non-revoked) user within an organization. When a user is revoked, its email address can be reused to (re)join the organization.

This means that, over time, an email address can be shared between multiple user IDs, either from different organizations or within the same organization if it has been revoked.

Consider the following scenario:

Org 1

Org 2

ID 1 alice@mail.com (revoked)

ID 4 bob@mail.com (active)

ID 2 bob@mail.com (active)

ID 5 alice@mail.com (active)

ID 3 alice@mail.com (active)

The frozen status specified in the POST request is always associated with a Parsec user ID, even if an email address is specified.

Regarding the previous scenario, here are some possible requests and their outcomes: - Freeze user with ID 1: will have no consequences since the user is already revoked. - Freeze user with ID 4: will effectively freeze the user. Its active status is maintained in case of unfreeze. - Freeze user with email alice@mail.com from Org 1: will freeze user with ID 3 (user with ID 1 is not considered as it is already revoked)

Warning

Notice that if a user is revoked from an organization and then re-invited with the same email address, its previous frozen status will not be applied to the new user.