The Panther API supports the following user and role operations:
List users
Get a user by ID or by email address
Invite new users
Update a user's information and role
Delete users
List roles
Get a role by ID or by name
Create a new role
Update a role's information and permissions
Delete roles
You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on Panther API.
See the sections below for GraphQL queries, mutations, and end-to-end workflow examples around core user and role management operations.
Common user and role management operations
Below are some of the most common GraphQL user and role management operations in Panther. These examples demonstrate the documents you have to send using a GraphQL client (or curl) to make a call to Panther's GraphQL API.
Note: The createdAt field is in ISO 8601 date and time standard.
Listing Users
Retrieving a User
Inviting a new User
Updating a User
Deleting a User
Listing Roles
Retrieving a Role
Creating a new Role
Note: The permission UserModify provides full admin access to the Panther platform. Use discretion when assigning this permission to new roles.
Updating a Role
Note: The permissions in the updateRole input must contain all desired permissions for the role.
Deleting a Role
End-to-end examples
Below, we will build on the Common Operations examples to showcase an end-to-end flow.
Create a new user administrator role and invite a user to that role.
mutation deleteUser{
deleteUser(input: {
id: "8h81hfh-ij828db"
})
{
id # the delete operation doesn't return a `user` object; just an ID
}
}
query roles {
roles(
# This input is optional. Without input, the query will return all roles.
input: {
nameContains: "admin",
sortDir: ascending
})
{
createdAt
id
name
permissions
updatedAt
updatedBy {
... on User {
email
id
}
... on APIToken {
id
name
}
}
# Used only if RBAC per log type is enabled
logTypeAccess
logTypeAccessKind
}
}
query adminRole {
roleByName(
name: "admin"
) {
createdAt
id
name
permissions
updatedAt
updatedBy {
... on User {
email
id
}
... on APIToken {
id
name
}
}
# Used only if RBAC per log type is enabled
logTypeAccess
logTypeAccessKind
}
}
query adminRole {
roleById(
id: "feeafade-c545"
) {
createdAt
id
logTypeAccess
logTypeAccessKind
name
permissions
updatedAt
updatedBy {
... on User {
email
id
}
... on APIToken {
id
name
}
}
# Used only if RBAC per log type is enabled
logTypeAccess
logTypeAccessKind
}
}
mutation createRole {
createRole(input: {
name: "new-role"
permissions: [
UserRead
AlertRead
]
})
{
role {
name
id
permissions
}
}
}
mutation createRole {
createRole(input: {
name: "new-role"
permissions: [
UserRead
AlertRead
]
# Used only if the RBAC per log type feature is enabled
logTypeAccess:["AWS.ALB"]
logTypeAccessKind: ALLOW
})
{
role {
name
id
permissions
logTypeAccess
logTypeAccessKind
}
}
}
mutation updateRole {
updateRole(input: {
id: "fea8sje-92jdnhc"
name: "updated-role-name"
permissions: [
UserRead
AlertRead
AlertModify
]
})
{
role {
name
id
permissions
}
}
}
mutation updateRole {
updateRole(input: {
id: "fea8sje-92jdnhc"
name: "updated-role-name"
permissions: [
UserRead
AlertRead
AlertModify
]
# Used only if the RBAC per log type feature is enabled
logTypeAccess:["AWS.ALB"]
logTypeAccessKind: DENY
})
{
role {
name
id
permissions
logTypeAccess
logTypeAccessKind
}
}
}
mutation deleteRole {
deleteRole(input: {
id: "e146c8d8-c6a5"
})
{
id # The delete operation doesn't return a `role` object. Just an ID.
}
}
# pip install gql aiohttp
from gql import gql, Client
from gql.transport.aiohttp import AIOHTTPTransport
transport = AIOHTTPTransport(
url="YOUR_PANTHER_API_URL",
headers={"X-API-Key": "YOUR_API_KEY"},
)
client = Client(transport=transport, fetch_schema_from_transport=True)
create_user_admin = gql(
"""
mutation newAdminRole {
createRole (input: {
name: "user-admin"
permissions: [
UserRead
UserModify
OrganizationAPITokenRead
GeneralSettingsRead
]
})
{
role {
name
id
}
}
}
"""
)
invite_user = gql(
"""
mutation inviteUser($input: InviteUserInput!) {
inviteUser (input: $input) {
user {
id
email
}
}
}
"""
)
new_role_data = client.execute(
create_user_admin
)
print(f'new role ID is {new_role_data["createRole"]["role"]["id"]}')
response_data = client.execute(
invite_user,
variable_values= {
"input": {
"email": "[email protected]",
"givenName": "user",
"familyName": "admin",
"role": {
"kind": "ID",
"value": new_role_data["createRole"]["role"]["id"],
}
}
}
)
print(f'Successfully invited user {response_data["inviteUser"]["user"]["email"]} with role {new_role_data["createRole"]["role"]["name"]}.'
import { GraphQLClient, gql } from "graphql-request";
const client = new GraphQLClient(
"YOUR_PANTHER_API_URL",
{ headers: { "X-API-Key": "YOUR_API_KEY" } }
);
// `createUserAdmin` is a nickname for the query. You can fully omit it.
const createUserAdmin = gql`
mutation newAdminRole {
createRole(
input: {
name: "user-admin"
permissions: [
UserRead
UserModify
OrganizationAPITokenRead
GeneralSettingsRead
]
}
) {
role {
name
id
}
}
}
`;
// `inviteUser` is a nickname for the mutation. You can fully omit it.
const inviteUser = gql`
mutation inviteUser($input: InviteUserInput!) {
inviteUser(input: $input) {
user {
id
email
}
}
}
`;
(async () => {
try {
const newRoleData = await client.request(createUserAdmin);
const inviteUserOutput = await client.request(inviteUser, {
input: {
email: "[email protected]",
givenName: "user",
familyName: "admin",
role: {
kind: "ID",
value: newRoleData.createRole.role.id
}
}
});
console.log(
`Successfully invited user ${inviteUserOutput.inviteUser.user.email} with role ${newRoleData.createRole.role.name}.`
);
} catch (err) {
console.error(err);
}
})();
