Admin Entitlements
DATA group, membership, and entitlement-grant administration
Add or keep a DATA-group membership
Add or keep a DATA-group membership
Remove a DATA-group membership
Remove a DATA-group membership
Grant a scope to a FUNCTIONAL group
Adds the scope to the group's auth.group_scopes bundle. The scope must be a member of the system scope catalog (400 if unknown). Every current member's cached scope resolution is invalidated immediately.
Add a counterparty or instrument to a restricted (MNPI) list
Creates a DENY entitlement grant for the COUNTERPARTY or INSTRUMENT dimension. The resource is blocked across all books for the grant's principal (typically a firm-wide or desk GROUP). To grant a wall-crossing exception for a single user, create a USER-principal ALLOW grant for the same resource via POST /api/v1/admin/entitlements with effect=ALLOW, reason, and valid_until.
List DATA groups
List DATA groups
Create a DATA group
Create a DATA group
List declared SoD group conflicts
List declared SoD group conflicts
Declare a separation-of-duties (SoD) conflict between two groups
Rejects with 409 (group_conflict_violators) and the violator list if any user currently belongs to both groups, unless force=true. With force=true the conflict is recorded anyway and the violator list is returned as a report; existing memberships are not removed.
List entitlement grants with filters
List entitlement grants with filters
Create an entitlement grant (ALLOW or DENY)
Create an entitlement grant (ALLOW or DENY)
Periodic access-review (recertification) extract
Per user: FUNCTIONAL/DATA group memberships, effective entitlements (including DS T10 wall-crossing USER grants), expiring/expired grants, and SoD violations (DS T11). Returns JSON by default; pass format=csv or Accept: text/csv for a CSV export (one row per user, multi-valued fields flattened to semicolon-separated summaries).
Get DATA group detail
Get DATA group detail
Delete an empty DATA group
Delete an empty DATA group
List FUNCTIONAL groups and the scopes they grant
FUNCTIONAL groups replace schemas/roles/roles.json (DS T12, #712); each group's name corresponds to a former role and its scope bundle (auth.group_scopes) is the set of scopes granted to every member.
Get a FUNCTIONAL group and its scope bundle
Get a FUNCTIONAL group and its scope bundle
Remove a restricted-list (DENY) entry
Remove a restricted-list (DENY) entry
Remove a declared SoD group conflict
Remove a declared SoD group conflict
Revoke a scope from a FUNCTIONAL group
Removes the scope from the group's auth.group_scopes bundle. Every current member's cached scope resolution is invalidated immediately.
Revoke an entitlement grant
Revoke an entitlement grant