# LitmusEdgeManager 2.31.x API Documentation/Edge Lifecycle Management/RBAC - LE, LEM, LUNS API Docs

## List Device Users

**GET** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users`

Returns the users defined **on the target LE device**. LEM proxies the call -- the users live in the device's own auth system, not in LEM.
## Endpoint

```http
GET {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 200 OK

```json
[
    {
        "userId": "0cd0732e-c1cd-401d-9a30-46f67ceea633",
        "username": "admin",
        "firstName": "System",
        "lastName": "Administrator",
        "mustChangePassword": false,
        "mfaEnabled": false,
        "disabled": false,
        "isAdmin": true,
        "eulaAcceptedTs": "2025-11-14T18:22:02Z"
    }
]
```
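An added example (not from the Litmus documentation) that calls this endpoint with the server's CA pinned instead of verification disabled, then audits the returned fields for accounts worth reviewing. The `ca_file` argument, the two extra sample users, and the reading of `mustChangePassword` and an empty `eulaAcceptedTs` are assumptions.

```python
import base64
import json
import ssl
import urllib.request


def basic_auth_header(api_token):
    # Username is the API token and the password is empty, i.e. "<token>:".
    return "Basic " + base64.b64encode(f"{api_token}:".encode()).decode()


def list_device_users(lem_url, edge_device_id, api_token, ca_file):
    # Trust the server's CA explicitly. With verification off, the token in
    # the Authorization header is exposed to any on-path party that presents
    # its own certificate.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"{lem_url}/api/v1/loopedge-user/{edge_device_id}/users",
        headers={"Authorization": basic_auth_header(api_token)},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def audit_users(users):
    """Return (username, finding) pairs for accounts that can still log in."""
    findings = []
    for user in users:
        if user.get("disabled"):
            continue
        name = user.get("username", "<no username>")
        if user.get("isAdmin") and not user.get("mfaEnabled"):
            findings.append((name, "admin without MFA"))
        if user.get("mustChangePassword"):
            # Assumption: the flag stays set until the user picks a password.
            findings.append((name, "password change still pending"))
        if not user.get("eulaAcceptedTs"):
            # Assumption: an empty timestamp means no first login yet.
            findings.append((name, "EULA never accepted"))
    return findings


# First record is the page's sample response; the other two are constructed.
SAMPLE_USERS = [
    {"userId": "0cd0732e-c1cd-401d-9a30-46f67ceea633", "username": "admin",
     "firstName": "System", "lastName": "Administrator",
     "mustChangePassword": False, "mfaEnabled": False, "disabled": False,
     "isAdmin": True, "eulaAcceptedTs": "2025-11-14T18:22:02Z"},
    {"userId": "constructed-0001", "username": "svc-historian",
     "mustChangePassword": True, "mfaEnabled": False, "disabled": False,
     "isAdmin": False, "eulaAcceptedTs": None},
    {"userId": "constructed-0002", "username": "old-contractor",
     "mustChangePassword": False, "mfaEnabled": False, "disabled": True,
     "isAdmin": True, "eulaAcceptedTs": "2025-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS):
        print(f"{name}: {finding}")
```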

---

## Create Device User

**POST** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}`

Creates a new user on the target LE device. Use `Set Device User Groups` to assign group membership after creation. The user is prompted to accept the EULA on first login.
## Endpoint

```http
POST {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Request body

```json
{
  "username": "User",
  "firstName": "First",
  "lastName": "Last",
  "email": "email@litmus.io",
  "admin": false,
  "mustChangePassword": true,
  "password": "Litmus@1",
  "disabled": true,
  "locked": true,
  "lockReason": "string"
}
```

## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 200 OK

```json
{
    "userId": "345aac2a-b5bb-4e74-9552-59132626fab0"
}
```

---

## Update Device User

**PUT** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}`

Updates an existing user on the device. Pass the full record.
## Endpoint

```http
PUT {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Request body

Same shape as `Create Device User`.

## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Request Body

```json
{
    "username": "User",
    "firstName": "First",
    "lastName": "Last",
    "email": "email@litmus.io",
    "locked": false,
    "lockReason": "string",
    "admin": false,
    "mustChangePassword": false,
    "password": "Litmus@1",
    "disabled": false
}
```

### Response

**Status**: 200 OK

```json
{
    "code": "S",
    "message": null,
    "messageDetails": null
}
```

---

## Delete Device User

**DELETE** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}`

Removes a user from the target LE device.
## Endpoint

```http
DELETE {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 200 OK

```json
{
    "code": "S",
    "message": null,
    "messageDetails": null
}
```

---

## Get Device User Groups

**GET** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}/groups`

Returns the groups one user is currently a member of on the target device.
## Endpoint

```http
GET {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}/groups
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 0 

```json
[
    {
        "groupId": "default_admins_group",
        "groupName": "Administrators"
    },
    {
        "groupId": "default_viewers_group",
        "groupName": "Viewers"
    }
]
```

---

## Set Device User Groups

**PUT** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}/groups`

Replaces the user's group memberships with the supplied list. This is **not** additive -- omitted groups are removed.
## Endpoint

```http
PUT {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/users/{{user_id}}/groups
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Request body

```json
[ "group1", "group2", "group3" ]
```

## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 200 OK

```json
{
    "code": "S",
    "message": null,
    "messageDetails": null
}
```
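Because the PUT replaces the whole membership list, adding or removing one group safely means reading the current list first, sending the complete result, and reading it back. The following is an added example, not Litmus code: `call(method, path, body)` is a hypothetical transport that performs the authenticated request and returns parsed JSON, `FakeDevice` and `line3_operators` are constructed for the demo, and it assumes the array entries are `groupId` values and that `"code": "S"` signals success.

```python
def plan_group_update(current_ids, add=(), remove=()):
    """Build the complete groupId list for the replace-style PUT."""
    drop = set(remove)
    if drop & set(add):
        raise ValueError("a group cannot be both added and removed")
    not_member = drop - set(current_ids)
    if not_member:
        raise ValueError(f"user is not in: {sorted(not_member)}")
    planned = [g for g in current_ids if g not in drop]
    for g in add:
        if g not in planned:
            planned.append(g)
    return planned


def change_user_groups(call, edge_device_id, user_id, add=(), remove=()):
    base = f"/api/v1/loopedge-user/{edge_device_id}"
    groups_path = f"{base}/users/{user_id}/groups"
    # Reject group ids the device does not define before touching membership.
    defined = {g["groupId"] for g in call("GET", f"{base}/groups")}
    unknown = set(add) - defined
    if unknown:
        raise ValueError(f"not defined on device: {sorted(unknown)}")
    current = [g["groupId"] for g in call("GET", groups_path)]
    planned = plan_group_update(current, add, remove)
    reply = call("PUT", groups_path, planned)
    if reply.get("code") != "S":
        raise RuntimeError(f"device rejected update: {reply.get('message')}")
    # Read back so a silent partial update does not go unnoticed.
    after = {g["groupId"] for g in call("GET", groups_path)}
    if after != set(planned):
        raise RuntimeError("membership after PUT differs from the planned list")
    return planned


class FakeDevice:
    """Constructed in-memory stand-in for the proxied device (demo only)."""

    def __init__(self):
        self.defined = ["default_admins_group", "default_viewers_group",
                        "line3_operators"]
        self.member = ["default_viewers_group"]
        self.puts = []

    def call(self, method, path, body=None):
        if method == "GET" and path.endswith("/users/u1/groups"):
            return [{"groupId": g, "groupName": g} for g in self.member]
        if method == "GET" and path.endswith("/groups"):
            return [{"groupId": g, "groupName": g,
                     "isSystem": g.startswith("default_")}
                    for g in self.defined]
        if method == "PUT" and path.endswith("/users/u1/groups"):
            self.member = list(body)
            self.puts.append(list(body))
            return {"code": "S", "message": None, "messageDetails": None}
        raise AssertionError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    dev = FakeDevice()
    print(change_user_groups(dev.call, "edge-1", "u1", add=["line3_operators"]))
```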

---

## Validate Password

**POST** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/password`

Validates a candidate password against the device's password policy. Returns `isSufficient` plus a per-requirement breakdown.
## Endpoint

```http
POST {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/password
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Request body

```json
{ "password": "password" }
```

## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 200 OK

```json
{
    "isSufficient": true,
    "requirements": {},
    "score": 1
}
```
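One way to chain `Validate Password`, `Create Device User`, `Set Device User Groups` and `Update Device User` so that an account is never enabled before its groups are in place (an added example, not from the Litmus documentation). `call(method, path, body)` is a hypothetical transport returning parsed JSON; the staged create-disabled-then-enable order, the fake device, its `minLength` requirement key and the sample record are assumptions constructed for the demo.

```python
def provision_user(call, edge_device_id, record, group_ids):
    """Validate the password, create disabled, set groups, then enable."""
    base = f"/api/v1/loopedge-user/{edge_device_id}"
    verdict = call("POST", f"{base}/password", {"password": record["password"]})
    if not verdict.get("isSufficient"):
        # Report the policy breakdown only; never echo the candidate password.
        raise ValueError(
            f"password rejected by device policy: {verdict.get('requirements')}")
    # Stage the account disabled and force a password change at first login.
    staged = dict(record, disabled=True, mustChangePassword=True)
    user_id = call("POST", base, staged)["userId"]
    reply = call("PUT", f"{base}/users/{user_id}/groups", list(group_ids))
    if reply.get("code") != "S":
        raise RuntimeError(f"group assignment failed; {user_id} left disabled")
    # Update takes the full record, so resend every field with disabled flipped.
    reply = call("PUT", f"{base}/users/{user_id}", dict(staged, disabled=False))
    if reply.get("code") != "S":
        raise RuntimeError(f"enable failed; {user_id} left disabled")
    return user_id


def make_fake_device(min_length=12):
    """Constructed stand-in for the device; records every call (demo only)."""
    log = []

    def call(method, path, body=None):
        log.append((method, path, body))
        if method == "POST" and path.endswith("/password"):
            ok = len(body["password"]) >= min_length
            # "minLength" is a made-up key; the page shows only an empty object.
            return {"isSufficient": ok, "requirements": {"minLength": ok},
                    "score": 1}
        if method == "POST":
            return {"userId": "00000000-0000-0000-0000-000000000001"}
        return {"code": "S", "message": None, "messageDetails": None}

    return call, log


# Constructed record; in practice the initial password comes from a secret store.
SAMPLE_RECORD = {
    "username": "operator1", "firstName": "First", "lastName": "Last",
    "email": "operator1@example.com", "admin": False,
    "mustChangePassword": True, "password": "constructed-initial-passphrase",
    "disabled": False, "locked": False, "lockReason": "",
}

if __name__ == "__main__":
    call, log = make_fake_device()
    print(provision_user(call, "edge-1", SAMPLE_RECORD, ["default_viewers_group"]))
    for method, path, _ in log:
        print(method, path)
```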

---

## Get Device Roles

**GET** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/permissions`

Returns the roles available on the target device, with each role's per-component permissions.
## Endpoint

```http
GET {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/permissions
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 200 OK

```json
[
    {
        "component": {
            "id": "dl",
            "label": "Downloads",
            "desc": "Downloads."
        },
        "permissions": [
            "View"
        ]
    },
    {
        "component": {
            "id": "lic",
            "label": "Licensing",
            "desc": "Licensing component provides license management functionality."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "mp",
            "label": "Marketplace",
            "desc": "Marketplace component manages execution environment for marketplace application."
        },
        "permissions": [
            "Create",
            "Delete",
            "Modify",
            "Update",
            "View"
        ]
    },
    {
        "component": {
            "id": "sysinfo",
            "label": "System Info",
            "desc": "System Info component reports system information and performance."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "cc",
            "label": "Integrations",
            "desc": "Integrations."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "dt",
            "label": "Digital Twin",
            "desc": "Digital Twin is a service for managing virtual models designed to accurately reflect physical objects."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "flows",
            "label": "Flows Manager",
            "desc": "Flows Manager."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "stats",
            "label": "DataHub",
            "desc": "Stats component manages historic data."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "support",
            "label": "Support Bundle",
            "desc": "Support Bundle."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "access",
            "label": "Access",
            "desc": "Access provides access to data from external systems."
        },
        "permissions": [
            "View",
            "Modify"
        ]
    },
    {
        "component": {
            "id": "auth",
            "label": "Auth",
            "desc": "Authentication and Authorization component."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "css",
            "label": "Cloud Storage Sync",
            "desc": "Cloud Storage Sync sync data between local mounted directories and different cloud storage providers."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "events",
            "label": "Events",
            "desc": "Events allows viewing of system events."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "ftp",
            "label": "FTP Server",
            "desc": "Internal FTP server."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "opcua",
            "label": "OPCUA Server",
            "desc": "OPCUA server."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "analytics",
            "label": "Analytics",
            "desc": "Analytics."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "dh",
            "label": "DeviceHub",
            "desc": "Device Hub is responsible for data acquisition from equipment."
        },
        "permissions": [
            "ViewDevices",
            "ViewDrivers",
            "ViewTags",
            "Modify",
            "ModifyDevices",
            "ModifyTags",
            "View"
        ]
    },
    {
        "component": {
            "id": "dm",
            "label": "Device Management",
            "desc": "Device Management."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "nd",
            "label": "Network Discovery",
            "desc": "Network Discovery allows scanning local networks for connected devices."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "nwutil",
            "label": "Network Util",
            "desc": "Network tools."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    }
]
```

---

## Get Device Permissions

**GET** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/permissions`

Returns the per-component permission catalog of the target device. Same URL as `Get Device Roles`; the difference is in intent: this is used to render the permission picker in role-editor UIs.
## Endpoint

```http
GET {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/permissions
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 0 

```json
[
    {
        "component": {
            "id": "cc",
            "label": "Integrations",
            "desc": "Integrations."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "analytics",
            "label": "Analytics",
            "desc": "Analytics."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "dh",
            "label": "DeviceHub",
            "desc": "Device Hub is responsible for data acquisition from equipment."
        },
        "permissions": [
            "ModifyTags",
            "View",
            "ViewDevices",
            "ViewDrivers",
            "ViewTags",
            "Modify",
            "ModifyDevices"
        ]
    },
    {
        "component": {
            "id": "dl",
            "label": "Downloads",
            "desc": "Downloads."
        },
        "permissions": [
            "View"
        ]
    },
    {
        "component": {
            "id": "nwutil",
            "label": "Network Util",
            "desc": "Network tools."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "lic",
            "label": "Licensing",
            "desc": "Licensing component provides license management functionality."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "access",
            "label": "Access",
            "desc": "Access provides access to data from external systems."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "auth",
            "label": "Auth",
            "desc": "Authentication and Authorization component."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "css",
            "label": "Cloud Storage Sync",
            "desc": "Cloud Storage Sync sync data between local mounted directories and different cloud storage providers."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "dm",
            "label": "Device Management",
            "desc": "Device Management."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "dt",
            "label": "Digital Twin",
            "desc": "Digital Twin is a service for managing virtual models designed to accurately reflect physical objects."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "flows",
            "label": "Flows Manager",
            "desc": "Flows Manager."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "ftp",
            "label": "FTP Server",
            "desc": "Internal FTP server."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "mp",
            "label": "Marketplace",
            "desc": "Marketplace component manages execution environment for marketplace application."
        },
        "permissions": [
            "View",
            "Create",
            "Delete",
            "Modify",
            "Update"
        ]
    },
    {
        "component": {
            "id": "nd",
            "label": "Network Discovery",
            "desc": "Network Discovery allows scanning local networks for connected devices."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "opcua",
            "label": "OPCUA Server",
            "desc": "OPCUA server."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "stats",
            "label": "DataHub",
            "desc": "Stats component manages historic data."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "sysinfo",
            "label": "System Info",
            "desc": "System Info component reports system information and performance."
        },
        "permissions": [
            "Modify"
        ]
    },
    {
        "component": {
            "id": "events",
            "label": "Events",
            "desc": "Events allows viewing of system events."
        },
        "permissions": [
            "Modify",
            "View"
        ]
    },
    {
        "component": {
            "id": "support",
            "label": "Support Bundle",
            "desc": "Support Bundle."
        },
        "permissions": [
            "Modify"
        ]
    }
]
```

---

## Get Device Groups

**GET** `{{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/groups`

Returns the groups defined on the target device. Built-in groups (`Administrators`, `Viewers`) are flagged `isSystem: true`.
## Endpoint

```http
GET {{LEM_URL}}/api/v1/loopedge-user/{{edge_device_id}}/groups
```
## Authentication

HTTP Basic Auth. **Username** is your API token, **password** is empty. Tokens are managed under `System > Access Control > Tokens`.
## Errors

| HTTP status         | When it happens                                                                |
|---------------------|--------------------------------------------------------------------------------|
| `400 Bad Request`   | Missing or malformed query/body parameter.                                     |
| `401 Unauthorized`  | Missing or invalid credentials.                                                |
| `403 Forbidden`     | Token lacks permission for this operation.                                     |
| `404 Not Found`     | Target entity does not exist.                                                  |
| `5xx`               | Service is unreachable, restarting, or internally errored. Inspect device logs under `System > Support`. |

> **TLS note**: edge devices use a self-signed certificate by default. Either install the device CA in your client trust store or disable certificate verification when calling this endpoint directly.


### Response

**Status**: 0 

```json
[
    {
        "groupId": "default_admins_group",
        "groupName": "Administrators",
        "isSystem": true
    },
    {
        "groupId": "default_viewers_group",
        "groupName": "Viewers",
        "isSystem": true
    }
]
```

---

