Check User Group Restriction

POST /groups-srv/verifications

This API call checks if a user meets specified user group restriction.

Purpose:

Real-time verification of user access permissions based on group memberships and roles
Authorization checks before granting access to protected resources
Validation of user eligibility for specific operations or features

Authentication Requirements:

This endpoint requires authentication.
For anonymous tokens, the cidaas:users_read scope is required.
For authenticated users: non-admin users can only verify their own access (sub must match token's sub) unless they have admin roles.
Admin users can verify access for any user.

Request Structure:

sub: Required, the user ID to verify
matchCondition: Required, determines how multiple filters are combined ("and" or "or")
filters: Required array, must contain at least one filter. Each filter can specify:
- groupId: Verify user membership in a specific group
- groupType: Verify user membership in any group of a specific type
- roleFilter: Optional, verify user has specific roles in the group(s)

Validation Rules:

sub: Required, must be a valid user ID (UUID format), user must exist
matchCondition: Required, must be either "and" or "or"
filters: Required, must be a non-empty array
Each filter must specify at least one of: groupId or groupType
If groupId is specified, the group must exist
If groupType is specified, the group type must exist
If roleFilter is provided:
- matchCondition: Required, must be "and" or "or"
- roles: Required array, must contain at least one role name
- All roles must exist in the system

Business Rules:

When matchCondition is "or", the user needs to meet at least one filter condition.
When matchCondition is "and", the user must meet all filter conditions.
Role filters are evaluated within the context of the group(s) specified in the filter.
If a user is a member of multiple groups that match, all matching groups are returned in allowedGroups.

/groups-srv/verifications