This guide walks through managing users in Aritma IAM — inviting users, listing them, and managing their OIDC roles.
- An access token with IAM admin permissions
- A configured tenant
Retrieve a paginated list of all user subjects in your tenant. You can filter by a search query.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/users
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/users
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/users?searchQuery=john&page=1&pageSize=100' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Retrieve a single user by their subject ID.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/{userId}
- IAM API: https://api.dev.aritma.io/core/iam/v1/users/{userId}
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/{userId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Send an invitation email to a user. The recipient will receive a link to complete registration in Aritma ID. Once they register, they become an active subject in your tenant.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/invite
- IAM API: https://api.dev.aritma.io/core/iam/v1/users/invite
curl -i -X POST \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/invite?email=jane.doe%40aritma.com&redirectUrl=https%3A%2F%2Fapp.example.com%2Faccept-invite' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

| Parameter | Description |
|---|---|
| email | The email address to send the invitation to |
| redirectUrl | Optional. The URL the user will be redirected to after accepting the invitation. Useful for sending users to your own application after they complete registration |

The user will appear in your tenant after they accept the invitation and complete registration. Until then, they are not listed as an active subject.
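
An added example (not from the Aritma documentation): when the invite call is built from input your application receives, URL-encode both parameters and restrict `redirectUrl` to hosts you control before sending it. The allowlist contents and the function names are assumptions made for this sketch; only the endpoint path and parameter names come from this page.

```python
from urllib.parse import urlencode, urlsplit

# IAM API base URL as shown on this page.
IAM_BASE = "https://api.dev.aritma.io/core/iam/v1"

# Assumption: the hosts your own application serves its accept-invite page from.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def check_redirect_url(redirect_url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return redirect_url if it is an https URL on an allowlisted host, else raise."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "https":
        raise ValueError("redirectUrl must use https")
    # Userinfo in the authority (user@host) can disguise the real destination,
    # so it is refused outright.
    if parts.username is not None or parts.password is not None:
        raise ValueError("redirectUrl must not contain credentials")
    # .hostname is lower-cased and excludes the port; match it exactly so that
    # look-alike suffixes such as app.example.com.other.example are rejected.
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"redirectUrl host not allowlisted: {parts.hostname!r}")
    return redirect_url


def build_invite_url(email, redirect_url=None, base=IAM_BASE):
    """Build the POST /users/invite URL with encoded query parameters."""
    if email.count("@") != 1 or any(c.isspace() for c in email):
        raise ValueError("email does not look like a single address")
    params = {"email": email}
    if redirect_url is not None:
        params["redirectUrl"] = check_redirect_url(redirect_url)
    # urlencode percent-encodes '&', '=', '@', ':' and '/', so a value cannot
    # smuggle an extra query parameter into the request.
    return f"{base}/users/invite?{urlencode(params)}"
```

Send the resulting URL with `POST` and the same `Authorization: Bearer` header as the curl call above.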
If your organization has verified domain ownership in Aritma IAM (see Domains), you can create users directly within your tenant without sending an invitation email.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/users
- IAM API: https://api.dev.aritma.io/core/iam/v1/users/users
curl -i -X POST \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/users?email=jane.doe%40example.com&fullName=Jane+Doe&phoneNumber=%2B4712345678' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

| Parameter | Description |
|---|---|
| email | The email address for the new user. Must belong to a verified domain |
| fullName | The full name of the new user |
| phoneNumber | The phone number of the new user |

OIDC roles are claims included in the user's access token. They are used by your applications for their own authorization logic — they do not control access to Aritma resources. To grant access to Aritma resources, use Policies instead.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/{userId}/role/{roleId}
- IAM API: https://api.dev.aritma.io/core/iam/v1/users/{userId}/role/{roleId}
curl -i -X POST \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/{userId}/role/{roleId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/{userId}/role/{roleId}
- IAM API: https://api.dev.aritma.io/core/iam/v1/users/{userId}/role/{roleId}
curl -i -X DELETE \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/{userId}/role/{roleId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

To see the effective permissions for a user subject, use the subject permissions endpoint:
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/users/{userId}/permissions
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/users/{userId}/permissions
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/users/{userId}/permissions?resourceType=subscriptions&resourceProvider=aritma.control&action=iam.policy.read' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

To see which groups a user belongs to:
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/{subject}/memberships
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/{subject}/memberships
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/{subject}/memberships?page=1&pageSize=100' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Any authenticated subject can check their own permissions using the /v1/me endpoints - no admin rights required:
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me
- IAM API: https://api.dev.aritma.io/core/iam/v1/me
curl -i -X GET \
https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me/permissions
- IAM API: https://api.dev.aritma.io/core/iam/v1/me/permissions
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me/permissions?resourceType=subscriptions&resourceProvider=aritma.control&action=iam.policy.read' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me/roles
- IAM API: https://api.dev.aritma.io/core/iam/v1/me/roles
curl -i -X GET \
https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me/roles \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me/claims
- IAM API: https://api.dev.aritma.io/core/iam/v1/me/claims
curl -i -X GET \
https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/me/claims \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

GetUserClaims returns the OIDC claims assigned to your subject. Claims are key-value pairs included in your access token and are used by Aritma services and your own applications for authorization decisions.