Symantec ZTNA API (V2)

Download OpenAPI specification:Download

What's New

Effective from Change

March 24th, 2025

Effective from	Change
March 24th, 2025	You can now choose the authentication mode for registering Connectors by specifying the `authentication_mode` field during site creation. The available options are: `['Connector', 'Site']`. This value is immutable and must be set at creation. Default Behavior (`Connector` Mode) By default, the Connector mode is used, which aligns with the previous behavior. In this mode: • Connectors are created and bound via API calls. • During Connector creation, the API returns a one-time password (OTP). • The OTP is passed as an environment variable and used by the Connector Container for registration. • Once the registration is complete, the OTP becomes invalid, and the Connector’s persistent storage must be maintained to ensure resiliency. New Behavior (`Site` Mode) The Site mode is primarily designed for managed container orchestrators (e.g., Kubernetes, Fargate), but is also compatible with environments where Connector mode is currently being used. In this mode: • A registration key acts as a long-lived token associated with the site. • The key is shown only once upon creation, and it is the user’s responsibility to store it securely in a secret manager. • The token is reusable and allows the creation of new Connector entities upon registration. • The Connector Container uses this token, passed as an environment variable, to register itself. • Resiliency is ensured as the container dynamically handles the Connector creation and deletion • Persistent storage is not required, and direct Connector creation via API is disabled in this mode. New APIs for Managing Site Registration Keys: Get site registration keys Rotate site registration key Delete site registration keys
Dec 18th, 2024	The APIs Get Application, Create Application and Update Application have been updated by removing DNS type from both response and request, You can now perform all necessary operations in the new DNS Resiliency section DNS Resiliency.

You can now choose the authentication mode for registering Connectors
by specifying the authentication_mode field during site creation.
The available options are: ['Connector', 'Site'].
This value is immutable and must be set at creation.

Default Behavior (`Connector` Mode)

By default, the Connector mode is used, which aligns with the previous behavior. In this mode:
• Connectors are created and bound via API calls.
• During Connector creation, the API returns a one-time password (OTP).
• The OTP is passed as an environment variable and used by the Connector Container for registration.
• Once the registration is complete, the OTP becomes invalid, and the Connector’s persistent storage must be maintained to ensure resiliency.

New Behavior (`Site` Mode)

The Site mode is primarily designed for managed container orchestrators (e.g., Kubernetes, Fargate),
but is also compatible with environments where Connector mode is currently being used. In this mode:
• A registration key acts as a long-lived token associated with the site.
• The key is shown only once upon creation, and it is the user’s responsibility to store it securely in a secret manager.
• The token is reusable and allows the creation of new Connector entities upon registration.
• The Connector Container uses this token, passed as an environment variable, to register itself.
• Resiliency is ensured as the container dynamically handles the Connector creation and deletion
• Persistent storage is not required, and direct Connector creation via API is disabled in this mode.

New APIs for Managing Site Registration Keys:
Get site registration keys
Rotate site registration key
Delete site registration keys

Dec 18th, 2024 The APIs Get Application, Create Application and Update Application have been updated by removing DNS type from both response and request, You can now perform all necessary operations in the new DNS Resiliency section DNS Resiliency.

Introduction

Symantec ZTNA API uses common RESTful resourced based URL conventions and JSON as the exchange format.
Properties names are case-sensitive.
Some of Symantec ZTNA API calls omit None values from the API response.

The base-URL is api.<tenant-name>.luminatesec.com. For example, if your administration portal URL is admin.acme.luminatesec.com, then your API base-URL is api.acme.luminatesec.com.

All examples below are performed on a tenant called acme.

Common Operations Steps

Below you may find a list of common operations and the relevant API calls for each. Each of these operations can also be performed by using the administrative portal at https://admin.acme.luminatesec.com.

Creating a site and deploying a connector:
1. Creating a new site using the Create site API.
2. Once a site is created you can use its Id (returned in the response of the Create Site request) and call the Create connector API.
3. Deploy the Symantec ZTNA connector:
  1. Retrieve the deployment command using the Connector Deployment Command API.
  2. Execute the command on the target machine.
Creating an application:
1. An application is always associated with a specific site for routing the traffic to the application via the connectors associated with the same site. In order to create the application, call the Create Application API
2. Once the application is created, you *must* assign the application to a specific site in order to make it accessible. Assign the application to the required site using the Bind Application to Site API.
3. In order to grant access to the application for specific entities (users/groups), you should assign the application to the access policy using the Access and Activity Policy API

Object Model

The object model of the API is built around the following:

Sites - Site is a representation of the physical or virtual data center your applications reside in.
Connectors - A connector is a lightweight piece of software connecting your site to the Symantec ZTNA platform.
Applications - Application is the internal resource you would like to publish using Symantec ZTNA.
Access and Activity Policies - Symantec ZTNA continuously authorize each user request for the contextual access and activity, in order to control access to resources and restrict user’s actions within resources, based on the user/device context (such as the user’s group membership, user’s location, MFA status and managed/unmanaged device status) and the requested resource.
Cloud Integration - Integration with Cloud Providers like Amazon Web Services to provide a smoother and cloud-native integration with SIEM solutions and to allow access to resources based on their associated tags.
Logs - Symantec ZTNA internal logs for audit and forensics purposes:
1. Audit Logs audit all operations done through the administration portal
2. Forensics Logs audit any user's access to any application as well as user's activity for any application.

Authentication

Authentication is done using OAuth2 with the Bearer authentication scheme.

OAuth

Standard OAuth2 clientCredentials flow

Security Scheme Type	OAuth2
clientCredentials OAuth Flow	Token URL: https://api.acme.luminatesec.com/v1/oauth/token Scopes:

The Symantec ZTNA API is available to Symantec ZTNA users who have administrative privileges in their Symantec ZTNA tenant. An administrator should create an API client through the Symantec ZTNA Admin portal and copy the ‘Client Id’ and the ‘Client Secret’. Then the administrator should assign the API client an appropriate role in 'Tenant Roles' page.

Retrieving the API access token is done using Basic-Authentication scheme, POST of a Base64 encoded Client-ID and Client-Secret:

curl -X POST \ https://api.acme.luminatesec.com/v1/oauth/token \ -u yourApiClientId:yourApiClientSecret

This call returns the following JSON: { "access_token":"edfe22e3-eb4c-4c83-8ce3-3152e6a2XXX", "expires_in":3600, "scope":"luminate-scope", "token_type":"Bearer", "error":"", "error_description":""}

All further API calls should include the ‘Authorization’ header with value “Bearer AccessToken”

For example:

curl -H "Authorization: Bearer edfe22e3-eb4c-4c83-8ce3-3152e6a2XXX" "https://api.acme.luminatesec.com/v2/applications"

Token

The Symantec ZTNA API is available to Symantec ZTNA users who have administrative privileges in their Symantec ZTNA tenant. An administrator can create a token through the Symantec ZTNA Admin portal, with type 'Token' and copy the ‘Client Token'.
Make sure to copy the token once it's generated, it won't be presented again!

Then, the administrator should assign the token an appropriate role in 'Tenant Roles' page.
To enforce the new role, the administrator must click the 'Enforce Roles' button on the token entity page.

All further API calls should include the ‘Authorization’ header with value “Bearer <client-token-value>”

For example:

curl -H "Authorization: Bearer 2d902c58adc30cfaa12c83b7a524fdf753b7f6adb9d13a5d8e4122f643c2c6ca8c597ade37d198e799b338d2448018dddecd341b770d495305d93f39e53e6f6ab691456e25768e76ac7e53282b2b7a24a9d2f3636acca2dd894b1279e4e93aa4db010a0922f612f7253af71b3a414ad5435489bc7987cd6648eeb05ec6643e00ba33c920e2eea9d55cbb4167bc5d58aecfbc0acfc82be613e1176894fd6ded83943374e30fa5724d4b4088494f59eefe2164c6c6373163029b551c195c9251c633ccda6a498a0d48a43fXXX01bd88da0edc5dba6XXXc86d828256d0b8de0af11e3e1e81cf1d1651657c88af8cab57358886d680f36de53608f48b0a9b769aXXX" "https://api.acme.luminatesec.com/v2/sites"

Versioning and Compatibility

The latest Major Version is v2.

The Major Version is included in the URL path (e.g. /v2/applications ) and it denotes breaking changes to the API. Minor and Patch versions are transparent to the client.

Auditing

All authentication operations and modify operations (POST, PUT, DELETE) are audited.

Rate-limiting

The API has a rate limit of 5 requests per second. If you have hit the rate limit, then a ‘429’ status code will be returned. In such cases, you should back-off from submitting new requests for 1 second before resuming.

Note that rate-limitation applies to the accumulated requests of all of your clients. For example, if you have 6 clients submitting requests simultaneously at a rate of 1 request per second for each one then one of them is likely to get a 429 status code.

Support

For additional help you may refer to our support at https://support.broadcom.com

Each request submitted to the API returns a unique request ID that is generated by the API. The request ID will be returned in header x-lum-request-id. If you need to contact us about any specific request then this ID will serve as a reference to the given request.

Sites

Site is a representation of the physical or virtual data center your applications reside in.

Create Site

post /sites

Default server.

https://api.acme.luminatesec.com/v2/sites

Creates a Site in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

name required	string [ 2 .. 700 ] A descriptive name of the site.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.
mute_health_notification	boolean Default: false Indication whether health notifications are enabled for this site.
region	string The connectivity region of the site. If not specified, the default region will be used.
authentication_mode	string (SiteAuthenticationMode) Default: "connector" Enum: "connector" "site" This value is un mutable can be chosen only on creation! The value `Connector` allows creating and binding Connectors through API calls. During Connector creation you get a response with an OTP, which is passed as an env var and used by the Connector Container to in order to register the Connector entity. Once this is done, the OTP can't be used any more and the Container storage must be persistent in order to ensure Container resiliency The value `Site` is meant to be used in a managed Containers Orchestrator (such as K8s, Fargate and so on) This mode allows creating a registration key (See: Site Registration Keys)

Responses

201

successful operation.

Response Schema: application/json

name required	string [ 2 .. 700 ] A descriptive name of the site.
id	string <uuid> A unique identifier of this site. Note: This field is required for any operation other than initial creation.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.
connectors	Array of strings <uuid> IDs of all connectors included in this site.
application_ids	Array of strings <uuid> IDs of all applications included in this site.
connector_objects	Array of objects (Connector)
site_status	object (SiteStatus)
mute_health_notification	boolean Default: false Indication whether health notifications are enabled for this site.
countCollections	integer <int32> The number of collections that are associated with this site.
region	string The connectivity region of the site. If not specified, the default region will be used.
authentication_mode	string (SiteAuthenticationMode) Default: "connector" Enum: "connector" "site" This value is un mutable can be chosen only on creation! The value `Connector` allows creating and binding Connectors through API calls. During Connector creation you get a response with an OTP, which is passed as an env var and used by the Connector Container to in order to register the Connector entity. Once this is done, the OTP can't be used any more and the Container storage must be persistent in order to ensure Container resiliency The value `Site` is meant to be used in a managed Containers Orchestrator (such as K8s, Fargate and so on) This mode allows creating a registration key (See: Site Registration Keys)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "DataCenterEurope",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420",
"mute_health_notification": false,
"region": "europe-west1",
"authentication_mode": "connector"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "DataCenterEurope",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420",
"connectors": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"application_ids": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"connector_objects": 
[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:21Z",
"date_registered": "2025-08-21T14:31:21Z",
"date_otp_expire": "2025-08-21T14:31:21Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}
],
"site_status": 
{"ConnectorsUp": 
[
{"Id": "72e508f9-33fd-4166-ae82-8a25b0e90915",
"last_seen": "2019-02-24T12:05:51.000Z"
},
{"Id": "d05ccd0f-0cec-4de2-a815-281169c9ca7b",
"last_seen": "2019-02-24T12:05:51.000Z"
}
],
"ConnectorsDown": null,
"ConnectorsNotConfigured": 
[
{"Id": "50f4837b-ec1d-4cbd-aefa-5a54733f0558",
"last_seen": "1901-01-01T00:00:00.000Z"
}
],
"ConnectorsDisabled": null,
"Status": "not-configured"
},
"mute_health_notification": false,
"countCollections": 1,
"region": "europe-west1",
"authentication_mode": "connector"
}

List Sites

get /sites

Default server.

https://api.acme.luminatesec.com/v2/sites

Return an array of paginated JSON objects. Each object represents a site configured in your Symantec ZTNA tenant.
The supported sort keys are either ‘name’ for sorting by site name.
Filter applies for the following fields: "name" and "description".
Using the query filter=test will return all the sites for which one or more of the above listed fields contain "test" Filtering by Application ID may be applied - in such a case, Sites that are associated with this Application will be returned. If the Application ID does not exist then an empty array is returned.

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (Site)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/sites?sort=name,desc&size=10&page=0&filter=test' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "DataCenterEurope",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420",
"connectors": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"application_ids": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"connector_objects": 
[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:21Z",
"date_registered": "2025-08-21T14:31:21Z",
"date_otp_expire": "2025-08-21T14:31:21Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}
],
"site_status": 
{"ConnectorsUp": 
[
{"Id": "72e508f9-33fd-4166-ae82-8a25b0e90915",
"last_seen": "2019-02-24T12:05:51.000Z"
},
{"Id": "d05ccd0f-0cec-4de2-a815-281169c9ca7b",
"last_seen": "2019-02-24T12:05:51.000Z"
}
],
"ConnectorsDown": null,
"ConnectorsNotConfigured": 
[
{"Id": "50f4837b-ec1d-4cbd-aefa-5a54733f0558",
"last_seen": "1901-01-01T00:00:00.000Z"
}
],
"ConnectorsDisabled": null,
"Status": "not-configured"
},
"mute_health_notification": false,
"countCollections": 1,
"region": "europe-west1",
"authentication_mode": "connector"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Update Site

put /sites/{site-id}

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}

Update an existing site in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The site ID.

Request Body schema: application/json

name required	string [ 2 .. 700 ] A descriptive name of the site.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.
mute_health_notification	boolean Default: false Indication whether health notifications are enabled for this site.
region	string The connectivity region of the site. If not specified, the default region will be used.
authentication_mode	string (SiteAuthenticationMode) Default: "connector" Enum: "connector" "site" This value is un mutable can be chosen only on creation! The value `Connector` allows creating and binding Connectors through API calls. During Connector creation you get a response with an OTP, which is passed as an env var and used by the Connector Container to in order to register the Connector entity. Once this is done, the OTP can't be used any more and the Container storage must be persistent in order to ensure Container resiliency The value `Site` is meant to be used in a managed Containers Orchestrator (such as K8s, Fargate and so on) This mode allows creating a registration key (See: Site Registration Keys)

Responses

200

successful operation.

Response Schema: application/json

name required	string [ 2 .. 700 ] A descriptive name of the site.
id	string <uuid> A unique identifier of this site. Note: This field is required for any operation other than initial creation.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.
connectors	Array of strings <uuid> IDs of all connectors included in this site.
application_ids	Array of strings <uuid> IDs of all applications included in this site.
connector_objects	Array of objects (Connector)
site_status	object (SiteStatus)
mute_health_notification	boolean Default: false Indication whether health notifications are enabled for this site.
countCollections	integer <int32> The number of collections that are associated with this site.
region	string The connectivity region of the site. If not specified, the default region will be used.
authentication_mode	string (SiteAuthenticationMode) Default: "connector" Enum: "connector" "site" This value is un mutable can be chosen only on creation! The value `Connector` allows creating and binding Connectors through API calls. During Connector creation you get a response with an OTP, which is passed as an env var and used by the Connector Container to in order to register the Connector entity. Once this is done, the OTP can't be used any more and the Container storage must be persistent in order to ensure Container resiliency The value `Site` is meant to be used in a managed Containers Orchestrator (such as K8s, Fargate and so on) This mode allows creating a registration key (See: Site Registration Keys)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "DataCenterEurope",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420",
"mute_health_notification": false,
"region": "europe-west1",
"authentication_mode": "connector"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "DataCenterEurope",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420",
"connectors": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"application_ids": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"connector_objects": 
[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:21Z",
"date_registered": "2025-08-21T14:31:21Z",
"date_otp_expire": "2025-08-21T14:31:21Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}
],
"site_status": 
{"ConnectorsUp": 
[
{"Id": "72e508f9-33fd-4166-ae82-8a25b0e90915",
"last_seen": "2019-02-24T12:05:51.000Z"
},
{"Id": "d05ccd0f-0cec-4de2-a815-281169c9ca7b",
"last_seen": "2019-02-24T12:05:51.000Z"
}
],
"ConnectorsDown": null,
"ConnectorsNotConfigured": 
[
{"Id": "50f4837b-ec1d-4cbd-aefa-5a54733f0558",
"last_seen": "1901-01-01T00:00:00.000Z"
}
],
"ConnectorsDisabled": null,
"Status": "not-configured"
},
"mute_health_notification": false,
"countCollections": 1,
"region": "europe-west1",
"authentication_mode": "connector"
}

Get Site

get /sites/{site-id}

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}

Returns the details of a Site from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The Site ID.

Responses

200

successful operation.

Response Schema: application/json

name required	string [ 2 .. 700 ] A descriptive name of the site.
id	string <uuid> A unique identifier of this site. Note: This field is required for any operation other than initial creation.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.
connectors	Array of strings <uuid> IDs of all connectors included in this site.
application_ids	Array of strings <uuid> IDs of all applications included in this site.
connector_objects	Array of objects (Connector)
site_status	object (SiteStatus)
mute_health_notification	boolean Default: false Indication whether health notifications are enabled for this site.
countCollections	integer <int32> The number of collections that are associated with this site.
region	string The connectivity region of the site. If not specified, the default region will be used.
authentication_mode	string (SiteAuthenticationMode) Default: "connector" Enum: "connector" "site" This value is un mutable can be chosen only on creation! The value `Connector` allows creating and binding Connectors through API calls. During Connector creation you get a response with an OTP, which is passed as an env var and used by the Connector Container to in order to register the Connector entity. Once this is done, the OTP can't be used any more and the Container storage must be persistent in order to ensure Container resiliency The value `Site` is meant to be used in a managed Containers Orchestrator (such as K8s, Fargate and so on) This mode allows creating a registration key (See: Site Registration Keys)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/sites/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "DataCenterEurope",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420",
"connectors": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"application_ids": 
["2db3162f-b720-40d3-8067-345a5a25c9ec",
"a784ec20-24b9-445b-877d-cbbd7f67c444"
],
"connector_objects": 
[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:21Z",
"date_registered": "2025-08-21T14:31:21Z",
"date_otp_expire": "2025-08-21T14:31:21Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}
],
"site_status": 
{"ConnectorsUp": 
[
{"Id": "72e508f9-33fd-4166-ae82-8a25b0e90915",
"last_seen": "2019-02-24T12:05:51.000Z"
},
{"Id": "d05ccd0f-0cec-4de2-a815-281169c9ca7b",
"last_seen": "2019-02-24T12:05:51.000Z"
}
],
"ConnectorsDown": null,
"ConnectorsNotConfigured": 
[
{"Id": "50f4837b-ec1d-4cbd-aefa-5a54733f0558",
"last_seen": "1901-01-01T00:00:00.000Z"
}
],
"ConnectorsDisabled": null,
"Status": "not-configured"
},
"mute_health_notification": false,
"countCollections": 1,
"region": "europe-west1",
"authentication_mode": "connector"
}

Delete Site

delete /sites/{site-id}

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}

Delete a site from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 3c536623-4763-4f67-a45a-e88f3d08cdd5

Site ID.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/sites/3c536623-4763-4f67-a45a-e88f3d08cdd5' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Get Site Health Status

get /sites/{site-id}/status

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}/status

Returns the health status of a site from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 3c536623-4763-4f67-a45a-e88f3d08cdd5

Site ID.

Responses

200

successful operation.

Response Schema: application/json

ConnectorsUp	Array of objects (ConnectorLastSeen) A list of online connectors represented by their ID and their last communication date.
ConnectorsDown	Array of objects (ConnectorLastSeen) A list of offline connectors represented by their ID and their last communication date.
ConnectorsNotConfigured	Array of objects (ConnectorLastSeen) A list of connectors that were yet established initial communication with Symantec ZTNA Cloud Service.
ConnectorsDisabled	Array of objects (ConnectorLastSeen) A list of disabled connectors (connectors that don't serve applications defined under the contained site).
Status	string Enum: "online" "offline" "not-configured" Site health status. The site is online when there is at least one online connector.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/sites/3c536623-4763-4f67-a45a-e88f3d08cdd5/status' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"ConnectorsUp": 
[
{"Id": "72e508f9-33fd-4166-ae82-8a25b0e90915",
"last_seen": "2019-02-24T12:05:51.000Z"
},
{"Id": "d05ccd0f-0cec-4de2-a815-281169c9ca7b",
"last_seen": "2019-02-24T12:05:51.000Z"
}
],
"ConnectorsDown": null,
"ConnectorsNotConfigured": 
[
{"Id": "50f4837b-ec1d-4cbd-aefa-5a54733f0558",
"last_seen": "1901-01-01T00:00:00.000Z"
}
],
"ConnectorsDisabled": null,
"Status": "not-configured"
}

List Regions

get /regions

Default server.

https://api.acme.luminatesec.com/v2/regions

Returns a list of available connectivity regions

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

Array

name required	string (RegionName) The name of the region
is_default required	boolean (RegionIsDefault) A boolean indicating if the region is the default region

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/regions' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"name": "us-west1",
"is_default": true
}
]

Get Region By Name

get /regions/{region_name}

Default server.

https://api.acme.luminatesec.com/v2/regions/{region_name}

Returns details of a connectivity region

Authorizations:

OAuth

path Parameters

region-name

required

string

Example: us-west1

Region name

Responses

200

successful operation.

Response Schema: application/json

name required	string (RegionName) The name of the region
is_default required	boolean (RegionIsDefault) A boolean indicating if the region is the default region

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/regions/{region_name}' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"name": "us-west1",
"is_default": true
}

Site Registration Keys

Registration Keys are available for sites with authentication_mode set to Site.
which is primarily designed for managed container orchestrators (e.g., Kubernetes, Fargate),
but is also compatible with environments where Connector mode is currently being used.

• A registration key acts as a long-lived token associated with the site.
• The key is shown only once upon creation, and it is the user’s responsibility to store it securely in a secret manager.
• The token is reusable and allows the creation of new Connector entities upon registration.
• The Connector Container uses this token, passed as an environment variable, to register itself.
• Resiliency is ensured as the container dynamically handles the Connector creation and deletion
• Persistent storage is not required, and direct Connector creation via API is disabled in this mode.

A site can have up to two active registration keys at a time:
One primary key, and the second (if exists) is a temporarily active key

List Site Registration Keys

get /sites/{site-id}/registration_keys

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}/registration_keys

Returns the site's registration keys list.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 3c536623-4763-4f67-a45a-e88f3d08cdd5

Site ID.

Responses

200

successful operation.

Response Schema: application/json

registration_keys

Array of objects (SiteRegistrationKey)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/sites/3c536623-4763-4f67-a45a-e88f3d08cdd5/registration_keys' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"registration_keys": 
[
{"id": "string",
"date_created": "1985-04-12T23:20:50.52Z",
"last_used": "2025-08-21T14:31:22Z",
"expiration_date": "2025-08-21T14:31:22Z",
"status": "active"
}
]
}

Rotate Site Registration Keys

post /sites/{site-id}/registration_keys

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}/registration_keys

Rotates the site's registration keys.
If no registration key exists, the first request generates one.
Future rotation requests replace the primary key.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 3c536623-4763-4f67-a45a-e88f3d08cdd5

Site ID.

Request Body schema: application/json

revoke_immediately

boolean

Default: false

true: →
All existing keys are deleted.
false: →
The primary key becomes temporarily active (72-hour expiration).
If there's an existing temporarily active key already, it will be deleted.

Responses

200

successful operation.

Response Schema: application/json

registration_key_id	string <uuid>
registration_key	string

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"revoke_immediately": false
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"registration_key_id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"registration_key": "string"
}

Clean Site Registration Keys

delete /sites/{site-id}/registration_keys

Default server.

https://api.acme.luminatesec.com/v2/sites/{site-id}/registration_keys

Cleans the site's registration keys list.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 3c536623-4763-4f67-a45a-e88f3d08cdd5

Site ID.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/sites/3c536623-4763-4f67-a45a-e88f3d08cdd5/registration_keys' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Connectors

A connector is a lightweight piece of software connecting your site to the Symantec ZTNA platform.

Create Connector

post /connectors

Default server.

https://api.acme.luminatesec.com/v2/connectors

Creates a Connector in your Symantec ZTNA tenant. To complete configuring the Symantec ZTNA connector, you should retrieve the deployment command using Connector Deployment Command API and execute it on the target machine.

Authorizations:

OAuth

query Parameters

bind_to_site_id

required

string <uuid>

Example: bind_to_site_id=6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the site that should contain this connector.

Request Body schema: application/json

name required	string >= 1 A descriptive name of the Connector.
deployment_type required	string (DeploymentType) Enum: "windows" "linux" "docker-compose" "kubernetes" The deployment type of the host running the Symantec ZTNA connector.
send_logs	boolean Default: false Indicates whether to set connector debug log level to the highest one.
enabled	boolean Default: true Indicates whether the connector serves applications defined under the contained site. A disabled connector still communicates with Symantec ZTNA cloud service to support enabling it later on.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.

Responses

201

successful operation.

Response Schema: application/json

name required	string >= 1 A descriptive name of the Connector.
deployment_type required	string (DeploymentType) Enum: "windows" "linux" "docker-compose" "kubernetes" The deployment type of the host running the Symantec ZTNA connector.
id	string <uuid> A unique identifier of this connector. Note: This field is required for any operation other than initial creation.
version	string The version of the running connector. This version equals to or higher than container_version.
registered	boolean Indicates whether the connector has already established a successful handshake with the Symantec ZTNA Cloud.
otp	string When initiated, the Symantec ZTNA Connector receives an ephemeral OTP, allowing it to establish initial communication. with Symantec ZTNA Cloud Service and pull a TLS Certificate to be used for further communications. This property holds an empty value after the connector establishes a successful handshake with the Symantec ZTNA Cloud.
date_created	string <date-time> Connector creation date.
date_registered	string <date-time> The date when the connector established a successful handshake with the Symantec ZTNA Cloud.
date_otp_expire	string <date-time> The date when the connector OTP expires. By default OTP is valid for 24 hours after connector creation date.
send_logs	boolean Default: false Indicates whether to set connector debug log level to the highest one.
enabled	boolean Default: true Indicates whether the connector serves applications defined under the contained site. A disabled connector still communicates with Symantec ZTNA cloud service to support enabling it later on.
connector_status	string Enum: "StatusUndefined" "StatusReady" "StatusDownloadStarted" "StatusDownloadCompleted" "StatusMigrationStarted" "StatusMigrationCompleted" "StatusExecuteStarted" "StatusExecuteCompleted" "StatusRetired" "StatusFailed" "StatusRetireStarted"
update_status	string Enum: "UpToDate" "UpdateAvailable" "UpdateStarted" "UpdateCompleted" "UpdateFailed" Indicates the connector upgrade status: UpToDate - Connector version is the latest available. UpdateAvailable - New connector version is available. UpdateStarted - Connector upgrade is in progress. UpdateCompleted - Connector upgrade was just completed. This is a temporary state until upgrade result is calculated. UpdateFailed - Connector upgrade attempt has failed.
update_status_info	string A detailed description of the connector upgrade failure reason in case a recent upgrade has failed.
internal_ip	string The internal IP address of the host running the Symantec ZTNA connector container.
external_ip	string The IP address used by Symantec ZTNA connector to address Symantec ZTNA cloud.
hostname	string The name of the host running the Symantec ZTNA connector container.
geo_location	string Geo location based on the external-ip, including the hosted cloud service if applicable.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "TestSite-Connector-3",
"send_logs": false,
"enabled": true,
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:22Z",
"date_registered": "2025-08-21T14:31:22Z",
"date_otp_expire": "2025-08-21T14:31:22Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}

List Connectors

get /connectors

Default server.

https://api.acme.luminatesec.com/v2/connectors

Return an array of paginated JSON objects. Each object represents a connector configured in your Symantec ZTNA tenant.
The supported sort keys are either ‘name’ for sorting by connector name or ‘id’ for sorting by connector id.
Filter applies for the following fields: "name", "internal-address", "external-address", "custom-domain" and "custom-root-path".
Using the query filter=test will return all the connectors for which one or more of the above listed fields contain "test".

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (Connector)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/connectors?sort=name,desc&size=10&page=0&filter=test' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:22Z",
"date_registered": "2025-08-21T14:31:22Z",
"date_otp_expire": "2025-08-21T14:31:22Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Get Connector

get /connectors/{connector-id}

Default server.

https://api.acme.luminatesec.com/v2/connectors/{connector-id}

Returns the details of a Connector from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

connector-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Connector ID.

Responses

200

successful operation.

Response Schema: application/json

name required	string >= 1 A descriptive name of the Connector.
deployment_type required	string (DeploymentType) Enum: "windows" "linux" "docker-compose" "kubernetes" The deployment type of the host running the Symantec ZTNA connector.
id	string <uuid> A unique identifier of this connector. Note: This field is required for any operation other than initial creation.
version	string The version of the running connector. This version equals to or higher than container_version.
registered	boolean Indicates whether the connector has already established a successful handshake with the Symantec ZTNA Cloud.
otp	string When initiated, the Symantec ZTNA Connector receives an ephemeral OTP, allowing it to establish initial communication. with Symantec ZTNA Cloud Service and pull a TLS Certificate to be used for further communications. This property holds an empty value after the connector establishes a successful handshake with the Symantec ZTNA Cloud.
date_created	string <date-time> Connector creation date.
date_registered	string <date-time> The date when the connector established a successful handshake with the Symantec ZTNA Cloud.
date_otp_expire	string <date-time> The date when the connector OTP expires. By default OTP is valid for 24 hours after connector creation date.
send_logs	boolean Default: false Indicates whether to set connector debug log level to the highest one.
enabled	boolean Default: true Indicates whether the connector serves applications defined under the contained site. A disabled connector still communicates with Symantec ZTNA cloud service to support enabling it later on.
connector_status	string Enum: "StatusUndefined" "StatusReady" "StatusDownloadStarted" "StatusDownloadCompleted" "StatusMigrationStarted" "StatusMigrationCompleted" "StatusExecuteStarted" "StatusExecuteCompleted" "StatusRetired" "StatusFailed" "StatusRetireStarted"
update_status	string Enum: "UpToDate" "UpdateAvailable" "UpdateStarted" "UpdateCompleted" "UpdateFailed" Indicates the connector upgrade status: UpToDate - Connector version is the latest available. UpdateAvailable - New connector version is available. UpdateStarted - Connector upgrade is in progress. UpdateCompleted - Connector upgrade was just completed. This is a temporary state until upgrade result is calculated. UpdateFailed - Connector upgrade attempt has failed.
update_status_info	string A detailed description of the connector upgrade failure reason in case a recent upgrade has failed.
internal_ip	string The internal IP address of the host running the Symantec ZTNA connector container.
external_ip	string The IP address used by Symantec ZTNA connector to address Symantec ZTNA cloud.
hostname	string The name of the host running the Symantec ZTNA connector container.
geo_location	string Geo location based on the external-ip, including the hosted cloud service if applicable.
kubernetes_persistent_volume_name	string (kubernetes_persistent_volume_name) Default: null A persistent volume to be used for storing the Symantec ZTNA connector TLS Certificate. The persistent volume must be defined for deployments of type Kubernetes in order to support connector failovers. This property value is inherited from the contained site and can be overridden at the connector level.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/connectors/18837193-a81a-400f-b38d-482379e3ab47' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "TestSite-Connector-3",
"version": "2.5.1+964",
"registered": true,
"otp": null,
"date_created": "2025-08-21T14:31:22Z",
"date_registered": "2025-08-21T14:31:22Z",
"date_otp_expire": "2025-08-21T14:31:22Z",
"send_logs": false,
"enabled": true,
"connector_status": "StatusReady",
"update_status": "UpdateFailed",
"update_status_info": "error downloading new connector",
"internal_ip": "10.10.10.1",
"external_ip": "109.155.209.167",
"hostname": "TestSite-Connector-3-Linux",
"geo_location": "Microsoft Azure, Netherlands, Amsterdam",
"deployment_type": "kubernetes",
"kubernetes_persistent_volume_name": "pv-81e55b9b-298b-11e9-b2bd-0ace4f35b420"
}

Delete Connector

delete /connectors/{connector-id}

Default server.

https://api.acme.luminatesec.com/v2/connectors/{connector-id}

Delete the connector from the contained site in your Symantec ZTNA tenant.
In order to complete the action the connector container that runs in the corresponding datacenter should be removed.

Authorizations:

OAuth

path Parameters

connector-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Connector ID.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/connectors/18837193-a81a-400f-b38d-482379e3ab47' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Get Connector Deployment Command

get /connectors/{connector-id}/command

Default server.

https://api.acme.luminatesec.com/v2/connectors/{connector-id}/command

Returns the command for deploying Symantec ZTNA connector as a docker image. This endpoint is valid for connectors of version 2.5.10 and higher. The command is generated based on the deployment_type that was set for the connector: windows / linux / docker-compose / Kubernetes. Executing the command on the target machine is the last step in configuring the Symantec ZTNA Connector.

Authorizations:

OAuth

path Parameters

connector-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Connector ID.

Responses

200

successful operation.

Response Schema: application/json

deployment_commands

string

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/connectors/18837193-a81a-400f-b38d-482379e3ab47/command' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"deployment_commands": "sudo docker run --ulimit nofile=2048 -e ENDPOINT_URL='acme.luminatesite.com' \\\n-e TENANT_IDENTIFIER='12f3e95861234567a123a7c582a0a51f_acme' \\ --network=host \\\n-d \\ --name='TestSite-Connector-3' \\ --restart=on-failure \\ -e HTTPS_SKIP_CERT_VERIFY='true' \\\n-e OTP='2d1e1bfa-1234-41bf-a805-a3d1aa7eb5d1' \\ -e LOG_LEVEL=debug \\ -e DISABLE_ERROR_TRACKER=true \\\nluminate/connector:2.5.8\n"
}

Get Connector Environment Variables

get /connectors/{connector-id}/environment_variables

Default server.

https://api.acme.luminatesec.com/v2/connectors/{connector-id}/environment_variables

Returns the set of environment variables required for deployed connector in a conveniently JSON format. Applicable for all connector types that was set for the connector: windows / linux / docker-compose / Kubernetes.

Authorizations:

OAuth

path Parameters

connector-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Connector ID.

Responses

200

successful operation.

Response Schema: application/json

container_name	string
environment_variables	Array of objects An array of environment variables

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/connectors/18837193-a81a-400f-b38d-482379e3ab47/environment_variables' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"container_name": "TestSite-Connector-3",
"environment_variables": 
[
{"name": "ENDPOINT_URL",
"value": "acme.luminatesec.com"
},
{"name": "TENANT_IDENTIFIER",
"value": "12f3e95861234567a123a7c582a0a51f_acme"
},
{"name": "HTTPS_SKIP_CERT_VERIFY",
"value": true
},
{"name": "OTP",
"value": "2d1e1bfa-1234-41bf-a805-a3d1aa7eb5d1"
},
{"name": "LOG_LEVEL",
"value": "debug"
},
{"name": "DISABLE_ERROR_TRACKER",
"value": true
}
]
}

Get Connector Version

get /connectors/version

Default server.

https://api.acme.luminatesec.com/v2/connectors/version

Returns the latest connector version available for the tenant

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

connector_version

string

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/connectors/version' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"connector_version": "2.5.8"
}

Applications

Application is the internal resource you would like to publish using Symantec ZTNA.

Create Application

post /applications

Default server.

https://api.acme.luminatesec.com/v2/applications

Creates an application in your Symantec ZTNA tenant.

Note: To allow access to a newly created application, you should have a Site defined and Symantec ZTNA Connectors deployed, as well as access policy, this application assigned to. You can then assign the application to the required site using Bind Application to Site API. You can assign the application to the policy using Assign Application to policies.

Authorizations:

OAuth

Request Body schema: application/json

name required	string [ 2 .. 40 ] A descriptive name of the application.
id required	string <uuid> (ApplicationID) A unique identifier of the application. Note: This field is required for any operation other than initial creation.
type required	string (ApplicationType) DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications. SSH
connectionSettings required	object (ApplicationConnectionSettingsSSH)
icon	string Nullable Default: null Base64 representation of the icon file, size should be up to 40x40 pixels.
isVisible	boolean Nullable Default: true Indicates whether to show this application in the applications portal.
isNotificationEnabled	boolean Nullable Default: true Indicates whether notifications are enabled for this application.
enabled	boolean Nullable Default: true Indicates the application status configured by Admin (enabled/disabled).
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to application. Note: if field not provided application will created on default collection.

Responses

201

successful operation.

Response Schema: application/json

name required	string [ 2 .. 40 ] A descriptive name of the application.
id required	string <uuid> (ApplicationID) A unique identifier of the application. Note: This field is required for any operation other than initial creation.
type required	string (ApplicationType) Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" "DNS" DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications.
connectionSettings required	object (ApplicationConnectionSettings)
createdOn	number Application creation date, epoch time in milliseconds. Note: This field is automatically populated.
modifiedOn	number Application last modification date, epoch time in milliseconds. Note: This field is automatically populated.
icon	string Nullable Default: null Base64 representation of the icon file, size should be up to 40x40 pixels.
isVisible	boolean Nullable Default: true Indicates whether to show this application in the applications portal.
isNotificationEnabled	boolean Nullable Default: true Indicates whether notifications are enabled for this application.
enabled	boolean Nullable Default: true Indicates the application status configured by Admin (enabled/disabled).
health	object (ApplicationHealth)
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to application. Note: if field not provided application will created on default collection.
subType	string (ApplicationSubType) Enum: "HTTP_LUMINATE_DOMAIN" "HTTP_CUSTOM_DOMAIN" "HTTP_WILDCARD_DOMAIN" "SINGLE_MACHINE" "MULTIPLE_MACHINES" "SEGMENT_SPECIFIC_IPS" "SEGMENT_RANGE" "RDP_BROWSER_SINGLE_MACHINE" "RDP_BROWSER_MULTIPLE_MACHINES" Valid sub-types for HTTP applications: HTTP_LUMINATE_DOMAIN – Symantec ZTNA domain (i.e. testapp.acme.luminatesec.com). HTTP_CUSTOM_DOMAIN - custom domain (i.e. testapp.acme.com). HTTP_WILDCARD_DOMAIN - Wildcard with custom domain (i.e. .acme.com). If no value is given then a default value is set as follows: HTTP_LUMINATE_DOMAIN for application with a null or empty customExternalAddress, HTTP_CUSTOM_DOMAIN otherwise. Valid sub-types for RDP applications:* SINGLE_MACHINE - RDP application default sub type, one to one mapping. MULTIPLE_MACHINES - one to many mapping for RDP type. RDP_BROWSER_SINGLE_MACHINE - one to one mapping for RDP type. RDP_BROWSER_MULTIPLE_MACHINES - one to many mapping for RDP type. Valid sub-types for Segment applications: SEGMENT_SPECIFIC_IPS - Segment application with single or multipe IPs as targets (i.e 10.0.0.0). SEGMENT_RANGE - Segment application with IP range or mask as target (i.e 10.0.0.0/30 or 10.0.0.0-10.0.0.2). If no value is given then a default value is set as follows: SEGMENT_SPECIFIC_IPS for application with IP address, SEGMENT_RANGE for application with range or mask.
linkTranslationSettings	object (ApplicationLinkTranslationSettings)
requestCustomizationSettings	object (ApplicationRequestCustomizationSettings)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Example

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "TestApplication",
"type": "SSH",
"icon": null,
"isVisible": true,
"isNotificationEnabled": true,
"enabled": true,
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"connectionSettings": 
{"internalAddress": "tcp://127.0.0.1:22",
"externalAddress": "testapp.acme.luminatesec.com",
"luminateAddress": "testapp.acme.luminatesec.com",
"subdomain": null
}
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "TestApplication",
"type": "HTTP",
"createdOn": 1539000953351,
"modifiedOn": 1539000956235,
"icon": null,
"isVisible": true,
"isNotificationEnabled": true,
"enabled": true,
"health": 
{"applicationId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"status": "PartiallyAvailable",
"cause": "Some connector fail to expose application",
"lastUpdatedOn": 1539680482000,
"totalNumberOfConnectors": 2,
"lastAvailableOn": 1539680482000
},
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"subType": "HTTP_LUMINATE_DOMAIN",
"connectionSettings": 
{"internalAddress": "https://127.0.0.1:443",
"externalAddress": "https://testapp.acme.luminatesec.com",
"luminateAddress": "https://testapp.acme.luminatesec.com",
"subdomain": null,
"customExternalAddress": null,
"customRootPath": null,
"healthUrl": "/HealthCheck",
"healthMethod": "Head",
"customSSLCertificate": null,
"wildcardPrivateKey": null
},
"linkTranslationSettings": 
{"isDefaultContentRewriteRulesEnabled": true,
"isDefaultHeaderRewriteRulesEnabled": true,
"useExternalAddressForHostAndSni": false,
"linkedApplications": [ ]
},
"requestCustomizationSettings": 
{"headerCustomization": "X-Forwarded-For: '$SOURCEIP$'\nX-Forwarded-Host: '$ORIGINALHOST$'\nX-Forwarded-Proto: '$PROTOCOL$'\nX-EMAIL-ADDRESS: '$EMAIL$'\n"
},
"ApplicationHTTP": "ApplicationHTTP"
}

List Applications

get /applications

Default server.

https://api.acme.luminatesec.com/v2/applications

Return an array of paginated JSON objects. Each object represents an application configured in your Symantec ZTNA tenant.
The supported sort keys are either ‘name’ for sorting by application name or ‘id’ for sorting by application id.
Filter applies for the following fields: "name", "internal-address", "external-address", "custom-domain" and "custom-root-path".
Using the query filter=testapp will return all the applications for which one or more of the above listed fields contain "testapp"

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)
type	string Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" Example: type=HTTP Application type by which the results are filtered.
siteId	string <uuid> Example: siteId=5fa7bfe9e312345bce28f0a2ad9698b8 Site ID by which the results are filtered.

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (Application)
sort	Array of objects (ApplicationSort) Response sorting techniques.
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/applications?sort=name,desc&size=10&page=0&filter=test&type=HTTP&siteId=5fa7bfe9e312345bce28f0a2ad9698b8' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "TestApplication",
"type": "HTTP",
"createdOn": 1539000953351,
"modifiedOn": 1539000956235,
"icon": null,
"isVisible": true,
"isNotificationEnabled": true,
"enabled": true,
"health": 
{"applicationId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"status": "PartiallyAvailable",
"cause": "Some connector fail to expose application",
"lastUpdatedOn": 1539680482000,
"totalNumberOfConnectors": 2,
"lastAvailableOn": 1539680482000
},
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"subType": "HTTP_LUMINATE_DOMAIN",
"connectionSettings": 
{"internalAddress": "https://127.0.0.1:443",
"externalAddress": "https://testapp.acme.luminatesec.com",
"luminateAddress": "https://testapp.acme.luminatesec.com",
"subdomain": null,
"customExternalAddress": null,
"customRootPath": null,
"healthUrl": "/HealthCheck",
"healthMethod": "Head",
"customSSLCertificate": null,
"wildcardPrivateKey": null
},
"linkTranslationSettings": 
{"isDefaultContentRewriteRulesEnabled": true,
"isDefaultHeaderRewriteRulesEnabled": true,
"useExternalAddressForHostAndSni": false,
"linkedApplications": [ ]
},
"requestCustomizationSettings": 
{"headerCustomization": "X-Forwarded-For: '$SOURCEIP$'\nX-Forwarded-Host: '$ORIGINALHOST$'\nX-Forwarded-Proto: '$PROTOCOL$'\nX-EMAIL-ADDRESS: '$EMAIL$'\n"
},
"tcpTunnelSettings": 
[
{"target": "127.0.0.1",
"ports": 
[80,
8080
]
},
{"target": "127.0.0.2",
"ports": 
[80,
8080
]
}
],
"cloudIntegrationData": 
{"tags": 
[
{"key": "key1",
"value": "value1"
},
{"key": "key2",
"value": "value2"
}
],
"segmentId": "bd3e5b97-3521-4f08-b7b1-9970a47fd984",
"vpcs": 
[
{"id": "5fa7bfe9e312345bce28f0a2ad9698b8",
"vpc": "vpc-ab123456",
"region": "eu-west-1",
"cidr_block": "194.24.0.0/16",
"integration_id": "0c0aa97c-0f47-1234-80cc-5fedc03ea4c7",
"integration_name": "acmeAws"
},
{"id": "ad12345eac234b66b00b6f35de23ba0e",
"vpc": "vpc-ed123456",
"region": "eu-west-1",
"cidr_block": "194.24.0.0/16",
"integration_id": "0c0aa97c-0f47-1234-80cc-5fedc03ea4c7",
"integration_name": "acmeAws"
}
]
},
"segmentSettings": 
{"originalIp": "string"
},
"multipleSegmentSettings": 
[
{"originalIp": "10.0.0.0"
}
]
}
],
"sort": 
[
{"direction": "asc",
"property": "name",
"ignoreCase": false,
"nullHandling": 1,
"ascending": true,
"descending": false
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Get Application

get /applications/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/applications/{application-id}

Returns the details of an Application from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Responses

200

successful operation.

Response Schema: application/json

name required	string [ 2 .. 40 ] A descriptive name of the application.
id required	string <uuid> (ApplicationID) A unique identifier of the application. Note: This field is required for any operation other than initial creation.
type required	string (ApplicationType) Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" "DNS" DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications.
connectionSettings required	object (ApplicationConnectionSettings)
createdOn	number Application creation date, epoch time in milliseconds. Note: This field is automatically populated.
modifiedOn	number Application last modification date, epoch time in milliseconds. Note: This field is automatically populated.
icon	string Nullable Default: null Base64 representation of the icon file, size should be up to 40x40 pixels.
isVisible	boolean Nullable Default: true Indicates whether to show this application in the applications portal.
isNotificationEnabled	boolean Nullable Default: true Indicates whether notifications are enabled for this application.
enabled	boolean Nullable Default: true Indicates the application status configured by Admin (enabled/disabled).
health	object (ApplicationHealth)
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to application. Note: if field not provided application will created on default collection.
subType	string (ApplicationSubType) Enum: "HTTP_LUMINATE_DOMAIN" "HTTP_CUSTOM_DOMAIN" "HTTP_WILDCARD_DOMAIN" "SINGLE_MACHINE" "MULTIPLE_MACHINES" "SEGMENT_SPECIFIC_IPS" "SEGMENT_RANGE" "RDP_BROWSER_SINGLE_MACHINE" "RDP_BROWSER_MULTIPLE_MACHINES" Valid sub-types for HTTP applications: HTTP_LUMINATE_DOMAIN – Symantec ZTNA domain (i.e. testapp.acme.luminatesec.com). HTTP_CUSTOM_DOMAIN - custom domain (i.e. testapp.acme.com). HTTP_WILDCARD_DOMAIN - Wildcard with custom domain (i.e. .acme.com). If no value is given then a default value is set as follows: HTTP_LUMINATE_DOMAIN for application with a null or empty customExternalAddress, HTTP_CUSTOM_DOMAIN otherwise. Valid sub-types for RDP applications:* SINGLE_MACHINE - RDP application default sub type, one to one mapping. MULTIPLE_MACHINES - one to many mapping for RDP type. RDP_BROWSER_SINGLE_MACHINE - one to one mapping for RDP type. RDP_BROWSER_MULTIPLE_MACHINES - one to many mapping for RDP type. Valid sub-types for Segment applications: SEGMENT_SPECIFIC_IPS - Segment application with single or multipe IPs as targets (i.e 10.0.0.0). SEGMENT_RANGE - Segment application with IP range or mask as target (i.e 10.0.0.0/30 or 10.0.0.0-10.0.0.2). If no value is given then a default value is set as follows: SEGMENT_SPECIFIC_IPS for application with IP address, SEGMENT_RANGE for application with range or mask.
linkTranslationSettings	object (ApplicationLinkTranslationSettings)
requestCustomizationSettings	object (ApplicationRequestCustomizationSettings)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/applications/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "TestApplication",
"type": "HTTP",
"createdOn": 1539000953351,
"modifiedOn": 1539000956235,
"icon": null,
"isVisible": true,
"isNotificationEnabled": true,
"enabled": true,
"health": 
{"applicationId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"status": "PartiallyAvailable",
"cause": "Some connector fail to expose application",
"lastUpdatedOn": 1539680482000,
"totalNumberOfConnectors": 2,
"lastAvailableOn": 1539680482000
},
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"subType": "HTTP_LUMINATE_DOMAIN",
"connectionSettings": 
{"internalAddress": "https://127.0.0.1:443",
"externalAddress": "https://testapp.acme.luminatesec.com",
"luminateAddress": "https://testapp.acme.luminatesec.com",
"subdomain": null,
"customExternalAddress": null,
"customRootPath": null,
"healthUrl": "/HealthCheck",
"healthMethod": "Head",
"customSSLCertificate": null,
"wildcardPrivateKey": null
},
"linkTranslationSettings": 
{"isDefaultContentRewriteRulesEnabled": true,
"isDefaultHeaderRewriteRulesEnabled": true,
"useExternalAddressForHostAndSni": false,
"linkedApplications": [ ]
},
"requestCustomizationSettings": 
{"headerCustomization": "X-Forwarded-For: '$SOURCEIP$'\nX-Forwarded-Host: '$ORIGINALHOST$'\nX-Forwarded-Proto: '$PROTOCOL$'\nX-EMAIL-ADDRESS: '$EMAIL$'\n"
},
"ApplicationHTTP": "ApplicationHTTP"
}

Update Application

put /applications/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/applications/{application-id}

Update an existing application in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Request Body schema: application/json

name required	string [ 2 .. 40 ] A descriptive name of the application.
id required	string <uuid> (ApplicationID) A unique identifier of the application. Note: This field is required for any operation other than initial creation.
type required	string (ApplicationType) DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications. SSH
connectionSettings required	object (ApplicationConnectionSettingsSSH)
icon	string Nullable Default: null Base64 representation of the icon file, size should be up to 40x40 pixels.
isVisible	boolean Nullable Default: true Indicates whether to show this application in the applications portal.
isNotificationEnabled	boolean Nullable Default: true Indicates whether notifications are enabled for this application.
enabled	boolean Nullable Default: true Indicates the application status configured by Admin (enabled/disabled).
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to application. Note: if field not provided application will created on default collection.

Responses

200

successful operation.

Response Schema: application/json

name required	string [ 2 .. 40 ] A descriptive name of the application.
id required	string <uuid> (ApplicationID) A unique identifier of the application. Note: This field is required for any operation other than initial creation.
type required	string (ApplicationType) Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" "DNS" DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications.
connectionSettings required	object (ApplicationConnectionSettings)
createdOn	number Application creation date, epoch time in milliseconds. Note: This field is automatically populated.
modifiedOn	number Application last modification date, epoch time in milliseconds. Note: This field is automatically populated.
icon	string Nullable Default: null Base64 representation of the icon file, size should be up to 40x40 pixels.
isVisible	boolean Nullable Default: true Indicates whether to show this application in the applications portal.
isNotificationEnabled	boolean Nullable Default: true Indicates whether notifications are enabled for this application.
enabled	boolean Nullable Default: true Indicates the application status configured by Admin (enabled/disabled).
health	object (ApplicationHealth)
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to application. Note: if field not provided application will created on default collection.
subType	string (ApplicationSubType) Enum: "HTTP_LUMINATE_DOMAIN" "HTTP_CUSTOM_DOMAIN" "HTTP_WILDCARD_DOMAIN" "SINGLE_MACHINE" "MULTIPLE_MACHINES" "SEGMENT_SPECIFIC_IPS" "SEGMENT_RANGE" "RDP_BROWSER_SINGLE_MACHINE" "RDP_BROWSER_MULTIPLE_MACHINES" Valid sub-types for HTTP applications: HTTP_LUMINATE_DOMAIN – Symantec ZTNA domain (i.e. testapp.acme.luminatesec.com). HTTP_CUSTOM_DOMAIN - custom domain (i.e. testapp.acme.com). HTTP_WILDCARD_DOMAIN - Wildcard with custom domain (i.e. .acme.com). If no value is given then a default value is set as follows: HTTP_LUMINATE_DOMAIN for application with a null or empty customExternalAddress, HTTP_CUSTOM_DOMAIN otherwise. Valid sub-types for RDP applications:* SINGLE_MACHINE - RDP application default sub type, one to one mapping. MULTIPLE_MACHINES - one to many mapping for RDP type. RDP_BROWSER_SINGLE_MACHINE - one to one mapping for RDP type. RDP_BROWSER_MULTIPLE_MACHINES - one to many mapping for RDP type. Valid sub-types for Segment applications: SEGMENT_SPECIFIC_IPS - Segment application with single or multipe IPs as targets (i.e 10.0.0.0). SEGMENT_RANGE - Segment application with IP range or mask as target (i.e 10.0.0.0/30 or 10.0.0.0-10.0.0.2). If no value is given then a default value is set as follows: SEGMENT_SPECIFIC_IPS for application with IP address, SEGMENT_RANGE for application with range or mask.
linkTranslationSettings	object (ApplicationLinkTranslationSettings)
requestCustomizationSettings	object (ApplicationRequestCustomizationSettings)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Example

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "TestApplication",
"type": "SSH",
"icon": null,
"isVisible": true,
"isNotificationEnabled": true,
"enabled": true,
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"connectionSettings": 
{"internalAddress": "tcp://127.0.0.1:22",
"externalAddress": "testapp.acme.luminatesec.com",
"luminateAddress": "testapp.acme.luminatesec.com",
"subdomain": null
}
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"name": "TestApplication",
"type": "HTTP",
"createdOn": 1539000953351,
"modifiedOn": 1539000956235,
"icon": null,
"isVisible": true,
"isNotificationEnabled": true,
"enabled": true,
"health": 
{"applicationId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"status": "PartiallyAvailable",
"cause": "Some connector fail to expose application",
"lastUpdatedOn": 1539680482000,
"totalNumberOfConnectors": 2,
"lastAvailableOn": 1539680482000
},
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"subType": "HTTP_LUMINATE_DOMAIN",
"connectionSettings": 
{"internalAddress": "https://127.0.0.1:443",
"externalAddress": "https://testapp.acme.luminatesec.com",
"luminateAddress": "https://testapp.acme.luminatesec.com",
"subdomain": null,
"customExternalAddress": null,
"customRootPath": null,
"healthUrl": "/HealthCheck",
"healthMethod": "Head",
"customSSLCertificate": null,
"wildcardPrivateKey": null
},
"linkTranslationSettings": 
{"isDefaultContentRewriteRulesEnabled": true,
"isDefaultHeaderRewriteRulesEnabled": true,
"useExternalAddressForHostAndSni": false,
"linkedApplications": [ ]
},
"requestCustomizationSettings": 
{"headerCustomization": "X-Forwarded-For: '$SOURCEIP$'\nX-Forwarded-Host: '$ORIGINALHOST$'\nX-Forwarded-Proto: '$PROTOCOL$'\nX-EMAIL-ADDRESS: '$EMAIL$'\n"
},
"ApplicationHTTP": "ApplicationHTTP"
}

Delete Application

delete /applications/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/applications/{application-id}

Delete an application from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/applications/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Bind Application to Site

put /applications/{application-id}/site-binding/{site-id}

Default server.

https://api.acme.luminatesec.com/v2/applications/{application-id}/site-binding/{site-id}

Bind your Application to an existing Site in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

application-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f Application ID.
site-id required	string <uuid> Example: 3c536623-4763-4f67-a45a-e88f3d08cdd5 Site ID.

Request Body schema: application/json

any

Responses

200

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all

null

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Get Application Health Status

get /applications/{application-id}/status

Default server.

https://api.acme.luminatesec.com/v2/applications/{application-id}/status

Returns the health status of the given Application from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Responses

200

successful operation.

Response Schema: application/json

applicationId	string <uuid>
status	string Enum: "Available" "Unavailable" "Pending" "PartiallyAvailable" The application accessibility status.
cause	string Root cause for status different than "Available".
lastUpdatedOn	number Date when Application health was last updated on, epoch time in milliseconds.
totalNumberOfConnectors	integer <int32> The number of connectors that expose the application regardless of their health status.
lastAvailableOn	number Date when Application was last available, epoch time in milliseconds.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/applications/6fd0a892-8b70-471a-9dd7-bf374b07451f/status' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"applicationId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"status": "PartiallyAvailable",
"cause": "Some connector fail to expose application",
"lastUpdatedOn": 1539680482000,
"totalNumberOfConnectors": 2,
"lastAvailableOn": 1539680482000
}

Access and Activity Policies

Symantec ZTNA continuously enforce contextual access and activity policies to control access to resources and restrict user’s actions within resources, based on the user/device context (such as the user’s group membership, user’s location, MFA status and managed/unmanaged device status) and the requested resource.

Policy Evaluation
For each access request, Symantec ZTNA processes the policies against the request context (user, device and the requested resource) to calculate the effective policies and to determine whether the request should be allowed or denied. If no access policy could be matched, the access is blocked.

Access Policy configuration
When defining an access policy, the following configuration is supported:

Filter conditions - The conditions specify the context under which the activity policy will apply.
Context includes information about the source IP address, source location and source device.
The policy is effective only when *ALL* conditions are satisfied (evaluate to TRUE).
Entities - users/groups/api-clients to which the policy applies.
Resources - the applications to which the policy applies.
Access settings - settings that are specific for the policy target protocol. For example SSH accounts as well as the supported authentication methods (temporary tokens or certificates) for target protocol SSH.
Validators - The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification.

Activity Policy configuration
Activity policies are used to control specific user’s actions within the resource to which the user has been granted access by Access Policy. Examples are restricting file downloads, controling access to specific URIs, limiting SSH commands and others). The activity policy consists of the entities (users or groups to which the policy applies), the applications to which the policy apply as well as filter conditions and rules.

Activity policy filter conditions
The conditions specify the context under which the activity policy will apply. Context includes information about the source IP address, source location and source device.
The policy is effective only when *ALL* conditions are satisfied (evaluate to TRUE).
Activity policy rules
The rules specify the constraints on the action that the user wants to perform. For example URI black list for web applications or file download restrictions.
Each rule contains the the activity which triggers the rule and the action, which determines how the Symantec ZTNA should react when such activity is triggered. For example block action in case of an attempt to access a non-allowed URI.

Create Policy

post /policies

Default server.

https://api.acme.luminatesec.com/v2/policies

Creates an Access / Activity Policy in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

type required	string (PolicyType) Determines the policy type: ACCESS - control access to resources by continuously enforcing contextual authorization ACTIVITY - control user activity within resources to which access was granted. ACCESS
targetProtocol required	string (PolicyTargetProtocol) Enum: "HTTP" "SSH" "RDP" "TCP"
name required	string A descriptive name of the policy. The name must be unique.
targetProtocolSubType	string (PolicyTargetProtocolSubType) Enum: "RDP_BROWSER" "RDP_NATIVE" Valid sub-types for Policies: RDP_BROWSER – For browser based RDP connection. RDP_NATIVE - For RDP connection using RDP client. If no value is given then a default value is set to RDP_NATIVE.
id	string <uuid> A unique identifier of the policy. Note: This field is required for any operation other than initial creation.
enabled	boolean Indicates whether this policy is enabled.
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to policy. Note: if field not provided policy will created on default collection.
directoryEntities	Array of objects (DirectoryEntity) The entities to which this policy applies.
applications	Array of objects (ApplicationBase) The applications to which this policy applies.
filterConditions	Array of objects (PolicyCondition) Filter conditions that specify the context of the user and the device in which the policy will apply. This Context includes information about the source IP address, source location and source device. The policy is effective only when ALL conditions are satisfied (evaluate to TRUE). Conditions are formed by using properties of the request context and describing their required state. For example, source IP should be one of the listed IP addresses. To retrieve the supported conditions use Get Supported Conditions API.
timeSettingsType	string Default: "permanent" Enum: "permanent" "temporary" "working_hours" configures the time settings type for the policy.
Status	string Indicates the policy status
validators	object The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification. To configure the required controls, you should retrieve the supported validators IDs by using Get Supported Validators and set the proper ones to TRUE. Note: Applicable for policies of type ACCESS only.
rdpSettings	object (PolicyRDPSettings) Policy settings that are specific to applications of type RDP
sshSettings	object (PolicySSHSettings) Policy settings that are specific to applications of type SSH
tcpSettings	object (PolicyTCPSettings) Policy settings that are specific to applications of type RDP
timeSettings	object (PolicyTimeSettings) Holds additional information regarding time settings of rules. This property applies only in case timeSettingsType is set to "temporary".
workingHoursSettings	object (WorkingHoursSettings) Specifies time slots and weekdays for the secure access. This property applies only in case timeSettingsType is set to "working_hours".

Responses

200

successful operation.

Response Schema: application/json

type required	string (PolicyType) Enum: "ACCESS" "ACTIVITY" Determines the policy type: ACCESS - control access to resources by continuously enforcing contextual authorization ACTIVITY - control user activity within resources to which access was granted.
targetProtocol required	string (PolicyTargetProtocol) Enum: "HTTP" "SSH" "RDP" "TCP"
name required	string A descriptive name of the policy. The name must be unique.
targetProtocolSubType	string (PolicyTargetProtocolSubType) Enum: "RDP_BROWSER" "RDP_NATIVE" Valid sub-types for Policies: RDP_BROWSER – For browser based RDP connection. RDP_NATIVE - For RDP connection using RDP client. If no value is given then a default value is set to RDP_NATIVE.
id	string <uuid> A unique identifier of the policy. Note: This field is required for any operation other than initial creation.
enabled	boolean Indicates whether this policy is enabled.
createdAt	string <date-time>
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to policy. Note: if field not provided policy will created on default collection.
directoryEntities	Array of objects (DirectoryEntity) The entities to which this policy applies.
applications	Array of objects (ApplicationBase) The applications to which this policy applies.
filterConditions	Array of objects (PolicyCondition) Filter conditions that specify the context of the user and the device in which the policy will apply. This Context includes information about the source IP address, source location and source device. The policy is effective only when ALL conditions are satisfied (evaluate to TRUE). Conditions are formed by using properties of the request context and describing their required state. For example, source IP should be one of the listed IP addresses. To retrieve the supported conditions use Get Supported Conditions API.
timeSettingsType	string Default: "permanent" Enum: "permanent" "temporary" "working_hours" configures the time settings type for the policy.
Status	string Indicates the policy status
validators	object The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification. To configure the required controls, you should retrieve the supported validators IDs by using Get Supported Validators and set the proper ones to TRUE. Note: Applicable for policies of type ACCESS only.
rdpSettings	object (PolicyRDPSettings) Policy settings that are specific to applications of type RDP
sshSettings	object (PolicySSHSettings) Policy settings that are specific to applications of type SSH
tcpSettings	object (PolicyTCPSettings) Policy settings that are specific to applications of type RDP
timeSettings	object (PolicyTimeSettings) Holds additional information regarding time settings of rules. This property applies only in case timeSettingsType is set to "temporary".
workingHoursSettings	object (WorkingHoursSettings) Specifies time slots and weekdays for the secure access. This property applies only in case timeSettingsType is set to "working_hours".
containers	Array of objects (PolicyRule) The rules specify the constraints on the action that the user wants to perform. For example URI black list for web applications or file download restrictions. Each rule contains the the activity which triggers the rule and the action, which determines how the Symantec ZTNA should react when such activity is triggered. Example actions are ‘block action’ in case of an attempt to access a non-allowed URI.
isWhitelist	boolean Indicates whether Allow rules enabled for this policy, if disabled only Deny rules apply. For Allow rules only "ALLOW" action ID could be applied.
isIsolation	boolean Indicates whether Web Isolation is enabled for this policy. This flag is relevant only for Web Activity policies (type=”ACTIVITY” and targetProtocol=”HTTP”).

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Example

Copy

Expand all Collapse all


{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
}
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"createdAt": { },
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
},
"containers": 
[
{"conditions": 
[
{"arguments": 
{"SSH_COMMAND": 
["sudo",
"ls",
"chmod"
]
},
"conditionDefinitionId": "SSH_COMMAND_WHITELIST"
}
],
"actionId": "ALLOW",
"isolationProfileId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"dlpFilterId": "6fd0a892-8b70-471a-9dd7-bf374b07451f"
}
],
"isWhitelist": true,
"isIsolation": true,
"PolicyAccess": "Policy"
}

List Policies

get /policies

Default server.

https://api.acme.luminatesec.com/v2/policies

Return an array of paginated JSON objects. Each object represents a policy configured in your Symantec ZTNA tenant.
The supported sort keys are either ‘name’ for sorting by policy name or ‘id’ for sorting by policy id.
Filter applies for the policy name only.
Using the query filter=testpolicy will return all the policies for which one or more of the above listed fields contain "testpolicy"

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (PolicyByType)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies?sort=name,desc&size=10&page=0&filter=test' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"createdAt": "1985-04-12T23:20:50.520Z",
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
}
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Get Policy

get /policies/{policy-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/{policy-id}

Returns the details of a Policy from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

policy-id

required

string <uuid>

Example: 6fd0a531-6b70-471a-9dd7-bf374b07814f

Policy ID.

Responses

200

successful operation.

Response Schema: application/json

type required	string (PolicyType) Enum: "ACCESS" "ACTIVITY" Determines the policy type: ACCESS - control access to resources by continuously enforcing contextual authorization ACTIVITY - control user activity within resources to which access was granted.
targetProtocol required	string (PolicyTargetProtocol) Enum: "HTTP" "SSH" "RDP" "TCP"
name required	string A descriptive name of the policy. The name must be unique.
targetProtocolSubType	string (PolicyTargetProtocolSubType) Enum: "RDP_BROWSER" "RDP_NATIVE" Valid sub-types for Policies: RDP_BROWSER – For browser based RDP connection. RDP_NATIVE - For RDP connection using RDP client. If no value is given then a default value is set to RDP_NATIVE.
id	string <uuid> A unique identifier of the policy. Note: This field is required for any operation other than initial creation.
enabled	boolean Indicates whether this policy is enabled.
createdAt	string <date-time>
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to policy. Note: if field not provided policy will created on default collection.
directoryEntities	Array of objects (DirectoryEntity) The entities to which this policy applies.
applications	Array of objects (ApplicationBase) The applications to which this policy applies.
filterConditions	Array of objects (PolicyCondition) Filter conditions that specify the context of the user and the device in which the policy will apply. This Context includes information about the source IP address, source location and source device. The policy is effective only when ALL conditions are satisfied (evaluate to TRUE). Conditions are formed by using properties of the request context and describing their required state. For example, source IP should be one of the listed IP addresses. To retrieve the supported conditions use Get Supported Conditions API.
timeSettingsType	string Default: "permanent" Enum: "permanent" "temporary" "working_hours" configures the time settings type for the policy.
Status	string Indicates the policy status
validators	object The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification. To configure the required controls, you should retrieve the supported validators IDs by using Get Supported Validators and set the proper ones to TRUE. Note: Applicable for policies of type ACCESS only.
rdpSettings	object (PolicyRDPSettings) Policy settings that are specific to applications of type RDP
sshSettings	object (PolicySSHSettings) Policy settings that are specific to applications of type SSH
tcpSettings	object (PolicyTCPSettings) Policy settings that are specific to applications of type RDP
timeSettings	object (PolicyTimeSettings) Holds additional information regarding time settings of rules. This property applies only in case timeSettingsType is set to "temporary".
workingHoursSettings	object (WorkingHoursSettings) Specifies time slots and weekdays for the secure access. This property applies only in case timeSettingsType is set to "working_hours".
containers	Array of objects (PolicyRule) The rules specify the constraints on the action that the user wants to perform. For example URI black list for web applications or file download restrictions. Each rule contains the the activity which triggers the rule and the action, which determines how the Symantec ZTNA should react when such activity is triggered. Example actions are ‘block action’ in case of an attempt to access a non-allowed URI.
isWhitelist	boolean Indicates whether Allow rules enabled for this policy, if disabled only Deny rules apply. For Allow rules only "ALLOW" action ID could be applied.
isIsolation	boolean Indicates whether Web Isolation is enabled for this policy. This flag is relevant only for Web Activity policies (type=”ACTIVITY” and targetProtocol=”HTTP”).

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/6fd0a531-6b70-471a-9dd7-bf374b07814f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"createdAt": { },
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
},
"containers": 
[
{"conditions": 
[
{"arguments": 
{"SSH_COMMAND": 
["sudo",
"ls",
"chmod"
]
},
"conditionDefinitionId": "SSH_COMMAND_WHITELIST"
}
],
"actionId": "ALLOW",
"isolationProfileId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"dlpFilterId": "6fd0a892-8b70-471a-9dd7-bf374b07451f"
}
],
"isWhitelist": true,
"isIsolation": true,
"PolicyAccess": "Policy"
}

Update Policy

put /policies/{policy-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/{policy-id}

Update an existing policy in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

policy-id

required

string <uuid>

Example: 6fd0a531-6b70-471a-9dd7-bf374b07814f

Policy ID.

Request Body schema: application/json

type required	string (PolicyType) Enum: "ACCESS" "ACTIVITY" Determines the policy type: ACCESS - control access to resources by continuously enforcing contextual authorization ACTIVITY - control user activity within resources to which access was granted.
targetProtocol required	string (PolicyTargetProtocol) Enum: "HTTP" "SSH" "RDP" "TCP"
name required	string A descriptive name of the policy. The name must be unique.
targetProtocolSubType	string (PolicyTargetProtocolSubType) Enum: "RDP_BROWSER" "RDP_NATIVE" Valid sub-types for Policies: RDP_BROWSER – For browser based RDP connection. RDP_NATIVE - For RDP connection using RDP client. If no value is given then a default value is set to RDP_NATIVE.
id	string <uuid> A unique identifier of the policy. Note: This field is required for any operation other than initial creation.
enabled	boolean Indicates whether this policy is enabled.
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to policy. Note: if field not provided policy will created on default collection.
directoryEntities	Array of objects (DirectoryEntity) The entities to which this policy applies.
applications	Array of objects (ApplicationBase) The applications to which this policy applies.
filterConditions	Array of objects (PolicyCondition) Filter conditions that specify the context of the user and the device in which the policy will apply. This Context includes information about the source IP address, source location and source device. The policy is effective only when ALL conditions are satisfied (evaluate to TRUE). Conditions are formed by using properties of the request context and describing their required state. For example, source IP should be one of the listed IP addresses. To retrieve the supported conditions use Get Supported Conditions API.
timeSettingsType	string Default: "permanent" Enum: "permanent" "temporary" "working_hours" configures the time settings type for the policy.
Status	string Indicates the policy status
validators	object The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification. To configure the required controls, you should retrieve the supported validators IDs by using Get Supported Validators and set the proper ones to TRUE. Note: Applicable for policies of type ACCESS only.
rdpSettings	object (PolicyRDPSettings) Policy settings that are specific to applications of type RDP
sshSettings	object (PolicySSHSettings) Policy settings that are specific to applications of type SSH
tcpSettings	object (PolicyTCPSettings) Policy settings that are specific to applications of type RDP
timeSettings	object (PolicyTimeSettings) Holds additional information regarding time settings of rules. This property applies only in case timeSettingsType is set to "temporary".
workingHoursSettings	object (WorkingHoursSettings) Specifies time slots and weekdays for the secure access. This property applies only in case timeSettingsType is set to "working_hours".
containers	Array of objects (PolicyRule) The rules specify the constraints on the action that the user wants to perform. For example URI black list for web applications or file download restrictions. Each rule contains the the activity which triggers the rule and the action, which determines how the Symantec ZTNA should react when such activity is triggered. Example actions are ‘block action’ in case of an attempt to access a non-allowed URI.
isWhitelist	boolean Indicates whether Allow rules enabled for this policy, if disabled only Deny rules apply. For Allow rules only "ALLOW" action ID could be applied.
isIsolation	boolean Indicates whether Web Isolation is enabled for this policy. This flag is relevant only for Web Activity policies (type=”ACTIVITY” and targetProtocol=”HTTP”).

Responses

200

successful operation.

Response Schema: application/json

type required	string (PolicyType) Enum: "ACCESS" "ACTIVITY" Determines the policy type: ACCESS - control access to resources by continuously enforcing contextual authorization ACTIVITY - control user activity within resources to which access was granted.
targetProtocol required	string (PolicyTargetProtocol) Enum: "HTTP" "SSH" "RDP" "TCP"
name required	string A descriptive name of the policy. The name must be unique.
targetProtocolSubType	string (PolicyTargetProtocolSubType) Enum: "RDP_BROWSER" "RDP_NATIVE" Valid sub-types for Policies: RDP_BROWSER – For browser based RDP connection. RDP_NATIVE - For RDP connection using RDP client. If no value is given then a default value is set to RDP_NATIVE.
id	string <uuid> A unique identifier of the policy. Note: This field is required for any operation other than initial creation.
enabled	boolean Indicates whether this policy is enabled.
createdAt	string <date-time>
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to policy. Note: if field not provided policy will created on default collection.
directoryEntities	Array of objects (DirectoryEntity) The entities to which this policy applies.
applications	Array of objects (ApplicationBase) The applications to which this policy applies.
filterConditions	Array of objects (PolicyCondition) Filter conditions that specify the context of the user and the device in which the policy will apply. This Context includes information about the source IP address, source location and source device. The policy is effective only when ALL conditions are satisfied (evaluate to TRUE). Conditions are formed by using properties of the request context and describing their required state. For example, source IP should be one of the listed IP addresses. To retrieve the supported conditions use Get Supported Conditions API.
timeSettingsType	string Default: "permanent" Enum: "permanent" "temporary" "working_hours" configures the time settings type for the policy.
Status	string Indicates the policy status
validators	object The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification. To configure the required controls, you should retrieve the supported validators IDs by using Get Supported Validators and set the proper ones to TRUE. Note: Applicable for policies of type ACCESS only.
rdpSettings	object (PolicyRDPSettings) Policy settings that are specific to applications of type RDP
sshSettings	object (PolicySSHSettings) Policy settings that are specific to applications of type SSH
tcpSettings	object (PolicyTCPSettings) Policy settings that are specific to applications of type RDP
timeSettings	object (PolicyTimeSettings) Holds additional information regarding time settings of rules. This property applies only in case timeSettingsType is set to "temporary".
workingHoursSettings	object (WorkingHoursSettings) Specifies time slots and weekdays for the secure access. This property applies only in case timeSettingsType is set to "working_hours".
containers	Array of objects (PolicyRule) The rules specify the constraints on the action that the user wants to perform. For example URI black list for web applications or file download restrictions. Each rule contains the the activity which triggers the rule and the action, which determines how the Symantec ZTNA should react when such activity is triggered. Example actions are ‘block action’ in case of an attempt to access a non-allowed URI.
isWhitelist	boolean Indicates whether Allow rules enabled for this policy, if disabled only Deny rules apply. For Allow rules only "ALLOW" action ID could be applied.
isIsolation	boolean Indicates whether Web Isolation is enabled for this policy. This flag is relevant only for Web Activity policies (type=”ACTIVITY” and targetProtocol=”HTTP”).

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Example

Copy

Expand all Collapse all


{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
},
"containers": 
[
{"conditions": 
[
{"arguments": 
{"SSH_COMMAND": 
["sudo",
"ls",
"chmod"
]
},
"conditionDefinitionId": "SSH_COMMAND_WHITELIST"
}
],
"actionId": "ALLOW",
"isolationProfileId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"dlpFilterId": "6fd0a892-8b70-471a-9dd7-bf374b07451f"
}
],
"isWhitelist": true,
"isIsolation": true,
"PolicyAccess": "Policy"
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"createdAt": { },
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
},
"containers": 
[
{"conditions": 
[
{"arguments": 
{"SSH_COMMAND": 
["sudo",
"ls",
"chmod"
]
},
"conditionDefinitionId": "SSH_COMMAND_WHITELIST"
}
],
"actionId": "ALLOW",
"isolationProfileId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"dlpFilterId": "6fd0a892-8b70-471a-9dd7-bf374b07451f"
}
],
"isWhitelist": true,
"isIsolation": true,
"PolicyAccess": "Policy"
}

Delete Policy

delete /policies/{policy-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/{policy-id}

Delete a policy from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

policy-id

required

string <uuid>

Example: 6fd0a531-6b70-471a-9dd7-bf374b07814f

Policy ID.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/policies/6fd0a531-6b70-471a-9dd7-bf374b07814f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Get Supported Conditions Definitions

get /policies/config/condition-definitions

Default server.

https://api.acme.luminatesec.com/v2/policies/config/condition-definitions

Returns all supported conditions that can be used as building blocks when defining policies. Conditions Definitions are used to define filter conditions and activity policy rules.

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

id	string (PolicyConditionDefinitionID) String that uniquly represents the condition and used as its identifier.
displayName	string Human readable name of this Condition.
description	string Condition scope extended information.
conditionParameters	Array of objects (PolicyConditionParameter) Determine the parameters that are required for evaluating the condition. The order of the parameters matters.
typeMapping	Array of objects (PolicyConditionTypeMapping) This property specifies the policy type and the application type for which this condition applies.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/config/condition-definitions' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "LOCATION_RESTRICTION",
"displayName": "Location",
"description": "List of countries that will be allowed to access",
"conditionParameters": 
[
{"parameterId": "COUNTRIES",
"displayName": "conditions",
"elementType": "enum",
"enumSettings": 
{"isMultiple": true,
"values": 
[
{"id": "IL",
"displayName": "Israel"
}
]
},
"stringSettings": 
{"regexValidator": "^Symantec ZTNA1$",
"isMultiple": true,
"example": "Symantec ZTNA1"
},
"numberSettings": 
{"min": 5,
"max": 10
}
}
],
"typeMapping": 
[
{"applicationType": "HTTP",
"policyType": "ACCESS"
}
]
}

Get Supported Rules Actions

get /policies/config/action-types

Default server.

https://api.acme.luminatesec.com/v2/policies/config/action-types

Returns the actions that can be enforced when a user performs a specific operation. Examples are: ALLOW to allow the action, BLOCK to block the action, BLOCK_USER to disconnect all active sessions of the user and block further login attempts.

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

Array

id	string Unique id for this Action, this ID should be used when setting the Action in a Container
name	string Human readable name for this action type
description	string extended information about the action

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/config/action-types' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"id": "BLOCK",
"name": "block",
"description": "block the action"
}
]

Get Supported Validators

get /policies/config/validator-types

Default server.

https://api.acme.luminatesec.com/v2/policies/config/validator-types

Returns the validators that can be used as a prerequisite for granting access to a requested resource. Examples are Multi-factor authentication and Web Verification.
Note: The validators are applicable for policies of type ACCESS only.

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

Array

id	string
displayName	string
description	string
applicationType	string Enum: "HTTP" "SSH" "TCP" "RDP" "DYNAMIC_SSH" type of applications for that condition

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/config/validator-types' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"id": "MFA",
"displayName": "MFA",
"description": "Multi Factor authentication",
"applicationType": "HTTP"
}
]

Get Application Assigned Policies.

get /policies/by-app-id/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/by-app-id/{application-id}

Returns an array of JSON objects.
Each object represents a policy assigned to the provided application in your Symantec ZTNA.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Responses

200

successful operation.

Response Schema: application/json

Array

type required	string (PolicyType) Determines the policy type: ACCESS - control access to resources by continuously enforcing contextual authorization ACTIVITY - control user activity within resources to which access was granted. ACCESS
targetProtocol required	string (PolicyTargetProtocol) Enum: "HTTP" "SSH" "RDP" "TCP"
name required	string A descriptive name of the policy. The name must be unique.
targetProtocolSubType	string (PolicyTargetProtocolSubType) Enum: "RDP_BROWSER" "RDP_NATIVE" Valid sub-types for Policies: RDP_BROWSER – For browser based RDP connection. RDP_NATIVE - For RDP connection using RDP client. If no value is given then a default value is set to RDP_NATIVE.
id	string <uuid> A unique identifier of the policy. Note: This field is required for any operation other than initial creation.
enabled	boolean Indicates whether this policy is enabled.
createdAt	string <date-time>
collectionId	string <uuid> Nullable A unique identifier of the collection assigned to policy. Note: if field not provided policy will created on default collection.
directoryEntities	Array of objects (DirectoryEntity) The entities to which this policy applies.
applications	Array of objects (ApplicationBase) The applications to which this policy applies.
filterConditions	Array of objects (PolicyCondition) Filter conditions that specify the context of the user and the device in which the policy will apply. This Context includes information about the source IP address, source location and source device. The policy is effective only when ALL conditions are satisfied (evaluate to TRUE). Conditions are formed by using properties of the request context and describing their required state. For example, source IP should be one of the listed IP addresses. To retrieve the supported conditions use Get Supported Conditions API.
timeSettingsType	string Default: "permanent" Enum: "permanent" "temporary" "working_hours" configures the time settings type for the policy.
Status	string Indicates the policy status
validators	object The controls you want to enforce as a prerequisite for granting access to the requested resource. Examples are Multi-factor authentication and Web Verification. To configure the required controls, you should retrieve the supported validators IDs by using Get Supported Validators and set the proper ones to TRUE. Note: Applicable for policies of type ACCESS only.
rdpSettings	object (PolicyRDPSettings) Policy settings that are specific to applications of type RDP
sshSettings	object (PolicySSHSettings) Policy settings that are specific to applications of type SSH
tcpSettings	object (PolicyTCPSettings) Policy settings that are specific to applications of type RDP
timeSettings	object (PolicyTimeSettings) Holds additional information regarding time settings of rules. This property applies only in case timeSettingsType is set to "temporary".
workingHoursSettings	object (WorkingHoursSettings) Specifies time slots and weekdays for the secure access. This property applies only in case timeSettingsType is set to "working_hours".

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/by-app-id/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"type": "ACCESS",
"targetProtocol": "SSH",
"targetProtocolSubType": "RDP_NATIVE",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"enabled": true,
"createdAt": "1985-04-12T23:20:50.520Z",
"name": "Contractors Policy to Jira",
"collectionId": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"directoryEntities": 
[
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
],
"applications": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "HTTP",
"subType": "HTTP_LUMINATE_DOMAIN"
}
],
"filterConditions": 
[
{"conditionDefinitionId": "LOCATION_RESTRICTION",
"arguments": 
{"COUNTRIES": 
["Argentina",
"Angola"
]
}
}
],
"timeSettingsType": "permanent",
"Status": "expired",
"validators": 
{"VALIDATOR_MFA": true
},
"rdpSettings": 
{"longTermPassword": false,
"webRdpSettings": 
{"disableCopy": false,
"disablePaste": false
}
},
"sshSettings": 
{"accounts": 
["ubuntu",
"root"
],
"autoMapping": true,
"fullUpnAutoMapping": false,
"agentForward": false,
"acceptTemporaryToken": false,
"acceptCertificate": false
},
"tcpSettings": 
{"acceptTemporaryToken": false,
"acceptCertificate": false
},
"timeSettings": 
{"fromDate": "1985-04-12T23:20:50.52Z",
"toDate": "1985-04-12T23:20:50.52Z"
},
"workingHoursSettings": 
{"days": 
[true,
true,
true,
true,
false,
false,
false
],
"fromHour": "08:00",
"toHour": "17:00",
"endDate": "2025-04-14T23:20:50.52Z"
}
}
]

Update application in policies

put /policies/by-app-id/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/by-app-id/{application-id}

Update explicit application assignment in the list of the policies where this application assigned to. The application will be removed from the policies which doesn’t mentioned in the request body.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Request Body schema: application/json

applicationType required	string (ApplicationType) Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" "DNS" DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications.
policyIds required	Array of strings Identifiers of the policies to apply on the given application.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"applicationType": "HTTP",
"policyIds": 
["string"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Assign Application to policies

post /policies/by-app-id/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/by-app-id/{application-id}

Assign explicit application to the existent policies.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Request Body schema: application/json

applicationType required	string (ApplicationType) Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" "DNS" DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications.
policyIds required	Array of strings Identifiers of the policies to apply on the given application.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"applicationType": "HTTP",
"policyIds": 
["string"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Remove application from policies

delete /policies/by-app-id/{application-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/by-app-id/{application-id}

Remove explicit application from the policies.

Authorizations:

OAuth

path Parameters

application-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

Application ID.

Request Body schema: application/json

applicationType required	string (ApplicationType) Enum: "HTTP" "SSH" "RDP" "DYNAMIC_SSH" "TCP" "SEGMENT" "DNS" DNS is a not an application. DNS servers are published through Symantec ZTNA, leveraging the organization’s domain resolution for Segment Applications.
policyIds required	Array of strings Identifiers of the policies to apply on the given application.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"applicationType": "HTTP",
"policyIds": 
["string"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Shared Objects

Shared object is an instance which might be assigned to other instances, for ease of provisioning. "Network Location" is such a shared object which might be assigned to access or activity policy conditions.

Create Shared Object

post /policies/shared-objects

Default server.

https://api.acme.luminatesec.com/v2/policies/shared-objects

Creates a shared object in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

name required	string A descriptive name of the shared object. The name must be unique.
type required	string Value: "IP_LIST" Determines the shared object value type: IP_LIST - List of Source IPs that will be allowed to access
values required	Array of objects (SharedObjectValue)
id	string <uuid> A unique identifier of the shared object. Note: This field is required for any operation other than initial creation.
modifiedOn	string <date-time> the last time the shared object been modified

Responses

200

successful operation.

Response Schema: application/json

name required	string A descriptive name of the shared object. The name must be unique.
type required	string Value: "IP_LIST" Determines the shared object value type: IP_LIST - List of Source IPs that will be allowed to access
values required	Array of objects (SharedObjectValue)
id	string <uuid> A unique identifier of the shared object. Note: This field is required for any operation other than initial creation.
modifiedOn	string <date-time> the last time the shared object been modified
createdAt	string <date-time> the time at the creation of the shared object

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "NY Office",
"type": "IP_LIST",
"modifiedOn": "2017-10-02T15:40:01.318Z",
"values": 
[
{"value": "192.168.0.0/24"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "NY Office",
"type": "IP_LIST",
"modifiedOn": "2017-10-02T15:40:01.318Z",
"createdAt": "2017-10-02T15:40:01.318Z",
"values": 
[
{"value": "192.168.0.0/24"
}
]
}

List Shared Objects

get /policies/shared-objects

Default server.

https://api.acme.luminatesec.com/v2/policies/shared-objects

Return an array of paginated JSON objects. Each object represents a shared object configured in your Symantec ZTNA tenant.
The supported sort keys are either ‘name’ for sorting by shared object name or ‘created_at’/'modified_on' for sorting by date
Filter applies for the shared object name only.
Using the query filter=test will return all the shared objects for which one or more of the above listed fields contain "test"

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)
type	string Example: type=IP_LIST A shared object type to search by

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (SharedObject)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/shared-objects?sort=name,desc&size=10&page=0&filter=test&type=IP_LIST' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "NY Office",
"type": "IP_LIST",
"modifiedOn": "2017-10-02T15:40:01.318Z",
"createdAt": "2017-10-02T15:40:01.318Z",
"values": 
[
{"value": "192.168.0.0/24"
}
]
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Get Shared Object

get /policies/shared-objects/{shared-object-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/shared-objects/{shared-object-id}

Returns the details of a Shared Object from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

shared-object-id

required

string <uuid>

Example: 6fd0a531-6b70-471a-9dd7-bf374b07814f

Shared Object ID.

Responses

200

successful operation.

Response Schema: application/json

name required	string A descriptive name of the shared object. The name must be unique.
type required	string Value: "IP_LIST" Determines the shared object value type: IP_LIST - List of Source IPs that will be allowed to access
values required	Array of objects (SharedObjectValue)
id	string <uuid> A unique identifier of the shared object. Note: This field is required for any operation other than initial creation.
modifiedOn	string <date-time> the last time the shared object been modified
createdAt	string <date-time> the time at the creation of the shared object

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/policies/shared-objects/6fd0a531-6b70-471a-9dd7-bf374b07814f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "NY Office",
"type": "IP_LIST",
"modifiedOn": "2017-10-02T15:40:01.318Z",
"createdAt": "2017-10-02T15:40:01.318Z",
"values": 
[
{"value": "192.168.0.0/24"
}
]
}

Update Shared Object

put /policies/shared-objects/{shared-object-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/shared-objects/{shared-object-id}

Update an existing shared object in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

shared-object-id

required

string <uuid>

Example: 6fd0a531-6b70-471a-9dd7-bf374b07814f

Shared Object ID.

Request Body schema: application/json

name required	string A descriptive name of the shared object. The name must be unique.
type required	string Value: "IP_LIST" Determines the shared object value type: IP_LIST - List of Source IPs that will be allowed to access
values required	Array of objects (SharedObjectValue)
id	string <uuid> A unique identifier of the shared object. Note: This field is required for any operation other than initial creation.
modifiedOn	string <date-time> the last time the shared object been modified

Responses

200

successful operation.

Response Schema: application/json

name required	string A descriptive name of the shared object. The name must be unique.
type required	string Value: "IP_LIST" Determines the shared object value type: IP_LIST - List of Source IPs that will be allowed to access
values required	Array of objects (SharedObjectValue)
id	string <uuid> A unique identifier of the shared object. Note: This field is required for any operation other than initial creation.
modifiedOn	string <date-time> the last time the shared object been modified
createdAt	string <date-time> the time at the creation of the shared object

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "NY Office",
"type": "IP_LIST",
"modifiedOn": "2017-10-02T15:40:01.318Z",
"values": 
[
{"value": "192.168.0.0/24"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "NY Office",
"type": "IP_LIST",
"modifiedOn": "2017-10-02T15:40:01.318Z",
"createdAt": "2017-10-02T15:40:01.318Z",
"values": 
[
{"value": "192.168.0.0/24"
}
]
}

Delete Shared Object

delete /policies/shared-objects/{shared-object-id}

Default server.

https://api.acme.luminatesec.com/v2/policies/shared-objects/{shared-object-id}

Delete a shared object from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

shared-object-id

required

string <uuid>

Example: 6fd0a531-6b70-471a-9dd7-bf374b07814f

Shared Object ID.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/policies/shared-objects/6fd0a531-6b70-471a-9dd7-bf374b07814f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Collections

Link Site to Collection

post /collection/site-links

Default server.

https://api.acme.luminatesec.com/v2/collection/site-links

Link a Site to a Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

links

Array of objects (CollectionSiteLink)

Responses

200

successful operation.

Response Schema: application/json

links

Array of objects (CollectionSiteLink)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"links": 
[
{"siteId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionId": "dd5ef47d-3e9c-418b-abfc-a1f702fa0c59"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"links": 
[
{"siteId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionId": "dd5ef47d-3e9c-418b-abfc-a1f702fa0c59"
}
]
}

Get Collection Linked Sites

get /collection/site-links/{collection-id}

Default server.

https://api.acme.luminatesec.com/v2/collection/site-links/{collection-id}

Get the Sites linked to the Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

collection-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The collection ID.

Responses

200

successful operation.

Response Schema: application/json

links

Array of objects (CollectionSiteLink)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/collection/site-links/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"links": 
[
{"siteId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionId": "dd5ef47d-3e9c-418b-abfc-a1f702fa0c59"
}
]
}

Unlinks site from collection

delete /collection/site-links/{collection-id}/{site-id}

Default server.

https://api.acme.luminatesec.com/v2/collection/site-links/{collection-id}/{site-id}

Unlink Site from Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

collection-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The collection ID.
site-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The site ID.

Request Body schema: application/json

any

Responses

200

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all

null

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

List Collections

get /collection

Default server.

https://api.acme.luminatesec.com/v2/collection

Return an array of paginated JSON objects. Each object represents an collection configured in your Symantec ZTNA tenant.
Using the query filter=testCollection will return all the collection for which one or more of the above listed fields contain "testCollection"

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
name	string Example: name=test The name of the resource.
application-id	string <uuid> Example: application-id=6fd0a892-8b70-471a-9dd7-bf374b07451f Application ID.
site-id	string <uuid> Example: site-id=3c536623-4763-4f67-a45a-e88f3d08cdd5 Site ID.
policy-id	string <uuid> Example: policy-id=6fd0a531-6b70-471a-9dd7-bf374b07814f Policy ID.

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (Collection)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/collection?sort=name,desc&size=10&page=0&name=test&application-id=6fd0a892-8b70-471a-9dd7-bf374b07451f&site-id=3c536623-4763-4f67-a45a-e88f3d08cdd5&policy-id=6fd0a531-6b70-471a-9dd7-bf374b07814f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Create Collection

post /collection

Default server.

https://api.acme.luminatesec.com/v2/collection

Create Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

id	string <uuid>
name	string

Responses

200

successful operation.

Response Schema: application/json

id	string <uuid>
parentId	string <uuid>
name	string
countResources	integer <int32>
countLinkedSites	integer <int32>
fqdn	string authorization fqdn

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
}

Get Collection

get /collection/{collection-id}

Default server.

https://api.acme.luminatesec.com/v2/collection/{collection-id}

Get Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

collection-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The collection ID.

Responses

200

successful operation.

Response Schema: application/json

id	string <uuid>
parentId	string <uuid>
name	string
countResources	integer <int32>
countLinkedSites	integer <int32>
fqdn	string authorization fqdn

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/collection/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
}

Update Collection

put /collection/{collection-id}

Default server.

https://api.acme.luminatesec.com/v2/collection/{collection-id}

Update Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

collection-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The collection ID.

Request Body schema: application/json

name

string

Responses

200

successful operation.

Response Schema: application/json

id	string <uuid>
parentId	string <uuid>
name	string
countResources	integer <int32>
countLinkedSites	integer <int32>
fqdn	string authorization fqdn

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "string"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
}

Delete Collection

delete /collection/{collection-id}

Default server.

https://api.acme.luminatesec.com/v2/collection/{collection-id}

Delete Collection in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

collection-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The collection ID.

Request Body schema: application/json

any

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all

null

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Get Collections by Site

get /collection/site/{site-id}

Default server.

https://api.acme.luminatesec.com/v2/collection/site/{site-id}

Get Collections by Site in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

site-id

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The site ID.

Responses

200

successful operation.

Response Schema: application/json

collectionIds

Array of strings <uuid>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/collection/site/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"collectionIds": 
["ff5ef47d-3e9c-418b-abfc-a1f702fa0c59"
]
}

List Role Bindings

get /collection/role-bindings

Default server.

https://api.acme.luminatesec.com/v2/collection/role-bindings

List Role Bindings in your Symantec ZTNA tenant.

Authorizations:

OAuth

query Parameters

sort	any Default: "displayName" Enum: "displayName" "entityType" "role" "createdAt" "subjectType" Example: sort=name The value of this parameter is a comma-separated list of sort key.
direction	string Default: "asc" Enum: "asc" "desc" Example: direction=asc The value of this parameter is a comma-separated list of sort direction.
page	number <int32> The page number.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
entityIdInIdp	string Example: entityIdInIdp=18837193-a81a-400f-b38d-482379e3ab47 Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.
entityType	any Enum: "User" "Group" "ApiClient" Example: entityType=User The directory entity type (User/Group/OU/API Client).
entityName	string Example: entityName=test The value of this parameter is entity name.
subjectId	string <uuid> Example: subjectId=18837193-a81a-400f-b38d-482379e3ab47 The ID of the Resource that assigned.
subjectType	string (SubjectType) Enum: "Site" "App" "Policy" "Collection" Example: subjectType=Site The Resource that assigned to the role type (Site/App/Policy).
subjectName	string Example: subjectName=siteName The Resource that assigned to the role name.
roleType	string (RoleType) Enum: "TenantAdmin" "TenantViewer" "SiteEditor" "SiteConnectorDeployer" "ApplicationOwner" "PolicyOwner" Example: roleType=TenantAdmin The role type (TenantAdmin/TenantViewer/SiteEditor/SiteConnectorDeployer/ApplicationOwner/PolicyOwner) that will assign to entity.

Responses

200

successful operation

Response Schema: application/json

content	Array of objects (RoleBinding)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/collection/role-bindings?sort=name&direction=asc&page=0&size=10&entityIdInIdp=18837193-a81a-400f-b38d-482379e3ab47&entityType=User&entityName=test&subjectId=18837193-a81a-400f-b38d-482379e3ab47&subjectType=undefined&subjectName=siteName&roleType=TenantAdmin' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"createdAt": "2025-08-21T14:31:22Z",
"role": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "Tenant Viewer",
"RoleType": "TenantAdmin"
},
"Collection": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
},
"entity": 
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
},
"resource": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionID": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"fqdn": "r::site",
"name": "SiteName",
"originalResourceId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"subjectType": "Site"
}
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Create Tenant Role Binding

post /collection/tenant-role-bindings

Default server.

https://api.acme.luminatesec.com/v2/collection/tenant-role-bindings

Create Tenant Role Binding in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

roleType	string (TenantRoleType) Enum: "TenantAdmin" "TenantViewer" Tenant role type (TenantAdmin/TenantViewer) that will assign to entity.
entities	Array of objects (DirectoryEntity)

Responses

201

successful operation.

Response Schema: application/json

roleBindings

Array of objects (RoleBinding)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"roleType": "TenantAdmin",
"entities": 
[
{"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"roleBindings": 
[
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"createdAt": "2025-08-21T14:31:22Z",
"role": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "Tenant Viewer",
"RoleType": "TenantAdmin"
},
"Collection": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
},
"entity": 
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
},
"resource": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionID": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"fqdn": "r::site",
"name": "SiteName",
"originalResourceId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"subjectType": "Site"
}
}
]
}

Create Collection Role Binding

post /collection/collection-role-bindings

Default server.

https://api.acme.luminatesec.com/v2/collection/collection-role-bindings

Create Collection Role Binding in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

roleType	string (CollectionRoleType) Enum: "ApplicationOwner" "PolicyOwner" Collection role type (CollectionAdmin/CollectionViewer) that will assign to entity.
collectionId	string <uuid>
entities	Array of objects (DirectoryEntity)

Responses

201

successful operation.

Response Schema: application/json

roleBindings

Array of objects (RoleBinding)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"roleType": "CollectionAdmin",
"collectionId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"entities": 
[
{"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"roleBindings": 
[
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"createdAt": "2025-08-21T14:31:22Z",
"role": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "Tenant Viewer",
"RoleType": "TenantAdmin"
},
"Collection": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
},
"entity": 
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
},
"resource": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionID": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"fqdn": "r::site",
"name": "SiteName",
"originalResourceId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"subjectType": "Site"
}
}
]
}

Create Site Role Binding

post /collection/site-role-bindings

Default server.

https://api.acme.luminatesec.com/v2/collection/site-role-bindings

Create Site Role Binding in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

roleType	string (SiteRoleType) Enum: "SiteEditor" "SiteConnectorDeployer" Site role type (SiteEditor/SiteConnectorDeployer) that will assign to entity.
siteId	string <uuid>
entities	Array of objects (DirectoryEntity)

Responses

201

successful operation.

Response Schema: application/json

roleBindings

Array of objects (RoleBinding)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"roleType": "SiteEditor",
"siteId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"entities": 
[
{"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"roleBindings": 
[
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"createdAt": "2025-08-21T14:31:22Z",
"role": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "Tenant Viewer",
"RoleType": "TenantAdmin"
},
"Collection": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"parentId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "string",
"countResources": 0,
"countLinkedSites": 0,
"fqdn": "string"
},
"entity": 
{"id": "2fd0a178-8b70-296a-9dd7-bf260b07683f",
"identifierInProvider": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"identityProviderId": "local",
"identityProviderType": "local",
"type": "User",
"displayName": "John Doe"
},
"resource": 
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"collectionID": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"fqdn": "r::site",
"name": "SiteName",
"originalResourceId": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"subjectType": "Site"
}
}
]
}

Delete Role Binding

post /collection/role-bindings/delete

Default server.

https://api.acme.luminatesec.com/v2/collection/role-bindings/delete

Delete Collection Role Binding in your Symantec ZTNA tenant by role binding IDs. you can retrieve role bindings ids from List Role Bindings API.

Authorizations:

OAuth

Request Body schema: application/json

roleBindingIds

Array of strings <uuid>

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"roleBindingIds": 
["6fd0a892-8b70-471a-9dd7-bf374b07451f"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

DNS Resiliency

Create New DNS Group

post /wss-integration-tenant/dns-groups

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups

Create New DNS Group.

Authorizations:

OAuth

Request Body schema: application/json

name required	string The name of the group.
domainSuffixes required	Array of strings
sendNotifications required	boolean Indicates whether notifications should be sent to admin.

Responses

201

DNS Group has been created successfully.

Response Schema: application/json

id	string <uuid> The id of the group.
name	string The name of the group.
status	string The status of the group.
domainSuffixes	Array of strings List of domain suffixes.
sendNotifications	boolean Indicates whether notifications should be sent to admin.
servers	Array of strings list of dns servers ids.
serverInUsed	string <uuid> Indicates the id of the active server in the group
activeServerAddress	string the address of the active dns server.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "group1",
"domainSuffixes": 
["[\"dns-group.com\",\"example.com\"]"
],
"sendNotifications": "true"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "0115deec-b583-4335-92f2-8269f0bfd493",
"name": "DNS Group 1",
"status": "Available",
"domainSuffixes": "[\"dns-group.com\",\"other-group.com\"]",
"sendNotifications": "true",
"servers": "[\"0115deec-b583-4335-92f2-8269f0bfd493\",\"cf5780a0-4c72-45db-92c4-c7ce517f86e9\"]",
"serverInUsed": "0115deec-b583-4335-92f2-8269f0bfd493",
"activeServerAddress": "1.1.1.1"
}

List DNS Groups

get /wss-integration-tenant/dns-groups

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups

List DNS Groups.

Authorizations:

OAuth

query Parameters

sort	string Default: "id,asc" Example: sort=name,desc The value of this parameter is a comma-separated list of sort key and sort direction. By default, query results are sorted in ascending order by item id. The supported sort directions are either 'asc' for ascending or 'desc' for descending.
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)

Responses

200

List Dns Groups.

Response Schema: application/json

content	Array of objects (DnsGroupOutput)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups?sort=name,desc&size=10&page=0&filter=test' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "0115deec-b583-4335-92f2-8269f0bfd493",
"name": "DNS Group 1",
"status": "Available",
"domainSuffixes": "[\"dns-group.com\",\"other-group.com\"]",
"sendNotifications": "true",
"servers": "[\"0115deec-b583-4335-92f2-8269f0bfd493\",\"cf5780a0-4c72-45db-92c4-c7ce517f86e9\"]",
"serverInUsed": "0115deec-b583-4335-92f2-8269f0bfd493",
"activeServerAddress": "1.1.1.1"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

Get DNS Group By ID

get /wss-integration-tenant/dns-groups/{dnsGroupId}

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}

Retrieve a group by its ID.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the group to retrieve, update or delete.

Responses

200

Successful response.

Response Schema: application/json

id	string <uuid> The id of the group.
name	string The name of the group.
status	string The status of the group.
domainSuffixes	Array of strings List of domain suffixes.
sendNotifications	boolean Indicates whether notifications should be sent to admin.
servers	Array of strings list of dns servers ids.
serverInUsed	string <uuid> Indicates the id of the active server in the group
activeServerAddress	string the address of the active dns server.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "0115deec-b583-4335-92f2-8269f0bfd493",
"name": "DNS Group 1",
"status": "Available",
"domainSuffixes": "[\"dns-group.com\",\"other-group.com\"]",
"sendNotifications": "true",
"servers": "[\"0115deec-b583-4335-92f2-8269f0bfd493\",\"cf5780a0-4c72-45db-92c4-c7ce517f86e9\"]",
"serverInUsed": "0115deec-b583-4335-92f2-8269f0bfd493",
"activeServerAddress": "1.1.1.1"
}

Update a group by ID

put /wss-integration-tenant/dns-groups/{dnsGroupId}

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}

Update a group by its ID.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the group to retrieve, update or delete.

Request Body schema: application/json

name required	string The name of the group.
domainSuffixes required	Array of strings
sendNotifications required	boolean Indicates whether notifications should be sent to admin.

Responses

200

Group updated successfully.

Response Schema: application/json

id	string <uuid> The id of the group.
name	string The name of the group.
status	string The status of the group.
domainSuffixes	Array of strings List of domain suffixes.
sendNotifications	boolean Indicates whether notifications should be sent to admin.
servers	Array of strings list of dns servers ids.
serverInUsed	string <uuid> Indicates the id of the active server in the group
activeServerAddress	string the address of the active dns server.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "group1",
"domainSuffixes": 
["[\"dns-group.com\",\"example.com\"]"
],
"sendNotifications": "true"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "0115deec-b583-4335-92f2-8269f0bfd493",
"name": "DNS Group 1",
"status": "Available",
"domainSuffixes": "[\"dns-group.com\",\"other-group.com\"]",
"sendNotifications": "true",
"servers": "[\"0115deec-b583-4335-92f2-8269f0bfd493\",\"cf5780a0-4c72-45db-92c4-c7ce517f86e9\"]",
"serverInUsed": "0115deec-b583-4335-92f2-8269f0bfd493",
"activeServerAddress": "1.1.1.1"
}

Delete a group by ID

delete /wss-integration-tenant/dns-groups/{dnsGroupId}

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}

Delete a group by ID.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the group to retrieve, update or delete.

Responses

204

Group deleted successfully.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Create New DNS Server in Group

post /wss-integration-tenant/dns-groups/{dnsGroupId}/servers/

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}/servers/

Create New DNS Server in Group.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the group to create a server for.

Request Body schema: application/json

name required	string The name of the DNS Server.
internalAddress required	string The IP address of the server.
siteId required	string <uuid> The site ID associated with the DNS Server.
groupId required	string <uuid> The group ID associated with the DNS Server.

Responses

201

Server created successfully in group.

Response Schema: application/json

id	string <uuid>
groupId	string <uuid> The group ID associated with the DNS Server.
siteId	string The site ID associated with the DNS Server.
name	string The name of the DNS Server.
internalAddress	string The IP address of the server.
healthStatus	string Enum: "Available" "UnAvailable" DNS server status.
createdAt	string <date-time>
updatedAt	string <date-time>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "server1",
"internalAddress": "1.1.1.1",
"siteId": "8577c221-7f35-4019-b8d7-31d936bda96b",
"groupId": "gg5ef47d-3e9c-418b-abfc-a1f702fa0c60"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "8577c221-7f35-4019-b8d7-31d936bda96b",
"groupId": "9977c221-7f35-4019-b8d7-31d936bda95f",
"siteId": "3377c221-7f35-4019-b8d7-31d936bda98d",
"name": "server1",
"internalAddress": "1.1.1.1",
"healthStatus": "Available",
"createdAt": "2024-04-12T23:20:50.52Z",
"updatedAt": "2024-04-12T23:20:50.52Z"
}

Get All Servers Of a DNS Group

get /wss-integration-tenant/dns-groups/{dnsGroupId}/servers/

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}/servers/

Retrieve a list of servers for a specific group.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the group to retrieve servers for.

Responses

200

Get dns group's servers.

Response Schema: application/json

Array

id	string <uuid>
groupId	string <uuid> The group ID associated with the DNS Server.
siteId	string The site ID associated with the DNS Server.
name	string The name of the DNS Server.
internalAddress	string The IP address of the server.
healthStatus	string Enum: "Available" "UnAvailable" DNS server status.
createdAt	string <date-time>
updatedAt	string <date-time>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/6fd0a892-8b70-471a-9dd7-bf374b07451f/servers/' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"id": "8577c221-7f35-4019-b8d7-31d936bda96b",
"groupId": "9977c221-7f35-4019-b8d7-31d936bda95f",
"siteId": "3377c221-7f35-4019-b8d7-31d936bda98d",
"name": "server1",
"internalAddress": "1.1.1.1",
"healthStatus": "Available",
"createdAt": "2024-04-12T23:20:50.52Z",
"updatedAt": "2024-04-12T23:20:50.52Z"
}
]

Get DNS Server By Id

get /wss-integration-tenant/dns-groups/{dnsGroupId}/servers/{serverId}

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}/servers/{serverId}

Retrieve a server of a specific group by id.

Authorizations:

OAuth

path Parameters

dnsGroupId required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The ID of the group to get the server for.
serverId required	string <uuid> Example: 5gd0a892-8b70-471a-9dd7-bf374b07453g The ID of the DNS server to retrieve.

Responses

200

Get DNS server.

Response Schema: application/json

id	string <uuid>
groupId	string <uuid> The group ID associated with the DNS Server.
siteId	string The site ID associated with the DNS Server.
name	string The name of the DNS Server.
internalAddress	string The IP address of the server.
healthStatus	string Enum: "Available" "UnAvailable" DNS server status.
createdAt	string <date-time>
updatedAt	string <date-time>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/6fd0a892-8b70-471a-9dd7-bf374b07451f/servers/5gd0a892-8b70-471a-9dd7-bf374b07453g' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "8577c221-7f35-4019-b8d7-31d936bda96b",
"groupId": "9977c221-7f35-4019-b8d7-31d936bda95f",
"siteId": "3377c221-7f35-4019-b8d7-31d936bda98d",
"name": "server1",
"internalAddress": "1.1.1.1",
"healthStatus": "Available",
"createdAt": "2024-04-12T23:20:50.52Z",
"updatedAt": "2024-04-12T23:20:50.52Z"
}

Update DNS Server By Id

put /wss-integration-tenant/dns-groups/{dnsGroupId}/servers/{serverId}

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}/servers/{serverId}

Update DNS server of a specific group by id.

Authorizations:

OAuth

path Parameters

dnsGroupId required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The ID of the DNS resiliency group.
serverId required	string <uuid> Example: 5gd0a892-8b70-471a-9dd7-bf374b07453g The ID of the DNS server to update.

Request Body schema: application/json

name required	string The name of the DNS Server.
internalAddress required	string The IP address of the server.
siteId required	string <uuid> The site ID associated with the DNS Server.
groupId required	string <uuid> The group ID associated with the DNS Server.

Responses

200

update DNS server.

Response Schema: application/json

id	string <uuid>
groupId	string <uuid> The group ID associated with the DNS Server.
siteId	string The site ID associated with the DNS Server.
name	string The name of the DNS Server.
internalAddress	string The IP address of the server.
healthStatus	string Enum: "Available" "UnAvailable" DNS server status.
createdAt	string <date-time>
updatedAt	string <date-time>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "server1",
"internalAddress": "1.1.1.1",
"siteId": "8577c221-7f35-4019-b8d7-31d936bda96b",
"groupId": "gg5ef47d-3e9c-418b-abfc-a1f702fa0c60"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "8577c221-7f35-4019-b8d7-31d936bda96b",
"groupId": "9977c221-7f35-4019-b8d7-31d936bda95f",
"siteId": "3377c221-7f35-4019-b8d7-31d936bda98d",
"name": "server1",
"internalAddress": "1.1.1.1",
"healthStatus": "Available",
"createdAt": "2024-04-12T23:20:50.52Z",
"updatedAt": "2024-04-12T23:20:50.52Z"
}

Delete DNS Servers By Ids

post /wss-integration-tenant/dns-groups/{dnsGroupId}/servers/delete-by-ids

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}/servers/delete-by-ids

Delete DNS server by group id and dns server ids.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the DNS resiliency group.

Request Body schema: application/json

DnsServerIds

Array of strings <uuid>

Responses

204

DNS servers have been deleted.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"DnsServerIds": 
["6fd0a892-8b70-471a-9dd7-bf374b07451f"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Update DNS Servers Order

put /wss-integration-tenant/dns-groups/{dnsGroupId}/server-order

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/{dnsGroupId}/server-order

Update DNS Server resiliency order and the agent if needed. Send an array which contains ordered DNS server ids, The 1st item has the highest priority.

Authorizations:

OAuth

path Parameters

dnsGroupId

required

string <uuid>

Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f

The ID of the group of the DNS server.

Request Body schema: application/json

DnsServerIds

Array of strings <uuid>

Responses

200

updated servers order in DNS group

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"DnsServerIds": 
["6fd0a892-8b70-471a-9dd7-bf374b07451f"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Enable/Disable DNS Groups

post /wss-integration-tenant/dns-groups/enableByIds

Default server.

https://api.acme.luminatesec.com/v2/wss-integration-tenant/dns-groups/enableByIds

Enable or Disable DNS Groups.

Authorizations:

OAuth

Request Body schema: application/json

enable required	boolean enable or disable groups.
groupIds required	Array of strings List of group ids to enable or disable.

Responses

200

successfully enabled/disabled group

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

NotFound - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"enable": "true",
"groupIds": 
["[\"99116c18-d842-4d2e-82b7-a493cc86e649\"]"
]
}

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Identity Providers

Working agains one of the supported Identity Providers or with Symantec ZTNA internal Identity Provider.

List Identity Providers

get /identities/settings/identity-providers

Default server.

https://api.acme.luminatesec.com/v2/identities/settings/identity-providers

Return an array of JSON objects. Each object represents an Identity Provider configuration in your Symantec ZTNA tenant.

Authorizations:

OAuth

query Parameters

includeLocal

boolean

Default: false

Indication whether to include Symantec ZTNA internal Identity Provider in the response.

Responses

200

successful operation.

Response Schema: application/json

Array

name required	string >= 1 A descriptive name of the Identity Provider.
provider required	string (IdentityProviderType) Identity provider name. okta
settings	object (DirectoryProviderSettingsOkta)
instructions	object (DirectoryProviderInstructionsOneLoginOrOkta)
id	string <uuid> A unique identifier of this Identity Provider. Note: This field is required for any operation other than initial creation.
is_authenticator	boolean Default: true Indication whether this identity provider is used for authentication.
is_user_store	boolean Default: true Indication whether this identity provider is used for storing identities.
authenticator_id	string <uuid> Nullable Symantec ZTNA internal identifier of the Identity Provider used for authentication. This property holds a value only in case the Identity Provider is used for storing identities only (is_authenticator=false).
created_at	string <date-time> Identity Provider object creation date.
updated_at	string <date-time> The date when the Identity Provider object was last updated.
auth0_connection_id	string Symantec ZTNA internal identifier of the Identity Provider connection.
upn_override_value_data_mapping	string

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/settings/identity-providers?includeLocal=false' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"name": "Okta ACME",
"provider": "local",
"is_authenticator": true,
"is_user_store": true,
"authenticator_id": null,
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"auth0_connection_id": "con_RWvVa2P2YCCDzZt1",
"upn_override_value_data_mapping": null
}
]

Users

A user that is managed by one of the supported Identity Providers or locally by Symantec ZTNA internal Identity Provider.

Search Users By Identity Provider

get /identities/{identity-provider-id}/users

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/users

Return an array of JSON objects. Each object represents a user in the given IDP.
Pagination support is defined per Identity Provider. Filter applies for user name only.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

query Parameters

filter	string Example: filter=test The string by which the results are filtered (see description)
pageOffset	string or number Example: pageOffset=1 Page number. Depending on the Identity Provider, this field can either be a number or a string. It can't be assumed and a valid value must be used from the response returned for the previous page. If not specified, first page is returned.
sortBy	string Example: sortBy=email:desc The value of this parameter is a combination of sort key and sort direction: <field>:<direction>. Sort directions are either 'asc' for ascending or 'desc' for descending. The supported sort keys are ‘email’ for a user and name for a group. By default, query results are sorted in ascending order by ‘email’.
perPage	number <int32> [ 1 .. 100 ] Default: 25 Example: perPage=10 The number of items returned in a single page.
email	string Example: email=john e-mail by which the results are filtered. Using the query email=john will return all the entities whose email address contains "john"

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (User)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
perPage	integer <int32> Number of elements in current page.
nextPage	number Next page offset indicator. Its value should be passed in the `pageOffset` query parameter. when requesting the next page. Its type depends on the Identity Provider.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/users?filter=test&pageOffset=1&sortBy=email:desc&perPage=10&email=john' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"last_login": "2025-08-21T14:31:22Z",
"logins_count": 1235,
"repository_type": "local",
"is_admin": false,
"is_deleted": false,
"blocked": false,
"hasMfaSecret": false,
"id": "978f38e3-ec9f-4779-829d-19f1f443dec8",
"identity_provider_id": "local"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"perPage": 1,
"nextPage": 1
}

Get User

get /identities/{identity-provider-id}/users/{entity-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/users/{entity-id}

Return user by ID from the specified identity provider. For the local users repository in your Symantec ZTNA tenant, set identity-provider-id to 'local'.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Responses

200

successful operation.

Response Schema: application/json

username required	string The identity with which the user logs in. Should be in the format `anyText@`<`tenant-name`>`.`<`domain-name`>.
notification_email required	string The email address to which notifications are sent.
identity_provider_id required	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
upn	string User principal name.
first_name	string Nullable First name.
last_name	string Nullable Last name.
email	string The email address to which outgoing mails are sent. This field is deprecated. Please use username & notification_email fields.
created_at	string <date-time> The date when the user was created.
updated_at	string <date-time> The date when the user was last updated (modified).
last_login	string <date-time> Date when the user last logged in.
logins_count	integer <int32> The number of logins made by this user.
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.
is_admin	boolean Default: false Indication whether the user holds an administrator role.
is_deleted	boolean Default: false Indication whether the user was deleted from the system.
blocked	boolean Default: false Indication whether the user is blocked from logging into your tenant.
hasMfaSecret	boolean Default: false Indication whether the user has already registered to the configured multi-factor authenticator provider.
id	string <uuid> A unique identifier of the user.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/users/4fd0a357-8b70-345a-9dd7-bf359b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"last_login": "2025-08-21T14:31:22Z",
"logins_count": 1235,
"repository_type": "local",
"is_admin": false,
"is_deleted": false,
"blocked": false,
"hasMfaSecret": false,
"id": "978f38e3-ec9f-4779-829d-19f1f443dec8",
"identity_provider_id": "local"
}

Delete User

delete /identities/{identity-provider-id}/users/{entity-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/users/{entity-id}

Deletes a user permanently from Symantec ZTNA tenant's repository. Applicable for Generic SAML (SAML attributes) integration or Local Users only. For the local users repository in your Symantec ZTNA tenant, set identity-provider-id to 'local'.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/users/4fd0a357-8b70-345a-9dd7-bf359b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Create Local User

post /identities/local/users

Default server.

https://api.acme.luminatesec.com/v2/identities/local/users

Creates a new user in Symantec ZTNA Identity Provider in your Symantec ZTNA tenant. In the request body. repository_type should be set to local.

Authorizations:

OAuth

Request Body schema: application/json

username required	string The identity with which the user logs in. Should be in the format `anyText@`<`tenant-name`>`.`<`domain-name`>.
notification_email required	string The email address to which notifications are sent.
identity_provider_id required	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
upn	string User principal name.
first_name	string Nullable First name.
last_name	string Nullable Last name.
email	string The email address to which outgoing mails are sent. This field is deprecated. Please use username & notification_email fields.
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.

Responses

201

successful operation.

Response Schema: application/json

username required	string The identity with which the user logs in. Should be in the format `anyText@`<`tenant-name`>`.`<`domain-name`>.
notification_email required	string The email address to which notifications are sent.
identity_provider_id required	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
upn	string User principal name.
first_name	string Nullable First name.
last_name	string Nullable Last name.
email	string The email address to which outgoing mails are sent. This field is deprecated. Please use username & notification_email fields.
created_at	string <date-time> The date when the user was created.
updated_at	string <date-time> The date when the user was last updated (modified).
last_login	string <date-time> Date when the user last logged in.
logins_count	integer <int32> The number of logins made by this user.
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.
is_admin	boolean Default: false Indication whether the user holds an administrator role.
is_deleted	boolean Default: false Indication whether the user was deleted from the system.
blocked	boolean Default: false Indication whether the user is blocked from logging into your tenant.
hasMfaSecret	boolean Default: false Indication whether the user has already registered to the configured multi-factor authenticator provider.
id	string <uuid> A unique identifier of the user.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"repository_type": "local",
"identity_provider_id": "local"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"last_login": "2025-08-21T14:31:22Z",
"logins_count": 1235,
"repository_type": "local",
"is_admin": false,
"is_deleted": false,
"blocked": false,
"hasMfaSecret": false,
"id": "978f38e3-ec9f-4779-829d-19f1f443dec8",
"identity_provider_id": "local"
}

Update Local User

put /identities/local/users/{entity-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/local/users/{entity-id}

Updates an existing user in Symantec ZTNA Identity Provider in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

entity-id

required

string

Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f

Entity identifier as determined by the owning Identity Provider.
This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Request Body schema: application/json

username required	string The identity with which the user logs in. Should be in the format `anyText@`<`tenant-name`>`.`<`domain-name`>.
notification_email required	string The email address to which notifications are sent.
identity_provider_id required	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
upn	string User principal name.
first_name	string Nullable First name.
last_name	string Nullable Last name.
email	string The email address to which outgoing mails are sent. This field is deprecated. Please use username & notification_email fields.
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.

Responses

200

successful operation.

Response Schema: application/json

username required	string The identity with which the user logs in. Should be in the format `anyText@`<`tenant-name`>`.`<`domain-name`>.
notification_email required	string The email address to which notifications are sent.
identity_provider_id required	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
upn	string User principal name.
first_name	string Nullable First name.
last_name	string Nullable Last name.
email	string The email address to which outgoing mails are sent. This field is deprecated. Please use username & notification_email fields.
created_at	string <date-time> The date when the user was created.
updated_at	string <date-time> The date when the user was last updated (modified).
last_login	string <date-time> Date when the user last logged in.
logins_count	integer <int32> The number of logins made by this user.
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.
is_admin	boolean Default: false Indication whether the user holds an administrator role.
is_deleted	boolean Default: false Indication whether the user was deleted from the system.
blocked	boolean Default: false Indication whether the user is blocked from logging into your tenant.
hasMfaSecret	boolean Default: false Indication whether the user has already registered to the configured multi-factor authenticator provider.
id	string <uuid> A unique identifier of the user.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"repository_type": "local",
"identity_provider_id": "local"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"last_login": "2025-08-21T14:31:22Z",
"logins_count": 1235,
"repository_type": "local",
"is_admin": false,
"is_deleted": false,
"blocked": false,
"hasMfaSecret": false,
"id": "978f38e3-ec9f-4779-829d-19f1f443dec8",
"identity_provider_id": "local"
}

Delete Local User

delete /identities/local/users/{entity-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/local/users/{entity-id}

Deletes a user permanently from Symantec ZTNA Identity Provider in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

entity-id

required

string

Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/local/users/4fd0a357-8b70-345a-9dd7-bf359b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

List Blocked Users

get /identities/settings/blocked-users

Default server.

https://api.acme.luminatesec.com/v2/identities/settings/blocked-users

Lists of blocked users in your Symantec ZTNA tenant.

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

Array

identity_provider_id required	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
user_id required	string (EntityId) Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.
created_at	string <date-time> The date when the user was blocked.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/settings/blocked-users' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"identity_provider_id": "local",
"user_id": "4fd0a357-8b70-345a-9dd7-bf359b07451f",
"created_at": "2025-08-21T14:31:22Z"
}
]

Block User

post /identities/{identity-provider-id}/users/{entity-id}/block

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/users/{entity-id}/block

Blocks a user in your Symantec ZTNA tenant. Blocking a group of users is not supported. All active sessions of the given user will get disconnected and the user will no longer be able to login to your tenant.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X POST 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/users/4fd0a357-8b70-345a-9dd7-bf359b07451f/block' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Unblock User

delete /identities/{identity-provider-id}/users/{entity-id}/block

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/users/{entity-id}/block

Unblocks a user in your Symantec ZTNA tenant. Unblocking a group of users is not supported. Upon a successful operation, the user will be able to login to your tenant.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/users/4fd0a357-8b70-345a-9dd7-bf359b07451f/block' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Groups

A group that is managed by one of the supported Identity Providers or locally by Symantec ZTNA internal Identity Provider.

Get Group

get /identities/{identity-provider-id}/groups/{entity-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/groups/{entity-id}

Return group by ID from the specified identity provider. For the local groups repository in your Symantec ZTNA tenant, set identity-provider-id to 'local'.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Responses

200

successful operation.

Response Schema: application/json

name required	string Group name
id	string Group uuid
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.
identity_provider_id	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
created_at	string <date-time>
updated_at	string <date-time>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/groups/4fd0a357-8b70-345a-9dd7-bf359b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "d8028639-a76a-4614-965a-7e3d4832d94b",
"name": "Administrators",
"repository_type": "local",
"identity_provider_id": "local",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z"
}

Delete Group

delete /identities/{identity-provider-id}/groups/{entity-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/groups/{entity-id}

Deletes a group permanently from Symantec ZTNA tenant's repository. Applicable for Generic SAML (SAML attributes) integration or Local Groups only. For the local groups repository in your Symantec ZTNA tenant, set identity-provider-id to 'local'.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/groups/4fd0a357-8b70-345a-9dd7-bf359b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Search Groups By Identity Provider

get /identities/{identity-provider-id}/groups

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/groups

Return an array of JSON objects. Each object represents a group in the given IDP.
Pagination support is defined per Identity Provider. Filter applies for group name only.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

query Parameters

filter	string Example: filter=test The string by which the results are filtered (see description)
pageOffset	string or number Example: pageOffset=1 Page number. Depending on the Identity Provider, this field can either be a number or a string. It can't be assumed and a valid value must be used from the response returned for the previous page. If not specified, first page is returned.
sortBy	string Example: sortBy=email:desc The value of this parameter is a combination of sort key and sort direction: <field>:<direction>. Sort directions are either 'asc' for ascending or 'desc' for descending. The supported sort keys are ‘email’ for a user and name for a group. By default, query results are sorted in ascending order by ‘email’.
perPage	number <int32> [ 1 .. 100 ] Default: 25 Example: perPage=10 The number of items returned in a single page.

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (Group)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
perPage	integer <int32> Number of elements in current page.
nextPage	number Next page offset indicator. Its value should be passed in the `pageOffset` query parameter. when requesting the next page. Its type depends on the Identity Provider.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/groups?filter=test&pageOffset=1&sortBy=email:desc&perPage=10' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "d8028639-a76a-4614-965a-7e3d4832d94b",
"name": "Administrators",
"repository_type": "local",
"identity_provider_id": "local",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"perPage": 1,
"nextPage": 1
}

Create Group

post /identities/{identity-provider-id}/groups

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/groups

Creates a new group in Symantec ZTNA tenant repository. Applicable for Generic SAML (SAML attributes) integration or Local Groups only. For the local groups repository in your Symantec ZTNA tenant, set identity-provider-id to 'local'.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

Request Body schema: application/json

name

required

string

Group name

Responses

201

successful operation.

Response Schema: application/json

name required	string Group name
id	string Group uuid
repository_type	string (IdentityProviderType) Enum: "local" "ad" "okta" "adfs" "gapps" "onelogin" "generic-saml" Identity provider name.
identity_provider_id	string <uuid> (IdentityProviderId) Identity Provider identifier. This property might include non-ascii characters (i.e. LDAP). In such a case, the client needs to use URL Encoding. This uuid can be retrieved using List Identity Providers API.. This property equals 'local' when the Identity Provider is Symantec ZTNA internal one.
created_at	string <date-time>
updated_at	string <date-time>

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "Administrators"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "d8028639-a76a-4614-965a-7e3d4832d94b",
"name": "Administrators",
"repository_type": "local",
"identity_provider_id": "local",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z"
}

List Assigned Users

get /identities/{identity-provider-id}/groups/{entity-id}/users

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/groups/{entity-id}/users

Returns a group's user list by ID from the specified identity provider For the local users repository in your Symantec ZTNA tenant, set identity-provider-id to 'local'.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
entity-id required	string Example: 4fd0a357-8b70-345a-9dd7-bf359b07451f Entity identifier as determined by the owning Identity Provider. This identifier can be retrieved using Search Users By Identity Provider API for users or Search Groups By Identity Provider API for groups.

query Parameters

pageOffset	string or number Example: pageOffset=1 Page number. Depending on the Identity Provider, this field can either be a number or a string. It can't be assumed and a valid value must be used from the response returned for the previous page. If not specified, first page is returned.
perPage	number <int32> [ 1 .. 100 ] Default: 25 Example: perPage=10 The number of items returned in a single page.

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (User)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
perPage	integer <int32> Number of elements in current page.
nextPage	number Next page offset indicator. Its value should be passed in the `pageOffset` query parameter. when requesting the next page. Its type depends on the Identity Provider.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/groups/{entity-id}/users?pageOffset=1&perPage=10' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"username": "john.doe@acme.luminatesec.com",
"notification_email": "john.doe@gmail.com",
"upn": "john.doe@acme.com",
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@acme.com",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"last_login": "2025-08-21T14:31:22Z",
"logins_count": 1235,
"repository_type": "local",
"is_admin": false,
"is_deleted": false,
"blocked": false,
"hasMfaSecret": false,
"id": "978f38e3-ec9f-4779-829d-19f1f443dec8",
"identity_provider_id": "local"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"perPage": 1,
"nextPage": 1
}

Remove User From Group

delete /identities/local/groups/{group-id}/users/{user-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/local/groups/{group-id}/users/{user-id}

Remove user from group.

Authorizations:

OAuth

path Parameters

group-id required	string Example: b7188113-b9c6-4dee-9a3c-3963236f19a8 Group ID
user-id required	string Example: 64b2d04f-157f-48a3-a277-e1b4147c46c4 User ID

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/local/groups/{group-id}/users/{user-id}' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Assign User To Group

put /identities/local/groups/{group-id}/users/{user-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/local/groups/{group-id}/users/{user-id}

Add user to group.

Authorizations:

OAuth

path Parameters

group-id required	string Example: b7188113-b9c6-4dee-9a3c-3963236f19a8 Group ID
user-id required	string Example: 64b2d04f-157f-48a3-a277-e1b4147c46c4 User ID

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X PUT 'https://api.acme.luminatesec.com/v2/identities/local/groups/{group-id}/users/{user-id}' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

SSH Clients

List SSH Clients

get /ssh-clients

Default server.

https://api.acme.luminatesec.com/v2/ssh-clients

Return an array of paginated JSON objects. Each object represents a ssh-client configured in your Symantec ZTNA tenant.
Using the query filter=test will return all the ssh-clients for which one or more of the above listed fields contain "test"

Authorizations:

OAuth

query Parameters

sort	string Enum: "name" "created_on" "last_accessed" "expires" "description" Name of field to sort
size	number <int32> <= 100 Default: 50 Example: size=10 The number of items returned in a single page.
page	number <int32> The page number.
filter	string Example: filter=test The string by which the results are filtered (see description)

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (SSH-Client)
first	boolean Indicates whether the current page is the first one.
last	boolean Indicates whether the current page is the last one.
size	integer <int32> Maximum number of elements per page.
totalElements	integer <int32> Number of elements included in the response.
totalPages	integer <int32> Number of pages included in the response.
number	integer <int32> Page number
numberOfElements	integer <int32> Number of elements in current page.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/ssh-clients?sort=undefined&size=10&page=0&filter=test' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "ff5ef47d-3e9c-418b-abfc-a1f702fa0c59",
"name": "mysshclient",
"description": "This ssh client is used to access our production server",
"key_size": 2048,
"created_on": "2021-10-02T15:40:01.318Z",
"modified_on": "2021-10-02T15:40:01.318Z",
"last_accessed": "2021-10-02T15:40:01.318Z",
"expires": "2022-04-02T15:40:01.318Z"
}
],
"first": true,
"last": true,
"size": 50,
"totalElements": 1,
"totalPages": 1,
"number": 0,
"numberOfElements": 1
}

SCIM

When working with Generic SAML IDP, the users and groups are managed with the following APIs which comply with SCIM 2.0 protocol.

For the search the user/group, the following search API should be used:
List Users API.
List Groups API.

Create SCIM User

post /identities/{identity-provider-id}/scim/users

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/users

Create a SCIM user.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

Request Body schema: application/json

emails required	Array of objects (SCIMUserEmail) SCIM-user's emails list.
userName required	string SCIM-user's username.
name required	object (SCIMUserFullName)
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:User" the relevant schemas for the request
externalId	string <uuid> SCIM user's external id
displayName	string SCIM-user's display name.
targetWorkstations	Array of strings SCIM-user's target workstations addresses.

Responses

201

successful operation.

Response Schema: application/json

emails required	Array of objects (SCIMUserEmail) SCIM-user's emails list.
userName required	string SCIM-user's username.
name required	object (SCIMUserFullName)
id	string <uuid> A unique identifier of this user. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:User" the relevant schemas for the request
externalId	string <uuid> SCIM user's external id
displayName	string SCIM-user's display name.
targetWorkstations	Array of strings SCIM-user's target workstations addresses.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:User"
],
"name": 
{"givenName": "string",
"familyName": "string"
},
"emails": 
[
{"value": "string",
"primary": true
}
],
"userName": "user3",
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"targetWorkstations": 
["string"
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:User"
],
"name": 
{"givenName": "string",
"familyName": "string"
},
"emails": 
[
{"value": "string",
"primary": true
}
],
"userName": "user3",
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"targetWorkstations": 
["string"
]
}

List SCIM Users

get /identities/{identity-provider-id}/scim/users

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/users

Return an array of paginated JSON objects. Each object represents a SCIM user.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (SCIM-User)
itemsPerPage	integer <int32> Number of elements in current page.
schemas	Array of strings Items Value: "urn:ietf:params:scim:api:messages:2.0:ListResponse" SCIM list schema
startIndex	integer <int32> The 1-based index of the first result in the current set of list results.
totalResults	integer <int32> Number of elements included in the response.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/scim/users' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:User"
],
"name": 
{"givenName": "string",
"familyName": "string"
},
"emails": 
[
{"value": "string",
"primary": true
}
],
"userName": "user3",
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"targetWorkstations": 
["string"
]
}
],
"itemsPerPage": 1,
"schemas": 
["urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 1
}

Get SCIM User

get /identities/{identity-provider-id}/scim/users/{user-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/users/{user-id}

Return the details of a SCIM user.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
user-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The user ID.

Responses

200

successful operation.

Response Schema: application/json

emails required	Array of objects (SCIMUserEmail) SCIM-user's emails list.
userName required	string SCIM-user's username.
name required	object (SCIMUserFullName)
id	string <uuid> A unique identifier of this user. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:User" the relevant schemas for the request
externalId	string <uuid> SCIM user's external id
displayName	string SCIM-user's display name.
targetWorkstations	Array of strings SCIM-user's target workstations addresses.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

Not Found - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/scim/users/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:User"
],
"name": 
{"givenName": "string",
"familyName": "string"
},
"emails": 
[
{"value": "string",
"primary": true
}
],
"userName": "user3",
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"targetWorkstations": 
["string"
]
}

Delete SCIM User

delete /identities/{identity-provider-id}/scim/users/{user-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/users/{user-id}

Delete a SCIM user.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
user-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The user ID.

Responses

204

successful operation.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/scim/users/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1551881524069,
"status": 401,
"reasonPhrase": "Unauthorized",
"message": "You are not authorized to perform this operation.",
"errors": 
["Invalid session"
]
}

Update SCIM User

put /identities/{identity-provider-id}/scim/users/{user-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/users/{user-id}

Update an existing SCIM user.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
user-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The user ID.

Request Body schema: application/json

emails required	Array of objects (SCIMUserEmail) SCIM-user's emails list.
userName required	string SCIM-user's username.
name required	object (SCIMUserFullName)
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:User" the relevant schemas for the request
externalId	string <uuid> SCIM user's external id
displayName	string SCIM-user's display name.
targetWorkstations	Array of strings SCIM-user's target workstations addresses.

Responses

200

successful operation.

Response Schema: application/json

emails required	Array of objects (SCIMUserEmail) SCIM-user's emails list.
userName required	string SCIM-user's username.
name required	object (SCIMUserFullName)
id	string <uuid> A unique identifier of this user. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:User" the relevant schemas for the request
externalId	string <uuid> SCIM user's external id
displayName	string SCIM-user's display name.
targetWorkstations	Array of strings SCIM-user's target workstations addresses.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:User"
],
"name": 
{"givenName": "string",
"familyName": "string"
},
"emails": 
[
{"value": "string",
"primary": true
}
],
"userName": "user3",
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"targetWorkstations": 
["string"
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:User"
],
"name": 
{"givenName": "string",
"familyName": "string"
},
"emails": 
[
{"value": "string",
"primary": true
}
],
"userName": "user3",
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"targetWorkstations": 
["string"
]
}

Create a SCIM Group

post /identities/{identity-provider-id}/scim/groups

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/groups

Create a SCIM group.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

Request Body schema: application/json

displayName required	string SCIM-group's name.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:Group" the relevant schemas for the request
externalId	string <uuid> SCIM group's external id.
members	Array of objects (SCIMGroupMembers) all group members.

Responses

201

successful operation.

Response Schema: application/json

displayName required	string SCIM-group's name.
id	string <uuid> A unique identifier of this group. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:Group" the relevant schemas for the request
externalId	string <uuid> SCIM group's external id.
members	Array of objects (SCIMGroupMembers) all group members.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

Not Found - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}

List SCIM Groups

get /identities/{identity-provider-id}/scim/groups

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/groups

Return an array of paginated JSON objects. Each object represents a SCIM group.

Authorizations:

OAuth

path Parameters

identity-provider-id

required

string

Example: a5ea5f01-f73c-427f-b3b6-da66433e7694

The identity provider id. This unique identifier can be retrieved using List Identity Providers API.
For Symantec ZTNA internal Identity Provider, set this property to local.

Responses

200

successful operation.

Response Schema: application/json

content	Array of objects (SCIM-Group)
itemsPerPage	integer <int32> Number of elements in current page.
schemas	Array of strings Items Value: "urn:ietf:params:scim:api:messages:2.0:ListResponse" SCIM list schema
startIndex	integer <int32> The 1-based index of the first result in the current set of list results.
totalResults	integer <int32> Number of elements included in the response.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/scim/groups' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"content": 
[
{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}
],
"itemsPerPage": 1,
"schemas": 
["urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 1
}

Get SCIM Group

get /identities/{identity-provider-id}/scim/groups/{group-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/groups/{group-id}

Return the details of a SCIM group.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
group-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The group ID.

Responses

200

successful operation.

Response Schema: application/json

displayName required	string SCIM-group's name.
id	string <uuid> A unique identifier of this group. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:Group" the relevant schemas for the request
externalId	string <uuid> SCIM group's external id.
members	Array of objects (SCIMGroupMembers) all group members.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

Not Found - The specified resource was not found.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/scim/groups/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}

Update SCIM Group

put /identities/{identity-provider-id}/scim/groups/{group-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/groups/{group-id}

Update an existing group.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
group-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The group ID.

Request Body schema: application/json

displayName required	string SCIM-group's name.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:Group" the relevant schemas for the request
externalId	string <uuid> SCIM group's external id.
members	Array of objects (SCIMGroupMembers) all group members.

Responses

200

successful operation.

Response Schema: application/json

displayName required	string SCIM-group's name.
id	string <uuid> A unique identifier of this group. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:Group" the relevant schemas for the request
externalId	string <uuid> SCIM group's external id.
members	Array of objects (SCIMGroupMembers) all group members.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

Not Found - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}

Delete SCIM Group

delete /identities/{identity-provider-id}/scim/groups/{group-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/groups/{group-id}

Delete a SCIM group.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
group-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The group ID.

Responses

204

successful operation.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/identities/a5ea5f01-f73c-427f-b3b6-da66433e7694/scim/groups/6fd0a892-8b70-471a-9dd7-bf374b07451f' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1551881524069,
"status": 401,
"reasonPhrase": "Unauthorized",
"message": "You are not authorized to perform this operation.",
"errors": 
["Invalid session"
]
}

Modify a SCIM Group

patch /identities/{identity-provider-id}/scim/groups/{group-id}

Default server.

https://api.acme.luminatesec.com/v2/identities/{identity-provider-id}/scim/groups/{group-id}

Modify a SCIM group that has one or more required SCIM 2.0 attributes. Supports only add/remove/replace operations.

Authorizations:

OAuth

path Parameters

identity-provider-id required	string Example: a5ea5f01-f73c-427f-b3b6-da66433e7694 The identity provider id. This unique identifier can be retrieved using List Identity Providers API. For Symantec ZTNA internal Identity Provider, set this property to local.
group-id required	string <uuid> Example: 6fd0a892-8b70-471a-9dd7-bf374b07451f The group ID.

Request Body schema: application/json

Operations required	Array of objects (SCIMGroupOperation)
schemas required	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:PatchOp" the relevant schemas for the request

Responses

200

successful operation.

Response Schema: application/json

displayName required	string SCIM-group's name.
id	string <uuid> A unique identifier of this group. Note: This field is required for any operation other than initial creation.
schemas	Array of strings Items Value: "urn:ietf:params:scim:schemas:core:2.0:Group" the relevant schemas for the request
externalId	string <uuid> SCIM group's external id.
members	Array of objects (SCIMGroupMembers) all group members.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

404

Not Found - The specified resource was not found.

Request samples

Payload
cURL

Content type

application/json

Example

Copy

Expand all Collapse all


{"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:PatchOp"
],
"Operations": 
[
{"op": "add",
"path": "members",
"value": 
[
{"value": "99116c18-d842-4d2e-82b7-a493cc86e649",
"type": "User"
}
]
}
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"id": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"schemas": 
["urn:ietf:params:scim:schemas:core:2.0:Group"
],
"externalId": "3c536623-4763-4f67-a45a-e88f3d08cdd5",
"displayName": "string",
"members": 
[
{"value": "6fd0a892-8b70-471a-9dd7-bf374b07451f",
"type": "User"
}
]
}

Cloud Integration

Integration with Cloud Providers like Amazon Web Services to provide a smoother and cloud-native integration with SIEM solutions and to allow access to resources based on their associated tags.

List Cloud Integration Configurations

get /cloud-integrations/integrations

Default server.

https://api.acme.luminatesec.com/v2/cloud-integrations/integrations

Return an array of JSON objects. Each object represents a Cloud Integration configuration in your Symantec ZTNA tenant.

Authorizations:

OAuth

Responses

200

successful operation.

Response Schema: application/json

Array

name required	string (CloudIntegrationName) A descriptive name of the Cloud Integration.
provider required	string (CloudIntegrationProvider) Default: "amazon" Value: "amazon" Cloud Provider name.
id	string A unique identifier of thœe Cloud Integration.
created_at	string <date-time>
updated_at	string <date-time>
aws_external_id	string AWS External ID.
aws_role_arn	string (CloudIntegrationArn) The AWS role ARN.
regions	Array of strings (CloudIntegrationRegions) A list of regions that are applicable for the configured Cloud Integration.
hostname_tag_name	string (CloudIntegrationHostnameTagName) Default: "Name" The tag that represents the hostname.
health	object (CloudIntegrationHealth)
luminate_aws_account_id	string The tag that represents the hostname.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/cloud-integrations/integrations' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


[
{"name": "AWS EU Integration",
"provider": "amazon",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"aws_external_id": "aaabbbcccc",
"aws_role_arn": "arn:xxx:yyy:zzz",
"regions": 
["string"
],
"hostname_tag_name": "Name",
"health": 
{"status": "Ready",
"message": "string",
"error": 
{"message": "string",
"region": "string",
"provider_err_code": "string",
"provider_description": "string"
}
},
"luminate_aws_account_id": 12312312
}
]

Create Cloud Integration Configuration

post /cloud-integrations/integrations

Default server.

https://api.acme.luminatesec.com/v2/cloud-integrations/integrations

Create a new cloud integration configuration in your Symantec ZTNA tenant.

Authorizations:

OAuth

Request Body schema: application/json

name required	string (CloudIntegrationName) A descriptive name of the Cloud Integration.
provider required	string (CloudIntegrationProvider) Default: "amazon" Value: "amazon" Cloud Provider name.
regions	Array of strings (CloudIntegrationRegions) A list of regions that are applicable for the configured Cloud Integration.
hostname_tag_name	string (CloudIntegrationHostnameTagName) Default: "Name" The tag that represents the hostname.

Responses

201

successful operation.

Response Schema: application/json

name required	string (CloudIntegrationName) A descriptive name of the Cloud Integration.
provider required	string (CloudIntegrationProvider) Default: "amazon" Value: "amazon" Cloud Provider name.
id	string A unique identifier of thœe Cloud Integration.
created_at	string <date-time>
updated_at	string <date-time>
aws_external_id	string AWS External ID.
aws_role_arn	string (CloudIntegrationArn) The AWS role ARN.
regions	Array of strings (CloudIntegrationRegions) A list of regions that are applicable for the configured Cloud Integration.
hostname_tag_name	string (CloudIntegrationHostnameTagName) Default: "Name" The tag that represents the hostname.
health	object (CloudIntegrationHealth)
luminate_aws_account_id	string The tag that represents the hostname.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "AWS EU Integration",
"provider": "amazon",
"regions": 
["string"
],
"hostname_tag_name": "Name"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"name": "AWS EU Integration",
"provider": "amazon",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"aws_external_id": "aaabbbcccc",
"aws_role_arn": "arn:xxx:yyy:zzz",
"regions": 
["string"
],
"hostname_tag_name": "Name",
"health": 
{"status": "Ready",
"message": "string",
"error": 
{"message": "string",
"region": "string",
"provider_err_code": "string",
"provider_description": "string"
}
},
"luminate_aws_account_id": 12312312
}

Get Cloud Integration Configuration

get /cloud-integrations/integrations/{cloud-integration-id}

Default server.

https://api.acme.luminatesec.com/v2/cloud-integrations/integrations/{cloud-integration-id}

Return a Cloud Integration configuration from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

cloud-integration-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Cloud Integration ID

Responses

200

successful operation.

Response Schema: application/json

name required	string (CloudIntegrationName) A descriptive name of the Cloud Integration.
provider required	string (CloudIntegrationProvider) Default: "amazon" Value: "amazon" Cloud Provider name.
id	string A unique identifier of thœe Cloud Integration.
created_at	string <date-time>
updated_at	string <date-time>
aws_external_id	string AWS External ID.
aws_role_arn	string (CloudIntegrationArn) The AWS role ARN.
regions	Array of strings (CloudIntegrationRegions) A list of regions that are applicable for the configured Cloud Integration.
hostname_tag_name	string (CloudIntegrationHostnameTagName) Default: "Name" The tag that represents the hostname.
health	object (CloudIntegrationHealth)
luminate_aws_account_id	string The tag that represents the hostname.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X GET 'https://api.acme.luminatesec.com/v2/cloud-integrations/integrations/18837193-a81a-400f-b38d-482379e3ab47' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"name": "AWS EU Integration",
"provider": "amazon",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"aws_external_id": "aaabbbcccc",
"aws_role_arn": "arn:xxx:yyy:zzz",
"regions": 
["string"
],
"hostname_tag_name": "Name",
"health": 
{"status": "Ready",
"message": "string",
"error": 
{"message": "string",
"region": "string",
"provider_err_code": "string",
"provider_description": "string"
}
},
"luminate_aws_account_id": 12312312
}

Update Cloud Integration Configuration

put /cloud-integrations/integrations/{cloud-integration-id}

Default server.

https://api.acme.luminatesec.com/v2/cloud-integrations/integrations/{cloud-integration-id}

Update an existing Cloud Integration configuration in your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

cloud-integration-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Cloud Integration ID

Request Body schema: application/json

name required	string (CloudIntegrationName) A descriptive name of the Cloud Integration.
provider required	string (CloudIntegrationProvider) Default: "amazon" Value: "amazon" Cloud Provider name.
aws_role_arn required	string (CloudIntegrationArn) The AWS role ARN.
regions	Array of strings (CloudIntegrationRegions) A list of regions that are applicable for the configured Cloud Integration.
hostname_tag_name	string (CloudIntegrationHostnameTagName) Default: "Name" The tag that represents the hostname.

Responses

200

successful operation.

Response Schema: application/json

name required	string (CloudIntegrationName) A descriptive name of the Cloud Integration.
provider required	string (CloudIntegrationProvider) Default: "amazon" Value: "amazon" Cloud Provider name.
id	string A unique identifier of thœe Cloud Integration.
created_at	string <date-time>
updated_at	string <date-time>
aws_external_id	string AWS External ID.
aws_role_arn	string (CloudIntegrationArn) The AWS role ARN.
regions	Array of strings (CloudIntegrationRegions) A list of regions that are applicable for the configured Cloud Integration.
hostname_tag_name	string (CloudIntegrationHostnameTagName) Default: "Name" The tag that represents the hostname.
health	object (CloudIntegrationHealth)
luminate_aws_account_id	string The tag that represents the hostname.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

409

Conflict - Value of one of the provided fields is already used by an existing object.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"name": "AWS EU Integration",
"provider": "amazon",
"aws_role_arn": "arn:xxx:yyy:zzz",
"regions": 
["string"
],
"hostname_tag_name": "Name"
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"name": "AWS EU Integration",
"provider": "amazon",
"id": "1e1513c8-3801-4e58-bba3-e2466bd3fbb4",
"created_at": "2025-08-21T14:31:22Z",
"updated_at": "2025-08-21T14:31:22Z",
"aws_external_id": "aaabbbcccc",
"aws_role_arn": "arn:xxx:yyy:zzz",
"regions": 
["string"
],
"hostname_tag_name": "Name",
"health": 
{"status": "Ready",
"message": "string",
"error": 
{"message": "string",
"region": "string",
"provider_err_code": "string",
"provider_description": "string"
}
},
"luminate_aws_account_id": 12312312
}

Delete Cloud Integration

delete /cloud-integrations/integrations/{cloud-integration-id}

Default server.

https://api.acme.luminatesec.com/v2/cloud-integrations/integrations/{cloud-integration-id}

Delete a Cloud Integration configuration from your Symantec ZTNA tenant.

Authorizations:

OAuth

path Parameters

cloud-integration-id

required

string <uuid>

Example: 18837193-a81a-400f-b38d-482379e3ab47

Cloud Integration ID

Responses

204

successful operation.

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

500

Internal Server Error.

Request samples

cURL

Copy

curl -X DELETE 'https://api.acme.luminatesec.com/v2/cloud-integrations/integrations/18837193-a81a-400f-b38d-482379e3ab47' -H 'Content-Type: application/json' -H 'Authorization:Bearer b8246240-8e79-495c-9959-332af85d5014' -i

Response samples

Content type

application/json

Example

Copy

Expand all Collapse all


{"request-identifier": "c1f30631-de5d-4d5a-bba1-03571bdaf306",
"timestamp": 1548259503065,
"status": 400,
"reasonPhrase": "Bad Request",
"message": "Invalid request parameters: Invalid ID format - failed to process request"
}

Audit Logs

Audit logs audit all operations done through the administration portal.

Search Audit logs

post /logs/audit

Default server.

https://api.acme.luminatesec.com/v2/logs/audit

Searches your tenant audit logs using the Elasticsearch query language. Timeframe between from_date to to_date is limited to 30 days. Results are always sorted by date in ascending order.

Authorizations:

OAuth

Request Body schema: application/json

query required	object (SearchQuery)
size	integer <int32> [ 0 .. 1000 ] Default: 1000 The maximum number of results to return.
search_after	Array of strings or numbers (SearchAfter) Nullable Elasticsearch Search After Syntax. To get the next page, copy the SearchAfterValues value from previous response.

Responses

200

successful operation.

Response Schema: application/json

Hits	number <int32> (Hits) Total number of logs found that match the query.
Logs	Array of objects (AuditLogResult)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"size": 500,
"query": 
{"free_text": "John Doe",
"from_date": 1553502809000,
"to_date": 1553675609000,
"match_or_fields": 
[
{"field_name": "clientip",
"field_values": 
["213.12.11.10",
"0.0.1.10"
]
}
]
},
"search_after": 
[1553589827407,
"luminate-<log type>#6aebc61f-7e2f-46b3-805f-d206de8899c0"
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"Hits": 1,
"Logs": 
[
{"Id": "6aebc61f-7e2f-46b3-805f-d206de8899c0",
"Data": 
{"@timestamp": "2021-01-01T12:35:03.724Z",
"additionalInfo": { },
"eventStatus": "SUCCEEDED",
"eventType": "LOGIN",
"geoip": 
{"city_name": "Jerusalem",
"country": "Israel",
"country_code": "IL",
"latitude": 31.5,
"longitude": 34.75,
"location": 
{"lon": 34.75,
"lat": 31.5
}
},
"id": "6aebc61f-7e2f-46b3-805f-d206de8899c0",
"message": "{\\\"id\\\":\\\"6aebc61f-7e2f-46b3-805f-d206de8899c0\\\",\\\"date\\\":\\\"2019-02-13T12:35:03.724386395Z\\\",\\\"tenantId\\\":\\\"12f3e95861234567a123a7c582a0a51f_acme\\\",\\\"user\\\":\\\"user@acme.com\\\",\\\"sourceHost\\\":\\\"10.10.10.50\\\",\\\"targetService\\\":\\\"AUTH_SERVICE\\\",\\\"eventType\\\":\\\"LOGIN\\\",\\\"resourceType\\\":\\\"Authentication\\\",\\\"resourceName\\\":\\\"user@acme.com\\\",\\\"resourceId\\\":\\\"auth0|5ac324095d12345678931c97\\\",\\\"eventStatus\\\":\\\"SUCCEEDED\\\",\\\"sourceAgent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36\\\"}\n",
"resourceId": "auth0|9daa694c-d8d0-47cb-8e94-e84694153d1d",
"resourceName": "user@acme.com",
"resourceType": "Authentication",
"role": "",
"sourceAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
"sourceHost": "10.10.10.50",
"tenant_id": "12f3e95861234567a123a7c582a0a51f_acme",
"entity_id": "494b5b76-4418-4a89-858e-774463c95b78",
"entity_idp_id": "local",
"entity_type": "User",
"entity_name": "first last",
"client_ip": "192.192.250.250",
"client_port": "8080",
"previous_revision": "\"{\"name\" :\"username\"}\"",
"current_revision": "\"{\"name\" :\"updated_username\"}\"",
"user": "user@acme.com",
"user_agent_full": 
{"browser": "Chrome",
"browser_major_version": 83,
"browser_type": "Browser",
"device_type": "Desktop",
"platform": "Linux",
"platform_version": "Intel x86_64",
"raw_user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36"
}
},
"SearchAfterValues": 
[1553589827407,
"luminate-<log type>#6aebc61f-7e2f-46b3-805f-d206de8899c0"
]
}
]
}

Forensics Logs

Forensics logs audit any user's access to any application as well as user's activity for any application.

Search Forensics logs

post /logs/forensics

Default server.

https://api.acme.luminatesec.com/v2/logs/forensics

Searches for the tenant's forensics logs using the Elasticsearch query language. Time search frame between [from_date to to_date] limited to 30 days. Results are always sorted by date in ascending order.

Authorizations:

OAuth

Request Body schema: application/json

query required	object (SearchQuery)
size	integer <int32> [ 0 .. 1000 ] Default: 1000 The maximum number of results to return.
search_after	Array of strings or numbers (SearchAfter) Nullable Elasticsearch Search After Syntax. To get the next page, copy the SearchAfterValues value from previous response.

Responses

200

successful operation.

Response Schema: application/json

Hits	number <int32> (Hits) Total number of logs found that match the query.
Logs	Array of objects (ForensicsLogResult)

400

Bad Request - The server cannot or will not process the request due to an apparent client error.

401

Unauthorized - Authentication is required and has failed or has not yet been provided.

403

Forbidden - The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.

404

NotFound - The specified resource was not found.

500

Internal Server Error.

Request samples

Payload
cURL

Content type

application/json

Copy

Expand all Collapse all


{"size": 500,
"query": 
{"free_text": "John Doe",
"from_date": 1553502809000,
"to_date": 1553675609000,
"match_or_fields": 
[
{"field_name": "clientip",
"field_values": 
["213.12.11.10",
"0.0.1.10"
]
}
]
},
"search_after": 
[1553589827407,
"luminate-<log type>#6aebc61f-7e2f-46b3-805f-d206de8899c0"
]
}

Response samples

Content type

application/json

Copy

Expand all Collapse all


{"Hits": 1,
"Logs": 
[
{"Id": "6aebc61f-7e2f-46b3-805f-d206de8899c0",
"Data": 
{"@timestamp": "2019-02-13T12:35:03.724Z",
"action_result": "SUCCESS",
"activity_type": "URI Access",
"app_external_address": "app.acme.luminatesec.com",
"app_id": "abcdefgh-5b31-41d7-b4a3-1d53faff6bad",
"app_name": "app",
"app_type": "HTTP",
"authentication_method": "PUBLIC_KEY\n",
"bytes_sent": 687,
"client": "SSH-2.0-SSHJ_0.22.0",
"client_ip": "10.10.10.50",
"client_port": 51262,
"client_type": "BROWSER",
"compliance_state": "NOT_COMPLIANT",
"description": "Accessing Web application app",
"device_validation_action_type": "CLIENT_CERTIFICATE\n",
"entity_id": "auth0|a1b2c3d4e5f6g7h8i9j0klmn",
"entity_name": "user@acme.com",
"entity_type": "User",
"entity_idp_id": "local",
"error_type": "",
"event_type": "ACCESS\n",
"geoip": 
{"city_name": "Jerusalem",
"country": "Israel",
"country_code": "IL",
"latitude": 31.5,
"longitude": 34.75,
"location": 
{"lon": 34.75,
"lat": 31.5
}
},
"global_request_id": "abcdefgh-5b31-41d7-b4a3-1d53faff6bad",
"hashed_session_id": "abcdefg1d883af497cf57a44d4950a32",
"http_command": "GET",
"http_version": "HTTP/1.1",
"internal_ip": "http://127.0.0.1:32109",
"key_action_type": "CREATE\n",
"key_event_target_user_name": "user@luminatesec.com\n",
"log_id": "abcdefgh-5b31-41d7-b4a3-1d53faff6bad",
"log_type": "WEB_ACCESS_LOG\n",
"mfa_action_type": "GOOGLE\n",
"policy_id": "abcdefgh-5b31-41d7-b4a3-1d53faff6bad",
"policy_name": "my-policy",
"policy_type": "ACCESS",
"policy_is_static": "NO",
"referrer": "https://acme.luminatesec.com/home",
"response_time": 0.029,
"ssh_activity_command": "echo -n 'hello world'\n",
"ssh_client_internal_user": "user",
"ssh_internal_resource_identifier": "app-ssh.staging.eu-west-1.acmeops.com",
"ssh_internal_resource_port": 22,
"status_code": 200,
"summary": "'user@acme.com' succeeded accessing HTTP application 'app'\n",
"tcp_internal_resource_identifier": "127.0.0.1\n",
"tcp_internal_resource_port": "22\n",
"tenant_id": "12f3e95861234567a123a7c582a0a51f_acme",
"time_to_first_byte": 0.001,
"up_stream_response_time": 0.012,
"uri": "/",
"user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36",
"user_agent_full": 
{"browser": "Chrome",
"browser_major_version": 83,
"browser_type": "Browser",
"device_type": "Desktop",
"platform": "Linux",
"platform_version": "Intel x86_64",
"raw_user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36"
},
"wss_agent_device_id": "29129c76-8940-11c7-beeb-5y347b5667c1f",
"wss_agent_device_version": "8.1.0",
"wss_agent_type": "wss-agent",
"wss_device_name": "EXAMPLE-10",
"wss_os_info": "architecture=x86_64 name=Windows 10 Pro version=10.0.19043"
},
"SearchAfterValues": 
[1553589827407,
"luminate-<log type>#6aebc61f-7e2f-46b3-805f-d206de8899c0"
]
}
]
}

Symantec ZTNA API (V2)

What's New

Default Behavior (Connector Mode)

New Behavior (Site Mode)

Introduction

Common Operations Steps

Object Model

Authentication

OAuth

Token

Versioning and Compatibility

Pagination

Auditing

Rate-limiting

Support

Sites

Create Site

Authorizations:

Request Body schema: application/json

Responses

Response Schema: application/json

Request samples

Response samples

List Sites

Authorizations:

query Parameters

Responses

Response Schema: application/json

Request samples

Response samples

Update Site

Authorizations:

path Parameters

Request Body schema: application/json

Responses

Response Schema: application/json

Request samples

Response samples

Get Site

Authorizations:

path Parameters

Responses

Response Schema: application/json

Request samples

Response samples

Delete Site

Authorizations:

path Parameters

Responses

Request samples

Response samples

Get Site Health Status

Authorizations:

path Parameters

Responses

Response Schema: application/json

Request samples

Response samples

List Regions

Authorizations:

Responses

Response Schema: application/json

Request samples

Response samples

Get Region By Name

Authorizations:

path Parameters

Responses

Response Schema: application/json

Request samples

Response samples

Site Registration Keys

List Site Registration Keys

Authorizations:

path Parameters

Responses

Response Schema: application/json

Request samples

Response samples

Rotate Site Registration Keys

Default Behavior (`Connector` Mode)

New Behavior (`Site` Mode)