What are the capabilities of a given actionGroup?


I have reviewed the In-Depth documentation for access control and have a question about actionGroup. I have also looked at Authorizor type to see if any APIs exist to get more information and don’t think it will help.

The term actionGroup is mentioned in various places. The only formal definition I could find for this term is from the access control tutorial (From static/console: Help > Documentation > Tutorials > Topic Access Control Tutorial) which reads:

Note that actionGroups are defined through annotations on functions in c3type files, eg. @action(group='monitor')

So it seems that actionGroups can be defined arbitrarily.

Here are my questions:

  1. is there a way to programmatically get all known values for actionGroup that exist within a tenant/tag?

  2. How do I get all functions/capabilities associated with an actionGroup. For example, I’ve seen the actionGroup “read”, “write”, and “delete”. These are somewhat intuitive, but I’d like to get a definitive list of what “read” actionGroup entails, for example.

I’m currently assuming “fetch()” and “evaluate()” to be members of the “read” actionGroup. I don’t know if this is correct or a complete list.

  1. Two action groups of interest for me are: user-admin and cluster-admin. These seem much broader than “read” or “write” - and I’d like to get more information on what functions from each type are part of these action groups.




  1. It is technically possible to programmatically get the type/methods that below in a given action group. However, there is no single API. You will need to use metadata APIs and interrogate the metadata of each type to determine if its methods or inherited methods belong to a given action group. This not for the faint of heart.

  2. There is not straightforward mechanism today. An approach similar to #1 will be required.

I’ve logged an enhancement request to provide APIs to provide a list of action-groups and actions that participate in a given action group.

1 Like


Here is a short script that returns all action groups and associated methods and types.

 * Get all types, methods, and action-groups
var typ, mixTyp, csvStr;
var tms = TagMetadataStore.tag();
var types = tms.types();
var actionGroupList = [];

types.forEach(function(tp) {
	typ = tms.readType(tp.typeName);
	actionGroupList = actionGroupList.concat(getActionGroupsForType(tp.typeName, typ));
	if (typ.hasOwnProperty("mixins") == true) {
		typ.mixins.forEach(function (m) {
			mixTyp = tms.readType(m.name);
			actionGroupList = actionGroupList.concat(getActionGroupsForType(tp.typeName, mixTyp));

function getActionGroupsForType(typeName, typ) {
	var csvStr;
	var actionGroupList = [];
	if (typ.hasOwnProperty("fields") == true) {
		typ.fields.forEach(function (f) {
			if (f.valueType.type == "MethodType") {
				if (f.extensions != undefined && f.extensions.action != undefined && f.extensions.action.group != undefined) {
					csvStr = typeName + "," + f.name + "," + f.extensions.action.group;
	return actionGroupList;
1 Like