> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dados.rio/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Cerbos superadmin policy template

> Get the Cerbos policy template for granting superadmin permissions.

This endpoint provides the policy configuration that should be applied to Cerbos
when the admin API is disabled and manual policy configuration is required.

**Use Case**: When Heimdall cannot automatically create the superadmin policy
(e.g., Cerbos admin API is disabled), use this template to manually configure
the policy in your Cerbos deployment.

**Instructions**:
1. Get the policy template from this endpoint
2. Save it as a YAML or JSON file in your Cerbos configuration
3. Apply it via your Cerbos deployment method (ConfigMap, file system, etc.)



## OpenAPI

````yaml https://raw.githubusercontent.com/prefeitura-rio/heimdall/main/docs/api/openapi.json get /api/v1/cerbos-policy-template
openapi: 3.1.0
info:
  title: Heimdall Admin Service
  description: >-
    # Heimdall Admin Service API


    A comprehensive admin service for user and group management with
    authorization powered by Cerbos.


    ## Features


    - **User Management**: Automatic user creation from JWT tokens with
    role-based access control

    - **Group Management**: Create, manage, and assign users to groups with
    hierarchical permissions

    - **Role Management**: Define and assign roles to users and groups

    - **Mapping Management**: Configure API endpoint to action mappings for
    authorization

    - **Action Management**: Define available actions for fine-grained
    permission control

    - **Cerbos Integration**: Policy-based authorization with external Cerbos
    service

    - **Audit Logging**: Comprehensive audit trail for all administrative
    operations

    - **Redis Caching**: High-performance caching for frequently accessed data
  version: 1.0.0
servers:
  - url: https://services.pref.rio/heimdall-admin
    description: Production server
  - url: https://services.staging.app.dados.rio/heimdall-admin
    description: Staging server
security: []
tags:
  - name: health
    description: Service health and readiness checks
  - name: users
    description: >-
      User management operations. Users are automatically created from JWT
      tokens.
  - name: groups
    description: >-
      Group management operations. Groups organize users and can have roles
      assigned.
  - name: memberships
    description: Group membership management. Assign and remove users from groups.
  - name: roles
    description: >-
      Role management operations. Roles define permissions that can be assigned
      to users or groups.
  - name: actions
    description: >-
      Action management operations. Actions define the granular permissions
      available in the system.
  - name: mappings
    description: >-
      API endpoint to action mapping configuration. Maps HTTP endpoints to
      authorization actions.
paths:
  /api/v1/cerbos-policy-template:
    get:
      tags:
        - health
        - health
      summary: Get Cerbos superadmin policy template
      description: >-
        Get the Cerbos policy template for granting superadmin permissions.


        This endpoint provides the policy configuration that should be applied
        to Cerbos

        when the admin API is disabled and manual policy configuration is
        required.


        **Use Case**: When Heimdall cannot automatically create the superadmin
        policy

        (e.g., Cerbos admin API is disabled), use this template to manually
        configure

        the policy in your Cerbos deployment.


        **Instructions**:

        1. Get the policy template from this endpoint

        2. Save it as a YAML or JSON file in your Cerbos configuration

        3. Apply it via your Cerbos deployment method (ConfigMap, file system,
        etc.)
      operationId: get_cerbos_policy_template_api_v1_cerbos_policy_template_get
      responses:
        '200':
          description: Cerbos policy template retrieved successfully
          content:
            application/json:
              schema: {}
              example:
                apiVersion: api.cerbos.dev/v1
                kind: RolePolicy
                metadata:
                  storeIdentifier: role_superadmin
                rolePolicy:
                  role: superadmin
                  version: default
                  rules:
                    - resource: '*'
                      actions:
                        - action: '*'
                          effect: EFFECT_ALLOW

````