Adds an existing user, group, or computer as a group member.
" }, "CreateGroup":{ "name":"CreateGroup", "http":{ "method":"POST", "requestUri":"/Groups/CreateGroup", "responseCode":200 }, "input":{"shape":"CreateGroupRequest"}, "output":{"shape":"CreateGroupResult"}, "errors":[ {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ConflictException"}, {"shape":"ThrottlingException"} ], "documentation":"Creates a new group.
" }, "CreateUser":{ "name":"CreateUser", "http":{ "method":"POST", "requestUri":"/Users/CreateUser", "responseCode":200 }, "input":{"shape":"CreateUserRequest"}, "output":{"shape":"CreateUserResult"}, "errors":[ {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ConflictException"}, {"shape":"ThrottlingException"} ], "documentation":"Creates a new user.
" }, "DeleteGroup":{ "name":"DeleteGroup", "http":{ "method":"POST", "requestUri":"/Groups/DeleteGroup", "responseCode":200 }, "input":{"shape":"DeleteGroupRequest"}, "output":{"shape":"DeleteGroupResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ConflictException"}, {"shape":"ThrottlingException"} ], "documentation":"Deletes a group.
" }, "DeleteUser":{ "name":"DeleteUser", "http":{ "method":"POST", "requestUri":"/Users/DeleteUser", "responseCode":200 }, "input":{"shape":"DeleteUserRequest"}, "output":{"shape":"DeleteUserResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ConflictException"}, {"shape":"ThrottlingException"} ], "documentation":"Deletes a user.
" }, "DescribeGroup":{ "name":"DescribeGroup", "http":{ "method":"POST", "requestUri":"/Groups/DescribeGroup", "responseCode":200 }, "input":{"shape":"DescribeGroupRequest"}, "output":{"shape":"DescribeGroupResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ThrottlingException"} ], "documentation":"Returns information about a specific group.
" }, "DescribeUser":{ "name":"DescribeUser", "http":{ "method":"POST", "requestUri":"/Users/DescribeUser", "responseCode":200 }, "input":{"shape":"DescribeUserRequest"}, "output":{"shape":"DescribeUserResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ThrottlingException"} ], "documentation":"Returns information about a specific user.
" }, "DisableUser":{ "name":"DisableUser", "http":{ "method":"POST", "requestUri":"/Users/DisableUser", "responseCode":200 }, "input":{"shape":"DisableUserRequest"}, "output":{"shape":"DisableUserResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ConflictException"}, {"shape":"ThrottlingException"} ], "documentation":"Deactivates an active user account. For information about how to enable an inactive user account, see ResetUserPassword in the Directory Service API Reference.
" }, "ListGroupMembers":{ "name":"ListGroupMembers", "http":{ "method":"POST", "requestUri":"/GroupMemberships/ListGroupMembers", "responseCode":200 }, "input":{"shape":"ListGroupMembersRequest"}, "output":{"shape":"ListGroupMembersResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ThrottlingException"} ], "documentation":"Returns member information for the specified group.
This operation supports pagination with the use of the NextToken request and response parameters. If more results are available, the ListGroupMembers.NextToken member contains a token that you pass in the next call to ListGroupMembers. This retrieves the next set of items.
You can also specify a maximum number of return results with the MaxResults parameter.
Returns group information for the specified directory.
This operation supports pagination with the use of the NextToken request and response parameters. If more results are available, the ListGroups.NextToken member contains a token that you pass in the next call to ListGroups. This retrieves the next set of items.
You can also specify a maximum number of return results with the MaxResults parameter.
Returns group information for the specified member.
This operation supports pagination with the use of the NextToken request and response parameters. If more results are available, the ListGroupsForMember.NextToken member contains a token that you pass in the next call to ListGroupsForMember. This retrieves the next set of items.
You can also specify a maximum number of return results with the MaxResults parameter.
Returns user information for the specified directory.
This operation supports pagination with the use of the NextToken request and response parameters. If more results are available, the ListUsers.NextToken member contains a token that you pass in the next call to ListUsers. This retrieves the next set of items.
You can also specify a maximum number of return results with the MaxResults parameter.
Removes a member from a group.
" }, "SearchGroups":{ "name":"SearchGroups", "http":{ "method":"POST", "requestUri":"/Groups/SearchGroups", "responseCode":200 }, "input":{"shape":"SearchGroupsRequest"}, "output":{"shape":"SearchGroupsResult"}, "errors":[ {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ThrottlingException"} ], "documentation":" Searches the specified directory for a group. You can find groups that match the SearchString parameter with the value of their attributes included in the SearchString parameter.
This operation supports pagination with the use of the NextToken request and response parameters. If more results are available, the SearchGroups.NextToken member contains a token that you pass in the next call to SearchGroups. This retrieves the next set of items.
You can also specify a maximum number of return results with the MaxResults parameter.
Searches the specified directory for a user. You can find users that match the SearchString parameter with the value of their attributes included in the SearchString parameter.
This operation supports pagination with the use of the NextToken request and response parameters. If more results are available, the SearchUsers.NextToken member contains a token that you pass in the next call to SearchUsers. This retrieves the next set of items.
You can also specify a maximum number of return results with the MaxResults parameter.
Updates group information.
" }, "UpdateUser":{ "name":"UpdateUser", "http":{ "method":"POST", "requestUri":"/Users/UpdateUser", "responseCode":200 }, "input":{"shape":"UpdateUserRequest"}, "output":{"shape":"UpdateUserResult"}, "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"DirectoryUnavailableException"}, {"shape":"ConflictException"}, {"shape":"ThrottlingException"} ], "documentation":"Updates user information.
" } }, "shapes":{ "AccessDeniedException":{ "type":"structure", "members":{ "Message":{"shape":"ExceptionMessage"}, "Reason":{ "shape":"AccessDeniedReason", "documentation":"Reason the request was unauthorized.
" } }, "documentation":" You don't have permission to perform the request or access the directory. It can also occur when the DirectoryId doesn't exist or the user, member, or group might be outside of your organizational unit (OU).
Make sure that you have the authentication and authorization to perform the action. Review the directory information in the request, and make sure that the object isn't outside of your OU.
", "error":{ "httpStatusCode":403, "senderFault":true }, "exception":true }, "AccessDeniedReason":{ "type":"string", "enum":[ "IAM_AUTH", "DIRECTORY_AUTH", "DATA_DISABLED" ] }, "AddGroupMemberRequest":{ "type":"structure", "required":[ "DirectoryId", "GroupName", "MemberName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "GroupName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "MemberName":{ "shape":"MemberName", "documentation":" The SAMAccountName of the user, group, or computer to add as a group member.
The domain name that's associated with the group member. This parameter is required only when adding a member outside of your Managed Microsoft AD domain to a group inside of your Managed Microsoft AD domain. This parameter defaults to the Managed Microsoft AD domain.
This parameter is case insensitive.
Indicates that the attribute type value is a boolean. For example:
\"BOOL\": true
Indicates that the attribute type value is a number. For example:
\"N\": \"16\"
Indicates that the attribute type value is a string. For example:
\"S\": \"S Group\"
Indicates that the attribute type value is a string set. For example:
\"SS\": [\"sample_service_class/host.sample.com:1234/sample_service_name_1\", \"sample_service_class/host.sample.com:1234/sample_service_name_2\"]
The data type for an attribute. Each attribute value is described as a name-value pair. The name is the AD schema name, and the value is the data itself. For a list of supported attributes, see Directory Service Data Attributes.
", "union":true }, "Attributes":{ "type":"map", "key":{"shape":"LdapDisplayName"}, "value":{"shape":"AttributeValue"}, "max":25, "min":1 }, "Boolean":{ "type":"boolean", "box":true }, "BooleanAttributeValue":{ "type":"boolean", "box":true, "sensitive":true }, "ClientToken":{ "type":"string", "max":128, "min":1, "pattern":"^[\\x00-\\x7F]+$" }, "ConflictException":{ "type":"structure", "members":{ "Message":{"shape":"ExceptionMessage"} }, "documentation":"This error will occur when you try to create a resource that conflicts with an existing object. It can also occur when adding a member to a group that the member is already in.
This error can be caused by a request sent within the 8-hour idempotency window with the same client token but different input parameters. Client tokens should not be re-used across different requests. After 8 hours, any request with the same client token is treated as a new request.
", "error":{ "httpStatusCode":409, "senderFault":true }, "exception":true }, "CreateGroupRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "GroupScope":{ "shape":"GroupScope", "documentation":"The scope of the AD group. For details, see Active Directory security group scope.
" }, "GroupType":{ "shape":"GroupType", "documentation":"The AD group type. For details, see Active Directory security group type.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"An expression that defines one or more attributes with the data type and value of each attribute.
" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" } } }, "CreateGroupResult":{ "type":"structure", "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the group.
" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the group.
" } } }, "CreateUserRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that’s associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "EmailAddress":{ "shape":"EmailAddress", "documentation":"The email address of the user.
" }, "GivenName":{ "shape":"GivenName", "documentation":"The first name of the user.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"An expression that defines one or more attribute names with the data type and value of each attribute. A key is an attribute name, and the value is a list of maps. For a list of supported attributes, see Directory Service Data Attributes.
Attribute names are case insensitive.
The name of the user.
" }, "Surname":{ "shape":"Surname", "documentation":"The last name of the user.
" } } }, "CreateUserResult":{ "type":"structure", "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory where the address block is added.
" }, "SAMAccountName":{ "shape":"UserName", "documentation":"The name of the user.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the user.
" } } }, "DeleteGroupRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" } } }, "DeleteGroupResult":{ "type":"structure", "members":{ } }, "DeleteUserRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "SAMAccountName":{ "shape":"UserName", "documentation":"The name of the user.
" } } }, "DeleteUserResult":{ "type":"structure", "members":{ } }, "DescribeGroupRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The Identifier (ID) of the directory associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "OtherAttributes":{ "shape":"LdapDisplayNameList", "documentation":"One or more attributes to be returned for the group. For a list of supported attributes, see Directory Service Data Attributes.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group.
This parameter is optional, so you can return groups outside of your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD groups are returned.
This value is case insensitive.
The name of the group.
" } } }, "DescribeGroupResult":{ "type":"structure", "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the group.
" }, "DistinguishedName":{ "shape":"DistinguishedName", "documentation":"The distinguished name of the object.
" }, "GroupScope":{ "shape":"GroupScope", "documentation":"The scope of the AD group. For details, see Active Directory security groups.
" }, "GroupType":{ "shape":"GroupType", "documentation":"The AD group type. For details, see Active Directory security group type.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"The attribute values that are returned for the attribute names that are included in the request.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group.
" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the group.
" } } }, "DescribeUserRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "OtherAttributes":{ "shape":"LdapDisplayNameList", "documentation":"One or more attribute names to be returned for the user. A key is an attribute name, and the value is a list of maps. For a list of supported attributes, see Directory Service Data Attributes.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the user.
This parameter is optional, so you can return users outside your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD users are returned.
This value is case insensitive.
The name of the user.
" } } }, "DescribeUserResult":{ "type":"structure", "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the user.
" }, "DistinguishedName":{ "shape":"DistinguishedName", "documentation":"The distinguished name of the object.
" }, "EmailAddress":{ "shape":"EmailAddress", "documentation":"The email address of the user.
" }, "Enabled":{ "shape":"Boolean", "documentation":"Indicates whether the user account is active.
" }, "GivenName":{ "shape":"GivenName", "documentation":"The first name of the user.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"The attribute values that are returned for the attribute names that are included in the request.
Attribute names are case insensitive.
The domain name that's associated with the user.
" }, "SAMAccountName":{ "shape":"UserName", "documentation":"The name of the user.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the user.
" }, "Surname":{ "shape":"Surname", "documentation":"The last name of the user.
" }, "UserPrincipalName":{ "shape":"UserPrincipalName", "documentation":"The UPN that is an Internet-style login name for a user and is based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember.
" } } }, "DirectoryId":{ "type":"string", "pattern":"^d-[0-9a-f]{10}$" }, "DirectoryUnavailableException":{ "type":"structure", "members":{ "Message":{"shape":"ExceptionMessage"}, "Reason":{ "shape":"DirectoryUnavailableReason", "documentation":"Reason the request failed for the specified directory.
" } }, "documentation":"The request could not be completed due to a problem in the configuration or current state of the specified directory.
", "error":{ "httpStatusCode":400, "senderFault":true }, "exception":true, "retryable":{"throttling":false} }, "DirectoryUnavailableReason":{ "type":"string", "enum":[ "INVALID_DIRECTORY_STATE", "DIRECTORY_TIMEOUT", "DIRECTORY_RESOURCES_EXCEEDED", "NO_DISK_SPACE", "TRUST_AUTH_FAILURE" ] }, "DisableUserRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "SAMAccountName":{ "shape":"UserName", "documentation":"The name of the user.
" } } }, "DisableUserResult":{ "type":"structure", "members":{ } }, "DistinguishedName":{ "type":"string", "max":256, "min":1, "sensitive":true }, "EmailAddress":{ "type":"string", "max":256, "min":1, "sensitive":true }, "ExceptionMessage":{"type":"string"}, "GivenName":{ "type":"string", "max":64, "min":1, "sensitive":true }, "Group":{ "type":"structure", "required":["SAMAccountName"], "members":{ "DistinguishedName":{ "shape":"DistinguishedName", "documentation":"The distinguished name of the object.
" }, "GroupScope":{ "shape":"GroupScope", "documentation":"The scope of the AD group. For details, see Active Directory security groups
" }, "GroupType":{ "shape":"GroupType", "documentation":"The AD group type. For details, see Active Directory security group type.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"An expression of one or more attributes, data types, and the values of a group.
" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the group.
" } }, "documentation":"A group object that contains identifying information and attributes for a specified group.
" }, "GroupList":{ "type":"list", "member":{"shape":"Group"} }, "GroupName":{ "type":"string", "max":64, "min":1, "pattern":"^[^:;|=+\"*?<>/\\\\,\\[\\]@]+$" }, "GroupScope":{ "type":"string", "enum":[ "DomainLocal", "Global", "Universal", "BuiltinLocal" ] }, "GroupSummary":{ "type":"structure", "required":[ "GroupScope", "GroupType", "SAMAccountName", "SID" ], "members":{ "GroupScope":{ "shape":"GroupScope", "documentation":"The scope of the AD group. For details, see Active Directory security groups.
" }, "GroupType":{ "shape":"GroupType", "documentation":"The AD group type. For details, see Active Directory security group type.
" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the group.
" } }, "documentation":"A structure containing a subset of fields of a group object from a directory.
" }, "GroupSummaryList":{ "type":"list", "member":{"shape":"GroupSummary"} }, "GroupType":{ "type":"string", "enum":[ "Distribution", "Security" ] }, "Integer":{ "type":"integer", "box":true }, "InternalServerException":{ "type":"structure", "members":{ "Message":{"shape":"ExceptionMessage"} }, "documentation":"The operation didn't succeed because an internal error occurred. Try again later.
", "error":{"httpStatusCode":500}, "exception":true, "fault":true, "retryable":{"throttling":false} }, "LdapDisplayName":{ "type":"string", "max":63, "min":1, "pattern":"^[A-Za-z*][A-Za-z-*]*$" }, "LdapDisplayNameList":{ "type":"list", "member":{"shape":"LdapDisplayName"}, "max":25, "min":1 }, "ListGroupMembersRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "MaxResults":{ "shape":"MaxResults", "documentation":"The maximum number of results to be returned per request.
" }, "MemberRealm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group member. This parameter defaults to the Managed Microsoft AD domain.
This parameter is optional and case insensitive.
An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group.
This parameter is optional, so you can return members from a group outside of your Managed Microsoft AD domain. When no value is defined, only members of your Managed Microsoft AD groups are returned.
This value is case insensitive.
The name of the group.
" } } }, "ListGroupMembersResult":{ "type":"structure", "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"Identifier (ID) of the directory associated with the group.
" }, "MemberRealm":{ "shape":"Realm", "documentation":"The domain name that's associated with the member.
" }, "Members":{ "shape":"MemberList", "documentation":"The member information that the request returns.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group.
" } } }, "ListGroupsForMemberRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the member.
", "location":"querystring", "locationName":"DirectoryId" }, "MaxResults":{ "shape":"MaxResults", "documentation":"The maximum number of results to be returned per request.
" }, "MemberRealm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group member.
This parameter is optional, so you can limit your results to the group members in a specific domain.
This parameter is case insensitive and defaults to Realm
An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group.
This parameter is optional, so you can return groups outside of your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD groups are returned.
This value is case insensitive and defaults to your Managed Microsoft AD domain.
The SAMAccountName of the user, group, or computer that's a member of the group.
The identifier (ID) of the directory that's associated with the member.
" }, "Groups":{ "shape":"GroupSummaryList", "documentation":"The group information that the request returns.
" }, "MemberRealm":{ "shape":"Realm", "documentation":"The domain that's associated with the member.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain that's associated with the group.
" } } }, "ListGroupsRequest":{ "type":"structure", "required":["DirectoryId"], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "MaxResults":{ "shape":"MaxResults", "documentation":"The maximum number of results to be returned per request.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name associated with the directory.
This parameter is optional, so you can return groups outside of your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD groups are returned.
This value is case insensitive.
The identifier (ID) of the directory that's associated with the group.
" }, "Groups":{ "shape":"GroupSummaryList", "documentation":"The group information that the request returns.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name associated with the group.
" } } }, "ListUsersRequest":{ "type":"structure", "required":["DirectoryId"], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "MaxResults":{ "shape":"MaxResults", "documentation":"The maximum number of results to be returned per request.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the user.
This parameter is optional, so you can return users outside of your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD users are returned.
This value is case insensitive.
The identifier (ID) of the directory that's associated with the user.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain that's associated with the user.
" }, "Users":{ "shape":"UserSummaryList", "documentation":"The user information that the request returns.
" } } }, "MaxResults":{ "type":"integer", "box":true, "max":250, "min":1 }, "Member":{ "type":"structure", "required":[ "MemberType", "SAMAccountName", "SID" ], "members":{ "MemberType":{ "shape":"MemberType", "documentation":"The AD type of the member object.
" }, "SAMAccountName":{ "shape":"MemberName", "documentation":"The name of the group member.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the group member.
" } }, "documentation":"A member object that contains identifying information for a specified member.
" }, "MemberList":{ "type":"list", "member":{"shape":"Member"} }, "MemberName":{ "type":"string", "max":63, "min":1, "pattern":"^[^:;|=+\"*?<>/\\\\,\\[\\]@]+$" }, "MemberType":{ "type":"string", "enum":[ "USER", "GROUP", "COMPUTER" ] }, "NextToken":{ "type":"string", "max":6144, "min":1, "sensitive":true }, "NumberAttributeValue":{ "type":"long", "box":true, "sensitive":true }, "Realm":{ "type":"string", "max":255, "min":1, "pattern":"^([a-zA-Z0-9]+[\\\\.-])+([a-zA-Z0-9])+[.]?$" }, "RemoveGroupMemberRequest":{ "type":"structure", "required":[ "DirectoryId", "GroupName", "MemberName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the member.
", "location":"querystring", "locationName":"DirectoryId" }, "GroupName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "MemberName":{ "shape":"MemberName", "documentation":" The SAMAccountName of the user, group, or computer to remove from the group.
The domain name that's associated with the group member. This parameter defaults to the Managed Microsoft AD domain.
This parameter is optional and case insensitive.
The resource couldn't be found.
", "error":{ "httpStatusCode":404, "senderFault":true }, "exception":true }, "SID":{ "type":"string", "max":256, "min":1 }, "SearchGroupsRequest":{ "type":"structure", "required":[ "DirectoryId", "SearchAttributes", "SearchString" ], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "MaxResults":{ "shape":"MaxResults", "documentation":"The maximum number of results to be returned per request.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the group.
This parameter is optional, so you can return groups outside of your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD groups are returned.
This value is case insensitive.
One or more data attributes that are used to search for a group. For a list of supported attributes, see Directory Service Data Attributes.
" }, "SearchString":{ "shape":"SearchString", "documentation":"The attribute value that you want to search for.
Wildcard (*) searches aren't supported. For a list of supported attributes, see Directory Service Data Attributes.
The identifier (ID) of the directory that's associated with the group.
" }, "Groups":{ "shape":"GroupList", "documentation":"The group information that the request returns.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain that's associated with the group.
" } } }, "SearchString":{ "type":"string", "max":64, "min":1, "sensitive":true }, "SearchUsersRequest":{ "type":"structure", "required":[ "DirectoryId", "SearchAttributes", "SearchString" ], "members":{ "DirectoryId":{ "shape":"DirectoryId", "documentation":"The identifier (ID) of the directory that's associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "MaxResults":{ "shape":"MaxResults", "documentation":"The maximum number of results to be returned per request.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain name that's associated with the user.
This parameter is optional, so you can return users outside of your Managed Microsoft AD domain. When no value is defined, only your Managed Microsoft AD users are returned.
This value is case insensitive.
One or more data attributes that are used to search for a user. For a list of supported attributes, see Directory Service Data Attributes.
" }, "SearchString":{ "shape":"SearchString", "documentation":"The attribute value that you want to search for.
Wildcard (*) searches aren't supported. For a list of supported attributes, see Directory Service Data Attributes.
The identifier (ID) of the directory where the address block is added.
" }, "NextToken":{ "shape":"NextToken", "documentation":"An encoded paging token for paginated calls that can be passed back to retrieve the next page.
" }, "Realm":{ "shape":"Realm", "documentation":"The domain that's associated with the user.
" }, "Users":{ "shape":"UserList", "documentation":"The user information that the request returns.
" } } }, "StringAttributeValue":{ "type":"string", "max":1024, "min":1, "sensitive":true }, "StringSetAttributeValue":{ "type":"list", "member":{"shape":"StringAttributeValue"}, "max":25, "min":0, "sensitive":true }, "Surname":{ "type":"string", "max":64, "min":1, "sensitive":true }, "ThrottlingException":{ "type":"structure", "required":["Message"], "members":{ "Message":{"shape":"ExceptionMessage"}, "RetryAfterSeconds":{ "shape":"Integer", "documentation":"The recommended amount of seconds to retry after a throttling exception.
", "location":"header", "locationName":"Retry-After" } }, "documentation":"The limit on the number of requests per second has been exceeded.
", "error":{ "httpStatusCode":429, "senderFault":true }, "exception":true, "retryable":{"throttling":true} }, "UpdateGroupRequest":{ "type":"structure", "required":[ "DirectoryId", "SAMAccountName" ], "members":{ "ClientToken":{ "shape":"ClientToken", "documentation":"A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the group.
", "location":"querystring", "locationName":"DirectoryId" }, "GroupScope":{ "shape":"GroupScope", "documentation":"The scope of the AD group. For details, see Active Directory security groups.
" }, "GroupType":{ "shape":"GroupType", "documentation":"The AD group type. For details, see Active Directory security group type.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"An expression that defines one or more attributes with the data type and the value of each attribute.
" }, "SAMAccountName":{ "shape":"GroupName", "documentation":"The name of the group.
" }, "UpdateType":{ "shape":"UpdateType", "documentation":" The type of update to be performed. If no value exists for the attribute, use ADD. Otherwise, use REPLACE to change an attribute value or REMOVE to clear the attribute value.
A unique and case-sensitive identifier that you provide to make sure the idempotency of the request, so multiple identical calls have the same effect as one single call.
A client token is valid for 8 hours after the first request that uses it completes. After 8 hours, any request with the same client token is treated as a new request. If the request succeeds, any future uses of that token will be idempotent for another 8 hours.
If you submit a request with the same client token but change one of the other parameters within the 8-hour idempotency window, Directory Service Data returns an ConflictException.
This parameter is optional when using the CLI or SDK.
The identifier (ID) of the directory that's associated with the user.
", "location":"querystring", "locationName":"DirectoryId" }, "EmailAddress":{ "shape":"EmailAddress", "documentation":"The email address of the user.
" }, "GivenName":{ "shape":"GivenName", "documentation":"The first name of the user.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"An expression that defines one or more attribute names with the data type and value of each attribute. A key is an attribute name, and the value is a list of maps. For a list of supported attributes, see Directory Service Data Attributes.
Attribute names are case insensitive.
The name of the user.
" }, "Surname":{ "shape":"Surname", "documentation":"The last name of the user.
" }, "UpdateType":{ "shape":"UpdateType", "documentation":" The type of update to be performed. If no value exists for the attribute, use ADD. Otherwise, use REPLACE to change an attribute value or REMOVE to clear the attribute value.
The distinguished name of the object.
" }, "EmailAddress":{ "shape":"EmailAddress", "documentation":"The email address of the user.
" }, "Enabled":{ "shape":"Boolean", "documentation":"Indicates whether the user account is active.
" }, "GivenName":{ "shape":"GivenName", "documentation":"The first name of the user.
" }, "OtherAttributes":{ "shape":"Attributes", "documentation":"An expression that includes one or more attributes, data types, and values of a user.
" }, "SAMAccountName":{ "shape":"UserName", "documentation":"The name of the user.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the user.
" }, "Surname":{ "shape":"Surname", "documentation":"The last name of the user.
" }, "UserPrincipalName":{ "shape":"UserPrincipalName", "documentation":"The UPN that is an internet-style login name for a user and based on the internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember.
" } }, "documentation":"A user object that contains identifying information and attributes for a specified user.
" }, "UserList":{ "type":"list", "member":{"shape":"User"} }, "UserName":{ "type":"string", "max":20, "min":1, "pattern":"^[\\w\\-.]+$" }, "UserPrincipalName":{ "type":"string", "max":256, "min":1, "sensitive":true }, "UserSummary":{ "type":"structure", "required":[ "Enabled", "SAMAccountName", "SID" ], "members":{ "Enabled":{ "shape":"Boolean", "documentation":"Indicates whether the user account is active.
" }, "GivenName":{ "shape":"GivenName", "documentation":"The first name of the user.
" }, "SAMAccountName":{ "shape":"UserName", "documentation":"The name of the user.
" }, "SID":{ "shape":"SID", "documentation":"The unique security identifier (SID) of the user.
" }, "Surname":{ "shape":"Surname", "documentation":"The last name of the user.
" } }, "documentation":"A structure containing a subset of the fields of a user object from a directory.
" }, "UserSummaryList":{ "type":"list", "member":{"shape":"UserSummary"} }, "ValidationException":{ "type":"structure", "members":{ "Message":{"shape":"ExceptionMessage"}, "Reason":{ "shape":"ValidationExceptionReason", "documentation":"Reason the request failed validation.
" } }, "documentation":"The request isn't valid. Review the details in the error message to update the invalid parameters or values in your request.
", "error":{ "httpStatusCode":400, "senderFault":true }, "exception":true }, "ValidationExceptionReason":{ "type":"string", "enum":[ "INVALID_REALM", "INVALID_DIRECTORY_TYPE", "INVALID_SECONDARY_REGION", "INVALID_NEXT_TOKEN", "INVALID_ATTRIBUTE_VALUE", "INVALID_ATTRIBUTE_NAME", "INVALID_ATTRIBUTE_FOR_USER", "INVALID_ATTRIBUTE_FOR_GROUP", "INVALID_ATTRIBUTE_FOR_SEARCH", "INVALID_ATTRIBUTE_FOR_MODIFY", "DUPLICATE_ATTRIBUTE", "MISSING_ATTRIBUTE", "ATTRIBUTE_EXISTS", "LDAP_SIZE_LIMIT_EXCEEDED", "LDAP_UNSUPPORTED_OPERATION" ] } }, "documentation":"Amazon Web Services Directory Service Data is an extension of Directory Service. This API reference provides detailed information about Directory Service Data operations and object types.
With Directory Service Data, you can create, read, update, and delete users, groups, and memberships from your Managed Microsoft AD without additional costs and without deploying dedicated management instances. You can also perform built-in object management tasks across directories without direct network connectivity, which simplifies provisioning and access management to achieve fully automated deployments. Directory Service Data supports user and group write operations, such as CreateUser and CreateGroup, within the organizational unit (OU) of your Managed Microsoft AD. Directory Service Data supports read operations, such as ListUsers and ListGroups, on all users, groups, and group memberships within your Managed Microsoft AD and across trusted realms. Directory Service Data supports adding and removing group members in your OU and the Amazon Web Services Delegated Groups OU, so you can grant and deny access to specific roles and permissions. For more information, see Manage users and groups in the Directory Service Administration Guide.
Directory management operations and configuration changes made against the Directory Service API will also reflect in Directory Service Data API with eventual consistency. You can expect a short delay between management changes, such as adding a new directory trust and calling the Directory Service Data API for the newly created trusted realm.
Directory Service Data connects to your Managed Microsoft AD domain controllers and performs operations on underlying directory objects. When you create your Managed Microsoft AD, you choose subnets for domain controllers that Directory Service creates on your behalf. If a domain controller is unavailable, Directory Service Data uses an available domain controller. As a result, you might notice eventual consistency while objects replicate from one domain controller to another domain controller. For more information, see What gets created in the Directory Service Administration Guide. Directory limits vary by Managed Microsoft AD edition:
Standard edition – Supports 8 transactions per second (TPS) for read operations and 4 TPS for write operations per directory. There's a concurrency limit of 10 concurrent requests.
Enterprise edition – Supports 16 transactions per second (TPS) for read operations and 8 TPS for write operations per directory. There's a concurrency limit of 10 concurrent requests.
Amazon Web Services Account - Supports a total of 100 TPS for Directory Service Data operations across all directories.
Directory Service Data only supports the Managed Microsoft AD directory type and is only available in the primary Amazon Web Services Region. For more information, see Managed Microsoft AD and Primary vs additional Regions in the Directory Service Administration Guide.
" }