Organizations
Learn about creating and managing organizations (orgs) via the DNAnexus Platform API.
An organization (or org) is a DNAnexus entity that associates a group of users. The administrators of an org manage account creation, configure permissions in the context of the org as well as the projects owned by the org, and oversee billing. All storage and compute costs associated with an org are invoiced to a single billing account designated by the org administrators. Data objects and projects can be shared with orgs as an entity.
Org Membership Status
A user may be a member of an org at one of two membership statuses:
ADMIN
MEMBER
An org ADMIN is granted all possible permissions in the org and may perform org administrative functions such as adding/removing users or modifying org policies. An org MEMBER, on the other hand, is granted only a subset of the possible permissions in the org and has no administrative power in the org.
Org Permission Flags
Org permission flags, configurable by user, dictate the allowable actions for each user in an org. The following permission flags exist:
allowBillableActivities boolean Whether the user can perform certain activities that would incur charges for the org. Users with this flag set to true may create projects and apps billed to the org and download files while billing the data transfer costs to the org. They may also view the org's pricing model (and view the cost of any projects or jobs billed to the org).
projectAccess string The maximum project permission granted to the user for projects shared with the org (must be one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")
appAccess boolean Whether the user can access and run apps shared with the org
Org ADMINs have all available permissions in the org.
{
  "allowBillableActivities": true,
  "projectAccess": "ADMINISTER",
  "appAccess": true
}
Org MEMBERs, by default, receive the following set of permission flags:
{
  "allowBillableActivities": false,
  "projectAccess": "CONTRIBUTE",
  "appAccess": true
}
Any org ADMIN can configure the permission flags for org MEMBERs using /org-xxxx/setMemberAccess.
Org Policies
Org policies, configurable by org, dictate many different behaviors when the org interacts with other entities. The following policies exist:
memberListVisibility string (default "ADMIN" in /org/new) The org membership status required to be able to view the membership status and permission flags in effect for any other member of the org (via /org-xxxx/findMembers). Must be one of "ADMIN", "MEMBER", or "PUBLIC". If "PUBLIC", then any DNAnexus user may view the membership status and permission flags in effect for any member of the org.
restrictProjectTransfer string (default "MEMBER" in /org/new) The org membership status required to change the billing account of a project billed to this org. Must be one of "ADMIN" or "MEMBER". If "ADMIN", only org ADMINs can change the billing account of an org-billed project. If "MEMBER", any org member can do so.
restrictProjectSharing string (default "MEMBER" in /org/new) The org membership status required to invite the org to be a member of a project. If set to "MEMBER", any member of the org can invite the org to a project. When set to "ADMIN", only org admins can invite the org to a project.
jobReuse boolean (default false in /org/new) For information on how to reuse the outputs of jobs that share the same executable and input IDs, see Smart Reuse. This feature is only available for licensed customers.
detailedJobMetricsCollectDefault boolean (default false in /org/new) If set to true, more frequent, detailed job metrics (tracking CPU, memory, network, disk, etc.) are collected by default for all jobs launched in all projects billed to this org. This setting can be overridden when launching an execution. This field is only applicable to orgs with a detailedJobMetrics license.
maximumPreauthenticatedDuration int (optional, default 43200 (12 hours), maximum 86400 (24 hours)) Maximum number of seconds that a preauthenticated file download URL is valid for. If set to 0, preauthenticated URLs are disabled for the whole organization.
The security of preauthenticated URLs (also known as pre-signed URLs) is the responsibility of the client. DNAnexus does not revoke preauthenticated URLs once generated. Take care with longer-lived URLs, as they remain valid for their full duration.
Setting maximumPreauthenticatedDuration below a minimum threshold of 300 seconds (5 minutes) can cause dependent functionality to break. For example, File Viewers and some automated tools require URLs to be valid for 3-5 minutes to complete downloads or viewing sessions. Ensure the duration meets all intended use cases.
monthlyProjectComputeLimitDefault int or NULL (optional, default NULL in /org/new) Default dollar values of project level spending limits for compute in currency. This limit does not apply to DBCluster-related charges.
monthlyProjectEgressBytesLimitDefault int or NULL (optional, default NULL in /org/new) Default values of project level spending limits for egress in bytes.
monthlyProjectStorageLimitDefault float or NULL (optional, default NULL in /org/new) Default dollar values of project level spending limits for storage in currency. This limit does not apply to DBCluster-related charges.
enforceTerminationForProjectComputeLimit boolean (optional, default false in /org/new) Whether system should enforce termination behaviors when project spending compute limit is exceeded.
enforceTerminationForProjectEgressBytesLimit boolean (optional, default false in /org/new) Whether system should enforce termination behaviors when project spending egress limit is exceeded.
enforceTerminationForProjectStorageLimit boolean (optional, default false in /org/new) Whether system should enforce termination behaviors when project spending storage limit is exceeded. Not Changeable.
projectSpendingLimitNotificationThreshold int (optional, 1 - 99, default 90 in /org/new) Percent threshold for sending out the warning notification for the monthly project spending budget. When the available monthly project spending budget drops below the threshold, the system sends email notifications to the admins of the affected project.
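A review of the policies above can be automated against the policies mapping that /org-xxxx/describe returns. The following is an added example, not DNAnexus code: the sample mappings are constructed, and REVIEW_URL_CEILING and the choice to report the "MEMBER" defaults are this example's own review thresholds, not platform rules.

```python
"""Audit an org's `policies` mapping (as returned by /org-xxxx/describe)."""

# Defaults this page lists for /org/new; used when a key is absent.
PAGE_DEFAULTS = {
    "memberListVisibility": "ADMIN",
    "restrictProjectTransfer": "MEMBER",
    "restrictProjectSharing": "MEMBER",
    "maximumPreauthenticatedDuration": 43200,
    "monthlyProjectComputeLimitDefault": None,
    "monthlyProjectEgressBytesLimitDefault": None,
    "enforceTerminationForProjectComputeLimit": False,
    "enforceTerminationForProjectEgressBytesLimit": False,
}

MIN_WORKING_URL_SECONDS = 300  # page: shorter values can break File Viewers
MAX_URL_SECONDS = 86400        # page: documented maximum (24 hours)
REVIEW_URL_CEILING = 3600      # assumption: this example's own review threshold

# Spending limit -> the policy that makes exceeding it terminate work.
# The storage pair is left out because the page marks it "Not Changeable".
LIMIT_PAIRS = [
    ("monthlyProjectComputeLimitDefault", "enforceTerminationForProjectComputeLimit"),
    ("monthlyProjectEgressBytesLimitDefault", "enforceTerminationForProjectEgressBytesLimit"),
]


def audit_org_policies(policies, url_ceiling=REVIEW_URL_CEILING):
    """Return a list of (policy_name, message) findings; empty if none."""
    p = {**PAGE_DEFAULTS, **policies}
    findings = []

    if p["memberListVisibility"] == "PUBLIC":
        findings.append(("memberListVisibility",
                         "any DNAnexus user can view members' status and permission flags"))

    for name, action in (
        ("restrictProjectTransfer", "change the billing account of an org-billed project"),
        ("restrictProjectSharing", "invite the org to a project"),
    ):
        if p[name] == "MEMBER":
            findings.append((name, f"any org member can {action}"))

    ttl = p["maximumPreauthenticatedDuration"]
    if isinstance(ttl, bool) or not isinstance(ttl, int) or not 0 <= ttl <= MAX_URL_SECONDS:
        findings.append(("maximumPreauthenticatedDuration",
                         f"{ttl!r} is outside 0..{MAX_URL_SECONDS}"))
    elif ttl == 0:
        pass  # preauthenticated URLs are disabled for the whole org
    elif ttl < MIN_WORKING_URL_SECONDS:
        findings.append(("maximumPreauthenticatedDuration",
                         f"{ttl}s is below {MIN_WORKING_URL_SECONDS}s; viewers and tools may break"))
    elif ttl > url_ceiling:
        findings.append(("maximumPreauthenticatedDuration",
                         f"{ttl}s exceeds the review ceiling of {url_ceiling}s; "
                         "URLs are not revoked once generated"))

    for limit_key, enforce_key in LIMIT_PAIRS:
        if p[limit_key] is not None and not p[enforce_key]:
            findings.append((enforce_key,
                             f"{limit_key} is set but termination is not enforced"))
    return findings


# Constructed sample inputs (not taken from a real org).
WEAK_SAMPLE = {
    "memberListVisibility": "PUBLIC",
    "maximumPreauthenticatedDuration": 120,
    "monthlyProjectEgressBytesLimitDefault": 10**12,
    "enforceTerminationForProjectEgressBytesLimit": False,
}
HARDENED_SAMPLE = {
    "memberListVisibility": "ADMIN",
    "restrictProjectTransfer": "ADMIN",
    "restrictProjectSharing": "ADMIN",
    "maximumPreauthenticatedDuration": 900,
    "monthlyProjectComputeLimitDefault": 500,
    "enforceTerminationForProjectComputeLimit": True,
}

if __name__ == "__main__":
    for policy, message in audit_org_policies(WEAK_SAMPLE):
        print(f"{policy}: {message}")
```

An org created with the /org/new defaults and no overrides yields three findings with these thresholds: both "MEMBER" restrictions and the 12-hour URL lifetime.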
API Method Specifications
API Method: /org/new
/org/new Specification
Creates a new non-billable organization. After creation, the requesting user receives sole ADMIN rights of the organization. The organization's handle and name remain visible to the public. The org functions as an alias for a group of users, but does not allow billable activities (such as creation of projects or uploading of data). Contact DNAnexus Sales to create a billable org.
Inputs
handle string A case-insensitive unique handle for the org. The chosen handle must not be in use by any other user or org. The lowercase of handle is appended to "org-" to form the ID of this org. An org handle:
must start with an alpha character (uppercase or lowercase)
must be at least 3 characters long
may contain alphanumeric characters (uppercase and lowercase), periods, and underscores
must be no longer than 33 characters
name string A descriptive name for the organization
policies mapping (optional) A set of organization policies to override the corresponding default policies. Policies that are not included inherit the system default policies. See org policies for more information
nonce string (optional) Unique identifier for this request. Ensures that even if multiple requests fail and are retried, only a single org is created. For more information, see Nonces.
Outputs
id string ID of the newly created organization ("org-" + handle)
Errors
InvalidInput
A nonce was reused in a request but other inputs had changed, signifying a new and different request
A nonce may not exceed 128 bytes
InvalidState
The handle of the org case-insensitively matches that of an existing org or user, or of a previously destroyed org
PermissionDenied
The requesting user does not have a full scope token
User cannot set the following policies:
monthlyProjectComputeLimitDefault
monthlyProjectEgressBytesLimitDefault
monthlyProjectStorageLimitDefault
enforceTerminationForProjectComputeLimit
enforceTerminationForProjectEgressBytesLimit
enforceTerminationForProjectStorageLimit
projectSpendingLimitNotificationThreshold
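The input rules and error conditions for /org/new can be checked locally before the request is sent. The following is an added example, not DNAnexus code: known_handles is a hypothetical caller-supplied list, "alpha" is assumed to mean ASCII letters, and the nonce length is assumed to be measured in UTF-8 bytes.

```python
import re

# Handle rules from this page: alpha first, 3..33 characters in total, then
# alphanumerics, periods or underscores. Assumption: ASCII letters only.
HANDLE_RE = re.compile(r"[A-Za-z][A-Za-z0-9._]{2,32}")
MAX_NONCE_BYTES = 128

# Policies this page lists under PermissionDenied for /org/new.
NOT_SETTABLE_AT_CREATION = frozenset({
    "monthlyProjectComputeLimitDefault",
    "monthlyProjectEgressBytesLimitDefault",
    "monthlyProjectStorageLimitDefault",
    "enforceTerminationForProjectComputeLimit",
    "enforceTerminationForProjectEgressBytesLimit",
    "enforceTerminationForProjectStorageLimit",
    "projectSpendingLimitNotificationThreshold",
})


def org_id_for(handle):
    """ID the platform forms from a handle: "org-" + lowercase handle."""
    return "org-" + handle.lower()


def preflight_org_new(handle, name, policies=None, nonce=None, known_handles=()):
    """Check /org/new inputs locally; return (request_body_or_None, problems).

    known_handles: user/org handles the caller already knows are taken
    (hypothetical input; the platform remains the authority on uniqueness,
    including handles of previously destroyed orgs).
    """
    problems = []
    if not HANDLE_RE.fullmatch(handle):
        problems.append("handle: must start with a letter, be 3-33 characters, "
                        "and use only letters, digits, '.' and '_'")
    elif handle.lower() in {h.lower() for h in known_handles}:
        problems.append("handle: case-insensitive match with an existing handle")

    # The limit is in bytes, so multi-byte characters count more than once.
    if nonce is not None and len(nonce.encode("utf-8")) > MAX_NONCE_BYTES:
        problems.append("nonce: exceeds 128 bytes")

    blocked = sorted(NOT_SETTABLE_AT_CREATION & set(policies or {}))
    if blocked:
        problems.append("policies: cannot be set by the user: " + ", ".join(blocked))

    if problems:
        return None, problems
    body = {"handle": handle, "name": name}
    if policies:
        body["policies"] = dict(policies)
    if nonce is not None:
        body["nonce"] = nonce
    return body, []


if __name__ == "__main__":
    # Constructed inputs.
    print(preflight_org_new("Lab.One_2", "Lab One", nonce="req-0001"))
    print(preflight_org_new("lab-one", "Lab One"))
```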
API Method: /org-xxxx/describe
/org-xxxx/describe Specification
Describes an organization. The output may be restricted if this is invoked by a non-member user. The exact subset of fields that is returned is defined by the organization's policies.
Inputs
defaultFields boolean (optional, default false if fields exists, true otherwise) Includes the default set of fields in the output (see "Outputs" section). Fields named explicitly in fields override these selections
fields mapping (optional) Specifies fields to include or exclude from the output. These selections override defaultFields settings
key Desired output field (see the "Outputs" section below for valid values)
value boolean Whether to include the field
The following options are deprecated (and are not respected if fields is present):
pendingTransfers boolean (optional, default false) If true, returns a list of project IDs which the org has been invited to be the billing account for
Outputs
id string The organization ID
The following fields are included by default (but can be disabled using fields or defaultFields):
class string The string "org"
handle string The organization handle, as originally provided to /org/new
name string The descriptive name of the organization
The following field (included by default) is available if the org's memberListVisibility policy is set to 'PUBLIC' or if the memberListVisibility policy is any other value, the requesting user is a MEMBER of the org, and a full scope token is supplied.
admins array of strings The IDs of users who are ADMINs of the organization
The remaining keys are only available if a full scope token is supplied.
The following fields (included by default) are available if the requesting user is a member of the org:
level string Membership level of the requesting user in the org
allowBillableActivities boolean Whether the requesting user can perform billable activities on behalf of the org (see Organization permission flags for more information)
projectAccess string The maximum project permission the requesting user is granted via the org to projects explicitly shared with the org (see Organization permission flags for more information)
appAccess boolean Whether the requesting user can access and run apps shared with the org (see Organization permission flags for more information)
policies mapping Organization-wide policies
pendingBillingInformation mapping or null A mapping containing billing information that goes into effect once the accounts payable contact agrees to and confirms the billing information, or null if there is no pending billing information
estSpendingLimitLeft number or null The estimated number of dollars remaining before new activities billed to the org are locked down. A value of null indicates that no spending limit is imposed on the account. This value may be negative, which indicates that the org has exceeded the spending limit. The value may continue to decrease if jobs are still running or if projects with nonzero storage amounts are still billed to the org.
phiFeaturesEnabled boolean Whether PHI features have been enabled for the account
defaultRegion string The default region in which newly created projects billed to this org reside (may be overridden at project creation time). For more information about regions, see Regions.
permittedRegions array of strings The regions in which this org is permitted to create projects. For more information about regions, see Regions.
The following fields (included by default) are available if the requesting user is a MEMBER of the org and billing information has been confirmed for this billing account:
billingInformation mapping The confirmed billing contact information to which invoices are sent
The following fields (included by default) are available if the requesting user is a member of the org with allowBillableActivities permission:
computeCharges number Running total of compute charges (in dollars) for the account
computeChargesReflectedUntil timestamp Last date for which computeCharges were calculated
computeChargesComputedAt timestamp Time when computeCharges were updated in the system
storageCharges number Running total of storage charges (in dollars) for the account
storageChargesReflectedUntil timestamp Last date for which storageCharges were calculated
storageChargesComputedAt timestamp Time that storageCharges were last updated in the system
dataEgressCharges number Running total of data egress charges (in dollars) for the account
dataEgressChargesReflectedUntil timestamp Last date for which dataEgressCharges were calculated
dataEgressChargesComputedAt timestamp Time that dataEgressCharges were last updated in the system
dearchivalCharges number Running total of data dearchival charges (in dollars) for the account
dearchivalChargesReflectedUntil timestamp Last date for which dearchivalCharges were calculated
dearchivalChargesComputedAt timestamp Time that dearchivalCharges were last updated in the system
dbclusterCharges number Running total of DB cluster charges (in dollars) for the account
dbclusterChargesReflectedUntil timestamp Last date for which dbclusterCharges were calculated
dbclusterChargesComputedAt timestamp Time that dbclusterCharges were last updated in the system
The following fields are only returned if the corresponding field in the fields input is set to true, the user is a member of the org with allowBillableActivities permission, and billing information has been confirmed for this billing account:
pricingModelsByRegion mapping Contains information about the pricing models that are in effect for the org (applied to projects whose billTo is this org). The mapping has one entry for each region in the permittedRegions of the org:
key region, for example, "aws:us-east-1"
value mapping the pricing model that is applied in this region
storageRatePerGBMonth number Storage rate (in dollars per GB-month) for ordinary (non-archival) storage in this region
computeRatesPerHour mapping Contains compute rates for each instance type the account is permitted to use in this region. For a list of available instance types, see: Instance Types
key Instance type name
value number Rate (in dollars per instance-hour)
ipRates mapping Rate for data leaving DNAnexus from this region to specific destination IP ranges (specified in CIDR notation). If an IP is in more than one specified range, the rate is given by the most specific matching IP range. The mapping includes the predefined key "0.0.0.0/0" with the default rate.
key IP range (specified in CIDR notation)
value number Rate (in dollars per GB) leaving DNAnexus to that IP range
publicIPv4AddressRatePerHour number Per-hour charge (in currency units) for using IPv4 addresses for workers in this region
The following field is present only if the org has the phiFeaturesEnabled field set to true:
computeRatesPerHourPHI mapping Contains compute rates for each instance type the account is permitted to use in this region, applied only to projects that have the containsPHI flag set
key Instance type name
value number Rate (in dollars per instance-hour) for this instance type
The following fields are present only if the org has the Relational Database Service enabled:
dbclusterStorageRatePerGBMonth number Storage rate (in dollars per GB-month) for storage used by DBCluster, in this region.
dbclusterBackupPerGBMonth number Backup storage rate (in dollars per GB-month) for storage used by DBCluster, in this region.
dbclusterIORequestsPer1M number The rate (in dollars) charged per million of I/O requests made to the DBCluster billed to this org. See AWS Aurora I/O operations FAQ for more details.
dbclusterInstanceRatesPerHour mapping Contains compute rates (in dollars) for each instance type used for DBCluster, that the account is permitted to use in this region.
dbclusterInstanceCpuBurstRatesPerHour mapping Contains CPU Burst rates (in dollars) for each bursting DBCluster instance type that the account is permitted to use in this region. db_std1 instances may incur CPU Burst charges similar to AWS T3 Db instances described in AWS RDS instance types documentation. db_std1_x1 has 2 cores. Regular hourly charges for this instance type are based on 1 core, CPU Burst charges are based on 2 cores
The following fields are only returned if the corresponding field in the fields input is set to true and the requesting user is an ADMIN of the org:
expiresAt timestamp The date when the organization expires and all associated data is permanently deleted. This field is not present if the organization does not have an expiration date. The value is a Unix timestamp in milliseconds. For example, 1735689600000 represents January 1, 2025 at 00:00:00 UTC. Organization expiration dates are typically set for temporary organizations used for testing purposes.
pendingTransfers list of strings List of project IDs which the org has been invited to be the billing account for
userCreationFeaturesEnabled boolean Whether ADMINs of this org may provision a new account for another user
The following field is only returned if the requesting user is an ADMIN of the org:
jobLogsForwarding mapping Job logs forwarding settings for the org, or null if job logs forwarding has not been configured for the org or if the org does not have job logs forwarding license. This mapping may contain the following keys:
url string The URL of the Splunk endpoint if the org is configured to send job logs to Splunk
tokenSignature string The sha256 of the Splunk token supplied to /org-xxxx/update if the org is configured to send job logs to Splunk
updated integer The timestamp when this configuration was last updated
updatedBy string The user id that issued the last configuration update
The following keys in policies (included by default) are available if the requesting user is a member of the org and if the org has the Monthly Project Spending Limit feature enabled:
monthlyProjectComputeLimitDefault (see Org Policies for details)
monthlyProjectEgressBytesLimitDefault (see Org Policies for details)
monthlyProjectStorageLimitDefault (see Org Policies for details)
enforceTerminationForProjectComputeLimit (see Org Policies for details)
enforceTerminationForProjectEgressBytesLimit (see Org Policies for details)
enforceTerminationForProjectStorageLimit (see Org Policies for details)
projectSpendingLimitNotificationThreshold (see Org Policies for details)
Errors
PermissionDenied
jobLogsForwarding field can only be explicitly requested by an org ADMIN with a full scope token
API Method: /org-xxxx/update
/org-xxxx/update Specification
Updates information about an organization. The requesting user must be an ADMIN of the organization.
Inputs
name string (optional) A descriptive name for the organization
policies mapping (optional) A set of organization policies to override the existing policies. Policies that are not included in the mapping are not updated. See org policies for more information.
defaultRegion string (optional) The default region in which all newly created projects billed to this org reside (may be overridden at project creation time). For more information about regions, see Regions.
jobLogsForwarding mapping (optional) Configuration to enable or disable the forwarding of job logs billed to this org to customer's Splunk instance. See Forwarding Job Logs to customer's Splunk for more information. Supplying an empty mapping disables job logs forwarding. If job logs forwarding is already disabled, the operation succeeds without updating the org's jobLogsForwarding configuration. Otherwise, the mapping requires the following keys:
url string The URL of the Splunk HEC endpoint to receive forwarded job logs. Must start with "https://". For example: https://http-inputs-examplecompany.splunkcloud.com/services/collector/event
token string The Splunk HEC token string for forwarding job logs to Splunk
Enabling job logs forwarding prints the following message to the configured Splunk instance:
user-xxxx, an admin of org-yyyy is enabling DNAnexus job logs forwarding with these parameters{"url": "<url>","tokenSignature": "<sha256OfSplunkToken>"}
Outputs
id string ID of the organization
Errors
InvalidInput
defaultRegion is not in the org's permittedRegions
If monthlyProjectComputeLimitDefault in policies is not an int and not null, or not larger than zero.
If monthlyProjectEgressBytesLimitDefault in policies is not an int and not null, or not larger than zero.
If monthlyProjectStorageLimitDefault in policies is not a float and not NULL, or not larger than zero.
If enforceTerminationForProjectComputeLimit in policies is not a boolean.
If enforceTerminationForProjectEgressBytesLimit in policies is not a boolean.
If projectSpendingLimitNotificationThreshold in policies is not an integer, or not in the range of [1, 50]
detailedJobMetricsCollectDefault in policies input must be a boolean
jobLogsForwarding URL must start with https://
jobLogsForwarding URL must not exceed 1024 characters
jobLogsForwarding must be an empty hash or a hash with URL and token fields
Attempt to upload to <Splunk HEC URL> failed with <Splunk upload error code> '<Splunk upload error message>'
jobLogsForwarding cannot be updated together with other org attributes
PermissionDenied
The requesting user is not an ADMIN of the organization.
The requesting user does not have a full scope token.
If monthlyProjectSpendingLimit is not enabled for the org but the following fields are provided for policies:
monthlyProjectComputeLimitDefault
monthlyProjectEgressBytesLimitDefault
enforceTerminationForProjectComputeLimit
enforceTerminationForProjectEgressBytesLimit
projectSpendingLimitNotificationThreshold
If monthlyProjectStorageSpendingLimit is not enabled for the org, but the following fields are provided for policies:
monthlyProjectStorageLimitDefault
If the Detailed Job Metrics feature is not enabled for the org, but the following fields are provided for policies:
detailedJobMetricsCollectDefault
If the Job Logs Forwarding feature is not enabled for the org, but the following fields are provided:
jobLogsForwarding
API Method: /org-xxxx/invite
/org-xxxx/invite Specification
Invites a user to become a member of the organization. Sends the invitation to an existing user or email address.
Inputs
invitee string User ID or email address of the user that is invited to the organization with a membership status of level
level string (optional, default "MEMBER") Membership status that the invitee receives (one of "MEMBER" or "ADMIN")
message string (optional) A message to the recipient invitee
suppressEmailNotification boolean (optional, default false) If true, does not send an email notification to the invitee
If level is "MEMBER", then the following optional org permission flags (see Org Permission Flags for more information) may be included:
allowBillableActivities boolean (optional, default false) Whether the invitee can perform billable activities on behalf of the org.
appAccess boolean (optional, default true) Whether the user can access and run apps shared with the org
projectAccess string (optional, default "CONTRIBUTE") The maximum project permission the invitee is granted via the org to projects explicitly shared with the org (one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")
Outputs
id string Invite ID, or null if the invite did not need to be created. This happens when the invitee already has at least the requested permission.
state string State of the invite
Errors
ResourceNotFound
invitee is not an existing user or is not a valid email address
PermissionDenied
The requesting user is not an ADMIN of the organization
The requesting user does not have a full scope token.
API Method: /org-xxxx/setMemberAccess
/org-xxxx/setMemberAccess Specification
Modifies the organization membership statuses and/or permission flags for members of the organization. To add new users to the organization, refer to /org-xxxx/invite.
Changes in user membership status from "ADMIN" to "MEMBER" require specifying permission flags.
For an existing user who is a "MEMBER" and remains a "MEMBER", the specified permission flags are set, and those that are unspecified are unaffected.
When changing a user's membership status from "MEMBER" to "ADMIN", permission flags cannot be specified.
This method attempts to make all possible modifications. If some modifications fail because users in the input are not members of the organization, the method applies changes to all remaining users and throws an InvalidState error. This behavior does not apply to other errors.
Inputs
The input to /org-xxxx/setMemberAccess is a mapping with the following key-value pairs:
key User ID
value mapping A mapping of organization membership status and permission flags to set for the corresponding user. Includes the following key-value pairs:
level string One of "MEMBER" or "ADMIN".
The following fields are required if level is "MEMBER" and the corresponding user has a membership status of "ADMIN", prohibited if level is "ADMIN", and optional otherwise:
allowBillableActivities boolean (optional) Whether the corresponding user can perform billable activities on behalf of the org
appAccess boolean (optional) Whether the corresponding user can access or run apps shared with the org
projectAccess string (optional) The maximum project permission the corresponding user is granted via the org to projects explicitly shared with the org (one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")
Outputs
id string ID of the organization
Errors
InvalidInput
The requesting user specified themselves in the input
InvalidState
At least one of the users is neither a MEMBER nor an ADMIN of the organization
PermissionDenied
The requesting user is not an ADMIN of the organization
The requesting user does not have a full scope token
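Because /org-xxxx/setMemberAccess applies every change it can before raising InvalidState, it pays to check a request body against the current membership first and to list which entries raise a user's privileges. The following is an added example, not DNAnexus code: the user IDs and membership data are constructed, and the problem texts are this example's own wording (only the two commented cases map to error names documented above).

```python
PROJECT_ACCESS = ["NONE", "VIEW", "UPLOAD", "CONTRIBUTE", "ADMINISTER"]  # low -> high
FLAGS = ("allowBillableActivities", "appAccess", "projectAccess")
ADMIN_FLAGS = {"allowBillableActivities": True, "appAccess": True,
               "projectAccess": "ADMINISTER"}  # ADMINs hold every permission


def _bad_values(entry):
    """Names of flags in `entry` whose value has the wrong type or range."""
    bad = [f for f in ("allowBillableActivities", "appAccess")
           if f in entry and not isinstance(entry[f], bool)]
    if "projectAccess" in entry and entry["projectAccess"] not in PROJECT_ACCESS:
        bad.append("projectAccess")
    return bad


def check_set_member_access(requester, current, changes):
    """Pre-flight a /org-xxxx/setMemberAccess body.

    requester: user ID making the call
    current:   user ID -> {"level": ..., plus the flags for MEMBERs}
    changes:   the request body (user ID -> {"level": ..., flags})
    Returns (problems, escalations), each a list of (user ID, text).
    """
    problems, escalations = [], []
    for user, new in changes.items():
        if user == requester:                  # documented: InvalidInput
            problems.append((user, "requester may not list themselves"))
            continue
        if user not in current:                # documented: InvalidState
            problems.append((user, "not a MEMBER or ADMIN of the org"))
            continue
        level, was = new.get("level"), current[user]["level"]
        given = [f for f in FLAGS if f in new]
        if level not in ("MEMBER", "ADMIN"):
            problems.append((user, "level must be MEMBER or ADMIN"))
        elif level == "ADMIN":
            if given:
                problems.append((user, "flags are prohibited when level is ADMIN"))
            elif was != "ADMIN":
                escalations.append((user, "MEMBER -> ADMIN"))
        elif was == "ADMIN" and len(given) < len(FLAGS):
            missing = [f for f in FLAGS if f not in new]
            problems.append((user, "ADMIN -> MEMBER requires " + ", ".join(missing)))
        elif _bad_values(new):
            problems.append((user, "invalid value for " + ", ".join(_bad_values(new))))
        else:
            # Compare against what the user holds now; unspecified flags stay as is.
            old = ADMIN_FLAGS if was == "ADMIN" else current[user]
            for f in ("allowBillableActivities", "appAccess"):
                if new.get(f) is True and old.get(f) is not True:
                    escalations.append((user, f + " granted"))
            if "projectAccess" in new:
                before = old.get("projectAccess", "NONE")
                if PROJECT_ACCESS.index(new["projectAccess"]) > PROJECT_ACCESS.index(before):
                    escalations.append(
                        (user, f"projectAccess {before} -> {new['projectAccess']}"))
    return problems, escalations


# Constructed membership (e.g. assembled from /org-xxxx/findMembers) and request.
CURRENT = {
    "user-alice": {"level": "ADMIN"},
    "user-bob": {"level": "MEMBER", "allowBillableActivities": False,
                 "appAccess": True, "projectAccess": "CONTRIBUTE"},
    "user-carol": {"level": "ADMIN"},
    "user-dave": {"level": "MEMBER", "allowBillableActivities": False,
                  "appAccess": True, "projectAccess": "VIEW"},
}
CHANGES = {
    "user-alice": {"level": "ADMIN"},
    "user-bob": {"level": "MEMBER", "allowBillableActivities": True,
                 "projectAccess": "ADMINISTER"},
    "user-carol": {"level": "MEMBER", "appAccess": True},
    "user-dave": {"level": "ADMIN", "projectAccess": "ADMINISTER"},
    "user-erin": {"level": "MEMBER"},
}

if __name__ == "__main__":
    problems, escalations = check_set_member_access("user-alice", CURRENT, CHANGES)
    for user, text in problems:
        print("PROBLEM   ", user, text)
    for user, text in escalations:
        print("ESCALATION", user, text)
```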
API Method: /org-xxxx/findProjects
/org-xxxx/findProjects Specification
Lists projects that are billed to the org (and optionally describes those projects). Only ADMINs of the org are permitted to perform this operation.
Projects are ordered by:
Last modified time stamp (descending), then
ID (ascending)
This behaves similarly to /system/findProjects
Inputs
name string or mapping (optional) If a string, then the exact case-sensitive name that the resulting projects must have. If a mapping, then may include any subset of the following key-value pairs:
regexp string (mutually exclusive with glob, required if glob is not present) A PCRE regular expression that must be matched by the name of all resulting projects
flags string (optional if regexp is present, prohibited otherwise) The only valid value for this field is i, which enables case-insensitive matching with the regexp
glob string (mutually exclusive with regexp, required if regexp is not present) A wildcard pattern that must be matched by the name of all resulting projects. The valid wildcard patterns are '*' (0 or more characters) and '?' (1 character)
id array of strings (optional) If specified, the resulting projects must have project IDs among this list of IDs. The array may contain no more than 1000 elements
tags string or mapping (optional) Specifies the tags that all resulting projects must have. Can be provided in the following ways:
A simple string to match a single tag exactly, for example, "production".
An AND condition requiring all specified tags to match, for example, {"$and": ["production", "validated"]}.
An OR condition requiring at least one specified tag to match, for example, {"$or": ["production", "development"]}.
Complex nested conditions: {"$or": ["production", {"$and": ["validated", "reviewed"]}]}.
properties mapping (optional) Specifies the properties that matching projects must have. Can be provided in the following ways:
A mapping of key-value pairs where each key is a property name and each value can be:
A string: The property must have exactly this value, for example, {"department": "genomics"}.
A boolean true: The property must exist with any value, for example, {"confidential": true}.
An AND condition requiring all specified property constraints to match, for example, {"$and": [{"department": "genomics"}, {"confidential": true}]}.
An OR condition requiring at least one specified property constraint to match, for example, {"$or": [{"department": "genomics"}, {"department": "proteomics"}]}.
Complex nested conditions: {"$or": [{"department": "genomics"}, {"$and": [{"confidential": true}, {"status": "active"}]}]}.
cloudAccount string (optional) If specified, limits results to projects associated with the provided cloud account ID.
provider string (optional) If specified, the resulting set contains only projects that are associated with the provider ID.
region string or array of strings (optional) For a string value, limits results to projects matching the specified region. For an array, limits results to projects with region matching any of the specified strings.
public boolean (optional) If true, includes only public projects in the result set. If false, excludes all public projects.
created mapping (optional) If at least one of the following keys exists, limits results to projects created in the specified time period. Without these keys, no creation time constraints apply. An error occurs if a created hash lacks at least one key.
after timestamp (optional) If specified, only return results created at or after this time
before timestamp (optional) If specified, only return results created at or before this time
describe boolean or mapping (optional, default false) False returns no extra metadata with results. A mapping provides input for /project-xxxx/describe calls on each returned project. True represents an empty mapping input. Allows the following keys:
monthlyComputeLimit
currentMonthComputeUsage
currentMonthComputeAvailableBudget
monthlyEgressBytesLimit
currentMonthEgressBytesUsage
currentMonthEgressBytesAvailableBudget
monthlyStorageLimit
currentMonthExpectedStorageUsage
currentMonthStorageAvailableBudget
starting string (optional) Continue a previous query that had reached its limit. The value that was returned as next in the previous query's output should be provided here
limit int (optional, default 1000, max 1000) Maximum number of projects that are returned
containsPHI boolean (optional) If set to true, only projects that contain PHI data are retrieved. If set to false, only projects that do not contain PHI data are retrieved.
Outputs
results array of mappings List of results, each with the following fields:
id string ID of the resulting project
public boolean Whether the project is public
level string The explicit project permission the requesting user has to the corresponding project. May be "NONE".
describe mapping The output of the corresponding project's describe method if the input describe was true or a mapping. This mapping may contain the key level with a corresponding value of "NONE", unlike the output of /system/findProjects.
next string or null If null, all results are included in results. If a string, it represents the next result that could not be included because limit results have been returned. Supply this value to starting in a subsequent query to retrieve more results.
Errors
PermissionDenied
The requesting user is not an ADMIN of the organization
The requesting user does not have a full scope token
API Method: /org-xxxx/findApps
/org-xxxx/findApps Specification
Lists all apps that are billed to the org. The ordering of results is arbitrary. Only ADMINs of the org are permitted to perform this operation.
This operation behaves similarly to /system/findApps, except that, by default, it returns all apps billed to the org, regardless of whether the app has been published, or whether the requesting user is either a developer or on the authorized users list.
Org ADMINs can call /app-xxxx/addDeveloper on any app returned by this route.
Inputs
name (string or mapping, optional): If a string, the exact case-sensitive name that the results must have. If a mapping, then it can have a subset of the following fields:
  regexp (string, mutually exclusive with glob, required if glob is not present): A PCRE regular expression that the name of all results must match
  flags (string, optional, can only be present if regexp is present): The only valid value for this field is "i", which enables case-insensitive matching with the regular expression
  glob (string, mutually exclusive with regexp, required if regexp is not present): A wildcard pattern that the name of all results must match. The valid wildcard characters are '*' (0 or more characters) and '?' (1 character).
category (string or mapping, optional): Specifies the category or categories that matching apps must have. Can be provided in the following ways:
  A simple string to match a single category exactly, for example, "Alignment".
  An AND condition requiring all specified categories to match, for example, {"$and": ["Alignment", "NGS"]}.
  An OR condition requiring at least one specified category to match, for example, {"$or": ["Alignment", "Variant Calling"]}.
  Complex nested conditions: {"$or": ["Alignment", {"$and": ["NGS", "RNA-Seq"]}]}.
allVersions (boolean, optional, default false): Set to true to include all app versions, not just those tagged with "default"
published (boolean, optional): Set to true for published apps only, false for unpublished apps only. If omitted, returns both published and unpublished apps.
createdBy (string, optional): ID of the user who created the app
developer (string, optional): ID of a developer the app must have
authorizedUser (string, optional): One of a user ID, an org ID or the string "PUBLIC", that must exist in each app's authorizedUsers list
modified (mapping, optional): If at least one of the following keys is specified, the resulting apps must have been last modified in the indicated time period. If not specified, there is no constraint on when the app was last modified. If a modified hash does not contain at least one of the following keys, an error is thrown.
  after (timestamp, optional): Limits results to those modified at or after this time
  before (timestamp, optional): Limits results to those modified at or before this time
created (mapping, optional): If at least one of the following keys is specified, the resulting apps must have been created in the indicated time period. If not specified, there is no constraint on app creation time. If a created hash does not contain at least one of the following keys, an error is thrown.
  after (timestamp, optional): If specified, only return results created at or after this time
  before (timestamp, optional): If specified, only return results created at or before this time
describe (boolean or mapping, optional, default false): False indicates that no extra metadata should be retrieved with the results. A mapping represents the input that is used for calling /app-xxxx/describe on each of the returned results. A value of true is equivalent to the empty hash input.
starting (mapping, optional): Continue a previous query that had reached its limit. The value that was returned as next in the query's output should be provided here
limit (int, optional, default 1000): Maximum number of results to return. Valid range: 1-1000 (inclusive)
Outputs
results (array of mappings): List of results, each with the following fields:
  id (string): ID of the app
  describe (mapping): The output of the result's corresponding describe method if describe was set to true or a mapping.
next (mapping or null): If null, all results were reported in results. If a mapping, represents the next result that could not be returned because limit results have already been returned. This value should be passed directly to starting in a subsequent query if more results are desired.
Errors
PermissionDenied
The requesting user is not an ADMIN of the organization
The requesting user does not have a full scope token
API Method: /org-xxxx/removeMember
Specification
Removes the specified user from the org. The requesting user may remove any org member, including themselves, from the org. By default, this operation also revokes all permissions that the specified user has to projects and/or apps that are billed to the org. On completion, the specified user may no longer perform any action that can incur charges to the org.
The requesting user must be an ADMIN of the org, but does not need ADMINISTER permission to projects or developer access to apps whose permissions may be modified by this operation.
When removing another member from the org, the requesting user may receive elevated permissions to projects and/or apps to prevent orphaned resources. For example, the requesting user receives ADMINISTER permission to a project only if the specified user is the sole user with ADMINISTER permission. Similarly, the requesting user receives developer access to an app only if the specified user is the sole developer. The requesting user receives no elevated permissions when removing themselves from the org.
If the specified user is not a member of the org at invocation time, their permissions to projects and/or apps billed to the org remain unchanged.
Inputs
user (string): ID of the user to remove from the org
revokeProjectPermissions (boolean, optional, default true): Whether to revoke all explicit permissions granted to user to projects billed to the org. The requesting ADMIN does not need to have ADMINISTER permission to projects billed to the org that are modified because of this operation.
revokeAppPermissions (boolean, optional, default true): Whether to revoke all explicit developer and authorized accesses granted to user to apps billed to the org. The requesting ADMIN does not need to have developer access to apps billed to the org that are modified because of this operation.
Outputs
id (string): ID of the manipulated org
projects (mapping): Mapping with the following key-value pairs:
  key: ID of a project for which the specified user's explicit permission was revoked
  value (boolean): Whether the requesting administrator was granted ADMINISTER permission to the corresponding project
apps (mapping): Mapping with the following key-value pairs:
  key: Name of an app for which all of the specified user's explicit accesses were revoked
  value (boolean): Whether the requesting administrator was granted developer access to the corresponding app
Errors
InvalidState
The requesting user may not remove themselves if they are the only ADMIN in the org
PermissionDenied
Must have full scope auth token
Must be an ADMIN of the org
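The removal flow described above, as an added example (not DNAnexus code): it confirms membership with /org-xxxx/findMembers before calling removeMember, because a non-member's permissions are left unchanged, and then reports where the requesting ADMIN was elevated. The `call(route, payload)` transport, `offboard`, `make_fake_org` and the sample IDs are assumptions made for this sketch.

```python
from typing import Callable

# Assumed transport: call(route, payload) returns the decoded JSON response.
ApiCall = Callable[[str, dict], dict]

def offboard(call: ApiCall, org_id: str, user_id: str) -> dict:
    """Remove user_id from the org and report what changed for the caller."""
    # removeMember leaves project/app permissions untouched for a non-member,
    # so confirm membership first instead of assuming the removal took effect.
    found = call(f"/{org_id}/findMembers", {"id": [user_id], "limit": 1})
    if not found["results"]:
        return {"removed": False, "reason": "not a member; permissions unchanged"}
    out = call(f"/{org_id}/removeMember", {
        "user": user_id,
        "revokeProjectPermissions": True,  # documented defaults, made explicit
        "revokeAppPermissions": True,
    })
    projects, apps = out.get("projects", {}), out.get("apps", {})
    return {
        "removed": True,
        "revokedProjects": sorted(projects),
        "revokedApps": sorted(apps),
        # A true value means the requesting ADMIN was elevated because the
        # removed user was the sole ADMINISTER holder or the sole developer.
        "callerNowAdministers": sorted(p for p, v in projects.items() if v),
        "callerNowDevelops": sorted(a for a, v in apps.items() if v),
    }

# Constructed removeMember output and a fake transport for offline runs.
SAMPLE_REMOVAL = {
    "id": "org-example",
    "projects": {"project-aaaa": False, "project-bbbb": True},
    "apps": {"app_one": False},
}

def make_fake_org(members: set, removal_output: dict):
    calls = []
    def call(route: str, payload: dict) -> dict:
        calls.append(route)
        if route.endswith("/findMembers"):
            hits = [{"id": u} for u in payload["id"] if u in members]
            return {"results": hits, "next": None}
        if route.endswith("/removeMember"):
            members.discard(payload["user"])
            return removal_output
        raise ValueError(route)
    return call, calls
```

Entries under callerNowAdministers and callerNowDevelops are access the requesting ADMIN did not hold before the call, so they are worth logging and reassigning after an offboarding.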
API Method: /org-xxxx/findMembers
Specification
Finds all members of the org, subject to the constraints specified by the requesting user.
The requesting user may be required to have a certain minimum org membership level to perform this operation. To bypass the minimum org membership level restriction and view the membership information of oneself, invoke /org-xxxx/describe.
The ordering of the returned members is ascending by ID.
Inputs
level (string, optional): Restrict results to members with the specified membership level. Must be one of "MEMBER" or "ADMIN"
id (array of strings, optional): If specified, the resulting list of members must have user IDs among this list of IDs. The array may contain no more than 1000 elements.
describe (boolean or mapping, optional, default false): False indicates that no extra metadata is retrieved with the results. True represents the empty mapping input. A mapping represents the input that is used to describe each of the members in the result set. See /user-xxxx/describe for more information.
starting (mapping, optional): Continue a previous query that had reached its limit. The non-null value that was returned as next in that query's output should be provided here.
limit (int, optional, default 1000, max 1000): Maximum number of members that may be returned
Outputs
results (array of mappings): List of results, each with the following fields:
  id (string): ID of the org member
  level (string): Membership level of the member in this org
  allowBillableActivities (boolean): Whether the corresponding member can perform billable activities on behalf of the org (see org permission flags for more information)
  projectAccess (string): The maximum project permission the corresponding member is granted via the org to projects explicitly shared with this org
  appAccess (boolean): Whether the corresponding member can access and run apps shared with this org
  describe (mapping): Metadata about the org member if describe was true or a mapping. The output is equivalent to that of /user-xxxx/describe, with the exception that the extra keys are not present if the requesting user is also the member being described. The mapping contains a subset of the following keys: id, class, first, last, middle, handle
next (mapping or null): If null, all results were reported in results. If a mapping, represents the next result that could not be returned because limit results have already been returned. This value should be passed directly to starting in a subsequent query if more results are desired.
Errors
PermissionDenied
The requesting user does not have a sufficient org membership level. See memberListVisibility for more information. /org-xxxx/describe may be invoked to view the requesting user's own org membership information.
Must have full scope auth token
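The next/starting pagination shared by /org-xxxx/findMembers and /org-xxxx/findApps, used here to audit which members hold elevated org permissions; this is an added example, not DNAnexus code. The `call(route, payload)` transport, the function names, the sample members and the fake cursor format are assumptions made for this sketch.

```python
from typing import Callable, Iterator

# Assumed transport: call(route, payload) returns the decoded JSON response.
ApiCall = Callable[[str, dict], dict]

def paginate(call: ApiCall, route: str, query: dict, limit: int = 1000) -> Iterator[dict]:
    """Yield every result of a find* route by feeding next back as starting."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be in the range 1-1000")
    payload = dict(query, limit=limit)
    while True:
        page = call(route, payload)
        yield from page["results"]
        if page["next"] is None:          # null means nothing was left out
            return
        payload = dict(query, limit=limit, starting=page["next"])

def privileged_members(call: ApiCall, org_id: str, limit: int = 1000) -> list:
    """Return members holding ADMIN level or elevated org permission flags."""
    flagged = []
    for m in paginate(call, f"/{org_id}/findMembers", {}, limit):
        reasons = []
        if m["level"] == "ADMIN":
            reasons.append("ADMIN")
        if m["allowBillableActivities"]:
            reasons.append("allowBillableActivities")
        if m["projectAccess"] == "ADMINISTER":
            reasons.append("projectAccess=ADMINISTER")
        if reasons:
            flagged.append({"id": m["id"], "reasons": reasons})
    return flagged

# Constructed sample members and a fake transport so the example runs offline.
# The {"offset": n} cursor is made up; treat the real next value as opaque.
SAMPLE_MEMBERS = [
    {"id": "user-alice", "level": "ADMIN", "allowBillableActivities": True,
     "projectAccess": "ADMINISTER", "appAccess": True},
    {"id": "user-bob", "level": "MEMBER", "allowBillableActivities": False,
     "projectAccess": "CONTRIBUTE", "appAccess": True},
    {"id": "user-carol", "level": "MEMBER", "allowBillableActivities": True,
     "projectAccess": "VIEW", "appAccess": False},
]

def fake_call(route: str, payload: dict) -> dict:
    start = payload.get("starting", {"offset": 0})["offset"]
    end = start + payload["limit"]
    cursor = {"offset": end} if end < len(SAMPLE_MEMBERS) else None
    return {"results": SAMPLE_MEMBERS[start:end], "next": cursor}
```

Stopping after the first page silently truncates the audit at limit results, which is why the loop ends only when next is null.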
API Method: /org-xxxx/destroy
Specification
Destroys the specified org. All members are removed from the organization. Any project or app permissions granted to the org are revoked.
Inputs
None
Outputs
id (string): ID of the organization
Errors
InvalidState
Existing projects and/or apps are billed to this org
PermissionDenied
The requesting user must be an ADMIN of the org
Must have full scope auth token
API Method: /org-xxxx/bulkUpdateProjectLimit
Inputs
projects (array of strings, required): One or more project IDs to update. The array may contain no more than 1000 elements.
monthlyComputeLimit (int or null, optional): The project-level compute spending limit.
monthlyStorageLimit (float or null, optional): The project-level storage spending limit.
monthlyEgressBytesLimit (int or null, optional): The project-level egress spending limit.
dryRun (boolean, optional, default false): If set to true, the final update call is not performed.
Outputs
updatedCount (int): The number of projects that were updated (or the number of projects that could have been updated if dryRun is true).
Errors
InvalidInput
If neither monthlyComputeLimit nor monthlyComputeEgressBytesLimit nor monthlyStorageLimit is provided.
If monthlyComputeLimit is not int or null or is not larger than or equal to zero.
If monthlyComputeEgressBytesLimit is not int or null or is not larger than or equal to zero.
If monthlyStorageLimit is not a float or NULL or is not larger than or equal to zero.
dryRun is not a boolean.
If any project does not belong to the org.
If there are more than 1000 project IDs.
ResourceNotFound
If a projectId is not found.
PermissionDenied
If licenseFeature.monthlyProjectSpendingLimit is not enabled.
If the requesting user is not the org admin.
The requesting user does not have a full-scope token.