Menu

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Enterprise Open source

RBAC API

Role-based access control API is only available in Grafana Cloud or Grafana Enterprise. Read more about Grafana Enterprise.

The API can be used to create, update, delete, get, and list roles.

To check which basic or fixed roles have the required permissions, refer to RBAC role definitions.

Get status

GET /api/access-control/status

Returns an indicator to check if role-based access control is enabled or not.

Required permissions

ActionScope
status:accesscontrolservices:accesscontrol

Example request

http
GET /api/access-control/status
Accept: application/json
Content-Type: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
  "enabled": true
}

Status codes

CodeDescription
200Returned a flag indicating if the role-based access control is enabled or no.
403Access denied
404Not found, an indication that role-based access control is not available at all.
500Unexpected error. Refer to body and/or server logs for more details.

Create and manage custom roles

Get all roles

GET /api/access-control/roles

Gets all existing roles. The response contains all global and organization local roles, for the organization which user is signed in.

Query Parameters:

  • includeHidden: Optional. Set to true to include roles that are hidden.

Required permissions

ActionScope
roles:readroles:*

Example request

http
GET /api/access-control/roles
Accept: application/json
Content-Type: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

[
    {
        "version": 3,
        "uid": "XvHQJq57z",
        "name": "fixed:reports:reader",
        "displayName": "Report reader",
        "description": "Read all reports and shared report settings.",
        "group": "Reports",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00",
        "global": false
    },
    {
        "version": 5,
        "uid": "vi9mlLjGz",
        "name": "fixed:datasources.permissions:writer",
        "description: "Create, read or delete data source permissions.",
        "global": true,
        "updated": "2021-05-13T22:41:49+02:00",
        "created": "2021-05-13T16:24:26+02:00"
    }
]

Status codes

CodeDescription
200Global and organization local roles are returned.
403Access denied
500Unexpected error. Refer to body and/or server logs for more details.

Get a role

GET /api/access-control/roles/:uid

Get a role for the given UID.

Required permissions

ActionScope
roles:readroles:*

Example request

http
GET /api/access-control/roles/PYnDO3rMk
Accept: application/json
Content-Type: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "version": 4,
    "uid": "6dNwJq57z",
    "name": "fixed:reports:writer",
    "displayName": "Report writer",
    "description": "Create, read, update, or delete all reports and shared report settings.",
    "group": "Reports",
    "permissions": [
        {
            "action": "reports:delete",
            "scope": "reports:*",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        },
        {
            "action": "reports:read",
            "scope": "reports:*",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        },
        {
            "action": "reports:send",
            "scope": "reports:*",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        },
        {
            "action": "reports:create",
            "scope": "",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        },
        {
            "action": "reports:write",
            "scope": "reports:*",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        },
        {
            "action": "reports.settings:read",
            "scope": "",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        },
        {
            "action": "reports.settings:write",
            "scope": "",
            "updated": "2021-11-19T10:48:00+01:00",
            "created": "2021-11-19T10:48:00+01:00"
        }
    ],
    "updated": "2021-11-19T10:48:00+01:00",
    "created": "2021-11-19T10:48:00+01:00",
    "global": false
}

Status codes

CodeDescription
200Role is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Create a new custom role

POST /api/access-control/roles

Creates a new custom role and maps given permissions to that role. Note that roles with the same prefix as Fixed roles can’t be created.

Required permissions

permissions:type:delegate scope ensures that users can only create custom roles with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to create a custom role which allows to do that. This is done to prevent escalation of privileges.

ActionScope
roles:writepermissions:type:delegate

Example request

http
POST /api/access-control/roles
Accept: application/json
Content-Type: application/json

{
    "version": 1,
    "uid": "jZrmlLCGka",
    "name": "custom:delete:roles",
    "displayName": "custom delete roles",
    "description": "My custom role which gives users permissions to delete roles",
    "group":"My Group",
    "displayName": "My Custom Role",
    "global": false,
    "permissions": [
        {
            "action": "roles:delete",
            "scope": "permissions:type:delegate"
        }
    ]
}

JSON body schema

Field NameDate TypeRequiredDescription
uidstringNoUID of the role. If not present, the UID will be automatically created for you and returned in response. Refer to the Custom roles for more information.
globalbooleanNoA flag indicating if the role is global or not. If set to false, the default org ID of the authenticated user will be used from the request.
versionnumberNoVersion of the role. If not present, version 0 will be assigned to the role and returned in the response. Refer to the Custom roles for more information.
namestringYesName of the role. Refer to Custom roles for more information.
descriptionstringNoDescription of the role.
displayNamestringNoDisplay name of the role, visible in the UI.
groupstringNoThe group name the role belongs to.
hiddenbooleanNoSpecify whether the role is hidden or not. If set to true, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified.
permissionsPermissionNoIf not present, the role will be created without any permissions.

Permission

Field NameData TypeRequiredDescription
actionstringYesRefer to Custom role actions and scopes for full list of available actions.
scopestringNoIf not present, no scope will be mapped to the permission. Refer to Custom role actions and scopes for full list of available scopes.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "version": 2,
    "uid": "jZrmlLCGka",
    "name": "custom:delete:create:roles",
    "displayName": "custom delete create roles",
    "description": "My custom role which gives users permissions to delete and create roles",
    "group":"My Group",
    "displayName": "My Custom Role",
    "global": false,
    "permissions": [
        {
            "action": "roles:delete",
            "scope": "permissions:type:delegate",
            "updated": "2021-05-13T23:19:46+02:00",
            "created": "2021-05-13T23:19:46+02:00"
        }
    ],
    "updated": "2021-05-13T23:20:51.416518+02:00",
    "created": "2021-05-13T23:19:46+02:00"
}

Create role validation errors

Permission validation only occurs when permission validation is enabled (rbac.permission_validation_enabled = true).

It has been enabled by default since Grafana 10.2.

Invalid action

The following example shows a request with an invalid action. The action serviceaccounts.permissions:reader is not a valid action. The valid action should be serviceaccounts.permissions:read.

http
POST /api/access-control/roles HTTP/1.1
Content-Type: application/json
{
	"Name": "Read Service Account with id 6",
	"Permissions": [
			{
			"action": "serviceaccounts.permissions:reader",
			"scope": "serviceaccounts:uid:6"
		}
	]
}
http
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
	"extra": {
		"validationError": "the provided action was not found in the list of valid actions: serviceaccounts.permissions:reader"
	},
	"message": "Permission contains an invalid action",
	"messageId": "accesscontrol.permission-invalid-action",
	"statusCode": 400,
	"traceID": ""
}
Invalid scope

The following example shows a request with an invalid scope. The scope serviceaccounts:serviceaccount6 is not a valid scope for the action serviceaccounts.permissions:read. The valid scopes for this action are *, serviceaccounts:* and serviceaccounts:id:*.

http
POST /api/access-control/roles HTTP/1.1
Content-Type: application/json
{
	"Name": "Read Service Account with id 6",
	"Permissions": [
			{
			"action": "serviceaccounts.permissions:read",
			"scope": "serviceaccounts:serviceaccount6"
		}
	]
}
http
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
	"extra": {
		"validationError": "unknown scope: serviceaccounts:serviceaccount6 for action: serviceaccounts.permissions:read provided, expected prefixes are [* serviceaccounts:* serviceaccounts:id:*]"
	},
	"message": "Invalid scope",
	"messageId": "accesscontrol.permission-invalid-scope",
	"statusCode": 400,
	"traceID": ""
}

Status codes

CodeDescription
200Role is updated.
400Bad request (invalid json, missing content-type, missing or invalid fields, etc.).
403Access denied (one of the specified permissions is not assigned to the requester)
500Unexpected error. Refer to body and/or server logs for more details.

Update a role

PUT /api/access-control/roles/:uid

Update the role with the given UID, and its permissions. The operation is idempotent and all permissions of the role will be replaced based on the request content. You need to increment the version of the role with each update, otherwise the request will fail.

You can update custom roles and basic roles permissions. However fixed roles cannot be updated.

Required permissions

permissions:type:delegate scope ensures that users can only update custom roles with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to update a custom role which allows to do that. This is done to prevent escalation of privileges.

ActionScope
roles:writepermissions:type:delegate

Example request

http
PUT /api/access-control/roles/jZrmlLCGka
Accept: application/json
Content-Type: application/json

{
    "version": 3,
    "name": "custom:delete:write:roles",
    "displayName": "custom delete write roles",
    "description": "My custom role which gives users permissions to delete and write roles",
    "group":"My Group",
    "displayName": "My Custom Role",
    "global": false,
    "permissions": [
        {
            "action": "roles:delete",
            "scope": "permissions:type:delegate"
        },
        {
            "action": "roles:write",
            "scope": "permissions:type:delegate"
        }
    ]
}

JSON body schema

Field NameData TypeRequiredDescription
versionnumberYesVersion of the role. Must be incremented for update to work.
namestringYesName of the role.
descriptionstringNoDescription of the role.
displayNamestringNoDisplay name of the role, visible in the UI.
groupstringNoThe group name the role belongs to.
hiddenbooleanNoSpecify whether the role is hidden or not. If set to true, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified.
permissionsList of PermissionsNoThe full list of permissions for the role after the update.

Permission

Field NameData TypeRequiredDescription
actionstringYesRefer to Custom role actions and scopes for full list of available actions.
scopestringNoIf not present, no scope will be mapped to the permission. Refer to Custom role actions and scopes for full list of available scopes.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "version":3,
    "uid":"jZrmlLCGka",
    "name":"custom:delete:write:roles",
    "displayName":"custom delete write roles",
    "description":"My custom role which gives users permissions to delete and write roles",
    "group":"My Group",
    "displayName": "My Custom Role",
    "permissions":[
        {
            "action":"roles:delete",
            "scope":"permissions:type:delegate",
            "updated":"2021-08-06T18:27:40+02:00",
            "created":"2021-08-06T18:27:40+02:00"
        },
        {
            "action":"roles:write",
            "scope":"permissions:type:delegate",
            "updated":"2021-08-06T18:27:41+02:00",
            "created":"2021-08-06T18:27:41+02:00"
        }
    ],
    "updated":"2021-08-06T18:27:41+02:00",
    "created":"2021-08-06T18:27:40+02:00",
    "global":false
}

Update role validation errors

Permission validation only occurs when permission validation is enabled (rbac.permission_validation_enabled = true).

It has been enabled by default since Grafana 10.2.

For more information, refer to Create role validation errors.

Status codes

CodeDescription
200Role is updated.
400Bad request (invalid json, missing content-type, missing or invalid fields, etc.).
403Access denied (one of the specified permissions is not assigned to the requester)
404Role was not found to update.
500Unexpected error. Refer to body and/or server logs for more details.

Delete a custom role

DELETE /api/access-control/roles/:uid?force=false

Delete a role with the given UID, and it’s permissions. If the role is assigned, the deletion operation will fail, unless the force query param is set to true, and in that case all assignments will also be deleted.

Required permissions

permissions:type:delegate scope ensures that users can only delete a custom role with the same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to delete a custom role which allows to do that.

ActionScope
roles:deletepermissions:type:delegate

Example request

http
DELETE /api/access-control/roles/jZrmlLCGka?force=true&global=false
Accept: application/json

Query parameters

ParamTypeRequiredDescription
forcebooleanNoWhen set to true, the role will be deleted with all its assignments.
globalbooleanNoA flag indicating if the role is global or not. If set to false, the default org ID of the authenticated user will be used from the request. Refer to the About RBAC for more information.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role deleted"
}

Status codes

CodeDescription
200Role is deleted.
400Bad request (invalid json, missing content-type, missing or invalid fields, etc.).
403Access denied
500Unexpected error. Refer to body and/or server logs for more details.

Create and remove user role assignments

List roles assigned to a user

GET /api/access-control/users/:userId/roles

Lists the roles that have been directly assigned to a given user. The list does not include basic roles (Viewer, Editor, Admin or Grafana Admin), and it does not include roles that have been inherited from a team.

Query Parameters:

  • includeHidden: Optional. Set to true to include roles that are hidden.
  • includeMapped: Optional. Set to true to include roles that have been mapped through the group attribute sync feature.

Required permissions

ActionScope
users.roles:readusers:id:<user ID>

Example request

http
GET /api/access-control/users/1/roles
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

[
    {
        "version": 4,
        "uid": "6dNwJq57z",
        "name": "fixed:reports:writer",
        "displayName": "Report writer",
        "description": "Create, read, update, or delete all reports and shared report settings.",
        "group": "Reports",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00",
        "global": false
    }
]

Status codes

CodeDescription
200Set of assigned roles is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

List your permissions

GET /api/access-control/user/permissions

Lists the permissions granted to the signed in user.

Required permissions

No permission is required.

Query parameters

ParamTypeRequiredDescription
reloadcachebooleanNoA flag to reload the permission cache.

Example request

http
GET /api/access-control/user/permissions
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
  "dashboards:read": ["dashboards:uid:70KrY6IVz"],
  "dashboards:write": ["dashboards:uid:70KrY6IVz"],
  "datasources.id:read": ["datasources:*"],
  "datasources:read": ["datasources:*"],
  "datasources:explore": [""],
  "datasources:query": ["datasources:uid:grafana"],
  "datasources:read": ["datasources:uid:grafana"],
  "orgs:read": [""]
}

Status codes

CodeDescription
200Set of assigned permissions is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

List permissions assigned to a user

GET /api/access-control/users/:userId/permissions

Lists the permissions granted to a given user.

Required permissions

ActionScope
users.permissions:readusers:id:<user ID>

Example request

http
GET /api/access-control/users/1/permissions
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

[
    {
        "action": "ldap.status:read",
        "scope": ""
    },
    {
        "action": "ldap.user:read",
        "scope": ""
    }
]

Status codes

CodeDescription
200Set of assigned permissions is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Add a user role assignment

POST /api/access-control/users/:userId/roles

Assign a role to a specific user.

For bulk updates consider Set user role assignments.

Required permissions

permissions:type:delegate scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
users.roles:addpermissions:type:delegate

Example request

http
POST /api/access-control/users/1/roles
Accept: application/json
Content-Type: application/json

{
    "global": false,
    "roleUid": "XvHQJq57z"
}

JSON body schema

Field NameData TypeRequiredDescription
roleUidstringYesUID of the role.
globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request to create organization local assignment.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role added to the user."
}

Status codes

CodeDescription
200Role is assigned to a user.
403Access denied.
404Role not found.
500Unexpected error. Refer to body and/or server logs for more details.

Remove a user role assignment

DELETE /api/access-control/users/:userId/roles/:roleUID

Revoke a role from a user.

For bulk updates consider Set user role assignments.

Required permissions

permissions:type:delegate scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
users.roles:removepermissions:type:delegate

Query parameters

ParamTypeRequiredDescription
globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request to remove assignment.

Example request

http
DELETE /api/access-control/users/1/roles/AFUXBHKnk
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role removed from user."
}

Status codes

CodeDescription
200Role is unassigned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Set user role assignments

PUT /api/access-control/users/:userId/roles

Update the user’s role assignments to match the provided set of UIDs. This will remove any assigned roles that aren’t in the request and add roles that are in the set but are not already assigned to the user.

If you want to add or remove a single role, consider using Add a user role assignment or Remove a user role assignment instead.

Required permissions

permissions:type:delegate scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
users.roles:addpermissions:type:delegate
users.roles:removepermissions:type:delegate

Example request

http
PUT /api/access-control/users/1/roles
Accept: application/json
Content-Type: application/json

{
    "global": false,
    "roleUids": [
        "ZiHQJq5nk",
        "GzNQ1357k"
    ]
}

JSON body schema

Field NameDate TypeRequiredDescription
globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request.
roleUidslistYesList of role UIDs.
includeHiddenbooleanNoSpecify whether the hidden role assignments should be updated.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "User roles have been updated."
}

Status codes

CodeDescription
200Roles have been assigned.
403Access denied.
404Role not found.
500Unexpected error. Refer to body and/or server logs for more details.

Create and remove service account role assignments

List roles assigned to a service account

GET /api/access-control/users/:serviceAccountId/roles

Lists the roles that have been directly assigned to a given service account. The list does not include basic roles (Viewer, Editor, Admin or Grafana Admin).

Query Parameters:

  • includeHidden: Optional. Set to true to include roles that are hidden.

Required permissions

ActionScope
users.roles:readusers:id:<service account ID>

Example request

http
GET /api/access-control/users/1/roles
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

[
    {
        "version": 4,
        "uid": "6dNwJq57z",
        "name": "fixed:reports:writer",
        "displayName": "Report writer",
        "description": "Create, read, update, or delete all reports and shared report settings.",
        "group": "Reports",
        "updated": "2021-11-19T10:48:00+01:00",
        "created": "2021-11-19T10:48:00+01:00",
        "global": false
    }
]

Status codes

CodeDescription
200Set of assigned roles is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

List permissions assigned to a service account

GET /api/access-control/users/:serviceAccountId/permissions

Lists the permissions that a given service account has.

Required permissions

ActionScope
users.permissions:readusers:id:<service account ID>

Example request

http
GET /api/access-control/users/1/permissions
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

[
    {
        "action": "ldap.status:read",
        "scope": ""
    },
    {
        "action": "ldap.user:read",
        "scope": ""
    }
]

Status codes

CodeDescription
200Set of assigned permissions is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Add a service account role assignment

POST /api/access-control/users/:serviceAccountId/roles

Assign a role to a specific service account.

For bulk updates consider Set service account role assignments.

Required permissions

permissions:type:delegate scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to assign a role which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
users.roles:addpermissions:type:delegate

Example request

http
POST /api/access-control/users/1/roles
Accept: application/json
Content-Type: application/json

{
    "global": false,
    "roleUid": "XvHQJq57z"
}

JSON body schema

Field NameData TypeRequiredDescription
roleUidstringYesUID of the role.
globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request to create organization local assignment.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role added to the user."
}

Status codes

CodeDescription
200Role is assigned to a user.
403Access denied.
404Role not found.
500Unexpected error. Refer to body and/or server logs for more details.

Remove a service account role assignment

DELETE /api/access-control/users/:serviceAccountId/roles/:roleUID

Revoke a role from a service account.

For bulk updates consider Set service account role assignments.

Required permissions

permissions:type:delegate scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
users.roles:removepermissions:type:delegate

Query parameters

ParamTypeRequiredDescription
globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request to remove assignment.

Example request

http
DELETE /api/access-control/users/1/roles/AFUXBHKnk
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role removed from user."
}

Status codes

CodeDescription
200Role is unassigned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Set service account role assignments

PUT /api/access-control/users/:serviceAccountId/roles

Update the service accounts’s role assignments to match the provided set of UIDs. This will remove any assigned roles that aren’t in the request and add roles that are in the set but are not already assigned to the service account.

If you want to add or remove a single role, consider using Add a service account role assignment or Remove a service account role assignment instead.

Required permissions

permissions:type:delegate scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
users.roles:addpermissions:type:delegate
users.roles:removepermissions:type:delegate

Example request

http
PUT /api/access-control/users/1/roles
Accept: application/json
Content-Type: application/json

{
    "global": false,
    "roleUids": [
        "ZiHQJq5nk",
        "GzNQ1357k"
    ]
}

JSON body schema

Field NameDate TypeRequiredDescription
globalbooleanNoA flag indicating if the assignment is global or not. If set to false, the default org ID of the authenticated user will be used from the request.
roleUidslistYesList of role UIDs.
includeHiddenbooleanNoSpecify whether the hidden role assignments should be updated.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "User roles have been updated."
}

Status codes

CodeDescription
200Roles have been assigned.
403Access denied.
404Role not found.
500Unexpected error. Refer to body and/or server logs for more details.

Create and remove team role assignments

List roles assigned to a team

GET /api/access-control/teams/:teamId/roles

Lists the roles that have been directly assigned to a given team.

Query Parameters:

  • includeHidden: Optional. Set to true to include roles that are hidden.

Required permissions

ActionScope
teams.roles:readteams:id:<team ID>

Example request

http
GET /api/access-control/teams/1/roles
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

[
    {
        "version": 4,
        "uid": "j08ZBi-nk",
        "name": "fixed:licensing:reader",
        "displayName": "Licensing reader",
        "description": "Read licensing information and licensing reports.",
        "group": "Licenses",
        "updated": "2022-02-03T14:19:50+01:00",
        "created": "0001-01-01T00:00:00Z",
        "global": false
    }
]

Status codes

CodeDescription
200Set of assigned roles is returned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Add a team role assignment

POST /api/access-control/teams/:teamId/roles

Assign a role to a specific team.

For bulk updates consider Set team role assignments.

Required permissions

permissions:type:delegate scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. For example, if a user does not have the permissions required to create users, they won’t be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.

ActionScope
teams.roles:addpermissions:type:delegate

Example request

http
POST /api/access-control/teams/1/roles
Accept: application/json
Content-Type: application/json

{
    "roleUid": "XvHQJq57z"
}

JSON body schema

Field NameData TypeRequiredDescription
roleUidstringYesUID of the role.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role added to the team."
}

Status codes

CodeDescription
200Role is assigned to a team.
403Access denied.
404Role not found.
500Unexpected error. Refer to body and/or server logs for more details.

Remove a team role assignment

DELETE /api/access-control/teams/:teams/roles/:roleUID

Revoke a role from a team.

For bulk updates consider Set team role assignments.

Required permissions

permissions:type:delegate scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have the permissions required to create users, they won’t be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.```

ActionScope
teams.roles:removepermissions:type:delegate

Example request

http
DELETE /api/access-control/teams/1/roles/AFUXBHKnk
Accept: application/json

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Role removed from team."
}

Status codes

CodeDescription
200Role is unassigned.
403Access denied.
500Unexpected error. Refer to body and/or server logs for more details.

Set team role assignments

PUT /api/access-control/teams/:teamId/roles

Update the team’s role assignments to match the provided set of UIDs. This will remove any assigned roles that aren’t in the request and add roles that are in the set but are not already assigned to the user.

If you want to add or remove a single role, consider using Add a team role assignment or Remove a team role assignment instead.

Required permissions

permissions:type:delegate scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. For example, if a user does not have required permissions for creating users, they won’t be able to assign or unassign a role to a team which will allow to do that. This is done to prevent escalation of privileges.

ActionScope
teams.roles:addpermissions:type:delegate
teams.roles:removepermissions:type:delegate

Example request

http
PUT /api/access-control/teams/1/roles
Accept: application/json
Content-Type: application/json

{
    "roleUids": [
        "ZiHQJq5nk",
        "GzNQ1357k"
    ]
}

JSON body schema

Field NameDate TypeRequiredDescription
roleUidslistYesList of role UIDs.
includeHiddenbooleanNoSpecify whether the hidden role assignments should be updated.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Team roles have been updated."
}

Status codes

CodeDescription
200Roles have been assigned.
403Access denied.
404Role not found.
500Unexpected error. Refer to body and/or server logs for more details.

Reset basic roles to their default

POST /api/access-control/roles/hard-reset

permissions:type:escalate scope enables users to reset basic roles permissions. This could result in basic roles having permissions exceedind those of callers.

Reset basic roles permissions to their default.

Required permissions

ActionScope
roles:writepermissions:type:escalate

Example request

http
POST /api/access-control/roles/hard-reset
Accept: application/json
Content-Type: application/json

{
    "BasicRoles": true
}

JSON body schema

Field NameData TypeRequiredDescription
BasicRolesbooleanNoOption to reset basic roles permissions.

Example response

http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "message": "Reset performed"
}

Status codes

CodeDescription
200Reset performed
500Failed to reset basic roles