Role permissions determine what an Operator or Application User can see/do on an account according to their assigned role. Read the Roles section for more information on managing roles through the API.

Read Roles and Permissions in the Documentation section for more conceptual information on roles and permissions usage.

Note

If a role's permissions are changed while a user with that role has an open Pub/Sub Broker connection, the changes will not apply for those users until they disconnect and reconnect.

API Status
General Availability:
`/roles/:roleId/permissions`
`/roles/:roleId/permission/:permissionName`

Operator Role Permissions

Jump To ↓

OperatorRolePermissionDocument Data Model
Enable/Disable an Operator Role Permission
Enable/Disable a Project-scoped Operator Role Permission
Read an Operator Role's Permissions

OperatorRolePermissionDocument Data Model

Enable/Disable an Operator Role Permission

Enable or disable a specific permission for a given Operator role. Set enabled to true to grant that permission, false to revoke it.

Enable/Disable a Project-scoped Operator Role Permission

PUT /roles/:roleId/permissions/:permissionName

For project_* type permissions, it is also possible to specify which projects the permission applies to. For example, to enable the project_read permission for a single project include an array of project IDs in the projects field of the request:

Read an Operator Role's Permissions

Read the state of all permission types for a given role. In the case of reading all permissions for an Operator type role the following response is returned, containing the state of all permissions for that role.

Since it is a collection of OperatorRolePermissionDocument objects, the fields themselves are the same as detailed in the OperatorRolePermissionDocument section above.

Application User Role Permissions

The Application User role permissions model is similar to that used for Operator roles, with one key difference: each role has a set of permissions that can be added or removed, instead of enabled or disabled. The set of paths and access modes a role has determines the resources it can see and interact with. See the ApplicationUserRolePermissionDocument Data Model section for how to specify this.

Jump To ↓

ApplicationUserRolePermissionDocument Data Model
Update an Application User Role's Permissions
Delete an Application User Role's Permissions
Read an Application User Role's Permissions
Default Application User Role Permissions

ApplicationUserRolePermissionDocument Data Model

This object details a single role permission's path and access methods available to an Application User who is assigned this role. See the Base App User Role Permissions section for a list of available options.

Update an Application User Role's Permissions

Use a PUT request to replace the role's current set of permissions with a new set.

To remove a permission, simply omit it in the payload after reading from the role initially.

Permissions are replaced

This request must include any existing permissions, otherwise they will be deleted if not present in the new payload.

Read an Application User Role's Permissions

Read an array of paths and access types that an Application User with the specified role can access.

Delete an Application User Role's Permissions

To delete all non-default permissions for an Application User role, simple perform an update with an empty array payload ([]).

Default Application User Role Permissions

When a new Application User role is created, it inherits some immutable permissions that all users in that role will get. These are identified by the default field. Any additional permissions the role requires can be added in addition to these default permissions:

Base App User Role Permissions

The base_app_user role has the following set of permissions, from which each custom role may choose.