Role permissions determine what an Operator or Application User can see/do on an account according to their assigned role. Read the Roles section for more information on managing roles through the API.

Read Roles and Permissions in the Documentation section for more conceptual information on roles and permissions usage.

📘

Note

If a role's permissions are changed while a user with that role has an open Pub/Sub Broker connection, the changes will not apply for those users until they disconnect and reconnect.


API Status
General Availability:
/roles/:roleId/permissions
/roles/:roleId/permission/:permissionName


Operator Role Permissions

Jump To ↓

OperatorRolePermissionDocument Data Model
Enable/Disable an Operator Role Permission
Enable/Disable a Project-scoped Operator Role Permission
Read an Operator Role's Permissions


OperatorRolePermissionDocument Data Model

.name (string, required, one of 'global_read', 'gl_resource_update', 'gl_project_update', 'project_read', 'project_update', 'project_resource_update')
    Name of the specific role permission.

.enabled (boolean, required)
    `true` if this permission is enabled, `false` otherwise.

.projectScoped (boolean, read-only)
    `true` if this permission if enabled only for specific 
    project(s), `false` otherwise.

.projects (array of string)
    Array of project IDs that this permission is enabled for.

.children (string)
    Object describing Operator role permissions
{
  "type": "string",
  "description": "Object describing Operator role permissions",
  "properties": {
    "name": {
      "type": "string",
      "description": "Name of the specific role permission.",
      "enum": [ "global_read", "gl_resource_update", "gl_project_update", "project_read", "project_update", "project_resource_update" ]
    },
    "enabled": {
      "type": "boolean",
      "description": "`true` if this permission is enabled, `false` otherwise."
    },
    "projectScoped": {
      "type": "boolean",
      "description": "`true` if this permission if enabled only for specific project(s), `false` otherwise.",
      "readOnly": true
    },
    "projects": {
      "type": "array",
      "description": "Array of project IDs that this permission is enabled for.",
      "items": {
        "type": "string",
        "pattern": "^[abcdefghkmnpqrstwxyABCDEFGHKMNPQRSTUVWXY0123456789]{24}$"
      }
    },
    "children": {
      "$ref": "OperatorRolePermissionDocument",
      "readOnly": true
    }
  }
}
[
  {
    "name": "global_read",
    "enabled": false,
    "projectScoped": false,
    "children": [
      {
        "name": "gl_resource_update",
        "enabled": false,
        "projectScoped": false
      },
      {
        "name": "gl_project_update",
        "enabled": false,
        "projectScoped": false
      }
    ]
  },
  {
    "name": "project_read",
    "enabled": false,
    "projectScoped": true,
    "projects": [],
    "children": [
      {
        "name": "project_update",
        "enabled": false,
        "projectScoped": true,
        "projects": []
      },
      {
        "name": "project_resource_update",
        "enabled": false,
        "projectScoped": true,
        "projects": []
      }
    ]
  }
]

Enable/Disable an Operator Role Permission

Enable or disable a specific permission for a given Operator role. Set enabled to true to grant that permission, false to revoke it.

PUT /roles/:roleId/permissions/:permissionName
Content-Type: application/json
Authorization: $OPERATOR_API_KEY

OperatorRolePermissionDocument
curl -i -H "Content-Type: application/json" \
  -H "Authorization: $OPERATOR_API_KEY" \
  -X PUT 'https://api.evrythng.com/roles/UhpHrg39QCy9dsSddN8xhwnb/permissions/global_read' \
  -d '{ 
    "name": "global_read", 
    "enabled": true 
  }'
const roleId = '59aeb3abb24413002c7d8651';
const name = 'global_read';
const payload = { name, enabled: true };

operator.role(roleId).permission(name)
  .update(payload)
  .then(console.log);
HTTP/1.1 200 OK
Content-Type: application/json

{ 
  "name": "global_read", 
  "enabled": true, 
  "projectScoped": false 
}

Enable/Disable a Project-scoped Operator Role Permission

PUT /roles/:roleId/permissions/:permissionName

For project_* type permissions, it is also possible to specify which projects the permission applies to. For example, to enable the project_read permission for a single project include an array of project IDs in the projects field of the request:

PUT /roles/:roleId/permissions/:permissionName
Content-Type: application/json
Authorization: $OPERATOR_API_KEY

OperatorRolePermissionDocument
curl -i -H "Content-Type: application/json" \
  -H "Authorization: $OPERATOR_API_KEY" \
  -X PUT 'https://api.evrythng.com/roles/5805f5012229bd50693aac24/permissions/project_read' \
  -d '{ 
    "name": "project_read", 
    "enabled": true,
    "projects": [ "Uh5qRBqc4DcmbNbAANtMnrYm" ]
  }'
const roleId = '59aeb3abb24413002c7d8651';
const name = 'project_read';
const payload = { 
  name, 
  enabled: true,
  projects: ['Uh5qRBqc4DcmbNbAANtMnrYm'],
};

operator.role(roleId).permission(name)
  .update(payload)
  .then(console.log);
HTTP/1.1 200 OK
Content-Type: application/json

{ 
  "name": "project_read", 
  "enabled": true, 
  "projectScoped": true, 
  "projects": [ "Uh5qRBqc4DcmbNbAANtMnrYm" ] 
}

Read an Operator Role's Permissions

Read the state of all permission types for a given role. In the case of reading all permissions for an Operator type role the following response is returned, containing the state of all permissions for that role.

Since it is a collection of OperatorRolePermissionDocument objects, the fields themselves are the same as detailed in the OperatorRolePermissionDocument section above.

GET /roles/:roleId/permissions
Authorization: $OPERATOR_API_KEY
curl -H "Authorization: $OPERATOR_API_KEY" \
  -X GET 'https://api.evrythng.com/roles/5805f5012229bd50693aac24/permissions'
const roleId = '5805f5012229bd50693aac24';

operator.role(roleId).permission()
  .read()
  .then(console.log);
HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "name": "global_read",
    "enabled": false,
    "projectScoped": false,
    "children": [
      {
        "name": "gl_resource_update",
        "enabled": false,
        "projectScoped": false
      }, 
      {
        "name": "gl_project_update",
        "enabled": false,
        "projectScoped": false
      }
    ]
  }, 
  {
    "name": "project_read",
    "enabled": false,
    "projectScoped": true,
    "projects": [],
    "children": [
      {
        "name": "project_update",
        "enabled": false,
        "projectScoped": true,
        "projects": []
      }, 
      {
        "name": "project_resource_update",
        "enabled": false,
        "projectScoped": true,
        "projects": []
      }
    ]
  }
]

Application User Role Permissions

The Application User role permissions model is similar to that used for Operator roles, with one key difference: each role has a set of permissions that can be added or removed, instead of enabled or disabled. The set of paths and access modes a role has determines the resources it can see and interact with. See the ApplicationUserRolePermissionDocument Data Model section for how to specify this.


Jump To ↓

ApplicationUserRolePermissionDocument Data Model
Update an Application User Role's Permissions
Delete an Application User Role's Permissions
Read an Application User Role's Permissions
Default Application User Role Permissions


ApplicationUserRolePermissionDocument Data Model

This object details a single role permission's path and access methods available to an Application User who is assigned this role. See the Base App User Role Permissions section for a list of available options.

.path (string, required)
    The API path the role can access. Must be a subset of the 
    default `base_app_user` permissions.

.access (string, required)
    A four letter combination of 'c', 'r', 'u', and 'd' 
    describing the access to create, read, update, or destroy 
    the resources in the 'path' of this permission.

.default (boolean, read-only)
    `true` for default permissions.
{
  "additionalProperties": false,
  "type": "object",
  "description": "An object representing an account role permission. Depending on the type of role, different fields may be returned.",
  "required": ["path", "access"],
  "properties": {
    "path": {
      "type": "string",
      "description": "The API path the role can access. Must be a subset of the default `base_app_user` permissions."
    },
    "access": {
      "type": "string",
      "description": "A four letter combination of 'c', 'r', 'u', and 'd' describing the access to create, read, update, or destroy the resources in the 'path' of this permission.",
      "minLength": 1,
      "maxLength": 4
    },
    "default": {
      "type": "boolean",
      "description": "`true` for default permissions.",
      "readOnly": true
    }
  }
}
[
  {
    "path": "/access$",
    "access": "r",
    "default": true
  },
  {
    "path": "/accesses",
    "access": "crd",
    "default": true
  },
  {
    "path": "/auth/all/logout",
    "access": "c",
    "default": true
  },
  {
    "path": "/rateLimits$",
    "access": "r",
    "default": true
  },
  {
    "path": "/roles",
    "access": "r",
    "default": true
  },
  {
    "path": "/thngs",
    "access": "cru"
  },
  {
    "path": "/products",
    "access": "cru"
  },
  {
    "path": "/collections",
    "access": "cru"
  },
  {
    "path": "/collections/*/thngs/*",
    "access": "d"
  },
  {
    "path": "/actions/*",
    "access": "cr"
  },
  {
    "path": "/actions",
    "access": "r"
  },
  {
    "path": "/auth/evrythng/thngs",
    "access": "crd"
  },
  {
    "path": "/users/{user}",
    "access": "ru"
  },
  {
    "path": "/places",
    "access": "r"
  },
  {
    "path": "/connectors/*/auth",
    "access": "rd"
  },
  {
    "path": "/connectors/*/auth/token",
    "access": "c"
  },
  {
    "path": "/connectors",
    "access": "r"
  }
]

Update an Application User Role's Permissions

Use a PUT request to replace the role's current set of permissions with a new set.

To remove a permission, simply omit it in the payload after reading from the role initially.

🚧

Permissions are replaced

This request must include any existing permissions, otherwise they will be deleted if not present in the new payload.

PUT /roles/:roleId/permissions
Content-Type: application/json
Authorization: $OPERATOR_API_KEY

[ ApplicationUserRolePermissionDocument, ... ]
curl -H "Content-Type: application/json" \
  -H "Authorization: $OPERATOR_API_KEY" \
  -X PUT 'https://api.evrythng.com/roles/5805f5012229bd50693aac24/permissions' \
  -d '[
    {
      "path": "/thngs",
      "access": "cr"
    }
  ]'
const roleId = '5805f5012229bd50693aac24';
const payload = [{ path: '/thngs', access: 'cru' }];

operator.role(roleId).permission()
  .update(payload)
  .then(console.log);
HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "path": "/thngs",
    "access": "cru"
  }
]

Read an Application User Role's Permissions

Read an array of paths and access types that an Application User with the specified role can access.

GET /roles/:roleId/permissions
Authorization: $OPERATOR_API_KEY
curl -H "Authorization: $OPERATOR_API_KEY" \
  -X GET 'https://api.evrythng.com/roles/593e8f3fcfe9a42c00bf1434/permissions'
const roleId = '593e8f3fcfe9a42c00bf1434';

operator.role(roleId).permission()
  .read()
  .then(console.log);
HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "path": "/thngs",
    "access": "cru"
  },
  {
    "path": "/products",
    "access": "cru"
  }
]

Delete an Application User Role's Permissions

To delete all non-default permissions for an Application User role, simple perform an update with an empty array payload ([]).

PUT /roles/:roleId/permissions
Authorization: $OPERATOR_API_KEY

[]
curl -H "Content-Type: application/json" \
  -H "Authorization: $OPERATOR_API_KEY" \
  -X PUT 'https://api.evrythng.com/roles/5805f5012229bd50693aac24/permissions' \
  -d '[]'
const roleId = '592d70418c5e3f2800408a74';

// Set to zero permissions
const payload = [];

operator.role(roleId).permission()
  .update(payload)
  .then(console.log);

Default Application User Role Permissions

When a new Application User role is created, it inherits some immutable permissions that all users in that role will get. These are identified by the default field. Any additional permissions the role requires can be added in addition to these default permissions:

[
  {
    "path": "/access$",
    "access": "r",
    "default": true
  },
  {
    "path": "/accesses",
    "access": "crd",
    "default": true
  },
  {
    "path": "/auth/all/logout",
    "access": "c",
    "default": true
  }, 
  {
    "path": "/rateLimits$",
    "access": "r",
    "default": true
  }, 
  {
    "path": "/roles",
    "access": "r",
    "default": true
  }
]

Base App User Role Permissions

The base_app_user role has the following set of permissions, from which each custom role may choose.

[
  {
    "path": "/access$",
    "access": "r",
    "default": true
  },
  {
    "path": "/accesses",
    "access": "crd",
    "default": true
  },
  {
    "path": "/auth/all/logout",
    "access": "c",
    "default": true
  },
  {
    "path": "/rateLimits$",
    "access": "r",
    "default": true
  },
  {
    "path": "/roles",
    "access": "r",
    "default": true
  },
  {
    "path": "/thngs",
    "access": "cru"
  },
  {
    "path": "/thngs/*",
    "access": "cru"
  },
  {
    "path": "/products",
    "access": "cru"
  },
  {
    "path": "/products/*",
    "access": "cru"
  },
  {
    "path": "/collections",
    "access": "cru"
  },
  {
    "path": "/collections/*",
    "access": "cru"
  },
  {
    "path": "/collections/*/thngs/*",
    "access": "d"
  },
  {
    "path": "/actions/*",
    "access": "cr"
  },
  {
    "path": "/actions",
    "access": "r"
  },
  {
    "path": "/auth/evrythng/thngs",
    "access": "crd"
  },
  {
    "path": "/users/{user}",
    "access": "ru"
  },
  {
    "path": "/places",
    "access": "r"
  },
  {
    "path": "/places/*",
    "access": "r"
  },
  {
    "path": "/connectors/*/auth",
    "access": "rd"
  },
  {
    "path": "/connectors/*/auth/token",
    "access": "c"
  },
  {
    "path": "/connectors",
    "access": "r"
  },
  {
    "path": "/ifttt/v1",
    "access": "crd"
  },
  {
    "path": "/auth/oauth2",
    "access": "cr"
  },
  {
    "path": "/cujo",
    "access": "c"
  },
  {
    "path": "/thngs/*/actions/commissions",
    "access": "cr"
  },
  {
    "path": "/thngs/*/actions/decommissions",
    "access": "cr"
  },
  {
    "path": "/thngs/*/commissionState",
    "access": "r"
  }
]