| title |
|---|
Roles, Role Members, and Role Actions |
A role is a collection of permissions (actions) that define what members of the role are allowed to do within a specific entity. Each entity (like a Client, Channel, Group, or Domain) can have multiple roles, each with its own members and actions.
- Role Members: These are users assigned to a role. Members are the only users allowed to perform the role's actions on the entity.
- Role Actions: These are permissions defining what members of the role can do. For example, actions can include
read,update,delete, or more specific actions likepublishorconnect_to_channel. Refer toauthz-spec.mdfor the available actions for each entity type.
All API requests use the base URL:
http://localhost/<entity_type>/<entity_id>
Replace <entity_type> with one of the entity types (clients, channels, groups, domains) and <entity_id> with the ID of the specific entity.
POST /role
Creates a role for the given entity.
Request Body:
{
"role_name": "member",
"optional_actions": ["read"],
"optional_members": ["user_1"]
}Request:
POST http://localhost/channels/<channel_id>/role
Response:
{
"role_id": "id_xxxxx",
"role_name": "member",
"actions": ["read"],
"members": ["user_1"]
}GET /roles
Retrieves all roles for the given entity.
Request:
GET http://localhost/clients/<client_id>/roles
Response:
[
{
"role_id": "xxxxx",
"role_name": "Admin",
"actions": ["read", "update", "delete"],
"members": ["user_1", "user_2"]
},
{
"role_id": "xxxxx",
"role_name": "Viewer",
"actions": ["read"],
"members": ["user_3"]
}
]GET /roles/role_id
Fetches details of a specific role.
Request:
GET http://localhost/groups/<group_id>/roles/<role_id>
Response:
{
"role_id": "xxxxx",
"role_name": "Admin",
"actions": ["read", "update", "delete"],
"members": ["user_1", "user_2"]
}PUT /roles/roleID
Updates the role's name, actions, or other properties.
DELETE /roles/role_id
Deletes the specified role.
Request:
DELETE http://localhost/domains/<domain_id>/roles/<role_id>
POST /roles/role_id/members
Adds members to the specified role.
Request Body:
{
"members": ["user_4"]
}Request:
POST http://localhost/clients/<client_id>/roles/<role_id>/members
Request Body:
{
"members": ["user_4"]
}GET /roles/role_id/members
Retrieves all members of the specified role.
Request:
GET http://localhost/channels/<channel_id>/roles/<role_id>/members
Response:
POST /roles/role_id/members/delete
Deletes specific members from the role.
If the role being modified is the built-in
adminrole, the system will reject the request if it would result in removing all remaining members from the role.This restriction ensures that every domain always retains at least one administrator to prevent orphaned domains.
Request Body:
{
"members": ["user_4"]
}Request:
POST http://localhost/groups/<group_id>/roles/<role_id>/members/delete
Response:
{
"message": "Members removed successfully"
}POST /roles/role_id/members/delete-all
Removes all members from the role.
For the built-in
adminrole, this operation is not permitted.
The system will reject any request that attempts to remove all members from theadminrole to prevent administrative lockout.
This ensures that every domain retains at least one user with administrative privileges at all times.
Request:
POST http://localhost/domains/<domain_id>/roles/<role_id>/members/delete-all
POST /roles/role_id/actions
Adds actions to the specified role.
Request Body:
{
"actions": ["publish"]
}Request:
POST http://localhost/clients/<client_id>/roles/<role_id>/actions
GET /roles/role_id/actions
Retrieves all actions of the specified role.
Request:
GET http://localhost/channels/<channel_id>/roles/<role_id>/actions
Response:
["read", "update", "publish"]POST /roles/role_id/actions/delete
Deletes specific actions from the role.
Request:
POST http://localhost/groups/<group_id>/roles/<role_id>/actions/delete
POST /roles/role_id/actions/delete-all
Removes all actions from the role.
Request:
POST http://localhost/domains/<domain_id>/roles/<role_id>/actions/delete-all