EndUser Role Management

Overview

The EndUser Role Management API provides endpoints for implementing RBAC (Role-Based Access Control) for end users. You can define roles, assign them to end users or groups, and manage permissions.

EndUser vs Admin

This API manages roles for end users (stored in DB_CORE). For Admin user role management (stored in DB_ADMIN), use the Admin Role Management API.

Endpoint List

Method	Endpoint	Description
GET	/api/admin/roles	List roles
GET	/api/admin/roles/:id	Get role details
POST	/api/admin/roles	Create role
PUT	/api/admin/roles/:id	Update role
DELETE	/api/admin/roles/:id	Delete role
GET	/api/admin/users/:id/roles	List user’s roles
POST	/api/admin/users/:id/roles	Assign role to user
DELETE	/api/admin/users/:id/roles/:roleId	Remove role from user

---

List Roles

Retrieve a list of roles within the tenant.

Endpoint

GET /api/admin/roles

Query Parameters

Parameter	Type	Required	Description
limit	integer	-	Number of items (default: 20, max: 100)
cursor	string	-	Pagination cursor
search	string	-	Search by name
type	string	-	Filter by role type (system, custom)

Request Example

curl -X GET "https://{tenant-domain}/api/admin/roles" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "items": [
    {
      "id": "role_admin",
      "name": "admin",
      "display_name": "Administrator",
      "description": "Tenant administrator role",
      "type": "system",
      "permissions": ["users:*", "clients:*", "settings:*"],
      "user_count": 5,
      "created_at": 1705881600,
      "updated_at": 1705881600
    },
    {
      "id": "role_editor",
      "name": "editor",
      "display_name": "Editor",
      "description": "Content editing permissions",
      "type": "custom",
      "permissions": ["content:read", "content:write"],
      "user_count": 20,
      "created_at": 1705968000,
      "updated_at": 1706054400
    }
  ],
  "total": 10,
  "cursor": null
}

---

Get Role Details

Retrieve detailed information for a specified role.

Endpoint

GET /api/admin/roles/:id

Path Parameters

Parameter	Type	Required	Description
id	string	✓	Role ID

Request Example

curl -X GET "https://{tenant-domain}/api/admin/roles/role_editor" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "id": "role_editor",
  "name": "editor",
  "display_name": "Editor",
  "description": "Role with content editing permissions",
  "type": "custom",
  "permissions": [
    "content:read",
    "content:write",
    "content:delete",
    "media:read",
    "media:upload"
  ],
  "inherits_from": ["role_viewer"],
  "user_count": 20,
  "metadata": {
    "department": "Marketing"
  },
  "created_at": 1705968000,
  "updated_at": 1706054400
}

---

Create Role

Create a new role.

Endpoint

POST /api/admin/roles

Request Body

Field	Type	Required	Description
name	string	✓	Role name (alphanumeric, hyphens, underscores)
display_name	string	✓	Display name
description	string	-	Description
permissions	string[]	✓	Permission list
inherits_from	string[]	-	Parent role IDs to inherit from
metadata	object	-	Custom metadata

Request Example

curl -X POST "https://{tenant-domain}/api/admin/roles" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "content_manager",
    "display_name": "Content Manager",
    "description": "Content management permissions",
    "permissions": [
      "content:read",
      "content:write",
      "content:delete",
      "content:publish"
    ],
    "inherits_from": ["role_viewer"]
  }'

Response Example

{
  "id": "role_content_manager",
  "name": "content_manager",
  "display_name": "Content Manager",
  "type": "custom",
  "permissions": [
    "content:read",
    "content:write",
    "content:delete",
    "content:publish"
  ],
  "inherits_from": ["role_viewer"],
  "created_at": 1706140800
}

---

Update Role

Update existing role settings.

Endpoint

PUT /api/admin/roles/:id

Request Example

curl -X PUT "https://{tenant-domain}/api/admin/roles/role_editor" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "Senior Editor",
    "permissions": [
      "content:read",
      "content:write",
      "content:delete",
      "content:publish",
      "content:archive"
    ]
  }'

System Roles

System roles with type: "system" cannot be updated.

---

Delete Role

Delete a role.

Endpoint

DELETE /api/admin/roles/:id

Request Example

curl -X DELETE "https://{tenant-domain}/api/admin/roles/role_editor" \
  -H "Authorization: Bearer {token}"

Response

Status code 204 No Content (no body)

Deletion Constraints

• System roles cannot be deleted
• Roles assigned to users must have their assignments removed first

---

List User’s Roles

Retrieve a list of roles assigned to a specified user.

Endpoint

GET /api/admin/users/:id/roles

Path Parameters

Parameter	Type	Required	Description
id	string	✓	User ID

Request Example

curl -X GET "https://{tenant-domain}/api/admin/users/usr_abc123/roles" \
  -H "Authorization: Bearer {token}"

Response Example

{
  "items": [
    {
      "id": "role_editor",
      "name": "editor",
      "display_name": "Editor",
      "assigned_at": 1705968000,
      "assigned_by": "usr_admin001",
      "scope": {
        "type": "global"
      }
    },
    {
      "id": "role_org_admin",
      "name": "org_admin",
      "display_name": "Organization Admin",
      "assigned_at": 1706054400,
      "assigned_by": "usr_admin001",
      "scope": {
        "type": "organization",
        "organization_id": "org_abc123",
        "organization_name": "Engineering"
      }
    }
  ]
}

---

Assign Role to User

Assign a role to a user.

Endpoint

POST /api/admin/users/:id/roles

Path Parameters

Parameter	Type	Required	Description
id	string	✓	User ID

Request Body

Field	Type	Required	Description
role_id	string	✓	Role ID
scope	object	-	Scope (for organization-specific assignments)

Request Example (Global Scope)

curl -X POST "https://{tenant-domain}/api/admin/users/usr_abc123/roles" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": "role_editor"
  }'

Request Example (Organization Scope)

curl -X POST "https://{tenant-domain}/api/admin/users/usr_abc123/roles" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": "role_org_admin",
    "scope": {
      "type": "organization",
      "organization_id": "org_abc123"
    }
  }'

Response Example

{
  "user_id": "usr_abc123",
  "role_id": "role_editor",
  "assigned_at": 1706140800,
  "assigned_by": "usr_admin001"
}

---

Remove Role from User

Remove a role assignment from a user.

Endpoint

DELETE /api/admin/users/:id/roles/:roleId

Path Parameters

Parameter	Type	Required	Description
id	string	✓	User ID
roleId	string	✓	Role ID

Query Parameters

Parameter	Type	Required	Description
organization_id	string	-	Organization ID for organization-scoped assignments

Request Example

curl -X DELETE "https://{tenant-domain}/api/admin/users/usr_abc123/roles/role_editor" \
  -H "Authorization: Bearer {token}"

Response

Status code 204 No Content (no body)

---

Permission Format

Permissions are specified in the format resource:action.

Wildcards

• users:* - All actions on the users resource
• *:read - Read access to all resources
• *:* - All permissions

Common Permission Examples

Permission	Description
users:read	Read user information
users:write	Create/update users
users:delete	Delete users
clients:read	Read client information
clients:write	Create/update clients
settings:read	Read settings
settings:write	Modify settings
audit:read	Read audit logs