Back to API overview
RBAC
7 endpoints
Manage custom roles and member assignments. Requires the RBAC app to be enabled for your organization.
roles.read
roles.write
Manage custom roles and member assignments. Requires the RBAC app to be enabled for your organization.
GET
/v1/rbac/rolesList system roles, custom roles, and member role assignments. Requires roles.read.
Query Parameters
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | No | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
Response — 200
{
"systemRoles": [ /* built-in roles */ ],
"customRoles": [ /* custom role definitions */ ],
"assignments": [ { "membershipId": "...", "roleId": "..." } ]
}
POST
/v1/rbac/rolesCreate a custom role with permissions. Requires roles.write.
Request Body
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | Yes | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
| name | string | Yes | Role name |
| description | string | No | Role description |
| permissions | string[] | Yes | Array of OS permission IDs (e.g. members:read, audit:read) |
Response — 200
{ "role": { /* role definition */ } }
GET
/v1/rbac/roles/{roleId}Get a single custom role by ID. Requires roles.read.
Query Parameters
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | No | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
Response — 200
{ "role": { /* role definition */ } }
PATCH
/v1/rbac/roles/{roleId}Update a custom role's name, description, or permissions. Requires roles.write.
Request Body
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | Yes | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
| name | string | No | Role name |
| description | string | No | Role description |
| permissions | string[] | No | Array of OS permission IDs (e.g. members:read, audit:read) |
Response — 200
{ "role": { /* updated role */ } }
DELETE
/v1/rbac/roles/{roleId}Delete a custom role. Requires roles.write.
Query Parameters
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | No | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
Response — 200
{ "success": true }
GET
/v1/rbac/members/{membershipId}/rolesList custom role IDs assigned to an organization member. Requires roles.read.
Query Parameters
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | No | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
Response — 200
{ "roleIds": [ "role-id-1", "role-id-2" ] }
PUT
/v1/rbac/members/{membershipId}/rolesReplace custom role assignments for a member. Requires roles.write.
Request Body
| Param | Type | Required | Description |
|---|---|---|---|
| subOrgId | string | Yes | Sub-organization ID. Required for org-wide keys on write operations; optional on list when the key is scoped to one sub-org. |
| roleIds | string[] | Yes | Array of custom role IDs to assign to the member |
Response — 200
{ "success": true, "roleIds": [ /* assigned ids */ ] }