The role object and the allowed CRUD operations on the related resource endpoint

Roles are organization-specific and can be assigned to a membership (to grant a specific user a set of permissions) or to an integration API credential.

Roles can be of three types (identified by the kind attribute):

  • read_only — to perform GET requests on any Core API single resource or list of resources.

  • admin — to perform any available CRUD operation on any Core API resource.

  • custom — to grant a different set of permissions on multiple resources (available for Enterprise plans only).

Custom roles

While the permissions for the read_only and admin roles are set by default and assigned at runtime by the Core API, Enterprise customers can define custom roles that specify permissions on CRUD actions at the single resource level, giving them granular control tailored to their needs.

Existing roles cannot be deleted using the Provisioning API. A read_only role and an admin role are automatically created for your organization, so the POST method on the /api/roles endpoint succeeds only for Enterprise customers. In that case, all you need to do to create a custom role is give it a name; the related kind is automatically set to custom.
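
As an added illustration (not the API's own code), the Python sketch below models how the three role kinds gate a request and lists which integration API credentials hold more than read access. The permissions layout for custom roles, the subject labels and the sample resource names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# HTTP method -> CRUD action
CRUD = {"POST": "create", "GET": "read", "PATCH": "update",
        "PUT": "update", "DELETE": "delete"}

@dataclass
class Role:
    name: str
    kind: str  # read_only | admin | custom
    # Assumed layout, used by custom roles only: {"resource": {"read", ...}}
    permissions: dict = field(default_factory=dict)

def is_allowed(role, method, resource):
    """Return True if the role permits the HTTP method on the resource."""
    action = CRUD.get(method.upper())
    if action is None:
        return False  # unknown method: deny
    if role.kind == "admin":
        return True
    if role.kind == "read_only":
        return action == "read"
    if role.kind == "custom":
        return action in role.permissions.get(resource, set())
    return False  # unknown kind: deny

def write_surface(assignments):
    """List API credentials that can modify data, for a least-privilege review.
    assignments: (subject_type, subject_id, Role) tuples (constructed layout)."""
    findings = []
    for subject_type, subject_id, role in assignments:
        if subject_type != "api_credential":
            continue
        if role.kind == "admin":
            findings.append((subject_id, "admin role on API credential"))
        elif role.kind == "custom":
            writes = sorted(r for r, acts in role.permissions.items() if acts - {"read"})
            if writes:
                findings.append((subject_id, "write access: " + ", ".join(writes)))
    return findings

# Constructed sample data, not taken from a real organization
READ_ONLY = Role("viewer", "read_only")
ADMIN = Role("owner", "admin")
FULFILMENT = Role("fulfilment", "custom",
                  {"orders": {"read", "update"}, "skus": {"read"}})
SAMPLE = [("membership", "user_1", ADMIN), ("api_credential", "cred_1", ADMIN),
          ("api_credential", "cred_2", FULFILMENT),
          ("api_credential", "cred_3", READ_ONLY)]
```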
