Roles & permissions
Concepts: Roles & permissions · Permission scopes.
Base path: /api/org/{slug}/roles (authenticated; org membership resolved by middleware).
| Method · Route | Purpose | Source |
|---|---|---|
| GET / | List roles (?includeInactive) | RoleEndpoints.cs:24 |
| GET /{roleId} | Get role detail | :38 |
| POST / | Create role (Name, RoleKey, Description, RequiresApproval) | :52 |
| PUT /{roleId} | Update role | :75 |
| DELETE /{roleId} | Delete role | :98 |
Permission templates
| Method · Route | Purpose | Source |
|---|---|---|
| POST /{roleId}/permissions | Add a scope expression to a role (base scope resolved server-side from the catalog) | :121 |
| DELETE /{roleId}/permissions/{templateId} | Remove a permission template | :232 |
The scope expression follows namespace.resource.action[:key{op}value,…]. The axowl namespace is restricted to the resource whitelist (:161). See Permission scopes.
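A validator for the scope expression form described above, as an added example rather than the project's own code. The lowercase identifier rule, the operator set (`=`, `!=`) and the whitelist entries are assumptions; the page does not list them.

```python
import re
from dataclasses import dataclass

# Assumptions, not taken from the page: lowercase identifiers, the operator
# set, and the whitelist entries (placeholders for the server's real list).
IDENT = r"[a-z][a-z0-9_-]*"
OPERATORS = ("!=", "=")  # longest first so "!=" is not read as "="
RESTRICTED_NAMESPACES = {"axowl": {"role", "member"}}

_BASE = re.compile(rf"({IDENT})\.({IDENT})\.({IDENT})")
_COND = re.compile(
    rf"({IDENT})({'|'.join(map(re.escape, OPERATORS))})([^,\s]+)"
)


@dataclass(frozen=True)
class Scope:
    namespace: str
    resource: str
    action: str
    conditions: tuple = ()  # ((key, op, value), ...)


def parse_scope(expr: str) -> Scope:
    """Parse and validate one scope expression; raise ValueError if rejected."""
    base, has_conditions, tail = expr.partition(":")
    match = _BASE.fullmatch(base)
    if match is None:
        raise ValueError(f"malformed base scope: {base!r}")
    namespace, resource, action = match.groups()

    # Fail closed: a restricted namespace only admits whitelisted resources.
    allowed = RESTRICTED_NAMESPACES.get(namespace)
    if allowed is not None and resource not in allowed:
        raise ValueError(f"{namespace}.{resource} is not whitelisted")

    conditions = []
    if has_conditions:
        for part in tail.split(","):
            cond = _COND.fullmatch(part)
            if cond is None:  # also rejects empty parts: "a.b.c:" or "k=v,"
                raise ValueError(f"malformed condition: {part!r}")
            conditions.append(cond.groups())
    return Scope(namespace, resource, action, tuple(conditions))
```

Rejecting mixed-case identifiers outright means a variant such as `Axowl.…` cannot sidestep the namespace check through case differences.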
Role assignment
| Method · Route | Purpose | Source |
|---|---|---|
| POST /{roleId}/members | Assign role to a member (ConnectedIdId, optional Variables) → snapshots permissions | :256 |
| DELETE /{roleId}/members/{connectedIdRoleId} | Revoke role from a member | :279 |
Assignment runs SnapshotService.CreateSnapshotAsync and recomputes the member’s MembershipType via MembershipTierService.