# RBAC


        Endpoints for retrieving Role-Based Access Control (RBAC) configurations and managing roles,
        resources, permissions and role-to-user assignments.
         Scoped Role Definition (`RBACRole`):
         - Represents roles within the RBAC system.
         - Each role has a unique `roleId`, a `name`, an optional `description`, and a `scope`.
         - The `scope` defines the domain or area in which the role is valid.
         - The `scope` can be Global (hardcoded), currently the only one is "global"
         - The `scope` also can be dynamic, currently we use Group Ids, like "gr_05hxcvk1hjexere4pvtrj0hggt"
         - Roles come with assigned permissions (`RBACPermissions`) that define what actions the role can perform on system resources.
         - Metadata such as `createdAt` and `updatedAt` timestamps track the role's lifecycle events.

         Permissions (`RBACPermissions`):
         - Encapsulates resource-specific access controls.
         - Each permission object specifies the `resource` (e.g., "user", "document") and an associated list of allowed `RBACAccess` types.
         - `RBACAccess` enumerates the supported actions: `Read`, `Add`, `Modify`, `Delete`.

         Role Assignments to Actors (`RBACActorRole`):
         - Maps actors (e.g., users, services) to specific roles.
         - Tracks the association through `actorId` (representing the unique entity being assigned) and `roleId` (specific role ID).
         - Includes timestamps to record when the assignment was created or updated.
    

## Retrieves all RBAC-guarded resources and their access lists

 - [GET /api/v1/rbac](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac/get.md): Returns the complete list of RBAC-protected resources along with their supported access types (Read, Add, Modify, Delete, etc.). Use this to understand what resources exist in the system and what permissions can be assigned to them. No authentication required.

## Retrieves permissions for the specified actor within a scope

 - [GET /api/v1/rbac/actors/{actorId}/permissions](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1actors~1%7Bactorid%7D~1permissions/get.md): Retrieves all permissions assigned to an actor within a specified scope.
        If no scope is provided, assumes GlobalScope

## Retrieves roles for the specified actor within the specified scope

 - [GET /api/v1/rbac/actors/{actorId}/roles](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1actors~1%7Bactorid%7D~1roles/get.md): Retrieves all roles assigned to the specified actor within the specified scope.
            If no scope is specified, assumes the GlobalScope

RBAC:
- requires ANY of GroupRoles.Read, Roles.Read

## Retrieves all roles in the specified scope

 - [GET /api/v1/rbac/roles](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1roles/get.md): Returns all roles that exist within the specified scope. The scope can be 'global' for global roles or a group ID for group-scoped roles.

RBAC:
- requires ANY of Roles.Read, GroupRoles.Read

## Create a new role in the specified scope

 - [POST /api/v1/rbac/roles](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1roles/post.md): Creates a new role with specified permissions within the specified scope. The scope can be 'global' for global roles or a group ID for group-scoped roles. The scope value in the request body is ignored — the scope query parameter is authoritative. Group-scoped roles cannot include restricted permissions (GroupRoles.Manage, Group.Delete).

RBAC:
- requires ANY of Roles.Manage, GroupRoles.Manage

## Update the specified role

 - [PUT /api/v1/rbac/roles/{roleId}](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1roles~1%7Broleid%7D/put.md): Updates the name, description, and/or permissions of an existing role identified by its role ID within the specified scope. The role's scope cannot be changed. Group-scoped roles cannot include restricted permissions (GroupRoles.Manage, Group.Delete).

RBAC:
- requires ANY of Roles.Manage, GroupRoles.Manage

## Delete the specified role

 - [DELETE /api/v1/rbac/roles/{roleName}](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1roles~1%7Brolename%7D/delete.md): Permanently deletes a role by name within the specified scope. All actor-to-role assignments for this role will also be removed. This operation cannot be undone.

RBAC:
- requires ANY of Roles.Manage, GroupRoles.Manage

## Retrieves the description and the access list for the specified resource

 - [GET /api/v1/rbac/{resource}](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1%7Bresource%7D/get.md): Returns the resource model including its name, description, and supported access types for a specific RBAC-guarded resource. Use the resource name as it appears in the full resource list (e.g., 'GroupMembers', 'Users', 'Roles'). Returns ResourceNotFound if the resource does not exist. No authentication required.

