# RBAC

Endpoints for retrieving Role-Based Access Control (RBAC) configurations and managing roles, resources, permissions and role-to-user assignments.

**Scoped Role Definition** (`RBACRole`):

- Represents roles within the RBAC system.
- Each role has a unique `roleId`, a `name`, an optional `description`, and a `scope`.
- The `scope` defines the domain or area in which the role is valid.
- The `scope` can be Global (hardcoded); currently the only one is "System".
- The `scope` can also be dynamic; currently we use Group IDs, like "gr_05hxcvk1hjexere4pvtrj0hggt".
- Roles come with assigned permissions (`RBACPermissions`) that define what actions the role can perform on system resources.
- Metadata such as `createdAt` and `updatedAt` timestamps track the role's lifecycle events.

**Permissions** (`RBACPermissions`):

- Encapsulates resource-specific access controls.
- Each permission object specifies the `resource` (e.g., "user", "document") and an associated list of allowed `RBACAccess` types.
- `RBACAccess` enumerates the supported actions: `Read`, `Add`, `Modify`, `Delete`.

**Role Assignments to Actors** (`RBACActorRole`):

- Maps actors (e.g., users, services) to specific roles.
- Tracks the association through `actorId` (representing the unique entity being assigned) and `roleId` (specific role ID).
- Includes timestamps to record when the assignment was created or updated.

## Retrieves all RBAC-guarded resources and their access lists

- [GET /api/v1/rbac](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac/get.md)

## Retrieves permissions for the specified actor within a scope

- [GET /api/v1/rbac/actors/{actorId}/permissions](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1actors~1%7Bactorid%7D~1permissions/get.md): Retrieves all permissions assigned to an actor within a specified scope. If no scope is provided, assumes GlobalScope.

## Retrieves roles for the specified actor within the specified scope

- [GET /api/v1/rbac/actors/{actorId}/roles](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1actors~1%7Bactorid%7D~1roles/get.md): Retrieves all roles assigned to the specified actor within the specified scope. If no scope is specified, assumes the GlobalScope. RBAC: requires Roles.Read

## Update the specified role

- [PUT /api/v1/rbac/roles/{roleId}](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1roles~1%7Broleid%7D/put.md): RBAC: requires Roles.Manage

## Retrieves all roles defined within the specified scope

- [GET /api/v1/rbac/scopes/{scope}/roles](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1scopes~1%7Bscope%7D~1roles/get.md): RBAC: requires Roles.Read

## Create a new role within the specified scope

- [POST /api/v1/rbac/scopes/{scope}/roles](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1scopes~1%7Bscope%7D~1roles/post.md): Creates a new role with specified permissions within the specified scope. RBAC: requires Roles.Manage

## Delete the specified role from the specified scope

- [DELETE /api/v1/rbac/scopes/{scope}/roles/{roleName}](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1scopes~1%7Bscope%7D~1roles~1%7Brolename%7D/delete.md): RBAC: requires Roles.Manage

## Retrieves the description and the access list for the specified resource

- [GET /api/v1/rbac/{resource}](https://docs.wellesley.social/openapi/rbac/paths/~1api~1v1~1rbac~1%7Bresource%7D/get.md)
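
The `RBACRole`, `RBACPermissions` and `RBACActorRole` model described at the top of this page can be mirrored offline to audit what an actor ends up with in a given scope. The Python below is an added example, not code from this API or its project. Assumptions: access from several roles is unioned, "System" is treated as the GlobalScope default, the `createdAt`/`updatedAt` timestamps are omitted, and all role names, role IDs and actors are constructed.

```python
from dataclasses import dataclass
from enum import Enum

GLOBAL_SCOPE = "System"  # the only hardcoded global scope named on the page

class RBACAccess(Enum):
    READ = "Read"
    ADD = "Add"
    MODIFY = "Modify"
    DELETE = "Delete"

@dataclass(frozen=True)
class RBACRole:
    roleId: str
    name: str
    scope: str
    permissions: dict  # resource name -> set of RBACAccess
    description: str = ""

@dataclass(frozen=True)
class RBACActorRole:
    actorId: str
    roleId: str

def actor_permissions(actor_id, roles, assignments, scope=None):
    """Union of the access granted by the actor's roles in `scope` (assumed semantics)."""
    scope = scope or GLOBAL_SCOPE  # no scope given: fall back to the global scope
    by_id = {r.roleId: r for r in roles}
    merged = {}
    for a in assignments:
        role = by_id.get(a.roleId)
        # Ignore other actors, dangling roleIds and roles valid in another scope.
        if a.actorId != actor_id or role is None or role.scope != scope:
            continue
        for resource, access in role.permissions.items():
            merged.setdefault(resource, set()).update(access)
    return merged

def is_allowed(actor_id, resource, access, roles, assignments, scope=None):
    """Default deny: True only when an in-scope role grants `access` on `resource`."""
    return access in actor_permissions(actor_id, roles, assignments, scope).get(resource, set())

# Constructed sample data; only the group id string comes from the page.
GROUP = "gr_05hxcvk1hjexere4pvtrj0hggt"
ROLES = [
    RBACRole("r1", "auditor", GLOBAL_SCOPE, {"user": {RBACAccess.READ}}),
    RBACRole("r2", "group-editor", GROUP, {"document": {RBACAccess.READ, RBACAccess.MODIFY}}),
    RBACRole("r3", "group-cleaner", GROUP, {"document": {RBACAccess.DELETE}}),
]
ASSIGNMENTS = [RBACActorRole("alice", "r1"), RBACActorRole("alice", "r2"),
               RBACActorRole("alice", "r3"), RBACActorRole("bob", "r404")]
```

A role granted in a group scope gives nothing in "System" under this model, so the same actor and resource can yield different answers depending on the scope passed.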