Role API redesign

[byewokko]

Proposed API

GET /admin/role/{tenant_id}

• list all global and {tenant} roles (as objects)
• supports standard pagination
• use ?assign_cid={credentials_id} to annotate every role object with "assign_cid": {"assigned": true|false, "editable": true|false} where
  • assigned means if the credentials have the role assigned and
  • editable means whether the agent is allowed to (un)assign the role to the credentials

Filtering

• ?aassign_cid.assigned=true|false
• ?aassign_cid.editable=true|false
• ?f={text_to_search} (filter by role ID)

Sorting

• ?sassign_cid.assigned=a|d
• ?sassign_cid.editable=a|d
• ?s_id=a|d (default, sort by role ID)

GET /admin/credentials/{credentials_id}/role/{tenant}

• list credentials' assigned roles (as array of role ID strings), include global and {tenant} roles

PUT /admin/credentials/{credentials_id}/role/{tenant}

• set credentials' global and {tenant} roles (as array of role ID strings)
• global roles must be included unchanged if the agent is not allowed to manage global roles

PUT|DELETE /admin/credentials/{credentials_id}/role/{tenant}/{role_name}

• assign/unassign a single role
• can be extended with assignment expiration and other metadata

GET /admin/role/{tenant}/{role_name}/credentials

• list credentials with the role (as credentials ID strings)