RBAC: Allow listing user permissions with scope (#57538)

* RBAC: Allow listing user permissions with scope * Add docs * Document the api endpoint * Update docs Co-authored-by: Garrett Guillotte <100453168+gguillotte-grafana@users.noreply.github.com> * Split endpoint in two * document reloadcache * Update docs/sources/developers/http_api/access_control.md * Fix test * Ieva's nit. * Simplify flag description Co-authored-by: Garrett Guillotte <100453168+gguillotte-grafana@users.noreply.github.com>
2025-07-28 13:42:15 +08:00 · 2022-11-02 10:48:11 +01:00
parent f1f0a6f88b
commit 101ce57a94
5 changed files with 247 additions and 6 deletions
--- a/docs/sources/developers/http_api/access_control.md
+++ b/docs/sources/developers/http_api/access_control.md
@ -527,11 +527,60 @@ Content-Type: application/json; charset=UTF-8

 `permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
 For example, if a user does not have required permissions for creating users, they won't be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges.
+
+| Action             | Scope                     |
+| ------------------ | ------------------------- |
+| users.roles:remove | permissions:type:delegate |
+
+#### Query parameters
+
+| Param  | Type    | Required | Description                                                                                                                                                               |
+| ------ | ------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| global | boolean | No       | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request to remove assignment. |
+
+#### Example request
+
+```http
+DELETE /api/access-control/users/1/roles/AFUXBHKnk
+Accept: application/json
+```
+
+#### Example response
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+```
+
+#### Status codes
+
+| Code | Description                                                          |
+| ---- | -------------------------------------------------------------------- |
+| 200  | Role is unassigned.                                                  |
+| 403  | Access denied.                                                       |
+| 500  | Unexpected error. Refer to body and/or server logs for more details. |
+
+### Set user role assignments
+
+`PUT /api/access-control/users/:userId/roles`
+
+Update the user's role assignments to match the provided set of UIDs.
+This will remove any assigned roles that aren't in the request and add
+roles that are in the set but are not already assigned to the user.
+
+If you want to add or remove a single role, consider using
+[Add a user role assignment]({{< ref "#add-a-user-role-assignment" >}}) or
+[Remove a user role assignment]({{< ref "#remove-a-user-role-assignment" >}})
+instead.
+
+#### Required permissions
+
 `permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
 For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.

 | Action             | Scope                     |
-[Add a user role assignment]({{< ref "#add-a-user-role-assignment" >}}) or
+| ------------------ | ------------------------- |
 | users.roles:add    | permissions:type:delegate |
 | users.roles:remove | permissions:type:delegate |