Roles
Roles let you control what members of your organization can do. A role is a named bundle of permissions; a member’s effective access is the union of the permissions across every role they hold.
The authenticated caller can read their own resolved access from the identity
service’s GetMyUser response, whose permissions field lists the effective
permission keys (e.g. INTEGRATIONS_WRITE) granted by their assigned
roles.
Every organization starts with a single seeded system role, Admin, which holds every permission and cannot be edited or deleted. You create additional roles, choose which permissions each grants, pick one as the default assigned to new members, and assign roles to individual members.
Service: firetiger.rbac.v1.RolesService
Resource name pattern: roles/{role_id}
Access: Read-write
Resource type: Role
Two rules are enforced on every mutation:
- No privilege escalation. You can only grant permissions that you hold
yourself. Creating or editing a role, changing the default role, or assigning
a role whose permissions exceed your own is rejected with
permission_denied. - Last-admin guardrail. An organization must always retain at least one
member holding the system Admin role. A change that would remove the final
admin is rejected with
failed_precondition.
Example flow
Create a role, make it the default for new members, then assign it to a user.
1. Create a role
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/CreateRole" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{
"role_id": "integrations-owner",
"role": {
"display_name": "Integrations Owner",
"description": "Manages connections and integrations",
"permissions": ["INTEGRATIONS_WRITE"]
}
}'
{
"role": {
"name": "roles/integrations-owner",
"displayName": "Integrations Owner",
"description": "Manages connections and integrations",
"permissions": ["INTEGRATIONS_WRITE"],
"system": false,
"isDefault": false,
"createTime": "2024-06-15T14:30:00Z",
"updateTime": "2024-06-15T14:30:00Z"
}
}
2. Assign the role to a member
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/AssignRoles" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{
"user": "users/u-a1b2c3",
"roles": ["roles/integrations-owner"]
}'
{
"roles": ["roles/integrations-owner"]
}
Methods
| Method | Description |
|---|---|
| CreateRole | Create a new role |
| GetRole | Retrieve a single role |
| ListRoles | List roles in your organization |
| UpdateRole | Edit a role’s name, description, or permissions |
| DeleteRole | Soft-delete a role |
| ListUsersWithPermission | Find members holding a permission |
| SetDefaultRole | Choose the default role for new members |
| AssignRoles | Replace a member’s role assignments |
CreateRole
Creates a new role in your organization.
POST /firetiger.rbac.v1.RolesService/CreateRole
Request body
| Field | Type | Required | Description |
|---|---|---|---|
role_id |
string | Optional kebab-case slug for the resource name (roles/{role_id}). Must match ^[a-zA-Z0-9][a-zA-Z0-9_-]*$. If omitted, the server generates one. |
|
role |
Role | Yes | The role to create. Only display_name, description, and permissions are read; server-managed fields are ignored. |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/CreateRole" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{
"role_id": "billing-manager",
"role": {
"display_name": "Billing Manager",
"permissions": ["BILLING_WRITE"]
}
}'
Response
{
"role": {
"name": "roles/billing-manager",
"displayName": "Billing Manager",
"permissions": ["BILLING_WRITE"],
"system": false,
"isDefault": false,
"createTime": "2024-06-15T14:30:00Z",
"updateTime": "2024-06-15T14:30:00Z"
}
}
GetRole
Retrieves a single role by resource name.
POST /firetiger.rbac.v1.RolesService/GetRole
Request body
| Field | Type | Required | Description |
|---|---|---|---|
name |
string | Yes | Role resource name (roles/{role_id}) |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/GetRole" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{"name": "roles/integrations-owner"}'
Response
{
"role": {
"name": "roles/integrations-owner",
"displayName": "Integrations Owner",
"permissions": ["INTEGRATIONS_WRITE"],
"system": false,
"isDefault": false,
"createTime": "2024-06-15T14:30:00Z",
"updateTime": "2024-06-15T14:30:00Z"
}
}
ListRoles
Lists roles in your organization.
POST /firetiger.rbac.v1.RolesService/ListRoles
Request body
| Field | Type | Required | Description |
|---|---|---|---|
filter |
string | AIP-160 filter expression | |
order_by |
string | Sort order (e.g. create_time desc) |
|
page_size |
integer | Maximum results per page | |
page_token |
string | Token from a previous next_page_token |
|
show_deleted |
boolean | Include soft-deleted roles when true |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/ListRoles" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{}'
Response
{
"roles": [
{
"name": "roles/admin",
"displayName": "Admin",
"system": true,
"isDefault": true,
"createTime": "2024-01-01T00:00:00Z",
"updateTime": "2024-01-01T00:00:00Z"
},
{
"name": "roles/integrations-owner",
"displayName": "Integrations Owner",
"permissions": ["INTEGRATIONS_WRITE"],
"system": false,
"isDefault": false,
"createTime": "2024-06-15T14:30:00Z",
"updateTime": "2024-06-15T14:30:00Z"
}
],
"nextPageToken": ""
}
UpdateRole
Edits a role’s display name, description, or permissions. The system Admin role
cannot be edited (rejected with failed_precondition). Server-managed fields
(system, is_default, name, timestamps) are ignored even if included in
update_mask.
POST /firetiger.rbac.v1.RolesService/UpdateRole
Request body
| Field | Type | Required | Description |
|---|---|---|---|
role |
Role | Yes | The role with name set and the fields to change |
update_mask |
string | Comma-separated field paths to modify (display_name, description, permissions). Omitted or * updates all mutable fields. |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/UpdateRole" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{
"role": {
"name": "roles/integrations-owner",
"permissions": ["INTEGRATIONS_WRITE", "CHANGE_MONITOR_WRITE"]
},
"update_mask": "permissions"
}'
Response
{
"role": {
"name": "roles/integrations-owner",
"displayName": "Integrations Owner",
"permissions": ["INTEGRATIONS_WRITE", "CHANGE_MONITOR_WRITE"],
"system": false,
"isDefault": false,
"createTime": "2024-06-15T14:30:00Z",
"updateTime": "2024-06-15T15:00:00Z"
}
}
DeleteRole
Soft-deletes a role. Rejected with failed_precondition when the role is the
system Admin role or the current default role (change the default with
SetDefaultRole first). Members who still held the role lose
its permissions on their next request.
POST /firetiger.rbac.v1.RolesService/DeleteRole
Request body
| Field | Type | Required | Description |
|---|---|---|---|
name |
string | Yes | Role resource name (roles/{role_id}) |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/DeleteRole" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{"name": "roles/integrations-owner"}'
Response
{}
ListUsersWithPermission
Returns the members of your organization whose combined role permissions include a given permission. Useful for audits and for answering “who can do X?”.
POST /firetiger.rbac.v1.RolesService/ListUsersWithPermission
Request body
| Field | Type | Required | Description |
|---|---|---|---|
permission |
Permission | Yes | The permission to query |
page_size |
integer | Maximum results per page | |
page_token |
string | Token from a previous next_page_token |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/ListUsersWithPermission" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{"permission": "INTEGRATIONS_WRITE"}'
Response
{
"users": ["users/u-a1b2c3", "users/u-d4e5f6"],
"nextPageToken": ""
}
SetDefaultRole
Atomically makes a role the default assigned to new members, clearing the flag from the previous default. Subject to the no-privilege-escalation rule: the target role’s permissions must be a subset of your own.
POST /firetiger.rbac.v1.RolesService/SetDefaultRole
Request body
| Field | Type | Required | Description |
|---|---|---|---|
name |
string | Yes | Role resource name to make default (roles/{role_id}) |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/SetDefaultRole" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{"name": "roles/integrations-owner"}'
Response
{
"role": {
"name": "roles/integrations-owner",
"displayName": "Integrations Owner",
"permissions": ["INTEGRATIONS_WRITE"],
"system": false,
"isDefault": true,
"createTime": "2024-06-15T14:30:00Z",
"updateTime": "2024-06-15T15:30:00Z"
}
}
AssignRoles
Replaces a member’s entire set of role assignments with the provided list. The set is order-independent and deduplicated by the server. An empty list leaves the member with no roles. Subject to the no-privilege-escalation rule and the last-admin guardrail; there is no separate demote method, remove the Admin role from the list to demote a member.
POST /firetiger.rbac.v1.RolesService/AssignRoles
Request body
| Field | Type | Required | Description |
|---|---|---|---|
user |
string | Yes | Target member resource name (users/{user}) |
roles |
string[] | Role resource names to assign. Every role must exist and belong to your organization. |
Example
curl -X POST "https://api.cloud.firetiger.com/firetiger.rbac.v1.RolesService/AssignRoles" \
-u "$USERNAME:$PASSWORD" \
-H "Content-Type: application/json" \
-d '{
"user": "users/u-a1b2c3",
"roles": ["roles/integrations-owner", "roles/billing-manager"]
}'
Response
{
"roles": ["roles/billing-manager", "roles/integrations-owner"]
}