Manage roles
Added in
v1.29Role-based access control (RBAC) is generally available in Weaviate from version v1.29.
In Weaviate, Role-based access control (RBAC) allows you to define roles and assign permissions to those roles. Users can then be assigned to roles and inherit the permissions associated with those roles.
On this page, you will find examples of how to manage roles and permissions with Weaviate client libraries.
Follow these general steps to configure RBAC:
Step 1. Connect to Weaviate with a user possessing
role management permissions
.
Step 2. Grant permissions to a
new role
or an
existing role
.
- Step 3.
Assign the role to a user
.
Requirements for managing roles
Role management requires appropriate role resource permissions that can be obtained through:
- A predefined
rootrole when configuring RBAC. - A role with
Role Managementpermissions granted.
- Python
- JS/TS
- Go
- Java
import weaviate
from weaviate.classes.init import Auth
# Connect to Weaviate as root user
client = weaviate.connect_to_local(
auth_credentials=Auth.api_key("root-user-key"),
)
import weaviate, { WeaviateClient } from 'weaviate-client'
// Connect to Weaviate as root user
const client: WeaviateClient = await weaviate.connectToLocal({
authCredentials: new weaviate.ApiKey("user-a-key")
})
cfg := weaviate.Config{
Host: "localhost:8580",
Scheme: "http",
AuthConfig: auth.ApiKey{Value: "root-user-key"},
}
// Connect to Weaviate as root user
client, err := weaviate.NewClient(cfg)
String scheme = "http";
String host = "localhost";
String port = "8580"; // Custom port for RBAC testing
Config config = new Config(scheme, host + ":" + port);
client = WeaviateAuthClient.apiKey(config, "root-user-key");
Role management
Create new roles with permissions
Permissions for these resource types can be assigned to roles:
-
Collections (collection definitions only, data object permissions are separate)
Create a role with Role Management permissions
This example creates a role called testRole with permissions to:
- Create, read, update and delete all roles starting with
testRole*.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions, RoleScope
permissions = [
Permissions.roles(
role="testRole*", # Applies to all roles starting with "testRole"
scope=RoleScope.MATCH, # Only allow role management with the current user's permission level
# scope=RoleScope.ALL # Allow role management with all permissions
create=True, # Allow creating roles
read=True, # Allow reading roles
update=True, # Allow updating roles
delete=True, # Allow deleting roles
)
]
client.roles.create(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const rolePermission = permissions.roles({
role: "testRole",
create: true,
read: true,
update: true,
delete: true,
})
await client.roles.create("testRole", rolePermission)
permissions := []rbac.Permission{
rbac.RolesPermission{
Role: "testRole*", // Applies to all roles starting with "testRole"
Scope: "match", // Only allow role management with the current user's permission level, can also be "all"
// Scope: rbac.RoleScopeAll, // Allow role management with all permissions
Actions: []string{
models.PermissionActionCreateRoles, // Allow creating roles
models.PermissionActionReadRoles, // Allow reading roles
models.PermissionActionUpdateRoles, // Allow updating roles
models.PermissionActionDeleteRoles, // Allow deleting roles
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.roles(
"testRole*", // Applies to all roles starting with "testRole"
RolesPermission.Action.CREATE, // Allow creating roles
RolesPermission.Action.READ, // Allow reading roles
RolesPermission.Action.UPDATE, // Allow updating roles
RolesPermission.Action.DELETE // Allow deleting roles
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with User Management permissions
This example creates a role called testRole with permissions to:
- Create, read, update and delete all users starting with
testUser*. - Assign and revoke roles to and from users starting with
testUser*.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.users(
user="testUser*", # Applies to all users starting with "testUser"
create=True, # Allow creating users
read=True, # Allow reading user info
update=True, # Allow rotating user API key
delete=True, # Allow deleting users
assign_and_revoke=True, # Allow assigning and revoking roles to and from users
)
]
client.roles.create(role_name="testRole", permissions=permissions)
// TS/JS support coming soon
permissions := []rbac.Permission{
rbac.UsersPermission{
Actions: []string{
models.PermissionActionCreateUsers, // Allow creating users
models.PermissionActionReadUsers, // Allow reading user info
models.PermissionActionUpdateUsers, // Allow rotating user API key
models.PermissionActionDeleteUsers, // Allow deleting users
models.PermissionActionAssignAndRevokeUsers, // Allow assigning and revoking roles to and from users
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.users(
UsersPermission.Action.CREATE, // Allow creating users
UsersPermission.Action.READ, // Allow reading user info
UsersPermission.Action.UPDATE, // Allow rotating user API key
UsersPermission.Action.DELETE, // Allow deleting users
UsersPermission.Action.ASSIGN_AND_REVOKE // Allow assigning and revoking roles
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Collections permissions
This example creates a role called testRole with permissions to:
- Create, read, update and delete all collections starting with
TargetCollection.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.collections(
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
create_collection=True, # Allow creating new collections
read_config=True, # Allow reading collection info/metadata
update_config=True, # Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
delete_collection=True, # Allow deleting collections
),
]
client.roles.create(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const collectionPermissions = [
permissions.collections({
collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
create_collection: true, // Allow creating new collections
read_config: true, // Allow reading collection info/metadata
update_config: true, // Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
delete_collection: true, // Allow deleting collections
}),
]
await client.roles.create("testRole", collectionPermissions)
permissions := []rbac.Permission{
rbac.CollectionsPermission{
Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
Actions: []string{
models.PermissionActionCreateCollections, // Allow creating new collections
models.PermissionActionReadCollections, // Allow reading collection info/metadata
models.PermissionActionUpdateCollections, // Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
models.PermissionActionDeleteCollections, // Allow deleting collections
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.collections(
"TargetCollection*", // Applies to all collections starting with "TargetCollection"
CollectionsPermission.Action.CREATE, // Allow creating new collections
CollectionsPermission.Action.READ, // Allow reading collection info/metadata
CollectionsPermission.Action.UPDATE, // Allow updating collection configuration
CollectionsPermission.Action.DELETE // Allow deleting collections
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Tenant permissions
This example creates a role called testRole with permissions to:
- Create and delete tenants starting with
TargetTenantin collections starting withTargetCollection. - Read metadata (like tenant names and status) for tenants starting with
TargetTenantin collections starting withTargetCollection. - Update the status of tenants starting with
TargetTenantin collections starting withTargetCollection.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.tenants(
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
tenant="TargetTenant*", # Applies to all tenants starting with "TargetTenant"
create=True, # Allow creating new tenants
read=True, # Allow reading tenant info/metadata
update=True, # Allow updating tenant states
delete=True, # Allow deleting tenants
),
]
client.roles.create(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const AddTenantPermissions = [
permissions.tenants({
collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
tenant: "TargetTenant*", // Applies to all tenants starting with "TargetTenant"
create: true, // Allow creating new tenants
read: true, // Allow reading tenant info/metadata
update: true, // Allow updating tenant states
delete: true, // Allow deleting tenants
}),
]
await client.roles.create("testRole", AddTenantPermissions)
permissions := []rbac.Permission{
rbac.TenantsPermission{
Actions: []string{
models.PermissionActionCreateTenants, // Allow creating new tenants
models.PermissionActionReadTenants, // Allow reading tenant info/metadata
models.PermissionActionUpdateTenants, // Allow updating tenant states
models.PermissionActionDeleteTenants, // Allow deleting tenants
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.tenants(
TenantsPermission.Action.CREATE, // Allow creating new tenants
TenantsPermission.Action.READ, // Allow reading tenant info/metadata
TenantsPermission.Action.UPDATE, // Allow updating tenant states
TenantsPermission.Action.DELETE // Allow deleting tenants
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Data Objects permissions
This example creates a role called testRole with permissions to:
- Create, read, update and delete data from collections starting with
TargetCollection. - If multi-tenancy is enabled and the
tenantfilter is set, the permission only applies to tenants starting withTargetTenant.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.data(
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
tenant="TargetTenant*", # Applies to all tenants starting with "TargetTenant"
create=True, # Allow data inserts
read=True, # Allow query and fetch operations
update=True, # Allow data updates
delete=False, # Allow data deletes
),
]
client.roles.create(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const dataPermissions = [
permissions.data({
collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
tenant: "TargetTenant*", // Applies to all tenants starting with "TargetTenant"
create: true, // Allow data inserts
read: true, // Allow query and fetch operations
update: true, // Allow data updates
delete: false, // Allow data deletes
}),
]
await client.roles.create("testRole", dataPermissions)
permissions := []rbac.Permission{
rbac.DataPermission{
Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
Actions: []string{
models.PermissionActionCreateData, // Allow data inserts
models.PermissionActionReadData, // Allow query and fetch operations
models.PermissionActionUpdateData, // Allow data updates
// models.PermissionActionDeleteData, // Allow data deletes - set to false by not including
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.data(
"TargetCollection*", // Applies to all collections starting with "TargetCollection"
DataPermission.Action.CREATE, // Allow data inserts
DataPermission.Action.READ, // Allow query and fetch operations
DataPermission.Action.UPDATE // Allow data updates
// Note: DELETE is not included, similar to Python example
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Backups permissions
This example creates a role called testRole with permissions to:
- Manage backups for collections starting with
TargetCollection.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.backup(
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
manage=True, # Allow managing backups
),
]
client.roles.create(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const backupsPermissions = [
permissions.backup({
collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
manage: true, // Allow managing backups
}),
]
await client.roles.create("testRole", backupsPermissions)
permissions := []rbac.Permission{
rbac.BackupsPermission{
Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
Actions: []string{
models.PermissionActionManageBackups, // Allow managing backups
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.backups(
"TargetCollection*", // Applies to all collections starting with "TargetCollection"
BackupsPermission.Action.MANAGE // Allow managing backups
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Cluster Data Access permissions
This example creates a role called testRole with permissions to:
- Read cluster metadata.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.cluster(read=True), # Allow reading cluster data
]
client.roles.create(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const clusterPermissions = [
permissions.cluster({
read: true // Allow reading cluster data
}),
]
await client.roles.create("testRole", clusterPermissions)
permissions := []rbac.Permission{
rbac.ClusterPermission{
Actions: []string{
models.PermissionActionReadCluster, // Allow reading cluster data
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.cluster(ClusterPermission.Action.READ) // Allow reading cluster data
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Node Data Access permissions
This example creates a role called testRole with permissions to:
- Read node metadata at the specified verbosity level for collections starting with
TargetCollection.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
verbose_permissions = [
Permissions.Nodes.verbose(
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
read=True, # Allow reading node metadata
),
]
# The `minimal` verbosity level applies to all collections unlike
# the `verbose` level where you specify the collection name filter
minimal_permissions = [
Permissions.Nodes.minimal(
read=True, # Allow reading node metadata
),
]
client.roles.create(
role_name="testRole", permissions=verbose_permissions
) # or `minimal_permissions`
const { permissions } = weaviate
const verboseNodePermissions = [
permissions.nodes.verbose({
collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
read: true, // Allow reading node metadata
}),
]
// The `minimal` verbosity level applies to all collections unlike
// the `verbose` level where you specify the collection name filter
const minimalNodePermissions = [
permissions.nodes.minimal({
read: true, // Allow reading node metadata
}),
]
await client.roles.create("testRole", verboseNodePermissions) // or `minimalNodePermissions`
verbosePermissions := []rbac.Permission{
rbac.NodesPermission{
Verbosity: "verbose",
Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
Actions: []string{
models.PermissionActionReadNodes, // Allow reading node metadata
},
},
}
// The `minimal` verbosity level applies to all collections unlike
// the `verbose` level where you specify the collection name filter
err = client.Roles().Creator().WithRole(
rbac.NewRole("testRole", verbosePermissions...),
).Do(ctx)
// Verbose permissions - applies to specific collections
Permission<?>[] verbosePermissions = new Permission<?>[] {
Permission.nodes(
"TargetCollection*", // Applies to all collections starting with "TargetCollection"
NodesPermission.Action.READ // Allow reading node metadata
)
};
// Minimal permissions - applies to all collections
Permission<?>[] minimalPermissions = new Permission<?>[] {
Permission.nodes(
"*", // Applies to all collections
NodesPermission.Action.READ // Allow reading node metadata
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(verbosePermissions) // or minimalPermissions
.run();
Create a role with Collection Alias permissions
This example creates a role called testRole with permissions to:
- Create, read, update and delete collection aliases starting with
TargetAlias.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.alias(
alias="TargetAlias*", # Applies to all aliases starting with "TargetAlias"
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
create=True, # Allow alias creation
read=True, # Allow listing aliases
update=True, # Allow updating aliases
delete=False, # Allow deleting aliases
),
]
client.roles.create(role_name="testRole", permissions=permissions)
// TS/JS support coming soon
permissions := []rbac.Permission{
rbac.AliasPermission{
Alias: "TargetAlias*", // Applies to all aliases starting with "TargetAlias"
Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
Actions: []string{
models.PermissionActionCreateAliases, // Allow alias creation
models.PermissionActionReadAliases, // Allow listing aliases
models.PermissionActionUpdateAliases, // Allow updating aliases
// models.PermissionActionDeleteAliases, // Allow deleting aliases - set to false by not including
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.alias(
"TargetAlias*", // Applies to all aliases starting with "TargetAlias"
"TargetCollection*", // Applies to all collections starting with "TargetCollection"
AliasPermission.Action.CREATE, // Allow alias creation
AliasPermission.Action.READ, // Allow listing aliases
AliasPermission.Action.UPDATE // Allow updating aliases
// Note: DELETE is not included, similar to Python example
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Replications permissions
This example creates a role called testRole with permissions to:
- Create, read, update and delete replica movement operations for collections starting with
TargetCollectionand shards starting withTargetShard.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.replicate(
collection="TargetCollection*", # Applies to all collections starting with "TargetCollection"
shard="TargetShard*", # Applies to all shards starting with "TargetShard"
create=True, # Allow replica movement operations
read=True, # Allow retrieving replication status
update=True, # Allow cancelling replication operations
delete=False, # Allow deleting replication operations
),
]
client.roles.create(role_name="testRole", permissions=permissions)
// TS/JS support coming soon
permissions := []rbac.Permission{
rbac.ReplicatePermission{
Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
Shard: "TargetShard*", // Applies to all shards starting with "TargetShard"
Actions: []string{
models.PermissionActionCreateReplicate, // Allow replica movement operations
models.PermissionActionReadReplicate, // Allow retrieving replication status
models.PermissionActionUpdateReplicate, // Allow cancelling replication operations
// models.PermissionActionDeleteReplicate, // Allow deleting replication operations - set to false by not including
},
},
}
err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.replicate(
"TargetCollection*", // Applies to all collections starting with "TargetCollection"
"TargetShard*", // Applies to all shards starting with "TargetShard"
ReplicatePermission.Action.CREATE, // Allow replica movement operations
ReplicatePermission.Action.READ, // Allow retrieving replication status
ReplicatePermission.Action.UPDATE // Allow cancelling replication operations
// Note: DELETE is not included, similar to Python example
)
};
Result<Boolean> createResult = client.roles().creator()
.withName("testRole")
.withPermissions(permissions)
.run();
Create a role with Groups permissions
This example creates a role called testRole with permissions to:
- Read information about and assign/revoke group membership for OIDC groups starting with
TargetGroup.
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.Groups.oidc(
group="TargetGroup*", # Applies to all groups starting with "TargetGroup"
read=True, # Allow reading group information
assign_and_revoke=True, # Allow assigning and revoking group memberships
),
]
client.roles.create(role_name="testRole", permissions=permissions)
// TS/JS support coming soon
// Coming soon
// permissions := []rbac.Permission{
// rbac.GroupsPermission{
// Group: "TargetGroup*", // Applies to all groups starting with "TargetGroup"
// Actions: []string{
// models.PermissionActionReadGroups, // Allow reading group information
// models.PermissionActionAssignAndRevokeGroups, // Allow assigning and revoking group memberships
// },
// },
// }
// err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)
// Permission<?>[] permissions = new Permission<?>[] {
// Permission.groups(
// "TargetGroup*", // Applies to all groups starting with "TargetGroup"
// "oidc", // Group type (OIDC)
// GroupsPermission.Action.READ, // Allow reading group information
// GroupsPermission.Action.ASSIGN_AND_REVOKE // Allow assigning and revoking
// group memberships
// )
// };
// Result<Boolean> createResult = client.roles().creator()
// .withName("testRole")
// .withPermissions(permissions)
// .run();
Grant additional permissions
Additional permissions can be granted to a role at any time. The role must already exist.
This example grants additional permissions to the role testRole to:
- Create new data in collections that start with
TargetCollection
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.data(collection="TargetCollection*", create=True),
]
client.roles.add_permissions(permissions=permissions, role_name="testRole")
const { permissions } = weaviate
const additionalDataPermissions = [
permissions.data({
collection: "TargetCollection*",
read: true,
create: true
}),
permissions.data({
collection: "TargetCollection*",
read: true,
create: false
}),
]
client.roles.addPermissions("testRole", additionalDataPermissions)
permissions := []rbac.Permission{
rbac.DataPermission{
Collection: "TargetCollection*",
Actions: []string{
models.PermissionActionCreateData,
},
},
}
err = client.Roles().PermissionAdder().
WithRole("testRole").
WithPermissions(permissions...).
Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.data("TargetCollection*", DataPermission.Action.CREATE)
};
Result<?> addResult = client.roles().permissionAdder()
.withRole("testRole")
.withPermissions(permissions)
.run();
Remove permissions from a role
Permissions can be revoked from a role at any time. Removing all permissions from a role will delete the role itself.
This example removes the following permissions from the role testRole:
- Read the data from collections that start with
TargetCollection - Create and delete collections that start with
TargetCollection
- Python
- JS/TS
- Go
- Java
from weaviate.classes.rbac import Permissions
permissions = [
Permissions.collections(
collection="TargetCollection*",
read_config=True,
create_collection=True,
delete_collection=True,
),
Permissions.data(collection="TargetCollection*", read=True, create=False),
]
client.roles.remove_permissions(role_name="testRole", permissions=permissions)
const { permissions } = weaviate
const permissionsToRemove = [
permissions.collections({
collection: "TargetCollection*",
read_config: true,
create_collection: true,
delete_collection: true,
}),
permissions.data({
collection: "TargetCollection*",
read: true,
create: false
}),
]
await client.roles.removePermissions("testRole", permissionsToRemove)
permissions = []rbac.Permission{
rbac.CollectionsPermission{
Collection: "TargetCollection*",
Actions: []string{
models.PermissionActionReadCollections,
models.PermissionActionCreateCollections,
models.PermissionActionDeleteCollections,
},
},
rbac.DataPermission{
Collection: "TargetCollection*",
Actions: []string{
models.PermissionActionReadData,
// models.PermissionActionCreateData, // create=False
},
},
}
err = client.Roles().PermissionRemover().
WithRole("testRole").
WithPermissions(permissions...).
Do(ctx)
Permission<?>[] permissions = new Permission<?>[] {
Permission.collections("TargetCollection*",
CollectionsPermission.Action.READ,
CollectionsPermission.Action.CREATE,
CollectionsPermission.Action.DELETE),
Permission.data("TargetCollection*",
DataPermission.Action.READ)
// Note: CREATE is not removed, similar to Python example
};
Result<?> removeResult = client.roles().permissionRemover()
.withRole("testRole")
.withPermissions(permissions)
.run();
Check if a role exists
Check if the role testRole exists:
- Python
- JS/TS
- Go
- Java
print(client.roles.exists(role_name="testRole")) # Returns True or False
console.log(await client.roles.exists("testRole")) // Returns true or false
exists, err := client.Roles().Exists().WithName("testRole").Do(ctx)
fmt.Println(exists) // Returns true or false
Result<Boolean> exists = client.roles().exists()
.withName("testRole")
.run();
System.out.println(exists.getResult()); // Returns true or false
Inspect a role
View the permissions assigned to a role.
- Python
- JS/TS
- Go
- Java
test_role = client.roles.get(role_name="testRole")
print(test_role)
print(test_role.collections_permissions)
print(test_role.data_permissions)
const testRole = await client.roles.byName("testRole")
console.log(testRole)
console.log(testRole?.collectionsPermissions)
console.log(testRole?.dataPermissions)
testRole, err := client.Roles().Getter().WithName("testRole").Do(ctx)
fmt.Println(testRole)
fmt.Println(testRole.Collections)
fmt.Println(testRole.Data)
Result<Role> roleResult = client.roles().getter()
.withName("testRole")
.run();
Role testRole = roleResult.getResult();
System.out.println(testRole);
System.out.println(testRole.getName());
System.out.println(testRole.getPermissions());
List all roles
View all roles in the system and their permissions.
- Python
- JS/TS
- Go
- Java
all_roles = client.roles.list_all()
for role_name, role in all_roles.items():
print(role_name, role)
const allRoles = await client.roles.listAll()
for (const [key, value] of Object.entries(allRoles)) {
console.log(key)
}
allRoles, err := client.Roles().AllGetter().Do(ctx)
for _, role := range allRoles {
fmt.Println(role.Name, role)
}
Result<List<Role>> rolesResult = client.roles().allGetter().run();
List<Role> allRoles = rolesResult.getResult();
for (Role role : allRoles) {
System.out.println(role.getName() + ": " + role.getPermissions());
}
List users with a role
List all users who have the role testRole.
- Python
- JS/TS
- Go
- Java
assigned_users = client.roles.get_user_assignments(role_name="testRole")
for user in assigned_users:
print(user)
const assignedUsers = await client.roles.userAssignments("testRole")
for (const users of assignedUsers) {
console.log(users)
}
assignedUsers, err := client.Roles().UserAssignmentGetter().
WithRole("testRole").
Do(ctx)
for _, user := range assignedUsers {
fmt.Println(user)
}
Result<List<UserAssignment>> assignmentsResult = client.roles()
.userAssignmentsGetter()
.withRole("testRole")
.run();
List<UserAssignment> assignedUsers = assignmentsResult.getResult();
for (UserAssignment user : assignedUsers) {
System.out.println(user.getUserId() + " - " + user.getUserType());
}
Delete a role
Deleting a role will remove it from the system, and revoke the associated permissions from all users who had this role.
- Python
- JS/TS
- Go
- Java
User management
Visit the Manage users page to learn more about assigning roles to users as well as creating, updating and deleting users.
Further resources
Questions and feedback
If you have any questions or feedback, let us know in the user forum.