# Create a role

This endpoint creates a new role that can be then applied to a user or multiple users in order to define their permissions to access Trusted Twin resources and perform operations on them.

Method Path Operation*
POST /roles create_user_role

*

In order for a user to perform the "create_user_role" operation, the "create_user_role" permission must be included in the list of allowed actions in the statement of the user's role.

# Request

Parameter Type In Description
name
required
string body Name of the role. It must match the regular expression (opens new window) [0-9A-Za-z][0-9A-Za-z_ \-]{0,30}[0-9A-Za-z]. It does not need to be unique in the context of the account.
rules
optional *
dictionary, DEFAULT=null body Access rule for a "twin", an "entry" and/or an "identity". If the rule evaluates to True, it allows to access the given resource.
statement
optional **
dictionary, DEFAULT={"effect": "deny", "actions": null} body
Statement that lists "actions" which correspond with the names of endpoint operations that a user with the role is allowed to perform.
Attribute Type In Description
effect
required
string, value is "allow" or "deny" body Permission to perform an "action" applied at the level of the account.
actions
required
list body List of "actions" that we grant the user with the role the permission to perform. The value must correspond with the name of an endpoint operation.
- Value: Value of the given dimension.

*

The "rules" parameter is optional and does not need to be included in the request body when creating a role. If a rule for a Twin, an Entry or an Identity is not included in the request, its default value (null) is used.

**

The "statement" attribute is optional. If not provided, a role is created that allows the user to perform all available "actions" ("effect": "deny", "actions": null).

In our example, we create a role with the name "Read only":

  • We create one rule to access the "twin" resource ("TWIN.company == USER.company"). If the rule evaluates to True, the user with the role will be able to access the Twin.
  • We allow ("effect": "allow") the following "actions": "get_twin_ledger_entry", "get_twin_identities", "get_user_role", "get_twin_identity", "get_user", and "get_twin". These actions are held in the "statement" attribute of the role.

# Response

Attribute Type Description
uuid string Role UUID.
name string Name of the role. It must match the regular expression (opens new window) [0-9A-Za-z][0-9A-Za-z_ \-]{0,30}[0-9A-Za-z]. It does not need to be unique in the context of the account.
account string Account UUID.
rules dictionary Access rules that control access to a "twin", an "entry" and/or an "identity". If a rule evaluates to True, it allows to access the given resource.
statement dictionary
Statement lists "actions" that correspond with the names of endpoint operations that a user with the role is allowed to perform.
Attribute Type Description
effect string, value is "allow" or "deny"</td> <td> Permission to perform an"action"` applied at the level of the account.
actions list List of actions that we grant the user with the role the permission to perform. The value must correspond with the name of an endpoint operation.
created_ts timestamp Time at which the role was created. Measured in seconds (to three decimal places) that have elapsed since the Unix epoch (opens new window).
updated_ts timestamp Time at which the role was last updated. Measured in seconds (to three decimal places) that have elapsed since the Unix epoch (opens new window).

The response returns the role "Read only" with the role UUID "3d4c3ec0-6c5f-4d32-ab23-4df8c69f142c":

  • The role has a rule which allows the user with the role to access the "twin" resource if the rule "TWIN.company == USER.company" evaluates to True.
  • The role does not have an "entry" rule.
  • The role does not have an "identity" rule.
  • The rule allows ("effect": "allow") the user to perform the following "actions": "get_twin_ledger_entry", "get_twin_identities", "get_user_role", "get_twin_identity", "get_user", and "get_twin" "actions". These actions are held in the "statement" attribute of the role.

# Status codes

Requests to this endpoint result in generic status codes. For a comprehensive list of status codes, please consult the Status Codes section.