Roles & Permissions
Endpoint Permission Protection
Endpoints are protected according to permissions: each endpoint requires a specific permission, and a call from an account that lacks it is refused. For example, a service account wishing to call POST /api/assets must have the asset_create permission.
NOTE - accounts should be given the minimum permissions necessary (see Principle of Least Privilege). For a service account this means granting only the permissions required by the endpoints it actually calls, rather than a broad role that carries permissions it will never use.
Roles versus Permissions
A Role can be thought of as a collection of Permissions: assigning a role to an account grants every permission in that collection.
Example: a user with the asset_manager role is granted the asset_create permission, along with any other permissions the role contains.
Determining Current User's Roles and Permissions
To determine the current user's roles and permissions, make an authenticated GET request to the user profile endpoint, /api/users/me/. The response contains a roles list and a permissions list; the permissions list is the effective set to check against before calling a protected endpoint.
Example (Python, then JavaScript):
import requests

response = requests.get(f"{BASE_URL}/api/users/me/", headers={"Authorization": "Token <access-token>"})
response.raise_for_status()  # fail fast on a missing or expired token rather than reading an error body
assert "asset_manager" in response.json()["roles"]
assert "asset_create" in response.json()["permissions"]
fetch(
  `${BASE_URL}/api/users/me/`,
  { headers: { "Authorization": "Token <access-token>" } },
)
  .then(res => {
    if (!res.ok) throw new Error(`profile request failed: ${res.status}`);
    return res.json();
  })
  .then(data => {
    // roles and permissions are returned as arrays
    const isAssetManager = data.roles.includes("asset_manager");
    const canCreateAssets = data.permissions.includes("asset_create");
    console.log({ isAssetManager, canCreateAssets });
  });
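The snippets above only confirm that one permission is present. The following is an added example, not code from this page or its project, showing how a client can turn the profile returned by GET /api/users/me/ into a pre-flight check for a specific call and into a least-privilege audit of a service account (the NOTE in Endpoint Permission Protection). The profile JSON is constructed to match the shape shown above; only the POST /api/assets -> asset_create requirement comes from the page, the other entries in REQUIRED and the sample permissions are assumptions for illustration.

```python
"""Added example (not part of the original page): check a /api/users/me/ profile
against the permissions an endpoint call needs, and audit for excess grants."""
import json
import urllib.request

# Constructed sample of a GET /api/users/me/ response, shaped like the page's
# example: a `roles` list and a flat `permissions` list. The extra permissions
# beyond asset_create are assumed for illustration.
SAMPLE_PROFILE = {
    "roles": ["asset_manager"],
    "permissions": ["asset_create", "asset_read", "asset_update"],
}

# Permission each call requires. Only POST /api/assets -> asset_create is
# stated on the page; the other two rows are hypothetical.
REQUIRED = {
    ("POST", "/api/assets"): {"asset_create"},
    ("GET", "/api/assets"): {"asset_read"},            # assumed
    ("DELETE", "/api/assets/{id}"): {"asset_delete"},  # assumed
}


def fetch_profile(base_url, token, timeout=10):
    """Fetch the current account's profile with the token auth shown on the page."""
    req = urllib.request.Request(
        f"{base_url}/api/users/me/",
        headers={"Authorization": f"Token {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def missing_permissions(profile, method, path):
    """Permissions the profile lacks for this call; an empty set means allowed."""
    granted = set(profile.get("permissions", []))
    return REQUIRED[(method, path)] - granted


def can_call(profile, method, path):
    """True when the account holds every permission the call requires."""
    return not missing_permissions(profile, method, path)


def check_before_call(profile, method, path):
    """Pre-flight guard: raise before issuing a request that would be refused."""
    missing = missing_permissions(profile, method, path)
    if missing:
        raise PermissionError(f"{method} {path} requires {sorted(missing)}")


def excess_permissions(profile, needed_calls):
    """Least-privilege audit: permissions granted beyond what `needed_calls` use.

    A service account that only ever issues `needed_calls` should return an
    empty set here; anything listed is a candidate for removal.
    """
    needed = set().union(*(REQUIRED[call] for call in needed_calls))
    return set(profile.get("permissions", [])) - needed


if __name__ == "__main__":
    # Offline walk-through on the constructed profile; swap in
    # fetch_profile(BASE_URL, TOKEN) against a live API.
    check_before_call(SAMPLE_PROFILE, "POST", "/api/assets")
    print("POST /api/assets allowed:", can_call(SAMPLE_PROFILE, "POST", "/api/assets"))
    print("missing for DELETE:", missing_permissions(SAMPLE_PROFILE, "DELETE", "/api/assets/{id}"))
    print("excess for a create-only account:",
          excess_permissions(SAMPLE_PROFILE, [("POST", "/api/assets")]))
```

Running the audit with the calls a service account actually makes is a quick way to spot where a role such as asset_manager granted more than the account needs; the fix is then to grant the narrower permission set rather than the whole role.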