Roles are named sets of one or more permissions, and are useful for defining specific access levels to resources in your Usergrid data store. Multiple roles can be assigned to a user or group, giving you a great deal of flexibility in how access to resources are defined.
For example, in a blogging app you might create a ‘reviewer’ role that allows GET and PUT access to an articles collection to allow the user to retrieve and update articles, but not allow them to create new articles.
While you can create as many custom roles as you want per application, all Usegrid applications include three default roles. These roles each serve a special purpose and should not be deleted; however, you can and should adjust the permissions assigned to these roles to suit the needs of you app.
The following table describes each pre-defined role, and the permissions that are assigned to them by default.
post: /devices
post: /users
put: /devices/*
Assigned to all unauthenticated requests. Includes a basic set of permissions that are commonly needed by unregistered or unauthenticated users.
get, post, put, delete: /**
Default for authenticated users. Assigns the associated permissions to all users whose requests are authenticated with a valid access token.
Unused until you associate it with users or groups. By default, includes no permissions that provide access. Grants no access. Consider this a blank slate. Add permission rules and associate this role with users and groups as needed.
Generally, it is easiest to a create a role for each access type you want to enable in your app. You may, however, assign multiple roles to any user or group entity, so you have the flexibility to define any schema for applying roles that you like.
The following shows how to create a new role and assign permissions to it.
With cURL requests a role entity is created with a POST request, then permissions must be assigned to it with a separate request. For more on assigning permissions with cURL, see Using Permissions.
The following details how to create a new role entity.
curl -X POST https://api.usergrid.com/<org>/<app>/roles -d '{"name":<roleName>}'
Parameters
Parameter Description
org Organization UUID or organization name app Application UUID or application name roleName The name of the role to be created
curl -X POST "https://api.usergrid.com/my-org/my-app/roles/ -d '{"name":"manager"}'
{ "action" : "post", "application" : "f34f4222-a166-11e2-a7f7-02e81adcf3d0", "params" : { }, "path" : "/roles", "uri" : "https://api.usergrid.com/your-org/your-app/roles", "entities" : [ { "uuid" : "382d0991-74bb-3548-8166-6b07e44495ef", "type" : "role", "name" : "manager", "created" : 1402612783104, "modified" : 1402612783104, "roleName" : "manager", "title" : "manager", "inactivity" : 0, "metadata" : { "path" : "/roles/382d0991-74bb-3548-8166-6b07e44495ef", "sets" : { "permissions" : "/roles/382d0991-74bb-3548-8166-6b07e44495ef/permissions" }, "collections" : { "groups" : "/roles/382d0991-74bb-3548-8166-6b07e44495ef/groups", "users" : "/roles/382d0991-74bb-3548-8166-6b07e44495ef/users" } } } ], "timestamp" : 1402612783102, "duration" : 30, "organization" : "your-org", "applicationName" : "your-app" }
Once you have created some roles, you will need to explicitly assign them to a user or group entity. The permissions associated with that role will be granted to the entity immediately for any requests they send that are authenticated by a valid access token. Please note that assigning a role to a group will grant the associated permissions to every user in that group.
The following shows how to assign a role to an entity.
curl -X POST https://api.usergrid.com/<org>/<app>/roles/<roleName>/<entityType>/<entityID>
Parameters
Parameter Description
org Organization UUID or organization name app Application UUID or application name roleName The name of the role to be created entityType The type of the entity the role is being assigned to. ‘Group’ and ‘user’ are valid values. entityID The UUID of the entity the role is being assigned to.
For groups, the ‘name’ property can be used. For users, the ‘username’ property can be used.
curl -X POST "https://api.usergrid.com/my-org/my-app/roles/manager/users/someUser
{ "action" : "post", "application" : "f34f4222-a166-11e2-a7f7-02e81adcf3d0", "params" : { }, "path" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users", "uri" : "https://api.usergrid.com/your-org/your-app/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users", "entities" : [ { "uuid" : "410b213a-b379-11e3-a0e5-9953085ea376", "type" : "user", "name" : "someUser", "created" : 1395681911491, "modified" : 1399070010291, "username" : "someUser", "activated" : true, "file" : "fobnszewobnioerabnoiawegbrn\n", "metadata" : { "connecting" : { "friends" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/connecting/friends", "likes" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/connecting/likes" }, "path" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376", "sets" : { "rolenames" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/roles", "permissions" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/permissions" }, "connections" : { "completed" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/completed", "follows" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/follows" }, "collections" : { "activities" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/activities", "devices" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/devices", "feed" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/feed", "groups" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/groups", "roles" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/roles", "following" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/following", "followers" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/followers" } } } ], "timestamp" : 1402965083889, "duration" : 41, "organization" : "your-org", "applicationName" : "your-app" }
The easiest way to assign roles to user or group entities is to use the ‘Users’ tab of the Usergrid admin portal, by doing the following:
At times it may be necessary to remove a role from a user or group entity, for example if a user changes jobs, or the duties of a group are altered. Please note that removing a role from a group will remove the associated permissions from every user in that group.
The following shows how to remove a role from an entity.
curl -X DELETE https://api.usergrid.com/<org>/<app>/roles/<roleName>/<entityType>/<entityID>
Parameters
Parameter Description
org Organization UUID or organization name app Application UUID or application name roleName The name of the role to be created entityType The type of the entity the role is being removed from. ‘Group’ and ‘user’ are valid values. entityID The UUID of the entity the role is being removed from.
For groups, the ‘name’ property can be used. For users, the ‘username’ property can be used.
curl -X DELETE https://api.usergrid.com/my-org/my-app/roles/manager/users/someUser
{ "action" : "delete", "application" : "f34f4222-a166-11e2-a7f7-02e81adcf3d0", "params" : { }, "path" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users", "uri" : "https://api.usergrid.com/your-org/your-app/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users", "entities" : [ { "uuid" : "410b213a-b379-11e3-a0e5-9953085ea376", "type" : "user", "name" : "someUser", "created" : 1395681911491, "modified" : 1399070010291, "username" : "someUser", "activated" : true, "metadata" : { "connecting" : { "friends" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/connecting/friends", "likes" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/connecting/likes" }, "path" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376", "sets" : { "rolenames" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/roles", "permissions" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/permissions" }, "connections" : { "completed" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/completed", "follows" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/follows" }, "collections" : { "activities" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/activities", "devices" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/devices", "feed" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/feed", "groups" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/groups", "roles" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/roles", "following" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/following", "followers" : "/roles/348388de-a5c5-3c1e-9de5-9efc8ad529d8/users/410b213a-b379-11e3-a0e5-9953085ea376/followers" } } } ], "timestamp" : 1403214283808, "duration" : 358, "organization" : "your-org", "applicationName" : "your-app" }
The easiest way to remove roles from user or group entities is to use the ‘Users’ tab of the Usergrid admin portal, by doing the following: