{ "openapi": "3.0.4", "info": { "title": "Permissions-access-control-API", "description": "External API for managing role assignments in the Relativity Permissions service.\r\n\r\nThis API allows you to:\r\n- **List** current role assignments on a fileshare or instance (tenant) node.\r\n- **Assign** roles to groups on a fileshare or instance node.\r\n- **Revoke** roles from groups on a fileshare or instance node.\r\n\r\n**Authentication**: End user bearer tokens only.\r\n\r\n**Authorization**: The authenticated user must hold the `secure` permission on the target node and have view access to referenced groups.\r\n\r\n**Role keys** follow the `r1_{product}_{role_name}` convention (e.g. `r1_staging_viewer`).", "version": "v1.0" }, "servers": [ { "url": "/Relativity.REST/api", "description": "The URL prefix" } ], "paths": { "/access-control/public/v1/role-assignments/{nodeType}/{nodeKey}": { "get": { "tags": [ "Permissions Access Control" ], "summary": "List role assignments on a node.", "parameters": [ { "name": "nodeType", "in": "path", "description": "The type of the node. Only 'fileshare' is supported.", "required": true, "schema": { "type": "string" } }, { "name": "nodeKey", "in": "path", "description": "The key of the node.", "required": true, "schema": { "type": "string" } } ], "responses": { "200": { "description": "OK", "content": { "text/plain": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/RoleAssignment" } } }, "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/RoleAssignment" } } }, "text/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/RoleAssignment" } } } } }, "400": { "description": "Bad Request" }, "401": { "description": "Unauthorized" }, "403": { "description": "Forbidden" }, "500": { "description": "Internal Server Error" } } }, "post": { "tags": [ "Permissions Access Control" ], "summary": "Batch assign and/or revoke roles on a node.", "parameters": [ { "name": "nodeType", "in": "path", "description": "The type of the node. Only 'fileshare' is supported.", "required": true, "schema": { "type": "string" } }, { "name": "nodeKey", "in": "path", "description": "The key of the node.", "required": true, "schema": { "type": "string" } } ], "requestBody": { "description": "The role assignment/revocation request.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ExternalBulkRoleAssignmentRequest" } }, "text/json": { "schema": { "$ref": "#/components/schemas/ExternalBulkRoleAssignmentRequest" } }, "application/*+json": { "schema": { "$ref": "#/components/schemas/ExternalBulkRoleAssignmentRequest" } } } }, "responses": { "200": { "description": "OK" }, "400": { "description": "Bad Request" }, "401": { "description": "Unauthorized" }, "403": { "description": "Forbidden" }, "500": { "description": "Internal Server Error" } } } }, "/access-control/public/v1/role-assignments/instance": { "get": { "tags": [ "Permissions Access Control" ], "summary": "List role assignments on the instance (tenant) node.", "responses": { "200": { "description": "OK", "content": { "text/plain": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/RoleAssignment" } } }, "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/RoleAssignment" } } }, "text/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/RoleAssignment" } } } } }, "400": { "description": "Bad Request" }, "401": { "description": "Unauthorized" }, "403": { "description": "Forbidden" }, "500": { "description": "Internal Server Error" } } }, "post": { "tags": [ "Permissions Access Control" ], "summary": "Batch assign and/or revoke roles on the instance (tenant) node.", "requestBody": { "description": "The role assignment/revocation request.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ExternalBulkRoleAssignmentRequest" } }, "text/json": { "schema": { "$ref": "#/components/schemas/ExternalBulkRoleAssignmentRequest" } }, "application/*+json": { "schema": { "$ref": "#/components/schemas/ExternalBulkRoleAssignmentRequest" } } } }, "responses": { "200": { "description": "OK" }, "400": { "description": "Bad Request" }, "401": { "description": "Unauthorized" }, "403": { "description": "Forbidden" }, "500": { "description": "Internal Server Error" } } } } }, "components": { "schemas": { "ExternalBulkRoleAssignmentRequest": { "type": "object", "properties": { "assign": { "type": "array", "items": { "$ref": "#/components/schemas/ExternalRoleAssignmentPair" }, "description": "Role assignments to apply. Role keys must use the r1_ prefix.", "nullable": true }, "revoke": { "type": "array", "items": { "$ref": "#/components/schemas/ExternalRoleAssignmentPair" }, "description": "Role assignments to revoke. Role keys must use the r1_ prefix.", "nullable": true } }, "additionalProperties": false, "description": "Request to batch assign and/or revoke roles via the external API.\r\nRole keys must use the r1_ prefix (e.g. r1_staging_viewer)." }, "ExternalRoleAssignmentPair": { "required": [ "groupId", "roleKey" ], "type": "object", "properties": { "roleKey": { "minLength": 1, "type": "string", "description": "The role key with r1_ prefix (e.g. r1_staging_viewer)." }, "groupId": { "minLength": 1, "type": "string", "description": "The group identifier." } }, "additionalProperties": false, "description": "A role and group pair used in external bulk operations." }, "RoleAssignment": { "required": [ "groupId", "roleKey" ], "type": "object", "properties": { "roleKey": { "minLength": 1, "type": "string", "description": "The role key with r1_ prefix (e.g. r1_staging_viewer)." }, "groupId": { "minLength": 1, "type": "string", "description": "The group identifier." } }, "additionalProperties": false, "description": "A single role assignment entry in the external API." } }, "securitySchemes": { "OAuth": { "type": "http", "description": "Standard Authorization header using the OAuth scheme. Paste in token without Bearer prefix.", "scheme": "bearer", "bearerFormat": "JWT" } } }, "security": [ { "OAuth": [ ] } ], "tags": [ { "name": "Permissions Access Control", "description": "External public API for managing role assignments.\r\nRole keys must use the r1_ prefix (e.g. r1_staging_viewer).\r\nEnd user token is required" } ] }