/api/configs/role

Roles config is used to configure user roles and permissions for access control.

Role

| Field | Type | Description | Default Values |
|---|---|---|---|
| name | String | Name of the role. | Required field |
| description | String | Quick explanation of the purpose of the role. | Required field |
| immutable | Boolean | If true, the role cannot be modified. This cannot be set for any role besides the admin role. | False |
| policies | List[Policy] | List of policies which define the actions, resources, and effect for the role. | [] |

Policy

A policy defines which actions a role can or cannot perform, optionally scoped to specific resources.

| Field | Type | Description | Default Values |
|---|---|---|---|
| effect | String | Whether the policy allows or denies access. Must be "Allow" or "Deny". Deny takes precedence over Allow. | "Allow" |
| actions | List[String] | List of semantic action strings (e.g., "workflow:Create", "pool:List"). See Actions and Resources Reference for all available actions. | Required field |
| resources | List[String] | List of resource patterns this policy applies to (e.g., ["*"], ["pool/my-pool"], ["bucket/my-data"]). Supports wildcards. If omitted, the policy only matches globally-scoped actions. Set to ["*"] to match all resources. | [] |

Action

An action is a string in the format <resource_type>:<action_name>.

| Component | Description |
|---|---|
| resource_type | The type of resource (e.g., workflow, pool, dataset, config). See Actions and Resources Reference. |
| action_name | The operation to perform (e.g., Create, Read, List, Update, Delete). |

Wildcards are supported:

  • *:* – matches all actions on all resources

  • workflow:* – matches all workflow actions

  • *:Read – matches all Read actions across all resource types

See Actions and Resources Reference for the full list of actions and resource scoping rules.
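
To check how a role's policies combine before deploying it, the following added example (not the project's own code) evaluates a constructed role against the rules described above: Deny precedence, component-wise action wildcards, and the effect of omitting resources. It assumes that resource wildcards behave like shell globs, that a globally-scoped request is passed as resource=None and matched on action alone, and that a request matching no policy is refused; the role contents and function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed role; field names and defaults follow the Role and Policy tables.
SAMPLE_ROLE = {
    "name": "pool-operator",
    "description": "Operate one pool and read everything else.",
    "policies": [
        {"effect": "Allow", "actions": ["*:Read"], "resources": ["*"]},
        {"effect": "Allow", "actions": ["pool:*"], "resources": ["pool/my-pool"]},
        {"effect": "Deny", "actions": ["pool:Delete"], "resources": ["*"]},
        {"actions": ["workflow:Create"]},  # effect -> "Allow", resources -> []
    ],
}

def action_matches(pattern, action):
    """Match <resource_type>:<action_name>; '*' stands for a whole component."""
    p_type, p_name = pattern.split(":", 1)
    a_type, a_name = action.split(":", 1)
    return p_type in ("*", a_type) and p_name in ("*", a_name)

def policy_matches(policy, action, resource):
    if not any(action_matches(p, action) for p in policy["actions"]):
        return False
    if resource is None:
        # Assumption: a globally-scoped request is matched on action alone.
        return True
    # Assumption: resource wildcards behave like shell globs. An omitted or
    # empty list never matches a resource-scoped request.
    return any(fnmatchcase(resource, pat) for pat in policy.get("resources", []))

def is_allowed(role, action, resource=None):
    """Return True only if some Allow matches and no Deny matches."""
    allowed = False
    for policy in role.get("policies", []):
        effect = policy.get("effect", "Allow")
        if effect not in ("Allow", "Deny"):
            raise ValueError(f"effect must be 'Allow' or 'Deny', got {effect!r}")
        if not policy_matches(policy, action, resource):
            continue
        if effect == "Deny":
            return False  # Deny takes precedence over Allow
        allowed = True
    return allowed  # Assumption: no matching policy means no access
```

Running candidate requests through a check like this makes it easy to spot a policy that was meant to be resource-scoped but was written without resources, as in the last policy of the sample role.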