Permissions
Manage atomic permissions defined as resource:action pairs. Permissions are the finest-grained access control unit and are attached to roles.
Admin Endpoints
List Permissions (Admin)
Lists permissions from the primary database with optional resource filtering.
Endpoint: GET /uflow/admin/permissions
Headers
| Header | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | Bearer JWT token |
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| resource | string | No | Filter by resource name |
Response
Success (200):
[
{
"resource": "string",
"action": "string",
"description": "string",
"full_permission_string": "string",
"role_names": ["string"]
}
]
Response Fields
| Field | Type | Description |
|---|---|---|
| resource | string | Resource name (e.g., users, billing) |
| action | string | Action name (e.g., read, write, delete) |
| description | string | Human-readable description |
| full_permission_string | string | Combined resource:action string |
| role_names | array | Roles that include this permission |
Error Responses:
400 - Bad Request
401 - Unauthorized
500 - Internal Server Error
Register Atomic Permission (Admin)
Inserts a new permission into the primary database. Fails if the resource:action pair already exists.
Endpoint: POST /uflow/admin/permissions
Request Body
{
"resource": "string",
"action": "string",
"description": "string"
}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| resource | string | Yes | Resource name |
| action | string | Yes | Action name |
| description | string | No | Permission description |
Response
Success (200):
{
"id": "string",
"resource": "string",
"action": "string",
"description": "string"
}
Error Responses:
400 - Bad Request (duplicate resource:action pair)
500 - Internal Server Error
Delete Permission by ID (Admin)
Deletes a permission from the primary database by its ID.
Endpoint: DELETE /uflow/admin/permissions/{id}
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Permission ID |
Response
Success (200):
{
"message": "string"
}
Error Responses:
400 - Bad Request
401 - Unauthorized
404 - Permission not found
500 - Internal Server Error
Delete Permission by Body (Admin)
Deletes a permission from the primary database, identified by the resource and action supplied in the request body.
Endpoint: DELETE /uflow/admin/permissions
Request Body
{
"resource": "string",
"action": "string"
}
Response
Success (200):
{
"message": "string"
}
Error Responses:
400 - Bad Request
404 - Permission not found
500 - Internal Server Error
List Resources (Admin)
Returns unique resource names from the permissions table.
Endpoint: GET /uflow/admin/permissions/resources
Response
Success (200):
{
"resources": ["string"]
}
Error Responses:
401 - Unauthorized
500 - Internal Server Error
End-User Endpoints
Get My Permissions (End User)
Returns all permissions assigned to the authenticated user from the tenant database.
Endpoint: GET /uflow/user/permissions
Headers
| Header | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | Bearer JWT token |
Response
Success (200):
[
{
"id": "string",
"resource": "string",
"action": "string",
"description": "string",
"created_at": "string"
}
]
Error Responses:
401 - Unauthorized
500 - Internal Server Error
Check Permission (End User)
Checks whether the authenticated user has a specific permission in the tenant database.
Endpoint: GET /uflow/user/permissions/check
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| resource | string | Yes | Resource name |
| scope | string | Yes | Scope name |
Response
Success (200):
{
"allowed": true,
"resource": "string",
"scope": "string"
}
Error Responses:
400 - Bad Request
401 - Unauthorized
500 - Internal Server Error
Get My Effective Permissions (End User)
Returns all effective permissions for the authenticated user, computed from all of the user's role bindings.
Endpoint: GET /uflow/user/permissions/effective
Response
Success (200):
{
"permissions": [
{
"resource": "string",
"action": "string",
"scope_type": "string",
"scope_id": "string"
}
]
}
Error Responses:
401 - Unauthorized
500 - Internal Server Error
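The two shapes this page documents, the resource:action pair behind full_permission_string and the scoped entries returned by GET /uflow/user/permissions/effective, are easy to misread on the client side. The following added example (not code from the uflow project) parses a full_permission_string, builds a correctly authenticated request without sending it, and evaluates a resource:action check against a constructed effective-permissions response; the scope-matching rule and the base URL are assumptions, not something the page specifies.

```python
import json
import urllib.request
from typing import Optional, Tuple

BASE_URL = "https://uflow.example.invalid"  # assumed placeholder, not a real host


def parse_permission(full: str) -> Tuple[str, str]:
    """Split a full_permission_string such as "users:read" into (resource, action)."""
    resource, sep, action = full.partition(":")
    if not sep or not resource or not action:
        raise ValueError(f"malformed permission string: {full!r}")
    return resource, action


def build_request(method: str, path: str, token: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Build (but do not send) a request carrying the Bearer JWT header the endpoints require."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def has_effective_permission(effective: dict, resource: str, action: str,
                             scope_type: Optional[str] = None,
                             scope_id: Optional[str] = None) -> bool:
    """Deny-by-default check over a GET /uflow/user/permissions/effective response.

    Assumed rule: an entry matches when resource and action are equal and, for each
    scope field the caller supplies, the entry's scope field is equal; None means "any".
    """
    for entry in effective.get("permissions", []):
        if entry.get("resource") != resource or entry.get("action") != action:
            continue
        if scope_type is not None and entry.get("scope_type") != scope_type:
            continue
        if scope_id is not None and entry.get("scope_id") != scope_id:
            continue
        return True
    return False


# Constructed sample in the documented shape of the effective-permissions response.
SAMPLE_EFFECTIVE = {
    "permissions": [
        {"resource": "users", "action": "read", "scope_type": "tenant", "scope_id": "t-1"},
        {"resource": "billing", "action": "write", "scope_type": "project", "scope_id": "p-42"},
    ]
}
```

Treat the local evaluation as a cache for UI decisions only; the server-side check (GET /uflow/user/permissions/check) remains the authority.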
List Permissions (End User)
Lists permissions from the tenant database with optional resource filtering.
Endpoint: GET /uflow/user/rbac/permissions
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| resource | string | No | Filter by resource |
Response
Success (200):
[
{
"resource": "string",
"action": "string",
"description": "string",
"full_permission_string": "string",
"role_names": ["string"]
}
]
Error Responses:
400 - Bad Request
401 - Unauthorized
500 - Internal Server Error
Register Atomic Permission (End User)
Inserts a new permission into the tenant database. Fails if the resource:action pair already exists.
Endpoint: POST /uflow/user/rbac/permissions
Request Body
{
"resource": "string",
"action": "string",
"description": "string"
}
Response
Success (200):
{
"id": "string",
"resource": "string",
"action": "string",
"description": "string"
}
Error Responses:
400 - Bad Request
401 - Unauthorized
500 - Internal Server Error
Delete Permission by Body (End User)
Deletes a permission from the tenant database, identified by the resource and action supplied in the request body.
Endpoint: DELETE /uflow/user/rbac/permissions
Request Body
{
"resource": "string",
"action": "string"
}
Response
Success (200):
{
"message": "string"
}
Error Responses:
400 - Bad Request
401 - Unauthorized
500 - Internal Server Error
Delete Permission by ID (End User)
Deletes a permission from the tenant database by its ID.
Endpoint: DELETE /uflow/user/rbac/permissions/{id}
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Permission ID |
Response
Success (200):
{
"message": "string"
}
Error Responses:
400 - Bad Request
401 - Unauthorized
404 - Permission not found
500 - Internal Server Error
List Resources (End User)
Returns unique resource names from the tenant permissions table.
Endpoint: GET /uflow/user/rbac/permissions/resources
Response
Success (200):
{
"resources": ["string"]
}
Error Responses:
401 - Unauthorized
500 - Internal Server Error