Roles & Bindings

Manage roles and role bindings for RBAC. Roles group permissions together, and role bindings assign roles to users with optional scope.

Admin Endpoints

List Roles (Admin)

Returns a summary of each role (id, name, description, permissions_count, users_assigned). Optional filters: resource, role_id, user_id.

Endpoint: GET /uflow/admin/roles

Headers

Header | Type | Required | Description
Authorization | string | Yes | Bearer JWT token

Response

Success (200):

[
  {
    "id": "string",
    "name": "string",
    "description": "string",
    "permissions_count": 0,
    "users_assigned": 0
  }
]

Error Responses:

  • 401 - Unauthorized
  • 500 - Internal Server Error

Create Role (Admin)

Create a new role in the primary admin database.

Endpoint: POST /uflow/admin/roles

Headers

Header | Type | Required | Description
Authorization | string | Yes | Bearer JWT token

Request Body

{
  "name": "string",
  "description": "string",
  "permissions_count": 0
}

Parameters

Parameter | Type | Required | Description
name | string | Yes | Role name
description | string | No | Role description

Response

Success (200):

{
  "id": "string",
  "name": "string",
  "description": "string"
}

Error Responses:

  • 400 - Bad Request - invalid input
  • 401 - Unauthorized
  • 500 - Internal Server Error

Update Role (Admin)

Update an existing role's name or description.

Endpoint: PUT /uflow/admin/roles/{role_id}

Path Parameters

Parameter | Type | Required | Description
role_id | string | Yes | Role ID

Request Body

{
  "name": "string",
  "description": "string"
}

Response

Success (200):

{
  "id": "string",
  "name": "string",
  "description": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 404 - Role not found
  • 500 - Internal Server Error

Delete Role (Admin)

Delete a role from the primary admin database.

Endpoint: DELETE /uflow/admin/roles/{role_id}

Path Parameters

Parameter | Type | Required | Description
role_id | string | Yes | Role ID

Response

Success (200):

{
  "message": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 404 - Role not found
  • 500 - Internal Server Error

List Role Bindings (Admin)

Returns all role bindings with user/role details. Optional filters: user_id, role_id, scope_type.

Endpoint: GET /uflow/admin/bindings

Query Parameters

Parameter | Type | Required | Description
user_id | string | No | Filter by user ID
role_id | string | No | Filter by role ID
scope_type | string | No | Filter by scope type

Response

Success (200):

[
  {
    "id": "string",
    "user_id": "string",
    "role_id": "string",
    "role_name": "string",
    "scope_type": "string",
    "scope_id": "string",
    "conditions": {}
  }
]

Error Responses:

  • 401 - Unauthorized
  • 500 - Internal Server Error

Assign Role (Admin)

Create a role binding to assign a role to a user. Scope can be tenant-wide (null) or resource-scoped (type/id).

Endpoint: POST /uflow/admin/bindings

Request Body

{
  "user_id": "string",
  "role_id": "string",
  "scope_type": "string",
  "scope_id": "string",
  "conditions": {}
}

Response

Success (200):

{
  "id": "string",
  "user_id": "string",
  "role_id": "string",
  "scope_type": "string",
  "scope_id": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 500 - Internal Server Error
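
The following is an added example, not part of the API's own documentation: a least-privilege review over the JSON array returned by GET /uflow/admin/bindings (the end-user listing at /uflow/user/rbac/bindings has the same shape). It assumes that "tenant-wide (null)" means both scope_type and scope_id are null; the sample bindings, role names and the "mfa" condition key are constructed.

```python
import json

# Constructed sample shaped like the GET /uflow/admin/bindings response.
# IDs, role names and the "mfa" condition key are made up for illustration.
SAMPLE_BINDINGS = json.loads("""[
 {"id":"b1","user_id":"u1","role_id":"r-admin","role_name":"admin",
  "scope_type":null,"scope_id":null,"conditions":{}},
 {"id":"b2","user_id":"u2","role_id":"r-view","role_name":"viewer",
  "scope_type":"project","scope_id":"p1","conditions":{}},
 {"id":"b3","user_id":"u3","role_id":"r-admin","role_name":"admin",
  "scope_type":"project","scope_id":null,"conditions":{}},
 {"id":"b4","user_id":"u2","role_id":"r-view","role_name":"viewer",
  "scope_type":"project","scope_id":"p1","conditions":{}},
 {"id":"b5","user_id":"u4","role_id":"r-admin","role_name":"admin",
  "scope_type":null,"scope_id":null,"conditions":{"mfa":true}}
]""")


def is_tenant_wide(binding):
    # Assumption: "tenant-wide (null)" means scope_type and scope_id are both null.
    return not binding.get("scope_type") and not binding.get("scope_id")


def audit_bindings(bindings, sensitive_roles):
    """Return (binding_id, finding) pairs for bindings worth a manual review."""
    findings, seen = [], set()
    for b in bindings:
        scope_type, scope_id = b.get("scope_type"), b.get("scope_id")
        key = (b["user_id"], b["role_id"], scope_type, scope_id)
        if key in seen:
            # Same user, role and scope bound twice: revoking one record
            # would leave the other in place.
            findings.append((b["id"], "duplicate"))
        seen.add(key)
        if bool(scope_type) != bool(scope_id):
            # Only one half of the scope is set, so the intended scope is ambiguous.
            findings.append((b["id"], "half-scoped"))
        elif (is_tenant_wide(b) and b.get("role_name") in sensitive_roles
              and not b.get("conditions")):
            # Sensitive role, whole tenant, no conditions narrowing it.
            findings.append((b["id"], "tenant-wide-unconditioned"))
    return findings


if __name__ == "__main__":
    for binding_id, finding in audit_bindings(SAMPLE_BINDINGS, {"admin"}):
        print(binding_id, finding)
```

Which role names count as sensitive is the caller's decision; pass them in as the second argument.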

End-User Endpoints

List Roles (End User)

Returns a summary of each role from the tenant database.

Endpoint: GET /uflow/user/rbac/roles

Headers

Header | Type | Required | Description
Authorization | string | Yes | Bearer JWT token

Response

Success (200):

[
  {
    "id": "string",
    "name": "string",
    "description": "string",
    "permissions_count": 0,
    "users_assigned": 0
  }
]

Error Responses:

  • 401 - Unauthorized
  • 500 - Internal Server Error

Create Role (End User)

Create a new role in the tenant database.

Endpoint: POST /uflow/user/rbac/roles

Request Body

{
  "name": "string",
  "description": "string"
}

Response

Success (200):

{
  "id": "string",
  "name": "string",
  "description": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 500 - Internal Server Error

Update Role (End User)

Update an existing role in the tenant database.

Endpoint: PUT /uflow/user/rbac/roles/{role_id}

Path Parameters

Parameter | Type | Required | Description
role_id | string | Yes | Role ID

Request Body

{
  "name": "string",
  "description": "string"
}

Response

Success (200):

{
  "id": "string",
  "name": "string",
  "description": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 404 - Role not found
  • 500 - Internal Server Error

Delete Role (End User)

Delete a role from the tenant database.

Endpoint: DELETE /uflow/user/rbac/roles/{role_id}

Path Parameters

Parameter | Type | Required | Description
role_id | string | Yes | Role ID

Response

Success (200):

{
  "message": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 404 - Role not found
  • 500 - Internal Server Error

List Role Bindings (End User)

Returns all role bindings from the tenant database. Optional filters: user_id, role_id, scope_type.

Endpoint: GET /uflow/user/rbac/bindings

Query Parameters

Parameter | Type | Required | Description
user_id | string | No | Filter by user ID
role_id | string | No | Filter by role ID
scope_type | string | No | Filter by scope type

Response

Success (200):

[
  {
    "id": "string",
    "user_id": "string",
    "role_id": "string",
    "role_name": "string",
    "scope_type": "string",
    "scope_id": "string",
    "conditions": {}
  }
]

Error Responses:

  • 401 - Unauthorized
  • 500 - Internal Server Error

Assign Role (End User)

Create a role binding in the tenant database. Scope can be tenant-wide (null) or scoped (type/id). The conditions JSON is stored on the binding.

Endpoint: POST /uflow/user/rbac/bindings

Request Body

{
  "user_id": "string",
  "role_id": "string",
  "scope_type": "string",
  "scope_id": "string",
  "conditions": {}
}

Response

Success (200):

{
  "id": "string",
  "user_id": "string",
  "role_id": "string"
}

Error Responses:

  • 400 - Bad Request
  • 401 - Unauthorized
  • 500 - Internal Server Error