Manage roles programmatically
What are custom roles?
Custom roles allow the administrator to restrict access of users to certain resources. Roles follow a whitelisting approach, wherein everything that a user is allowed to do, needs to be explicitly defined.
Along with a name and description, a role contains, permissions and policies. Permissions are basic rules that define whether (or not) a user can access content types, settings, and entries. It can be specified if a user can read and/or manage those.
On the other hand, there are policies that are used to allow or deny access to resources in a very fine-grained fashion. For example, with policies it is possible to limit read access to only entries of a specific content type or write access to only certain parts of an entry (e.g. for a specific locale).
Create a role
Endpoint: [POST] /spaces/{{ spaceId }}/roles
Base URL: https://api.contentful.com
Description: This endpoint is used to create a custom role.
Response:
To enable all the permissions pertaining to a role, use the “all” keyword. It enables all possible values for the respective permission.
Instead of “all”, it is possible to define an array of allowed actions, thereby providing partial access to the system.
Accessible environments can also be set via policies. In order for them to take effect, the Environments permission must not be set to “all”. In cases where multiple roles are assigned to a user, this applies to each of the user’s roles. More details on this can be found under managing access to environments
Constraints
Constraints are fine-grained and content-focused access rules defined with the role’s policies. For example,
A constraint is made of a keyword and the values that keyword requires. Some keywords accept constraints as values, allowing nested constraints. Supported keywords are equals, and, or, not, in, all, range, paths. You can specify nested constraints for and, or, not. The paths constraint specifies which content paths can be modified and is only used for the update action. The list operators in, all only work for content paths that contain lists. The following table show usage of the supported constraints:
Important notes about roles and constraints
-
Whenever content is accessed or searched for, read policies must be satisfied. Policies with complex constraints could slow down access to content.
-
There are no
pathsconstraints for the create action so users that can create content can always create content with values for any path. -
If a content path is missing, the constraint will not be satisfied. If the constraint is nested, other constraints may still be satisfied. For instance, if one
orconstraint references a missing content path but the otherorconstraint is satisfied, then the entireorconstraint is satisfied.
Important notes about combining roles
-
Policies are global. Allow policies expand the set of possible actions a user can perform. Deny policies reduce that set. Each Allow policy has its set of actions reduced by every Deny policy. If the user is assigned multiple roles, the Deny policies from each role will reduce the Allow policy actions on all of the roles. This can lead to unexpected results depending on how the policies are constructed. If one role grants access to all actions with an Allow rule and denies access to half of those actions with a Deny rule, and another role grants access to all actions with an Allow rule and denies access to a different half of those actions with a Deny rule, then the combination of the two roles result in no access at all. Because the Deny rules are global and each denies a different half of all actions, they combine to deny everything. If instead one role had an Allow rule that granted access to half of all actions, and the other role granted access to a different half of all actions, then the combination of those two roles would lead to complete access.
-
Since policies are global, environment-related access is combined in a similar way: if a user has multiple roles, all Allow and Deny policies are applied to all selected environments across roles. For example: if role A restricts environment A to a set of content policies A, and role B restricts environment B to a set of content policies B, a user with both roles A and B has access to environments A and B, and both of these environments have the content policies A and B applied. More details on this can be found under assigning multiple environment access options to a single user.
-
Environment permissions override environment policies. For environment-related policies (aka selecting which environments a role has access to) to take effect, the Environments permission must not be set to “all”, as it overrides the respective environment-related policies. As a result of the permission being set to “true”, a user has CRUD access to all content in all environments, and all content-related policies are applied only in the master environment. More details on this can be found under managing access to environments.
Update a role
Endpoint: PUT /spaces/{{ spaceId }}/roles/{{ roleId }}
Base URL: https://api.contentful.com
Description: This endpoint is used to update an existing custom role. This endpoint can also be used to create a new role with a specific id.
When updating a role, you must also include the X-Contentful-Version header.
Response:
It is possible to apply the constraints while updating a role.
Delete a role
Endpoint: PUT /spaces/{{ spaceId }}/roles/{{ roleId }}
Base URL: https://api.contentful.com
Description: This endpoint is used to delete an existing custom role. It is not possible to delete a role, if the user corresponding to this role does not have any other assigned roles.
Response: The server responds with a http code ‘204’ in case of successful deletion of the role. If the user is assigned only with the role that is to deleted, the server responds with a http code ‘412’.