Overview
The Permissions API provides endpoints to create, manage, and assign permissions to roles. Permissions define fine-grained access control for specific actions and resources within the application.
Authentication
All Permissions endpoints require the Administrator role. You must include a valid JWT token in the Authorization header:
Base URL
Available Endpoints
Permission Management
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/Permissions | Get all permissions |
| GET | /api/Permissions/{permissionId} | Get a specific permission by ID |
| POST | /api/Permissions | Create a new permission |
| PUT | /api/Permissions/{permissionId} | Update an existing permission |
| DELETE | /api/Permissions/{permissionId} | Delete a permission |
Permission Assignment
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/Permissions/role/{roleId} | Get all permissions for a role |
| POST | /api/Permissions/assign | Assign a permission to a role |
| POST | /api/Permissions/remove | Remove a permission from a role |
Permission Entity Structure
Permissions in the system have the following structure:
- Unique identifier for the permission
- Unique name of the permission (e.g., "users.create", "reports.view")
- Human-readable description of what the permission allows
- Module or feature area this permission belongs to (e.g., "Users", "Reports", "Settings")
- Whether the permission is currently active and can be used
- ISO 8601 timestamp when the permission was created
Permission Naming Convention
Permissions follow a hierarchical naming convention:
- users.create - Create users
- users.read - View users
- users.update - Update users
- users.delete - Delete users
- reports.view - View reports
- reports.export - Export reports
- settings.manage - Manage system settings
Example Response
Role-Permission Relationship
Permissions are assigned to roles through the RolePermission entity:
- ID of the role
- ID of the permission
- ISO 8601 timestamp when the permission was assigned to the role
- User ID of the administrator who assigned the permission
Filtering Permissions
The GET /api/Permissions endpoint supports filtering:
When set to true, returns only active permissions.
Permission Modules
Permissions are organized into modules for better management:
- Users - User management permissions
- Roles - Role management permissions
- Permissions - Permission management permissions
- Reports - Reporting and analytics permissions
- Settings - System configuration permissions
- Documents - Document management permissions
- Audit - Audit log access permissions
Error Responses
All endpoints may return the following error responses:
- 400 Bad Request - Invalid request parameters
- 401 Unauthorized - Missing or invalid authentication token
- 403 Forbidden - User does not have Administrator role
- 404 Not Found - Permission not found
- 409 Conflict - Permission name already exists (for create)
- 500 Internal Server Error - Server error
Best Practices
Principle of Least Privilege
Only assign permissions that are necessary for a role’s function. Start with minimal permissions and add more as needed.
Use Descriptive Names
Permission names should clearly describe what they allow. Use the module.action convention for consistency.
Group Related Permissions
Document Permission Purpose
Always provide clear descriptions for permissions so administrators understand what they control.
Regular Permission Audits
Periodically review role-permission assignments to ensure they’re still appropriate and remove unnecessary access.
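The following is an added example, not part of this API's own code or client library: it enforces the module.action naming convention from the Permission Naming Convention section against the module list above, and performs the periodic least-privilege review described here by diffing a role's assigned permission names against a documented baseline. The role names, permission lists and baseline are constructed sample data; how you obtain the assigned list (for instance from GET /api/Permissions/role/{roleId}) is left to your client.

```python
from __future__ import annotations

import re
from typing import Iterable

# Modules listed in this page's "Permission Modules" section, lowercased
# because permission names use the lowercase module.action form.
KNOWN_MODULES = {"users", "roles", "permissions", "reports", "settings", "documents", "audit"}

# module.action: two lowercase segments separated by exactly one dot.
PERMISSION_NAME_RE = re.compile(r"^(?P<module>[a-z]+)\.(?P<action>[a-z]+)$")


def validate_permission_name(name: str) -> tuple[bool, str]:
    """Check a proposed permission name against the module.action convention.

    Returns (ok, reason). Rejecting bad names before calling
    POST /api/Permissions keeps the catalogue consistent and auditable.
    """
    m = PERMISSION_NAME_RE.match(name)
    if not m:
        return False, f"{name!r} is not of the form module.action"
    if m.group("module") not in KNOWN_MODULES:
        return False, f"{name!r} uses unknown module {m.group('module')!r}"
    return True, "ok"


def audit_role(role_name: str, assigned: Iterable[str], baseline: Iterable[str]) -> dict:
    """Compare a role's assigned permission names with its documented baseline.

    'excess' is what least privilege says to remove (POST /api/Permissions/remove),
    'missing' is what the role needs but lacks (POST /api/Permissions/assign),
    'malformed' flags assigned names that break the naming convention.
    """
    assigned, baseline = set(assigned), set(baseline)
    malformed = sorted(n for n in assigned if not validate_permission_name(n)[0])
    return {
        "role": role_name,
        "excess": sorted(assigned - baseline),
        "missing": sorted(baseline - assigned),
        "malformed": malformed,
    }


if __name__ == "__main__":
    # Constructed sample (hypothetical role and permissions, not from the page).
    assigned = ["reports.view", "reports.export", "users.delete", "Reports.View"]
    baseline = ["reports.view", "reports.export"]
    print(audit_role("ReportViewer", assigned, baseline))
```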
Next Steps
Manage Permissions
Create, update, and delete permissions
Assign to Roles
Assign permissions to roles