Breaking API Changes (RBAC)

Latest API Documentation

The central theme of this release is the full migration from the old tenant-relationship authorization model to the new RBAC system with granular user-role-assignments.

1. Removed Endpoints (UsersController)

| Removed Route | Old Action | Replacement |
| --- | --- | --- |
| POST /api/v1/users/create-from-person | CreateFromPerson | POST /api/v1/users/bulk-create |
| POST /api/v1/users/grant-access | GrantAccessRbac | New UserRoleAssignmentsController |
| POST /api/v1/users/add-roles | BulkAssignRolesToPeople | New UserRoleAssignmentsController |
| POST /api/v1/users/remove-roles | BulkRemoveRolesFromPeople | New UserRoleAssignmentsController |

POST /api/v1/users/bulk-create (replaces create-from-person)

Old request body (CreateUserFromPersonRequest):
{
  "personId": int,
  "hasManagementAccess": bool
}

New request body (CreateUserFromPersonRequest):
{
  "personIds": [int],        // min 1 required
  "expirationTime": string
}
  • Single PersonId → List<int> PersonIds
  • HasManagementAccess removed, ExpirationTime added
  • Return type changed from GetUserResponse to CreateUsersFromPersonIdsResponse

PUT /api/v1/users/{userId} (UpdateUserPayload changed)

Old: { id, isAdmin, tenantId, canManageCrossTenantDeployments, hasManagementAccess }
New: { id, isAdmin, tenantId, canManageCrossTenantDeployments }

HasManagementAccess removed.

GrantAccessRequest simplified

Old: { isAdmin, hasManagementAccess, expirationTime }
New: { expirationTime }
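
The payload changes above, worked through as an added example (not code from the product or its SDK): it folds old create-from-person bodies into one bulk-create body and reports every place a removed flag was silently dropped, so that lost access is handled explicitly. The expirationTime value format and the sample data are assumptions.

```python
# Added example: field names come from the page; the expirationTime value
# format and the sample data are assumptions.
REMOVED_FIELDS = {
    "UpdateUserPayload": {"hasManagementAccess"},
    "GrantAccessRequest": {"isAdmin", "hasManagementAccess"},
}

def migrate_create_requests(old_bodies, expiration_time):
    """Fold old create-from-person bodies into one bulk-create body.

    Returns (new_body, flagged), where flagged lists the personIds whose old
    request set hasManagementAccess=true. The new body has no such flag, so
    that access has to be granted another way (the page points to the new
    UserRoleAssignmentsController).
    """
    person_ids, flagged = [], []
    for body in old_bodies:
        pid = body["personId"]
        if isinstance(pid, bool) or not isinstance(pid, int):
            raise ValueError(f"personId must be an int, got {pid!r}")
        if pid not in person_ids:
            person_ids.append(pid)
        if body.get("hasManagementAccess") is True and pid not in flagged:
            flagged.append(pid)
    if not person_ids:  # the new body requires at least one id
        raise ValueError("bulk-create needs at least one personId")
    return {"personIds": person_ids, "expirationTime": expiration_time}, flagged

def strip_removed_fields(payload_type, payload):
    """Return (clean_payload, dropped_field_names) for a changed payload."""
    removed = REMOVED_FIELDS[payload_type]
    dropped = sorted(k for k in payload if k in removed)
    return {k: v for k, v in payload.items() if k not in removed}, dropped

# Constructed sample input (not real data).
SAMPLE_OLD_BODIES = [
    {"personId": 101, "hasManagementAccess": True},
    {"personId": 102, "hasManagementAccess": False},
    {"personId": 101, "hasManagementAccess": True},  # duplicate submission
]

if __name__ == "__main__":
    body, flagged = migrate_create_requests(SAMPLE_OLD_BODIES, "2030-01-01T00:00:00Z")
    print(body, "needs role assignment:", flagged)
    print(strip_removed_fields("GrantAccessRequest", {
        "isAdmin": True, "hasManagementAccess": True,
        "expirationTime": "2030-01-01T00:00:00Z"}))
```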

2. GetUserResponse Changes

Removed properties

  • bool HasManagementAccess
  • List<string> Roles

Added properties

  • int GroupCount
  • List<string> Groups
  • int DirectRoleCount

3. GetAuthDetailsResponse Changes

Removed from DTO

  • bool HasManagementAccess

No longer populated by controller (properties still exist on DTO but always default)

  • IsAdmin
  • IsSupportTechnician
  • CanManageCrossTenantDeployments
  • IsImmense

Behavior changes

  • BackendRegAppId: was only set for MSP admins, now unconditionally set
  • OpenAccessRequestCount: was gated on isMspAdmin, now gated on IUsersManageAccessRequestsPermission

New auth endpoints

  • GET /api/v1/auth/me/permissions/{permissionType}/tenants
  • GET /api/v1/me/permissions

4. Tenant Relationships → Authorized Viewers

Applies to all resource models: Software, Scripts, Maintenance Tasks, Media, and Tags.

Removed from all resource models

  • ICollection<TenantXxx> TenantRelationships
  • bool Owned

Added to all resource models

  • ICollection<XxxViewer> AuthorizedViewers
  • bool VisibleToAllTenants
  • int TenantId (owner tenant)
  • Tenant? OwnerTenant

New /authorization sub-endpoints

These replace per-entity tenant relationship management.

| Controller | GET | POST |
| --- | --- | --- |
| Scripts | /api/v1/scripts/local/{id}/authorization | /api/v1/scripts/local/{id}/authorization |
| Software | /api/v1/software/local/{id}/authorization | /api/v1/software/local/{id}/authorization |
| MaintenanceTasks | /api/v1/maintenance-tasks/{id}/authorization | /api/v1/maintenance-tasks/{id}/authorization |
| Media | /api/v1/media/local/{id}/authorization | /api/v1/media/local/{id}/authorization |
| Tags | /api/v1/tags/{id}/authorization | /api/v1/tags/{id}/authorization |

5. ScriptType → DatabaseType

On IScriptDetailsBase and all implementing DTOs, the property ScriptType was renamed to DatabaseType.

6. Permission Type Renames

Roles permissions

| Old | New |
| --- | --- |
| IRbacSubject | IRolesSubject |
| IRbacSubjectPermission | IRolesSubjectPermission |
| IRbacViewPermission | IRolesViewPermission |
| IRbacManagePermission | IRolesManagePermission |

New permission added: IRolesManageApplicationLevelPermissionsPermission

ChangeRequests permissions (split from one into three)

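| Old | New |
| --- | --- |
| IChangeRequestManagePermission | IDeploymentsManageChangeRequestsPermission |
| IChangeRequestManagePermission | IDeploymentsViewChangeRequestsPermission |
| IChangeRequestManagePermission | IDeploymentsApproveChangeRequestsPermission |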

ChangeRequestsController endpoint permission mapping

| Endpoints | Old Permission | New Permission |
| --- | --- | --- |
| DELETE /api/v1/change-requests/{id} | IChangeRequestManagePermission | IDeploymentsManageChangeRequestsPermission |
| POST .../approve, .../deny, .../require-changes | IChangeRequestManagePermission | IDeploymentsApproveChangeRequestsPermission |
| POST .../comment, GET .../dx, GET .../open-count | IChangeRequestManagePermission | IDeploymentsViewChangeRequestsPermission |
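
Because one permission became three, an account that used to hold IChangeRequestManagePermission no longer needs all of its old reach. The added example below (not product code) derives the smallest set of new permissions from the calls an account actually makes, using the mapping above. The call log and its full paths are constructed, since the page elides the middle of most routes.

```python
# Added example: permission names and routes are from the mapping above; the
# call log and its full paths are constructed.
PREFIX = "/api/v1/change-requests/"
MANAGE = "IDeploymentsManageChangeRequestsPermission"
APPROVE = "IDeploymentsApproveChangeRequestsPermission"
VIEW = "IDeploymentsViewChangeRequestsPermission"

# (method, final path segment) -> new permission. The page elides the middle
# of these routes ("..."), so only the last segment is matched.
BY_LAST_SEGMENT = {
    ("POST", "approve"): APPROVE, ("POST", "deny"): APPROVE,
    ("POST", "require-changes"): APPROVE,
    ("POST", "comment"): VIEW, ("GET", "dx"): VIEW, ("GET", "open-count"): VIEW,
}

def required_permission(method, path):
    """Map one call to the permission it now needs, or None if not in the table."""
    path = path.split("?", 1)[0].rstrip("/")
    if not path.startswith(PREFIX):
        return None
    segments = path[len(PREFIX):].split("/")
    method = method.upper()
    if method == "DELETE" and len(segments) == 1:
        return MANAGE  # DELETE /api/v1/change-requests/{id}
    return BY_LAST_SEGMENT.get((method, segments[-1]))

def minimal_grant(calls):
    """Return (sorted permissions needed, calls the table does not cover)."""
    needed, uncovered = set(), []
    for method, path in calls:
        perm = required_permission(method, path)
        if perm:
            needed.add(perm)
        else:
            uncovered.append((method, path))
    return sorted(needed), uncovered

# Constructed call log for a hypothetical reporting integration.
SAMPLE_CALLS = [
    ("GET", "/api/v1/change-requests/open-count"),
    ("GET", "/api/v1/change-requests/dx?take=50"),
    ("POST", "/api/v1/change-requests/42/comment"),
    ("GET", "/api/v1/scripts/local/7/authorization"),
]

if __name__ == "__main__":
    print(minimal_grant(SAMPLE_CALLS))
```

Calls returned in the second value are outside this table and need their permission checked separately.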

RolesController GetPermissions authorization change

GetPermissions changed from IRbacViewPermission to INoAuthorizationPermission (accessible to all authenticated users).

IPermissionMetadata simplified

Removed properties:

  • string Claim
  • string DenyClaim
  • string SubjectClaimType
  • string TenantClaimType
  • string ResourceClaimType

Added: string SubjectPermissionClaimType

Retained: string AllowClaim (backwards compatibility with frontend)

IRoleClaimMetadataService

Deleted entirely, along with RoleClaimParseException.

7. New Controllers

GroupsController: /api/v1/groups

| Method | Route | Action |
| --- | --- | --- |
| GET | /api/v1/groups | GetAll |
| GET | /api/v1/groups/{groupId} | Get |
| POST | /api/v1/groups | Create |
| PUT | /api/v1/groups/{groupId} | Update |
| DELETE | /api/v1/groups/{groupId} | Delete |
| GET | /api/v1/groups/{groupId}/role-assignments | GetRoleAssignments |
| POST | /api/v1/groups/{groupId}/members | AddUserToGroup |
| POST | /api/v1/groups/{groupId}/members/bulk | AddUsersToGroup |
| DELETE | /api/v1/groups/{groupId}/members/{userId} | RemoveUserFromGroup |
| GET | /api/v1/groups/{groupId}/members | GetGroupMembers |

UserRoleAssignmentsController: /api/v1/user-role-assignments

| Method | Route | Action |
| --- | --- | --- |
| GET | /api/v1/user-role-assignments | DxGetAll |
| GET | /api/v1/user-role-assignments/users/{userId} | DxGetByUserId |
| GET | /api/v1/user-role-assignments/users/{userId}/count | GetUserRoleAssignmentsCount |
| POST | /api/v1/user-role-assignments/owner/create | CreateOwnerAssignments |
| POST | /api/v1/user-role-assignments/msp/create | CreateMspAssignments |
| POST | /api/v1/user-role-assignments/tenant-tag/create | CreateTenantTagAssignments |
| POST | /api/v1/user-role-assignments/specific-tenant/create | CreateSpecificTenantAssignments |
| POST | /api/v1/user-role-assignments/user-tenant/create | CreateUserTenantAssignments |
| POST | /api/v1/user-role-assignments/tag-resource/create | CreateTagResourceAssignments |
| POST | /api/v1/user-role-assignments/specific-resource/create | CreateSpecificResourceAssignments |
| POST | /api/v1/user-role-assignments/category-resource/create | CreateCategoryResourceAssignments |
| DELETE | /api/v1/user-role-assignments/delete | DeleteUserRoleAssignments |

EffectivePermissionsController: /api/v1/effective-permissions

| Method | Route | Action |
| --- | --- | --- |
| POST | /api/v1/effective-permissions/users/{userId}/evaluate/all-assignments | EvaluateAllAssignments |
| POST | /api/v1/effective-permissions/users/{userId}/evaluate/tenant | EvaluateForTenant |
| POST | /api/v1/effective-permissions/users/{userId}/evaluate/resource | EvaluateForResource |
| POST | /api/v1/effective-permissions/groups/{groupId}/evaluate/all-assignments | EvaluateAllAssignmentsForGroup |
| POST | /api/v1/effective-permissions/groups/{groupId}/evaluate/tenant | EvaluateForTenantForGroup |
| POST | /api/v1/effective-permissions/groups/{groupId}/evaluate/resource | EvaluateForResourceForGroup |

New endpoint on UsersController

| Method | Route | Action |
| --- | --- | --- |
| GET | /api/v1/users/{userId}/groups | GetUserGroups |

New endpoint on MaintenanceTasksController

| Method | Route | Action |
| --- | --- | --- |
| GET | /api/v1/maintenance-tasks/tenant-management | GetTenantManagement |

New endpoint on RolesController

| Method | Route | Action |
| --- | --- | --- |
| GET | /api/v1/roles/{roleId}/assignments | GetRoleAssignments |

8. Roles & ChangeRequests Model Changes

CreateOrUpdateRoleRequest

Added required property:

int OwnerTenantId  // required

GetRoleResponse

Added properties:

int? OwnerTenantId
string OwnerTenantName

IChangeRequestStore

Both CreateChangeRequestForNewEntity and CreateChangeRequestForExistingEntity now require an additional int ownerTenantId parameter.
