Roles and Groups Overview
In the LYNIO Cloud platform, access control is organized around Roles & Groups (modeled and referenced as Roles in the underlying database schemas and APIs). Roles enable tenant administrators to define permission policies and assign them collectively to users, simplifying access control at scale.
Console Roles & Groups Operations
Within the LYNIO Console, access control policies are managed under the Identity & Access Management page (/identity) in the Roles tab. The interface displays a table listing the role name, its associated permissions displayed as blue badges, and available actions.
Creating a Role/Group
To create a new role:
- Click the Add Role button.
- In the modal, fill in the following fields:
- Name: A descriptive name for the role (e.g.,
Read-Only Admin). - Permissions: Enter permissions in the text area as a comma-separated list (e.g.,
networks:read, compute:read, snapshots:create).
- Name: A descriptive name for the role (e.g.,
- Click save. The Console frontend automatically parses the comma-separated string, splits it by commas, trims whitespace, and packages the result into a JSON string array to send to the backend API.
Editing a Role/Group
To modify an existing role:
- Click the Edit action icon next to the target role.
- Update the role Name or modify the list of permissions in the text area.
- Save the changes. The frontend will process and send the updated permissions array to the database.
Managing User Assignments (Members)
To manage user memberships for a role:
- Click the Members action icon on the role row.
- A modal will open displaying a list of all user members currently assigned to the role, showing their IDs and emails (fetched dynamically from the
/api/v1/roles/:id/usersendpoint). - To assign a role to a user, navigate back to the Users tab, click Manage Roles on the target user, and use the multi-select dropdown to map roles.
Deleting a Role/Group
To delete a role:
- Click the trash icon (Delete) on the target role row.
- Confirm the action in the popup modal. Deleting a role automatically removes the relationship mapping for any assigned users.
HTTP API Integration
Access control configurations can be managed programmatically using the /api/v1/roles endpoints.
List Roles
- Endpoint:
GET /api/v1/roles - Description: Returns all roles defined within the caller's tenant.
Create Role
- Endpoint:
POST /api/v1/roles - Request Payload:
{ "name": "Network Manager", "description": "Allows full management of network resources", "permissions": ["networks:create", "networks:read", "networks:update", "networks:delete"] }
Update Role
- Endpoint:
PUT /api/v1/roles/:id - Request Payload:
{ "name": "Network Manager", "description": "Allows full management of network and firewall resources", "permissions": ["networks:create", "networks:read", "networks:update", "networks:delete", "firewall:read"] }
Delete Role
- Endpoint:
DELETE /api/v1/roles/:id - Description: Permanently deletes the role record.
Get Role Members
- Endpoint:
GET /api/v1/roles/:id/users - Description: Retrieves a list of users (ID and email) who are members of the specified role.
Assign Roles to User
- Endpoint:
POST /api/v1/users/:id/roles - Request Payload:
{ "role_ids": ["lid.role.12345...", "lid.role.67890..."] }
Remove Role Assignment
- Endpoint:
DELETE /api/v1/users/:id/roles/:roleId - Description: Removes the assignment of a specific role from the specified user.