Roles & RBAC API
List Roles
GET /api/rbac/roles?realm={realm}
Authorization: Bearer <token>
```bash
curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/api/rbac/roles?realm=master"
```

Response:

```json
[
  { "id": "role-uuid-1", "name": "ROLE_ADMIN", "description": "Full access", "composite": false },
  { "id": "role-uuid-2", "name": "ROLE_USER", "description": "Standard access", "composite": false }
]
```

Create Role
POST /api/rbac/roles
Authorization: Bearer <token>
Content-Type: application/json
```bash
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "realmName": "master",
    "name": "ROLE_EDITOR",
    "description": "Can create and edit content",
    "composite": false
  }' \
  http://localhost:8080/api/rbac/roles
```

Response: 201 Created
| Field | Type | Required | Description |
|---|---|---|---|
| realmName | string | ✅ | Target realm |
| name | string | ✅ | Role name — convention: ROLE_NAME |
| description | string | — | Human-readable description |
| composite | boolean | — | Whether this role inherits others (default: false) |
Assign Roles to User
POST /api/rbac/user-role-mappings
Authorization: Bearer <token>
Content-Type: application/json
```bash
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "usr_abc123",
    "roleId": "role-uuid-1",
    "realmName": "master"
  }' \
  http://localhost:8080/api/rbac/user-role-mappings
```

Get User Roles
GET /api/rbac/user-role-mappings?userId={userId}&realm={realm}
Authorization: Bearer <token>
```bash
curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/api/rbac/user-role-mappings?userId=usr_abc123&realm=master"
```

Remove Role from User
DELETE /api/rbac/user-role-mappings/{mappingId}
Authorization: Bearer <token>
Response: 204 No Content
Policy Evaluation
Check whether a user has permission for an action:
POST /api/rbac/evaluate
Authorization: Bearer <token>
Content-Type: application/json
```bash
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "usr_abc123",
    "realmName": "master",
    "requiredRoles": ["ROLE_EDITOR"]
  }' \
  http://localhost:8080/api/rbac/evaluate
```

Response:

```json
{ "decision": "PERMIT" }
```

The decision is PERMIT if the user holds at least one of the requiredRoles (an any-of check, not all-of), and DENY otherwise.
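As an added example (not code from the original page or the project), a small Python client that wraps the endpoints above; the injectable `transport` hook is an assumption made so the client can be exercised without a live server, and `is_permitted` treats anything other than an explicit PERMIT as denied so a malformed reply never grants access.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

class RbacClient:
    """Client for the roles/RBAC endpoints on this page. `transport(method, url, body)`
    is injectable (assumed helper, not part of the API) so tests need no server."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport or self._http

    def _http(self, method, url, body):
        # Default transport: real HTTP via urllib, bearer token on every call.
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urlopen(req) as resp:  # 4xx/5xx raise HTTPError here
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def _call(self, method, path, body=None):
        return self.transport(method, self.base_url + path, body)

    def list_roles(self, realm):
        return self._call("GET", "/api/rbac/roles?" + urlencode({"realm": realm}))[1]

    def create_role(self, realm, name, description="", composite=False):
        body = {"realmName": realm, "name": name,
                "description": description, "composite": composite}
        return self._call("POST", "/api/rbac/roles", body)[0]  # 201 on success

    def assign_role(self, user_id, role_id, realm):
        body = {"userId": user_id, "roleId": role_id, "realmName": realm}
        return self._call("POST", "/api/rbac/user-role-mappings", body)[0]

    def user_roles(self, user_id, realm):
        q = urlencode({"userId": user_id, "realm": realm})
        return self._call("GET", "/api/rbac/user-role-mappings?" + q)[1]

    def is_permitted(self, user_id, realm, required_roles):
        # Fail closed: DENY, a non-200 status or an unexpected payload all deny.
        body = {"userId": user_id, "realmName": realm,
                "requiredRoles": list(required_roles)}
        status, payload = self._call("POST", "/api/rbac/evaluate", body)
        return status == 200 and isinstance(payload, dict) and payload.get("decision") == "PERMIT"
```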