
Roles API

Roles define what actions users can perform. Each role has per-resource permissions for 16 resources with Create (boolean), Read (boolean), Update (None/Own/All), and Delete (None/Own/All) scopes.

Two system roles exist by default: Admin (full access, cannot be modified) and Member (read access to all resources). Custom roles can be created with any permission combination.

Permissions

| Action | Required Permission | Scope |
|---|---|---|
| List | Roles: Read | All roles in tenant |
| Create | Roles: Create | |
| Update | Roles: Update | Cannot modify system roles' permissions |
| Delete | Roles: Delete | Cannot delete system roles |

Admins bypass all permission checks. Roles are tenant-scoped (not project-scoped), so the project owner bypass does not apply.

Endpoints

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/roles | List all roles |
| POST | /api/roles | Create a custom role |
| PUT | /api/roles/{id} | Update a role |
| DELETE | /api/roles/{id} | Delete a custom role |

List Roles

GET /api/roles

```bash
curl https://{tenant}.kendo.dev/api/roles \
  -H "Authorization: Bearer your-token"
```
```json
[
  {
    "id": 1,
    "name": "Admin",
    "slug": "admin",
    "is_system": true,
    "is_admin": true,
    "access_all_projects": true,
    "users_count": 2,
    "permissions": [],
    "created_at": "2026-01-22T07:29:17.000000Z"
  },
  {
    "id": 2,
    "name": "Member",
    "slug": "member",
    "is_system": true,
    "is_admin": false,
    "access_all_projects": false,
    "users_count": 8,
    "permissions": [
      {
        "resource": 2,
        "can_create": true,
        "can_read": true,
        "can_update": 1,
        "can_delete": 1
      }
    ],
    "created_at": "2026-01-22T07:29:17.000000Z"
  }
]
```

Create Role

POST /api/roles

Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Role name (unique slug derived automatically) |
| access_all_projects | boolean | No | Whether users with this role can access all projects (default: false) |
| permissions | array | Yes | Array of permission objects (one per resource) |
| permissions[].resource | integer | Yes | Resource enum value (0–15, see Resources) |
| permissions[].can_create | boolean | Yes | Whether users can create this resource |
| permissions[].can_read | boolean | Yes | Whether users can view this resource |
| permissions[].can_update | integer | Yes | Update scope: 0 = None, 1 = Own, 2 = All |
| permissions[].can_delete | integer | Yes | Delete scope: 0 = None, 1 = Own, 2 = All |
```bash
curl -X POST https://{tenant}.kendo.dev/api/roles \
  -H "Authorization: Bearer your-token" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Developer",
    "access_all_projects": false,
    "permissions": [
      {
        "resource": 2,
        "can_create": true,
        "can_read": true,
        "can_update": 1,
        "can_delete": 1
      }
    ]
  }'
```
```json
{
  "id": 5,
  "name": "Developer",
  "slug": "developer",
  "is_system": false,
  "is_admin": false,
  "access_all_projects": false,
  "users_count": 0,
  "permissions": [
    {
      "resource": 2,
      "can_create": true,
      "can_read": true,
      "can_update": 1,
      "can_delete": 1
    }
  ],
  "created_at": "2026-03-13T10:30:00.000000Z"
}
```
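The following client helper is an added example and not part of the Kendo project's own code. It builds a Create Role body from the fields documented above, rejecting anything outside the documented ranges (resource 0–15, scopes 0/1/2, boolean create/read, one entry per resource) before the request leaves the machine, and it lists All-scope grants on tenant-scoped resources so a reviewer can look at them before the role exists. The `create_role` sender uses only the standard library; the tenant name and token are placeholders you supply.

```python
"""Build, validate and send a Create Role request for the Roles API.

Added example (not the project's own client). Assumes the documented
request fields: name, access_all_projects, and a permissions array whose
entries carry resource (0-15), can_create / can_read (booleans) and
can_update / can_delete (0 = None, 1 = Own, 2 = All).
"""
import json
import urllib.request
from typing import Any

# Resource enum values, in the order given in the Resources table on this page.
RESOURCE_NAMES = [
    "Projects", "Lanes", "Issues", "Sprints", "Attachments", "Comments",
    "Epics", "TimeEntries", "IssueBranchLinks", "Reports", "IssueTemplates",
    "ProjectTokens", "Users", "Roles", "Teams", "AppSettings",
]
TENANT_SCOPED = range(12, 16)          # Users, Roles, Teams, AppSettings
SCOPE_NONE, SCOPE_OWN, SCOPE_ALL = 0, 1, 2
PERMISSION_FIELDS = ("resource", "can_create", "can_read", "can_update", "can_delete")


def validate_permission(perm: dict[str, Any]) -> dict[str, Any]:
    """Return a permission object containing only the documented keys, or raise ValueError."""
    missing = set(PERMISSION_FIELDS) - set(perm)
    if missing:
        raise ValueError(f"permission missing fields: {sorted(missing)}")
    resource = perm["resource"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(resource, bool) or not isinstance(resource, int) or not 0 <= resource < len(RESOURCE_NAMES):
        raise ValueError(f"resource must be an integer 0-{len(RESOURCE_NAMES) - 1}, got {resource!r}")
    for flag in ("can_create", "can_read"):
        if not isinstance(perm[flag], bool):
            raise ValueError(f"{flag} must be a boolean, got {perm[flag]!r}")
    for scope in ("can_update", "can_delete"):
        value = perm[scope]
        if isinstance(value, bool) or value not in (SCOPE_NONE, SCOPE_OWN, SCOPE_ALL):
            raise ValueError(f"{scope} must be 0 (None), 1 (Own) or 2 (All), got {value!r}")
    return {key: perm[key] for key in PERMISSION_FIELDS}


def build_create_role_payload(name: str, permissions: list[dict[str, Any]],
                              access_all_projects: bool = False) -> dict[str, Any]:
    """Assemble the POST /api/roles body, enforcing one entry per resource."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name must be a non-empty string")
    if not permissions:
        raise ValueError("permissions must contain at least one entry")
    seen: set[int] = set()
    normalised = []
    for perm in permissions:
        clean = validate_permission(perm)
        if clean["resource"] in seen:
            raise ValueError(f"duplicate entry for resource {RESOURCE_NAMES[clean['resource']]}")
        seen.add(clean["resource"])
        normalised.append(clean)
    return {"name": name.strip(), "access_all_projects": bool(access_all_projects),
            "permissions": normalised}


def broad_grants(payload: dict[str, Any]) -> list[str]:
    """List All-scope update/delete grants on tenant-scoped resources for review.

    These are the grants that let a role change other users, roles, teams or
    tenant settings, so a least-privilege review should see them explicitly.
    """
    findings = []
    for perm in payload["permissions"]:
        if perm["resource"] in TENANT_SCOPED:
            for scope in ("can_update", "can_delete"):
                if perm[scope] == SCOPE_ALL:
                    findings.append(f"{RESOURCE_NAMES[perm['resource']]}: {scope} = All")
    return findings


def create_role(tenant: str, token: str, payload: dict[str, Any]) -> dict[str, Any]:
    """POST the validated payload to https://{tenant}.kendo.dev/api/roles and return the JSON reply."""
    req = urllib.request.Request(
        f"https://{tenant}.kendo.dev/api/roles",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same role as the curl example above; no network call is made here.
    body = build_create_role_payload("Developer", [
        {"resource": 2, "can_create": True, "can_read": True, "can_update": SCOPE_OWN, "can_delete": SCOPE_OWN},
    ])
    print(json.dumps(body, indent=2))
    print("grants to review:", broad_grants(body) or "none")
```

Validating on the client does not replace the server's own checks; it just turns a rejected request into a clear local error and gives the person defining the role a list of the broad grants before they are committed.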

Update Role

PUT /api/roles/{id}

Same request fields as Create Role. System roles' permissions cannot be modified (their name can be changed for non-admin system roles).

```bash
curl -X PUT https://{tenant}.kendo.dev/api/roles/5 \
  -H "Authorization: Bearer your-token" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Senior Developer",
    "access_all_projects": true,
    "permissions": [
      {
        "resource": 2,
        "can_create": true,
        "can_read": true,
        "can_update": 2,
        "can_delete": 2
      }
    ]
  }'
```
```json
{
  "id": 5,
  "name": "Senior Developer",
  "slug": "senior-developer",
  "is_system": false,
  "is_admin": false,
  "access_all_projects": true,
  "users_count": 0,
  "permissions": [
    {
      "resource": 2,
      "can_create": true,
      "can_read": true,
      "can_update": 2,
      "can_delete": 2
    }
  ],
  "created_at": "2026-03-13T10:30:00.000000Z"
}
```

Delete Role

DELETE /api/roles/{id}

Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| fallback_role_id | integer | Yes | Role to reassign affected users to. Cannot be the role being deleted. |

Returns 204 No Content on success. All users previously assigned to the deleted role are reassigned to the fallback role.

```bash
curl -X DELETE https://{tenant}.kendo.dev/api/roles/5 \
  -H "Authorization: Bearer your-token" \
  -H "Content-Type: application/json" \
  -d '{
    "fallback_role_id": 2
  }'
```

Resources

The 16 resources and their enum values:

| Value | Resource | Scoped to |
|---|---|---|
| 0 | Projects | Project |
| 1 | Lanes | Project |
| 2 | Issues | Project |
| 3 | Sprints | Project |
| 4 | Attachments | Project |
| 5 | Comments | Project |
| 6 | Epics | Project |
| 7 | TimeEntries | Project |
| 8 | IssueBranchLinks | Project |
| 9 | Reports | Project |
| 10 | IssueTemplates | Project |
| 11 | ProjectTokens | Project |
| 12 | Users | Tenant |
| 13 | Roles | Tenant |
| 14 | Teams | Tenant |
| 15 | AppSettings | Tenant |

Project-scoped resources (0-11) are subject to the project owner bypass — project owners automatically get full access regardless of role permissions.
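To make the evaluation order concrete, here is an added example (not Kendo's own authorization code) that applies the rules stated on this page in sequence: the Admin bypass, then the project owner bypass for resources 0–11 only, then the per-resource Create/Read booleans and the None/Own/All scopes for Update and Delete. The page does not define what "Own" matches on, so the example assumes a record's `owner_id` equals the acting user's `id`; the `user`, `record` and `project_owner_id` shapes are likewise assumptions for the example, and the two sample roles are constructed to mirror the GET /api/roles response above.

```python
"""Evaluate role permissions following the rules documented on this page.

Added example, not the project's own code. Rules encoded: admins bypass all
checks; a project owner gets full access to project-scoped resources (0-11)
only; create/read are booleans; update/delete use 0 = None, 1 = Own, 2 = All.
"Own" is assumed to mean record["owner_id"] == user["id"].
"""
from typing import Any, Optional

PROJECT_SCOPED = range(0, 12)          # Projects .. ProjectTokens
SCOPE_NONE, SCOPE_OWN, SCOPE_ALL = 0, 1, 2
ACTIONS = ("create", "read", "update", "delete")

# Constructed sample roles in the shape returned by GET /api/roles.
ADMIN_ROLE = {"id": 1, "name": "Admin", "is_admin": True, "permissions": []}
MEMBER_ROLE = {"id": 2, "name": "Member", "is_admin": False, "permissions": [
    {"resource": 2, "can_create": True, "can_read": True,
     "can_update": SCOPE_OWN, "can_delete": SCOPE_OWN},   # Issues
]}


def permission_for(role: dict[str, Any], resource: int) -> Optional[dict[str, Any]]:
    """Return the role's entry for `resource`, or None when the role has none."""
    for perm in role["permissions"]:
        if perm["resource"] == resource:
            return perm
    return None


def is_allowed(user: dict[str, Any], role: dict[str, Any], resource: int, action: str,
               record: Optional[dict[str, Any]] = None,
               project_owner_id: Optional[int] = None) -> bool:
    """Decide whether `user`, holding `role`, may perform `action` on `resource`.

    record: the existing object for update/delete (must carry owner_id for Own scope).
    project_owner_id: owner of the project the record belongs to; only consulted
    for project-scoped resources, matching the bypass described on this page.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if role.get("is_admin"):
        return True                                    # Admin bypasses all permission checks
    if resource in PROJECT_SCOPED and project_owner_id is not None \
            and project_owner_id == user["id"]:
        return True                                    # project owner bypass, project-scoped only
    perm = permission_for(role, resource)
    if perm is None:
        return False                                   # no entry for the resource: deny
    if action == "create":
        return bool(perm["can_create"])
    if action == "read":
        return bool(perm["can_read"])
    scope = perm["can_update"] if action == "update" else perm["can_delete"]
    if scope == SCOPE_ALL:
        return True
    if scope == SCOPE_OWN:
        return record is not None and record.get("owner_id") == user["id"]
    return False                                       # SCOPE_NONE or an unexpected value


if __name__ == "__main__":
    alice, bob = {"id": 10}, {"id": 11}
    issue = {"owner_id": 10}                            # constructed: an issue Alice created
    print("alice updates own issue:", is_allowed(alice, MEMBER_ROLE, 2, "update", issue))
    print("bob updates alice's issue:", is_allowed(bob, MEMBER_ROLE, 2, "update", issue))
    print("bob as project owner:", is_allowed(bob, MEMBER_ROLE, 2, "update", issue, project_owner_id=11))
    print("bob as project owner on Roles:", is_allowed(bob, MEMBER_ROLE, 13, "update", {"owner_id": 11}, project_owner_id=11))
```

The ordering matters: the owner bypass is checked only after the admin flag and only for resources 0–11, so owning a project never grants access to Users, Roles, Teams or AppSettings, which is the distinction the text above draws. A resource with no permission entry is denied rather than defaulted to the Member behaviour.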
