Appearance
Roles API
Roles define what actions users can perform. Each role has per-resource permissions for 16 resources with Create (boolean), Read (boolean), Update (None/Own/All), and Delete (None/Own/All) scopes.
Two system roles exist by default: Admin (full access, cannot be modified) and Member (read access to all resources). Custom roles can be created with any permission combination.
Role Flags
Beyond per-resource permissions, roles carry two boolean flags that grant broad bypasses:
| Flag | Default | Effect |
|---|---|---|
access_all_projects | false | Holder sees and operates on every project in the tenant, regardless of team membership or direct project assignment. |
access_all_users | false | Holder sees every user in the tenant on /api/users and bypasses the visibility gate on the /api/users/{id} action routes (update, delete, resend-invitation). See Users API — Visibility scope. |
The two flags are independent:
access_all_projectswidens the user-visibility scope to every user affiliated with any project (any team member, any direct member). Orphan invites with no project link remain invisible.access_all_usersadds full visibility on top — including orphan invites and users with no project link.- A role with both flags grants full project access and full user visibility.
Admins (is_admin: true) implicitly have both bypasses.
Both flags can only be set to true by an admin submitter — non-admins editing a role receive a 422 validation error if they attempt to enable either flag.
Permissions
| Action | Required Permission | Scope |
|---|---|---|
| List | Roles: Read | All roles in tenant |
| Create | Roles: Create | — |
| Update | Roles: Update | Cannot modify system roles' permissions |
| Delete | Roles: Delete | Cannot delete system roles |
Admins bypass all permission checks. Roles are tenant-scoped (not project-scoped), so the project owner bypass does not apply.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
GET | /api/roles | List all roles |
POST | /api/roles | Create a custom role |
PUT | /api/roles/{id} | Update a role |
DELETE | /api/roles/{id} | Delete a custom role |
List Roles
GET /api/roles
bash
curl https://{tenant}.kendo.dev/api/roles \
-H "Authorization: Bearer your-token"json
[
{
"id": 1,
"name": "Admin",
"slug": "admin",
"is_system": true,
"is_admin": true,
"access_all_projects": true,
"access_all_users": true,
"users_count": 2,
"permissions": [],
"created_at": "2026-01-22T07:29:17.000000Z"
},
{
"id": 2,
"name": "Member",
"slug": "member",
"is_system": true,
"is_admin": false,
"access_all_projects": false,
"access_all_users": false,
"users_count": 8,
"permissions": [
{
"resource": 2,
"can_create": true,
"can_read": true,
"can_update": 1,
"can_delete": 1
}
],
"created_at": "2026-01-22T07:29:17.000000Z"
}
]Create Role
POST /api/roles
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Role name (unique slug derived automatically) |
access_all_projects | boolean | No | Whether users with this role can access all projects (default: false). Admin-only when set to true. |
access_all_users | boolean | No | Whether users with this role can see and act on every user in the tenant (default: false). Admin-only when set to true. See Role Flags. |
permissions | array | Yes | Array of permission objects (one per resource) |
permissions[].resource | integer | Yes | Resource enum value (0–15, see Resources) |
permissions[].can_create | boolean | Yes | Whether users can create this resource |
permissions[].can_read | boolean | Yes | Whether users can view this resource |
permissions[].can_update | integer | Yes | Update scope: 0 = None, 1 = Own, 2 = All |
permissions[].can_delete | integer | Yes | Delete scope: 0 = None, 1 = Own, 2 = All |
bash
curl -X POST https://{tenant}.kendo.dev/api/roles \
-H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-d '{
"name": "Developer",
"access_all_projects": false,
"access_all_users": false,
"permissions": [
{
"resource": 2,
"can_create": true,
"can_read": true,
"can_update": 1,
"can_delete": 1
}
]
}'json
{
"id": 5,
"name": "Developer",
"slug": "developer",
"is_system": false,
"is_admin": false,
"access_all_projects": false,
"access_all_users": false,
"users_count": 0,
"permissions": [
{
"resource": 2,
"can_create": true,
"can_read": true,
"can_update": 1,
"can_delete": 1
}
],
"created_at": "2026-03-13T10:30:00.000000Z"
}Update Role
PUT /api/roles/{id}
Same request fields as Create Role. System roles' permissions cannot be modified (their name can be changed for non-admin system roles).
bash
curl -X PUT https://{tenant}.kendo.dev/api/roles/5 \
-H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-d '{
"name": "Senior Developer",
"access_all_projects": true,
"access_all_users": true,
"permissions": [
{
"resource": 2,
"can_create": true,
"can_read": true,
"can_update": 2,
"can_delete": 2
}
]
}'json
{
"id": 5,
"name": "Senior Developer",
"slug": "senior-developer",
"is_system": false,
"is_admin": false,
"access_all_projects": true,
"access_all_users": true,
"users_count": 0,
"permissions": [
{
"resource": 2,
"can_create": true,
"can_read": true,
"can_update": 2,
"can_delete": 2
}
],
"created_at": "2026-03-13T10:30:00.000000Z"
}Delete Role
DELETE /api/roles/{id}
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
fallback_role_id | integer | Yes | Role to reassign affected users to. Cannot be the role being deleted. |
Returns 204 No Content on success. All users previously assigned to the deleted role are reassigned to the fallback role.
bash
curl -X DELETE https://{tenant}.kendo.dev/api/roles/5 \
-H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-d '{
"fallback_role_id": 2
}'Resources
The 16 resources and their enum values:
| Value | Resource | Scoped to |
|---|---|---|
| 0 | Projects | Project |
| 1 | Lanes | Project |
| 2 | Issues | Project |
| 3 | Sprints | Project |
| 4 | Attachments | Project |
| 5 | Comments | Project |
| 6 | Epics | Project |
| 7 | TimeEntries | Project |
| 8 | IssueBranchLinks | Project |
| 9 | Reports | Project |
| 10 | IssueTemplates | Project |
| 11 | ProjectTokens | Project |
| 12 | Users | Tenant |
| 13 | Roles | Tenant |
| 14 | Teams | Tenant |
| 15 | AppSettings | Tenant |
Project-scoped resources (0-11) are subject to the project owner bypass — project owners automatically get full access regardless of role permissions.
See Also
- Users API — Assign roles to users