# uip or roles > `uip or roles` manages Orchestrator roles and permissions (RBAC). Roles bundle permissions and are assigned to users at either the tenant (globally) or folder (scoped) level. Verbs on this page cover roles and their permissions, role-user membership, and folder-level assignments. For tenant-level role assignment per user, see `users assign-roles` in [`uip or users`](./uip-orchestrator-users.md). `uip or roles` manages Orchestrator roles and permissions (RBAC). Roles bundle permissions and are assigned to users at either the tenant (globally) or folder (scoped) level. Verbs on this page cover roles and their permissions, role-user membership, and folder-level assignments. For tenant-level role assignment per user, see `users assign-roles` in [`uip or users`](./uip-orchestrator-users.md). ## Synopsis ``` uip or roles [options] ``` ## Verbs | Verb | Purpose | |---|---| | `list-permissions` | List grantable permission names. | | `list-roles` | List roles in the tenant. | | `get-role` | Fetch one role with its granted permissions. | | `create-role` | Create a role (with no permissions) at `Tenant` or `Folder` scope. | | `edit-role` | Add or remove permissions on a role. | | `delete-role` | Delete a user-created role. | | `list-role-users` | List users assigned to a role. | | `set-role-users` | Add or remove users on a role (bulk). | | `list-user-roles` | Show a user's complete role assignments across tenant and every folder. | | `assign` | Assign folder-level roles to a user in a specific folder. | ## uip or roles list-permissions List every grantable permission name. Use these names with `roles edit-role --add-permissions`. ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | | `-l` | `--limit` | number | `50` | Page size. | | — | `--offset` | number | `0` | Skip count. | | — | `--order-by` | field | `Name asc` | OData sort. | ### Examples ```bash uip or roles list-permissions --limit 200 uip or roles list-permissions --output-filter 'Data[].Name' uip or roles list-permissions --output table ``` ### Data shape (--output json) ```json { "Code": "PermissionList", "Data": [{ "Name": "Assets.Create" }, { "Name": "Assets.Delete" }] } ``` ## uip or roles list-roles List roles. Returns key (GUID), ID, name, display name, type, and whether the role is editable. ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | | `-l` | `--limit` | number | `50` | Page size. | | — | `--offset` | number | `0` | Skip count. | | — | `--order-by` | field | `Id desc` | OData sort. | ### Examples ```bash uip or roles list-roles --limit 50 uip or roles list-roles --output-filter "Data[?Type=='Tenant'].Name" uip or roles list-roles --output table ``` ### Data shape (--output json) ```json { "Code": "RoleList", "Data": [ { "Key": "a1b2c3d4-0000-0000-0000-000000000001", "ID": 1, "Name": "Administrator", "DisplayName": "Administrator", "Type": "Tenant", "IsEditable": false } ] } ``` ## uip or roles get-role Fetch a role with its granted permissions. ### Arguments | Name | Required | Purpose | |---|---|---| | `` | yes | Role key (GUID). | ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | ### Examples ```bash uip or roles get-role a1b2c3d4-0000-0000-0000-000000000001 uip or roles get-role a1b2c3d4-0000-0000-0000-000000000001 \ --output-filter 'Data.Permissions' uip or roles get-role a1b2c3d4-0000-0000-0000-000000000001 --output table ``` ### Data shape (--output json) ```json { "Code": "Role", "Data": { "Key": "a1b2c3d4-0000-0000-0000-000000000001", "ID": 1, "Name": "Administrator", "DisplayName": "Administrator", "Type": "Tenant", "IsStatic": true, "IsEditable": false, "Permissions": "Assets.View, Assets.Create, Jobs.View" } } ``` ## uip or roles create-role Create a role with no permissions. After creation, grant permissions with `roles edit-role --add-permissions`. ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | — | `--name` | text | **required** | Role name. | | — | `--type` | enum | **required** | `Tenant` (applies across the tenant) or `Folder` (applies within folders). | | `-t` | `--tenant` | name | session default | Override the tenant. | ### Examples ```bash uip or roles create-role --name "Read Only" --type Tenant uip or roles create-role --name "Folder Viewer" --type Folder uip or roles create-role --name "Read Only" --type Tenant \ --output-filter 'Data.Key' ``` ### Data shape (--output json) ```json { "Code": "RoleCreated", "Data": { "Key": "a1b2c3d4-0000-0000-0000-000000000010", "ID": 10, "Name": "Read Only", "Type": "Tenant", "Status": "Created successfully" } } ``` ## uip or roles edit-role Add or remove permissions on a role. Reads current permissions, toggles `isGranted` for names in `--add-permissions` / `--remove-permissions`, and saves. New names (not yet on the role) are looked up in the tenant's full permission catalog and added. ### Arguments | Name | Required | Purpose | |---|---|---| | `` | yes | Role key (GUID). | ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | — | `--add-permissions` | CSV of names | — | Permissions to grant. | | — | `--remove-permissions` | CSV of names | — | Permissions to revoke. | | `-t` | `--tenant` | name | session default | Override the tenant. | At least one of `--add-permissions` or `--remove-permissions` is required. ### Examples ```bash uip or roles edit-role a1b2c3d4-0000-0000-0000-000000000010 \ --add-permissions Assets.View,Jobs.View uip or roles edit-role a1b2c3d4-0000-0000-0000-000000000010 \ --remove-permissions Jobs.Edit uip or roles edit-role a1b2c3d4-0000-0000-0000-000000000010 \ --add-permissions Assets.View --output-filter 'Data.Status' ``` ### Data shape (--output json) ```json { "Code": "RoleUpdated", "Data": { "Key": "a1b2c3d4-0000-0000-0000-000000000010", "Status": "Updated successfully" } } ``` ## uip or roles delete-role Delete a user-created role. Built-in roles (where `IsStatic=true`) cannot be removed. ### Arguments | Name | Required | Purpose | |---|---|---| | `` | yes | Role key (GUID). | ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | ### Examples ```bash uip or roles delete-role a1b2c3d4-0000-0000-0000-000000000010 uip or roles delete-role a1b2c3d4-0000-0000-0000-000000000010 \ --output-filter 'Data.Status' uip or roles delete-role a1b2c3d4-0000-0000-0000-000000000010 --output plain ``` ### Data shape (--output json) ```json { "Code": "RoleDeleted", "Data": { "Key": "a1b2c3d4-0000-0000-0000-000000000010", "Status": "Deleted successfully" } } ``` ## uip or roles list-role-users List users assigned to a role. ### Arguments | Name | Required | Purpose | |---|---|---| | `` | yes | Role key (GUID). | ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | | `-l` | `--limit` | number | `50` | Page size. | | — | `--offset` | number | `0` | Skip count. | ### Examples ```bash uip or roles list-role-users a1b2c3d4-0000-0000-0000-000000000001 uip or roles list-role-users a1b2c3d4-0000-0000-0000-000000000001 --limit 200 uip or roles list-role-users a1b2c3d4-0000-0000-0000-000000000001 \ --output-filter 'Data[].UserName' ``` ### Data shape (--output json) ```json { "Code": "RoleUserList", "Data": [ { "Key": "d4e5f6a7-0000-0000-0000-000000000001", "ID": 101, "UserName": "admin@example.com", "FullName": "Admin User", "Type": "User" } ] } ``` ## uip or roles set-role-users Add or remove users on a role (bulk). Provide `--add-user-keys`, `--remove-user-keys`, or both. At least one is required. ### Arguments | Name | Required | Purpose | |---|---|---| | `` | yes | Role key (GUID). | ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | — | `--add-user-keys` | CSV of GUIDs | — | Users to add. | | — | `--remove-user-keys` | CSV of GUIDs | — | Users to remove. | | `-t` | `--tenant` | name | session default | Override the tenant. | ### Examples ```bash uip or roles set-role-users a1b2c3d4-0000-0000-0000-000000000010 \ --add-user-keys d4e5f6a7-0000-0000-0000-000000000001 uip or roles set-role-users a1b2c3d4-0000-0000-0000-000000000010 \ --add-user-keys d4e5f6a7-…-001,d4e5f6a7-…-002 \ --remove-user-keys d4e5f6a7-…-099 uip or roles set-role-users a1b2c3d4-0000-0000-0000-000000000010 \ --add-user-keys d4e5f6a7-…-001 --output-filter 'Data.Added' ``` ### Data shape (--output json) ```json { "Code": "RoleUsersUpdated", "Data": { "RoleKey": "a1b2c3d4-0000-0000-0000-000000000010", "Added": 1, "Removed": 0, "Status": "Updated successfully" } } ``` ## uip or roles list-user-roles List all role assignments for a user across the tenant and every folder. Useful for auditing a user's full access profile. ### Arguments | Name | Required | Purpose | |---|---|---| | `` | yes | Username to look up. | ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | `-t` | `--tenant` | name | session default | Override the tenant. | | `-l` | `--limit` | number | `50` | Page size. | | — | `--offset` | number | `0` | Skip count. | ### Examples ```bash uip or roles list-user-roles admin@example.com uip or roles list-user-roles admin@example.com \ --output-filter "Data[?Scope=='Folder']" uip or roles list-user-roles admin@example.com --output table ``` ### Data shape (--output json) ```json { "Code": "UserRoleList", "Data": [ { "Scope": "Tenant", "FolderPath": "", "Role": "Administrator" }, { "Scope": "Folder", "FolderPath": "Shared", "Role": "Folder Administrator" } ] } ``` ## uip or roles assign Assign folder-level roles to a user. Use Folder-type roles only. Requires `--folder-path` or `--folder-key`. ### Options | Short | Long | Value | Default | Description | |---|---|---|---|---| | — | `--user-key` | GUID | **required** | User key. | | — | `--role-keys` | CSV of GUIDs | **required** | Role GUIDs to assign in the folder. | | — | `--folder-path` | path | — | Target folder. Provide this or `--folder-key`. | | — | `--folder-key` | GUID | — | Target folder. | | `-t` | `--tenant` | name | session default | Override the tenant. | ### Examples ```bash uip or roles assign --user-key d4e5f6a7-0000-0000-0000-000000000001 \ --role-keys a1b2c3d4-0000-0000-0000-000000000002 \ --folder-path "Shared" uip or roles assign --user-key d4e5f6a7-0000-0000-0000-000000000001 \ --role-keys a1b2c3d4-…-002,a1b2c3d4-…-003 \ --folder-key b1c2d3e4-0000-0000-0000-000000000001 uip or roles assign --user-key d4e5f6a7-0000-0000-0000-000000000001 \ --role-keys a1b2c3d4-0000-0000-0000-000000000002 \ --folder-path "Shared" --output-filter 'Data.Status' ``` ### Data shape (--output json) ```json { "Code": "PermissionsAssigned", "Data": { "UserKey": "d4e5f6a7-0000-0000-0000-000000000001", "FolderPath": "Shared", "Status": "Assigned successfully" } } ``` ## Exit codes See [Exit codes](./exit-codes.md). No verb-specific overrides. ## Related commands - [`uip or users`](./uip-orchestrator-users.md) — find user keys; `users assign-roles` for tenant-level role assignments. - [`uip or folders`](./uip-orchestrator-folders.md) — locate folder keys for `roles assign`. ## See also - [Global options](./global-options.md). - [Authentication](./authentication.md).