Class: WorkOS::Authorization

Inherits:

Object

• Object
• WorkOS::Authorization

Defined in:

lib/workos/authorization.rb

Defined Under Namespace

Classes: ParentByExternalId, ParentById, ParentResourceByExternalId, ParentResourceById, ResourceTargetByExternalId, ResourceTargetById

Instance Attribute Summary

• #parent_external_id ⇒ String readonly
• #parent_resource_external_id ⇒ String readonly
• #parent_resource_id ⇒ String readonly
• #parent_resource_type_slug ⇒ String readonly
• #resource_external_id ⇒ String readonly
• #resource_id ⇒ String readonly
• #resource_type_slug ⇒ String readonly

Instance Method Summary

• #add_environment_role_permission(slug:, body_slug:, request_options: {}) ⇒ WorkOS::Role

  Add a permission to an environment role.

• #add_organization_role_permission(organization_id:, slug:, body_slug:, request_options: {}) ⇒ WorkOS::Role

  Add a permission to a custom role.

• #assign_role(organization_membership_id:, role_slug:, resource_target:, request_options: {}) ⇒ WorkOS::RoleAssignment

  Assign a role.

• #check(organization_membership_id:, permission_slug:, resource_target:, request_options: {}) ⇒ WorkOS::AuthorizationCheck

  Check authorization.

• #create_environment_role(slug:, name:, description: nil, resource_type_slug: nil, request_options: {}) ⇒ WorkOS::Role

  Create an environment role.

• #create_organization_role(organization_id:, name:, slug: nil, description: nil, resource_type_slug: nil, request_options: {}) ⇒ WorkOS::Role

  Create a custom role.

• #create_permission(slug:, name:, description: nil, resource_type_slug: nil, request_options: {}) ⇒ WorkOS::Permission

  Create a permission.

• #create_resource(external_id:, name:, resource_type_slug:, organization_id:, description: nil, parent_resource: nil, request_options: {}) ⇒ WorkOS::AuthorizationResource

  Create an authorization resource.

• #delete_organization_role(organization_id:, slug:, request_options: {}) ⇒ void

  Delete a custom role.

• #delete_permission(slug:, request_options: {}) ⇒ void

  Delete a permission.

• #delete_resource(resource_id:, cascade_delete: nil, request_options: {}) ⇒ void

  Delete an authorization resource.

• #delete_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, cascade_delete: nil, request_options: {}) ⇒ void

  Delete an authorization resource by external ID.

• #get_environment_role(slug:, request_options: {}) ⇒ WorkOS::Role

  Get an environment role.

• #get_organization_role(organization_id:, slug:, request_options: {}) ⇒ WorkOS::Role

  Get a custom role.

• #get_permission(slug:, request_options: {}) ⇒ WorkOS::AuthorizationPermission

  Get a permission.

• #get_resource(resource_id:, request_options: {}) ⇒ WorkOS::AuthorizationResource

  Get a resource.

• #get_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, request_options: {}) ⇒ WorkOS::AuthorizationResource

  Get a resource by external ID.

• #initialize(client) ⇒ Authorization constructor

  A new instance of Authorization.

• #list_effective_permissions(organization_membership_id:, resource_id:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>

  List effective permissions for an organization membership on a resource.

• #list_effective_permissions_by_external_id(organization_membership_id:, resource_type_slug:, external_id:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>

  List effective permissions for an organization membership on a resource by external ID.

• #list_environment_roles(request_options: {}) ⇒ WorkOS::RoleList

  List environment roles.

• #list_memberships_for_resource(resource_id:, permission_slug:, before: nil, after: nil, limit: nil, order: "desc", assignment: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>

  List organization memberships for resource.

• #list_memberships_for_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, permission_slug:, before: nil, after: nil, limit: nil, order: "desc", assignment: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>

  List memberships for a resource by external ID.

• #list_organization_roles(organization_id:, request_options: {}) ⇒ WorkOS::RoleList

  List custom roles.

• #list_permissions(before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>

  List permissions.

• #list_resources(before: nil, after: nil, limit: nil, order: "desc", organization_id: nil, resource_type_slug: nil, resource_external_id: nil, search: nil, parent: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>

  List resources.

• #list_resources_for_membership(organization_membership_id:, permission_slug:, parent_resource:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>

  List resources for organization membership.

• #list_role_assignments(organization_membership_id:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::RoleAssignment>

  List role assignments.

• #remove_organization_role_permission(organization_id:, slug:, permission_slug:, request_options: {}) ⇒ WorkOS::Role

  Remove a permission from a custom role.

• #remove_role(organization_membership_id:, role_slug:, resource_target:, request_options: {}) ⇒ void

  Remove a role assignment.

• #remove_role_assignment(organization_membership_id:, role_assignment_id:, request_options: {}) ⇒ void

  Remove a role assignment by ID.

• #set_environment_role_permissions(slug:, permissions:, request_options: {}) ⇒ WorkOS::Role

  Set permissions for an environment role.

• #set_organization_role_permissions(organization_id:, slug:, permissions:, request_options: {}) ⇒ WorkOS::Role

  Set permissions for a custom role.

• #update_environment_role(slug:, name: nil, description: nil, request_options: {}) ⇒ WorkOS::Role

  Update an environment role.

• #update_organization_role(organization_id:, slug:, name: nil, description: nil, request_options: {}) ⇒ WorkOS::Role

  Update a custom role.

• #update_permission(slug:, name: nil, description: nil, request_options: {}) ⇒ WorkOS::AuthorizationPermission

  Update a permission.

• #update_resource(resource_id:, name: nil, description: nil, parent_resource: nil, request_options: {}) ⇒ WorkOS::AuthorizationResource

  Update a resource.

• #update_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, name: nil, description: nil, parent_resource: nil, request_options: {}) ⇒ WorkOS::AuthorizationResource

  Update a resource by external ID.

Constructor Details

#initialize(client) ⇒ Authorization

Returns a new instance of Authorization.

# File 'lib/workos/authorization.rb', line 51

def initialize(client)
  @client = client
end

Instance Attribute Details

#parent_external_id ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 49

ParentByExternalId = Data.define(:parent_resource_type_slug, :parent_external_id)

#parent_resource_external_id ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 35

ParentResourceByExternalId = Data.define(:parent_resource_type_slug, :parent_resource_external_id)

#parent_resource_id ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 27

ParentResourceById = Data.define(:parent_resource_id)

#parent_resource_type_slug ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 35

ParentResourceByExternalId = Data.define(:parent_resource_type_slug, :parent_resource_external_id)

#resource_external_id ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 21

ResourceTargetByExternalId = Data.define(:resource_external_id, :resource_type_slug)

#resource_id ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 13

ResourceTargetById = Data.define(:resource_id)

#resource_type_slug ⇒ String (readonly)

Returns:

• (String)

# File 'lib/workos/authorization.rb', line 21

ResourceTargetByExternalId = Data.define(:resource_external_id, :resource_type_slug)

Instance Method Details

#add_environment_role_permission(slug:, body_slug:, request_options: {}) ⇒ WorkOS::Role

Add a permission to an environment role

Parameters:

• slug (String) —

  The slug of the environment role.

• body_slug (String) —

  The slug of the permission to add to the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 1110

def add_environment_role_permission(
  slug:,
  body_slug:,
  request_options: {}
)
  body = {
    "slug" => body_slug
  }
  response = @client.request(
    method: :post,
    path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#add_organization_role_permission(organization_id:, slug:, body_slug:, request_options: {}) ⇒ WorkOS::Role

Add a permission to a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String) —

  The slug of the role.

• body_slug (String) —

  The slug of the permission to add to the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 524

def add_organization_role_permission(
  organization_id:,
  slug:,
  body_slug:,
  request_options: {}
)
  body = {
    "slug" => body_slug
  }
  response = @client.request(
    method: :post,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#assign_role(organization_membership_id:, role_slug:, resource_target:, request_options: {}) ⇒ WorkOS::RoleAssignment

Assign a role

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• role_slug (String) —

  The slug of the role to assign.

• resource_target (WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId) —

  Identifies the resource target.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::RoleAssignment)

# File 'lib/workos/authorization.rb', line 310

def assign_role(
  organization_membership_id:,
  role_slug:,
  resource_target:,
  request_options: {}
)
  body = {
    "role_slug" => role_slug
  }
  case resource_target
  when WorkOS::Authorization::ResourceTargetById
    body["resource_id"] = resource_target.resource_id
  when WorkOS::Authorization::ResourceTargetByExternalId
    body["resource_external_id"] = resource_target.resource_external_id
    body["resource_type_slug"] = resource_target.resource_type_slug
  else
    raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
  end
  response = @client.request(
    method: :post,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::RoleAssignment.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#check(organization_membership_id:, permission_slug:, resource_target:, request_options: {}) ⇒ WorkOS::AuthorizationCheck

Check authorization

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership to check.

• permission_slug (String) —

  The slug of the permission to check.

• resource_target (WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId) —

  Identifies the resource target.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationCheck)

# File 'lib/workos/authorization.rb', line 61

def check(
  organization_membership_id:,
  permission_slug:,
  resource_target:,
  request_options: {}
)
  body = {
    "permission_slug" => permission_slug
  }
  case resource_target
  when WorkOS::Authorization::ResourceTargetById
    body["resource_id"] = resource_target.resource_id
  when WorkOS::Authorization::ResourceTargetByExternalId
    body["resource_external_id"] = resource_target.resource_external_id
    body["resource_type_slug"] = resource_target.resource_type_slug
  else
    raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
  end
  response = @client.request(
    method: :post,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/check",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::AuthorizationCheck.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_environment_role(slug:, name:, description: nil, resource_type_slug: nil, request_options: {}) ⇒ WorkOS::Role

Create an environment role

Parameters:

• slug (String) —

  A unique slug for the role.

• name (String) —

  A descriptive name for the role.

• description (String, nil) (defaults to: nil) —

  An optional description of the role.

• resource_type_slug (String, nil) (defaults to: nil) —

  The slug of the resource type the role is scoped to.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 1033

def create_environment_role(
  slug:,
  name:,
  description: nil,
  resource_type_slug: nil,
  request_options: {}
)
  body = {
    "slug" => slug,
    "name" => name,
    "description" => description,
    "resource_type_slug" => resource_type_slug
  }.compact
  response = @client.request(
    method: :post,
    path: "/authorization/roles",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_organization_role(organization_id:, name:, slug: nil, description: nil, resource_type_slug: nil, request_options: {}) ⇒ WorkOS::Role

Create a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String, nil) (defaults to: nil) —

  A unique identifier for the role within the organization. When provided, must begin with ‘org-’ and contain only lowercase letters, numbers, hyphens, and underscores. When omitted, a slug is auto-generated from the role name and a random suffix.

• name (String) —

  A descriptive name for the role.

• description (String, nil) (defaults to: nil) —

  An optional description of the role’s purpose.

• resource_type_slug (String, nil) (defaults to: nil) —

  The slug of the resource type the role is scoped to.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 422

def create_organization_role(
  organization_id:,
  name:,
  slug: nil,
  description: nil,
  resource_type_slug: nil,
  request_options: {}
)
  body = {
    "slug" => slug,
    "name" => name,
    "description" => description,
    "resource_type_slug" => resource_type_slug
  }.compact
  response = @client.request(
    method: :post,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_permission(slug:, name:, description: nil, resource_type_slug: nil, request_options: {}) ⇒ WorkOS::Permission

Create a permission

Parameters:

• slug (String) —

  A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.

• name (String) —

  A descriptive name for the Permission.

• description (String, nil) (defaults to: nil) —

  An optional description of the Permission.

• resource_type_slug (String, nil) (defaults to: nil) —

  The slug of the resource type this permission is scoped to.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Permission)

# File 'lib/workos/authorization.rb', line 1206

def create_permission(
  slug:,
  name:,
  description: nil,
  resource_type_slug: nil,
  request_options: {}
)
  body = {
    "slug" => slug,
    "name" => name,
    "description" => description,
    "resource_type_slug" => resource_type_slug
  }.compact
  response = @client.request(
    method: :post,
    path: "/authorization/permissions",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Permission.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#create_resource(external_id:, name:, resource_type_slug:, organization_id:, description: nil, parent_resource: nil, request_options: {}) ⇒ WorkOS::AuthorizationResource

Create an authorization resource

Parameters:

• external_id (String) —

  An external identifier for the resource.

• name (String) —

  A display name for the resource.

• description (String, nil) (defaults to: nil) —

  An optional description of the resource.

• resource_type_slug (String) —

  The slug of the resource type.

• organization_id (String) —

  The ID of the organization this resource belongs to.

• parent_resource (WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil) (defaults to: nil) —

  Identifies the parent resource.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationResource)

# File 'lib/workos/authorization.rb', line 834

def create_resource(
  external_id:,
  name:,
  resource_type_slug:,
  organization_id:,
  description: nil,
  parent_resource: nil,
  request_options: {}
)
  body = {
    "external_id" => external_id,
    "name" => name,
    "description" => description,
    "resource_type_slug" => resource_type_slug,
    "organization_id" => organization_id
  }.compact
  if parent_resource
    case parent_resource
    when WorkOS::Authorization::ParentResourceById
      body["parent_resource_id"] = parent_resource.parent_resource_id
    when WorkOS::Authorization::ParentResourceByExternalId
      body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
      body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
    else
      raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
    end
  end
  response = @client.request(
    method: :post,
    path: "/authorization/resources",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::AuthorizationResource.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#delete_organization_role(organization_id:, slug:, request_options: {}) ⇒ void

This method returns an undefined value.

Delete a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String) —

  The slug of the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/authorization.rb', line 504

def delete_organization_role(
  organization_id:,
  slug:,
  request_options: {}
)
  @client.request(
    method: :delete,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    request_options: request_options
  )
  nil
end

#delete_permission(slug:, request_options: {}) ⇒ void

This method returns an undefined value.

Delete a permission

Parameters:

• slug (String) —

  A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/authorization.rb', line 1282

def delete_permission(
  slug:,
  request_options: {}
)
  @client.request(
    method: :delete,
    path: "/authorization/permissions/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    request_options: request_options
  )
  nil
end

#delete_resource(resource_id:, cascade_delete: nil, request_options: {}) ⇒ void

This method returns an undefined value.

Delete an authorization resource

Parameters:

• resource_id (String) —

  The ID of the authorization resource.

• cascade_delete (Boolean, nil) (defaults to: nil) —

  If true, deletes all descendant resources and role assignments. If not set and the resource has children or assignments, the request will fail.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/authorization.rb', line 938

def delete_resource(
  resource_id:,
  cascade_delete: nil,
  request_options: {}
)
  params = {
    "cascade_delete" => cascade_delete
  }.compact
  @client.request(
    method: :delete,
    path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}",
    auth: true,
    params: params,
    request_options: request_options
  )
  nil
end

#delete_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, cascade_delete: nil, request_options: {}) ⇒ void

This method returns an undefined value.

Delete an authorization resource by external ID

Parameters:

• organization_id (String) —

  The ID of the organization that owns the resource.

• resource_type_slug (String) —

  The slug of the resource type.

• external_id (String) —

  An identifier you provide to reference the resource in your system.

• cascade_delete (Boolean, nil) (defaults to: nil) —

  If true, deletes all descendant resources and role assignments. If not set and the resource has children or assignments, the request will fail.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/authorization.rb', line 670

def delete_resource_by_external_id(
  organization_id:,
  resource_type_slug:,
  external_id:,
  cascade_delete: nil,
  request_options: {}
)
  params = {
    "cascade_delete" => cascade_delete
  }.compact
  @client.request(
    method: :delete,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}",
    auth: true,
    params: params,
    request_options: request_options
  )
  nil
end

#get_environment_role(slug:, request_options: {}) ⇒ WorkOS::Role

Get an environment role

Parameters:

• slug (String) —

  The slug of the environment role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 1062

def get_environment_role(
  slug:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_organization_role(organization_id:, slug:, request_options: {}) ⇒ WorkOS::Role

Get a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String) —

  The slug of the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 453

def get_organization_role(
  organization_id:,
  slug:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_permission(slug:, request_options: {}) ⇒ WorkOS::AuthorizationPermission

Get a permission

Parameters:

• slug (String) —

  A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationPermission)

# File 'lib/workos/authorization.rb', line 1235

def get_permission(
  slug:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/authorization/permissions/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::AuthorizationPermission.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_resource(resource_id:, request_options: {}) ⇒ WorkOS::AuthorizationResource

Get a resource

Parameters:

• resource_id (String) —

  The ID of the authorization resource.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationResource)

# File 'lib/workos/authorization.rb', line 877

def get_resource(
  resource_id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::AuthorizationResource.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#get_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, request_options: {}) ⇒ WorkOS::AuthorizationResource

Get a resource by external ID

Parameters:

• organization_id (String) —

  The ID of the organization that owns the resource.

• resource_type_slug (String) —

  The slug of the resource type.

• external_id (String) —

  An identifier you provide to reference the resource in your system.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationResource)

# File 'lib/workos/authorization.rb', line 601

def get_resource_by_external_id(
  organization_id:,
  resource_type_slug:,
  external_id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::AuthorizationResource.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#list_effective_permissions(organization_membership_id:, resource_id:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>

List effective permissions for an organization membership on a resource

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• resource_id (String) —

  The ID of the authorization resource.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>)

# File 'lib/workos/authorization.rb', line 163

def list_effective_permissions(
  organization_membership_id:,
  resource_id:,
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/resources/#{WorkOS::Util.encode_path(resource_id)}/permissions",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_effective_permissions(
      organization_membership_id: organization_membership_id,
      resource_id: resource_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::AuthorizationPermission,
    filters: {organization_membership_id: organization_membership_id, resource_id: resource_id, before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#list_effective_permissions_by_external_id(organization_membership_id:, resource_type_slug:, external_id:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>

List effective permissions for an organization membership on a resource by external ID

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• resource_type_slug (String) —

  The slug of the resource type.

• external_id (String) —

  An identifier you provide to reference the resource in your system.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>)

# File 'lib/workos/authorization.rb', line 214

def list_effective_permissions_by_external_id(
  organization_membership_id:,
  resource_type_slug:,
  external_id:,
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}/permissions",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_effective_permissions_by_external_id(
      organization_membership_id: organization_membership_id,
      resource_type_slug: resource_type_slug,
      external_id: external_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::AuthorizationPermission,
    filters: {organization_membership_id: organization_membership_id, resource_type_slug: resource_type_slug, external_id: external_id, before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#list_environment_roles(request_options: {}) ⇒ WorkOS::RoleList

List environment roles

Parameters:

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::RoleList)

# File 'lib/workos/authorization.rb', line 1014

def list_environment_roles(request_options: {})
  response = @client.request(
    method: :get,
    path: "/authorization/roles",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::RoleList.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#list_memberships_for_resource(resource_id:, permission_slug:, before: nil, after: nil, limit: nil, order: "desc", assignment: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>

List organization memberships for resource

Parameters:

• resource_id (String) —

  The ID of the authorization resource.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• permission_slug (String) —

  The permission slug to filter by. Only users with this permission on the resource are returned.

• assignment (WorkOS::Types::AuthorizationAssignment, nil) (defaults to: nil) —

  Filter by assignment type. Use ‘direct` for direct assignments only, or `indirect` to include inherited assignments.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>)

# File 'lib/workos/authorization.rb', line 966

def list_memberships_for_resource(
  resource_id:,
  permission_slug:,
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  assignment: nil,
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "permission_slug" => permission_slug,
    "assignment" => assignment
  }.compact
  response = @client.request(
    method: :get,
    path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}/organization_memberships",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_memberships_for_resource(
      resource_id: resource_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      permission_slug: permission_slug,
      assignment: assignment,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::UserOrganizationMembershipBaseListData,
    filters: {resource_id: resource_id, before: before, limit: limit, order: order, permission_slug: permission_slug, assignment: assignment},
    fetch_next: fetch_next
  )
end

#list_memberships_for_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, permission_slug:, before: nil, after: nil, limit: nil, order: "desc", assignment: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>

List memberships for a resource by external ID

Parameters:

• organization_id (String) —

  The ID of the organization that owns the resource.

• resource_type_slug (String) —

  The slug of the resource type this resource belongs to.

• external_id (String) —

  An identifier you provide to reference the resource in your system.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• permission_slug (String) —

  The permission slug to filter by. Only users with this permission on the resource are returned.

• assignment (WorkOS::Types::AuthorizationAssignment, nil) (defaults to: nil) —

  Filter by assignment type. Use “direct” for direct assignments only, or “indirect” to include inherited assignments.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>)

# File 'lib/workos/authorization.rb', line 702

def list_memberships_for_resource_by_external_id(
  organization_id:,
  resource_type_slug:,
  external_id:,
  permission_slug:,
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  assignment: nil,
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "permission_slug" => permission_slug,
    "assignment" => assignment
  }.compact
  response = @client.request(
    method: :get,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}/organization_memberships",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_memberships_for_resource_by_external_id(
      organization_id: organization_id,
      resource_type_slug: resource_type_slug,
      external_id: external_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      permission_slug: permission_slug,
      assignment: assignment,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::UserOrganizationMembershipBaseListData,
    filters: {organization_id: organization_id, resource_type_slug: resource_type_slug, external_id: external_id, before: before, limit: limit, order: order, permission_slug: permission_slug, assignment: assignment},
    fetch_next: fetch_next
  )
end

#list_organization_roles(organization_id:, request_options: {}) ⇒ WorkOS::RoleList

List custom roles

Parameters:

• organization_id (String) —

  The ID of the organization.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::RoleList)

# File 'lib/workos/authorization.rb', line 399

def list_organization_roles(
  organization_id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::RoleList.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#list_permissions(before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>

List permissions

Parameters:

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::PermissionsOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>)

# File 'lib/workos/authorization.rb', line 1162

def list_permissions(
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/authorization/permissions",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_permissions(
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::AuthorizationPermission,
    filters: {before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#list_resources(before: nil, after: nil, limit: nil, order: "desc", organization_id: nil, resource_type_slug: nil, resource_external_id: nil, search: nil, parent: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>

List resources

Parameters:

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• organization_id (String, nil) (defaults to: nil) —

  Filter resources by organization ID.

• resource_type_slug (String, nil) (defaults to: nil) —

  Filter resources by resource type slug.

• resource_external_id (String, nil) (defaults to: nil) —

  Filter resources by external ID.

• search (String, nil) (defaults to: nil) —

  Search resources by name.

• parent (WorkOS::Authorization::ParentById, WorkOS::Authorization::ParentByExternalId, nil) (defaults to: nil) —

  Identifies the parent.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>)

# File 'lib/workos/authorization.rb', line 763

def list_resources(
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  organization_id: nil,
  resource_type_slug: nil,
  resource_external_id: nil,
  search: nil,
  parent: nil,
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "organization_id" => organization_id,
    "resource_type_slug" => resource_type_slug,
    "resource_external_id" => resource_external_id,
    "search" => search
  }.compact
  if parent
    case parent
    when WorkOS::Authorization::ParentById
      params["parent_resource_id"] = parent.parent_resource_id
    when WorkOS::Authorization::ParentByExternalId
      params["parent_resource_type_slug"] = parent.parent_resource_type_slug
      params["parent_external_id"] = parent.parent_external_id
    else
      raise ArgumentError, "expected parent to be one of: WorkOS::Authorization::ParentById, WorkOS::Authorization::ParentByExternalId, got #{parent.class}"
    end
  end
  response = @client.request(
    method: :get,
    path: "/authorization/resources",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_resources(
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      organization_id: organization_id,
      resource_type_slug: resource_type_slug,
      resource_external_id: resource_external_id,
      search: search,
      parent: parent,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::AuthorizationResource,
    filters: {before: before, limit: limit, order: order, organization_id: organization_id, resource_type_slug: resource_type_slug, resource_external_id: resource_external_id, search: search, parent: parent},
    fetch_next: fetch_next
  )
end

#list_resources_for_membership(organization_membership_id:, permission_slug:, parent_resource:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>

List resources for organization membership

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• permission_slug (String) —

  The permission slug to filter by. Only child resources where the organization membership has this permission are returned.

• parent_resource (WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId) —

  Identifies the parent resource.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>)

# File 'lib/workos/authorization.rb', line 101

def list_resources_for_membership(
  organization_membership_id:,
  permission_slug:,
  parent_resource:,
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order,
    "permission_slug" => permission_slug
  }.compact
  case parent_resource
  when WorkOS::Authorization::ParentResourceById
    params["parent_resource_id"] = parent_resource.parent_resource_id
  when WorkOS::Authorization::ParentResourceByExternalId
    params["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
    params["parent_resource_external_id"] = parent_resource.parent_resource_external_id
  else
    raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
  end
  response = @client.request(
    method: :get,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/resources",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_resources_for_membership(
      organization_membership_id: organization_membership_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      permission_slug: permission_slug,
      parent_resource: parent_resource,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::AuthorizationResource,
    filters: {organization_membership_id: organization_membership_id, before: before, limit: limit, order: order, permission_slug: permission_slug, parent_resource: parent_resource},
    fetch_next: fetch_next
  )
end

#list_role_assignments(organization_membership_id:, before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::RoleAssignment>

List role assignments

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::AuthorizationOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::RoleAssignment>)

# File 'lib/workos/authorization.rb', line 265

def list_role_assignments(
  organization_membership_id:,
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_role_assignments(
      organization_membership_id: organization_membership_id,
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::RoleAssignment,
    filters: {organization_membership_id: organization_membership_id, before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#remove_organization_role_permission(organization_id:, slug:, permission_slug:, request_options: {}) ⇒ WorkOS::Role

Remove a permission from a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String) —

  The slug of the role.

• permission_slug (String) —

  The slug of the permission to remove.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 578

def remove_organization_role_permission(
  organization_id:,
  slug:,
  permission_slug:,
  request_options: {}
)
  response = @client.request(
    method: :delete,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions/#{WorkOS::Util.encode_path(permission_slug)}",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#remove_role(organization_membership_id:, role_slug:, resource_target:, request_options: {}) ⇒ void

This method returns an undefined value.

Remove a role assignment

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• role_slug (String) —

  The slug of the role to remove.

• resource_target (WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId) —

  Identifies the resource target.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/authorization.rb', line 346

def remove_role(
  organization_membership_id:,
  role_slug:,
  resource_target:,
  request_options: {}
)
  params = {}
  case resource_target
  when WorkOS::Authorization::ResourceTargetById
    params["resource_id"] = resource_target.resource_id
  when WorkOS::Authorization::ResourceTargetByExternalId
    params["resource_external_id"] = resource_target.resource_external_id
    params["resource_type_slug"] = resource_target.resource_type_slug
  else
    raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
  end
  body = {
    "role_slug" => role_slug
  }
  @client.request(
    method: :delete,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
    auth: true,
    params: params,
    body: body,
    request_options: request_options
  )
  nil
end

#remove_role_assignment(organization_membership_id:, role_assignment_id:, request_options: {}) ⇒ void

This method returns an undefined value.

Remove a role assignment by ID

Parameters:

• organization_membership_id (String) —

  The ID of the organization membership.

• role_assignment_id (String) —

  The ID of the role assignment to remove.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/authorization.rb', line 381

def remove_role_assignment(
  organization_membership_id:,
  role_assignment_id:,
  request_options: {}
)
  @client.request(
    method: :delete,
    path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments/#{WorkOS::Util.encode_path(role_assignment_id)}",
    auth: true,
    request_options: request_options
  )
  nil
end

#set_environment_role_permissions(slug:, permissions:, request_options: {}) ⇒ WorkOS::Role

Set permissions for an environment role

Parameters:

• slug (String) —

  The slug of the environment role.

• permissions (Array<String>) —

  The permission slugs to assign to the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 1135

def set_environment_role_permissions(
  slug:,
  permissions:,
  request_options: {}
)
  body = {
    "permissions" => permissions
  }
  response = @client.request(
    method: :put,
    path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#set_organization_role_permissions(organization_id:, slug:, permissions:, request_options: {}) ⇒ WorkOS::Role

Set permissions for a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String) —

  The slug of the role.

• permissions (Array<String>) —

  The permission slugs to assign to the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 551

def set_organization_role_permissions(
  organization_id:,
  slug:,
  permissions:,
  request_options: {}
)
  body = {
    "permissions" => permissions
  }
  response = @client.request(
    method: :put,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_environment_role(slug:, name: nil, description: nil, request_options: {}) ⇒ WorkOS::Role

Update an environment role

Parameters:

• slug (String) —

  The slug of the environment role.

• name (String, nil) (defaults to: nil) —

  A descriptive name for the role.

• description (String, nil) (defaults to: nil) —

  An optional description of the role.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 1083

def update_environment_role(
  slug:,
  name: nil,
  description: nil,
  request_options: {}
)
  body = {
    "name" => name,
    "description" => description
  }.compact
  response = @client.request(
    method: :patch,
    path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_organization_role(organization_id:, slug:, name: nil, description: nil, request_options: {}) ⇒ WorkOS::Role

Update a custom role

Parameters:

• organization_id (String) —

  The ID of the organization.

• slug (String) —

  The slug of the role.

• name (String, nil) (defaults to: nil) —

  A descriptive name for the role.

• description (String, nil) (defaults to: nil) —

  An optional description of the role’s purpose.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Role)

# File 'lib/workos/authorization.rb', line 476

def update_organization_role(
  organization_id:,
  slug:,
  name: nil,
  description: nil,
  request_options: {}
)
  body = {
    "name" => name,
    "description" => description
  }.compact
  response = @client.request(
    method: :patch,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::Role.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_permission(slug:, name: nil, description: nil, request_options: {}) ⇒ WorkOS::AuthorizationPermission

Update a permission

Parameters:

• slug (String) —

  A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.

• name (String, nil) (defaults to: nil) —

  A descriptive name for the Permission.

• description (String, nil) (defaults to: nil) —

  An optional description of the Permission.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationPermission)

# File 'lib/workos/authorization.rb', line 1256

def update_permission(
  slug:,
  name: nil,
  description: nil,
  request_options: {}
)
  body = {
    "name" => name,
    "description" => description
  }.compact
  response = @client.request(
    method: :patch,
    path: "/authorization/permissions/#{WorkOS::Util.encode_path(slug)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::AuthorizationPermission.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_resource(resource_id:, name: nil, description: nil, parent_resource: nil, request_options: {}) ⇒ WorkOS::AuthorizationResource

Update a resource

Parameters:

• resource_id (String) —

  The ID of the authorization resource.

• name (String, nil) (defaults to: nil) —

  A display name for the resource.

• description (String, nil) (defaults to: nil) —

  An optional description of the resource.

• parent_resource (WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil) (defaults to: nil) —

  Identifies the parent resource.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationResource)

# File 'lib/workos/authorization.rb', line 899

def update_resource(
  resource_id:,
  name: nil,
  description: nil,
  parent_resource: nil,
  request_options: {}
)
  body = {
    "name" => name,
    "description" => description
  }.compact
  if parent_resource
    case parent_resource
    when WorkOS::Authorization::ParentResourceById
      body["parent_resource_id"] = parent_resource.parent_resource_id
    when WorkOS::Authorization::ParentResourceByExternalId
      body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
      body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
    else
      raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
    end
  end
  response = @client.request(
    method: :patch,
    path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::AuthorizationResource.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#update_resource_by_external_id(organization_id:, resource_type_slug:, external_id:, name: nil, description: nil, parent_resource: nil, request_options: {}) ⇒ WorkOS::AuthorizationResource

Update a resource by external ID

Parameters:

• organization_id (String) —

  The ID of the organization that owns the resource.

• resource_type_slug (String) —

  The slug of the resource type.

• external_id (String) —

  An identifier you provide to reference the resource in your system.

• name (String, nil) (defaults to: nil) —

  A display name for the resource.

• description (String, nil) (defaults to: nil) —

  An optional description of the resource.

• parent_resource (WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil) (defaults to: nil) —

  Identifies the parent resource.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::AuthorizationResource)

# File 'lib/workos/authorization.rb', line 627

def update_resource_by_external_id(
  organization_id:,
  resource_type_slug:,
  external_id:,
  name: nil,
  description: nil,
  parent_resource: nil,
  request_options: {}
)
  body = {
    "name" => name,
    "description" => description
  }.compact
  if parent_resource
    case parent_resource
    when WorkOS::Authorization::ParentResourceById
      body["parent_resource_id"] = parent_resource.parent_resource_id
    when WorkOS::Authorization::ParentResourceByExternalId
      body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
      body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
    else
      raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
    end
  end
  response = @client.request(
    method: :patch,
    path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::AuthorizationResource.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end