Genesys Cloud - Developer Community!

  • 1.  ALL Role and Permission removal from a user by API

    Posted 7 days ago

    Dear all,

    I try to remove ALL permission roles from a user using a data action, though it seems that the PUT /api/v2/users/{subjectId}/roles, which sets the user's roles, does not allow a blank input. Is it possible to remove all roles using an API? It's possible using the users GUI via the user management > Users interface.

    We would like to automate the removal of all roles when a user has been inactive for over 30 days.


    #PlatformAPI

    ------------------------------
    Ruud Reinold
    BNP Paribas Personal Finance UK
    ------------------------------


  • 2.  RE: ALL Role and Permission removal from a user by API

    Posted 7 days ago

    In addition to the above, when all roles and permissions are removed, the GET /api/v2/users/{subjectId}/roles throws a 404 error:

    { "message": "No such user 73123f82-452a-49b5-97ad-64ed7bd9a9e4", "code": "not.found", "status": 404, "messageWithParams": "No such user {userId}", "messageParams": { "userId": "73123f82-452a-49b5-97ad-64ed7bd9a9e4" }, "contextId": "fd1243cd-185c-492e-bd11-6722d733e571", "details": [], "errors": [] }

    However, I would expect an output like: "roles": [], "permissions": [], "permissionPolicies": []



    ------------------------------
    Ruud Reinold
    BNP Paribas Personal Finance UK
    ------------------------------



  • 3.  RE: ALL Role and Permission removal from a user by API

    Posted 7 days ago

    Hi Rudy, 

    If your goal is to automatically remove all access after 30 days of inactivity, the better option is to update the user to inactive through the Users API. Making the user inactive removes their access and is the supported method for this type of offboarding scenario.

    This removes all roles from the user as well as makes them inactive on the platform: PATCH /api/v2/users/{userId}



    ------------------------------
    Josh Coyle
    Senior Professional Services Consultant
    ------------------------------



  • 4.  RE: ALL Role and Permission removal from a user by API

    Posted 6 days ago

    I agree and that is the last step in the process. However, before doing so, we remove all security groups the user is a member of, all work teams, all DID numbers assigned and also any directly applied roles. The latter though seems to be a tricky one: by default each new user gets the Employee role assigned to them. We already removed all permissions from the role. Let me say I am a tad paranoid since we were breached through our partners maintenance access and incurred a hefty calling cost invoice. It could have been worse though, but since then I am extremely conscious about lingering rights on inactive users.



    ------------------------------
    Ruud Reinold
    BNP Paribas Personal Finance UK
    ------------------------------



  • 5.  RE: ALL Role and Permission removal from a user by API
    Best Answer

    Posted 6 days ago

    Fundamentally, the goal is achieved via making the user inactive; if the user then becomes active again, they do not get the roles they had previously.

    With that said, you may wish to use the below sequence; however, this is more API calls to make and invoke:

    1. Get all current role grants GET /api/v2/authorization/subjects/{userId}
      • This returns all assigned roles in a grants array with roleId and divisionId pairs.
    2. Remove ALL roles POST /api/v2/authorization/subjects/{userId}/bulkremove
      • In the request body, pass the grants array from above. This removes ALL roles, including Employee.
    3. Deactivate the user PATCH /api/v2/users/{userId} with state set to "inactive"


    ------------------------------
    Josh Coyle
    Senior Professional Services Consultant
    ------------------------------
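
The three-step sequence from the answer above, as an added Python example that is not part of the thread and is not Genesys code. Assumptions: a grant may be flat (roleId/divisionId) or nest the ids under role and division, the PATCH body also carries the user's current version, and the names to_pairs, offboard and http_call are illustrative.

```python
import json
import urllib.request

def to_pairs(subject):
    """Reduce the grants of GET /api/v2/authorization/subjects/{userId} to roleId/divisionId pairs."""
    pairs = []
    for g in subject.get("grants", []):
        # Assumption: ids are either flat, as the answer describes, or nested.
        role_id = g.get("roleId") or (g.get("role") or {}).get("id")
        div_id = g.get("divisionId") or (g.get("division") or {}).get("id")
        if not role_id or not div_id:
            raise ValueError(f"unrecognised grant shape: {g!r}")
        pairs.append({"roleId": role_id, "divisionId": div_id})
    return pairs

def offboard(call, user_id, version):
    """Run the steps in order; call(method, path, body) is the HTTP transport."""
    subject_path = f"/api/v2/authorization/subjects/{user_id}"
    pairs = to_pairs(call("GET", subject_path, None))              # step 1
    if pairs:
        call("POST", subject_path + "/bulkremove", {"grants": pairs})  # step 2
        # Re-read before deactivating so a partial removal is not hidden.
        left = to_pairs(call("GET", subject_path, None))
        if left:
            raise RuntimeError(f"{len(left)} grant(s) still present for {user_id}")
    # Step 3. Assumption: the API expects the user's current version here.
    call("PATCH", f"/api/v2/users/{user_id}",
         {"state": "inactive", "version": version})
    return pairs  # what was removed, for the audit trail

def http_call(base_url, token):
    """Transport for a real org; base_url and token are supplied by the caller."""
    def call(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return call
```

The thread reports a 404 from GET /api/v2/users/{subjectId}/roles once a user has no roles; whether the subjects endpoint behaves the same way is not stated, so http_call lets HTTP errors propagate and the user is not deactivated on an unverified removal.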



  • 6.  RE: ALL Role and Permission removal from a user by API

    Posted 6 days ago

    Thanks, I was looking for something like this and this worked for me.



    ------------------------------
    Carlos Gutierrez
    Solution Consultant
    ------------------------------