propelauth 0.4.1, Mar 7 25

propelauth 0.4.1 published on Friday, Mar 7, 2025 by propelauth

propelauth/terraform-provider-propelauth

propelauth.RolesAndPermissions

Explore with Pulumi AI

propelauth 0.4.1 published on Friday, Mar 7, 2025 by propelauth

propelauth/terraform-provider-propelauth

Example Usage

Coming soon!

Coming soon!

Coming soon!

Coming soon!

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.propelauth.RolesAndPermissions;
import com.pulumi.propelauth.RolesAndPermissionsArgs;
import com.pulumi.propelauth.inputs.RolesAndPermissionsPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Configure what organization roles are available to your users and the permissions associated with them.
        var example = new RolesAndPermissions("example", RolesAndPermissionsArgs.builder()
            .defaultOwnerRole("Owner")
            .defaultRole("Member")
            .permissions(            
                RolesAndPermissionsPermissionArgs.builder()
                    .description("A description here.")
                    .displayName("Can read documents.")
                    .name("doc::read")
                    .build(),
                RolesAndPermissionsPermissionArgs.builder()
                    .name("doc::write")
                    .build(),
                RolesAndPermissionsPermissionArgs.builder()
                    .name("ticket::read")
                    .build(),
                RolesAndPermissionsPermissionArgs.builder()
                    .name("ticket::write")
                    .build(),
                RolesAndPermissionsPermissionArgs.builder()
                    .name("ai::deploy")
                    .build())
            .roleHierarchies(            
                "Owner",
                "Admin",
                "Support",
                "Member")
            .roles(Map.ofEntries(
                Map.entry("Admin", Map.ofEntries(
                    Map.entry("canChangeRoles", true),
                    Map.entry("canDeleteOrg", false),
                    Map.entry("canEditOrgAccess", false),
                    Map.entry("canInvite", true),
                    Map.entry("canManageApiKeys", false),
                    Map.entry("canRemoveUsers", true),
                    Map.entry("canSetupSaml", false),
                    Map.entry("canUpdateOrgMetadata", false),
                    Map.entry("canViewOtherMembers", true),
                    Map.entry("permissions",                     
                        "doc::read",
                        "doc::write",
                        "ticket::read")
                )),
                Map.entry("Member", Map.of("permissions",                 
                    "doc::read",
                    "ticket::read")),
                Map.entry("Owner", Map.ofEntries(
                    Map.entry("canChangeRoles", true),
                    Map.entry("canDeleteOrg", true),
                    Map.entry("canEditOrgAccess", true),
                    Map.entry("canInvite", true),
                    Map.entry("canManageApiKeys", true),
                    Map.entry("canRemoveUsers", true),
                    Map.entry("canSetupSaml", true),
                    Map.entry("canUpdateOrgMetadata", true),
                    Map.entry("canViewOtherMembers", true),
                    Map.entry("permissions",                     
                        "doc::read",
                        "doc::write",
                        "ticket::read",
                        "ticket::write")
                )),
                Map.entry("Support", Map.ofEntries(
                    Map.entry("canChangeRoles", false),
                    Map.entry("canDeleteOrg", false),
                    Map.entry("canEditOrgAccess", false),
                    Map.entry("canInvite", false),
                    Map.entry("canManageApiKeys", false),
                    Map.entry("canRemoveUsers", false),
                    Map.entry("canSetupSaml", false),
                    Map.entry("canUpdateOrgMetadata", false),
                    Map.entry("canViewOtherMembers", true),
                    Map.entry("isInternal", true),
                    Map.entry("permissions",                     
                        "doc::read",
                        "ticket::read",
                        "ai::deploy")
                ))
            ))
            .build());

    }
}

resources:
  # Configure what organization roles are available to your users and the permissions associated with them.
  example:
    type: propelauth:RolesAndPermissions
    properties:
      defaultOwnerRole: Owner
      defaultRole: Member
      permissions:
        - description: A description here.
          displayName: Can read documents.
          name: doc::read
        - name: doc::write
        - name: ticket::read
        - name: ticket::write
        - name: ai::deploy
      roleHierarchies:
        - Owner
        - Admin
        - Support
        - Member
      roles:
        Admin:
          - canChangeRoles: true
            canDeleteOrg: false
            canEditOrgAccess: false
            canInvite: true
            canManageApiKeys: false
            canRemoveUsers: true
            canSetupSaml: false
            canUpdateOrgMetadata: false
            canViewOtherMembers: true
            permissions:
              - doc::read
              - doc::write
              - ticket::read
        Member:
          - permissions:
              - doc::read
              - ticket::read
        Owner:
          - canChangeRoles: true
            canDeleteOrg: true
            canEditOrgAccess: true
            canInvite: true
            canManageApiKeys: true
            canRemoveUsers: true
            canSetupSaml: true
            canUpdateOrgMetadata: true
            canViewOtherMembers: true
            permissions:
              - doc::read
              - doc::write
              - ticket::read
              - ticket::write
        Support:
          - canChangeRoles: false
            canDeleteOrg: false
            canEditOrgAccess: false
            canInvite: false
            canManageApiKeys: false
            canRemoveUsers: false
            canSetupSaml: false
            canUpdateOrgMetadata: false
            canViewOtherMembers: true
            isInternal: true
            permissions:
              - doc::read
              - ticket::read
              - ai::deploy

Create RolesAndPermissions Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new RolesAndPermissions(name: string, args: RolesAndPermissionsArgs, opts?: CustomResourceOptions);

@overload
def RolesAndPermissions(resource_name: str,
                        args: RolesAndPermissionsArgs,
                        opts: Optional[ResourceOptions] = None)

@overload
def RolesAndPermissions(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        default_owner_role: Optional[str] = None,
                        default_role: Optional[str] = None,
                        roles: Optional[Mapping[str, RolesAndPermissionsRolesArgs]] = None,
                        permissions: Optional[Sequence[RolesAndPermissionsPermissionArgs]] = None,
                        role_hierarchies: Optional[Sequence[str]] = None)

func NewRolesAndPermissions(ctx *Context, name string, args RolesAndPermissionsArgs, opts ...ResourceOption) (*RolesAndPermissions, error)

public RolesAndPermissions(string name, RolesAndPermissionsArgs args, CustomResourceOptions? opts = null)

public RolesAndPermissions(String name, RolesAndPermissionsArgs args)
public RolesAndPermissions(String name, RolesAndPermissionsArgs args, CustomResourceOptions options)

type: propelauth:RolesAndPermissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args RolesAndPermissionsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args RolesAndPermissionsArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RolesAndPermissionsArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RolesAndPermissionsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args RolesAndPermissionsArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var rolesAndPermissionsResource = new Propelauth.RolesAndPermissions("rolesAndPermissionsResource", new()
{
    DefaultOwnerRole = "string",
    DefaultRole = "string",
    Roles = 
    {
        { "string", new Propelauth.Inputs.RolesAndPermissionsRolesArgs
        {
            CanChangeRoles = false,
            CanDeleteOrg = false,
            CanEditOrgAccess = false,
            CanInvite = false,
            CanManageApiKeys = false,
            CanRemoveUsers = false,
            CanSetupSaml = false,
            CanUpdateOrgMetadata = false,
            CanViewOtherMembers = false,
            Description = "string",
            Disabled = false,
            IsInternal = false,
            Permissions = new[]
            {
                "string",
            },
            ReplacingRole = "string",
            RolesCanManages = new[]
            {
                "string",
            },
        } },
    },
    Permissions = new[]
    {
        new Propelauth.Inputs.RolesAndPermissionsPermissionArgs
        {
            Name = "string",
            Description = "string",
            DisplayName = "string",
        },
    },
    RoleHierarchies = new[]
    {
        "string",
    },
});

example, err := propelauth.NewRolesAndPermissions(ctx, "rolesAndPermissionsResource", &propelauth.RolesAndPermissionsArgs{
DefaultOwnerRole: pulumi.String("string"),
DefaultRole: pulumi.String("string"),
Roles: .RolesAndPermissionsRolesMap{
"string": &.RolesAndPermissionsRolesArgs{
CanChangeRoles: pulumi.Bool(false),
CanDeleteOrg: pulumi.Bool(false),
CanEditOrgAccess: pulumi.Bool(false),
CanInvite: pulumi.Bool(false),
CanManageApiKeys: pulumi.Bool(false),
CanRemoveUsers: pulumi.Bool(false),
CanSetupSaml: pulumi.Bool(false),
CanUpdateOrgMetadata: pulumi.Bool(false),
CanViewOtherMembers: pulumi.Bool(false),
Description: pulumi.String("string"),
Disabled: pulumi.Bool(false),
IsInternal: pulumi.Bool(false),
Permissions: pulumi.StringArray{
pulumi.String("string"),
},
ReplacingRole: pulumi.String("string"),
RolesCanManages: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Permissions: .RolesAndPermissionsPermissionArray{
&.RolesAndPermissionsPermissionArgs{
Name: pulumi.String("string"),
Description: pulumi.String("string"),
DisplayName: pulumi.String("string"),
},
},
RoleHierarchies: pulumi.StringArray{
pulumi.String("string"),
},
})

var rolesAndPermissionsResource = new RolesAndPermissions("rolesAndPermissionsResource", RolesAndPermissionsArgs.builder()
    .defaultOwnerRole("string")
    .defaultRole("string")
    .roles(Map.of("string", Map.ofEntries(
        Map.entry("canChangeRoles", false),
        Map.entry("canDeleteOrg", false),
        Map.entry("canEditOrgAccess", false),
        Map.entry("canInvite", false),
        Map.entry("canManageApiKeys", false),
        Map.entry("canRemoveUsers", false),
        Map.entry("canSetupSaml", false),
        Map.entry("canUpdateOrgMetadata", false),
        Map.entry("canViewOtherMembers", false),
        Map.entry("description", "string"),
        Map.entry("disabled", false),
        Map.entry("isInternal", false),
        Map.entry("permissions", "string"),
        Map.entry("replacingRole", "string"),
        Map.entry("rolesCanManages", "string")
    )))
    .permissions(RolesAndPermissionsPermissionArgs.builder()
        .name("string")
        .description("string")
        .displayName("string")
        .build())
    .roleHierarchies("string")
    .build());

roles_and_permissions_resource = propelauth.RolesAndPermissions("rolesAndPermissionsResource",
    default_owner_role="string",
    default_role="string",
    roles={
        "string": {
            "can_change_roles": False,
            "can_delete_org": False,
            "can_edit_org_access": False,
            "can_invite": False,
            "can_manage_api_keys": False,
            "can_remove_users": False,
            "can_setup_saml": False,
            "can_update_org_metadata": False,
            "can_view_other_members": False,
            "description": "string",
            "disabled": False,
            "is_internal": False,
            "permissions": ["string"],
            "replacing_role": "string",
            "roles_can_manages": ["string"],
        },
    },
    permissions=[{
        "name": "string",
        "description": "string",
        "display_name": "string",
    }],
    role_hierarchies=["string"])

const rolesAndPermissionsResource = new propelauth.RolesAndPermissions("rolesAndPermissionsResource", {
    defaultOwnerRole: "string",
    defaultRole: "string",
    roles: {
        string: {
            canChangeRoles: false,
            canDeleteOrg: false,
            canEditOrgAccess: false,
            canInvite: false,
            canManageApiKeys: false,
            canRemoveUsers: false,
            canSetupSaml: false,
            canUpdateOrgMetadata: false,
            canViewOtherMembers: false,
            description: "string",
            disabled: false,
            isInternal: false,
            permissions: ["string"],
            replacingRole: "string",
            rolesCanManages: ["string"],
        },
    },
    permissions: [{
        name: "string",
        description: "string",
        displayName: "string",
    }],
    roleHierarchies: ["string"],
});

type: propelauth:RolesAndPermissions
properties:
    defaultOwnerRole: string
    defaultRole: string
    permissions:
        - description: string
          displayName: string
          name: string
    roleHierarchies:
        - string
    roles:
        string:
            canChangeRoles: false
            canDeleteOrg: false
            canEditOrgAccess: false
            canInvite: false
            canManageApiKeys: false
            canRemoveUsers: false
            canSetupSaml: false
            canUpdateOrgMetadata: false
            canViewOtherMembers: false
            description: string
            disabled: false
            isInternal: false
            permissions:
                - string
            replacingRole: string
            rolesCanManages:
                - string

RolesAndPermissions Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The RolesAndPermissions resource accepts the following input properties:

DefaultOwnerRole string: The default_owner_role is the role automatically assigned to the user who creates the organization.
DefaultRole string: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
Roles Dictionary<string, RolesAndPermissionsRolesArgs>
Permissions List<RolesAndPermissionsPermission>: A list of permissions that are specific to your application and can be assigned to individual roles.
RoleHierarchies List<string>: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.

DefaultOwnerRole string: The default_owner_role is the role automatically assigned to the user who creates the organization.
DefaultRole string: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
Roles map[string]RolesAndPermissionsRolesArgs
Permissions []RolesAndPermissionsPermissionArgs: A list of permissions that are specific to your application and can be assigned to individual roles.
RoleHierarchies []string: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.

defaultOwnerRole String: The default_owner_role is the role automatically assigned to the user who creates the organization.
defaultRole String: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
roles Map<String,RolesAndPermissionsRolesArgs>
permissions List<RolesAndPermissionsPermission>: A list of permissions that are specific to your application and can be assigned to individual roles.
roleHierarchies List<String>: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.

defaultOwnerRole string: The default_owner_role is the role automatically assigned to the user who creates the organization.
defaultRole string: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
roles {[key: string]: RolesAndPermissionsRolesArgs}
permissions RolesAndPermissionsPermission[]: A list of permissions that are specific to your application and can be assigned to individual roles.
roleHierarchies string[]: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.

default_owner_role str: The default_owner_role is the role automatically assigned to the user who creates the organization.
default_role str: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
roles Mapping[str, RolesAndPermissionsRolesArgs]
permissions Sequence[RolesAndPermissionsPermissionArgs]: A list of permissions that are specific to your application and can be assigned to individual roles.
role_hierarchies Sequence[str]: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.

defaultOwnerRole String: The default_owner_role is the role automatically assigned to the user who creates the organization.
defaultRole String: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
roles Map<Property Map>
permissions List<Property Map>: A list of permissions that are specific to your application and can be assigned to individual roles.
roleHierarchies List<String>: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.

Outputs

All input properties are implicitly available as output properties. Additionally, the RolesAndPermissions resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
MultipleRolesPerUser bool: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.

Id string: The provider-assigned unique ID for this managed resource.
MultipleRolesPerUser bool: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.

id String: The provider-assigned unique ID for this managed resource.
multipleRolesPerUser Boolean: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.

id string: The provider-assigned unique ID for this managed resource.
multipleRolesPerUser boolean: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.

id str: The provider-assigned unique ID for this managed resource.
multiple_roles_per_user bool: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.

id String: The provider-assigned unique ID for this managed resource.
multipleRolesPerUser Boolean: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.

Look up Existing RolesAndPermissions Resource

Get an existing RolesAndPermissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RolesAndPermissionsState, opts?: CustomResourceOptions): RolesAndPermissions

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        default_owner_role: Optional[str] = None,
        default_role: Optional[str] = None,
        multiple_roles_per_user: Optional[bool] = None,
        permissions: Optional[Sequence[RolesAndPermissionsPermissionArgs]] = None,
        role_hierarchies: Optional[Sequence[str]] = None,
        roles: Optional[Mapping[str, RolesAndPermissionsRolesArgs]] = None) -> RolesAndPermissions

func GetRolesAndPermissions(ctx *Context, name string, id IDInput, state *RolesAndPermissionsState, opts ...ResourceOption) (*RolesAndPermissions, error)

public static RolesAndPermissions Get(string name, Input<string> id, RolesAndPermissionsState? state, CustomResourceOptions? opts = null)

public static RolesAndPermissions get(String name, Output<String> id, RolesAndPermissionsState state, CustomResourceOptions options)

resources:  _:    type: propelauth:RolesAndPermissions    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

DefaultOwnerRole string: The default_owner_role is the role automatically assigned to the user who creates the organization.
DefaultRole string: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
MultipleRolesPerUser bool: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.
Permissions List<RolesAndPermissionsPermission>: A list of permissions that are specific to your application and can be assigned to individual roles.
RoleHierarchies List<string>: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.
Roles Dictionary<string, RolesAndPermissionsRolesArgs>

DefaultOwnerRole string: The default_owner_role is the role automatically assigned to the user who creates the organization.
DefaultRole string: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
MultipleRolesPerUser bool: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.
Permissions []RolesAndPermissionsPermissionArgs: A list of permissions that are specific to your application and can be assigned to individual roles.
RoleHierarchies []string: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.
Roles map[string]RolesAndPermissionsRolesArgs

defaultOwnerRole String: The default_owner_role is the role automatically assigned to the user who creates the organization.
defaultRole String: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
multipleRolesPerUser Boolean: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.
permissions List<RolesAndPermissionsPermission>: A list of permissions that are specific to your application and can be assigned to individual roles.
roleHierarchies List<String>: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.
roles Map<String,RolesAndPermissionsRolesArgs>

defaultOwnerRole string: The default_owner_role is the role automatically assigned to the user who creates the organization.
defaultRole string: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
multipleRolesPerUser boolean: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.
permissions RolesAndPermissionsPermission[]: A list of permissions that are specific to your application and can be assigned to individual roles.
roleHierarchies string[]: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.
roles {[key: string]: RolesAndPermissionsRolesArgs}

default_owner_role str: The default_owner_role is the role automatically assigned to the user who creates the organization.
default_role str: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
multiple_roles_per_user bool: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.
permissions Sequence[RolesAndPermissionsPermissionArgs]: A list of permissions that are specific to your application and can be assigned to individual roles.
role_hierarchies Sequence[str]: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.
roles Mapping[str, RolesAndPermissionsRolesArgs]

defaultOwnerRole String: The default_owner_role is the role automatically assigned to the user who creates the organization.
defaultRole String: The default_role is the role assigned to a user if they join an organization and no other role is assigned to them. It is also the fallback role in the instance their role is deleted from the configuration without a replacement.
multipleRolesPerUser Boolean: If true, than each member of an organization can have multiple roles and their is no hierarchy between roles. Instead, the relationship between roles is defined by the roles_can_manage field on each individual role definition. A single-role project can be migrated to multi-role, but not the other way around. Because of this, this can only be set in the PropelAuth dashboard.
permissions List<Property Map>: A list of permissions that are specific to your application and can be assigned to individual roles.
roleHierarchies List<String>: A list of roles in order of hierarchy. The first role in the list is the highest role and the last role is the lowest role. This is only relevant if multiple_roles_per_user is false. If multiple_roles_per_user is true, the roles that a role can manage is defined by the roles_can_manage field on each individual role definition.
roles Map<Property Map>

Supporting Types

RolesAndPermissionsPermission, RolesAndPermissionsPermissionArgs

Name string: The name of the permission. This should be a unique identifier for the permission.
Description string: A description of the permission. This is a human readable description of what the permission allows.
DisplayName string: The display name of the permission. This is the human readable name of the permission. If not provided, the name will be used.

Name string: The name of the permission. This should be a unique identifier for the permission.
Description string: A description of the permission. This is a human readable description of what the permission allows.
DisplayName string: The display name of the permission. This is the human readable name of the permission. If not provided, the name will be used.

name String: The name of the permission. This should be a unique identifier for the permission.
description String: A description of the permission. This is a human readable description of what the permission allows.
displayName String: The display name of the permission. This is the human readable name of the permission. If not provided, the name will be used.

name string: The name of the permission. This should be a unique identifier for the permission.
description string: A description of the permission. This is a human readable description of what the permission allows.
displayName string: The display name of the permission. This is the human readable name of the permission. If not provided, the name will be used.

name str: The name of the permission. This should be a unique identifier for the permission.
description str: A description of the permission. This is a human readable description of what the permission allows.
display_name str: The display name of the permission. This is the human readable name of the permission. If not provided, the name will be used.

name String: The name of the permission. This should be a unique identifier for the permission.
description String: A description of the permission. This is a human readable description of what the permission allows.
displayName String: The display name of the permission. This is the human readable name of the permission. If not provided, the name will be used.

RolesAndPermissionsRoles, RolesAndPermissionsRolesArgs

CanChangeRoles bool: If true, users with this role in the org can change the roles of other users in the organization. The default is false.
CanDeleteOrg bool: If true, users with this role in the org can delete the organization. The default is false.
CanEditOrgAccess bool: If true, users with this role in the org can edit the organization's access settings. These settings incluede what email domains are included and whether 2FA is enforced for the org. The default is false.
CanInvite bool: If true, users with this role in the org can invite other users to the organization. The default is false.
CanManageApiKeys bool: If true, users with this role in the org can manage API keys for the organization. The default is false.
CanRemoveUsers bool: If true, users with this role in the org can remove other users from the organization. The default is false.
CanSetupSaml bool: If true, users with this role in the org can setup enterprise SSO for the organization. The default is false.
CanUpdateOrgMetadata bool: If true, users with this role in the org can update the organization's metadata. This includes changing the name of the organization. The default is false.
CanViewOtherMembers bool: If true, users with this role in the org can view other members of the organization. The default is true.
Description string: A human-readable description of the role.
Disabled bool: If true, this role is disabled and cannot be assigned to users. It is only useful if you intend to use the role in non-default role mappings exclusively. The default is false.
IsInternal bool: If true, this role is an internal role and cannot be assigned to or viewed by end users. The default is false.
Permissions List<string>: A list of permissions specific to your application that are assigned to this role.
ReplacingRole string: The name of a role that no longer exists but this role is replacing. This should only be used if you are attempting to change the name of an existing role and want to ensure that users who had the old role now have this role. The replacing_role should not exist in the roles map.
RolesCanManages List<string>: A list of roles that this role can manage. This is only relevant if multiple_roles_per_user is true. If multiple_roles_per_user is false, the other roles that a role can manage is defined by the order in role_hierarchy where the first role is able to manage every other role including itself.

CanChangeRoles bool: If true, users with this role in the org can change the roles of other users in the organization. The default is false.
CanDeleteOrg bool: If true, users with this role in the org can delete the organization. The default is false.
CanEditOrgAccess bool: If true, users with this role in the org can edit the organization's access settings. These settings incluede what email domains are included and whether 2FA is enforced for the org. The default is false.
CanInvite bool: If true, users with this role in the org can invite other users to the organization. The default is false.
CanManageApiKeys bool: If true, users with this role in the org can manage API keys for the organization. The default is false.
CanRemoveUsers bool: If true, users with this role in the org can remove other users from the organization. The default is false.
CanSetupSaml bool: If true, users with this role in the org can setup enterprise SSO for the organization. The default is false.
CanUpdateOrgMetadata bool: If true, users with this role in the org can update the organization's metadata. This includes changing the name of the organization. The default is false.
CanViewOtherMembers bool: If true, users with this role in the org can view other members of the organization. The default is true.
Description string: A human-readable description of the role.
Disabled bool: If true, this role is disabled and cannot be assigned to users. It is only useful if you intend to use the role in non-default role mappings exclusively. The default is false.
IsInternal bool: If true, this role is an internal role and cannot be assigned to or viewed by end users. The default is false.
Permissions []string: A list of permissions specific to your application that are assigned to this role.
ReplacingRole string: The name of a role that no longer exists but this role is replacing. This should only be used if you are attempting to change the name of an existing role and want to ensure that users who had the old role now have this role. The replacing_role should not exist in the roles map.
RolesCanManages []string: A list of roles that this role can manage. This is only relevant if multiple_roles_per_user is true. If multiple_roles_per_user is false, the other roles that a role can manage is defined by the order in role_hierarchy where the first role is able to manage every other role including itself.

canChangeRoles Boolean: If true, users with this role in the org can change the roles of other users in the organization. The default is false.
canDeleteOrg Boolean: If true, users with this role in the org can delete the organization. The default is false.
canEditOrgAccess Boolean: If true, users with this role in the org can edit the organization's access settings. These settings incluede what email domains are included and whether 2FA is enforced for the org. The default is false.
canInvite Boolean: If true, users with this role in the org can invite other users to the organization. The default is false.
canManageApiKeys Boolean: If true, users with this role in the org can manage API keys for the organization. The default is false.
canRemoveUsers Boolean: If true, users with this role in the org can remove other users from the organization. The default is false.
canSetupSaml Boolean: If true, users with this role in the org can setup enterprise SSO for the organization. The default is false.
canUpdateOrgMetadata Boolean: If true, users with this role in the org can update the organization's metadata. This includes changing the name of the organization. The default is false.
canViewOtherMembers Boolean: If true, users with this role in the org can view other members of the organization. The default is true.
description String: A human-readable description of the role.
disabled Boolean: If true, this role is disabled and cannot be assigned to users. It is only useful if you intend to use the role in non-default role mappings exclusively. The default is false.
isInternal Boolean: If true, this role is an internal role and cannot be assigned to or viewed by end users. The default is false.
permissions List<String>: A list of permissions specific to your application that are assigned to this role.
replacingRole String: The name of a role that no longer exists but this role is replacing. This should only be used if you are attempting to change the name of an existing role and want to ensure that users who had the old role now have this role. The replacing_role should not exist in the roles map.
rolesCanManages List<String>: A list of roles that this role can manage. This is only relevant if multiple_roles_per_user is true. If multiple_roles_per_user is false, the other roles that a role can manage is defined by the order in role_hierarchy where the first role is able to manage every other role including itself.

canChangeRoles boolean: If true, users with this role in the org can change the roles of other users in the organization. The default is false.
canDeleteOrg boolean: If true, users with this role in the org can delete the organization. The default is false.
canEditOrgAccess boolean: If true, users with this role in the org can edit the organization's access settings. These settings incluede what email domains are included and whether 2FA is enforced for the org. The default is false.
canInvite boolean: If true, users with this role in the org can invite other users to the organization. The default is false.
canManageApiKeys boolean: If true, users with this role in the org can manage API keys for the organization. The default is false.
canRemoveUsers boolean: If true, users with this role in the org can remove other users from the organization. The default is false.
canSetupSaml boolean: If true, users with this role in the org can setup enterprise SSO for the organization. The default is false.
canUpdateOrgMetadata boolean: If true, users with this role in the org can update the organization's metadata. This includes changing the name of the organization. The default is false.
canViewOtherMembers boolean: If true, users with this role in the org can view other members of the organization. The default is true.
description string: A human-readable description of the role.
disabled boolean: If true, this role is disabled and cannot be assigned to users. It is only useful if you intend to use the role in non-default role mappings exclusively. The default is false.
isInternal boolean: If true, this role is an internal role and cannot be assigned to or viewed by end users. The default is false.
permissions string[]: A list of permissions specific to your application that are assigned to this role.
replacingRole string: The name of a role that no longer exists but this role is replacing. This should only be used if you are attempting to change the name of an existing role and want to ensure that users who had the old role now have this role. The replacing_role should not exist in the roles map.
rolesCanManages string[]: A list of roles that this role can manage. This is only relevant if multiple_roles_per_user is true. If multiple_roles_per_user is false, the other roles that a role can manage is defined by the order in role_hierarchy where the first role is able to manage every other role including itself.

can_change_roles bool: If true, users with this role in the org can change the roles of other users in the organization. The default is false.
can_delete_org bool: If true, users with this role in the org can delete the organization. The default is false.
can_edit_org_access bool: If true, users with this role in the org can edit the organization's access settings. These settings incluede what email domains are included and whether 2FA is enforced for the org. The default is false.
can_invite bool: If true, users with this role in the org can invite other users to the organization. The default is false.
can_manage_api_keys bool: If true, users with this role in the org can manage API keys for the organization. The default is false.
can_remove_users bool: If true, users with this role in the org can remove other users from the organization. The default is false.
can_setup_saml bool: If true, users with this role in the org can setup enterprise SSO for the organization. The default is false.
can_update_org_metadata bool: If true, users with this role in the org can update the organization's metadata. This includes changing the name of the organization. The default is false.
can_view_other_members bool: If true, users with this role in the org can view other members of the organization. The default is true.
description str: A human-readable description of the role.
disabled bool: If true, this role is disabled and cannot be assigned to users. It is only useful if you intend to use the role in non-default role mappings exclusively. The default is false.
is_internal bool: If true, this role is an internal role and cannot be assigned to or viewed by end users. The default is false.
permissions Sequence[str]: A list of permissions specific to your application that are assigned to this role.
replacing_role str: The name of a role that no longer exists but this role is replacing. This should only be used if you are attempting to change the name of an existing role and want to ensure that users who had the old role now have this role. The replacing_role should not exist in the roles map.
roles_can_manages Sequence[str]: A list of roles that this role can manage. This is only relevant if multiple_roles_per_user is true. If multiple_roles_per_user is false, the other roles that a role can manage is defined by the order in role_hierarchy where the first role is able to manage every other role including itself.

canChangeRoles Boolean: If true, users with this role in the org can change the roles of other users in the organization. The default is false.
canDeleteOrg Boolean: If true, users with this role in the org can delete the organization. The default is false.
canEditOrgAccess Boolean: If true, users with this role in the org can edit the organization's access settings. These settings incluede what email domains are included and whether 2FA is enforced for the org. The default is false.
canInvite Boolean: If true, users with this role in the org can invite other users to the organization. The default is false.
canManageApiKeys Boolean: If true, users with this role in the org can manage API keys for the organization. The default is false.
canRemoveUsers Boolean: If true, users with this role in the org can remove other users from the organization. The default is false.
canSetupSaml Boolean: If true, users with this role in the org can setup enterprise SSO for the organization. The default is false.
canUpdateOrgMetadata Boolean: If true, users with this role in the org can update the organization's metadata. This includes changing the name of the organization. The default is false.
canViewOtherMembers Boolean: If true, users with this role in the org can view other members of the organization. The default is true.
description String: A human-readable description of the role.
disabled Boolean: If true, this role is disabled and cannot be assigned to users. It is only useful if you intend to use the role in non-default role mappings exclusively. The default is false.
isInternal Boolean: If true, this role is an internal role and cannot be assigned to or viewed by end users. The default is false.
permissions List<String>: A list of permissions specific to your application that are assigned to this role.
replacingRole String: The name of a role that no longer exists but this role is replacing. This should only be used if you are attempting to change the name of an existing role and want to ensure that users who had the old role now have this role. The replacing_role should not exist in the roles map.
rolesCanManages List<String>: A list of roles that this role can manage. This is only relevant if multiple_roles_per_user is true. If multiple_roles_per_user is false, the other roles that a role can manage is defined by the order in role_hierarchy where the first role is able to manage every other role including itself.

Import

As there is only one default roles_and_permissions per project there’s no need to specify the id,

$ pulumi import propelauth:index/rolesAndPermissions:RolesAndPermissions but requires an id to be specified, so we can use an arbitrary string here.

$ pulumi import propelauth:index/rolesAndPermissions:RolesAndPermissions example arbitrary_string_here

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: propelauth propelauth/terraform-provider-propelauth
License
Notes: This Pulumi package is based on the propelauth Terraform Provider.

propelauth 0.4.1 published on Friday, Mar 7, 2025 by propelauth

propelauth/terraform-provider-propelauth

propelauth.RolesAndPermissions

On this page

On this page

Example Usage

Create RolesAndPermissions Resource

Constructor syntax

Parameters

Constructor example

RolesAndPermissions Resource Properties

Inputs

Outputs

Look up Existing RolesAndPermissions Resource

Supporting Types

RolesAndPermissionsPermission, RolesAndPermissionsPermissionArgs

RolesAndPermissionsRoles, RolesAndPermissionsRolesArgs

Import

Package Details

On this page

On this page