These endpoints are currently in Alpha. Breaking changes are possible. See API Version Stages for details.
Authentication
All RBAC endpoints require Bearer token authentication:Key Concepts
Permission hierarchy
Arize AX uses a hierarchical RBAC model: Account → Organization → Space → Project. Permissions granted at a higher level flow down to resources below it. When a project is restricted, that inheritance is cut off — only users with an explicit role binding on that project can access it.Permission strings
Each permission follows the{RESOURCE}_{ACTION} pattern, for example DATASET_CREATE or PROJECT_READ. When building a custom role, you specify which permissions to grant. To discover available permissions on predefined roles, call GET /v2/roles?is_predefined=true and inspect the permissions arrays.
Predefined vs. custom roles
Predefined roles are built-in system roles (e.g., Admin, Member, Read-only). They cannot be modified or deleted. Custom roles are account-scoped, user-defined roles that can hold any combination of permissions. See Custom Roles for conceptual details.Role binding uniqueness
A user can have at most one role binding per resource. To change a user’s role, update the existing binding — do not delete and recreate it.Privilege escalation prevention
When creating service keys or assigning roles, you can only assign roles at or below your own privilege level.User Management
Invite, list, update, and remove users across your account, organizations, and spaces.| Method | Path | Description |
|---|---|---|
POST | /v2/users | Create a user |
GET | /v2/users | List users |
GET | /v2/users/{user_id} | Get a user |
PATCH | /v2/users/{user_id} | Update a user |
DELETE | /v2/users/{user_id} | Delete a user |
POST | /v2/users/{user_id}/resend-invitation | Resend a user invitation |
POST | /v2/users/{user_id}/reset-password | Trigger a password-reset email for a user |
POST | /v2/organizations/{org_id}/users | Add a user to an organization |
DELETE | /v2/organizations/{org_id}/users/{user_id} | Remove a user from an organization |
POST | /v2/spaces/{space_id}/users | Add a user to a space |
DELETE | /v2/spaces/{space_id}/users/{user_id} | Remove a user from a space |
invite_mode options when creating a user, see Invite a user via API in the Common Workflows section below.
Roles
Manage custom and predefined roles for your account.| Method | Path | Description |
|---|---|---|
GET | /v2/roles | List roles |
POST | /v2/roles | Create a role |
GET | /v2/roles/{role_id} | Get a role |
PATCH | /v2/roles/{role_id} | Update a role |
DELETE | /v2/roles/{role_id} | Delete a role |
Predefined roles (e.g., Admin, Member, Read-only) cannot be updated or deleted.
List roles
is_predefined=true or is_predefined=false to see only built-in or custom roles. Responses are paginated — use limit and cursor parameters for large role lists.
Get a role
Create a custom role
Update a custom role
403 Forbidden.
Delete a custom role
Role Bindings
Assign roles to users on specific resources (spaces or projects).| Method | Path | Description |
|---|---|---|
POST | /v2/role-bindings | Create a role binding |
GET | /v2/role-bindings/{binding_id} | Get a role binding |
PATCH | /v2/role-bindings/{binding_id} | Update a role binding |
DELETE | /v2/role-bindings/{binding_id} | Delete a role binding |
Each user can have one role binding per resource. Attempting to create a duplicate binding returns a
409 Conflict error.Assign a role
Theresource_type field accepts SPACE or PROJECT.
Get a role binding
Update a role binding
To change the role assigned to a user, update the binding with a newrole_id:
role_id can be updated. The user, resource type, and resource cannot be changed — delete and recreate the binding instead.
Delete a role binding
Resource Restrictions
Mark projects as restricted so only users with explicit role bindings can access them.| Method | Path | Description |
|---|---|---|
POST | /v2/resource-restrictions | Restrict a resource |
DELETE | /v2/resource-restrictions/{resource_id} | Unrestrict a resource |
Currently, only projects can be restricted. Support for additional resource types is planned.
Restrict a project
Remove a restriction
Schema Reference
Role
RoleBinding
ResourceRestriction
Common Workflows
Invite a user via API
UsePOST /v2/users to invite a user programmatically. The invite_mode field controls how the invited user completes sign-up:
Onboard a team member with scoped project access
- Restrict the project (if not already restricted):
POST /v2/resource-restrictionswith the project ID. - Create a role binding for the user:
POST /v2/role-bindingswith the user ID, a role ID (e.g., Member), and the project ID.
Create a least-privilege custom role and assign it
- Identify the permissions your use case requires — call
GET /v2/roles?is_predefined=trueto inspect what permissions predefined roles use. - Create a custom role with only those permissions:
POST /v2/roles - Restrict the target project so access is opt-in:
POST /v2/resource-restrictions - Bind the role to the user on that project:
POST /v2/role-bindings
Rotate a user’s role on a project
- Find the existing binding ID (use your own records or
GET /v2/role-bindings/<id>). - Update the binding with the new role:
PATCH /v2/role-bindings/<binding-id>with{ "role_id": "<new-role-id>" }
Audit roles and access
- List all custom roles:
GET /v2/roles?is_predefined=false - List predefined roles:
GET /v2/roles?is_predefined=true - Inspect a specific binding:
GET /v2/role-bindings/<binding-id>