Skip to main content
The Arize REST API provides endpoints for managing access control programmatically. Use these endpoints to automate role assignment, manage project restrictions, and integrate RBAC into your workflows.
These endpoints are currently in Alpha. Breaking changes are possible. See API Version Stages for details.

Authentication

All RBAC endpoints require Bearer token authentication:
Both User Keys and Service Keys are supported. See Authentication for details.

Key Concepts

Permission hierarchy

Arize AX uses a hierarchical RBAC model: Account → Organization → Space → Project. Permissions granted at a higher level flow down to resources below it. When a project is restricted, that inheritance is cut off — only users with an explicit role binding on that project can access it.

Permission strings

Each permission follows the {RESOURCE}_{ACTION} pattern, for example DATASET_CREATE or PROJECT_READ. When building a custom role, you specify which permissions to grant. To discover available permissions on predefined roles, call GET /v2/roles?is_predefined=true and inspect the permissions arrays.

Predefined vs. custom roles

Predefined roles are built-in system roles (e.g., Admin, Member, Read-only). They cannot be modified or deleted. Custom roles are account-scoped, user-defined roles that can hold any combination of permissions. See Custom Roles for conceptual details.

Role binding uniqueness

A user can have at most one role binding per resource. To change a user’s role, update the existing binding — do not delete and recreate it.

Privilege escalation prevention

When creating service keys or assigning roles, you can only assign roles at or below your own privilege level.

User Management

Invite, list, update, and remove users across your account, organizations, and spaces.
MethodPathDescription
POST/v2/usersCreate a user
GET/v2/usersList users
GET/v2/users/{user_id}Get a user
PATCH/v2/users/{user_id}Update a user
DELETE/v2/users/{user_id}Delete a user
POST/v2/users/{user_id}/resend-invitationResend a user invitation
POST/v2/users/{user_id}/reset-passwordTrigger a password-reset email for a user
POST/v2/organizations/{org_id}/usersAdd a user to an organization
DELETE/v2/organizations/{org_id}/users/{user_id}Remove a user from an organization
POST/v2/spaces/{space_id}/usersAdd a user to a space
DELETE/v2/spaces/{space_id}/users/{user_id}Remove a user from a space
For invite_mode options when creating a user, see Invite a user via API in the Common Workflows section below.

Roles

Manage custom and predefined roles for your account.
MethodPathDescription
GET/v2/rolesList roles
POST/v2/rolesCreate a role
GET/v2/roles/{role_id}Get a role
PATCH/v2/roles/{role_id}Update a role
DELETE/v2/roles/{role_id}Delete a role
Predefined roles (e.g., Admin, Member, Read-only) cannot be updated or deleted.

List roles

You can filter by is_predefined=true or is_predefined=false to see only built-in or custom roles. Responses are paginated — use limit and cursor parameters for large role lists.

Get a role

Create a custom role

To discover available permission values on predefined roles, call GET /v2/roles?is_predefined=true and inspect the permissions arrays.

Update a custom role

When updating permissions, the provided list replaces the entire set — it is not a merge. Include all permissions you want the role to have.
Predefined roles cannot be updated. Attempting to do so returns a 403 Forbidden.

Delete a custom role

Roles are soft-deleted. Predefined roles cannot be deleted.

Role Bindings

Assign roles to users on specific resources (spaces or projects).
MethodPathDescription
POST/v2/role-bindingsCreate a role binding
GET/v2/role-bindings/{binding_id}Get a role binding
PATCH/v2/role-bindings/{binding_id}Update a role binding
DELETE/v2/role-bindings/{binding_id}Delete a role binding
Each user can have one role binding per resource. Attempting to create a duplicate binding returns a 409 Conflict error.

Assign a role

The resource_type field accepts SPACE or PROJECT.

Get a role binding

Update a role binding

To change the role assigned to a user, update the binding with a new role_id:
Only the role_id can be updated. The user, resource type, and resource cannot be changed — delete and recreate the binding instead.

Delete a role binding

Resource Restrictions

Mark projects as restricted so only users with explicit role bindings can access them.
MethodPathDescription
POST/v2/resource-restrictionsRestrict a resource
DELETE/v2/resource-restrictions/{resource_id}Unrestrict a resource
Currently, only projects can be restricted. Support for additional resource types is planned.

Restrict a project

This operation is idempotent — restricting an already-restricted project returns successfully.

Remove a restriction

See Project-Level Restrictions for details on how restrictions affect access.

Schema Reference

Role

RoleBinding

ResourceRestriction

Common Workflows

Invite a user via API

Use POST /v2/users to invite a user programmatically. The invite_mode field controls how the invited user completes sign-up:
Using invite_mode: none on an account where Allow Only SAML Logins is not enabled will leave the user with no way to complete sign-up.

Onboard a team member with scoped project access

  1. Restrict the project (if not already restricted): POST /v2/resource-restrictions with the project ID.
  2. Create a role binding for the user: POST /v2/role-bindings with the user ID, a role ID (e.g., Member), and the project ID.

Create a least-privilege custom role and assign it

  1. Identify the permissions your use case requires — call GET /v2/roles?is_predefined=true to inspect what permissions predefined roles use.
  2. Create a custom role with only those permissions: POST /v2/roles
  3. Restrict the target project so access is opt-in: POST /v2/resource-restrictions
  4. Bind the role to the user on that project: POST /v2/role-bindings

Rotate a user’s role on a project

  1. Find the existing binding ID (use your own records or GET /v2/role-bindings/<id>).
  2. Update the binding with the new role: PATCH /v2/role-bindings/<binding-id> with { "role_id": "<new-role-id>" }

Audit roles and access

  1. List all custom roles: GET /v2/roles?is_predefined=false
  2. List predefined roles: GET /v2/roles?is_predefined=true
  3. Inspect a specific binding: GET /v2/role-bindings/<binding-id>

Full API Reference

For complete request and response schemas, see the API reference: You can also explore and try out all endpoints interactively at api.arize.com/v2/docs.
For additional support, join the Arize Community Slack.