REST Resource: roleAssignments

Resource: RoleAssignment

Defines an assignment of a role.

JSON representation
{
  "roleAssignmentId": string,
  "roleId": string,
  "kind": string,
  "etag": string,
  "assignedTo": string,
  "assigneeType": enum (AssigneeType),
  "scopeType": string,
  "orgUnitId": string,
  "condition": string
}
Fields
roleAssignmentId

string (int64 format)

ID of this roleAssignment.

roleId

string (int64 format)

The ID of the role that is assigned.

kind

string

The type of the API resource. This is always admin#directory#roleAssignment.

etag

string

ETag of the resource.

assignedTo

string

The unique ID of the entity this role is assigned to—either the userId of a user, the groupId of a group, or the uniqueId of a service account as defined in Identity and Access Management (IAM).

assigneeType

enum (AssigneeType)

Output only. The type of the assignee (USER or GROUP).

scopeType

string

The scope in which this role is assigned.

Acceptable values are:

  • CUSTOMER
  • ORG_UNIT
orgUnitId

string

If the role is restricted to an organization unit (scopeType ORG_UNIT), this contains the ID of the organization unit to which the exercise of this role is restricted.

condition

string

Optional. (Open Beta - Available at the /admin/directory/v1.1beta1 version of the API)

Note: This feature is available to Enterprise Standard, Enterprise Plus, Google Workspace for Education Plus and Cloud Identity Premium customers. No additional setup is needed to use it. While in Beta, the Admin Console (http://admin.google.com) does not yet honor the condition on a RoleAssignment that has one.

The condition associated with this role assignment. A RoleAssignment with the condition field set will only take effect when the resource being accessed meets the condition. If condition is empty, the role (roleId) is applied to the actor (assignedTo) at the scope (scopeType) unconditionally.

Currently, only two conditions are supported:

  • To make the RoleAssignment only applicable to Security Groups: api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'

  • To make the RoleAssignment not applicable to Security Groups: !api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'

Currently, the two condition strings must be used verbatim, and they work only with the following pre-built administrator roles:

  • Groups Editor
  • Groups Reader

The condition follows Cloud IAM condition syntax.
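The following is an added example, not code from the Admin SDK reference or the Google client libraries. It builds the JSON body for roleAssignments.insert from the fields above and refuses, before anything reaches the API, bodies that break the documented constraints: scopeType must be CUSTOMER or ORG_UNIT, orgUnitId accompanies ORG_UNIT scope only, and a condition must be one of the two verbatim strings and is only meaningful on the Groups Editor / Groups Reader roles. The role_name parameter and the example IDs are assumptions; the caller is expected to resolve a role name from its own lookup (for instance roles.list), and the API itself identifies roles only by roleId.

```python
"""Build a RoleAssignment body for roleAssignments.insert and enforce the
constraints the reference documents before anything is sent to the API.

Added example; not code from the Admin SDK reference or client libraries.
Assumptions: role IDs and assignee IDs are passed as strings (the API uses
int64-as-string), and role_name is an optional caller-supplied role name used
only to check the condition/role restriction.
"""

KIND = "admin#directory#roleAssignment"
SCOPE_TYPES = ("CUSTOMER", "ORG_UNIT")

# The two condition strings the reference supports, verbatim.
SECURITY_GROUPS_ONLY = (
    "api.getAttribute('cloudidentity.googleapis.com/groups.labels', [])"
    ".hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'"
)
NOT_SECURITY_GROUPS = (
    "!api.getAttribute('cloudidentity.googleapis.com/groups.labels', [])"
    ".hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'"
)
SUPPORTED_CONDITIONS = frozenset({SECURITY_GROUPS_ONLY, NOT_SECURITY_GROUPS})
# Pre-built roles the conditions work with.
CONDITION_ROLES = frozenset({"Groups Editor", "Groups Reader"})


class RoleAssignmentError(ValueError):
    """Raised when a body would violate a documented constraint."""


def build_role_assignment(assigned_to, role_id, scope_type,
                          org_unit_id=None, condition=None, role_name=None):
    """Return a dict suitable as the JSON body of roleAssignments.insert."""
    if scope_type not in SCOPE_TYPES:
        raise RoleAssignmentError(
            f"scopeType must be one of {SCOPE_TYPES}, got {scope_type!r}")
    if scope_type == "ORG_UNIT" and not org_unit_id:
        raise RoleAssignmentError("ORG_UNIT scope requires orgUnitId")
    if scope_type == "CUSTOMER" and org_unit_id:
        # A customer-wide grant is not narrowed by an orgUnitId; refuse the
        # ambiguous request rather than silently granting the wider scope.
        raise RoleAssignmentError("orgUnitId is only meaningful with ORG_UNIT scope")

    body = {
        "kind": KIND,
        "roleId": str(role_id),
        "assignedTo": str(assigned_to),
        "scopeType": scope_type,
    }
    if org_unit_id:
        body["orgUnitId"] = org_unit_id

    if condition is not None:
        # Conditions must match byte for byte; a reflowed or re-quoted string
        # is not one of the supported conditions.
        if condition not in SUPPORTED_CONDITIONS:
            raise RoleAssignmentError(
                "condition is not one of the two supported verbatim strings")
        if role_name is not None and role_name not in CONDITION_ROLES:
            raise RoleAssignmentError(
                f"conditions only work with {sorted(CONDITION_ROLES)}, not {role_name!r}")
        body["condition"] = condition
    return body


def rejects(**kwargs):
    """True if build_role_assignment raises RoleAssignmentError for kwargs."""
    try:
        build_role_assignment(**kwargs)
    except RoleAssignmentError:
        return True
    return False


if __name__ == "__main__":
    import json
    # Constructed example IDs; real values come from users/groups and roles.
    print(json.dumps(build_role_assignment(
        assigned_to="100000000000000000001",
        role_id="12345678901234567",
        scope_type="CUSTOMER",
        condition=SECURITY_GROUPS_ONLY,
        role_name="Groups Reader"), indent=2))
```

The two checks worth keeping even outside this example are the verbatim comparison (a condition copied through a formatter that adds a trailing newline or re-quotes the strings is no longer one of the supported conditions) and the refusal of an orgUnitId on a CUSTOMER-scope body, which is the case where a caller most likely believed the grant was narrower than it is.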

AssigneeType

The type of identity to which a role is assigned.

Enums
USER An individual user within the domain.
GROUP A group within the domain.

Methods

delete

Deletes a role assignment.

get

Retrieves a role assignment.

insert

Creates a role assignment.

list

Retrieves a paginated list of all roleAssignments.
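The following is an added example, not code from the Admin SDK reference. It walks the paginated roleAssignments.list output and reports the grants a reviewer of admin privilege cares about: who holds a role at CUSTOMER scope with no condition (the broadest grant this resource can express), ORG_UNIT-scoped assignments that carry no orgUnitId, and roles assigned to a GROUP, where membership changes silently change who holds the role. It assumes the list response shape used by Directory API list methods (an "items" array plus an optional "nextPageToken" passed back as the next request's pageToken); the fetch function and the sample pages are constructed stand-ins for real API calls.

```python
"""Walk roleAssignments.list pages and flag grants worth a second look.

Added example; not code from the Admin SDK reference. The "items" /
"nextPageToken" response shape is assumed from the Directory API list
methods; SAMPLE_PAGES and fetch_sample_page are constructed stand-ins for
real API responses.
"""
from collections import defaultdict

# Verbatim "only Security Groups" condition from the reference, used in the sample.
SECURITY_GROUPS_ONLY = (
    "api.getAttribute('cloudidentity.googleapis.com/groups.labels', [])"
    ".hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'"
)

# Constructed sample: two pages of RoleAssignment resources. IDs are made up.
SAMPLE_PAGES = {
    None: {
        "items": [
            {"kind": "admin#directory#roleAssignment", "roleAssignmentId": "1",
             "roleId": "100", "assignedTo": "user-a", "assigneeType": "USER",
             "scopeType": "CUSTOMER"},
            {"kind": "admin#directory#roleAssignment", "roleAssignmentId": "2",
             "roleId": "100", "assignedTo": "group-g", "assigneeType": "GROUP",
             "scopeType": "CUSTOMER", "condition": SECURITY_GROUPS_ONLY},
            {"kind": "admin#directory#roleAssignment", "roleAssignmentId": "3",
             "roleId": "200", "assignedTo": "user-b", "assigneeType": "USER",
             "scopeType": "ORG_UNIT", "orgUnitId": "id:ou-eng"},
        ],
        "nextPageToken": "page-2",
    },
    "page-2": {
        "items": [
            {"kind": "admin#directory#roleAssignment", "roleAssignmentId": "4",
             "roleId": "200", "assignedTo": "user-c", "assigneeType": "USER",
             "scopeType": "ORG_UNIT"},
        ],
    },
}


def fetch_sample_page(page_token):
    """Stand-in for a roleAssignments.list call with the given pageToken."""
    return SAMPLE_PAGES[page_token]


def iter_role_assignments(fetch_page):
    """Yield every RoleAssignment across all pages.

    fetch_page(token) must return one list response dict; in real use it is
    the caller's wrapper around roleAssignments.list(pageToken=token).
    """
    token = None
    while True:
        page = fetch_page(token)
        yield from page.get("items", [])
        token = page.get("nextPageToken")
        if not token:
            return


def audit_role_assignments(assignments):
    """Return (customer_wide, findings).

    customer_wide maps roleId -> assignedTo IDs holding the role at CUSTOMER
    scope with no condition. findings lists assignment IDs that deserve review.
    """
    customer_wide = defaultdict(list)
    findings = []
    for a in assignments:
        rid = a["roleAssignmentId"]
        scope = a.get("scopeType")
        if scope == "CUSTOMER" and not a.get("condition"):
            customer_wide[a["roleId"]].append(a["assignedTo"])
        if scope == "ORG_UNIT" and not a.get("orgUnitId"):
            findings.append(f"{rid}: ORG_UNIT scope but no orgUnitId")
        if a.get("assigneeType") == "GROUP":
            # Whoever can add members to this group can hand out the role.
            findings.append(
                f"{rid}: role {a['roleId']} granted to group {a['assignedTo']} at {scope} scope")
    return dict(customer_wide), findings


if __name__ == "__main__":
    wide, notes = audit_role_assignments(iter_role_assignments(fetch_sample_page))
    for role_id, holders in wide.items():
        print(f"role {role_id} held customer-wide by: {', '.join(holders)}")
    for note in notes:
        print("review:", note)
```

In real use, replace fetch_sample_page with a function that calls roleAssignments.list with the token and returns the parsed response; the generator stops when a page carries no nextPageToken, so a single-page tenant and a multi-page tenant are handled the same way.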