User to Role Maps are the final linking objects in the Role-Based Access Control (RBAC) system that establish the relationship between users and roles. They define which roles are assigned to specific users, completing the RBAC chain that enables users to inherit permissions through their assigned roles.
API Endpoints
User to Role Maps are managed via the Configuration server API at [http|https]://[hostname]:[port]/v1.0/tenants/[tenant-guid]/userrolemaps
Supported HTTP Methods: GET, HEAD, PUT, DELETE
Important: All user role map operations require administrator-level access tokens.
User Role Map Object Structure
User Role Map objects contain the essential linking information between users and roles. Here's the complete structure:
{
"GUID": "00000000-0000-0000-0000-000000000000",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "00000000-0000-0000-0000-000000000000",
"RoleGUID": "00000000-0000-0000-0000-000000000000",
"Active": true,
"IsProtected": true,
"CreatedUtc": "2025-10-09T17:27:05.247203Z"
}Field Descriptions
- GUID (GUID): Globally unique identifier for the user role map object
- TenantGUID (GUID): Globally unique identifier for the tenant
- UserGUID (GUID): GUID of the user this map belongs to
- RoleGUID (GUID): GUID of the role being assigned to the user
- Active (boolean): Indicates whether the user role map is active and can be used
- IsProtected (boolean): Indicates whether the user role map is protected from modification
- CreatedUtc (datetime): UTC timestamp when the user role map was created
Complete RBAC System Integration
User Role Maps complete the RBAC hierarchy and enable the full permission inheritance chain:
- Permissions define what operations can be performed on specific resources
- Role Permission Maps link permissions to roles
- Roles group related permissions together
- User Role Maps assign roles to users ← This API
- Users inherit permissions through their assigned roles
This design enables:
- Flexible User Management: Users can be assigned multiple roles
- Dynamic Permission Inheritance: Users automatically inherit all permissions from their assigned roles
- Centralized Role Management: Changes to role permissions affect all users with that role
- Granular Access Control: Fine-grained control over user access through role assignments
Enumerate User Role Maps
Retrieves a paginated list of all user role map objects in the system using GET /v2.0/tenants/[tenant-guid]/userrolemaps/. This endpoint provides comprehensive enumeration with pagination support for managing multiple user role assignments.
Request Parameters
No additional parameters required beyond authentication.
curl --location 'http://localhost:8000/v2.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps/' \
--header 'Authorization: ••••••'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const enumerateUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.enumerate();
console.log(response, 'User role map fetched successfully');
} catch (err) {
console.log('Error fetching User role map:', err);
}
};
enumerateUserRoleMap();Response
Returns a paginated enumeration result containing user role map objects:
{
"Success": true,
"Timestamp": {
"Start": "2025-10-15T08:24:17.876793Z",
"TotalMs": 6.39,
"Messages": {}
},
"MaxResults": 1000,
"Skip": 0,
"IterationsRequired": 1,
"EndOfResults": true,
"TotalRecords": 1,
"RecordsRemaining": 0,
"Objects": [
{
"GUID": "00000000-0000-0000-0000-000000000000",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "00000000-0000-0000-0000-000000000000",
"RoleGUID": "00000000-0000-0000-0000-000000000000",
"Active": true,
"IsProtected": true,
"CreatedUtc": "2025-10-09T17:27:05.247203Z"
}
]
}Read All User Role Maps
Retrieves all user role map objects in a single request using GET /v1.0/tenants/[tenant-guid]/userrolemaps. This endpoint provides a simple way to get all user role assignments without pagination.
Request Parameters
No additional parameters required beyond authentication.
curl --location 'http://localhost:8000/v1.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps' \
--header 'Authorization: ••••••'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const readAllUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.readAll();
console.log(response, 'User role map fetched successfully');
} catch (err) {
console.log('Error fetching User role map:', err);
}
};
readAllUserRoleMaps();Response
Returns an array of all user role map objects:
[
{
"GUID": "00000000-0000-0000-0000-000000000000",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "00000000-0000-0000-0000-000000000000",
"RoleGUID": "00000000-0000-0000-0000-000000000000",
"Active": true,
"IsProtected": true,
"CreatedUtc": "2025-10-09T17:27:05.247203Z"
}
]Read User Role Map
Retrieves a specific user role map object by its GUID using GET /v1.0/tenants/[tenant-guid]/userrolemaps/[map-guid]. This endpoint allows you to get detailed information about a single user role assignment.
Request Parameters
- map-guid (string, Path, Required): GUID of the user role map to retrieve
curl --location 'http://localhost:8000/v1.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps/00000000-0000-0000-0000-000000000000' \
--header 'Authorization: ••••••'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const readUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.read('00000000-0000-0000-0000-000000000000');
console.log(response, 'User role map fetched successfully');
} catch (err) {
console.log('Error fetching User role map:', err);
}
};
readUserRoleMap();Response
Returns the requested user role map object:
{
"GUID": "00000000-0000-0000-0000-000000000000",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "00000000-0000-0000-0000-000000000000",
"RoleGUID": "00000000-0000-0000-0000-000000000000",
"Active": true,
"IsProtected": true,
"CreatedUtc": "2025-10-09T17:27:05.247203Z"
}Create User Role Map
Creates a new user role map object using PUT /v1.0/tenants/[tenant-guid]/userrolemaps. This endpoint allows you to assign roles to users, completing the RBAC permission inheritance chain.
Request Parameters
{
"UserGUID": "11111111-1111-1111-1111-111111111111",
"RoleGUID": "22222222-2222-2222-2222-222222222222",
"Active": true,
}curl --location --request PUT 'http://localhost:8000/v1.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps' \
--header 'content-type: application/json' \
--header 'Authorization: ••••••' \
--data '{
"UserGUID": "00000000-0000-0000-0000-000000000000",
"RoleGUID": "00000000-0000-0000-0000-000000000000",
"Active": true
}'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const createUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.create({
UserGUID: '00000000-0000-0000-0000-000000000000',
RoleGUID: '00000000-0000-0000-0000-000000000000',
Active: true,
});
console.log(response, 'User role map created successfully');
} catch (err) {
console.log('Error creating User role map:', err);
}
};
createUserRoleMap();Response
Returns the created user role map object with generated GUID and timestamps:
{
"GUID": "33333333-3333-3333-3333-333333333333",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "11111111-1111-1111-1111-111111111111",
"RoleGUID": "22222222-2222-2222-2222-222222222222",
"Active": true,
"IsProtected": false,
"CreatedUtc": "2025-10-09T17:27:05.247203Z"
}Update User Role Map
Updates an existing user role map object using PUT /v1.0/tenants/[tenant-guid]/userrolemaps/[map-guid]. This endpoint allows you to modify user role assignments.
Request Parameters
{
"GUID": "33333333-3333-3333-3333-333333333333",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "11111111-1111-1111-1111-111111111111",
"RoleGUID": "44444444-4444-4444-4444-444444444444",
"Active": true,
"IsProtected": false
}curl --location --request PUT 'http://localhost:8000/v1.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps/00000000-0000-0000-0000-000000000000' \
--header 'content-type: application/json' \
--header 'Authorization: ••••••' \
--data '{
"UserGUID": "00000000-0000-0000-0000-000000000000",
"RoleGUID": "00000000-0000-0000-0000-000000000000",
"Active": true
}'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const updateUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.update({
GUID: '85306043-5464-4257-9c75-6ea4dd55d590',
TenantGUID: '00000000-0000-0000-0000-000000000000',
UserGUID: '00000000-0000-0000-0000-000000000000',
RoleGUID: '00000000-0000-0000-0000-000000000000',
Active: true,
IsProtected: false,
CreatedUtc: '2025-10-15T06:31:02.212738Z',
});
console.log(response, 'User role map updated successfully');
} catch (err) {
console.log('Error updating User role map:', err);
}
};
updateUserRoleMap();Response
Returns the updated user role map object:
{
"GUID": "33333333-3333-3333-3333-333333333333",
"TenantGUID": "00000000-0000-0000-0000-000000000000",
"UserGUID": "11111111-1111-1111-1111-111111111111",
"RoleGUID": "44444444-4444-4444-4444-444444444444",
"Active": true,
"IsProtected": false,
"CreatedUtc": "2025-10-09T17:27:05.247203Z"
}Delete User Role Map
Deletes a user role map object by its GUID using DELETE /v1.0/tenants/[tenant-guid]/userrolemaps/[map-guid]. This endpoint permanently removes the user role assignment from the system.
Request Parameters
- map-guid (string, Path, Required): GUID of the user role map to delete
curl --location --request DELETE 'http://localhost:8000/v1.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps/33333333-3333-3333-3333-333333333333' \
--header 'Authorization: ••••••'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const deleteUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.delete('85306043-5464-4257-9c75-6ea4dd55d590');
console.log(response, 'User role map deleted successfully');
} catch (err) {
console.log('Error deleting User role map:', err);
}
};
deleteUserRoleMap();Check User Role Map Existence
Checks if a user role map exists by its GUID using HEAD /v1.0/tenants/[tenant-guid]/userrolemaps/[map-guid]. This endpoint allows you to verify user role map presence without retrieving the full object.
Request Parameters
- map-guid (string, Path, Required): GUID of the user role map to check
curl --location --head 'http://localhost:8000/v1.0/tenants/00000000-0000-0000-0000-000000000000/userrolemaps/33333333-3333-3333-3333-333333333333' \
--header 'Authorization: ••••••'import { ViewConfigurationSdk } from "view-sdk";
const api = new ViewConfigurationSdk(
"http://localhost:8000/", //endpoint
"default", //tenant Id
"default" //access key
);
const existsUserRoleMap = async () => {
try {
const response = await api.Rbac.UserRoleMap.exists('85306043-5464-4257-9c75-6ea4dd55d590');
console.log(response, 'User role map exists successfully');
} catch (err) {
console.log('Error checking User role map existence:', err);
}
};
checkUserRoleMapExists();Best Practices
- Principle of Least Privilege: Only assign roles that provide the minimum necessary permissions
- Regular Auditing: Periodically review user role assignments for accuracy and appropriateness
- Role-Based Management: Use roles to group users with similar access requirements
- Testing: Test user role changes in a development environment before production deployment
- Documentation: Maintain documentation of user role assignments and their business justification
- Monitoring: Monitor the impact of user role changes on access patterns and system security
- Separation of Duties: Ensure critical operations require multiple roles or approval processes