Permission endpoint

The Permission endpoint and fields are described below including details of the supported RESTful CRUD verbs. For details of the conventions of the API see the general conventions.

Endpoint path prefix: 

/n/v1/permission/

permission was introduced in API version V1

Permission has not been marked for deprecation

Description

Endpoint for managing permission grants on the platform.

Use the search endpoint for searching for permissions

Verbs / methods

This endpoint supports the following CRUD operations in line with our API conventions. See the conventions section for more details.

CREATE HTTP POST

Request payload

Permission reference

{
  "owner" : {
    "urn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
    "url" : "/n/v1/company/32a90f18-aaa0-4bdc-a63e-4efd2e16c28c"
  },
  "subjectUrn" : "3d059a42-2095-4d19-aea9-3243787e1ccd",
  "subjectScope" : "API_CLIENT",
  "objectUrn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
  "objectScope" : "COMPANY",
  "label" : "ADMINISTER",
  "fromTimestamp" : "2025-09-05T18:36:00"
}

Response payload

Permission reference
Representation of a permission grant. Permissions are fail closed so if an object requires a permission it must be present for the subject with the given label.
Permissions represent directed edges granting a subject(type) [label] to object(type). When applied to an object the permissions will be checked for an exists style relationship from the subject scope.

{
  "urn" : "db5d0ba1-5e7b-4c3c-ab08-5098ba68e948",
  "owner" : {
    "urn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
    "url" : "/n/v1/company/32a90f18-aaa0-4bdc-a63e-4efd2e16c28c"
  },
  "subjectUrn" : "3d059a42-2095-4d19-aea9-3243787e1ccd",
  "subjectScope" : "API_CLIENT",
  "objectUrn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
  "objectScope" : "COMPANY",
  "label" : "ADMINISTER",
  "fromTimestamp" : "2025-09-05T18:36:00"
}

Response codes / scenarios

  • CREATE_SUCCESS

    API code CREATE_SUCCESS HTTP status code 201 : When the representation provided was successfully created return HTTP created (201). Note that when other context like authorisation and permissions are satisfied but the representation is invalid or missing required information typically a error representation with details of the missing information may be returned instead with REPRESENTATION_MISSING_REQUIRED_FIELD api error for example

  • INVALID_REPRESENTATION

    API code INVALID_REPRESENTATION HTTP status code 400 : When creating or updating a representation and the provided representation is invalid. May include an error representation with details of the issue

  • REPRESENTATION_MISSING_REQUIRED_FIELD

    API code REPRESENTATION_MISSING_REQUIRED_FIELD HTTP status code 400 : When creating or updating a representation the provided representation was missing a required filed. Typically has a error response representation with details of the missing required field.

READ HTTP GET

Response example

Permission
Representation of a permission grant. Permissions are fail closed so if an object requires a permission it must be present for the subject with the given label.
Permissions represent directed edges granting a subject(type) [label] to object(type). When applied to an object the permissions will be checked for an exists style relationship from the subject scope.

{
  "urn" : "db5d0ba1-5e7b-4c3c-ab08-5098ba68e948",
  "owner" : {
    "urn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
    "url" : "/n/v1/company/32a90f18-aaa0-4bdc-a63e-4efd2e16c28c"
  },
  "subjectUrn" : "3d059a42-2095-4d19-aea9-3243787e1ccd",
  "subjectScope" : "API_CLIENT",
  "objectUrn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
  "objectScope" : "COMPANY",
  "label" : "ADMINISTER",
  "fromTimestamp" : "2025-09-05T18:36:00"
}

Response codes / scenarios

  • READ_SUCCESS

    API code READ_SUCCESS HTTP status code 200 : On read when the request is successful. The returned representation is given with the relevant 2XX HTTP code without further detail.

  • NOT_FOUND

    API code NOT_FOUND HTTP status code 404 : When the request referenced a representation or a concept that was not found including other request context requirements. Note that if a request is missing other concepts including authorisation, permissions or restrictions on the visibility HTTP not found (404) will typically be returned. Note that when creating a representation if the owner or other references can't be resolved the endpoint may return not found.

UPDATE HTTP PUT

Response example

Permission
Representation of a permission grant. Permissions are fail closed so if an object requires a permission it must be present for the subject with the given label.
Permissions represent directed edges granting a subject(type) [label] to object(type). When applied to an object the permissions will be checked for an exists style relationship from the subject scope.

{
  "urn" : "db5d0ba1-5e7b-4c3c-ab08-5098ba68e948",
  "owner" : {
    "urn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
    "url" : "/n/v1/company/32a90f18-aaa0-4bdc-a63e-4efd2e16c28c"
  },
  "subjectUrn" : "3d059a42-2095-4d19-aea9-3243787e1ccd",
  "subjectScope" : "API_CLIENT",
  "objectUrn" : "32a90f18-aaa0-4bdc-a63e-4efd2e16c28c",
  "objectScope" : "COMPANY",
  "label" : "ADMINISTER",
  "fromTimestamp" : "2025-09-05T18:36:00"
}

Response codes / scenarios

  • UPDATE_SUCCESS

    API code UPDATE_SUCCESS HTTP status code 202 : When creation was successful and the representation was created. Returns HTTP accepted (202) response and typically includes the representation of the created representation for reference. Note that CREATE / UPDATE can trigger async operations after the representation is accepted which can update state.

  • INVALID_REPRESENTATION

    API code INVALID_REPRESENTATION HTTP status code 400 : When creating or updating a representation and the provided representation is invalid. May include an error representation with details of the issue

  • REPRESENTATION_MISSING_REQUIRED_FIELD

    API code REPRESENTATION_MISSING_REQUIRED_FIELD HTTP status code 400 : When creating or updating a representation the provided representation was missing a required filed. Typically has a error response representation with details of the missing required field.

DELETE HTTP DELETE

Response codes / scenarios

  • DELETE_SUCCESS

    API code DELETE_SUCCESS HTTP status code 202 : When deletion of a representation was successful. Note that returns HTTP accepted (202) to represent the success of the deletion state transfer rather than HTTP gone (410) as 4XX represent client errors for semantic consistency

  • NOT_FOUND

    API code NOT_FOUND HTTP status code 404 : When the request referenced a representation or a concept that was not found including other request context requirements. Note that if a request is missing other concepts including authorisation, permissions or restrictions on the visibility HTTP not found (404) will typically be returned. Note that when creating a representation if the owner or other references can't be resolved the endpoint may return not found.