REST Resource: roleAssignments

Resource: RoleAssignment

Defines an assignment of a role.

JSON representation

JSON representation
{ "roleAssignmentId": string, "roleId": string, "kind": string, "etag": string, "assignedTo": string, "assigneeType": enum (`AssigneeType`), "scopeType": string, "orgUnitId": string, "condition": string }

{
  "roleAssignmentId": string,
  "roleId": string,
  "kind": string,
  "etag": string,
  "assignedTo": string,
  "assigneeType": enum (AssigneeType),
  "scopeType": string,
  "orgUnitId": string,
  "condition": string
}

Fields
`roleAssignmentId`	`string (int64 format)` ID of this roleAssignment.
`roleId`	`string (int64 format)` The ID of the role that is assigned.
`kind`	`string` The type of the API resource. This is always `admin#directory#roleAssignment`.
`etag`	`string` ETag of the resource.
`assignedTo`	`string` The unique ID of the entity this role is assigned to—either the `userId` of a user, the `groupId` of a group, or the `uniqueId` of a service account as defined in Identity and Access Management (IAM).
`assigneeType`	`enum (AssigneeType)` Output only. The type of the assignee (`USER` or `GROUP`).
`scopeType`	`string` The scope in which this role is assigned. Acceptable values are: `CUSTOMER` `ORG_UNIT`
`orgUnitId`	`string` If the role is restricted to an organization unit, this contains the ID for the organization unit the exercise of this role is restricted to.
`condition`	`string` Optional. The condition associated with this role assignment. Note: Feature is available to Enterprise Standard, Enterprise Plus, Google Workspace for Education Plus and Cloud Identity Premium customers. A `RoleAssignment` with the `condition` field set will only take effect when the resource being accessed meets the condition. If `condition` is empty, the role (`roleId`) is applied to the actor (`assignedTo`) at the scope (`scopeType`) unconditionally. Currently, the following conditions are supported: To make the `RoleAssignment` only applicable to Security Groups: `api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'` To make the `RoleAssignment` not applicable to Security Groups: `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'` Currently, the condition strings have to be verbatim and they only work with the following pre-built administrator roles: Groups Editor Groups Reader The condition follows Cloud IAM condition syntax. Additional conditions related to Locked Groups are available under Open Beta. To make the `RoleAssignment` not applicable to Locked Groups: `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.locked']) && resource.type == 'cloudidentity.googleapis.com/Group'` This condition can also be used in conjunction with a Security-related condition.

AssigneeType

The type of identity to which a role is assigned.

Enums
`USER`	An individual user within the domain.
`GROUP`	A group within the domain.

Methods
`delete`	Deletes a role assignment.
`get`	Retrieves a role assignment.
`insert`	Creates a role assignment.
`list`	Retrieves a paginated list of all roleAssignments.

REST Resource: roleAssignments

Resource: RoleAssignment

AssigneeType

Methods

`delete`

`get`

`insert`

`list`