• Get Started
  • Documentation
  • Samples
  • Blog
  • Pricing
    • Table of contents
    Overview
    Tutorials
    Samples
    Changelog
    iModels
    Download API definition:
    Update iModel Role Permissions
    PATCH https://api.bentley.com/imodels/{id}/rolepermissions

    Configures RBAC role permissions for the individual iModel. Specified permissions are assigned to the provided role.

    Individual iModel permissions allow to have more granular permissions than assigned at iTwin level. This either broadens or shrinks the set of permission the user has at iTwin level. That is, once at least one role permission is configured on the given iModel, then this configuration takes precedence over permissions configured at iTwin level.

    Role and User permissions are mutually exclusive and cannot be configured for an iModel at the same time.

    Please refer to Access Control API to learn more about Role Based Access Control principles in general.

    iModel permissions that could be assigned to the provided role:

    imodels_webview - allows to view iModel in web browser, but does not allow to get its local copy and view in desktop app.

    imodels_read - allows to open and view an iModel only in read-only state.

    imodels_write - allows to make changes to an iModel. Allows to create and modify named versions. Allows to create mapping between PW connection and iModel to facilitate bridges.

    imodels_manage - allows to manage locks, codes or local copies for the entire iModel.

    Authentication

    Requires Authorization header with valid Bearer token for scope itwin-platform.

    For more documentation on authorization and how to get access token visit OAUTH2 Authorization page.

    Authorization

    User must have imodels_manage permission assigned at the iModel level. If iModel Role permissions at the iModel level are configured, then user must additionally have at least imodels_webview permission assigned at the iTwin level. If permissions at the iModel level are not configured, then user must have imodels_manage permission assigned at the iTwin level.

    Alternatively the user should be an Organization Administrator for the Organization that owns a given iTwin the iModel belongs to.

    For more information please refer to Account Administrator documentation section on Access Control API documentation page.

    Rate limits

    All iTwin Platform API operations have a rate limit. For more documentation on that visit Rate limits and quotas page.

    Request

    Request parameters

    Name
    Required?
    Description
    id
    Yes

    iModel id

    Request headers

    Name
    Required?
    Description
    Content-Type
    No
    Authorization
    Yes

    OAuth access token with itwin-platform scope

    Accept
    Yes

    Setting to application/vnd.bentley.itwin-platform.v2+json is recommended.

    Request body

    Role permissions (update)

    Name
    Type
    Required?
    Description
    rolePermissions
    RolePermissions[]
    No

    An array of role permissions.

    Example

    json
    {
    "rolePermissions": [{
            "roleId": "119a0b34-d11a-4412-93ff-d991b085d8f0",
            "permissions": ["imodels_webview"]
        },
        {
            "roleId": "e8ad12d7-c475-48ac-a178-d6ee0efe44ba",
            "permissions": ["imodels_webview", "imodels_read", "imodels_write", "imodels_manage"]
        }
    ]
}

    Response

    Response 200 OK

    OK

    json
    {
    "rolePermissions": [{
            "roleId": "119a0b34-d11a-4412-93ff-d991b085d8f0",
            "permissions": ["imodels_webview"]
        },
        {
            "roleId": "e8ad12d7-c475-48ac-a178-d6ee0efe44ba",
            "permissions": ["imodels_webview", "imodels_read", "imodels_write", "imodels_manage"]
        }
    ]
}

    Response 401 Unauthorized

    This response indicates that request lacks valid authentication credentials. Access token might not been provided, issued by the wrong issuer, does not have required scopes or request headers were malformed.

    json
    {
    "error": {
        "code": "HeaderNotFound",
        "message": "Header Authorization was not found in the request. Access denied."
    }
}

    Response 403 Forbidden

    User is not authorized to update a Role permissions.

    json
    {
    "error": {
        "code": "InsufficientPermissions",
        "message": "The user has insufficient permissions for the requested operation."
    }
}

    Response 404 Not Found

    Requested iModel is not available.

    json
    {
    "error": {
        "code": "iModelNotFound",
        "message": "Requested iModel is not available."
    }
}

    Response 409 Conflict

    User permissions are already configured or iModel is not initialized and modify operations are not allowed.

    json
    {
    "error": {
        "code": "PermissionsConflict",
        "message": "User permissions are already configured."
    }
}

    Response 415 Unsupported Media Type

    This response indicates that the user has specified not supported media type in the request.

    json
    {
    "error": {
        "code": "UnsupportedMediaType",
        "message": "Media Type is not supported."
    }
}

    Response 422 Unprocessable Entity

    The 422 (Unprocessable Entity) status code indicates that the request cannot be processed by the server due to a client error (e.g. malformed request syntax)

    json
    {
    "error": {
        "code": "InvalidiModelsRequest",
        "message": "Cannot update Role permissions.",
        "details": [{
                "code": "MissingRequiredProperty",
                "message": "Required property is missing.",
                "target": "rolePermissions"
            },
            {
                "code": "InvalidRequestBody",
                "message": "Failed to parse request body. Make sure it is a valid JSON."
            }
        ]
    }
}

    Response 429 Too many requests

    This response indicates that the user has sent too many requests in a given amount of time.

    json
    {
    "error": {
        "code": "TooManyRequests",
        "message": "More requests were received than the subscription rate-limit allows."
    }
}

    Response headers

    Name
    Description
    retry-after

    The number of requests exceeds the rate-limit for the client subscription.

    Definitions

    Role permissions (update)

    Properties of role permissions to be updated.

    Name
    Type
    Description
    rolePermissions
    RolePermissions[]

    An array of role permissions.

    Role permissions

    Contains a list of role ids and their individual iModels permissions.

    Name
    Type
    Description
    roleId
    String

    Id of the Role.

    permissions
    String[]

    Array of permissions user has on an iModel.

    Role Permissions Response

    List of Role permissions.

    Name
    Type
    Description
    rolePermissions
    RolePermissions[]

    List of Role permissions.

    Error

    Contains error information.

    Name
    Type
    Description
    code
    String

    One of a server-defined set of error codes.

    message
    String

    A human-readable representation of the error.

    target
    String, null

    The target of the error.

    Error Response

    Gives details for an error that occurred while handling the request. Note that clients MUST NOT assume that every failed request will produce an object of this schema, or that all of the properties in the response will be non-null, as the error may have prevented this response from being constructed.

    Name
    Type
    Description
    error
    Error

    Error information.