# Add action permission to a role

> Grant a specific action permission to a role.

**Authorization**: Users can modify the permissions of roles they have access to manage.
Permissions are checked via Cerbos policies.

**Action Assignment**: Adds the specified action to the role's allowed permissions.

**Use Cases**:
- Grant new permissions to existing roles
- Administrative role management
- Dynamic permission assignment
- Security policy updates

**Policy Updates**: Changes are propagated to the Cerbos policy engine and take effect immediately.

**Note**: This endpoint manages role permissions through Cerbos policy configuration.



## OpenAPI

````yaml https://raw.githubusercontent.com/prefeitura-rio/heimdall/main/docs/api/openapi.json post /api/v1/roles/{role_name}/actions
openapi: 3.1.0
info:
  title: Heimdall Admin Service
  description: >-
    # Heimdall Admin Service API


    A comprehensive admin service for user and group management with
    authorization powered by Cerbos.


    ## Features


    - **User Management**: Automatic user creation from JWT tokens with
    role-based access control

    - **Group Management**: Create, manage, and assign users to groups with
    hierarchical permissions

    - **Role Management**: Define and assign roles to users and groups

    - **Mapping Management**: Configure API endpoint to action mappings for
    authorization

    - **Action Management**: Define available actions for fine-grained
    permission control

    - **Cerbos Integration**: Policy-based authorization with external Cerbos
    service

    - **Audit Logging**: Comprehensive audit trail for all administrative
    operations

    - **Redis Caching**: High-performance caching for frequently accessed data
  version: 1.0.0
servers:
  - url: https://services.pref.rio/heimdall-admin
    description: Production server
  - url: https://services.staging.app.dados.rio/heimdall-admin
    description: Staging server
security: []
tags:
  - name: health
    description: Service health and readiness checks
  - name: users
    description: >-
      User management operations. Users are automatically created from JWT
      tokens.
  - name: groups
    description: >-
      Group management operations. Groups organize users and can have roles
      assigned.
  - name: memberships
    description: Group membership management. Assign and remove users from groups.
  - name: roles
    description: >-
      Role management operations. Roles define permissions that can be assigned
      to users or groups.
  - name: actions
    description: >-
      Action management operations. Actions define the granular permissions
      available in the system.
  - name: mappings
    description: >-
      API endpoint to action mapping configuration. Maps HTTP endpoints to
      authorization actions.
paths:
  /api/v1/roles/{role_name}/actions:
    post:
      tags:
        - roles
      summary: Add action permission to a role
      description: >-
        Grant a specific action permission to a role.


        **Authorization**: Users can modify role permissions they have access to
        manage.

        Permissions are checked via Cerbos policies.


        **Action Assignment**: Adds the specified action to the role's allowed
        permissions.


        **Use Cases**:

        - Grant new permissions to existing roles

        - Administrative role management

        - Dynamic permission assignment

        - Security policy updates


        **Policy Updates**: Changes are propagated to Cerbos policy engine for
        immediate effect.


        **Note**: This endpoint manages role permissions through Cerbos policy
        configuration.
      operationId: assign_action_to_role_api_v1_roles__role_name__actions_post
      parameters:
        - name: role_name
          in: path
          required: true
          schema:
            type: string
            title: Role Name
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RoleActionRequest'
      responses:
        '200':
          description: Action permission added to role successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RoleActionResponse'
              example:
                status: action_assigned
                role: data_analyst:read
                action: user:read
        '400':
          description: Bad request - Invalid action name or role already has permission
          content:
            application/json:
              example:
                detail: Role already has permission for this action
        '401':
          description: Unauthorized - Invalid or missing JWT token
          content:
            application/json:
              example:
                detail: Could not validate credentials
        '403':
          description: Forbidden - Insufficient permissions to modify role actions
          content:
            application/json:
              example:
                detail: >-
                  Permission denied to modify actions for role
                  'data_analyst:read'
        '404':
          description: Role or action not found
          content:
            application/json:
              example:
                detail: Role 'unknown-role' not found
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                detail: 'Failed to assign action to role: Policy service error'
      security:
        - HTTPBearer: []
components:
  schemas:
    RoleActionRequest:
      properties:
        action_name:
          type: string
          pattern: ^[a-z0-9_:]+$
          title: Action Name
          description: >-
            Name of the action to assign/remove (lowercase letters, numbers,
            underscores, and colons only)
          example: user:read
      type: object
      required:
        - action_name
      title: RoleActionRequest
      description: Request model for role-action operations.
      example:
        action_name: user:read
    RoleActionResponse:
      properties:
        status:
          type: string
          title: Status
          description: Status of the operation
          example: action_assigned
        role:
          type: string
          title: Role
          description: Role name
          example: data_analyst:read
        action:
          type: string
          title: Action
          description: Action name
          example: user:read
      type: object
      required:
        - status
        - role
        - action
      title: RoleActionResponse
      description: Response model for role-action operations.
      example:
        action: user:read
        role: data_analyst:read
        status: action_assigned
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    HTTPBearer:
      type: http
      scheme: bearer

````
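The request and its documented responses, as an added example that is not code from the Heimdall project: it builds the POST without sending it, enforces the `action_name` pattern with a full match, encodes `role_name` (which has no pattern in the spec) as a single path segment, and maps the documented status codes to outcomes. The function names, the caller-supplied token and the `already_assigned` return value are assumptions; the URL, path, pattern, status codes and bodies come from the spec above.

```python
import json
import re
import urllib.parse
import urllib.request

# Staging server from the spec; callers pass their own bearer token.
BASE_URL = "https://services.staging.app.dados.rio/heimdall-admin"
ACTION_RE = re.compile(r"[a-z0-9_:]+")  # pattern of RoleActionRequest.action_name


def build_assign_request(role_name, action_name, token):
    """Build (but do not send) POST /api/v1/roles/{role_name}/actions."""
    # fullmatch rather than match with '$': '$' also accepts "user:read\n".
    if not ACTION_RE.fullmatch(action_name):
        raise ValueError(f"invalid action_name: {action_name!r}")
    # Dot segments survive percent-encoding and may be normalized by proxies.
    if role_name in ("", ".", ".."):
        raise ValueError(f"invalid role_name: {role_name!r}")
    # safe="" also encodes '/', so the value stays one path segment.
    segment = urllib.parse.quote(role_name, safe="")
    return urllib.request.Request(
        f"{BASE_URL}/api/v1/roles/{segment}/actions",
        data=json.dumps({"action_name": action_name}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def interpret_response(status, body, role_name, action_name):
    """Map the documented status codes to an outcome; raise on failure."""
    payload = json.loads(body)
    if status == 200:
        # Confirm the server granted exactly what was requested.
        if (payload.get("role"), payload.get("action")) != (role_name, action_name):
            raise RuntimeError("response does not match the requested grant")
        return payload["status"]
    detail = payload.get("detail")
    if status == 400 and "already has permission" in str(detail):
        return "already_assigned"  # treat a repeated grant as a no-op
    if status in (401, 403):
        raise PermissionError(detail)
    raise RuntimeError(f"{status}: {detail}")
```

Send the built request with `urllib.request.urlopen(req)` and pass the status and body to `interpret_response`; on an error status `urlopen` raises `urllib.error.HTTPError`, whose `.code` and `.read()` supply the same two values.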