> ## Documentation Index
> Fetch the complete documentation index at: https://docs.timbal.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Batch Update User Roles

> Replace role attachments for multiple members in one request.



## OpenAPI

````yaml PUT /orgs/{org_id}/iam/users/roles
openapi: 3.1.0
info:
  title: Timbal Platform API
  description: Public API documentation for the Timbal platform
  license:
    name: ''
  version: 2.0.0
servers:
  - url: https://api.timbal.ai
    description: Production
  - url: https://api.dev.timbal.ai
    description: Development
security: []
tags:
  - name: ace
    description: Action Control Engine (ACE) operations
  - name: analytics
    description: Project analytics
  - name: billing
    description: Subscriptions, usage, and payment-related operations
  - name: content
    description: Re-sign stored content URLs
  - name: files
    description: File operations
  - name: iam
    description: IAM — actions, roles, users, and authorization introspection
  - name: k2
    description: Knowledge Bases v2 operations
  - name: orgs
    description: Organization operations
  - name: projects
    description: Project operations
  - name: runs
    description: Execution operations
  - name: templates
    description: Public project template catalog
  - name: users
    description: Authenticated user profile
paths:
  /orgs/{org_id}/iam/users/roles:
    put:
      tags:
        - iam
      description: Replace role attachments for multiple members in one request.
      operationId: bulk_handler
      parameters:
        - name: org_id
          in: path
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BulkReplaceRolesReqBody'
        required: true
      responses:
        '204':
          description: Attachments updated
          content:
            application/json:
              schema:
                type: 'null'
                description: Successful responses use HTTP 204 and do not include a body.
        '403':
          description: Insufficient permissions
        '422':
          description: Invalid request
      security:
        - bearer_auth: []
components:
  schemas:
    BulkReplaceRolesReqBody:
      type: object
      required:
        - users
      properties:
        users:
          type: array
          items:
            $ref: '#/components/schemas/UserRolesReq'
          description: |-
            Per-member desired attachment sets. Applied atomically: if any entry
            is rejected the whole request fails and nothing is written. A member
            may not appear twice and may not be the caller.
    UserRolesReq:
      type: object
      description: One member's desired attachment set in a bulk request.
      required:
        - user_id
        - attachments
      properties:
        attachments:
          type: array
          items:
            $ref: '#/components/schemas/AttachmentReq'
          description: |-
            Desired attachment set for this member. Same semantics as the
            single-member endpoint: a full replace, an empty list detaches
            everything, duplicate `(role_id, scope)` pairs are ignored.
        user_id:
          type: integer
          format: int64
    AttachmentReq:
      type: object
      description: |-
        A single (role, scope) attachment in the desired state.

        `scope` is an optional hierarchical resource path (`projects:42`,
        `projects:42:envs:5`). `null` / omitted = unscoped (the role's grants
        apply as-written). The same role may appear multiple times with
        different scopes — the unique key on `OrgUserRoles` is
        `(org, user, role, scope) NULLS NOT DISTINCT`.
      required:
        - role_id
      properties:
        role_id:
          type: integer
          format: int64
        scope:
          type:
            - string
            - 'null'
  securitySchemes:
    bearer_auth:
      type: http
      scheme: bearer
      description: >-
        Timbal API key. Obtain your API key from the Timbal platform settings.
        See [Authentication](/api-reference/authentication) for more
        information.

````