Get User Effective Grants

cURL

curl --request GET \
  --url https://api.timbal.ai/orgs/{org_id}/iam/users/{user_id}/effective-grants \
  --header 'Authorization: Bearer <token>'

{
  "grants": [
    {
      "action": "<string>",
      "via": {
        "role_id": "<string>",
        "role_name": "<string>",
        "attachment_scope": "<string>",
        "grant_resource": "<string>"
      },
      "resource": "<string>"
    }
  ],
  "is_superadmin": true,
  "user_id": "<string>"
}

GET

orgs

{org_id}

iam

users

{user_id}

effective-grants

cURL

curl --request GET \
  --url https://api.timbal.ai/orgs/{org_id}/iam/users/{user_id}/effective-grants \
  --header 'Authorization: Bearer <token>'

{
  "grants": [
    {
      "action": "<string>",
      "via": {
        "role_id": "<string>",
        "role_name": "<string>",
        "attachment_scope": "<string>",
        "grant_resource": "<string>"
      },
      "resource": "<string>"
    }
  ],
  "is_superadmin": true,
  "user_id": "<string>"
}

Authorizations

Authorization

string

header

required

Timbal API key. Obtain your API key from the Timbal platform settings. See Authentication for more information.

Path Parameters

org_id

string

required

user_id

string

required

Response

Effective grants for the user

grants

object[]

required

One row per (attachment × grant) pair, ordered for stable rendering. May contain duplicates on (effect, action, resource) when multiple roles contribute the same grant — via distinguishes them.

Show child attributes

is_superadmin

boolean

required

true if the target is a platform superadmin. RBAC is bypassed for every action regardless of grants[] (which will be empty unless a superadmin happens to also have org role attachments).

user_id

string

required

Echoes the target user id.

Update User Roles List rules