> ## Documentation Index
> Fetch the complete documentation index at: https://docs.timbal.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Organization Role

> Retrieve a role and the full set of grants it carries.



## OpenAPI

````yaml GET /orgs/{org_id}/iam/roles/{role_id}
openapi: 3.1.0
info:
  title: Timbal Platform API
  description: Public API documentation for the Timbal platform
  license:
    name: ''
  version: 2.0.0
servers:
  - url: https://api.timbal.ai
    description: Production
  - url: https://api.dev.timbal.ai
    description: Development
security: []
tags:
  - name: ace
    description: Action Control Engine (ACE) operations
  - name: analytics
    description: Project analytics
  - name: billing
    description: Subscriptions, usage, and payment-related operations
  - name: content
    description: Re-sign stored content URLs
  - name: files
    description: File operations
  - name: iam
    description: IAM — actions, roles, users, and authorization introspection
  - name: k2
    description: Knowledge Bases v2 operations
  - name: orgs
    description: Organization operations
  - name: projects
    description: Project operations
  - name: runs
    description: Execution operations
  - name: templates
    description: Public project template catalog
  - name: users
    description: Authenticated user profile
paths:
  /orgs/{org_id}/iam/roles/{role_id}:
    get:
      tags:
        - iam
      description: Retrieve a role and the full set of grants it carries.
      operationId: handler
      parameters:
        - name: org_id
          in: path
          required: true
          schema:
            type: string
        - name: role_id
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Role for the organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RoleDetail'
        '403':
          description: Forbidden
        '404':
          description: Role not found
      security:
        - bearer_auth: []
components:
  schemas:
    RoleDetail:
      type: object
      description: A role with its full grant set.
      required:
        - id
        - name
        - source
        - grants
        - created_at
        - updated_at
      properties:
        created_at:
          type: string
          format: date-time
        description:
          type:
            - string
            - 'null'
        grants:
          type: array
          items:
            $ref: '#/components/schemas/RoleGrant'
          description: Domain grants this role carries. May be empty.
        id:
          type: string
        name:
          type: string
        source:
          $ref: '#/components/schemas/RoleSource'
        updated_at:
          type: string
          format: date-time
    RoleGrant:
      type: object
      description: >-
        A single grant on a role — `(effect, action, resource?, condition?)`.


        `resource` is `None` for `ResourceKind::None` actions (`users.read`),

        or a hierarchical path like `projects:42:envs:5` (or
        `projects:42:envs:*`)

        for typed actions.


        `condition` is opaque JSON reserved for future ABAC; ignored by the

        evaluator in v1, accepted and stored as-is by writes.
      required:
        - effect
        - action
      properties:
        action:
          type: string
        condition: {}
        effect:
          $ref: '#/components/schemas/GrantEffect'
        resource:
          type:
            - string
            - 'null'
    RoleSource:
      type: string
      description: |-
        Whether a role is a built-in preset or defined by the organization.
        `system` roles are read-only; `custom` roles can be edited or deleted
        by an organization admin.
      enum:
        - system
        - custom
    GrantEffect:
      type: string
      description: Effect of a [`RoleGrant`]. `deny` wins at eval time.
      enum:
        - allow
        - deny
  securitySchemes:
    bearer_auth:
      type: http
      scheme: bearer
      description: >-
        Timbal API key. Obtain your API key from the Timbal platform settings.
        See [Authentication](/api-reference/authentication) for more
        information.

````