Roles

📘

Accessing RBAC role API endpoints

Access to these endpoints is governed by both user permissions and organization licensing tiers:

  • Read Access (GET): Available to users with Admin or Super Admin privileges.
  • Write Access (POST, PUT, DELETE): Requires the authenticated user to have the specific RBAC permission "Manage roles".
  • Licensing: Creating and managing custom roles requires the Enterprise+ tier. Editing guest invites in standard roles is available to both Enterprise and Enterprise+ tiers.

Asana’s Roles API allows you to programmatically manage Role-Based Access Control (RBAC) at the domain level. This provides a centralized way to define permissions and ensures that security teams can resolve role IDs found in audit log events to human-readable metadata.

Organizations use these endpoints to:

  • Automate Provisioning: Programmatically create and update custom roles to match internal security policies.
  • Enhance Auditing: Resolve role identifiers in the Audit Log API to understand exactly which permissions are associated with an event.
  • Scale Governance: Manage complex permission structures across large organizations without manual overhead in the Admin Console.
🚧

Important Notes

  • Deletion Logic: The DELETE endpoint follows an "Empty role" policy. A role can only be deleted if it has no active user assignments.
  • Standard vs. Custom: While standard roles (e.g., Admin, Member) can be retrieved, certain fields on standard roles are immutable. Only custom roles support full CRUD operations.

RbacRoleCompact

PropertyTypeDescription
gidstringGlobally unique identifier of the resource, as a string.
resource_typestringThe base type of this resource.
namestringThe name of the role.
descriptionstringThe description of the role.
is_standard_rolebooleanWhether the role is a standard role or a custom role. Defaults to false.

Example JSON for RbacRoleCompact:

{
  "gid": "12345",
  "resource_type": "role",
  "name": "Developer",
  "description": "This role has exclusive access to create app and PAT tokens.",
  "is_standard_role": false
}

RbacRole

PropertyTypeDescription
gidstringGlobally unique identifier of the resource, as a string.
resource_typestringThe base type of this resource.
namestringThe name of the role.
descriptionstringThe description of the role.
is_standard_rolebooleanWhether the role is a standard role or a custom role. Defaults to false.
creation_timestring (date-time)The time at which this role was created.
modified_atstring (date-time)The time at which this role was last modified.
base_role_typestringThe base role type of the role.
Click to show all enum values
  • admin
  • guest
  • member
  • super_admin
permissionsobjectThe permissions of the role.
permissions.create_app_authorizationbooleanControls whether users with this role can create app authorizations
permissions.create_pat_authorizationbooleanControls whether users with this role can create PAT authorizations
permissions.share_goal_with_domainbooleanControls whether users with this role can create company-wide goals
permissions.share_portfolios_with_orgbooleanControls whether users with this role can create portfolios that are shared with the organization and share existing portfolios to the organization
permissions.assign_rolesbooleanControls whether users with this role can assign guest, member, and admin roles to other users
permissions.manage_rolesbooleanControls whether users with this role can create, edit, and delete roles
permissions.export_project_databooleanControls whether users with this role can export project data
permissions.task_deletion_policystringDetermines what tasks users with this role are allowed to delete
Click to show all enum values
  • all
  • none
  • owned
permissions.download_mobile_attachmentsbooleanControls whether users with this role can download attachments from mobile app
permissions.import_databooleanControls whether users with this role can import data into the domain
permissions.create_global_custom_fieldsbooleanControls whether users with this role can create global custom fields
permissions.upload_attachmentsbooleanControls whether users with this role can upload attachments
permissions.create_teambooleanControls whether users with this role can create teams
permissions.allowed_guest_invitesstringControls what type of email users with this role are allowed to invite
Click to show all enum values
  • all
  • none
permissions.create_and_edit_ai_automationsbooleanControls whether users with this role can create and edit AI automations
permissions.proactive_aibooleanControls whether users with this role can use proactive AI features
permissions.standard_aibooleanControls whether users with this role can use standard AI features
permissions.create_and_edit_ai_teammatesbooleanControls whether users with this role can create and edit AI teammates
permissions.share_teams_with_orgbooleanControls whether users with this role can share teams with the organization
permissions.create_goalbooleanControls whether users with this role can create goals
permissions.create_projectbooleanControls whether users with this role can create projects
permissions.create_read_only_linkbooleanControls whether users with this role can create read-only links
permissions.create_portfoliobooleanControls whether users with this role can create portfolios
permissions.view_public_teamsbooleanControls whether users with this role can view public teams
permissions.view_shared_with_org_projectsbooleanControls whether users with this role can view projects shared with the organization
permissions.view_shared_with_org_tasksbooleanControls whether users with this role can view tasks shared with the organization
permissions.view_shared_with_org_portfoliosbooleanControls whether users with this role can view portfolios shared with the organization
workspaceobjectCreate-only. The workspace this role is associated with. Once created, roles cannot be moved to a different workspace. This attribute can only be specified at creation time.
workspace.gidstringGlobally unique identifier of the resource, as a string.
workspace.resource_typestringThe base type of this resource.
workspace.namestringThe name of the workspace.

Example JSON for RbacRole:

{
  "gid": "12345",
  "resource_type": "role",
  "name": "Developer",
  "description": "This role has exclusive access to create app and PAT tokens.",
  "is_standard_role": false,
  "creation_time": "2012-02-22T02:06:58.147Z",
  "modified_at": "2012-02-22T02:06:58.147Z",
  "base_role_type": "example string",
  "permissions": {
    "create_app_authorization": true,
    "create_pat_authorization": true,
    "share_goal_with_domain": true,
    "share_portfolios_with_org": true,
    "assign_roles": true,
    "manage_roles": true,
    "export_project_data": true,
    "task_deletion_policy": "all",
    "download_mobile_attachments": true,
    "import_data": true,
    "create_global_custom_fields": true,
    "upload_attachments": true,
    "create_team": true,
    "allowed_guest_invites": "all",
    "create_and_edit_ai_automations": true,
    "proactive_ai": true,
    "standard_ai": true,
    "create_and_edit_ai_teammates": true,
    "share_teams_with_org": true,
    "create_goal": true,
    "create_project": true,
    "create_read_only_link": true,
    "create_portfolio": true,
    "view_public_teams": true,
    "view_shared_with_org_projects": true,
    "view_shared_with_org_tasks": true,
    "view_shared_with_org_portfolios": true
  },
  "workspace": {
    "gid": "12345",
    "resource_type": "workspace",
    "name": "My Company Workspace"
  }
}