The RBAC system uses three entities: Roles (tenant-scoped), Modules (system-wide), and Permissions (the matrix connecting them). Each role has a set of permissions per module: can_view, can_create, can_edit, can_delete. Four system roles are seeded per tenant and cannot be renamed or deleted: Super Admin, Admin, Faculty, Student.

Create Role

POST /v1/console/roles
Create a custom role for the tenant.

Authentication

Requires ROLE_MANAGEMENT.can_create permission.

Request body

name (string, required): Role name. Must be unique within the tenant. Max 100 characters.
description (string): Role description. Max 500 characters.

Example request

curl -X POST https://mind-be.staging.miva.university/v1/console/roles \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Teaching Assistant",
    "description": "Can view case studies and grade students"
  }'

Response

{
  "success": true,
  "data": {
    "id": "6650f1a2b3c4d5e6f7a8b9c0",
    "name": "Teaching Assistant",
    "description": "Can view case studies and grade students",
    "is_system_role": false,
    "created_at": "2025-06-01T14:00:00Z",
    "updated_at": null
  },
  "message": "Role created successfully"
}

Error responses

| Status | Code | Condition |
| --- | --- | --- |
| 409 | CONFLICT | Role name already exists in this tenant |

List Roles

GET /v1/console/roles
List all roles in the tenant.

Authentication

Requires ROLE_MANAGEMENT.can_view permission.

Query parameters

skip (integer, default: 0): Number of records to skip.
limit (integer, default: 50): Max records to return (1-100).

Example request

curl "https://mind-be.staging.miva.university/v1/console/roles" \
  -H "Authorization: Bearer <access_token>"

Response

{
  "success": true,
  "data": [
    {
      "id": "6650a0b1c2d3e4f5a6b7c8d9",
      "name": "Super Admin",
      "is_system_role": true,
      "created_at": "2025-01-01T00:00:00Z"
    },
    {
      "id": "6650a0b1c2d3e4f5a6b7c8da",
      "name": "Admin",
      "is_system_role": true,
      "created_at": "2025-01-01T00:00:00Z"
    },
    {
      "id": "6650a0b1c2d3e4f5a6b7c8db",
      "name": "Faculty",
      "is_system_role": true,
      "created_at": "2025-01-01T00:00:00Z"
    },
    {
      "id": "6650a0b1c2d3e4f5a6b7c8dc",
      "name": "Student",
      "is_system_role": true,
      "created_at": "2025-01-01T00:00:00Z"
    },
    {
      "id": "6650f1a2b3c4d5e6f7a8b9c0",
      "name": "Teaching Assistant",
      "is_system_role": false,
      "created_at": "2025-06-01T14:00:00Z"
    }
  ],
  "total": 5,
  "page": 1,
  "page_size": 50,
  "total_pages": 1,
  "message": null
}

Get Role

GET /v1/console/roles/{role_id}
Get a role’s details.

Authentication

Requires ROLE_MANAGEMENT.can_view permission.

Path parameters

role_id (string, required): The role’s ID.

Example request

curl https://mind-be.staging.miva.university/v1/console/roles/6650f1a2b3c4d5e6f7a8b9c0 \
  -H "Authorization: Bearer <access_token>"

Response

{
  "success": true,
  "data": {
    "id": "6650f1a2b3c4d5e6f7a8b9c0",
    "name": "Teaching Assistant",
    "description": "Can view case studies and grade students",
    "is_system_role": false,
    "created_at": "2025-06-01T14:00:00Z",
    "updated_at": null
  },
  "message": null
}

Update Role

PATCH /v1/console/roles/{role_id}
Update a role’s name or description. System roles cannot be renamed.

Authentication

Requires ROLE_MANAGEMENT.can_edit permission.

Path parameters

role_id (string, required): The role’s ID.

Request body

name (string): Updated name (not allowed for system roles).
description (string): Updated description.

Example request

curl -X PATCH https://mind-be.staging.miva.university/v1/console/roles/6650f1a2b3c4d5e6f7a8b9c0 \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "description": "Can view and grade case study sessions"
  }'

Response

Returns the full updated role object.

Error responses

| Status | Code | Condition |
| --- | --- | --- |
| 400 | VALIDATION_ERROR | Attempted to rename a system role |
| 409 | CONFLICT | Role name already exists in this tenant |

Delete Role

DELETE /v1/console/roles/{role_id}
Delete a custom role. System roles and roles with assigned users cannot be deleted.

Authentication

Requires ROLE_MANAGEMENT.can_delete permission.

Path parameters

role_id (string, required): The role’s ID.

Example request

curl -X DELETE https://mind-be.staging.miva.university/v1/console/roles/6650f1a2b3c4d5e6f7a8b9c0 \
  -H "Authorization: Bearer <access_token>"

Response

Returns the deleted role object.

Error responses

| Status | Code | Condition |
| --- | --- | --- |
| 400 | VALIDATION_ERROR | Cannot delete a system role |
| 409 | CONFLICT | Role has users assigned to it |

List Modules

GET /v1/console/modules
List all permission modules in the system.

Authentication

Requires ROLE_MANAGEMENT.can_view permission.

Example request

curl https://mind-be.staging.miva.university/v1/console/modules \
  -H "Authorization: Bearer <access_token>"

Response

{
  "success": true,
  "data": [
    { "id": "6650b0c1d2e3f4a5b6c7d8e9", "key": "USER_MANAGEMENT", "display_name": "User Management" },
    { "id": "6650b0c1d2e3f4a5b6c7d8ea", "key": "ROLE_MANAGEMENT", "display_name": "Role Management" },
    { "id": "6650b0c1d2e3f4a5b6c7d8eb", "key": "TENANT_MANAGEMENT", "display_name": "Tenant Management" },
    { "id": "6650b0c1d2e3f4a5b6c7d8ec", "key": "CASE_STUDIES", "display_name": "Case Studies" },
    { "id": "6650b0c1d2e3f4a5b6c7d8ed", "key": "KNOWLEDGE_BASES", "display_name": "Knowledge Bases" },
    { "id": "6650b0c1d2e3f4a5b6c7d8ee", "key": "ASSESSMENTS", "display_name": "Assessments" },
    { "id": "6650b0c1d2e3f4a5b6c7d8ef", "key": "SESSIONS", "display_name": "Sessions" },
    { "id": "6650b0c1d2e3f4a5b6c7d8f0", "key": "FEEDBACK", "display_name": "Feedback" }
  ],
  "message": null
}

Get Role Permissions

GET /v1/console/roles/{role_id}/permissions
Get the full permission matrix for a role.

Authentication

Requires ROLE_MANAGEMENT.can_view permission.

Path parameters

role_id (string, required): The role’s ID.

Example request

curl https://mind-be.staging.miva.university/v1/console/roles/6650f1a2b3c4d5e6f7a8b9c0/permissions \
  -H "Authorization: Bearer <access_token>"

Response

{
  "success": true,
  "data": [
    {
      "module_key": "CASE_STUDIES",
      "module_display_name": "Case Studies",
      "can_view": true,
      "can_create": false,
      "can_edit": false,
      "can_delete": false
    },
    {
      "module_key": "ASSESSMENTS",
      "module_display_name": "Assessments",
      "can_view": true,
      "can_create": false,
      "can_edit": true,
      "can_delete": false
    }
  ],
  "message": null
}
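
An added example (not part of the API or the original page) that audits a role's permission matrix, in the shape of the `data` array above, for grants with administrative reach. `audit_matrix`, the severity labels and the sample matrix are constructed for illustration; ROLE_MANAGEMENT.can_edit is rated highest because it is the permission this page requires for Update Role Permissions.

```python
import json

FLAGS = ("can_view", "can_create", "can_edit", "can_delete")
# Modules whose write flags change who can do what (keys from List Modules).
ADMIN_MODULES = {"ROLE_MANAGEMENT", "USER_MANAGEMENT", "TENANT_MANAGEMENT"}

def audit_matrix(role_name, matrix):
    """Return (severity, role, message) findings for one role's `data` array."""
    findings = []
    for entry in matrix:
        key = entry["module_key"]
        # A missing flag counts as False, matching the documented PUT defaults.
        granted = {f for f in FLAGS if entry.get(f, False) is True}
        writes = granted - {"can_view"}
        if key == "ROLE_MANAGEMENT" and "can_edit" in granted:
            findings.append(("high", role_name,
                "ROLE_MANAGEMENT.can_edit allows PUT /roles/{role_id}/permissions"))
        elif key in ADMIN_MODULES and writes:
            findings.append(("medium", role_name,
                f"{key} write flags: {', '.join(sorted(writes))}"))
        # Reviewer heuristic, not an API rule: write access without view access.
        if writes and "can_view" not in granted:
            findings.append(("low", role_name,
                f"{key} grants {', '.join(sorted(writes))} without can_view"))
    return findings

# Constructed sample: a custom role's matrix in the documented response shape.
SAMPLE = json.loads("""
{"success": true, "data": [
  {"module_key": "CASE_STUDIES", "can_view": true, "can_create": false,
   "can_edit": false, "can_delete": false},
  {"module_key": "ROLE_MANAGEMENT", "can_view": true, "can_create": false,
   "can_edit": true, "can_delete": false},
  {"module_key": "USER_MANAGEMENT", "can_view": false, "can_create": true,
   "can_edit": false, "can_delete": false}
], "message": null}
""")

if __name__ == "__main__":
    for severity, role, msg in audit_matrix("Teaching Assistant", SAMPLE["data"]):
        print(f"[{severity}] {role}: {msg}")
```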

Update Role Permissions

PUT /v1/console/roles/{role_id}/permissions
Bulk update the permission matrix for a role.

Authentication

Requires ROLE_MANAGEMENT.can_edit permission.

Path parameters

role_id (string, required): The role’s ID.

Request body

permissions (array, required): Array of permission entries to set. Each entry:
permissions[].module_key (string, required): Module key (e.g. CASE_STUDIES).
permissions[].can_view (boolean, default: false): View permission.
permissions[].can_create (boolean, default: false): Create permission.
permissions[].can_edit (boolean, default: false): Edit permission.
permissions[].can_delete (boolean, default: false): Delete permission.

Example request

curl -X PUT https://mind-be.staging.miva.university/v1/console/roles/6650f1a2b3c4d5e6f7a8b9c0/permissions \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "permissions": [
      {
        "module_key": "CASE_STUDIES",
        "can_view": true,
        "can_create": false,
        "can_edit": false,
        "can_delete": false
      },
      {
        "module_key": "ASSESSMENTS",
        "can_view": true,
        "can_create": false,
        "can_edit": true,
        "can_delete": false
      }
    ]
  }'

Response

Returns the full updated permission matrix.

Default System Role Permissions

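| Module | Super Admin | Admin | Faculty | Student |
| --- | --- | --- | --- | --- |
| User Management | Full | Full | - | - |
| Role Management | Full | View | - | - |
| Tenant Management | Full | View, Edit | - | - |
| Case Studies | Full | Full | View, Edit | - |
| Knowledge Bases | Full | Full | View, Edit | - |
| Assessments | Full | Full | View, Edit | - |
| Sessions | Full | Full | View | - |
| Feedback | Full | Full | View | - |
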
Full = can_view, can_create, can_edit, can_delete
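
An added example, not from the original page: a drift check that expands the table above into the four flags per module and compares them with a system role's matrix in the Get Role Permissions response shape. The function names and the sample matrix are constructed, and it assumes a module absent from the response grants nothing.

```python
FLAGS = ("can_view", "can_create", "can_edit", "can_delete")
MODULES = ("USER_MANAGEMENT", "ROLE_MANAGEMENT", "TENANT_MANAGEMENT", "CASE_STUDIES",
           "KNOWLEDGE_BASES", "ASSESSMENTS", "SESSIONS", "FEEDBACK")
# Columns of the defaults table above, one list per system role, in MODULES order.
DEFAULTS = {
    "Super Admin": ["Full"] * 8,
    "Admin": ["Full", "View", "View, Edit", "Full", "Full", "Full", "Full", "Full"],
    "Faculty": ["-", "-", "-", "View, Edit", "View, Edit", "View, Edit", "View", "View"],
    "Student": ["-"] * 8,
}

def expand(cell):
    """Turn a table cell ('Full', 'View, Edit', '-') into the four boolean flags."""
    if cell == "Full":
        return dict.fromkeys(FLAGS, True)
    words = {w.strip().lower() for w in cell.split(",")} - {"-"}
    return {f: f[len("can_"):] in words for f in FLAGS}

def drift(role_name, matrix):
    """Return sorted (module_key, flag, expected, actual) tuples that differ."""
    # Assumption: a module missing from the response grants nothing.
    actual = {e["module_key"]: e for e in matrix}
    out = []
    for key, cell in zip(MODULES, DEFAULTS[role_name]):
        for flag, want in expand(cell).items():
            have = actual.get(key, {}).get(flag, False) is True
            if have != want:
                out.append((key, flag, want, have))
    # A module key that is not in List Modules is reported rather than ignored.
    out += [(k, "unknown_module", False, True) for k in actual if k not in MODULES]
    return sorted(out)

# Constructed sample: a Faculty matrix where SESSIONS has gained can_edit and
# FEEDBACK is missing from the response.
FACULTY = [
    {"module_key": "CASE_STUDIES", "can_view": True, "can_edit": True},
    {"module_key": "KNOWLEDGE_BASES", "can_view": True, "can_edit": True},
    {"module_key": "ASSESSMENTS", "can_view": True, "can_edit": True},
    {"module_key": "SESSIONS", "can_view": True, "can_edit": True},
]

if __name__ == "__main__":
    for row in drift("Faculty", FACULTY):
        print(row)
```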