Users & RBAC
The Users API manages team members and their roles within an organisation. Datafly Signal uses role-based access control (RBAC) with five roles that determine what each user can view and modify.
User Object
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "org_id": "org-uuid-here",
  "email": "[email protected]",
  "name": "Jane Smith",
  "role": "org_admin",
  "created_at": "2026-01-01T00:00:00Z",
  "updated_at": "2026-02-25T09:30:00Z"
}

| Field | Type | Description |
|---|---|---|
| id | string | UUID identifier |
| org_id | string | Parent organisation UUID |
| email | string | User’s email address (unique per organisation) |
| name | string | Display name |
| role | string | Assigned RBAC role |
| created_at | string | ISO 8601 creation timestamp |
| updated_at | string | ISO 8601 last-updated timestamp |
Roles
| Role | Description |
|---|---|
| org_admin | Full access to everything — team management, sources, pipelines, integrations, settings, brands, consent, and audit logs. |
| source_admin | Manage sources, integrations, pipelines, brands. Can approve and publish versions. |
| source_editor | Create and edit sources, integrations, and transformations. Can submit versions for review. |
| source_viewer | Read-only access to sources, metrics, events, and the real-time debugger. |
| data_governance_admin | Manage the organisation data layer, transformations, and consent settings. |
Permissions Matrix
| Action | org_admin | source_admin | source_editor | source_viewer | data_governance_admin |
|---|---|---|---|---|---|
| Manage team members | Yes | — | — | — | — |
| Manage sources | Yes | Yes | — | — | — |
| Create/edit integrations | Yes | Yes | Yes | — | Yes |
| Create/edit transformations | Yes | Yes | Yes | — | Yes |
| Manage pipelines | Yes | Yes | Yes | — | — |
| Approve & publish versions | Yes | Yes | — | — | — |
| Manage data layer | Yes | — | — | — | Yes |
| Manage consent settings | Yes | — | — | — | — |
| Manage org settings | Yes | — | — | — | — |
| Manage brands | Yes | Yes | — | — | — |
| View dashboard & metrics | Yes | Yes | Yes | Yes | Yes |
| View audit logs | Yes | Yes | — | — | Yes |
List Users
GET /v1/admin/users
Returns all users in the current organisation.
Request:
curl -X GET "http://localhost:8084/v1/admin/users" \
  -H "Authorization: Bearer {access_token}"
Response:
{
  "users": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "org_id": "org-uuid-here",
      "email": "[email protected]",
      "name": "Jane Smith",
      "role": "org_admin",
      "created_at": "2026-01-01T00:00:00Z",
      "updated_at": "2026-02-25T09:30:00Z"
    }
  ],
  "total": 1
}
Required role: org_admin.
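An access review built on the List Users response and the Permissions Matrix above, as an added example that is not part of the Datafly Signal documentation or code: it expands each user's role through the matrix and lists who holds selected high-impact actions, and it reports any user whose role does not appear in the matrix. The sample users, the `SENSITIVE` selection and the function names are constructed for illustration.

```python
import json

ROLES = ["org_admin", "source_admin", "source_editor", "source_viewer", "data_governance_admin"]
# Permissions Matrix as printed on this page; flags follow ROLES order, Y = "Yes".
MATRIX = {
    "Manage team members":         "Y----",
    "Manage sources":              "YY---",
    "Create/edit integrations":    "YYY-Y",
    "Create/edit transformations": "YYY-Y",
    "Manage pipelines":            "YYY--",
    "Approve & publish versions":  "YY---",
    "Manage data layer":           "Y---Y",
    "Manage consent settings":     "Y----",
    "Manage org settings":         "Y----",
    "Manage brands":               "YY---",
    "View dashboard & metrics":    "YYYYY",
    "View audit logs":             "YY--Y",
}
# Assumption: which actions count as high-impact is a local review choice.
SENSITIVE = ["Manage team members", "Approve & publish versions",
             "Manage consent settings", "View audit logs"]

def allowed(role, action):
    """True if the matrix grants action to role; roles outside the matrix get nothing."""
    return role in ROLES and MATRIX[action][ROLES.index(role)] == "Y"

def access_review(response, sensitive=SENSITIVE):
    """Return ({action: [emails]}, [emails whose role is missing from the matrix])."""
    users = response["users"]
    unknown = [u["email"] for u in users if u["role"] not in ROLES]
    holders = {a: [u["email"] for u in users if allowed(u["role"], a)] for a in sensitive}
    return holders, unknown

# Constructed sample shaped like the List Users response (not real accounts).
SAMPLE = json.loads("""{"users": [
  {"email": "ana@example.test", "role": "org_admin"},
  {"email": "ben@example.test", "role": "source_admin"},
  {"email": "cho@example.test", "role": "data_governance_admin"},
  {"email": "dee@example.test", "role": "source_editor"},
  {"email": "eli@example.test", "role": "superuser"}
], "total": 5}""")

if __name__ == "__main__":
    holders, unknown = access_review(SAMPLE)
    for action, emails in holders.items():
        print(f"{action}: {', '.join(emails) or 'nobody'}")
    print("Role not in matrix:", unknown)
```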
Create User
POST /v1/admin/users
Create a new user account in the organisation. The user can immediately sign in with the provided email and password.
Request:
{
  "email": "[email protected]",
  "name": "John Doe",
  "password": "securepassword",
  "role": "source_viewer"
}

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | User’s email address (must be unique within the organisation) |
| name | string | Yes | Display name |
| password | string | Yes | Password (minimum 8 characters) |
| role | string | No | RBAC role (defaults to source_viewer) |
Response (201 Created):
{
  "id": "new-user-uuid",
  "org_id": "org-uuid-here",
  "email": "[email protected]",
  "name": "John Doe",
  "role": "source_viewer",
  "created_at": "2026-02-25T10:00:00Z",
  "updated_at": "2026-02-25T10:00:00Z"
}
Required role: org_admin.
Update User
PUT /v1/admin/users/{id}
Update a user’s details. All fields are optional — only include the fields you want to change.
Request:
{
  "name": "Jane Doe",
  "email": "[email protected]"
}

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | No | New email address (must be unique within the organisation) |
| name | string | No | New display name |
| password | string | No | New password (minimum 8 characters) |
| role | string | No | New RBAC role |
Response: Updated user object.
Required role: org_admin.
This endpoint can also be used to reset a user’s password. Pass password in the request body to set a new password. The user will need to use the new password on their next sign-in.
Example: Reset Password
curl -X PUT "http://localhost:8084/v1/admin/users/{id}" \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/json" \
  -d '{"password": "newsecurepassword"}'
Example: Update Name and Email
curl -X PUT "http://localhost:8084/v1/admin/users/{id}" \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/json" \
  -d '{"name": "Jane Doe", "email": "[email protected]"}'
Assign Role
PUT /v1/admin/users/{id}/role
Change a user’s role.
Request:
{
  "role": "source_admin"
}
Response: Updated user object.
Required role: org_admin.
You cannot change your own role or delete your own account.
Get Current User
GET /v1/auth/me
Returns the currently authenticated user’s profile.
Request:
curl -X GET "http://localhost:8084/v1/auth/me" \
  -H "Authorization: Bearer {access_token}"
Response: User object for the authenticated user.
List Roles
GET /v1/admin/roles
Returns all available roles with descriptions.
Request:
curl -X GET "http://localhost:8084/v1/admin/roles" \
  -H "Authorization: Bearer {access_token}"
Response:
{
  "roles": [
    { "role": "org_admin", "description": "Full access to all organisation resources" },
    { "role": "source_admin", "description": "Manage sources, integrations, and pipelines" },
    { "role": "source_editor", "description": "Create and edit sources and integrations" },
    { "role": "source_viewer", "description": "Read-only access to all resources" },
    { "role": "data_governance_admin", "description": "Manage data layer and consent settings" }
  ]
}
Remove User
DELETE /v1/admin/users/{id}
Remove a user from the organisation. This performs a soft delete (the user record is retained for audit purposes but cannot sign in).
Request:
curl -X DELETE "http://localhost:8084/v1/admin/users/{id}" \
  -H "Authorization: Bearer {access_token}"
Response: 204 No Content
Required role: org_admin.
You cannot delete your own account. All user operations are recorded in the audit log.
Management UI
Team management is available in the Management UI under Settings > RBAC. From this tab, org admins can:
- Add Member — create a new user with name, email, password, and role
- Edit Details — update a team member’s name and email address
- Reset Password — set a new password for a team member
- Change Role — reassign a team member’s role via an inline dropdown
- Remove — remove a team member with a two-step confirmation