Add permissions to a user
Permissions
Add User Permissions
Adds one or more permissions to a user’s existing permissions list.
Only admin-level users can perform this action.
PUT
Add permissions to a user
Adds one or more permissions to a user’s existing permissions list. Only admin-level users can perform this action.
Request
Headers
| Name | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | Bearer token |
| Content-Type | string | Yes | application/json |
Request Body
Request Body Schema
| Field | Type | Required | Description |
|---|---|---|---|
| payload | object | Yes | Add permissions payload |
| payload.userId | string | Yes | The ID of the user to update |
| payload.permissions | array | Yes | List of permissions to add |
Permission Format
Permissions follow the pattern:compass.module.action
- Use
*as wildcard (e.g.,compass.dashboard.*) - Specific actions (e.g.,
compass.dashboard.overview) - Module-level access (e.g.,
compass.emailmeter)
Response
200 OK - Successfully added permissions
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Example
Notes
- This is an admin-only endpoint - requires administrative privileges
- Permissions are added to the user’s existing permissions (not replaced)
- Duplicate permissions are automatically ignored
- The user ID must be a valid MongoDB ObjectId
- Permission strings must follow the defined pattern
- Changes take effect immediately for the user’s next request
- Use the
/user/remove-permissionsendpoint to remove permissions - Permission changes are logged for audit purposes
Available Permissions
Common permission patterns:compass.dashboard.*- Full dashboard accesscompass.dashboard.overview- Dashboard overview onlycompass.emailmeter.*- Full Email Meter accesscompass.emailmeter.stats- Email Meter statistics onlycompass.hubspot.*- Full HubSpot accesscompass.users.*- User management accesscompass.departments.*- Department management access
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
application/json