Remove permissions from a user
Permissions
Remove User Permissions
Removes one or more permissions from a user’s existing permissions list.
Only admin-level users can perform this action.
PUT
Remove permissions from a user
Removes one or more permissions from a user’s existing permissions list. Only admin-level users can perform this action.
Request
Headers
| Name | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | Bearer token |
| Content-Type | string | Yes | application/json |
Request Body
Request Body Schema
| Field | Type | Required | Description |
|---|---|---|---|
| payload | object | Yes | Remove permissions payload |
| payload.userId | string | Yes | The ID of the user to update |
| payload.permissions | array | Yes | List of permissions to remove |
Permission Format
Permissions follow the pattern:compass.module.action
- Use
*as wildcard (e.g.,compass.dashboard.*) - Specific actions (e.g.,
compass.dashboard.overview) - Module-level access (e.g.,
compass.emailmeter)
Response
200 OK - Successfully removed permissions
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Example
Notes
- This is an admin-only endpoint - requires administrative privileges
- Permissions are removed from the user’s existing permissions
- Non-existent permissions are automatically ignored
- The user ID must be a valid MongoDB ObjectId
- Permission strings must match exactly to be removed
- Changes take effect immediately for the user’s next request
- Use the
/user/add-permissionsendpoint to add permissions - Permission changes are logged for audit purposes
- Removing all permissions may restrict user access to the system
Important Considerations
- Wildcard Permissions: Removing
compass.dashboard.*removes all dashboard permissions - Specific Permissions: Must match exactly (case-sensitive)
- Minimum Permissions: Ensure users retain necessary permissions for their role
- Audit Trail: All permission changes are tracked
- Immediate Effect: Changes apply on the user’s next authenticated request
Best Practices
- Review user’s current permissions before removal
- Test permission changes in a non-production environment
- Document permission changes for compliance
- Consider using role-based permissions instead of individual management
- Regularly audit user permissions for security
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
application/json