> ## Documentation Index
> Fetch the complete documentation index at: https://compass.docs.sunnyscoach.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Remove User Permissions

> Removes one or more permissions from a user's existing permissions list.  
Only admin-level users can perform this action.


Removes one or more permissions from a user's existing permissions list. Only admin-level users can perform this action.

## Request

### Headers

| Name          | Type   | Required | Description      |
| ------------- | ------ | -------- | ---------------- |
| Authorization | string | Yes      | Bearer token     |
| Content-Type  | string | Yes      | application/json |

### Request Body

```json theme={null}
{
  "payload": {
    "userId": "68bb46bb4db8c853599f1ebb",
    "permissions": [
      "compass.dashboard.*",
      "compass.dashboard.overview"
    ]
  }
}
```

### Request Body Schema

| Field               | Type   | Required | Description                   |
| ------------------- | ------ | -------- | ----------------------------- |
| payload             | object | Yes      | Remove permissions payload    |
| payload.userId      | string | Yes      | The ID of the user to update  |
| payload.permissions | array  | Yes      | List of permissions to remove |

#### Permission Format

Permissions follow the pattern: `compass.module.action`

* Use `*` as wildcard (e.g., `compass.dashboard.*`)
* Specific actions (e.g., `compass.dashboard.overview`)
* Module-level access (e.g., `compass.emailmeter`)

## Response

### 200 OK - Successfully removed permissions

```json theme={null}
{
  "message": "Successfully removed permissions for this user.",
  "data": {}
}
```

### 400 Bad Request

```json theme={null}
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid payload or missing required fields"
  }
}
```

### 401 Unauthorized

```json theme={null}
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing or invalid authentication token"
  }
}
```

### 403 Forbidden

```json theme={null}
{
  "error": {
    "code": "FORBIDDEN",
    "message": "Insufficient permissions"
  }
}
```

### 404 Not Found

```json theme={null}
{
  "error": {
    "code": "USER_NOT_FOUND",
    "message": "User with this ID does not exist anymore"
  }
}
```

### 500 Internal Server Error

```json theme={null}
{
  "error": {
    "code": "SERVER_ERROR",
    "message": "Internal server error"
  }
}
```

## Example

```bash theme={null}
curl -X PUT 'http://localhost:2000/user/remove-permissions' \
  -H 'Authorization: Bearer your-jwt-token' \
  -H 'Content-Type: application/json' \
  -d '{
    "payload": {
      "userId": "68bb46bb4db8c853599f1ebb",
      "permissions": [
        "compass.dashboard.*",
        "compass.dashboard.overview",
        "compass.emailmeter.stats"
      ]
    }
  }'
```

## Notes

* This is an admin-only endpoint - requires administrative privileges
* Permissions are removed from the user's existing permissions
* Non-existent permissions are automatically ignored
* The user ID must be a valid MongoDB ObjectId
* Permission strings must match exactly to be removed
* Changes take effect immediately for the user's next request
* Use the `/user/add-permissions` endpoint to add permissions
* Permission changes are logged for audit purposes
* Removing all permissions may restrict user access to the system

## Important Considerations

* **Wildcard Permissions**: Removing `compass.dashboard.*` removes all dashboard permissions
* **Specific Permissions**: Must match exactly (case-sensitive)
* **Minimum Permissions**: Ensure users retain necessary permissions for their role
* **Audit Trail**: All permission changes are tracked
* **Immediate Effect**: Changes apply on the user's next authenticated request

## Best Practices

1. Review user's current permissions before removal
2. Test permission changes in a non-production environment
3. Document permission changes for compliance
4. Consider using role-based permissions instead of individual management
5. Regularly audit user permissions for security


## OpenAPI

````yaml PUT /user/remove-permissions
openapi: 3.0.3
info:
  title: COMPASS API
  version: 1.0.0
  description: OpenAPI specification for the Compass backend routes.
servers:
  - url: http://localhost:2000
    description: Local development server
security: []
tags:
  - name: Auth
    description: >-
      Authentication and session management endpoints (OAuth and session
      validation)
  - name: Users
    description: Operations for managing user records
  - name: Departments
    description: Operations for managing departments
  - name: Email Meter
    description: APIs to get Email Meter Stats
  - name: HubSpot Tickets
    description: Feedback APIs
  - name: Permissions
    description: Permissions APIs
  - name: Transcription
    description: Transcription APIs
paths:
  /user/remove-permissions:
    put:
      tags:
        - Users
      summary: Remove permissions from a user
      description: >
        Removes one or more permissions from a user's existing permissions
        list.  

        Only admin-level users can perform this action.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - payload
              properties:
                payload:
                  type: object
                  required:
                    - userId
                    - permissions
                  properties:
                    userId:
                      type: string
                      description: The ID of the user whose permissions are to be updated.
                      example: 68bb46bb4db8c853599f1ebb
                    permissions:
                      type: array
                      description: List of permissions to remove from the user.
                      items:
                        type: string
                        example: compass.dashboard.*
            example:
              payload:
                userId: 68bb46bb4db8c853599f1ebb
                permissions:
                  - compass.dashboard.*
                  - compass.dashboard.overview
      responses:
        '200':
          description: Successfully removed permissions
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: Successfully removed permissions for this user.
                  data:
                    type: object
                    example: {}
        '400':
          description: Invalid payload or missing required fields
        '401':
          description: Unauthorized – Missing or invalid authentication token
        '403':
          description: Forbidden – Insufficient permissions
        '404':
          description: User not found
          content:
            application/json:
              schema:
                type: object
                properties:
                  errorMessage:
                    type: string
                    example: User with this ID does not exist anymore
        '500':
          description: Internal server error
      security:
        - bearerAuth: []
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

````