API Stability Preview

The assignPermissionsForResources() GraphQL mutation is used to assign permissions to users or groups for a resource. This is a preview and subject to change.

Syntax

Below is the syntax for the assignPermissionsForResources() mutation field:

graphql
assignPermissionsForResources(
      input: [PermissionAssignmentInputType]!
   ): [UserOrGroup]!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: "DDKkhSA4j5vf1qbcNwes9ywn", actorType: User }, 
              resource: "searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ "wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB" ] } } ] ) 
   {... on User {username} }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User }, 
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] ) 
   {... on User {username} }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User }, 
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] ) 
   {... on User {username} }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
   assignPermissionsForResources(input: [ ^
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User },  ^
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\",  ^
              permissionSet: {permissionSetType: RoleId,  ^
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] )  ^
   {... on User {username} } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User }, 
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] ) 
   {... on User {username} }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User }, 
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] ) 
   {... on User {username} }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User }, 
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] ) 
   {... on User {username} }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
   assignPermissionsForResources(input: [
    {actor: { actorId: \"DDKkhSA4j5vf1qbcNwes9ywn\", actorType: User }, 
              resource: \"searchdomain/aK9GKAsTnMXfRxT8Fpecx3fX\", 
              permissionSet: {permissionSetType: RoleId, 
              values: [ \"wZ5KEIUY7kRFYDxlQZCHB72VZnFGsmIB\" ] } } ] ) 
   {... on User {username} }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For PermissionAssignmentInputType, there are a few parameters:

Table: PermissionAssignmentInputType

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 19, 2024
actorActorInputyes PreviewThe user or group to assign permissions. See ActorInput.
permissionSetPermissionSetInputyes PreviewThe set of permissions the given actor will gain for the resource. See PermissionSetInput.
resourcestringyes PreviewPath of the resource for which the permissions are assigned. Can be either a search domain or a specific asset in a search domain. For examples, a search domain with ID 123 would be, "searchdomain/123". A dashboard with ID 321 in a search domain with ID 123 would be, "searchdomain/123/dashboard/321".

Returned Datatypes

The returned results, UserOrGroup are sets of users and groups. This is a union between two other datatypes: Group and User. The parameters for them are listed in the tables below:

Table: Group

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Aug 21, 2025
allowedAssetActionsBySource(assetId: string, assetType: AssetPermissionsAssetType, searchDomainId: string): GroupAssetActionsBySourcemultipleyes PreviewGet allowed asset actions for the group on a specific asset and explain how it has gotten this access. See AssetPermissionsAssetType GroupAssetActionsBySource.
defaultQueryPrefixstring  Long-TermThe default prefix for queries.
defaultRoleRole  Long-TermThe default role associated with the group. See Role.
defaultSearchDomainCountintegeryes Long-TermThe default search domain count.
displayNamestringyes Long-TermThe display name of the group.
idstringyes Long-TermThe identifier of the group.
lookupNamestring  Long-TermThe look-up name for the group.
organizationRoles[GroupOrganizationRole]yes Long-TermThe roles of the organization associated with the group. See GroupOrganizationRole.
permissionTypePermissionType  Long-TermIndicates which level of permissions the group contains. See PermissionType.
queryPrefixes(onlyIncludeRestrictiveQueryPrefixes: boolean, onlyForRoleWithId: string): [QueryPrefixes]multiple  Long-TermThe query prefixes for the group. See QueryPrefixes.
roles[SearchDomainRole]yes Long-TermThe roles for the group See SearchDomainRole.
searchAssetPermissions(searchFilter: string, skip: integer, limit: integer, orderBy: OrderBy, sortBy: SortBy, assetTypes: [AssetPermissionsAssetType], searchDomainIds: [string], permissions: [AssetAction], includeUnassignedAssets: boolean): AssetPermissionSearchResultSetmultipleyes PreviewSearch for asset permissions for the group. This is a preview and subject to change. See AssetPermissionsAssetType AssetAction, and AssetPermissionSearchResultSet.
searchDomainCountintegeryes Long-TermThe number of search domains for the group.
searchDomainRoles(searchDomainId: string): [SearchDomainRole]multipleyes Long-TermThe search domain roles assigned to the group. SeeSearchDomainRole.
searchDomainRolesByName(searchDomainName: string): SearchDomainRolemultipleyes Deprecated

The search domain roles assigned to the group, by name. See SearchDomainRole. When multiple roles per view is enabled, this field will return only the first of possibly multiple roles matching the name for the view.

Use roles, searchDomainRoles, or searchDomainRolesBySearchDomainName fields instead. This field will be removed at the earliest in version 1.195.

searchDomainRolesBySearchDomainName(searchDomainName: string): [SearchDomainRole]multipleyes Long-TermThe domain roles by search domain name. See SearchDomainRole.
searchUsers(searchFilter: string, skip: integer, limit: integer, sortBy: OrderByUserField, orderBy: OrderBy): UserResultSetTypemultiple  Long-TermUsed to search the list of users in the group. See OrderByUserField, OrderBy, UserResultSetType.
systemRoles[GroupSystemRole]yes Long-TermThe system roles of the group (see GroupSystemRole Table).
userCountintegeryes Long-TermThe number of users that are part of the group.
users[User]yes Long-TermThe list of users in the group. See User.

Table: User

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Aug 21, 2025
allowedAssetActionsBySource(assetId: string, assetType: AssetPermissionsAssetType, searchDomainId: string): [AssetActionsBySource]multipleyes Short-Term

Get allowed asset actions for the user on a specific asset and explain how these actions have been granted.

See AssetPermissionsAssetType, and AssetActionsBySource.

allowedOrganizationActions[OrganizationAction]yes Long-TermReturns the actions the user is allowed to perform in the organization. See OrganizationAction.
allowedSystemActions[SystemAction]yes Long-TermReturns the actions the user is allowed to perform in the system. See SystemAction Table.
companystring  Long-TermThe name of the company for the user account.
countryCodestring  Long-TermThe two-letter ISO 3166-1 Alpha-2 code for the country of residence (e.g., us).
createdAtdatetimeyes Long-TermThe data and time the account was created.
displayNamestringyes Long-TermThe value of the fullName if used, otherwise the username.
emailstring  Long-TermThe user account's email address for communications from LogScale.
firstNamestring  Long-TermThe user's actual first name (e.g., Bob). Don't use with fullName.
fullNamestring  Long-TermThe user's full name (e.g., Bob Smith). Don't use if using other name parameters.
groups[Group]yes Long-TermThe groups of which the user is a member. See Group.
groupSearchDomainRoles[GroupSearchDomainRole]yes Long-TermThe group search domain roles. See GroupSearchDomainRole.
groupsV2(search: string, typeFilter: [PermissionType], limit: integer, skip: integer, searchInRoles: boolean): GroupResultSetTypemultiple  Preview

The groups of which the user is a member. This is a preview and subject to change. The default for skip is 0, and limit is 50.

See PermissionType, and GroupResultSetType.

idstringyes Long-TermThe identifier or token for the user.
isOrgRootbooleanyes Long-TermWhether the organization is granted root access.
isRootbooleanyes Long-TermWhether the user account is granted root access.
lastNamestring  Long-TermThe user's actual last name or family name (e.g., Smith). Don't use with fullName.
permissions(viewName: string): [UserPermissions]multipleyes Long-TermPermissions of the user. See UserPermissions.
permissionsPage(search: string, pageNumber: integer, pageSize: integer): UserPermissionsPagemultipleyes Deprecated

A page of user permissions.

See UserPermissionsPage.

This field is no longer used. It will be removed at the earliest in version 1.208.

phoneNumberstring  Long-TermThe telephone number for LogScale to use for telephone text messages.
picturestring  Long-TermFile name of an image file for the account.
rolesV2(search: string, typeFilter: [PermissionType], limit: integer, skip: integer, searchInGroups: boolean): RolesResultSetTypemultiple  Short-Term

The roles assigned to the user through a group. The default for skip is 0, and limit is 50.

See PermissionType, and RolesResultSetType.

searchAssetPermissions(searchFilter: string, skip: integer, limit: integer, orderBy: OrderBy, sortBy: SortBy, assetTypes: [AssetPermissionsAssetType], searchDomainIds: [string], permissions: [AssetAction]): AssetPermissionSearchResultSetmultiple  Short-Term

Search for asset permissions for the user. This is a preview and subject to change. The default for skip is 0, limit is 50, and orderBy is ASC.

See AssetPermissionsAssetType, AssetAction, and AssetPermissionSearchResultSet.

searchDomainRoles(searchDomainId: string): [SearchDomainRole]multiple  Long-TermThe search domain roles assigned to the user. See SearchDomainRole.
searchDomainRolesByName(searchDomainName: string): SearchDomainRolemultipleyes Deprecated

The search domain roles for the user, by name. See SearchDomainRole.

This field is deprecated because when multiple roles per view is enabled, it will return only the first of possibly multiple roles matching the name for the view. Use instead searchDomainRoles or searchDomainRolesBySearchDomainName.

searchDomainRolesBySearchDomainName(searchDomainName: string): [SearchDomainRole]multiple  Long-TermThe search domain roles assigned to the user by search domain name. See SearchDomainRole.
stateCodestring  Long-TermThe two-letter, ISO 3166-2 country sub-division code for the state of residence (e.g., ny).
usernamestringyes Long-TermThe user name for the account.
userOrGroupSearchDomainRoles(search: string, skip: integer, limit: integer): UserOrGroupSearchDomainRoleResultSetmultipleyes Long-Term

The user or group search domain roles. The default for skip is 0, and limit is 50.

See UserOrGroupSearchDomainRoleResultSet.