Summary

For easier management of permissions for users, you can create roles and then assign them to users and groups of users. To create a role, use the createRole() GraphQL mutation. This is usable only if roles are not managed externally (e.g., handled in LDAP).

API Stability Long-Term
Security Requirement & Control ManageUsers API permission

Syntax

graphql
createRole(
      input: AddRoleInput!
   ): AddRoleMutation!

For the input, you'll have to give the name of the role to create, and a list of permissions granted users who will be assigned the role. See the Input Parameters section for details.

For the results, you can get plenty on the role. See the Returned Values section for what's available.

Example

Raw
graphql
mutation {
  createRole(input:
      { displayName: "sales",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createRole(input:
      { displayName: \"sales\",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createRole(input:
      { displayName: \"sales\",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createRole(input: ^
      { displayName: \"sales\", ^
        viewPermissions: [ReadAccess] ^
      } ) ^
  { role { id } } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createRole(input:
      { displayName: \"sales\",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  createRole(input:
      { displayName: \"sales\",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createRole(input:
      { displayName: \"sales\",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createRole(input:
      { displayName: \"sales\",
        viewPermissions: [ReadAccess]
      } )
  { role { id } }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "createRole": {
      "role": {
        "id": "abc123"
      }
    }
  }
}

Input Parameters

For the input, you would provide the name of the role to create, and a list of permissions granted users who will be assigned the role. The table below lists other parameters you may give:

Table: AddRoleInput Input Datatype

ParameterTypeRequiredDefaultStabilityDescription
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Sep 17, 2024
colorstring  Long-TermThe color used for highlighting role added.
displayNamestringyes Long-TermThe name to display for the role added.
objectActionObjectAction  Long-TermThe object of the action. See ObjectAction.
organizationManagementPermissions[OrganizationManagementPermission]yes Long-TermThe management permissions for the organization. See OrganizationManagementPermission.
organizationPermissions[OrganizationPermission]yes Long-TermThe permissions for the organization. See OrganizationPermission.
systemPermissions[SystemPermission]yes Long-TermThe permissions for the system. See SystemPermission.
viewPermissions[Permission]yes Long-TermThe permissions for the view. See Permission.

Returned Values

For the results, you can get information on a role and what it entails, such as how many users and a list of assigned the role, and which assets they can access. Of course, you would know this information having just created the role with this mutation.

Table: AddRoleMutation Datatype

ParameterTypeRequiredDefaultStabilityDescription
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Aug 19, 2025
roleRoleyes Long-TermThe role to add. See Role.

The datatype above uses another datatype for information on a role. For your convenience, the table for that sub-datatype is included here:

Table: Role Datatype

ParameterTypeRequiredDefaultStabilityDescription
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Aug 21, 2025
colorstring  DeprecatedThe color associated with the role. However, role colors are no longer used. This parameter will be removed at the earliest in version 1.195.
descriptionstring  Long-TermA description of the role.
displayNamestringyes Long-TermThe display name of the role.
groups[Group]yes Long-TermThe groups related to the role. See Group.
groupsCountintegeryes Long-TermThe number of groups related to the role.
groupsV2(search: string, userId: string, searchInRoles: boolean, onlyIncludeGroupsWithRestrictiveQueryPrefix: boolean, limit: integer, skip: integer): GroupResultSetTypemultipleyes Long-TermThe groups related to the role. See GroupResultSetType.
idstringyes Long-TermThe unique identifier for the role.
organizationManagementPermissions[OrganizationManagementPermission]yes Long-TermThe organization management permissions given to the role. See OrganizationManagementPermission.
organizationPermissions[OrganizationPermission]yes Long-TermThe organization permissions given to the role. See OrganizationPermission.
readonlyDefaultRoleReadonlyDefaultRole  PreviewThe read-only default role. This parameter is a preview and subject to change. See ReadonlyDefaultRole.
systemPermissions[SystemPermission]yes Long-TermThe system permissions given to the role. See SystemPermission.
users[User]yes Long-TermA list of users assigned the role. See User.
usersCountintegeryes Long-TermThe number of users assigned the role.
viewPermissions[Permission]yes Long-TermThe view permissions given to the role. See Permission.