APIIdentity & Access

Roles API

Roles define named permission sets that can be assigned to users and groups. The Roles API allows you to manage both system-defined roles and custom roles created for your tenant. Permission strings follow the resource:action format (e.g., cost_analysis:read, alerts:write).

Endpoints

Method	Path	Description	Required Permission
GET	/roles	List all roles (system + custom) in the tenant	iam:read
GET	/roles/{id}	Get a single role with its full permission set	iam:read
POST	/roles	Create a custom role with a defined permission set	iam:admin
PUT	/roles/{id}	Update a custom role's name or permission set	iam:admin
DELETE	/roles/{id}	Delete a custom role (system roles cannot be deleted)	iam:admin

Role Object

Role Response Object

{
  "id": "role_analyst",
  "name": "Analyst",
  "permissions": [
    "cost_analysis:read",
    "redshift_health:read",
    "vidura:read"
  ],
  "is_system_role": false,
  "created_at": "2024-01-10T08:00:00Z"
}

Available Permission Strings

Permission	Description
cost_analysis:read	View Cost & Usage dashboards and reports
cost_analysis:write	Modify cost analysis configurations and filters
redshift_health:read	View Redshift health dashboards and metrics
alerts:read	View alert rules, incidents, and notification channels
alerts:write	Create and modify alert rules and escalation policies
iam:read	View users, groups, and roles
iam:write	Create and update users and groups
iam:admin	Full IAM control including role management and deletion
vidura:read	Access Vidura AI chat and query the agent

System Roles

System roles are pre-built by Quper and cannot be modified or deleted. They are identified by is_system_role: true in the response.

Role	Description
admin	Full access to all modules including IAM administration
viewer	Read-only access to Cost & Usage module only

System Role Deletion

Attempting to delete a system role (is_system_role: true) will return a 403 Forbidden error. System roles can only be read and assigned — they cannot be modified or deleted.