I’m trying to add a second group to my organization called “analystGroup”, so that once permissions differentiation shows up, I can leave my normal users in this group and my Administrative users in the adminGroup group. I am following this page: https://www.gooddata.com/developers/cloud-native/doc/cloud/manage-deployment/manage-permissions/set-permissions-for-organization/#set-permissions-for-an-organization I have one curl script which exports organization config which looks like so: ‘’' #!/bin/zsh curl --header “Authorization: Bearer $GD_TOKEN” \ $GD_URL/api/v1/layout/organization ‘’' I run this, pipe to jq, then redirect out to organization.json. I update the permissions section identified in step 2 on the page above, like so: ‘’' “permissions”: [ { “assignee”: { “id”: “adminGroup”, “type”: “userGroup” }, “name”: “MANAGE” }, { “assignee”: { “id”: “analystGroup”, “type”: “userGroup” }, “name”: “MANAGE” } ], ‘’' I first got an error because the export had an oauthClientId in it, but no oauthClientSecret. I added it and it got me past the error that the Client Secret was also required, but now I’m getting the following error: ‘’' {“detail”:“Token value is required for BigQuery. DataSource: 1afe28f8-5be6-4a13-9c95-5ecdb6f50f0e”,“status”400,“title”“Bad Request”,“traceId”:“21dfe749e96b091a”}% ‘’' BigQuery is, indeed, the name of one of my DataSources in this organization, but I’m not sure where/how to add the Token value it wants. Bigger picture, since all I want to do is add this new userGroup to my organization so the people I assign to it can see my existing workgroups and items inside them, is there an alternate API which more directly does this without running afoul of having to re-upload the entire json of the organizational config?

You may use entity API

POST /api/v1/entities/userGroups

to create a new user group. Or, you may

PUT /api/v1/layout/userGroups

to create all required user groups at once. Or, there's also

PUT /api/v1/layout/usersAndUserGroups

to create users and groups at once. Refer to https://www.gooddata.com/developers/cloud-native/doc/cloud/api-and-sdk/api/api_reference_all/

Thanks @Robert Moucha, those all API calls work for me fine, the problem is in giving a new userGroups effective permissions in the organization so they can see workspaces and metrics and such. The documentation here only refers to being able to change using the /api/v1/layout/organization API endpoint. That’s the one that’s proving difficult to use because just doing a GET to pull down the json in step 1 on that page results in a file that does not work cleanly when you PUT it back to the same endpoint in Step 3 (even if you don’t change it). If there were a setPermissions API or something, it’d be great, or if the export in step 1 worked in step 3, and all you needed was to make your assignee entry changes. Right now I’m stuck having to give EVERYONE adminGroup just to get them in.

Hi Kevin, it is indeed true that organization-level permissions can only be set via a PUT request to

/api/v1/layout/organization

, which unfortunately also requires everything else for the organization configuration. There is no endpoint for managing only organization-level permissions. However, this is only necessary if you need to assign organization-level permissions (organization.MANAGE) - I would expect that the

analystGroup

would only require workspace-level permissions (such as workspace.ANALYZE). These can be set by PUT on

/api/v1/layout/workspaces/{workspaceId}

, which should require less configuration. There is also a specialized endpoint

/api/v1/layout/workspaces/{workspaceId}/permissions

just for workspace permissions. More information on the available workspace-level permissions can be found here.

🎉 New note created.