# Environment roles

Use the following endpoints to manage environment roles in an Embedded customer workspace.

Environment roles can have the following values:

Value Definition
system Default roles provided by Workato.
custom Roles created manually within a workspace.
inheritable Custom roles from an AHQ admin or Embedded partner workspace that are inheritable by child workspaces.
inherited Roles inherited by a child workspace from its AHQ or Embedded parent workspace.

LEGACY ROLE COMPATIBILITY

The following endpoints are only compatible with new roles where the role_type is environment.

Use the /api/managed_users/:id/roles endpoints instead to manage legacy roles where the role_type is privilege_group.

# Rate limits

The environment roles resource has the following rate limit:

Type Resource Limit
All All Environment roles endpoints10 requests per second

# Quick reference

Type Resource Description
GET /api/managed_users/:managed_user_id/environment_roles List environment roles in a customer workspace.
GET /api/managed_users/:managed_user_id/environment_roles/:id Get an environment role from a customer workspace.
POST /api/managed_users/:managed_user_id/environment_roles Create an environment role in a customer workspace.
PUT /api/managed_users/:managed_user_id/environment_roles/:id Update an environment role in a customer workspace.
DELETE /api/managed_users/:managed_user_id/environment_roles/:id Delete an environment role in a customer workspace.

# List environment roles in a customer workspace

Retrieves a list of environment roles from an Embedded customer workspace.

GET /api/managed_users/:managed_user_id/environment_roles

# Path parameters

Name Type Description
managed_user_id string
required
The Embedded customer ID or external ID.
External IDs must be URL encoded and prefixed with an E, for example: EA2300.

# Query parameters

Name Type Description
name string
optional
Filter environment roles by their name.
page[number] integer
optional
The page number to retrieve. The default value is 1.
page[size] integer
optional
The number of items per page to retrieve. The default and maximum value is 100.

# Sample request

curl -X GET 'https://www.workato.com/api/managed_users/19029/environment_roles?name=Developer&page[number]=1&page[size]=100' \
  -H 'Authorization: Bearer <api_token>'

# Response

{
  "data": [
    {
      "id": 1,
      "name" : "Developer",
      "members_count": 2,
      "type": "custom",
      "created_at": "2024-08-02T13:35:11.691-07:00",
      "updated_at": "2024-08-02T13:35:11.691-07:00"
    }
  ],
  "total": 1,
  "page": {
    "number": 1,
    "size": 100
  }
}

# Get an environment role from a customer workspace

Retrieves an environment role from an Embedded customer workspace.

GET /api/managed_users/:managed_user_id/environment_roles/:id

# Path parameters

Name Type Description
managed_user_id string
required
The Embedded customer ID or external ID.
External IDs must be URL encoded and prefixed with an E, for example: EA2300.
id string
required
The ID of the environment role to retrieve.

# Sample request

curl -X GET 'https://www.workato.com/api/managed_users/19029/environment_roles/1' \
  -H 'Authorization: Bearer <api_token>'

# Response

{
  "data": {
    "id": 1,
    "name" : "Developer",
    "config": { "team": { "privileges": "all" } },
    "members_count": 2,
    "type": "custom",
    "created_at": "2024-08-02T13:35:11.691-07:00",
    "updated_at": "2024-08-02T13:35:11.691-07:00"
  }
}

# Create an environment role in a customer workspace

Creates a new environment role in an Embedded customer workspace.

POST /api/managed_users/:managed_user_id/environment_roles

# Path parameters

Name Type Description
managed_user_id string
required
The Embedded customer ID or external ID.
External IDs must be URL encoded and prefixed with an E, for example: EA2300.

# Request body

Name Type Description
environment_role object
required
Defines the environment role to create.
environment_role[name] string
required
The name of the environment role to create. The maximum length is 200 characters.
environment_role[config] object
required
Defines the privileges assigned to the role.
environment_role[inheritable] boolean
optional
Child workspaces inherit the role when set to true. The default value is false. This value can only be set to true in Admin AHQ or Embedded partner workspaces.

# Sample request

curl -X POST 'https://www.workato.com/api/managed_users/19029/environment_roles' \
  -H 'Authorization: Bearer <api_token>' \
  -H 'Content-Type: application/json' \
  -d '{
        "environment_role": {
          "name": "Developer",
          "config": { "team": { "privileges": "all" } },
          "inheritable": false
        }
      }'

# Response

{
  "data": {
    "id": 1,
    "name" : "Developer",
    "config": { "team": { "privileges": "all" } },
    "members_count": 0,
    "type": "custom",
    "created_at": "2024-08-02T13:35:11.691-07:00",
    "updated_at": "2024-08-02T13:35:11.691-07:00"
  }
}

# Update an environment role in a customer workspace

Updates an existing environment role in an Embedded customer workspace.

PUT /api/managed_users/:managed_user_id/environment_roles/:id

# Path parameters

Name Type Description
managed_user_id string
required
The Embedded customer ID or external ID.
External IDs must be URL encoded and prefixed with an E, for example: EA2300.
id string
required
The ID of the environment role to update.

# Request body

Name Type Description
environment_role object
required
Defines the updated environment role.
environment_role[name] string
required
The updated name of the environment role. The maximum length is 200 characters.
environment_role[config] object
required
Defines the updated privileges for the role.
environment_role[inheritable] boolean
optional
Child workspaces inherit the role when set to true. The default value is false. This value can only be set to true in Admin AHQ or Embedded partner workspaces.

# Sample request

curl -X PUT 'https://www.workato.com/api/managed_users/19029/environment_roles/1' \
  -H 'Authorization: Bearer <api_token>' \
  -H 'Content-Type: application/json' \
  -d '{
        "environment_role": {
          "name": "Builder",
          "config": { "team": { "privileges": "all" } },
          "inheritable": false
        }
      }'

# Response

{
  "data": {
    "id": 1,
    "name" : "Builder",
    "config": { "team": { "privileges": "all" } },
    "members_count": 0,
    "type": "custom",
    "created_at": "2024-08-02T13:35:11.691-07:00",
    "updated_at": "2024-08-02T13:35:11.691-07:00"
  }
}

# Delete an environment role in a customer workspace

Deletes an environment role in an Embedded customer workspace.

DELETE /api/managed_users/:managed_user_id/environment_roles/:id

# Path parameters

Name Type Description
managed_user_id string
required
The Embedded customer ID or external ID.
External IDs must be URL encoded and prefixed with an E, for example: EA2300.
id string
required
The ID of the environment role to delete.

# Sample request

curl -X DELETE 'https://www.workato.com/api/managed_users/19029/environment_roles/1' \
  -H 'Authorization: Bearer <api_token>'

# Response

A successful request returns a 204 No Content status code. The API deletes the environment role and returns an empty response body.

400 BAD REQUEST

A 400 Bad Request error indicates that the server couldn't process the request due to client-side issues. Common causes include malformed requests, invalid fields, or violations of field constraints, such as unsupported data types.

In the following example, the request fails because the role is still assigned to collaborators:

{ 
  "errors": [
    {
      "code": "bad_request",
      "title": "You can’t delete a role when collaborators are assigned to the role."
    }
  ] 
}


Last updated: 9/9/2025, 2:59:57 PM