Skip to main content

Revoke Grants for a Subject

Available since
  • v5.4.2 and later

Endpoint: DELETE /api/auth/subjects/{subjectType}/{subjectId}/grants

Revokes all per-instance grants for a subject. Optionally scoped to a specific resource type. Useful for cleanup when a role-level permission is revoked and the associated per-instance grants need to be cleared as well.

Path parameters

ParameterDescriptionTypeRequired/ Optional
subjectTypeThe type of subject whose grants are being revoked. Supported values:
  • USER: A user in Orkes Conductor.
  • ROLE: A system/custom role.
  • GROUP: A group in Orkes Conductor.
stringRequired.
subjectIdThe unique identifier of the subject (e.g., user email, role name, or group name).stringRequired.

Query parameters

ParameterDescriptionTypeRequired/ Optional
resourceTypeFilter the revocation by resource type. If not specified, all per-instance grants across all resource types are revoked for the subject. Supported values:
  • WORKFLOW
  • WORKFLOW_DEF
  • WORKFLOW_SCHEDULE
  • EVENT_HANDLER
  • TASK_DEF
  • TASK_REF_NAME
  • TASK_ID
  • APPLICATION
  • USER
  • SECRET_NAME
  • ENV_VARIABLE
  • TAG
  • DOMAIN
  • INTEGRATION_PROVIDER
  • INTEGRATION
  • PROMPT
  • USER_FORM_TEMPLATE
  • SCHEMA
  • CLUSTER_CONFIG
  • WEBHOOK
  • API_GATEWAY_SERVICE
  • API_GATEWAY_SERVICE_ROUTE
  • AUTH_CONFIG
  • GROUP
  • ROLE
  • SERVICE_REGISTRY
stringOptional.

Response

Returns a confirmation message.

Examples

Revoke grants for a subject

Request

curl -X 'DELETE' \
'https://<YOUR-SERVER-URL>/api/auth/subjects/USER/jane.doe%40acme.com/grants?resourceType=WORKFLOW_DEF' \
-H 'accept: application/json' \
-H 'X-Authorization: <TOKEN>'

Response

{
"message": "Revoked grants"
}