
Unique FinanceGPT lets you define Zitadel roles at group level. Each user assigned to such a group (including its sub groups) also gains the Zitadel roles defined on it.

The reverse also applies: if a user is removed from a group that has a Zitadel role assigned, and the user is not a member of any other group with this role, the role is revoked from the user.

Scenario

  • Group Chat has role chat.chat.basic as Zitadel role assigned.

  • Group Admin has role chat.admin.all as Zitadel role assigned and is a sub group of Group Chat.

  • Group Knowledge has role chat.knowledge.read as Zitadel role assigned and is a sub group of Group Chat.

  • Group Feedback has role chat.feedback.read as Zitadel role assigned.

  • User Reto gets assigned to Group Chat. This automatically grants his user the role chat.chat.basic.

  • User Peter gets assigned to Group Admin. This automatically grants his user the roles chat.chat.basic and chat.admin.all.

  • Peter now gets removed from Group Admin and added to Group Feedback. This means the roles chat.chat.basic and chat.admin.all are revoked from User Peter, and he gets the new role chat.feedback.read.

Note: User authorisations (roles) can still be added or removed manually, directly in Zitadel. This can cause data inconsistency and will not be detected by Unique FinanceGPT.

This means Unique does not consider such manual role assignments in Zitadel. This primarily has an impact when a user loses access to a role in Unique FinanceGPT because the user was removed from a Group.

Example: User Harry has been granted the role chat.feedback.read in Zitadel. Now Harry gets removed from a Group that has this chat.feedback.read role assigned, so in Unique he no longer has access to this role. As a result, the chat.feedback.read role is revoked from Harry.
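
The scenario and the manual-assignment caveat above, modelled as an added example (not Unique's or Zitadel's code): the group table mirrors the page, while the data structure and function names are hypothetical. `drift` is an assumed audit step that compares the roles actually granted in Zitadel with those derived from group membership.

```python
# Constructed model of the page's scenario. Group names and roles come from
# the page; the data structure and function names are hypothetical.
GROUPS = {
    "Chat": {"parent": None, "roles": {"chat.chat.basic"}},
    "Admin": {"parent": "Chat", "roles": {"chat.admin.all"}},
    "Knowledge": {"parent": "Chat", "roles": {"chat.knowledge.read"}},
    "Feedback": {"parent": None, "roles": {"chat.feedback.read"}},
}


def group_roles(group):
    """Roles a member of `group` gets: its own plus those of every parent group."""
    roles, seen = set(), set()
    while group is not None and group not in seen:  # `seen` guards against cycles
        seen.add(group)
        roles |= GROUPS[group]["roles"]
        group = GROUPS[group]["parent"]
    return roles


def effective_roles(memberships):
    """Union of the roles derived from all groups the user is a member of."""
    return set().union(*(group_roles(g) for g in memberships))


def membership_change(before, after):
    """(granted, revoked) roles when memberships change from `before` to `after`.
    A role is revoked only if no remaining group still provides it."""
    old, new = effective_roles(before), effective_roles(after)
    return new - old, old - new


def apply_change(zitadel_roles, before, after):
    """Roles held in Zitadel after the sync. Grants made by hand in Zitadel
    are not tracked, so a revoked role is removed even if it was one of them."""
    granted, revoked = membership_change(before, after)
    return (set(zitadel_roles) - revoked) | granted


def drift(zitadel_roles, memberships):
    """Audit check: Zitadel grants that group membership does not explain
    ("unmanaged") and group-derived roles absent from Zitadel ("missing")."""
    expected, actual = effective_roles(memberships), set(zitadel_roles)
    return {"unmanaged": actual - expected, "missing": expected - actual}
```

A non-empty "unmanaged" set from `drift` marks roles that were assigned by hand in Zitadel and that no group membership accounts for.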

Configuration

These role assignments can currently be configured only via API. Use the following curl template to change the role attribute on a group. Adjust the URL, token, groupId, and roles before sending. The user to whom the token belongs needs to have the chat.admin.all role.

APIs & Integrations

Clients or developers can use Unique internal APIs, but must not build any automation or integration with them. These APIs do not guarantee backward compatibility and are excluded from any Service Level Agreement (SLA). Unique will not roll back changes to fix broken integrations caused by updates to internal APIs. Consequently, reliance on these APIs for critical functions is strongly discouraged.

Learn more about the use of Internal APIs.

curl --location 'https://gateway.<baseUrl>/scope-management/graphql' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <yourToken>' \
--data '{"query":"mutation UpdateGroup($updateGroupId: String!, $input: GroupUpdateInput!) {\n  updateGroup(id: $updateGroupId, input: $input) {\n    \n  }\n}","variables":{"updateGroupId":"<groupId>","input":{"roles":["chat.chat.basic","chat.feedback.read"]}}}'