# Get effective permissions Resolve a user's effective permissions within an organization. This aggregates capabilities from all assigned roles, deduplicates them, and determines the user's department scope. #### Path Parameters **`organization_id`** string required Organization ID (org_ prefixed string). **`user_id`** string required User ID to resolve permissions for (usr_ prefixed string). ## Returns An effective permissions object containing: - `user_id` - The user whose permissions were resolved - `capabilities` - Deduplicated list of all capability strings from assigned roles - `department_scope` - Either `"global"` (for users with `override_all_permissions`) or an array of department IDs - `role_ids` - List of all role IDs assigned to this user - `resolved_at` - ISO 8601 timestamp of when permissions were resolved Request ```bash cURL curl "https://api.aitronos.com/v1/organizations/org_abc123/users/usr_target456/effective-permissions" \ -H "Authorization: Bearer $ACCESS_TOKEN" ``` ```python Python SDK from aitronos import Aitronos client = Aitronos(api_key="your-api-key") permissions = client.organizations.users.effective_permissions( organization_id="org_abc123", user_id="usr_target456", ) print(permissions) ``` ```python Python import requests response = requests.get( "https://api.aitronos.com/v1/organizations/org_abc123/users/usr_target456/effective-permissions", headers={"Authorization": "Bearer YOUR_ACCESS_TOKEN"}, ) print(response.json()) ``` ```javascript JavaScript const response = await fetch( "https://api.aitronos.com/v1/organizations/org_abc123/users/usr_target456/effective-permissions", { headers: { Authorization: "Bearer YOUR_ACCESS_TOKEN" }, } ); const permissions = await response.json(); console.log(permissions); ``` Response ```json 200 OK - Admin user { "user_id": "usr_target456", "capabilities": [ "manage_users", "invite_users", "deactivate_users", "remove_users", "manage_departments", "create_subdepartments", "reparent_departments", "manage_roles", "assign_roles", "view_audit_log", "export_audit_log", "manage_knowledge_slices", "manage_billing", "override_all_permissions" ], "department_scope": "global", "role_ids": ["role_owner123"], "resolved_at": "2026-01-15T10:30:00+00:00" } ``` ```json 200 OK - Department manager { "user_id": "usr_manager789", "capabilities": [ "manage_users", "invite_users", "deactivate_users", "create_subdepartments", "manage_knowledge_slices", "view_audit_log" ], "department_scope": ["dept_abc123", "dept_def456"], "role_ids": ["role_deptmgr123"], "resolved_at": "2026-01-15T10:30:00+00:00" } ``` ```json 404 Not Found { "success": false, "error": { "code": "MEMBER_NOT_FOUND", "message": "The specified user is not a member of this organization.", "system_message": "the specified user is not a member of this organization.", "type": "client_error", "status": 404, "details": { "user_id": "usr_nonexistent" }, "trace_id": "abc-123-def", "timestamp": "2026-01-15T10:30:00Z" } } ``` ## Available Capabilities | Capability | Description | | --- | --- | | `manage_users` | Manage user accounts within scope | | `invite_users` | Send invitations to new users | | `deactivate_users` | Deactivate user accounts | | `remove_users` | Remove users from organization | | `manage_departments` | Create and manage departments | | `create_subdepartments` | Create sub-departments | | `reparent_departments` | Move departments in hierarchy | | `manage_roles` | Create and edit roles | | `assign_roles` | Assign roles to users | | `view_audit_log` | View audit log entries | | `export_audit_log` | Export audit log data | | `manage_knowledge_slices` | Manage knowledge slice access | | `manage_billing` | Manage billing and subscriptions | | `override_all_permissions` | Full access across all departments | ## Related Resources - [Retrieve role](/docs/api-reference/organizations/roles/retrieve) - [List capabilities](/docs/api-reference/organizations/roles/capabilities) - [Assign role member](/docs/api-reference/organizations/roles/assign-member) - [Remove role member](/docs/api-reference/organizations/roles/remove-member) - [List roles](/docs/api-reference/organizations/management/list-roles)