## CreateRoleAssignment

**post** `/gitpod.v1.GroupService/CreateRoleAssignment`

Creates a role assignment for a group on a resource.

Use this method to:

- Assign specific roles to groups on runners, projects, or environments
- Grant group-based access to resources

### Examples

- Assign admin role on a runner:

  Grants the group admin access to a runner.

  ```yaml
  groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
  resourceType: RESOURCE_TYPE_RUNNER
  resourceId: "f53d2330-3795-4c5d-a1f3-453121af9c60"
  resourceRole: RESOURCE_ROLE_RUNNER_ADMIN
  ```

- Assign user role on a project:

  Grants the group user access to a project.

  ```yaml
  groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
  resourceType: RESOURCE_TYPE_PROJECT
  resourceId: "a1b2c3d4-5678-90ab-cdef-1234567890ab"
  resourceRole: RESOURCE_ROLE_PROJECT_USER
  ```

### Authorization

Requires admin role on the specific resource.

### Body Parameters

- `groupId: optional string`

- `resourceId: optional string`

- `resourceRole: optional ResourceRole`

  ResourceRole represents roles that can be assigned to groups on resources.
  These map directly to the roles defined in backend/db/rule/rbac/role/role.go

  - `"RESOURCE_ROLE_UNSPECIFIED"`
  - `"RESOURCE_ROLE_ORG_ADMIN"`
  - `"RESOURCE_ROLE_ORG_MEMBER"`
  - `"RESOURCE_ROLE_ORG_RUNNERS_ADMIN"`
  - `"RESOURCE_ROLE_ORG_PROJECTS_ADMIN"`
  - `"RESOURCE_ROLE_ORG_AUTOMATIONS_ADMIN"`
  - `"RESOURCE_ROLE_ORG_GROUPS_ADMIN"`
  - `"RESOURCE_ROLE_ORG_AUDIT_LOG_READER"`
  - `"RESOURCE_ROLE_GROUP_ADMIN"`
  - `"RESOURCE_ROLE_GROUP_VIEWER"`
  - `"RESOURCE_ROLE_USER_IDENTITY"`
  - `"RESOURCE_ROLE_USER_VIEWER"`
  - `"RESOURCE_ROLE_USER_ADMIN"`
  - `"RESOURCE_ROLE_ENVIRONMENT_IDENTITY"`
  - `"RESOURCE_ROLE_ENVIRONMENT_ADMIN"`
  - `"RESOURCE_ROLE_ENVIRONMENT_USER"`
  - `"RESOURCE_ROLE_ENVIRONMENT_VIEWER"`
  - `"RESOURCE_ROLE_ENVIRONMENT_RUNNER"`
  - `"RESOURCE_ROLE_RUNNER_IDENTITY"`
  - `"RESOURCE_ROLE_RUNNER_ADMIN"`
  - `"RESOURCE_ROLE_RUNNER_LOCAL_ADMIN"`
  - `"RESOURCE_ROLE_RUNNER_MANAGED_ADMIN"`
  - `"RESOURCE_ROLE_RUNNER_USER"`
  - `"RESOURCE_ROLE_RUNNER_CONFIGURATION_READER"`
  - `"RESOURCE_ROLE_HOST_AUTHENTICATION_TOKEN_ADMIN"`
  - `"RESOURCE_ROLE_HOST_AUTHENTICATION_TOKEN_UPDATER"`
  - `"RESOURCE_ROLE_PROJECT_ADMIN"`
  - `"RESOURCE_ROLE_PROJECT_USER"`
  - `"RESOURCE_ROLE_PROJECT_EDITOR"`
  - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_ADMIN"`
  - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_VIEWER"`
  - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_USER"`
  - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_ENV"`
  - `"RESOURCE_ROLE_ENVIRONMENT_TASK_ADMIN"`
  - `"RESOURCE_ROLE_ENVIRONMENT_TASK_VIEWER"`
  - `"RESOURCE_ROLE_ENVIRONMENT_TASK_USER"`
  - `"RESOURCE_ROLE_ENVIRONMENT_TASK_ENV"`
  - `"RESOURCE_ROLE_SERVICE_ACCOUNT_IDENTITY"`
  - `"RESOURCE_ROLE_SERVICE_ACCOUNT_ADMIN"`
  - `"RESOURCE_ROLE_AGENT_EXECUTION_USER"`
  - `"RESOURCE_ROLE_AGENT_EXECUTION_ADMIN"`
  - `"RESOURCE_ROLE_AGENT_EXECUTION_RUNNER"`
  - `"RESOURCE_ROLE_AGENT_EXECUTION_OUTPUTS_REPORTER"`
  - `"RESOURCE_ROLE_AGENT_EXECUTION_VIEWER"`
  - `"RESOURCE_ROLE_AGENT_ADMIN"`
  - `"RESOURCE_ROLE_AGENT_VIEWER"`
  - `"RESOURCE_ROLE_AGENT_EXECUTOR"`
  - `"RESOURCE_ROLE_WORKFLOW_ADMIN"`
  - `"RESOURCE_ROLE_WORKFLOW_USER"`
  - `"RESOURCE_ROLE_WORKFLOW_VIEWER"`
  - `"RESOURCE_ROLE_WORKFLOW_EXECUTOR"`
  - `"RESOURCE_ROLE_SNAPSHOT_ADMIN"`
  - `"RESOURCE_ROLE_SNAPSHOT_RUNNER"`
  - `"RESOURCE_ROLE_WEBHOOK_ADMIN"`
  - `"RESOURCE_ROLE_WEBHOOK_VIEWER"`
  - `"RESOURCE_ROLE_WARMPOOL_RUNNER"`
  - `"RESOURCE_ROLE_WARMPOOL_ADMIN"`
  - `"RESOURCE_ROLE_WARMPOOL_VIEWER"`
  - `"RESOURCE_ROLE_SESSION_ADMIN"`
  - `"RESOURCE_ROLE_SESSION_USER"`
  - `"RESOURCE_ROLE_TEAM_ADMIN"`
  - `"RESOURCE_ROLE_TEAM_VIEWER"`

- `resourceType: optional ResourceType`

  - `"RESOURCE_TYPE_UNSPECIFIED"`
  - `"RESOURCE_TYPE_ENVIRONMENT"`
  - `"RESOURCE_TYPE_RUNNER"`
  - `"RESOURCE_TYPE_PROJECT"`
  - `"RESOURCE_TYPE_TASK"`
  - `"RESOURCE_TYPE_TASK_EXECUTION"`
  - `"RESOURCE_TYPE_SERVICE"`
  - `"RESOURCE_TYPE_ORGANIZATION"`
  - `"RESOURCE_TYPE_USER"`
  - `"RESOURCE_TYPE_ENVIRONMENT_CLASS"`
  - `"RESOURCE_TYPE_RUNNER_SCM_INTEGRATION"`
  - `"RESOURCE_TYPE_HOST_AUTHENTICATION_TOKEN"`
  - `"RESOURCE_TYPE_GROUP"`
  - `"RESOURCE_TYPE_PERSONAL_ACCESS_TOKEN"`
  - `"RESOURCE_TYPE_USER_PREFERENCE"`
  - `"RESOURCE_TYPE_SERVICE_ACCOUNT"`
  - `"RESOURCE_TYPE_SECRET"`
  - `"RESOURCE_TYPE_SSO_CONFIG"`
  - `"RESOURCE_TYPE_DOMAIN_VERIFICATION"`
  - `"RESOURCE_TYPE_AGENT_EXECUTION"`
  - `"RESOURCE_TYPE_RUNNER_LLM_INTEGRATION"`
  - `"RESOURCE_TYPE_AGENT"`
  - `"RESOURCE_TYPE_ENVIRONMENT_SESSION"`
  - `"RESOURCE_TYPE_USER_SECRET"`
  - `"RESOURCE_TYPE_ORGANIZATION_POLICY"`
  - `"RESOURCE_TYPE_ORGANIZATION_SECRET"`
  - `"RESOURCE_TYPE_PROJECT_ENVIRONMENT_CLASS"`
  - `"RESOURCE_TYPE_BILLING"`
  - `"RESOURCE_TYPE_PROMPT"`
  - `"RESOURCE_TYPE_COUPON"`
  - `"RESOURCE_TYPE_COUPON_REDEMPTION"`
  - `"RESOURCE_TYPE_ACCOUNT"`
  - `"RESOURCE_TYPE_INTEGRATION"`
  - `"RESOURCE_TYPE_WORKFLOW"`
  - `"RESOURCE_TYPE_WORKFLOW_EXECUTION"`
  - `"RESOURCE_TYPE_WORKFLOW_EXECUTION_ACTION"`
  - `"RESOURCE_TYPE_SNAPSHOT"`
  - `"RESOURCE_TYPE_PREBUILD"`
  - `"RESOURCE_TYPE_ORGANIZATION_LLM_INTEGRATION"`
  - `"RESOURCE_TYPE_CUSTOM_DOMAIN"`
  - `"RESOURCE_TYPE_ROLE_ASSIGNMENT_CHANGED"`
  - `"RESOURCE_TYPE_GROUP_MEMBERSHIP_CHANGED"`
  - `"RESOURCE_TYPE_WEBHOOK"`
  - `"RESOURCE_TYPE_SCIM_CONFIGURATION"`
  - `"RESOURCE_TYPE_SERVICE_ACCOUNT_SECRET"`
  - `"RESOURCE_TYPE_ANNOUNCEMENT_BANNER"`
  - `"RESOURCE_TYPE_SERVICE_ACCOUNT_TOKEN"`
  - `"RESOURCE_TYPE_ROLE_ASSIGNMENT"`
  - `"RESOURCE_TYPE_WARM_POOL"`
  - `"RESOURCE_TYPE_NOTIFICATION"`

### Returns

- `assignment: optional RoleAssignment`

  RoleAssignment represents a role assigned to a group on a specific resource

  - `id: optional string`

    Unique identifier for the role assignment

  - `derivedFromOrgRole: optional ResourceRole`

    The org-level role that created this assignment, if any.
    RESOURCE_ROLE_UNSPECIFIED means this is a direct share (manually created).
    Non-zero (e.g., ORG_PROJECTS_ADMIN, ORG_RUNNERS_ADMIN) means this assignment
    was derived from an org-level role.

    - `"RESOURCE_ROLE_UNSPECIFIED"`
    - `"RESOURCE_ROLE_ORG_ADMIN"`
    - `"RESOURCE_ROLE_ORG_MEMBER"`
    - `"RESOURCE_ROLE_ORG_RUNNERS_ADMIN"`
    - `"RESOURCE_ROLE_ORG_PROJECTS_ADMIN"`
    - `"RESOURCE_ROLE_ORG_AUTOMATIONS_ADMIN"`
    - `"RESOURCE_ROLE_ORG_GROUPS_ADMIN"`
    - `"RESOURCE_ROLE_ORG_AUDIT_LOG_READER"`
    - `"RESOURCE_ROLE_GROUP_ADMIN"`
    - `"RESOURCE_ROLE_GROUP_VIEWER"`
    - `"RESOURCE_ROLE_USER_IDENTITY"`
    - `"RESOURCE_ROLE_USER_VIEWER"`
    - `"RESOURCE_ROLE_USER_ADMIN"`
    - `"RESOURCE_ROLE_ENVIRONMENT_IDENTITY"`
    - `"RESOURCE_ROLE_ENVIRONMENT_ADMIN"`
    - `"RESOURCE_ROLE_ENVIRONMENT_USER"`
    - `"RESOURCE_ROLE_ENVIRONMENT_VIEWER"`
    - `"RESOURCE_ROLE_ENVIRONMENT_RUNNER"`
    - `"RESOURCE_ROLE_RUNNER_IDENTITY"`
    - `"RESOURCE_ROLE_RUNNER_ADMIN"`
    - `"RESOURCE_ROLE_RUNNER_LOCAL_ADMIN"`
    - `"RESOURCE_ROLE_RUNNER_MANAGED_ADMIN"`
    - `"RESOURCE_ROLE_RUNNER_USER"`
    - `"RESOURCE_ROLE_RUNNER_CONFIGURATION_READER"`
    - `"RESOURCE_ROLE_HOST_AUTHENTICATION_TOKEN_ADMIN"`
    - `"RESOURCE_ROLE_HOST_AUTHENTICATION_TOKEN_UPDATER"`
    - `"RESOURCE_ROLE_PROJECT_ADMIN"`
    - `"RESOURCE_ROLE_PROJECT_USER"`
    - `"RESOURCE_ROLE_PROJECT_EDITOR"`
    - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_ADMIN"`
    - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_VIEWER"`
    - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_USER"`
    - `"RESOURCE_ROLE_ENVIRONMENT_SERVICE_ENV"`
    - `"RESOURCE_ROLE_ENVIRONMENT_TASK_ADMIN"`
    - `"RESOURCE_ROLE_ENVIRONMENT_TASK_VIEWER"`
    - `"RESOURCE_ROLE_ENVIRONMENT_TASK_USER"`
    - `"RESOURCE_ROLE_ENVIRONMENT_TASK_ENV"`
    - `"RESOURCE_ROLE_SERVICE_ACCOUNT_IDENTITY"`
    - `"RESOURCE_ROLE_SERVICE_ACCOUNT_ADMIN"`
    - `"RESOURCE_ROLE_AGENT_EXECUTION_USER"`
    - `"RESOURCE_ROLE_AGENT_EXECUTION_ADMIN"`
    - `"RESOURCE_ROLE_AGENT_EXECUTION_RUNNER"`
    - `"RESOURCE_ROLE_AGENT_EXECUTION_OUTPUTS_REPORTER"`
    - `"RESOURCE_ROLE_AGENT_EXECUTION_VIEWER"`
    - `"RESOURCE_ROLE_AGENT_ADMIN"`
    - `"RESOURCE_ROLE_AGENT_VIEWER"`
    - `"RESOURCE_ROLE_AGENT_EXECUTOR"`
    - `"RESOURCE_ROLE_WORKFLOW_ADMIN"`
    - `"RESOURCE_ROLE_WORKFLOW_USER"`
    - `"RESOURCE_ROLE_WORKFLOW_VIEWER"`
    - `"RESOURCE_ROLE_WORKFLOW_EXECUTOR"`
    - `"RESOURCE_ROLE_SNAPSHOT_ADMIN"`
    - `"RESOURCE_ROLE_SNAPSHOT_RUNNER"`
    - `"RESOURCE_ROLE_WEBHOOK_ADMIN"`
    - `"RESOURCE_ROLE_WEBHOOK_VIEWER"`
    - `"RESOURCE_ROLE_WARMPOOL_RUNNER"`
    - `"RESOURCE_ROLE_WARMPOOL_ADMIN"`
    - `"RESOURCE_ROLE_WARMPOOL_VIEWER"`
    - `"RESOURCE_ROLE_SESSION_ADMIN"`
    - `"RESOURCE_ROLE_SESSION_USER"`
    - `"RESOURCE_ROLE_TEAM_ADMIN"`
    - `"RESOURCE_ROLE_TEAM_VIEWER"`

  - `groupId: optional string`

    Group identifier

  - `organizationId: optional string`

    Organization identifier

  - `resourceId: optional string`

    Resource identifier

  - `resourceRole: optional ResourceRole`

    Role assigned to the group on this resource

  - `resourceType: optional ResourceType`

    Type of resource (runner, project, environment, etc.)

    - `"RESOURCE_TYPE_UNSPECIFIED"`
    - `"RESOURCE_TYPE_ENVIRONMENT"`
    - `"RESOURCE_TYPE_RUNNER"`
    - `"RESOURCE_TYPE_PROJECT"`
    - `"RESOURCE_TYPE_TASK"`
    - `"RESOURCE_TYPE_TASK_EXECUTION"`
    - `"RESOURCE_TYPE_SERVICE"`
    - `"RESOURCE_TYPE_ORGANIZATION"`
    - `"RESOURCE_TYPE_USER"`
    - `"RESOURCE_TYPE_ENVIRONMENT_CLASS"`
    - `"RESOURCE_TYPE_RUNNER_SCM_INTEGRATION"`
    - `"RESOURCE_TYPE_HOST_AUTHENTICATION_TOKEN"`
    - `"RESOURCE_TYPE_GROUP"`
    - `"RESOURCE_TYPE_PERSONAL_ACCESS_TOKEN"`
    - `"RESOURCE_TYPE_USER_PREFERENCE"`
    - `"RESOURCE_TYPE_SERVICE_ACCOUNT"`
    - `"RESOURCE_TYPE_SECRET"`
    - `"RESOURCE_TYPE_SSO_CONFIG"`
    - `"RESOURCE_TYPE_DOMAIN_VERIFICATION"`
    - `"RESOURCE_TYPE_AGENT_EXECUTION"`
    - `"RESOURCE_TYPE_RUNNER_LLM_INTEGRATION"`
    - `"RESOURCE_TYPE_AGENT"`
    - `"RESOURCE_TYPE_ENVIRONMENT_SESSION"`
    - `"RESOURCE_TYPE_USER_SECRET"`
    - `"RESOURCE_TYPE_ORGANIZATION_POLICY"`
    - `"RESOURCE_TYPE_ORGANIZATION_SECRET"`
    - `"RESOURCE_TYPE_PROJECT_ENVIRONMENT_CLASS"`
    - `"RESOURCE_TYPE_BILLING"`
    - `"RESOURCE_TYPE_PROMPT"`
    - `"RESOURCE_TYPE_COUPON"`
    - `"RESOURCE_TYPE_COUPON_REDEMPTION"`
    - `"RESOURCE_TYPE_ACCOUNT"`
    - `"RESOURCE_TYPE_INTEGRATION"`
    - `"RESOURCE_TYPE_WORKFLOW"`
    - `"RESOURCE_TYPE_WORKFLOW_EXECUTION"`
    - `"RESOURCE_TYPE_WORKFLOW_EXECUTION_ACTION"`
    - `"RESOURCE_TYPE_SNAPSHOT"`
    - `"RESOURCE_TYPE_PREBUILD"`
    - `"RESOURCE_TYPE_ORGANIZATION_LLM_INTEGRATION"`
    - `"RESOURCE_TYPE_CUSTOM_DOMAIN"`
    - `"RESOURCE_TYPE_ROLE_ASSIGNMENT_CHANGED"`
    - `"RESOURCE_TYPE_GROUP_MEMBERSHIP_CHANGED"`
    - `"RESOURCE_TYPE_WEBHOOK"`
    - `"RESOURCE_TYPE_SCIM_CONFIGURATION"`
    - `"RESOURCE_TYPE_SERVICE_ACCOUNT_SECRET"`
    - `"RESOURCE_TYPE_ANNOUNCEMENT_BANNER"`
    - `"RESOURCE_TYPE_SERVICE_ACCOUNT_TOKEN"`
    - `"RESOURCE_TYPE_ROLE_ASSIGNMENT"`
    - `"RESOURCE_TYPE_WARM_POOL"`
    - `"RESOURCE_TYPE_NOTIFICATION"`

### Example

```http
curl https://app.gitpod.io/api/gitpod.v1.GroupService/CreateRoleAssignment \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $GITPOD_API_KEY" \
    -d '{}'
```

#### Response

```json
{
  "assignment": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "derivedFromOrgRole": "RESOURCE_ROLE_UNSPECIFIED",
    "groupId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "resourceId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "resourceRole": "RESOURCE_ROLE_UNSPECIFIED",
    "resourceType": "RESOURCE_TYPE_UNSPECIFIED"
  }
}
```
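
An added example, not part of the Gitpod documentation: it validates a grant before the request is sent and then checks the returned `assignment` against what was asked for, using the field and enum names from this page. The `ALLOWED` allowlist, the function names and the finding labels are assumptions chosen for illustration.

```python
import json
import uuid

# Local allowlist (an assumption for illustration, not a rule stated by the API):
# the roles this organization permits groups to hold on each resource type.
ALLOWED = {
    "RESOURCE_TYPE_RUNNER": {"RESOURCE_ROLE_RUNNER_ADMIN", "RESOURCE_ROLE_RUNNER_USER"},
    "RESOURCE_TYPE_PROJECT": {"RESOURCE_ROLE_PROJECT_ADMIN", "RESOURCE_ROLE_PROJECT_EDITOR",
                              "RESOURCE_ROLE_PROJECT_USER"},
}
FIELDS = ("groupId", "resourceType", "resourceId", "resourceRole")


def build_body(group_id, resource_type, resource_id, resource_role):
    """Validate a grant against ALLOWED and return the request body as a dict."""
    for name, value in (("groupId", group_id), ("resourceId", resource_id)):
        try:
            uuid.UUID(value)
        except (ValueError, TypeError, AttributeError):
            raise ValueError(f"{name} is not a UUID: {value!r}") from None
    if resource_role not in ALLOWED.get(resource_type, set()):
        raise ValueError(f"{resource_role} is not allowed on {resource_type}")
    return dict(zip(FIELDS, (group_id, resource_type, resource_id, resource_role)))


def review_assignment(response, requested):
    """Compare the returned RoleAssignment with the request and tag the grant."""
    got = response.get("assignment") or {}
    findings = [f"mismatch:{k}" for k in FIELDS if got.get(k) != requested[k]]
    # Per the page: RESOURCE_ROLE_UNSPECIFIED here means a manually created direct share.
    derived = got.get("derivedFromOrgRole") or "RESOURCE_ROLE_UNSPECIFIED"
    findings.append("direct-share" if derived == "RESOURCE_ROLE_UNSPECIFIED"
                    else f"derived:{derived}")
    if str(got.get("resourceRole", "")).endswith("_ADMIN"):
        findings.append("admin-grant")
    return findings


if __name__ == "__main__":
    # Identifiers below are the ones from the page's runner example.
    body = build_body("d2c94c27-3b76-4a42-b88c-95a85e392c68", "RESOURCE_TYPE_RUNNER",
                      "f53d2330-3795-4c5d-a1f3-453121af9c60",
                      "RESOURCE_ROLE_RUNNER_ADMIN")
    print(json.dumps(body, indent=2))  # pass this as the value of curl's -d
    # Constructed response: the request echoed back as a direct share.
    reply = {"assignment": dict(body, id="00000000-0000-0000-0000-000000000000",
                                derivedFromOrgRole="RESOURCE_ROLE_UNSPECIFIED")}
    print(review_assignment(reply, body))
```

Direct admin grants are the ones worth routing to review, since they are not explained by an org-level role.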