The Access Control API provides endpoints to manage and query access control information for Organizations, Projects, Users, and Roles in Globant Enterprise AI, supporting integration with external systems to handle user memberships, role assignments, and access permissions across Organizations and Projects.
For generic variables needed to use the API, see the API Reference.
| Method | Path | Description |
|---|---|---|
| GET | /accessControl/memberships | Lists Organizations and Projects a user (by email) belongs to, including Roles in each. |
| GET | /accessControl/projects/memberships | Lists Projects and Roles for a user (by email) within a specific Organization. |
| GET | /accessControl/projects/roles | Lists all Roles supported by a specific Project. |
| GET | /accessControl/projects/members | Lists all members and their Roles for a specific Project. |
| GET | /accessControl/organizations/members | Lists all members and their Roles for a specific Organization. |
| GET | /accessControl/organization/plugin-runtime-policies | Returns the plugin runtime policies for an organization. |
| POST | /accessControl/v2/accessControl/projects/members | Invites a user to a project and assigns roles. |
| DELETE | /accessControl/projects/{projectIdOrName}/members/{userId} | Removes a user’s access to a project using a valid project identifier (UUID or name) and user ID. |
All endpoints require authentication using one of the following:
- Authorization: Bearer $GEAI_APITOKEN
- Authorization: Bearer $OAuth_accesstoken
For $OAuth_accesstoken, you must also include the header: ProjectId: $GEAI_PROJECT_ID
Given an email, lists all Organizations and Projects the User belongs to, including their Roles in each.
This endpoint requires a $OAuth_accesstoken from the System Administrator or Provisioning Services role.
| Name | Type | Description |
|---|---|---|
| startPage | Integer | Page number for pagination (default: 1) |
| pageSize | Integer | Number of items per page (default: 20) |
| orderKey | String | Field for sorting (only organizationName supported) |
| orderDirection | String | Sort direction: asc or desc (default: desc) |
| userEmail | String | Email address for search (case-insensitive) |
| roleTypes | String | Comma-separated list: backend, frontend (case-insensitive). |
- Method: GET
- Path: $BASE_URL/v2/accessControl/memberships
- Body: Empty
{
  "count": integer, // Total number of Organizations found
  "pages": integer, // Total number of pages
  "organizations": [
    {
      "isStationAvailable": true, // Indicates if the Organization has station available
      "organizationId": "string", // Unique identifier for the Organization
      "organizationName": "string", // Organization name
      "projects": [
        {
          "projectDescription": "string", // Description of the Project
          "projectId": "string", // Unique identifier for the Project
          "projectName": "string", // Project name
          "roles": [
            {
              "id": "string", // Unique identifier for the Role
              "name": "string", // Role name
              "externalId": "string", // External system identifier for the Role
              "type": "string", // Role type: Backend, Frontend, Platform
              "origin": "string" // Role origin: System or User defined
            }
          ]
        }
      ]
    }
  ]
}
curl -X GET "$BASE_URL/v2/accessControl/memberships?userEmail=string&startPage=1&pageSize=3&orderKey=organizationName" \
-H "Authorization: Bearer $GEAI_APITOKEN"
Given an email and an Organization, lists all Projects the User is involved in and their Roles in each Project.
This endpoint requires a $GEAI_APITOKEN with Organization scope or an $OAuth_accesstoken with Organization member permissions.
| Name | Type | Description |
|---|---|---|
| startPage | Integer | Page number for pagination (default: 1) |
| pageSize | Integer | Number of items per page (default: 20) |
| orderKey | String | Field for sorting (only projectName supported) |
| orderDirection | String | Sort direction: asc or desc (default: desc) |
| userEmail | String | Email address for search (case-insensitive) |
| roleTypes | String | Comma-separated list: backend, frontend (case-insensitive). |
- Method: GET
- Path: $BASE_URL/v2/accessControl/projects/memberships
- Body: Empty
{
  "count": integer, // Total number of Projects found
  "pages": integer, // Total number of pages
  "projects": [
    {
      "organizationId": "string", // Organization unique identifier
      "organizationName": "string", // Organization name
      "projectDescription": "string", // Project description
      "projectId": "string", // Project unique identifier
      "projectName": "string", // Project name
      "roles": [
        {
          "id": "string", // Role unique identifier
          "name": "string", // Role name
          "externalId": "string", // External system identifier for the Role
          "type": "string", // Role type: Backend, Frontend, Platform
          "origin": "string" // Role origin: System or User defined
        }
      ]
    }
  ]
}
curl -X GET "$BASE_URL/v2/accessControl/projects/memberships?userEmail=string&startPage=1&pageSize=3&orderKey=projectName" \
-H "Authorization: Bearer $GEAI_APITOKEN" \
-H "organization-id: $GEAI_ORGANIZATIONID"
Given a Project, retrieves all Roles supported by that Project.
This endpoint requires a $GEAI_APITOKEN with Organization scope or an $OAuth_accesstoken with Organization member permissions.
| Name | Type | Description |
|---|---|---|
| startPage | Integer | Page number for pagination (default: 1) |
| pageSize | Integer | Number of items per page (default: 20) |
| orderKey | String | Field for sorting (only name supported) |
| orderDirection | String | Sort direction: asc or desc (default: desc) |
| roleTypes | String | Comma-separated list: backend, frontend (case-insensitive). |
- Method: GET
- Path: $BASE_URL/v2/accessControl/projects/roles
- Body: Empty
{
  "count": integer, // Total number of Roles found
  "pages": integer, // Total number of pages
  "project": {
    "organizationId": "string", // Organization unique identifier
    "organizationName": "string", // Organization name
    "projectDescription": "string", // Project description
    "projectId": "string", // Project unique identifier
    "projectName": "string", // Project name
    "roles": [
      {
        "id": "string", // Role unique identifier
        "name": "string", // Role name
        "externalId": "string", // External system identifier for the Role
        "type": "string", // Role type: Backend, Frontend, Platform
        "origin": "string" // Role origin: System or User defined
      }
    ]
  }
}
curl -X GET "$BASE_URL/v2/accessControl/projects/roles?startPage=1&pageSize=3&orderKey=name" \
-H "Authorization: Bearer $GEAI_APITOKEN" \
-H "project-id: $GEAI_PROJECTID"
Given a Project, lists all members and their Roles.
This endpoint requires a $GEAI_APITOKEN with Organization scope or an $OAuth_accesstoken with Organization member permissions.
| Name | Type | Description |
|---|---|---|
| startPage | Integer | Page number for pagination (default: 1) |
| pageSize | Integer | Number of items per page (default: 20) |
| orderKey | String | Field for sorting (only name supported) |
| orderDirection | String | Sort direction: asc or desc (default: desc) |
| roleTypes | String | Comma-separated list: backend, frontend (case-insensitive). |
- Method: GET
- Path: $BASE_URL/v2/accessControl/projects/members
- Body: Empty
{
  "count": integer, // Total number of members found
  "pages": integer, // Total number of pages
  "project": {
    "organizationId": "string", // Organization unique identifier
    "organizationName": "string", // Organization name
    "projectDescription": "string", // Project description
    "projectId": "string", // Project unique identifier
    "projectName": "string", // Project name
    "members": [
      {
        "id": "string", // User unique identifier
        "name": "string", // User name
        "email": "string", // User email
        "accessType": [
          "string" // Access type: backend, frontend
        ],
        "roles": [
          {
            "id": "string", // Role unique identifier
            "name": "string", // Role name
            "externalId": "string", // External system identifier for the Role
            "type": "string", // Role type: Backend, Frontend, Platform
            "origin": "string" // Role origin: System or User defined
          }
        ]
      }
    ]
  }
}
curl -X GET "$BASE_URL/v2/accessControl/projects/members?startPage=1&pageSize=3&orderKey=name" \
-H "Authorization: Bearer $GEAI_APITOKEN" \
-H "project-id: $GEAI_PROJECTID"
Given an Organization, lists all members and their Roles.
This endpoint requires a $GEAI_APITOKEN with Organization scope or an $OAuth_accesstoken with Organization member permissions.
| Name | Type | Description |
|---|---|---|
| startPage | Integer | Page number for pagination (default: 1) |
| pageSize | Integer | Number of items per page (default: 20) |
| orderKey | String | Field for sorting (only name supported) |
| orderDirection | String | Sort direction: asc or desc (default: desc) |
| roleTypes | String | Only backend is supported for Organizations (case-insensitive). |
- Method: GET
- Path: $BASE_URL/v2/accessControl/organizations/members
- Body: Empty
{
  "count": integer, // Total number of members found
  "pages": integer, // Total number of pages
  "organization": {
    "organizationId": "string", // Organization unique identifier
    "organizationName": "string", // Organization name
    "members": [
      {
        "id": "string", // User unique identifier
        "name": "string", // User name
        "email": "string", // User email
        "accessType": [
          "string" // Access type: backend, frontend
        ],
        "roles": [
          {
            "id": "string", // Role unique identifier
            "name": "string", // Role name
            "externalId": "string", // External system identifier for the Role
            "type": "string", // Role type: Backend
            "origin": "string" // Role origin: System
          }
        ]
      }
    ]
  }
}
curl -X GET "$BASE_URL/v2/accessControl/organizations/members?startPage=1&pageSize=3&orderKey=name" \
-H "Authorization: Bearer $GEAI_APITOKEN" \
-H "organization-id: $GEAI_ORGANIZATIONID"
Retrieves the plugin runtime policies defined for a given organization. If no policies are defined, a message will indicate that individual policies apply.
This endpoint requires a $GEAI_APITOKEN with Organization scope or an $OAuth_accesstoken with Organization member permissions.
- Method: GET
- Path: $BASE_URL/v2/accessControl/organization/plugin-runtime-policies
- Body: Empty
1. Organizations without policies
- Status: 200 OK
- Response Body:
{
  "messages": [
    {
      "description": "string" // Message submitted: "Organization plugin-runtime-policies not defined. Individual policy will apply."
    }
  ]
}
2. Organizations with policies
{
  "policies": {
    "chatSharingPermissions": "string", // Gets the maximum execution permissions for organization Agents at The Station. Values can be "none" (only available to import), "project" (all users in the project can execute it) or "organization" (all users in the organization can execute it).
    "externalExecutionPermissions": "string" // Allows sharing conversation by anonymous users to Workspace. Values can be: "none", "project", "organization"
  }
}
curl -X GET "$BASE_URL/v2/accessControl/organization/plugin-runtime-policies" \
-H "authorization: Bearer $GEAI_APITOKEN" \
-H "content-type: application/json" \
-H "organization-id: $GEAI_ORGANIZATIONID"
Enables authorized administrators to invite users to a project by email and assign one or more project roles. When a valid request is made, the system sends an invitation email. The invited user must accept the invitation to gain access.
- Method: POST
- Path: $BASE_URL/v2/accessControl/projects/members
{
  "userEmail": "string", // Email address of the user to invite. E.g.: "user1@example.com"
  "roles": ["string"] // One or more roles. Allowed role names: "Project member", "Project administrator", "Access all Project Assistants"
}
curl --request POST \
--url "$BASE_URL/v2/accessControl/projects/members" \
--header "authorization: Bearer $GEAI_ORGANIZATION_APITOKEN" \
--header "content-type: application/json" \
--header "project-id: $GEAI_PROJECTID" \
--data '{
  "userEmail": "user1@example.com",
  "roles": [
    "Project administrator",
    "Project member"
  ]
}'
Removes a user’s access to a project using a valid project identifier (UUID or name) and user ID.
- Method: DELETE
- Path: $BASE_URL/accessControl/projects/{projectIdOrName}/members/{userIdOrEmail}
- Request body: Empty
{
  "projectId": "string", // Unique identifier of the project (UUID)
  "projectName": "string", // Project name
  "projectRoles": [ // Roles previously assigned to the user in the project
    "string"
  ],
  "status": "string", // Resulting membership status (e.g., "Revoked")
  "userEmail": "string" // Email of the affected user
}
curl --request DELETE \
--url "$BASE_URL/accessControl/projects/{projectIdOrName}/members/{userIdOrEmail}" \
--header "Authorization: Bearer $GEAI_APITOKEN"
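An offboarding check that combines the memberships listing with the DELETE endpoint, shown as an added example that is not part of the original documentation: it walks every page of GET /v2/accessControl/memberships for one user and builds the DELETE path for each project found. The `fetch_page` callable, `fake_fetch`, `_project` and the sample data are assumptions constructed for illustration; only the paths, query parameters and response field names come from the page.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

MEMBERSHIPS_PATH = "/v2/accessControl/memberships"          # from the page
DELETE_TEMPLATE = "/accessControl/projects/{}/members/{}"   # from the page

def iter_memberships(fetch_page, user_email, page_size=20):
    """Yield (organizationName, project dict) across every result page.

    fetch_page is a hypothetical callable: path-with-query -> parsed JSON.
    """
    page = 1
    while True:
        query = urlencode({"userEmail": user_email, "startPage": page,
                           "pageSize": page_size, "orderKey": "organizationName"})
        body = fetch_page(f"{MEMBERSHIPS_PATH}?{query}")
        for org in body.get("organizations", []):
            for project in org.get("projects", []):
                yield org["organizationName"], project
        if page >= body.get("pages", 1):   # stop on the last reported page
            return
        page += 1

def offboarding_plan(fetch_page, user_email):
    """Return (review rows, DELETE paths) for every project the user is in."""
    rows, deletes = [], []
    for org_name, project in iter_memberships(fetch_page, user_email):
        roles = sorted(role["name"] for role in project.get("roles", []))
        rows.append((org_name, project["projectName"], roles))
        # Percent-encode both path segments; an email contains "@".
        deletes.append(DELETE_TEMPLATE.format(
            quote(project["projectId"], safe=""), quote(user_email, safe="")))
    return rows, deletes

def _project(pid, name, *role_names):   # builds constructed sample data
    return {"projectId": pid, "projectName": name,
            "roles": [{"name": n} for n in role_names]}

# Constructed two-page response set; IDs and names are placeholders.
SAMPLE_PAGES = {
    1: {"count": 2, "pages": 2, "organizations": [{"organizationName": "Org A",
        "projects": [_project("p-001", "Alpha", "Project member", "Project administrator")]}]},
    2: {"count": 2, "pages": 2, "organizations": [{"organizationName": "Org B",
        "projects": [_project("p-002", "Beta", "Project member")]}]},
}

def fake_fetch(path_with_query):
    # Offline stand-in for the HTTP GET, keyed on the startPage parameter.
    return SAMPLE_PAGES[int(parse_qs(urlsplit(path_with_query).query)["startPage"][0])]
```

Reviewing the rows before issuing the DELETE calls gives a record of which roles the user held in each project at the time of removal.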