feat(authorization): add role assignment methods by swaroopAkkineniWorkos · Pull Request #1474 · workos/workos-node

swaroopAkkineniWorkos · 2026-02-11T14:37:16Z

linear: https://linear.app/workos/issue/ENT-4372/sdk-updates

I decided to break up the work for ENT-4372 into a smaller pr's that we can be easily reviewed and merge them into ENT-4372-base-authorization-branch. Then we can have one final merge that merges ENT-4372-base-authorization-branch into the main.

desc: the goal of this pr is to implement the following endpoints in the node sdk.

listRoleAssignments() | GET /authorization/organization_memberships/{om_id}/role_assignments
assignRole() | POST /authorization/organization_memberships/{om_id}/role_assignments
removeRole() | DELETE /authorization/organization_memberships/{om_id}/role_assignments
removeRoleAssignment() | DELETE /authorization/organization_memberships/{om_id}/role_assignments/{ra_id}

listRoleAssignments() ~ https://github.com/workos/workos/blob/1bf21e074e2cde476d83660ca41e05853fa081b8/packages/api/src/authorization/authorization-role-assignments.controller.ts#L83
assignRole() ~ https://github.com/workos/workos/blob/1bf21e074e2cde476d83660ca41e05853fa081b8/packages/api/src/authorization/authorization-role-assignments.controller.ts#L140
removeRole() ~ https://github.com/workos/workos/blob/1bf21e074e2cde476d83660ca41e05853fa081b8/packages/api/src/authorization/authorization-role-assignments.controller.ts#L205
removeRoleAssignment() ~ https://github.com/workos/workos/blob/1bf21e074e2cde476d83660ca41e05853fa081b8/packages/api/src/authorization/authorization-role-assignments.controller.ts#L264

linear · 2026-02-11T14:37:21Z

ENT-4372 SDK Updates

swaroopAkkineniWorkos · 2026-02-11T15:37:19Z

@greptile do a first pass review plz

greptile-apps · 2026-02-11T15:47:52Z

Greptile Overview

Greptile Summary

This PR implements four role assignment methods for the WorkOS Node SDK's authorization module: listRoleAssignments, assignRole, removeRole, and removeRoleAssignment. The implementation follows existing patterns in the codebase with proper serialization/deserialization, comprehensive test coverage, and support for both resource ID and external ID + type slug identification.

Key Changes:

Added 4 new methods to the Authorization class following RESTful conventions
Implemented proper serialization for camelCase (SDK) to snake_case (API) conversion
Added comprehensive test suite covering pagination, both resource identification patterns, and edge cases
Created well-structured TypeScript interfaces separating SDK and API response types
Included test fixtures matching the expected API response format

Testing:
All methods have thorough test coverage including pagination parameters, both resource identification approaches (ID vs external ID + type slug), and proper verification that serialization only includes relevant fields.

Confidence Score: 5/5

This PR is safe to merge with minimal risk
The implementation follows established patterns in the codebase, has comprehensive test coverage for all methods and edge cases, properly handles serialization/deserialization, and includes no security concerns or custom rule violations
No files require special attention

Important Files Changed

Filename	Overview
src/authorization/authorization.ts	Added 4 new role assignment methods (`listRoleAssignments`, `assignRole`, `removeRole`, `removeRoleAssignment`) with proper error handling and serialization
src/authorization/authorization.spec.ts	Comprehensive test coverage for all 4 new methods, including pagination, resource ID vs external ID patterns, and edge cases
src/authorization/serializers/assign-role-options.serializer.ts	Properly serializes camelCase to snake_case with conditional inclusion of resource identification fields
src/authorization/serializers/remove-role-options.serializer.ts	Properly serializes camelCase to snake_case with conditional inclusion of resource identification fields
src/authorization/serializers/role-assignment.serializer.ts	Correctly deserializes API responses, converting snake_case to camelCase for the SDK interface
src/authorization/interfaces/role-assignment.interface.ts	Well-defined TypeScript interfaces for role assignments with proper separation of SDK and API response types

Sequence Diagram

sequenceDiagram
    participant Client
    participant SDK as Authorization SDK
    participant Serializer
    participant API as WorkOS API

    Note over Client,API: List Role Assignments
    Client->>SDK: listRoleAssignments(options)
    SDK->>API: GET /authorization/organization_memberships/{id}/role_assignments
    API-->>SDK: RoleAssignmentListResponse (snake_case)
    SDK->>Serializer: deserializeRoleAssignment()
    Serializer-->>SDK: RoleAssignment (camelCase)
    SDK-->>Client: RoleAssignmentList

    Note over Client,API: Assign Role
    Client->>SDK: assignRole(options)
    SDK->>Serializer: serializeAssignRoleOptions()
    Serializer-->>SDK: SerializedOptions (snake_case)
    SDK->>API: POST /authorization/organization_memberships/{id}/role_assignments
    API-->>SDK: RoleAssignmentResponse (snake_case)
    SDK->>Serializer: deserializeRoleAssignment()
    Serializer-->>SDK: RoleAssignment (camelCase)
    SDK-->>Client: RoleAssignment

    Note over Client,API: Remove Role (by resource)
    Client->>SDK: removeRole(options)
    SDK->>Serializer: serializeRemoveRoleOptions()
    Serializer-->>SDK: Query params (snake_case)
    SDK->>API: DELETE /authorization/organization_memberships/{id}/role_assignments?params
    API-->>SDK: 204 No Content
    SDK-->>Client: void

    Note over Client,API: Remove Role Assignment (by ID)
    Client->>SDK: removeRoleAssignment(options)
    SDK->>API: DELETE /authorization/organization_memberships/{id}/role_assignments/{ra_id}
    API-->>SDK: 204 No Content
    SDK-->>Client: void

greptile-apps

_{14 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

greptile-apps

_{14 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

atainter · 2026-02-11T22:17:53Z

src/authorization/interfaces/remove-role-options.interface.ts

+  organizationMembershipId: string;
+  roleSlug: string;
+  resourceId?: string;
+  resourceExternalId?: string;


I wonder if we should actually make resource argument this for all endpoints

resource: {id: string} | {external_id: string, type_slug: string}

Because we also have it for remove/assign role options

It could be a union of types

type ResourceOptions = {id: string} | {external_id: string, type_slug: string}[3:17 PM]export interface RemoveRoleOptions { organizationMembershipId: string; roleSlug: string; resource: ResourceOptions }

@atainter updated to follow this pattern 1ffafc4

atainter · 2026-02-11T22:19:13Z

src/authorization/authorization.ts

    await this.workos.delete(`/authorization/resources/${resourceId}`);
  }
+
+  // phase 3


Suggested change

// phase 3

atainter · 2026-02-12T20:14:46Z

src/authorization/fixtures/role-assignment.json

+    },
+    "created_at": "2024-01-15T09:30:00.000Z",
+    "updated_at": "2024-01-15T09:30:00.000Z"
+  }


nit newline

atainter · 2026-02-12T20:15:47Z

src/authorization/authorization.spec.ts

 const testOrgId = 'org_01HXYZ123ABC456DEF789ABC';
 const testResourceId = 'authz_resource_01HXYZ123ABC456DEF789ABC';
 const testOrgMembershipId = 'om_01HXYZ123ABC456DEF789ABC';
+const testRoleAssignmentId = 'ra_01HXYZ123ABC456DEF789ABC';


nit the ids are prefixed with role_assignment_

Adding these endpoints to the sdk #1471 ``` getResource() ~ GET /authorization/resources/{resource_id} createResource() ~ POST /authorization/resources updateResource() ~ PATCH /authorization/resources/{resource_id} deleteResource() ~ DELETE /authorization/resources/{resource_id} ``` #1473 ``` check() | POST /authorization/organization_memberships/{om_id}/check ``` #1472 ``` listResources() | GET /authorization/organizations/{org_id}/resources getResourceByExternalId() | GET /authorization/organizations/{org_id}/resources/{type}/{external_id} updateResourceByExternalId() | PATCH /authorization/organizations/{org_id}/resources/{type}/{external_id} deleteResourceByExternalId() | DELETE /authorization/organizations/{org_id}/resources/{type}/{external_id} ``` #1474 ``` listRoleAssignments() | GET /authorization/organization_memberships/{om_id}/role_assignments assignRole() | POST /authorization/organization_memberships/{om_id}/role_assignments removeRole() | DELETE /authorization/organization_memberships/{om_id}/role_assignments removeRoleAssignment() | DELETE /authorization/organization_memberships/{om_id}/role_assignments/{ra_id} ``` #1478 ``` listResourcesForMembership() | GET /authorization/organization_memberships/{om_id}/resources listMembershipsForResource() | GET /authorization/resources/{resource_id}/organization_memberships listMembershipsForResourceByExternalId() | GET /authorization/organizations/{org_id}/resources/{type}/{external_id}/organization_memberships ```

greptile-apps bot reviewed Feb 11, 2026

View reviewed changes

swaroopAkkineniWorkos marked this pull request as ready for review February 11, 2026 16:34

swaroopAkkineniWorkos requested a review from a team as a code owner February 11, 2026 16:34

swaroopAkkineniWorkos requested review from atainter, csrbarber, mattgd and rwtombaugh and removed request for a team February 11, 2026 16:34

greptile-apps bot reviewed Feb 11, 2026

View reviewed changes

Base automatically changed from ENT-4372-Internal-ID to ENT-4372-base-authorization-branch February 11, 2026 19:12

atainter reviewed Feb 11, 2026

View reviewed changes

lol

e1f0d82

swaroopAkkineniWorkos force-pushed the ENt-4372-Role-Assignment branch from 686a33c to e1f0d82 Compare February 12, 2026 15:58

moar

79ec46b

swaroopAkkineniWorkos mentioned this pull request Feb 12, 2026

Authorization Resources endpoints for Internal ID (#1471) #1479

Merged

atainter approved these changes Feb 12, 2026

View reviewed changes

lol

ef777b5

swaroopAkkineniWorkos merged commit 1685f82 into ENT-4372-base-authorization-branch Feb 12, 2026
8 checks passed

swaroopAkkineniWorkos deleted the ENt-4372-Role-Assignment branch February 12, 2026 20:45

Conversation

swaroopAkkineniWorkos commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

linear bot commented Feb 11, 2026

Uh oh!

swaroopAkkineniWorkos commented Feb 11, 2026

Uh oh!

greptile-apps bot commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Greptile Overview

Greptile Summary

Confidence Score: 5/5

Important Files Changed

Sequence Diagram

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

atainter Feb 11, 2026

Choose a reason for hiding this comment

Uh oh!

swaroopAkkineniWorkos Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

atainter Feb 11, 2026

Choose a reason for hiding this comment

Uh oh!

swaroopAkkineniWorkos Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

atainter Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

swaroopAkkineniWorkos Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

atainter Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

swaroopAkkineniWorkos Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

swaroopAkkineniWorkos commented Feb 11, 2026 •

edited

Loading

greptile-apps bot commented Feb 11, 2026 •

edited

Loading

swaroopAkkineniWorkos Feb 12, 2026 •

edited

Loading