Permissions & Security Configuration

This page describes the API endpoints for user and role permissions as well as domain management.

Warning

These endpoints require administrator rights. Changes take effect immediately for all users in the organization. Incorrect permission changes — e.g. removing PermissionsAdministrate from all users — can permanently lock you and all other administrators out, with no way to restore access via the API.

---

UserPermission

The UserPermission entity defines the permissions for individual users. Each entry contains a list of permissions for various areas. User permissions apply to the entire account or to specific divisions. In the latter case, DivisionIds are set.

Data Model

Property	Type	Description
Id	guid	Unique ID.
UserPermissionId	guid	Permission ID.
ContactIds	guid[]?	List of associated contact IDs.
DivisionIds	guid[]?	List of associated division IDs, if the permission is restricted to a division.
ReadOnlyLicense	bool	Read-Only license.
PermissionsAdministrate	bool	Full administrator access.
PATAccess	bool	Create and use Personal Access Tokens.
ProjectRead	bool	View projects.
ProjectModify	bool	Edit projects.
ProjectCreate	bool	Create projects.
ProjectDelete	bool	Delete projects.
ProjectLock	bool	Lock projects.
ProjectMemberModify	bool	Manage project members.
ProjectPriorityModify	bool	Change project priority.
ProjectRequestCreate	bool	Create project requests.
ProjectRequestRelease	bool	Approve or reject project requests.
TaskItemAccess	bool	View tasks.
TaskItemModify	bool	Edit tasks.
TaskItemDelete	bool	Delete tasks.
TaskItemStateModify	bool	Change task status.
TaskItemCommentAdd	bool	Add comments to tasks.
TaskItemCommentDelete	bool	Delete task comments.
TaskItemProjectFieldsCreate	bool	Create project-defined fields for tasks.
OwnTaskItemAccess	bool	View own tasks only.
OwnTaskItemModify	bool	Edit own tasks only.
OwnTaskItemDelete	bool	Delete own tasks only.
OwnTaskItemStateModify	bool	Change status of own tasks only.
OwnTaskItemCommentDelete	bool	Delete own task comments only.
PrivateTasksCreate	bool	Create private tasks.
TimeEntryAccess	bool	View all time entries.
TimeEntryModify	bool	Edit all time entries.
UserTimeEntryAccess	bool	View own time entries.
UserTimeEntryModify	bool	Edit own time entries.
DocumentAccess	bool	View documents.
DocumentModify	bool	Edit documents.
BudgetAccess	bool	View budgets.
BudgetModify	bool	Edit budgets.
PlanningAccess	bool	View planning.
PlanningModify	bool	Edit planning.
MindMapAccess	bool	View mind maps.
MindMapModify	bool	Edit mind maps.
CheckListAccess	bool	View lists.
CheckListModify	bool	Edit lists.
ManageAccess	bool	View manage tab.
ManageModify	bool	Edit manage tab.
RiskAccess	bool	View risks.
RiskModify	bool	Edit risks.
AssessmentAccess	bool	View project assessments.
AssessmentModify	bool	Edit project assessments.
NoteAccess	bool	View comments.
AddNote	bool	Add comments.
DeleteNote	bool	Delete comments.
DeleteUserNote	bool	Delete own comments only.
ReportRead	bool	View reports.
ReportModify	bool	Edit reports.
ResourceAllocationRead	bool	View workload.
DashboardsAccess	bool	View dashboards.
DashboardsModify	bool	Edit dashboards.
ProjectDashboardAccess	bool	View project dashboards.
ProjectDashboardModify	bool	Edit project dashboards.
PortfoliosModify	bool	Edit portfolios.
ContactsModify	bool	Edit contacts.
ShowContactsSection	bool	Show contacts section in the navigation.
ShowAllContactsInProjects	bool	Show all contacts when adding project members.

Endpoints

List all user permissions

GET/odata/UserPermission

Supports OData query options.

info

This endpoint is disabled by default. Contact InLoox Support if you need help enabling it.

---

Create new user permissions

POST/odata/UserPermission

Parameter	Type	Required	Description
Body	Delta<ApiUserPermission>	✅	JSON object with the permission properties.

---

Functions

Get the current user's permissions

GET/odata/UserPermission/MyGlobalUserPermissionSet()

tip

Use this endpoint to check at runtime which actions are available to the current user.

---

OData Query Examples

GET /odata/UserPermission/MyGlobalUserPermissionSet()

POST /odata/UserPermission
Content-Type: application/json

{
  "ContactIds": ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"],
  "ProjectRead": true,
  "ProjectModify": true,
  "ProjectCreate": true,
  "TaskItemAccess": true,
  "TaskItemModify": true,
  "TimeEntryAccess": true,
  "TimeEntryModify": true,
  "ReadOnlyLicense": false
}

---

RolePermission

The RolePermission entity defines the default permissions for each role. It shares the same permission fields as UserPermission, plus these role-specific configuration fields:

Data Model

Property	Type	Description
RoleType	int	Role type identifier.
RoleEnabled	bool	Whether the role is enabled.
CustomName	string?	Custom role name. Only available in InLoox Enterprise Plus and InLoox Self-Hosted.

info

The GET /odata/RolePermission endpoint returns the full set of permission fields (as in UserPermission above) for each role. The PATCH endpoint accepts the same permission booleans as well as the role-specific fields listed here.

Endpoints

List all role permissions

GET/odata/RolePermission

Supports OData query options.

---

Update a role permission

PATCH/odata/RolePermission({key})

Parameter	Type	Required	Description
key	guid	✅	The ID of the role permission to update.
Body	Delta<ApiRolePermission>	✅	JSON object with the role permission properties.

Warning

Changes to role permissions take effect immediately for all users assigned to that role. Disabling a role or removing critical permissions can lock out entire user groups.

ValidInviteDomain

The ValidInviteDomain entity manages the allowed domains for user invitations. Only email addresses with a domain listed here can be invited.

Data Model

Property	Type	Description
ValidInviteDomainId	guid	Unique domain ID.
DomainName	string	The domain name (e.g. example.com).

Endpoints

List all allowed invite domains

GET/odata/ValidInviteDomain

Supports OData query options.

---

Get an invite domain by ID

GET/odata/ValidInviteDomain({key})

Parameter	Type	Required	Description
key	guid	✅	The ValidInviteDomainId.

---

Add a new invite domain

POST/odata/ValidInviteDomain

Parameter	Type	Required	Description
Body	Delta<ApiValidInviteDomain>	✅	JSON object with the domain properties.

---

Update an invite domain

PATCH/odata/ValidInviteDomain({key})

Parameter	Type	Required	Description
key	guid	✅	The ValidInviteDomainId.
Body	Delta<ApiValidInviteDomain>	✅	JSON object with the domain properties.

---

Delete an invite domain

DELETE/odata/ValidInviteDomain({key})

Parameter	Type	Required	Description
key	guid	✅	The ValidInviteDomainId.

warning

Deleting an invite domain prevents new users with that domain from being invited. This action cannot be undone.

Returns 204 No Content on success.

---

ValidLoginDomain

The ValidLoginDomain entity manages the allowed domains for user login via Microsoft 365. Only users with an email address in one of these domains can sign in, if the domain login policy for Microsoft 365 is active.

Data Model

Property	Type	Description
ValidLoginDomainId	guid	Unique domain ID.
DomainName	string	The domain name (e.g. company.com).

Endpoints

List all allowed Microsoft 365 login domains

GET/odata/ValidLoginDomain

Supports OData query options.

---

Get a Microsoft 365 login domain by ID

GET/odata/ValidLoginDomain({key})

Parameter	Type	Required	Description
key	guid	✅	The ValidLoginDomainId.

---

Add a new Microsoft 365 login domain

POST/odata/ValidLoginDomain

Parameter	Type	Required	Description
Body	Delta<ApiValidLoginDomain>	✅	JSON object with the domain properties.

---

Update a login domain

PATCH/odata/ValidLoginDomain({key})

Parameter	Type	Required	Description
key	guid	✅	The ValidLoginDomainId.
Body	Delta<ApiValidLoginDomain>	✅	JSON object with the domain properties.

---

Delete a login domain

DELETE/odata/ValidLoginDomain({key})

Parameter	Type	Required	Description
key	guid	✅	The ValidLoginDomainId.

warning

Deleting a login domain prevents new users with that domain from signing in.

Returns 204 No Content on success.