Skip to content

Add authorization environment roles support#550

Merged
csrbarber merged 3 commits intofeature/ent-4799-workos-python-org-rolesfrom
feature/ent-4799-workos-python-env-roles
Feb 17, 2026
Merged

Add authorization environment roles support#550
csrbarber merged 3 commits intofeature/ent-4799-workos-python-org-rolesfrom
feature/ent-4799-workos-python-env-roles

Conversation

@csrbarber
Copy link
Contributor

Description

Add CRUD operations for environment roles including create, list, get, update, set/add permissions on the authorization module.

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[X] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

csrbarber and others added 2 commits February 13, 2026 10:54
Add CRUD operations for environment roles including create, list, get,
update, set/add permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The list and get organization role endpoints can return both
EnvironmentRole and OrganizationRole types. This aligns the
Python SDK return types with the Node SDK.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@csrbarber csrbarber requested a review from a team as a code owner February 13, 2026 15:43
@csrbarber csrbarber requested review from gcarvelli and removed request for a team February 13, 2026 15:43
@linear
Copy link

linear bot commented Feb 13, 2026

ENT-4799 workos-python

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Feb 13, 2026

Greptile Overview

Greptile Summary

Added comprehensive CRUD operations for environment roles in the authorization module, including create, list, get, update, and permission management endpoints. Introduced a Role union type that discriminates between EnvironmentRole and OrganizationRole, allowing the organization role endpoints to return either type through Pydantic's discriminated union feature.

Key Changes:

  • Implemented 6 new environment role methods with both sync and async variants
  • Created EnvironmentRole model mirroring OrganizationRole structure but without organization_id field
  • Added Role union type with type field discriminator for polymorphic role handling
  • Updated organization role list/get methods to return RoleList/Role union types instead of concrete types
  • Added comprehensive test coverage with 6 new test cases using consistent mocking patterns

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation follows established patterns in the codebase, includes both sync and async variants, has comprehensive test coverage, uses proper Pydantic discriminated unions for type safety, and mirrors the existing organization role structure
  • No files require special attention

Important Files Changed

Filename Overview
workos/types/authorization/role.py Introduced Role union type with discriminator for EnvironmentRole and OrganizationRole, and RoleList for listing both role types
workos/types/authorization/environment_role.py Added EnvironmentRole model with proper fields and type discriminator, mirroring OrganizationRole structure
workos/authorization.py Implemented complete CRUD operations for environment roles (create, list, get, update, set/add permissions) with both sync and async support
tests/test_authorization.py Added comprehensive test coverage for all environment role operations with proper assertions and mocking

Sequence Diagram

sequenceDiagram
    participant Client
    participant Authorization
    participant HTTPClient
    participant API as WorkOS API

    Note over Client,API: Create Environment Role
    Client->>Authorization: create_environment_role(slug, name, description)
    Authorization->>HTTPClient: POST /authorization/roles
    HTTPClient->>API: Request with {slug, name, description}
    API-->>HTTPClient: 201 Created (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: List Environment Roles
    Client->>Authorization: list_environment_roles()
    Authorization->>HTTPClient: GET /authorization/roles
    HTTPClient->>API: Request
    API-->>HTTPClient: 200 OK (EnvironmentRoleList JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRoleList object

    Note over Client,API: Get Environment Role
    Client->>Authorization: get_environment_role(slug)
    Authorization->>HTTPClient: GET /authorization/roles/{slug}
    HTTPClient->>API: Request
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: Update Environment Role
    Client->>Authorization: update_environment_role(slug, name, description)
    Authorization->>HTTPClient: PATCH /authorization/roles/{slug}
    HTTPClient->>API: Request with {name, description}
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: Set Role Permissions
    Client->>Authorization: set_environment_role_permissions(slug, permissions)
    Authorization->>HTTPClient: PUT /authorization/roles/{slug}/permissions
    HTTPClient->>API: Request with {permissions}
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: Add Role Permission
    Client->>Authorization: add_environment_role_permission(slug, permission_slug)
    Authorization->>HTTPClient: POST /authorization/roles/{slug}/permissions
    HTTPClient->>API: Request with {slug: permission_slug}
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object
Loading

Last reviewed commit: d7496b7

Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

Comment on lines +1 to +4
from workos.types.authorization.environment_role import (
EnvironmentRole as EnvironmentRole,
EnvironmentRoleList as EnvironmentRoleList,
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the as needed here on the imports?

* Add authorization event and webhook types

Add event and webhook types for organization_role (created, updated,
deleted) and permission (created, updated, deleted) to support
authorization-related event streaming and webhook delivery.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Distinct type for organization role events

* mypy

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@csrbarber csrbarber merged commit 871b4ea into feature/ent-4799-workos-python-org-roles Feb 17, 2026
8 checks passed
@csrbarber csrbarber deleted the feature/ent-4799-workos-python-env-roles branch February 17, 2026 15:23
csrbarber added a commit that referenced this pull request Feb 17, 2026
* Add authorization organization roles support

Add CRUD operations for organization roles including create, list, get,
update, set/add/remove permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* format

* Add authorization environment roles support (#550)

* Add authorization environment roles support

Add CRUD operations for environment roles including create, list, get,
update, set/add permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Use Role union type for list/get organization role endpoints

The list and get organization role endpoints can return both
EnvironmentRole and OrganizationRole types. This aligns the
Python SDK return types with the Node SDK.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization event and webhook types (#551)

* Add authorization event and webhook types

Add event and webhook types for organization_role (created, updated,
deleted) and permission (created, updated, deleted) to support
authorization-related event streaming and webhook delivery.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Distinct type for organization role events

* mypy

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
csrbarber added a commit that referenced this pull request Feb 17, 2026
* Add authorization organization roles support

Add CRUD operations for organization roles including create, list, get,
update, set/add/remove permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* format

* Add authorization environment roles support (#550)

* Add authorization environment roles support

Add CRUD operations for environment roles including create, list, get,
update, set/add permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Use Role union type for list/get organization role endpoints

The list and get organization role endpoints can return both
EnvironmentRole and OrganizationRole types. This aligns the
Python SDK return types with the Node SDK.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization event and webhook types (#551)

* Add authorization event and webhook types

Add event and webhook types for organization_role (created, updated,
deleted) and permission (created, updated, deleted) to support
authorization-related event streaming and webhook delivery.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Distinct type for organization role events

* mypy

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
gjtorikian pushed a commit that referenced this pull request Feb 17, 2026
* Add authorization permissions support

Introduce the authorization module with CRUD operations for permissions
including create, list (paginated), get, update (PATCH), and delete.
Register the module on both sync and async clients.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization organization roles support (#549)

* Add authorization organization roles support

Add CRUD operations for organization roles including create, list, get,
update, set/add/remove permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* format

* Add authorization environment roles support (#550)

* Add authorization environment roles support

Add CRUD operations for environment roles including create, list, get,
update, set/add permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Use Role union type for list/get organization role endpoints

The list and get organization role endpoints can return both
EnvironmentRole and OrganizationRole types. This aligns the
Python SDK return types with the Node SDK.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization event and webhook types (#551)

* Add authorization event and webhook types

Add event and webhook types for organization_role (created, updated,
deleted) and permission (created, updated, deleted) to support
authorization-related event streaming and webhook delivery.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Distinct type for organization role events

* mypy

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* Remove aliasing, format

* Format, types

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants