Add authorization environment roles support by csrbarber · Pull Request #550 · workos/workos-python

csrbarber · 2026-02-13T15:43:46Z

Description

Add CRUD operations for environment roles including create, list, get, update, set/add permissions on the authorization module.

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[X] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

Add CRUD operations for environment roles including create, list, get, update, set/add permissions on the authorization module. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The list and get organization role endpoints can return both EnvironmentRole and OrganizationRole types. This aligns the Python SDK return types with the Node SDK. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

linear · 2026-02-13T15:43:51Z

ENT-4799 workos-python

greptile-apps · 2026-02-13T15:46:20Z

Greptile Overview

Greptile Summary

Added comprehensive CRUD operations for environment roles in the authorization module, including create, list, get, update, and permission management endpoints. Introduced a Role union type that discriminates between EnvironmentRole and OrganizationRole, allowing the organization role endpoints to return either type through Pydantic's discriminated union feature.

Key Changes:

Implemented 6 new environment role methods with both sync and async variants
Created EnvironmentRole model mirroring OrganizationRole structure but without organization_id field
Added Role union type with type field discriminator for polymorphic role handling
Updated organization role list/get methods to return RoleList/Role union types instead of concrete types
Added comprehensive test coverage with 6 new test cases using consistent mocking patterns

Confidence Score: 5/5

This PR is safe to merge with minimal risk
The implementation follows established patterns in the codebase, includes both sync and async variants, has comprehensive test coverage, uses proper Pydantic discriminated unions for type safety, and mirrors the existing organization role structure
No files require special attention

Important Files Changed

Filename	Overview
workos/types/authorization/role.py	Introduced `Role` union type with discriminator for `EnvironmentRole` and `OrganizationRole`, and `RoleList` for listing both role types
workos/types/authorization/environment_role.py	Added `EnvironmentRole` model with proper fields and `type` discriminator, mirroring `OrganizationRole` structure
workos/authorization.py	Implemented complete CRUD operations for environment roles (create, list, get, update, set/add permissions) with both sync and async support
tests/test_authorization.py	Added comprehensive test coverage for all environment role operations with proper assertions and mocking

Sequence Diagram

sequenceDiagram
    participant Client
    participant Authorization
    participant HTTPClient
    participant API as WorkOS API

    Note over Client,API: Create Environment Role
    Client->>Authorization: create_environment_role(slug, name, description)
    Authorization->>HTTPClient: POST /authorization/roles
    HTTPClient->>API: Request with {slug, name, description}
    API-->>HTTPClient: 201 Created (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: List Environment Roles
    Client->>Authorization: list_environment_roles()
    Authorization->>HTTPClient: GET /authorization/roles
    HTTPClient->>API: Request
    API-->>HTTPClient: 200 OK (EnvironmentRoleList JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRoleList object

    Note over Client,API: Get Environment Role
    Client->>Authorization: get_environment_role(slug)
    Authorization->>HTTPClient: GET /authorization/roles/{slug}
    HTTPClient->>API: Request
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: Update Environment Role
    Client->>Authorization: update_environment_role(slug, name, description)
    Authorization->>HTTPClient: PATCH /authorization/roles/{slug}
    HTTPClient->>API: Request with {name, description}
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: Set Role Permissions
    Client->>Authorization: set_environment_role_permissions(slug, permissions)
    Authorization->>HTTPClient: PUT /authorization/roles/{slug}/permissions
    HTTPClient->>API: Request with {permissions}
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

    Note over Client,API: Add Role Permission
    Client->>Authorization: add_environment_role_permission(slug, permission_slug)
    Authorization->>HTTPClient: POST /authorization/roles/{slug}/permissions
    HTTPClient->>API: Request with {slug: permission_slug}
    API-->>HTTPClient: 200 OK (EnvironmentRole JSON)
    HTTPClient-->>Authorization: Response
    Authorization-->>Client: EnvironmentRole object

_{Last reviewed commit: d7496b7}

greptile-apps

_{6 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

mattgd · 2026-02-17T14:05:50Z

workos/types/authorization/__init__.py

+from workos.types.authorization.environment_role import (
+    EnvironmentRole as EnvironmentRole,
+    EnvironmentRoleList as EnvironmentRoleList,
+)


Is the as needed here on the imports?

* Add authorization event and webhook types Add event and webhook types for organization_role (created, updated, deleted) and permission (created, updated, deleted) to support authorization-related event streaming and webhook delivery. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Distinct type for organization role events * mypy --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization organization roles support Add CRUD operations for organization roles including create, list, get, update, set/add/remove permissions on the authorization module. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * format * Add authorization environment roles support (#550) * Add authorization environment roles support Add CRUD operations for environment roles including create, list, get, update, set/add permissions on the authorization module. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Use Role union type for list/get organization role endpoints The list and get organization role endpoints can return both EnvironmentRole and OrganizationRole types. This aligns the Python SDK return types with the Node SDK. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add authorization event and webhook types (#551) * Add authorization event and webhook types Add event and webhook types for organization_role (created, updated, deleted) and permission (created, updated, deleted) to support authorization-related event streaming and webhook delivery. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Distinct type for organization role events * mypy --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization permissions support Introduce the authorization module with CRUD operations for permissions including create, list (paginated), get, update (PATCH), and delete. Register the module on both sync and async clients. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add authorization organization roles support (#549) * Add authorization organization roles support Add CRUD operations for organization roles including create, list, get, update, set/add/remove permissions on the authorization module. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * format * Add authorization environment roles support (#550) * Add authorization environment roles support Add CRUD operations for environment roles including create, list, get, update, set/add permissions on the authorization module. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Use Role union type for list/get organization role endpoints The list and get organization role endpoints can return both EnvironmentRole and OrganizationRole types. This aligns the Python SDK return types with the Node SDK. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add authorization event and webhook types (#551) * Add authorization event and webhook types Add event and webhook types for organization_role (created, updated, deleted) and permission (created, updated, deleted) to support authorization-related event streaming and webhook delivery. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Distinct type for organization role events * mypy --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * Remove aliasing, format * Format, types --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

csrbarber and others added 2 commits February 13, 2026 10:54

Add authorization environment roles support

a27881c

Add CRUD operations for environment roles including create, list, get, update, set/add permissions on the authorization module. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Use Role union type for list/get organization role endpoints

d7496b7

The list and get organization role endpoints can return both EnvironmentRole and OrganizationRole types. This aligns the Python SDK return types with the Node SDK. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

csrbarber requested a review from a team as a code owner February 13, 2026 15:43

csrbarber requested review from gcarvelli and removed request for a team February 13, 2026 15:43

greptile-apps bot reviewed Feb 13, 2026

View reviewed changes

mattgd approved these changes Feb 17, 2026

View reviewed changes

mattgd reviewed Feb 17, 2026

View reviewed changes

csrbarber merged commit 871b4ea into feature/ent-4799-workos-python-org-roles Feb 17, 2026
8 checks passed

csrbarber deleted the feature/ent-4799-workos-python-env-roles branch February 17, 2026 15:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add authorization environment roles support#550

Add authorization environment roles support#550
csrbarber merged 3 commits intofeature/ent-4799-workos-python-org-rolesfrom
feature/ent-4799-workos-python-env-roles

csrbarber commented Feb 13, 2026

Uh oh!

linear bot commented Feb 13, 2026

Uh oh!

greptile-apps bot commented Feb 13, 2026

Uh oh!

greptile-apps bot left a comment

Uh oh!

mattgd Feb 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

Conversation

csrbarber commented Feb 13, 2026

Description

Documentation

Uh oh!

linear bot commented Feb 13, 2026

Uh oh!

greptile-apps bot commented Feb 13, 2026

Greptile Overview

Greptile Summary

Confidence Score: 5/5

Important Files Changed

Sequence Diagram

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

mattgd Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants