Manage Roles and Sharing with Reis (Flag Mode)
Create custom roles, assign members to roles, and share individual resources directly from the command line.
Create custom roles, assign members to roles, and share individual resources directly from the command line.
List roles
reis role:listShows each role's handle, name, whether it is a system role, and how many permission grants it has. Alias: reis roles.
Show a role
reis role:show deployerAccepts a role handle or UUID. Prints the role's details and its full permission matrix.
Create a custom role
reis role:create \
--name "Deployer" \
--description "Manage containers; read-only on credentials" \
--permission project:deployables_container_http:create \
--permission project:deployables_container_http:update \
--permission project:deployables_container_http:delete \
--permission organisation:attachables_registries:readEach --permission (short: -p) is one grant in the form level:resource:action:
- level —
organisationorproject. - resource — a resource kind, e.g.
deployables_container_http,attachables_registries,deployables_memcached,billing,user. - action —
create,read,update, ordelete.
The handle is generated from the name and is immutable.
Update a role
reis role:update deployer \
--name "Container Deployer" \
--permission project:deployables_container_http:create \
--permission project:deployables_container_http:updatePassing --permission replaces the whole permission set. System roles cannot be updated.
Delete a role
reis role:delete deployerAdd nothing to be prompted for confirmation, or run with --no-interaction in scripts. A role cannot be deleted while it is still assigned to members. System roles cannot be deleted.
Assign a member to a role
# Organisation-wide
reis role:assign --user <user-id> --role deployer
# Within a single project
reis role:assign --user <user-id> --role deployer --project <project-id>The owner role cannot be assigned — use ownership transfer in the console instead.
Share a specific resource
Sharing gives one member direct access to a single instance, on top of their role. It is additive — it never removes access.
# Share one container with a member, read + update
reis share:create \
--user <user-id> \
--resource-type deployables_container_http \
--resource-id <container-id> \
--permission read \
--permission updateList who a resource is shared with:
reis share:list --resource-type deployables_container_http --resource-id <container-id>Revoke a share by its grant ID (from share:list):
reis share:delete <grant-id>