Manage Roles and Sharing with Reis (Flag Mode)

Create custom roles, assign members to roles, and share individual resources directly from the command line.

Updated 5 Jul 2026

List roles

reis role:list

Shows each role's handle, name, whether it is a system role, and how many permission grants it has. Alias: reis roles.

Show a role

reis role:show deployer

Accepts a role handle or UUID. Prints the role's details and its full permission matrix.

Create a custom role

reis role:create \
  --name "Deployer" \
  --description "Manage containers; read-only on credentials" \
  --permission project:deployables_container_http:create \
  --permission project:deployables_container_http:update \
  --permission project:deployables_container_http:delete \
  --permission organisation:attachables_registries:read

Each --permission (short: -p) is one grant in the form level:resource:action:

  • level — organisation or project.
  • resource — a resource kind, e.g. deployables_container_http, attachables_registries, deployables_memcached, billing, user.
  • action — create, read, update, or delete.

The handle is generated from the name and is immutable.

Update a role

reis role:update deployer \
  --name "Container Deployer" \
  --permission project:deployables_container_http:create \
  --permission project:deployables_container_http:update

Passing --permission replaces the whole permission set. System roles cannot be updated.
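
Because --permission replaces the whole set, it helps to see which grants an update would remove before running it. The script below is an added example, not part of the Reis documentation or tooling: the function names, the one-grant-per-line file layout and the resource-name pattern are this example's own assumptions, and it prints the command instead of running it.

```shell
#!/bin/sh
# Grant files hold one level:resource:action per line; '#' starts a comment.
# This file layout is an assumption of the example, not a Reis format.

# valid_grant GRANT: succeed only for a well-formed grant. The resource
# pattern is assumed from the resource kinds the page lists.
valid_grant() {
  printf '%s\n' "$1" | grep -Eq \
    '^(organisation|project):[a-z][a-z0-9_]*:(create|read|update|delete)$'
}

# clean_grants FILE: print sorted, de-duplicated grants; fail on a bad one.
clean_grants() {
  [ -r "$1" ] || return 1
  grep -Ev '^[[:space:]]*(#|$)' "$1" | sort -u | ( while IFS= read -r g; do
    valid_grant "$g" || { echo "invalid grant: $g" >&2; exit 1; }
    printf '%s\n' "$g"
  done )
}

# dropped_grants CURRENT NEW: grants that role:update would remove, because
# --permission replaces the whole set rather than adding to it.
dropped_grants() {
  cur=$(clean_grants "$1") && new=$(clean_grants "$2") || return 1
  [ -n "$cur" ] || return 0
  printf '%s\n' "$cur" | grep -Fxv -e "$new" || true
}

# update_cmd ROLE FILE: print the role:update command with every grant in FILE.
update_cmd() {
  grants=$(clean_grants "$2") || return 1
  [ -n "$grants" ] || { echo "refusing empty grant set" >&2; return 1; }
  printf 'reis role:update %s' "$1"
  for g in $grants; do printf ' --permission %s' "$g"; done
  printf '\n'
}

# Constructed sample: the grants from the create and update examples above.
demo=$(mktemp -d)
p=project:deployables_container_http
printf '%s\n' "${p}:create" "${p}:update" "${p}:delete" \
  organisation:attachables_registries:read > "$demo/current.grants"
printf '%s\n' "${p}:create" "${p}:update" > "$demo/new.grants"
echo "Would be removed:"; dropped_grants "$demo/current.grants" "$demo/new.grants"
update_cmd deployer "$demo/new.grants"
```

Run against the two examples on this page, it reports that the update would remove the container delete grant and the registry read grant.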

Delete a role

reis role:delete deployer

Run the command with no extra options to be prompted for confirmation, or pass --no-interaction in scripts. A role cannot be deleted while it is still assigned to members. System roles cannot be deleted.

Assign a member to a role

# Organisation-wide
reis role:assign --user <user-id> --role deployer
 
# Within a single project
reis role:assign --user <user-id> --role deployer --project <project-id>

The owner role cannot be assigned — use ownership transfer in the console instead.

Share a specific resource

Sharing gives one member direct access to a single instance, on top of their role. It is additive — it never removes access.

# Share one container with a member, read + update
reis share:create \
  --user <user-id> \
  --resource-type deployables_container_http \
  --resource-id <container-id> \
  --permission read \
  --permission update

List who a resource is shared with:

reis share:list --resource-type deployables_container_http --resource-id <container-id>

Revoke a share by its grant ID (from share:list):

reis share:delete <grant-id>
