User Roles and Permissions

Connected accounts can have different roles that control what they can do in the embedded map. This guide explains the available roles and how to manage them.

Available Roles

Role

Description

USER

View-only access. Cannot edit parcel geometries or manage resources.

TECHNICIAN

Can view and edit parcel geometries in the embedded map.

COMPANY_ADMIN

Full access to view, edit, and manage all resources.

Permissions by Role

Action

USER

TECHNICIAN

COMPANY_ADMIN

View parcels

Yes

View satellite imagery

Yes

Edit parcel geometries

Yes

Delete parcels

Yes

Manage account settings

Yes

Use Case: Preventing Geometry Edits

A common requirement is to prevent end users from editing parcel geometries in the embedded map - especially when you want to maintain control over the data from your backend system.

Solution: Assign the USER role to accounts that should only view data.

When an account has the USER role:

The edit and delete buttons are not shown in the embedded map
Users can view all parcels and satellite imagery
Any geometry changes must be done through your backend via the API

Checking an Account's Role

Retrieve account details to see the current role:

curl https://app.graniot.com/api/accounts/acc-52a220de-73e9-11ee-8cc3-0242ac130002/ \
  -H 'x-api-key: YOUR_API_KEY'

import requests

GRANIOT_API_ENDPOINT = 'https://app.graniot.com/api/'
HEADERS = {
    'x-api-key': 'YOUR_API_KEY'
}

account_id = 'acc-52a220de-73e9-11ee-8cc3-0242ac130002'
response = requests.get(f'{GRANIOT_API_ENDPOINT}accounts/{account_id}/', headers=HEADERS)
account = response.json()
print(f"Current role: {account.get('role', 'Not set')}")

Changing Account Roles

Use the set_role endpoint to change an account's role:

POST /api/accounts/{account_id}/set_role/

# Set to USER (view-only)
curl https://app.graniot.com/api/accounts/acc-52a220de-73e9-11ee-8cc3-0242ac130002/set_role/ \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: YOUR_API_KEY' \
  -d '{"role": "USER"}'

# Set to TECHNICIAN (can edit)
curl https://app.graniot.com/api/accounts/acc-52a220de-73e9-11ee-8cc3-0242ac130002/set_role/ \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: YOUR_API_KEY' \
  -d '{"role": "TECHNICIAN"}'

import requests

GRANIOT_API_ENDPOINT = 'https://app.graniot.com/api/'
HEADERS = {
    'Content-Type': 'application/json',
    'x-api-key': 'YOUR_API_KEY'
}

account_id = 'acc-52a220de-73e9-11ee-8cc3-0242ac130002'

# Set to USER (view-only)
response = requests.post(
    f'{GRANIOT_API_ENDPOINT}accounts/{account_id}/set_role/',
    headers=HEADERS,
    json={'role': 'USER'}
)

# Set to TECHNICIAN (can edit)
response = requests.post(
    f'{GRANIOT_API_ENDPOINT}accounts/{account_id}/set_role/',
    headers=HEADERS,
    json={'role': 'TECHNICIAN'}
)

License Requirements

Changing roles may require available licenses:

Upgrading from USER to TECHNICIAN requires an available technician license
The system will check license availability before making the change
If no licenses are available, the request will fail with an error

If you receive a license error when changing roles, contact Graniot support to review your license allocation.

Default Role for New Accounts

When you create a new connected account via the API, the default role depends on your organization's settings. If you need accounts to start with a specific role, call set_role immediately after creation:

# Create account
response = requests.post(f'{GRANIOT_API_ENDPOINT}accounts/', headers=HEADERS, json={'account_email': '[email protected]'})
account = response.json()

# Immediately set to USER role (view-only)
requests.post(
    f'{GRANIOT_API_ENDPOINT}accounts/{account["id"]}/set_role/',
    headers=HEADERS,
    json={'role': 'USER'}
)

Integration Pattern: Read-Only Embedded Maps

For integrations where users should only view data (no editing):

Create connected accounts via API
Set each account to USER role
Provide the embedded URL to your frontend
Handle all data modifications through your backend using the API

def create_readonly_account(email):
    """Create a connected account with view-only access."""

    # Create the account
    response = requests.post(
        f'{GRANIOT_API_ENDPOINT}accounts/',
        headers=HEADERS,
        json={'account_email': email}
    )
    account = response.json()

    # Set to USER role (view-only)
    requests.post(
        f'{GRANIOT_API_ENDPOINT}accounts/{account["id"]}/set_role/',
        headers=HEADERS,
        json={'role': 'USER'}
    )

    return account

Troubleshooting

"License not available" error

This occurs when trying to upgrade to a role that requires more licenses than you have available.

Solution: Contact Graniot support to purchase additional licenses or downgrade other accounts.

Role change not taking effect

If a user still sees edit controls after changing their role:

Have the user refresh their browser
Clear browser cache
Verify the embedded URL token has been refreshed (tokens cache role information)

Cannot change role

If you cannot change an account's role:

Verify you're using the correct API key with appropriate permissions
Check that the account ID is correct
Ensure the account is active (not deactivated)

PreviousParcel Metadata NextSatellite Data Overview

Last updated 2 hours ago

hashtagAvailable Roles

hashtagPermissions by Role

hashtagUse Case: Preventing Geometry Edits

hashtagChecking an Account's Role

hashtagChanging Account Roles

hashtagLicense Requirements

hashtagDefault Role for New Accounts

hashtagIntegration Pattern: Read-Only Embedded Maps

hashtagTroubleshooting

hashtag"License not available" error

hashtagRole change not taking effect

hashtagCannot change role