Governance API

The Governance module provides fine-grained access control and compliance features including role-based access control (RBAC), user groups, destination filters, and data access filters.

Endpoint Groups

Group	Description
Roles	System and custom role management
Permissions	Granular permission definitions
Groups	User group management
Members	Group membership management
Destination Filters	Sync-time governance filters
Subsets	Data access restrictions

Roles

Roles define sets of permissions that can be assigned to workspace members or groups. SignalSmith includes three built-in system roles (owner, admin, member) and supports custom roles.

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/roles`	List all roles
`POST`	`/api/v1/workspaces/{id}/roles`	Create a custom role
`GET`	`/api/v1/workspaces/{id}/roles/{roleId}`	Get a role with permissions
`PUT`	`/api/v1/workspaces/{id}/roles/{roleId}`	Update a custom role
`DELETE`	`/api/v1/workspaces/{id}/roles/{roleId}`	Delete a custom role

List Roles

GET /api/v1/workspaces/{id}/roles

[
  {
    "id": "00000000-0000-0000-0000-000000000001",
    "workspace_id": null,
    "name": "owner",
    "description": "Full access to all workspace resources",
    "is_system": true,
    "permissions": ["sources.read", "sources.write", "sources.delete", "..."],
    "created_at": "2024-01-01T00:00:00Z",
    "updated_at": "2024-01-01T00:00:00Z"
  },
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "workspace_id": "660e8400-e29b-41d4-a716-446655440000",
    "name": "data_analyst",
    "description": "Read-only access to models and audiences",
    "is_system": false,
    "permissions": ["sources.read", "models.read", "audiences.read"],
    "created_at": "2024-01-15T09:30:00Z",
    "updated_at": "2024-01-15T09:30:00Z"
  }
]

Create Custom Role

POST /api/v1/workspaces/{id}/roles

Request Body

Field	Type	Required	Description
`name`	string	Yes	Role name (must be unique within workspace)
`description`	string	No	Description of the role’s purpose
`permissions`	array of strings	Yes	Permission keys to grant

{
  "name": "data_analyst",
  "description": "Read-only access to models and audiences",
  "permissions": [
    "sources.read",
    "models.read",
    "audiences.read",
    "traits.read",
    "insights.read"
  ]
}

System Roles

Role	ID	Description
`owner`	`00000000-0000-0000-0000-000000000001`	Full access; can manage billing and workspace settings
`admin`	`00000000-0000-0000-0000-000000000002`	Full access except billing and ownership transfer
`member`	`00000000-0000-0000-0000-000000000003`	Standard access; cannot manage workspace settings

Permissions

Permissions are granular access control strings organized by category.

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/permissions`	List all available permissions

Response

[
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "key": "sources.read",
    "category": "sources",
    "description": "View sources and connection details",
    "created_at": "2024-01-01T00:00:00Z"
  },
  {
    "id": "660e8400-e29b-41d4-a716-446655440000",
    "key": "sources.write",
    "category": "sources",
    "description": "Create and update sources",
    "created_at": "2024-01-01T00:00:00Z"
  }
]

Permission Categories

Category	Permissions	Description
`sources`	`read`, `write`, `delete`	Data warehouse connections
`models`	`read`, `write`, `delete`	SQL models
`destinations`	`read`, `write`, `delete`	Write targets
`syncs`	`read`, `write`, `delete`, `trigger`	Data syncs
`audiences`	`read`, `write`, `delete`	Audience segments
`traits`	`read`, `write`, `delete`	Computed properties
`identity_graphs`	`read`, `write`, `delete`, `trigger`	Identity resolution
`journeys`	`read`, `write`, `delete`, `activate`	Automation workflows
`events`	`read`, `write`, `delete`	Event collection
`loaders`	`read`, `write`, `delete`, `trigger`	Data loaders
`governance`	`read`, `write`	RBAC and compliance
`insights`	`read`	Analytics and monitoring
`workspace`	`read`, `write`, `members`	Workspace settings

Groups

Groups organize workspace members and can be assigned a role that applies to all members.

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/groups`	List all groups
`POST`	`/api/v1/workspaces/{id}/groups`	Create a group
`GET`	`/api/v1/workspaces/{id}/groups/{groupId}`	Get a group
`PUT`	`/api/v1/workspaces/{id}/groups/{groupId}`	Update a group
`DELETE`	`/api/v1/workspaces/{id}/groups/{groupId}`	Delete a group

Create Group

POST /api/v1/workspaces/{id}/groups

{
  "name": "Marketing Team",
  "description": "Marketing department members",
  "role_id": "550e8400-e29b-41d4-a716-446655440000"
}

Group Object

Field	Type	Description
`id`	string (UUID)	Unique identifier
`workspace_id`	string (UUID)	Owning workspace
`name`	string	Group name
`description`	string	Description
`role_id`	string (UUID) or null	Role assigned to group members
`role_name`	string	Name of the assigned role
`member_count`	integer	Number of members in the group
`created_at`	string (ISO 8601)	Creation timestamp
`updated_at`	string (ISO 8601)	Last update timestamp

Members

Manage group membership.

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/groups/{groupId}/members`	List group members
`POST`	`/api/v1/workspaces/{id}/groups/{groupId}/members`	Add a member
`DELETE`	`/api/v1/workspaces/{id}/groups/{groupId}/members/{accountId}`	Remove a member

Add Member

POST /api/v1/workspaces/{id}/groups/{groupId}/members

{
  "account_id": "770e8400-e29b-41d4-a716-446655440000"
}

Group Member Object

Field	Type	Description
`group_id`	string (UUID)	Group ID
`account_id`	string (UUID)	Account ID
`email`	string	Member email
`name`	string	Member name
`avatar_url`	string	Member avatar URL
`created_at`	string (ISO 8601)	When the member was added

Destination Filters

Destination filters are sync-time governance filters that restrict which records can be sent to specific destination types. They act as guardrails to prevent sensitive data from reaching certain platforms.

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/destination-rules`	List all rules
`POST`	`/api/v1/workspaces/{id}/destination-rules`	Create a rule
`GET`	`/api/v1/workspaces/{id}/destination-rules/{ruleId}`	Get a rule
`PUT`	`/api/v1/workspaces/{id}/destination-rules/{ruleId}`	Update a rule
`DELETE`	`/api/v1/workspaces/{id}/destination-rules/{ruleId}`	Delete a rule

Create Destination Rule

POST /api/v1/workspaces/{id}/destination-rules

{
  "name": "GDPR - No EU Customers to Facebook",
  "description": "Prevent EU customer data from being synced to Facebook Ads",
  "parent_model_id": "770e8400-e29b-41d4-a716-446655440000",
  "destination_type": "facebook_ads",
  "filter_tree": {
    "type": "condition",
    "condition_type": "property",
    "column": "country",
    "operator": "not_in",
    "value": ["DE", "FR", "IT", "ES", "NL", "BE", "AT", "SE", "DK", "FI"]
  },
  "enabled": true
}

Destination Rule Object

Field	Type	Description
`id`	string (UUID)	Unique identifier
`workspace_id`	string (UUID)	Owning workspace
`parent_model_id`	string (UUID)	Model the rule applies to
`destination_type`	string	Destination type this rule restricts
`name`	string	Display name
`description`	string	Description
`filter_tree`	object	Filter criteria (same format as audience filters)
`enabled`	boolean	Whether the rule is active
`created_by`	string (UUID)	Account that created the rule
`created_at`	string (ISO 8601)	Creation timestamp
`updated_at`	string (ISO 8601)	Last update timestamp

Access Filters

Access Filters provide data-level access control by restricting which records a user or group can see. They use filter trees (same as audiences) to define visibility boundaries.

Subset Categories

Categories organize access filters into logical groups (e.g., Region, Brand, Business Unit).

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/subset-categories`	List categories
`POST`	`/api/v1/workspaces/{id}/subset-categories`	Create a category
`PUT`	`/api/v1/workspaces/{id}/subset-categories/{catId}`	Update a category
`DELETE`	`/api/v1/workspaces/{id}/subset-categories/{catId}`	Delete a category

Access Filters

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/subsets`	List all subsets
`POST`	`/api/v1/workspaces/{id}/subsets`	Create an access filter
`GET`	`/api/v1/workspaces/{id}/subsets/{subsetId}`	Get an access filter
`PUT`	`/api/v1/workspaces/{id}/subsets/{subsetId}`	Update an access filter
`DELETE`	`/api/v1/workspaces/{id}/subsets/{subsetId}`	Delete an access filter

Create Subset

{
  "name": "US Region",
  "description": "Only US customer records",
  "category_id": "550e8400-e29b-41d4-a716-446655440000",
  "parent_model_id": "770e8400-e29b-41d4-a716-446655440000",
  "filter_tree": {
    "type": "condition",
    "condition_type": "property",
    "column": "country",
    "operator": "equals",
    "value": "US"
  }
}

Subset Assignments

Assign access filters to users or groups to restrict their data visibility.

Method	Path	Description
`GET`	`/api/v1/workspaces/{id}/subset-assignments`	List assignments
`POST`	`/api/v1/workspaces/{id}/subset-assignments`	Create an assignment
`DELETE`	`/api/v1/workspaces/{id}/subset-assignments/{assignmentId}`	Remove an assignment

Create Assignment

{
  "subset_id": "880e8400-e29b-41d4-a716-446655440000",
  "account_id": "990e8400-e29b-41d4-a716-446655440000"
}

Or for a group:

{
  "subset_id": "880e8400-e29b-41d4-a716-446655440000",
  "group_id": "aae8400-e29b-41d4-a716-446655440000"
}

Subset Object

Field	Type	Description
`id`	string (UUID)	Unique identifier
`category_id`	string (UUID)	Parent category
`workspace_id`	string (UUID)	Owning workspace
`parent_model_id`	string (UUID) or null	Model the access filter applies to
`name`	string	Display name
`description`	string	Description
`filter_tree`	object	Filter criteria
`created_by`	string (UUID)	Account that created the access filter
`created_at`	string (ISO 8601)	Creation timestamp
`updated_at`	string (ISO 8601)	Last update timestamp

Loaders Insights