Assign new default role without enabling access to all projects?

Hi everyone,

I would like to use the Python SDK to change a user’s default role without modifying their project access. At the start, their default role is “Labeler” and they only have access to 21 out of 44 total projects. Here is the code I’m using to change their role:

my_user = [
    u for u in client.get_users() 
    if u.email == 'rszeto+labeler@safely-you.com'
][0]

my_user_projects = [p for p in my_user.projects()]
print(len(my_user_projects))  # 21

target_role = client.get_roles()['REVIEWER']
my_user.update_org_role(target_role)

my_user_projects = [p for p in my_user.projects()]
print(len(my_user_projects))  # 44

After running the code above, they are now able to access all projects, as verified by printing their project count via the Python SDK and by checking the website:

Is there a way to update their default role without also giving them access to all projects? I am using version 5.1.0 of the Python SDK. Thanks in advance!

2 Likes

So the code you are using is meant to update the user role at the organization level, hence the name update_org_role. For project-based users, the role at the organization level would need to be None.
To update a user’s role at the project level, please use upsert_project_role.
Reference: User — Python SDK reference 6.1.0 documentation
This would need to be done for every project the user is allocated to.

Hope this helps!

Oh and you might have some error saying your user has access to all project, you may need to enforce the project assignment at the organisation level first.
Here is my experiment.

my_user = [u for u in client.get_users() 
    if u.email == 'test_xxx@labelbox.com'][0]

check_user_org_role = client.get_user()

target_role_org = client.get_roles()['NONE']
my_user.update_org_role(target_role_org)

target_role_project = client.get_roles()['REVIEWER']

for projects in my_user_projects:
    my_user.upsert_project_role(projects, target_role)

Hi ptancre,

Thanks for your reply. How exactly does the organization-level role relate to the default role and the “use this role for all projects” flag? It seems like it should be possible to change the default role and the flag independently via the SDK, but the organization-level role doesn’t seem to have any notion of the flag. Does the user having an organization role imply that they also have access to all projects? If so, this contradicts the options presented in the web UI.

For more context, I am generally interested in using the SDK to manage user permissions at the project level, but I don’t want the default role and flag in the web UI to change as a side effect. For example, suppose I updated the above user’s default role to “Reviewer” and unchecked the flag via the web UI:

Then I adapt your code to add them to a specific project as a reviewer:

my_user = [u for u in client.get_users() 
    if u.email == 'rszeto+labeler@safely-you.com'][0]

check_user_org_role = client.get_user()

target_role_org = client.get_roles()['NONE']
my_user.update_org_role(target_role_org)

target_role_project = client.get_roles()['REVIEWER']

for projects in my_user_projects:
    my_user.upsert_project_role(projects, target_role)

This results in their default role in the web UI becoming “Labeler”, not “Reviewer”. I could revert their default role to “Reviewer” per my original post, but this would also check the “Use this role for all projects” flag, which is undesired.

So to rephrase my original question, is there a way to use the SDK to change the default role without affecting the flag?

Sorry for the long post; hope this helps clear up my question.

Organisation role implies that they will have access to ALL projects (so you tick the box on the UI).
So using update_org_role will tick the box except if you are choosing None in that case you defer to the project level roles so upsert_project_role will allocated a user to project.

Got it. In that case, I’ll just ignore the default role in the web UI and manage project-level roles through the SDK based on your code. Thanks!

1 Like

Organisation role implies that they will have access to ALL projects (so you tick the box on the UI).
So using update_org_role will tick the box except if you are choosing None in that case you defer to the project level roles so upsert_project_role will allocated a user to project.