SpaceRole

Last updated: June 22, 2026

A SpaceRole is a bundle of permissions you grant to a member of a Space. It holds in one resource what a member can do (read, create, edit, delete, publish) to Content Types, Content, and Media, and whether they can reach the Space settings. Filters that narrow the scope of a permission (to only certain Content Types, only what the member created, and so on) are also defined inside the SpaceRole.

A SpaceRole you create applies to nobody on its own. You grant it to a member by putting a Refer to this SpaceRole into the roles of a Space Membership. One member can hold several SpaceRoles at once. A DeliveryAccessToken is also bound to a single least-privilege SpaceRole, which determines the scope that token can deliver.

Resource structure

The following is the single-read response for the SpaceRole "Product Read-only". Together with sys (system properties), it has the body properties that define permissions: contentType, content, media, and settings.

{
  "sys": {
    "id": "3trmXRM3RqbgSnifyg7PLzmhWFANg9",
    "type": "SpaceRole",
    "space": { "sys": { "id": "tcq4V2Xb", "type": "Refer", "targetType": "Space" } },
    "createdBy": { "sys": { "id": "3p4tcFbQRwz503VXdtHXNI5dZH5TVB", "type": "Refer", "targetType": "User" } },
    "createdAt": "2026-06-16T09:53:16.617Z",
    "updatedBy": { "sys": { "id": "3p4tcFbQRwz503VXdtHXNI5dZH5TVB", "type": "Refer", "targetType": "User" } },
    "updatedAt": "2026-06-16T09:53:16.617Z",
    "isLocked": false,
    "version": 1
  },
  "name": "Product Read-only",
  "contentType": { "All": { "Allow": [] } },
  "content": {
    "Read": {
      "Allow": [
        { "contentType": { "sys": { "id": "3trmXRM3RqbgSnifyg7PAmlxvX4fGY", "type": "Refer", "targetType": "ContentType" } } }
      ]
    }
  },
  "media": { "All": { "Allow": [] } },
  "settings": []
}

Key properties:

  • contentType: The permission map for Content Types themselves (the schema). It defines, per action, the permission to read, create, edit, delete, and publish a Content Type.
  • content: The permission map for Content (the content data). The example above limits the role to reading only the Content of one specific Content Type.
  • media: The permission map for Media (files and images).
  • settings: A string array that defines access to Space settings. Full access is ["SETTING_ALL"]; if you grant no settings access at all, it is [].
  • isLocked: When true, this is a role Weegloo provides by default (for example, Administrator), so it cannot be edited or deleted.

System properties (sys)

Every SpaceRole carries common system properties in the sys object. space, createdBy, and updatedBy are in the Refer shape ({ "sys": { "id", "type": "Refer", "targetType" } }).

| Property | Type | Description |
|---|---|---|
| id | string | Unique resource identifier. |
| type | string | Resource kind. For a SpaceRole this is always "SpaceRole". |
| space | Refer<Space> | The Space this SpaceRole belongs to. |
| createdBy | Refer<User> | The user who created it. |
| createdAt | string (date-time) | Creation time. |
| updatedBy | Refer<User> | The user who last updated it. |
| updatedAt | string (date-time) | Last update time. |
| isLocked | boolean | When true, this is a default-provided role and cannot be edited or deleted. Roles you create yourself are false. |
| version | integer (≥1) | Resource version. It increases by 1 with every change. |

A SpaceRole is a settings resource with no publishing concept. So unlike Content and Media, its sys has no publish, archive, or status, only version. The version increases each time you update the SpaceRole.

Permission maps: contentType, content, media

contentType, content, and media are each a map keyed by action. The actions are Read, Create, Edit, Delete, and Publish, plus All, which refers to every action at once. The value of each action is an object holding Allow and Deny arrays of rules.

"content": {
  "Read":   { "Allow": [ /* rule */ ], "Deny": [ /* rule */ ] },
  "Edit":   { "Allow": [ /* rule */ ] }
}

Each rule object has optional filters that narrow the permission's scope.

  • contentType: Limits the rule to a single specific Content Type. You put in a Refer that points to a Content Type.
  • createdBy: Limits to only resources created by a specific user. Put a specific user id in sys.id to limit to what that person created, or the reserved value :self to limit to "only what the user making the current call created".
  • tag: Limits to only resources carrying a specific Tag.

An empty Allow array [] means the action is allowed across the entire kind. Because the filter is empty there is nothing to filter out, so the action is open to all resources.

Example 1: Administrator (full permissions, provided by default)

The Administrator role gives an empty Allow to the All action of contentType, content, and media to allow everything, and gives ["SETTING_ALL"] to settings to reach all Space settings. Because Weegloo provides this role by default, its sys.isLocked is true and it cannot be edited or deleted.

{
  "sys": {
    "id": "3trmXRM3RqbgSnifyg7PAlm4FWTPQ8",
    "type": "SpaceRole",
    "space": { "sys": { "id": "tcq4V2Xb", "type": "Refer", "targetType": "Space" } },
    "createdBy": { "sys": { "id": "_", "type": "Refer", "targetType": "User" } },
    "createdAt": "2026-06-14T14:56:04.737Z",
    "updatedBy": { "sys": { "id": "_", "type": "Refer", "targetType": "User" } },
    "updatedAt": "2026-06-14T14:56:04.737Z",
    "isLocked": true,
    "version": 1
  },
  "name": "Administrator",
  "description": "Members of this role have full access to everything in this space.",
  "contentType": { "All": { "Allow": [] } },
  "content": { "All": { "Allow": [] } },
  "media": { "All": { "Allow": [] } },
  "settings": ["SETTING_ALL"]
}

Example 2: Read-only (one specific Content Type)

This is an example of a least-privilege role you create yourself. It puts a rule only on the Read action of content, and limits that rule to one specific Content Type with the rule's contentType filter. The Content Type itself and Media are left open with All and an empty Allow, but for the content data only reading that one kind is possible. Because settings is [], it cannot reach Space settings. Bind this role to a DeliveryAccessToken and the delivery token will read only that scope. The JSON of this role is the same as "Product Read-only" in Resource structure above.
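An added example, not Weegloo's own code: a small auditor that reads a SpaceRole body and separates actions opened by an empty Allow from actions narrowed by a filter, run against the two role bodies shown on this page (sys omitted). The function name audit_role and the report keys are assumptions; Deny rules are only flagged, because the page does not state how they combine with Allow.

```python
import json

KINDS = ("contentType", "content", "media")    # permission maps named on the page
FILTERS = ("contentType", "createdBy", "tag")  # filter keys named on the page

def audit_role(role):
    """Return what a SpaceRole grants, separating open grants from filtered ones."""
    report = {"unrestricted": [], "scoped": [], "has_deny": [],
              "settings_all": "SETTING_ALL" in role.get("settings", [])}
    for kind in KINDS:
        for action, entry in role.get(kind, {}).items():
            label = f"{kind}.{action}"
            allow = entry.get("Allow")
            if allow == []:
                # Page semantics: an empty Allow opens the action to the whole kind.
                report["unrestricted"].append(label)
            for rule in allow or []:
                used = sorted(k for k in FILTERS if k in rule)
                report["scoped"].append((label, used))
            if entry.get("Deny"):
                # Deny handling is not described on the page; only flag its presence.
                report["has_deny"].append(label)
    return report

# Role bodies copied from the page's examples, with sys left out.
PRODUCT_READ_ONLY = json.loads("""{
  "name": "Product Read-only",
  "contentType": { "All": { "Allow": [] } },
  "content": { "Read": { "Allow": [
    { "contentType": { "sys": { "id": "3trmXRM3RqbgSnifyg7PAmlxvX4fGY",
                                "type": "Refer", "targetType": "ContentType" } } }
  ] } },
  "media": { "All": { "Allow": [] } },
  "settings": []
}""")
ADMINISTRATOR = json.loads("""{
  "name": "Administrator",
  "contentType": { "All": { "Allow": [] } },
  "content": { "All": { "Allow": [] } },
  "media": { "All": { "Allow": [] } },
  "settings": ["SETTING_ALL"]
}""")

if __name__ == "__main__":
    for role in (PRODUCT_READ_ONLY, ADMINISTRATOR):
        print(role["name"], json.dumps(audit_role(role), indent=2))
```

For "Product Read-only" the report lists contentType.All and media.All as unrestricted and content.Read as scoped by contentType, which is the scope a DeliveryAccessToken bound to that role would inherit.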

settings (Space settings access)

settings is not a permission map but a string array. It controls access to Space settings: full access is ["SETTING_ALL"], and you leave it [] to grant no access.

The action list (Read, Create, Edit, Delete, Publish, All), the filter keys (contentType, createdBy, tag), and the meaning of :self follow the weegloo-space-role permission-rule definition.

API

The base URL for all endpoints below is https://cma.weegloo.com/v1, and a Bearer token that authenticates against CMA is required in the Authorization header. Role updates (PUT, PATCH) must also send the X-Weegloo-Version header, set to the current resource's sys.version, for optimistic concurrency control. Create and delete requests do not take this header. Default-provided roles whose sys.isLocked is true cannot be edited or deleted.