Migo Docs

Permissions & Roles

RESTRICTED API

Requires partner / operator authorization. See CMS → Home.

The CMS side of RBAC. Same model as the Wallet Gateway, different endpoints and scope. Permissions are modeled as resource + action pairs (not dotted strings).

List CMS modules

There is no GET /app/permissions. To read the available CMS modules (each carrying its permissions), use:

curl https://api.ali.app/cms/rest/app/modules \
  -H "Authorization: Bearer <token>" \
  -H "x-user-token: Bearer <cms-user-token>"

A user's effective permissions are read per user/partner via GET /app/users/{cmsUserId}/partners/{partnerId}/permissions (see CMS users).

Standard CMS permissions

A selection of the built-in resource / action pairs:

Resource              Actions
users                 create, update, list, detail, change_status
bulk-create           create
cardholders           create, update, list, detail, otp
cards-admin           activate, block, unblock, transfer, addFunds, withdrawFunds, detail, otp, balance-account
card-movements        list, detail, revert
balance-management    create, list, cancel, otp
approvals             list, detail, update

Create a permission

The body wraps an array of { resource, action, description? } items in a permissions key:

curl -X POST https://api.ali.app/cms/rest/app/permissions \
  -H "Authorization: Bearer <token>" \
  -H "x-user-token: Bearer <cms-user-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "permissions": [
      { "resource": "finance", "action": "export", "description": "Export monthly finance reports" }
    ]
  }'

Custom permissions must be defined in Migo's codebase to be enforced; create them only in coordination with your Migo account manager.

Assign permissions to CMS users

Use the endpoints in CMS users.

Scope: per-partner

Every grant/revoke entry requires a partnerId: each { permissionId, partnerId } pair scopes the permission to the named partner. The DTO has no optional/global form, so there is no "omit partnerId for global" mode.

Best practices

  • Use roles instead of direct permission grants for anything applied to more than 5 users.
  • Review grants quarterly.
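
A review helper for the per-partner scope rule and the roles guidance above, added here as an example and not part of Migo's code or API. The flat record shape (cmsUserId, permissionId, partnerId), the sample identifiers, and counting distinct users per permissionId across all partners are assumptions.

```python
from collections import defaultdict

ROLE_THRESHOLD = 5  # page guidance: use roles for anything applied to > 5 users


def review_grants(grants, threshold=ROLE_THRESHOLD):
    """Return (unscoped, role_candidates) for a list of direct grants.

    Assumed record shape (not from the Migo API): a dict with
    cmsUserId, permissionId and partnerId.
    """
    unscoped = []                      # entries lacking the mandatory partnerId
    users = defaultdict(set)           # permissionId -> distinct users
    partners = defaultdict(set)        # permissionId -> partners it is scoped to
    for grant in grants:
        if not grant.get("partnerId"):
            unscoped.append(grant)     # no global form exists, so this is a data error
            continue
        users[grant["permissionId"]].add(grant["cmsUserId"])
        partners[grant["permissionId"]].add(grant["partnerId"])
    role_candidates = {
        perm: {"users": sorted(holders), "partners": sorted(partners[perm])}
        for perm, holders in users.items()
        if len(holders) > threshold    # strictly more than the threshold
    }
    return unscoped, role_candidates


# Constructed sample data; every identifier below is made up.
SAMPLE_GRANTS = [
    {"cmsUserId": f"u{i}", "permissionId": "perm-cards-block", "partnerId": "partner-a"}
    for i in range(1, 7)
] + [
    # Same user on a second partner: counted once as a user, twice as a scope.
    {"cmsUserId": "u1", "permissionId": "perm-cards-block", "partnerId": "partner-b"},
    {"cmsUserId": "u2", "permissionId": "perm-approvals-update", "partnerId": "partner-a"},
    {"cmsUserId": "u9", "permissionId": "perm-finance-export", "partnerId": None},
]

if __name__ == "__main__":
    unscoped, candidates = review_grants(SAMPLE_GRANTS)
    for grant in unscoped:
        print("missing partnerId:", grant["cmsUserId"], grant["permissionId"])
    for perm, info in candidates.items():
        print(f"{perm}: {len(info['users'])} direct grants, partners {info['partners']}")
```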

Audit

The webhook event catalog lists audit.permission.granted and audit.permission.revoked. Audit emission is not implemented in the CMS gateway/services audited here; confirm the exact payload with Migo before relying on it.