
Users API

Manage tenant users, roles, and the current authenticated user.

Base permission: IsAdminOrAbove (user management), authenticated (current user)

Endpoints

| Method | Path | Description | Permission |
|--------|------|-------------|------------|
| GET | /users | List users | IsAdminOrAbove |
| GET | /users/{id} | Get user | IsAdminOrAbove |
| PUT | /users/{id} | Update user | IsAdminOrAbove |
| POST | /users/{id}/deactivate | Deactivate user | IsTenantAdmin |
| POST | /users/assign-role | Assign tenant role | IsTenantAdmin |
| POST | /users/remove-role | Remove tenant role | IsTenantAdmin |
| GET | /users/me | Get current user + permissions | Authenticated |

List Users

GET /api/v1/users?sort=["email","ASC"]&range=[0,24]

Response:

[
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "admin@acme.com",
    "first_name": "Admin",
    "last_name": "User",
    "tenant_role": "admin",
    "is_active": true,
    "date_joined": "2026-01-01T00:00:00Z",
    "last_login": "2026-01-15T14:30:00Z"
  }
]

Update User

PUT /api/v1/users/{id}
{
  "first_name": "Admin",
  "last_name": "User",
  "is_active": true
}

Deactivate User

POST /api/v1/users/{id}/deactivate

Sets is_active = false, preventing login.

Assign Role

POST /api/v1/users/assign-role
{
  "user_id": "550e8400-e29b-41d4-a716-446655440000",
  "tenant_role": "loan_officer"
}

Remove Role

POST /api/v1/users/remove-role
{
  "user_id": "550e8400-e29b-41d4-a716-446655440000"
}

Sets tenant_role to null (no permissions).

Tenant Roles

| Role | Description |
|------|-------------|
| viewer | Read-only access to all resources |
| collector | Viewer + collection actions, cases, interactions |
| loan_officer | Collector + loan origination, servicing, borrower management |
| admin | Loan officer + user management, program configuration, GL operations |
| superadmin | Full access to all operations including tenant configuration |

Roles are hierarchical: each role includes all permissions from lower roles.

Current User

Get Current User

Returns the authenticated user with their tenant role and RBAC permissions. The admin dashboard and borrower portal use this endpoint to decide which UI elements to show; access to each endpoint is still enforced server-side by the permission classes listed in the endpoint table, regardless of what the client hides.

GET /api/v1/users/me

Response:

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "email": "admin@acme.com",
  "first_name": "Admin",
  "last_name": "User",
  "tenant_role": "loan_officer",
  "permissions": [
    {"action": "list", "resource": "borrowers"},
    {"action": "show", "resource": "borrowers"},
    {"action": "create", "resource": "borrowers"},
    {"action": "edit", "resource": "borrowers"},
    {"action": "list", "resource": "loans"},
    {"action": "show", "resource": "loans"},
    {"action": "create", "resource": "loans"},
    {"action": "approve", "resource": "loans"},
    {"action": "disburse", "resource": "loans"},
    {"type": "deny", "action": "show", "resource": "borrowers", "record": {"ssn": true}}
  ]
}

Permission Format

Permissions follow the react-admin RBAC format:

| Format | Meaning |
|--------|---------|
| {"action": "list", "resource": "loans"} | Can list loans |
| {"action": "*", "resource": "*"} | Superadmin wildcard |
| {"type": "deny", "action": "show", "resource": "borrowers", "record": {"ssn": true}} | Deny SSN field access |
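The following is an added example, not code from this project or from react-admin, showing how a client could evaluate a permission array of this shape: exact or "*" wildcard matching on action and resource, with any matching deny overriding every allow. It assumes that the keys of a deny rule's `record` clause name the fields being denied (so `{"ssn": true}` hides `ssn`), and that a deny rule without a `record` clause blocks the whole resource.

```python
"""Evaluate react-admin style RBAC permission arrays (added example)."""

# Constructed sample: the array a loan_officer might receive from /users/me
LOAN_OFFICER_PERMISSIONS = [
    {"action": "list", "resource": "borrowers"},
    {"action": "show", "resource": "borrowers"},
    {"action": "create", "resource": "borrowers"},
    {"action": "edit", "resource": "borrowers"},
    {"action": "list", "resource": "loans"},
    {"action": "show", "resource": "loans"},
    {"action": "approve", "resource": "loans"},
    {"type": "deny", "action": "show", "resource": "borrowers", "record": {"ssn": True}},
]

SUPERADMIN_PERMISSIONS = [{"action": "*", "resource": "*"}]


def _matches(rule, action, resource):
    """A rule matches when action and resource are equal or the rule uses '*'."""
    return rule["action"] in (action, "*") and rule["resource"] in (resource, "*")


def can_access(permissions, action, resource, field=None):
    """Deny-overrides evaluation of a permission array.

    Assumption: a deny rule's `record` keys are the denied field names, so
    such a rule only applies when `field` is one of them; a deny rule with no
    `record` clause denies the whole resource for that action.
    """
    allowed = False
    for rule in permissions:
        if not _matches(rule, action, resource):
            continue
        if rule.get("type") == "deny":
            denied_fields = rule.get("record")
            if denied_fields is None or (field is not None and denied_fields.get(field)):
                return False  # a matching deny wins regardless of allows
        else:
            allowed = True
    return allowed


def visible_fields(permissions, action, resource, fields):
    """Filter a field list down to the ones the caller may see (e.g. for a show view)."""
    return [f for f in fields if can_access(permissions, action, resource, f)]
```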

Permission Sources

Three sources are merged to produce the final permission array:

  1. Tenant role mapping --- Defined in common/rbac.py
  2. Django auth permissions --- From Group and Permission assignments
  3. Object-level grants --- From django-guardian (per-object access)

See Also