Update request form permissions

Updates the access control permissions for a request form, determining which users or groups can view, use, or manage the form when creating and submitting requests. This endpoint modifies the permission configuration by specifying user IDs and their granted permission levels, enabling form owners and administrators to control form visibility and usage within the workspace. Use this endpoint to grant access to new users when expanding a team, revoke access when users change roles or leave programs, or adjust permission levels when responsibility shifts occur. The operation replaces the entire permission set with the provided configuration, so include all users who should retain access along with any new additions. Permissions control whether users can see the form in their available forms list, use it to create requests, or modify the form definition itself. This is essential for implementing role-based access control, ensuring sensitive request forms are only accessible to authorized personnel, and managing form lifecycle as organizational needs evolve.

Key Features:

  • Replace entire permission set with new user access configuration for complete control
  • Grant or revoke access for individual users or groups using user identifiers
  • Control form visibility in user interfaces and form selection dropdowns
  • Manage who can create requests using the form versus who can modify form structure
  • Implement role-based access control for sensitive or restricted request workflows

Typical Use Cases:

  1. Grant Team Access: When onboarding new team members to a program, call POST /v2/spaces/w5PmrE9p0kicqqRSVJ3VBQ/forms/yS86zRG7smz7NVwdUEyJSj/permission with a PermissionRequest containing the existing user IDs plus new team member IDs to grant them form access for creating requests.
  2. Revoke Departed User Access: When a team member leaves the program, call this endpoint with a PermissionRequest excluding their user ID to remove their access to the form, ensuring they can no longer see or use it for creating requests.
  3. Restrict Sensitive Form: For confidential request forms (HR requests, executive approvals), call this endpoint to limit access to a small set of authorized user IDs, preventing unauthorized users from viewing the form or creating requests with it.
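
Because the submitted lists replace the stored ones, a request built from a stale or partial list silently revokes access. The sketch below is an added example, not vendor code: it derives the full replacement body from the last-known permission set plus explicit additions and removals, reports who would lose access, and refuses a set that empties the form (the rule listed under Authorization Logic). The host, token, form ID and user/group IDs are placeholders; the shape of `current` and the bearer-token header are assumptions.

```python
import json
import re
from urllib.parse import quote
from urllib.request import Request

# Assumption: space IDs use the base64url alphabet; the page only states length 7-22.
SPACE_ID = re.compile(r"[A-Za-z0-9_-]{7,22}")


def plan_permission_update(current, add_users=(), remove_users=(),
                           add_groups=(), remove_groups=()):
    """Return (body, revoked) for a full-replacement permission update.

    `current` is the permission set as last read, keyed like the request body
    (assumed shape; the page does not show the response field names).
    """
    old_users = set(current.get("allowedUserIds", []))
    old_groups = set(current.get("allowedUserGroupIds", []))
    users = (old_users | set(add_users)) - set(remove_users)
    groups = (old_groups | set(add_groups)) - set(remove_groups)
    if not users and not groups:
        # Never submit a set that locks everyone out of the form.
        raise ValueError("update would remove every user and group from the form")
    body = {"allowedUserIds": sorted(users), "allowedUserGroupIds": sorted(groups)}
    # Review before sending: only the explicit removals should appear here.
    revoked = {"users": sorted(old_users - users), "groups": sorted(old_groups - groups)}
    return body, revoked


def build_request(base_url, space_id, form_id, token, body):
    """Build (but do not send) the POST described on this page."""
    if not SPACE_ID.fullmatch(space_id):
        raise ValueError("space_id must be 'default' or a 7-22 character identifier")
    url = f"{base_url}/v2/spaces/{space_id}/forms/{quote(form_id, safe='')}/permission"
    return Request(url, data=json.dumps(body).encode(), method="POST", headers={
        "Authorization": f"Bearer {token}",  # assumption: JWT sent as a bearer token
        "Content-Type": "application/json",
    })


# Constructed sample data: every ID below is made up for illustration.
current = {"allowedUserIds": ["u-alice", "u-bob"], "allowedUserGroupIds": ["g-hr"]}
body, revoked = plan_permission_update(current, add_users=["u-carol"], remove_users=["u-bob"])
req = build_request("https://api.example.invalid", "default",
                    "FORM_ID_PLACEHOLDER", "JWT_PLACEHOLDER", body)
```

Logging `revoked` alongside the caller's identity gives an audit trail of every access removal made through this endpoint.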

Expected Response:

Returns 200 OK with the updated RequestForm object including the new permission configuration, confirming which users now have access and their permission levels. The response shows the complete form definition with updated permission metadata.

Authorization Logic:

  1. User must have a valid JWT token with the manage scope (seismic.programs.manage)
  2. User must have permission to manage the specified form (typically form creator or space administrator)
  3. User must have access to the space containing the form
  4. All user IDs specified in the permission request must be valid users in the system
  5. Cannot remove all permissions including your own (must retain at least one admin)

Path Params

string
required
length between 7 and 22

The unique identifier of the space containing the target entity. This determines the scope of entity queries and ensures proper access control. The space must be accessible to the authenticated user with appropriate permissions. It can be the unique identifier (GUID) of the space or the word "default" to indicate the default programs space. Common values include "default" and "rkr83lapKkyCJuLLWqLqzB".

string
required

The ID of the request form.

Body Params

Permissions for the form.

allowedUserIds
array of strings

Array of unique user identifiers (in base64url or GUID format) representing individual users who should be granted access to the workspace. Each user ID must reference a valid user account in the organization's user directory. Use when creating or updating space permissions to specify which individual users should have access. Submitted values replace existing user permissions (not additive). Users in this list will be able to view, create, and manage programs, tasks, and requests within the space, subject to their assigned roles and scopes. Can be an empty array to revoke all individual user permissions while maintaining group-based access.

allowedUserGroupIds
array of strings

Array of unique user group identifiers (in base64url or GUID format) representing organizational groups whose members should be granted access to the workspace. Each group ID must reference a valid user group configured in the organization's directory system. Use when creating or updating space permissions to specify which groups should have access. Submitted values replace existing group permissions (not additive). All members of included groups will inherit space access permissions. This provides scalable access management as group membership changes, without requiring individual permission updates. Can be an empty array to revoke all group-based permissions while maintaining individual user access.
