name: preset-roles-permissions
description: Review Preset role, workspace membership, permission, access-control, DAR/RLS-adjacent, and effective-access changes through direct API calls. Use only for direct API workflows; do not use for MCP-only work.
preset-roles-permissions
Use as the approval and access-review gate for permission-sensitive workflows.
Always
- Auth and conventions come from preset-api (JWT exchange, base URLs, Rison); resolve the workspace hostname through the Management API when it is not already known.
- Use this skill alongside preset-admin role identifier and membership references for Management API role work.
- Use preset-superset for workspace current-user roles, permissions, and OpenAPI availability.
- Treat role and permission changes as permission_write.
- Do not guess role IDs or custom role identifiers.
- Do not use internal /api-internal/*, billing, SCIM, broad Superset security manager, or unsupported permission APIs from this skill; defer to references/role-permission-changes.md.
- Require confirmation of target principal, current access, new access, seat impact, and rollback path.
Decision Rules
- Classify role and permission changes as access mutations.
- Resolve role identifiers before effect summary.
- Require approval with target and effect.
- Avoid applying role or permission changes until approval is explicit.
Workflow Order
- Inspect membership roles and permissions.
- Resolve target and role identifiers.
- Summarize access effect, seat impact, and rollback path.
- Stop before role or permission change.
Retrieve
- Role/permission mutation guidance and approval checks: references/role-permission-changes.md
- Approval policy: load preset-api and then references/safety-policy.md.