Manage Role Lifecycle

# Rename to indicate deprecated

PUT /authz/api/v1/roles/role-old

{

  "name": "DEPRECATED-old-role-name",

  "description": "Deprecated - Use new-role-name instead"

}

​

# Remove new assignments

# (existing users keep it until migrated)

# For each user with old role:

PUT /admin/api/remove-assigned-client-roles

{

  "userId": "user-XXX",

  "roles": ["DEPRECATED-old-role-name"]

}

​

PUT /admin/api/assign-client-roles

{

  "userId": "user-XXX",

  "roles": ["new-role-name"]

}

# Only after all users migrated

DELETE /authz/api/v1/roles/role-old

# 1. List all roles

GET /authz/api/v1/roles

​

# 2. Check usage of each role

GET /authz/api/v1/roles/role-XXX

# Look at assignedTo count

​

# 3. Identify:

# - Unused roles (0 assignments)

# - Deprecated roles (should be removed)

# - Overlapping roles (consolidate)