You can remove the permissions assigned to a role using the Dashboard or the Management API. The assigned permissions and roles are used with the API Authorization Core feature set.

Prerequisite

For role-based access control (RBAC) to work properly, you must enable it for your API using either the Dashboard or the Management API. The Authorization Core functionality is different from the Authorization Extension. For a comparison, read Authorization Core vs. Authorization Extension.

Dashboard

  1. Go to Dashboard > User Management > Roles and click the name of the role to view.
  2. Click the Permissions view, then click the trashcan icon next to the permission you want to remove, and confirm.

Management API

Make a DELETE call to the Delete Role Permissions endpoint. Be sure to replace the ROLE_ID, MGMT_API_ACCESS_TOKEN, API_ID, and PERMISSION_NAME placeholder values with your role ID, Management API Access Token, API ID(s), and permission name(s), respectively.
curl --request DELETE \
  --url 'https://{yourDomain}/api/v2/roles/ROLE_ID/permissions' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --data '{ "permissions": [ { "resource_server_identifier": "API_ID", "permission_name": "PERMISSION_NAME" }, { "resource_server_identifier": "API_ID", "permission_name": "PERMISSION_NAME" } ] }'

| Value | Description |
| --- | --- |
| ROLE_ID | The ID of the role for which you want to remove permissions. |
| MGMT_API_ACCESS_TOKEN | Access Token for the Management API with the scope update:roles. |
| API_ID | ID(s) of the API(s) associated with the permission(s) you would like to remove for the specified role. |
| PERMISSION_NAME | Name(s) of the permission(s) you would like to remove for the specified role. |
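
A scripted version of the call above that also re-reads the role to confirm the permissions are gone. This is an added example, not Auth0's own code: it assumes the Get Role Permissions endpoint (GET on the same path, read:roles scope, page and per_page parameters), and the helper names and sample values are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import quote

def _call(req):
    # Send the request and decode the JSON body (an empty body gives None).
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def _url(domain, role_id):
    return f"https://{domain}/api/v2/roles/{quote(role_id, safe='')}/permissions"

def build_delete_request(domain, role_id, token, permissions):
    """Build the DELETE call; permissions is a list of (API_ID, PERMISSION_NAME)."""
    if not permissions:
        raise ValueError("refusing to send an empty permissions list")
    payload = {"permissions": [
        {"resource_server_identifier": api_id, "permission_name": name}
        for api_id, name in permissions
    ]}
    return urllib.request.Request(
        _url(domain, role_id), data=json.dumps(payload).encode(), method="DELETE",
        headers={"authorization": f"Bearer {token}",
                 "content-type": "application/json"})

def still_granted(remaining, removed):
    """Return the pairs from `removed` that the role still holds."""
    have = {(p["resource_server_identifier"], p["permission_name"]) for p in remaining}
    return [tuple(p) for p in removed if tuple(p) in have]

def remove_and_verify(domain, role_id, token, permissions):
    """Remove the permissions, then page through the role and report survivors."""
    _call(build_delete_request(domain, role_id, token, permissions))
    remaining, page = [], 0
    while True:  # assumed paging parameters: page, per_page
        batch = _call(urllib.request.Request(
            f"{_url(domain, role_id)}?per_page=100&page={page}",
            headers={"authorization": f"Bearer {token}"}))
        if not batch:
            break
        remaining += batch
        page += 1
    return still_granted(remaining, permissions)

# Constructed sample of what the role still holds; not from a real tenant.
SAMPLE_REMAINING = [{"resource_server_identifier": "https://api.example.test",
                     "permission_name": "read:reports"}]
```

An empty list from remove_and_verify means every requested permission is gone from the role; the token needs read:roles in addition to update:roles for the check.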
