# Story 2.4: Role Management API

## Metadata
- **Story ID**: 2.4
- **Title**: Role Management API
- **Epic**: 2 - Authentication & Authorization
- **Status**: Pending
- **Priority**: High
- **Estimated Time**: 5-6 hours
- **Dependencies**: 1.2, 2.3

## Goal
Provide complete API for managing roles, assigning permissions to roles, and assigning roles to users.

## Description
This story implements the complete role management API allowing administrators to create, update, and delete roles, assign permissions to roles, and assign roles to users.

## Deliverables

### 1. Role Repository (`internal/identity/role_repo.go`)
- CRUD operations for roles
- Assign permissions to roles (many-to-many)
- Assign roles to users (many-to-many)
- List roles with permissions
- List users with roles

### 2. Role Management API Endpoints
- `POST /api/v1/roles` - Create new role
- `GET /api/v1/roles` - List all roles (with pagination)
- `GET /api/v1/roles/:id` - Get role details with permissions
- `PUT /api/v1/roles/:id` - Update role
- `DELETE /api/v1/roles/:id` - Delete role
- `POST /api/v1/roles/:id/permissions` - Assign permissions to role
- `DELETE /api/v1/roles/:id/permissions/:permId` - Remove permission from role
- `POST /api/v1/users/:id/roles` - Assign roles to user
- `DELETE /api/v1/users/:id/roles/:roleId` - Remove role from user

### 3. Authorization and Validation
- All endpoints protected (admin only)
- Input validation
- Error handling

### 4. gRPC Server (Microservices)
- Expose role management via existing Authz service gRPC server
- Role management methods in `api/proto/authz.proto`
- Service registration in service registry

## Acceptance Criteria
- [ ] Admin users can create and manage roles
- [ ] Permissions can be assigned to roles
- [ ] Roles can be assigned to users
- [ ] Role changes affect user permissions immediately
- [ ] All role operations are audited
- [ ] API endpoints are protected with proper permissions

## Related ADRs
- [ADR-0029: Microservices Architecture](../../adr/0029-microservices-architecture.md)
- [ADR-0030: Service Communication Strategy](../../adr/0030-service-communication-strategy.md)

## Files to Create/Modify
- `internal/identity/role_repo.go` - Role repository
- `internal/identity/role_handler.go` - Role handlers
- `internal/server/routes.go` - Add role routes