RubyGems - morpheus-cli - Versions diffs - 6.1.0 → 6.1.1 - Mend

morpheus-cli 6.1.0 → 6.1.1

Files changed (15) hide show

checksums.yaml +4 -4
data/Dockerfile +1 -1
data/lib/morpheus/api/api_client.rb +8 -0
data/lib/morpheus/api/cypher_interface.rb +11 -5
data/lib/morpheus/api/load_balancer_pool_nodes_interface.rb +8 -0
data/lib/morpheus/api/load_balancer_pools_interface.rb +4 -4
data/lib/morpheus/api/load_balancer_pools_secondary_interface.rb +9 -0
data/lib/morpheus/api/roles_interface.rb +8 -8
data/lib/morpheus/cli/commands/load_balancer_pool_nodes.rb +87 -0
data/lib/morpheus/cli/commands/load_balancer_pools.rb +7 -4
data/lib/morpheus/cli/commands/roles.rb +403 -586
data/lib/morpheus/cli/commands/users.rb +46 -2
data/lib/morpheus/cli/mixins/provisioning_helper.rb +6 -6
data/lib/morpheus/cli/version.rb +1 -1
metadata +5 -2

data/lib/morpheus/cli/commands/roles.rb CHANGED Viewed

@@ -139,6 +139,9 @@ class Morpheus::Cli::Roles
       opts.on('-a','--all', "Display All Access Lists") do
         options[:include_all_access] = true
       end
+      opts.on(nil, '--include-default-access', "Include default access levels in the output (returns all available resources)") do
+        options[:include_default_access] = true
+      end
       opts.on('--account-id ID', String, "Clarify Owner of Role") do |val|
         if has_complete_access
           options[:account_id] = val.to_s
@@ -166,7 +169,7 @@ EOT
     account_id = account ? account['id'] : nil
     params.merge!(parse_query_options(options))
+    params['includeDefaultAccess'] = true if options[:include_default_access]
     @roles_interface.setopts(options)
     if options[:dry_run]
       if args[0].to_s =~ /\A\d{1,}\Z/
@@ -181,13 +184,13 @@ EOT
     json_response = nil
     role = nil
     if args[0].to_s =~ /\A\d{1,}\Z/
-      json_response = @roles_interface.get(account_id, args[0].to_i)
+      json_response = @roles_interface.get(account_id, args[0].to_i, params)
       role = json_response['role']
     else
       role = find_role_by_name_or_id(account_id, args[0])
       exit 1 if role.nil?
       # refetch from show action, argh
-      json_response = @roles_interface.get(account_id, role['id'])
+      json_response = @roles_interface.get(account_id, role['id'], params)
       role = json_response['role']
     end
@@ -201,17 +204,20 @@ EOT
       print_h2 "Permissions", options
       print cyan
+      permissions = json_response['featurePermissions'] || role['permissions'] || []
       if options[:include_feature_access] || options[:include_all_access]
-        rows = json_response['featurePermissions'].collect do |it|
+        rows = permissions.collect do |it|
           {
             code: it['code'],
             name: it['name'],
-            subCategory: it['subCategory'],
+            category: it['subCategory'].to_s.titleize,
             access: format_access_string(it['access']),
           }
         end
         if options[:sort]
           rows.sort! {|a,b| a[options[:sort]] <=> b[options[:sort]] }
+        else
+          rows.sort! {|a,b| [a[:category],a[:name],a[:code]] <=> [b[:category],b[:name],b[:code]] }
         end
         if options[:direction] == 'desc'
           rows.reverse!
@@ -220,7 +226,7 @@ EOT
           phrase_regexp = /#{Regexp.escape(options[:phrase])}/i
           rows = rows.select {|row| row[:code].to_s =~ phrase_regexp || row[:name].to_s =~ phrase_regexp }
         end
-        print as_pretty_table(rows, [:code, :name, :subCategory, :access], options)
+        print as_pretty_table(rows, [:category, :name, :code, :access], options)
         # print reset,"\n"
       else
         print cyan,"Use --feature-access to list feature access","\n"
@@ -255,23 +261,20 @@ EOT
       if has_group_access
         #print_h2 "Group Access: #{get_access_string(json_response['globalSiteAccess'])}", options
         print cyan
-        if json_response['sites'].find {|it| !it['access'].nil?}
-          print_h2 "Group Access", options
-          if options[:include_group_access] || options[:include_all_access]
-            rows = json_response['sites'].select {|it| !it['access'].nil?}.collect do |it|
-              {
-                name: it['name'],
-                access: format_access_string(it['access'], ["none","read","full"]),
-              }
-            end
-            print as_pretty_table(rows, [:name, :access], options)
-          else
-            print cyan,"Use -g, --group-access to list custom access","\n"
+        print_h2 "Group Access", options
+        if options[:include_group_access] || options[:include_all_access]
+          rows = json_response['sites'].collect do |it|
+            {
+              name: it['name'],
+              access: format_access_string(it['access'], ["none","read","full"]),
+            }
           end
-          # print reset,"\n"
+          if !options[:include_default_access]
+            rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+          end
+          print as_pretty_table(rows, [:name, :access], options)
         else
-          # print "\n"
-          # print cyan,bold,"Group Access: #{get_access_string(json_response['globalSiteAccess'])}",reset,"\n"
+          print cyan,"Use -g, --group-access to list custom access","\n"
         end
       end
@@ -279,15 +282,18 @@ EOT
         print cyan
         #puts "Cloud Access: #{get_access_string(json_response['globalZoneAccess'])}"
         #print "\n"
-        if json_response['sites'].find{|it| !it['access'].nil?}
+        if json_response['sites'].find{|it| it['access'] && it['access'] != 'default'}
           print_h2 "Cloud Access", options
           if options[:include_cloud_access] || options[:include_all_access]
-            rows = json_response['zones'].select {|it| !it['access'].nil?}.collect do |it|
+            rows = json_response['zones'].collect do |it|
               {
                 name: it['name'],
                 access: format_access_string(it['access'], ["none","read","full"]),
               }
             end
+            if !options[:include_default_access]
+              rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+            end
             print as_pretty_table(rows, [:name, :access], options)
           else
             print cyan,"Use -c, --cloud-access to list custom access","\n"
@@ -316,8 +322,11 @@ EOT
             access: format_access_string(it['access'], ["none","read","full"]),
           }
         end
+        if !options[:include_default_access]
+          rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+        end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif instance_type_permissions.find {|it| !it['access'].nil?}
+      elsif instance_type_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Instance Type Access", options
         print cyan,"Use -i, --instance-type-access to list custom access","\n"
       end
@@ -327,14 +336,14 @@ EOT
       print cyan
       if options[:include_blueprint_access] || options[:include_all_access]
         print_h2 "Blueprint Access", options
-        rows = blueprint_permissions.select {|it| !it['access'].nil?}.collect do |it|
+        rows = blueprint_permissions.collect do |it|
           {
             name: it['name'],
             access: format_access_string(it['access'], ["none","read","full"]),
           }
         end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif blueprint_permissions.find {|it| !it['access'].nil?}
+      elsif blueprint_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Blueprint Access", options
         print cyan,"Use -b, --blueprint-access to list custom access","\n"
       end
@@ -344,14 +353,17 @@ EOT
       print cyan
       if options[:include_catalog_item_type_access] || options[:include_all_access]
         print_h2 "Catalog Item Type Access", options
-        rows = catalog_item_type_permissions.select {|it| !it['access'].nil?}.collect do |it|
+        rows = catalog_item_type_permissions.collect do |it|
           {
             name: it['name'],
             access: format_access_string(it['access'], ["none","read","full"]),
           }
         end
+        if !options[:include_default_access]
+          rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+        end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif catalog_item_type_permissions.find {|it| !it['access'].nil?}
+      elsif catalog_item_type_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Catalog Item Type Access", options
         print cyan,"Use --catalog-item-type-access to list access","\n"
       end
@@ -368,7 +380,7 @@ EOT
           }
         end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif persona_permissions.find {|it| !it['access'].nil?}
+      elsif persona_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Persona Access", options
         print cyan,"Use --persona-access to list access","\n"
       end
@@ -378,14 +390,17 @@ EOT
       print cyan
       if options[:include_vdi_pool_access] || options[:include_all_access]
         print_h2 "VDI Pool Access", options
-        rows = vdi_pool_permissions.select {|it| !it['access'].nil?}.collect do |it|
+        rows = vdi_pool_permissions.collect do |it|
           {
             name: it['name'],
             access: format_access_string(it['access'], ["none","full"]),
           }
         end
+        if !options[:include_default_access]
+          rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+        end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif vdi_pool_permissions.find {|it| !it['access'].nil?}
+      elsif vdi_pool_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "VDI Pool Access", options
         print cyan,"Use --vdi-pool-access to list custom access","\n"
       end
@@ -395,14 +410,17 @@ EOT
       print cyan
       if options[:include_report_type_access] || options[:include_all_access]
         print_h2 "Report Type Access", options
-        rows = report_type_permissions.select {|it| !it['access'].nil?}.collect do |it|
+        rows = report_type_permissions.collect do |it|
           {
             name: it['name'],
             access: format_access_string(it['access'], ["none","full"]),
           }
         end
+        if !options[:include_default_access]
+          rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+        end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif report_type_permissions.find {|it| !it['access'].nil?}
+      elsif report_type_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Report Type Access", options
         print cyan,"Use --report-type-access to list custom access","\n"
       end
@@ -418,8 +436,11 @@ EOT
             access: format_access_string(it['access'], ["none","full"]),
           }
         end
+        if !options[:include_default_access]
+          rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+        end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif task_permissions.find {|it| !it['access'].nil?}
+      elsif task_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Task Access", options
         print cyan,"Use --task-access to list custom access","\n"
       end
@@ -429,14 +450,17 @@ EOT
       print cyan
       if options[:include_workflow_access] || options[:include_all_access]
         print_h2 "Workflow", options
-        rows = workflow_permissions.select {|it| !it['access'].nil?}.collect do |it|
+        rows = workflow_permissions.collect do |it|
           {
             name: it['name'],
             access: format_access_string(it['access'], ["none","full"]),
           }
         end
+        if !options[:include_default_access]
+          rows = rows.select {|row| row[:access] && row[:access] != 'default '}
+        end
         print as_pretty_table(rows, [:name, :access], options)
-      elsif workflow_permissions.find {|it| !it['access'].nil?}
+      elsif workflow_permissions.find {|it| it['access'] && it['access'] != 'default'}
         print_h2 "Workflow", options
         print cyan,"Use --workflow-access to list custom access","\n"
       end
@@ -530,11 +554,14 @@ EOT
           {
             code: it['code'],
             name: it['name'],
+            category: it['subCategory'].to_s.titleize,
             access: format_access_string(it['access']),
           }
         end
         if options[:sort]
           rows.sort! {|a,b| a[options[:sort]] <=> b[options[:sort]] }
+        else
+          rows.sort! {|a,b| [a[:category],a[:name],a[:code]] <=> [b[:category],b[:name],b[:code]] }
         end
         if options[:direction] == 'desc'
           rows.reverse!
@@ -543,7 +570,7 @@ EOT
           phrase_regexp = /#{Regexp.escape(options[:phrase])}/i
           rows = rows.select {|row| row[:code].to_s =~ phrase_regexp || row[:name].to_s =~ phrase_regexp }
         end
-        print as_pretty_table(rows, [:code, :name, :access], options)
+        print as_pretty_table(rows, [:category, :name, :code, :access], options)
       else
         puts "No permissions found"
       end
@@ -557,135 +584,15 @@ EOT
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[name] [options]")
       build_option_type_options(opts, options, add_role_option_types)
-      opts.on('--permissions CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
-        options[:permissions] ||= {}
-        parse_access_csv(options[:permissions], val, args, optparse)
-      end
-      opts.add_hidden_option('--permissions')
-      opts.on('--feature-access CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
-        options[:permissions] ||= {}
-        parse_access_csv(options[:permissions], val, args, optparse)
-      end
-      opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|full]" ) do |val|
-        params['globalSiteAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-group-access')
-      opts.on('--default-group-access ACCESS', String, "Update the default group (site) access: [none|read|full]" ) do |val|
-        params['globalSiteAccess'] = val.to_s.downcase
-      end
-      opts.on('--groups ID=ACCESS', String, "Set group (site) to a custom access by group id. Example: 1=none,2=full,3=read" ) do |val|
-        options[:group_permissions] ||= {}
-        parse_access_csv(options[:group_permissions], val, args, optparse)
-      end
-      opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|read|full]" ) do  |val|
-        params['globalZoneAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-cloud-access')
-      opts.on('--default-cloud-access ACCESS', String, "Update the default cloud (zone) access: [none|read|full]" ) do  |val|
-        params['globalZoneAccess'] = val.to_s.downcase
-      end
-      opts.on('--clouds ID=ACCESS', String, "Set cloud (zone) to a custom access by cloud id. Example: 1=none,2=full,3=read" ) do |val|
-        options[:cloud_permissions] ||= {}
-        parse_access_csv(options[:cloud_permissions], val, args, optparse)
-      end
-      opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|full]" ) do  |val|
-        params['globalInstanceTypeAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-instance-type-access')
-      opts.on('--default-instance-type-access ACCESS', String, "Update the default instance type access: [none|full]" ) do  |val|
-        params['globalInstanceTypeAccess'] = val.to_s.downcase
-      end
-      opts.on('--instance-types CODE=ACCESS', String, "Set instance type to a custom access instance type code. Example: nginx=full,apache=none" ) do |val|
-        options[:instance_type_permissions] ||= {}
-        parse_access_csv(options[:instance_type_permissions], val, args, optparse)
-      end
-      opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|full]" ) do  |val|
-        params['globalAppTemplateAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-blueprint-access')
-      opts.on('--default-blueprint-access ACCESS', String, "Update the default blueprint access: [none|full]" ) do  |val|
-        params['globalAppTemplateAccess'] = val.to_s.downcase
-      end
-      opts.on('--blueprints ID=ACCESS', String, "Set blueprint to a custom access by blueprint id. Example: 1=full,2=none" ) do |val|
-        options[:blueprint_permissions] ||= {}
-        parse_access_csv(options[:blueprint_permissions], val, args, optparse)
-      end
-      opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|full]" ) do  |val|
-        params['globalCatalogItemTypeAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-catalog-item-type-access')
-      opts.on('--default-catalog-item-type-access ACCESS', String, "Update the default catalog item type access: [none|full]" ) do  |val|
-        params['globalCatalogItemTypeAccess'] = val.to_s.downcase
-      end
-      opts.on('--catalog-item-types CODE=ACCESS', String, "Set catalog item type to a custom access by catalog item type id. Example: 1=full,2=none" ) do |val|
-        options[:catalog_item_type_permissions] ||= {}
-        parse_access_csv(options[:catalog_item_type_permissions], val, args, optparse)
-      end
-      opts.on('--default-persona-access ACCESS', String, "Update the default persona access: [none|full]" ) do  |val|
-        params['globalPersonaAccess'] = val.to_s.downcase
-      end
-      opts.on('--personas CODE=ACCESS', String, "Set persona to a custom access by persona code. Example: standard=full,serviceCatalog=full,vdi=full" ) do |val|
-        options[:persona_permissions] ||= {}
-        parse_access_csv(options[:persona_permissions], val, args, optparse)
-      end
-      opts.on('--global-vdi-pool-access-access ACCESS', String, "Update the global VDI pool access: [none|full]" ) do  |val|
-        params['globalVdiPoolAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-vdi-pool-access-access')
-      opts.on('--default-vdi-pool-access-access ACCESS', String, "Update the default VDI pool access: [none|full]" ) do  |val|
-        params['globalVdiPoolAccess'] = val.to_s.downcase
-      end
-      opts.on('--vdi-pools ID=ACCESS', String, "Set VDI pool to a custom access by VDI pool id. Example: 1=full,2=none" ) do |val|
-        options[:vdi_pool_permissions] ||= {}
-        parse_access_csv(options[:vdi_pool_permissions], val, args, optparse)
-      end
-      opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|full]" ) do  |val|
-        params['globalReportTypeAccess'] = val.to_s.downcase
-      end
-      opts.on('--default-report-type-access ACCESS', String, "Update the default report type access: [none|full]" ) do  |val|
-        params['globalReportTypeAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--default-report-type-access')
-      opts.on('--report-types CODE=ACCESS', String, "Set report type to a custom access by report type code. Example: appCost=none,guidance=full" ) do |val|
-        options[:report_type_permissions] ||= {}
-        parse_access_csv(options[:report_type_permissions], val, args, optparse)
-      end
-      opts.on('--global-task-access ACCESS', String, "Set the global task access: [none|full]" ) do  |val|
-        params['globalTaskAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-task-access')
-      opts.on('--default-task-access ACCESS', String, "Set the default task access: [none|full]" ) do  |val|
-        params['globalTaskAccess'] = val.to_s.downcase
-      end
-      opts.on('--tasks ID=ACCESS', String, "Set task to a custom access by task id. Example: 1=none,2=full" ) do |val|
-        options[:task_permissions] ||= {}
-        parse_access_csv(options[:task_permissions], val, args, optparse)
-      end
-      opts.on('--global-workflow-access ACCESS', String, "Set the default workflow access: [none|full]" ) do  |val|
-        params['globalTaskSetAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-workflow-access')
-      opts.on('--default-workflow-access ACCESS', String, "Set the default workflow access: [none|full]" ) do  |val|
-        params['globalTaskSetAccess'] = val.to_s.downcase
-      end
-      opts.on('--workflows ID=ACCESS', String, "Set workflow to a custom access by workflow id. Example: 1=none,2=full" ) do |val|
-        options[:workflow_permissions] ||= {}
-        parse_access_csv(options[:workflow_permissions], val, args, optparse)
-      end
-      opts.on('--reset-permissions', "Reset all feature permission access to none. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
-        options[:reset_permissions] = true
-      end
-      opts.add_hidden_option('--reset-permissions')
-      opts.on('--reset-feature-access', "Reset all feature permission access to none. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
-        options[:reset_permissions] = true
-      end
-      opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
-        options[:reset_all_access] = true
-      end
+      build_role_access_options(opts, options, params)
       opts.on('--owner ID', String, "Set the owner/tenant/account for the role by account id. Only master tenants with full permission for Tenant and Role may use this option." ) do |val|
         params['owner'] = val
       end
-            opts.footer = <<-EOT
+      opts.on(nil, '--include-default-access', "Include default access levels in the response (returns all available resources)") do
+        options[:include_default_access] = true
+      end
+      build_standard_add_options(opts, options)
+      opts.footer = <<-EOT
 Create a new role.
 [name] is required. This is a unique name (authority) for the new role.
 All the role permissions and access values can be configured.
@@ -695,7 +602,6 @@ Only the specified permissions,instance types, etc. are updated.
 Use --reset-feature-access to set access to "none" for all unspecified feature permissions.
 Use --reset-all-access to set access to "none" for all unspecified feature permissions and default access values for groups, instance types, etc.
 EOT
-      build_common_options(opts, options, [:options, :payload, :json, :dry_run, :remote])
     end
     optparse.parse!(args)
     verify_args!(args:args, optparse:optparse, max:1)
@@ -721,199 +627,73 @@ EOT
         # argh, some options depend on others here...eg. multitenant is only available when roleType == 'user'
         #prompt_option_types = update_role_option_types()
-        role_payload = params
         v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'authority', 'fieldLabel' => 'Name', 'type' => 'text', 'required' => true, 'displayOrder' => 1}], options[:options])
-        role_payload['authority'] = v_prompt['authority']
+        params['authority'] = v_prompt['authority']
         v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'description', 'fieldLabel' => 'Description', 'type' => 'text', 'displayOrder' => 2}], options[:options])
-        role_payload['description'] = v_prompt['description']
+        params['description'] = v_prompt['description']
         if params['owner']
           if @is_master_account && has_complete_access
-            role_payload['owner'] = params['owner']
+            params['owner'] = params['owner']
           else
             print_red_alert "You do not have the necessary authority to use owner option"
             return
           end
         elsif @is_master_account && has_complete_access
           v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'owner', 'fieldLabel' => 'Owner', 'type' => 'select', 'selectOptions' => role_owner_options, 'defaultValue' => current_account['id'], 'displayOrder' => 3}], options[:options])
-          role_payload['owner'] = v_prompt['owner']
+          params['owner'] = v_prompt['owner']
         else
-          role_payload['owner'] = current_account['id']
+          params['owner'] = current_account['id']
         end
-        if @is_master_account && role_payload['owner'] == current_account['id']
+        if @is_master_account && params['owner'] == current_account['id']
           v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'roleType', 'fieldLabel' => 'Type', 'type' => 'select', 'selectOptions' => role_type_options, 'defaultValue' => 'user', 'displayOrder' => 4}], options[:options])
-          role_payload['roleType'] = v_prompt['roleType']
+          params['roleType'] = v_prompt['roleType']
         else
-          role_payload['roleType'] = 'user'
+          params['roleType'] = 'user'
         end
-        v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'baseRole', 'fieldLabel' => 'Copy From Role', 'type' => 'select', 'selectOptions' => base_role_options(role_payload), 'displayOrder' => 5}], options[:options])
+        if options[:cloud_permissions] && params['roleType'] == 'user'
+          raise_command_error "The --clouds option is only available for user roles, not account roles"
+        end
+        if options[:group_permissions] && params['roleType'] == 'account'
+          raise_command_error "The --groups option is only available for account roles, not user roles"
+        end
+        v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'baseRole', 'fieldLabel' => 'Copy From Role', 'type' => 'select', 'selectOptions' => base_role_options(params), 'displayOrder' => 5}], options[:options])
         if v_prompt['baseRole'].to_s != ''
           base_role = find_role_by_name_or_id(account_id, v_prompt['baseRole'])
           exit 1 if base_role.nil?
-          role_payload['baseRoleId'] = base_role['id']
+          params['baseRoleId'] = base_role['id']
         end
-        if @is_master_account && role_payload['owner'] == current_account['id']
-          if role_payload['roleType'] == 'user'
+        if @is_master_account && params['owner'] == current_account['id']
+          if params['roleType'] == 'user'
             v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'multitenant', 'fieldLabel' => 'Multitenant', 'type' => 'checkbox', 'defaultValue' => 'off', 'description' => 'A Multitenant role is automatically copied into all existing subaccounts as well as placed into a subaccount when created. Useful for providing a set of predefined roles a Customer can use', 'displayOrder' => 5}], options[:options])
-            role_payload['multitenant'] = ['on','true'].include?(v_prompt['multitenant'].to_s)
-            if role_payload['multitenant']
+            params['multitenant'] = ['on','true'].include?(v_prompt['multitenant'].to_s)
+            if params['multitenant']
               v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'multitenantLocked', 'fieldLabel' => 'Multitenant Locked', 'type' => 'checkbox', 'defaultValue' => 'off', 'description' => 'Prevents subtenants from branching off this role/modifying it.'}], options[:options])
-              role_payload['multitenantLocked'] = ['on','true'].include?(v_prompt['multitenantLocked'].to_s)
+              params['multitenantLocked'] = ['on','true'].include?(v_prompt['multitenantLocked'].to_s)
             end
           end
         end
         # v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'defaultPersona', 'fieldLabel' => 'Default Persona', 'type' => 'select', 'optionSource' => 'personas', 'description' => 'Default Persona'}], options[:options], @api_client)
         v_prompt = Morpheus::Cli::OptionTypes.prompt([{'fieldName' => 'defaultPersona', 'fieldLabel' => 'Default Persona', 'type' => 'select', 'selectOptions' => get_persona_select_options(), 'description' => 'Default Persona'}], options[:options], @api_client)
-        role_payload['defaultPersona'] = {'code' => v_prompt['defaultPersona']} unless v_prompt['defaultPersona'].to_s.strip.empty?
-        # bulk permissions
-        if options[:permissions]
-          perms_array = []
-          options[:permissions].each do |k,v|
-            perm_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => perm_code, "access" => access_value}
-          end
-          params['permissions'] = perms_array
-        end
-        if options[:group_permissions]
-          perms_array = []
-          options[:group_permissions].each do |k,v|
-            site_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if site_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => site_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => site_id, "access" => access_value}
-            end
-          end
-          params['sites'] = perms_array
-        end
-        if options[:cloud_permissions]
-          perms_array = []
-          options[:cloud_permissions].each do |k,v|
-            zone_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if zone_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => zone_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => zone_id, "access" => access_value}
-            end
-            perms_array << {"id" => zone_id, "access" => access_value}
-          end
-          params['zones'] = perms_array
-        end
-        if options[:instance_type_permissions]
-          perms_array = []
-          options[:instance_type_permissions].each do |k,v|
-            instance_type_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => instance_type_code, "access" => access_value}
-          end
-          params['instanceTypes'] = perms_array
-        end
-        if options[:blueprint_permissions]
-          perms_array = []
-          options[:blueprint_permissions].each do |k,v|
-            blueprint_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if blueprint_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => blueprint_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => blueprint_id, "access" => access_value}
-            end
-          end
-          params['appTemplates'] = perms_array
-        end
-        if options[:catalog_item_type_permissions]
-          perms_array = []
-          options[:catalog_item_type_permissions].each do |k,v|
-            catalog_item_type_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if catalog_item_type_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => catalog_item_type_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => catalog_item_type_id, "access" => access_value}
-            end
-          end
-          params['catalogItemTypes'] = perms_array
+        params['defaultPersona'] = {'code' => v_prompt['defaultPersona']} unless v_prompt['defaultPersona'].to_s.strip.empty?
-        end
-        if options[:persona_permissions]
-          perms_array = []
-          options[:persona_permissions].each do |k,v|
-            persona_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => persona_code, "access" => access_value}
-          end
-          params['personas'] = perms_array
-        end
-        if options[:vdi_pool_permissions]
-          perms_array = []
-          options[:vdi_pool_permissions].each do |k,v|
-            vdi_pool_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if vdi_pool_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => vdi_pool_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => vdi_pool_id, "access" => access_value}
-            end
-          end
-          params['vdiPools'] = perms_array
-        end
-        if options[:report_type_permissions]
-          perms_array = []
-          options[:report_type_permissions].each do |k,v|
-            report_type_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => report_type_code, "access" => access_value}
-          end
-          params['reportTypes'] = perms_array
-        end
-        if options[:task_permissions]
-          perms_array = []
-          options[:task_permissions].each do |k,v|
-            task_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if task_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => task_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => task_id, "access" => access_value}
-            end
-          end
-          params['tasks'] = perms_array
-        end
-        if options[:workflow_permissions]
-          perms_array = []
-          options[:workflow_permissions].each do |k,v|
-            workflow_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if workflow_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => workflow_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => workflow_id, "access" => access_value}
-            end
-          end
-          params['workflows'] = perms_array
-        end
-        if options[:reset_permissions]
-          params["resetPermissions"] = true
-        end
-        if options[:reset_all_access]
-          params["resetAllAccess"] = true
-        end
-        payload = {"role" => role_payload}
+        # bulk role permissions
+        parse_role_access_options(options, params)
+        payload = {"role" => params}
       end
+      query_params = parse_query_options(options)
+      query_params['includeDefaultAccess'] = true if options[:include_default_access]
       @roles_interface.setopts(options)
       if options[:dry_run]
-        print_dry_run @roles_interface.dry.create(account_id, payload)
+        print_dry_run @roles_interface.dry.create(account_id, payload, query_params)
         return
       end
-      json_response = @roles_interface.create(account_id, payload)
+      json_response = @roles_interface.create(account_id, payload, query_params)
       if options[:json]
         print JSON.pretty_generate(json_response)
@@ -934,13 +714,13 @@ EOT
         get_args.push "--account-id", account['id'].to_s
       end
-      details_options = [role_payload["authority"]]
+      details_options = [params["authority"]]
       if account
         details_options.push "--account-id", account['id'].to_s
       end
-      if role_payload['owner']
-        details_options.push "--account-id", role_payload['owner'].to_s
+      if params['owner']
+        details_options.push "--account-id", params['owner'].to_s
       end
       get(details_options)
@@ -956,127 +736,9 @@ EOT
     optparse = Morpheus::Cli::OptionParser.new do |opts|
       opts.banner = subcommand_usage("[role] [options]")
       build_option_type_options(opts, options, update_role_option_types)
-      opts.on('--permissions CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
-        options[:permissions] ||= {}
-        parse_access_csv(options[:permissions], val, args, optparse)
-      end
-      opts.add_hidden_option('--permissions')
-      opts.on('--feature-access CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
-        options[:permissions] ||= {}
-        parse_access_csv(options[:permissions], val, args, optparse)
-      end
-      opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|full]" ) do |val|
-        params['globalSiteAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-group-access')
-      opts.on('--default-group-access ACCESS', String, "Update the default group (site) access: [none|read|full]" ) do |val|
-        params['globalSiteAccess'] = val.to_s.downcase
-      end
-      opts.on('--groups ID=ACCESS', String, "Set group (site) to a custom access by group id. Example: 1=none,2=full,3=read" ) do |val|
-        options[:group_permissions] ||= {}
-        parse_access_csv(options[:group_permissions], val, args, optparse)
-      end
-      opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|read|full]" ) do  |val|
-        params['globalZoneAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-cloud-access')
-      opts.on('--default-cloud-access ACCESS', String, "Update the default cloud (zone) access: [none|read|full]" ) do  |val|
-        params['globalZoneAccess'] = val.to_s.downcase
-      end
-      opts.on('--clouds ID=ACCESS', String, "Set cloud (zone) to a custom access by cloud id. Example: 1=none,2=full,3=read" ) do |val|
-        options[:cloud_permissions] ||= {}
-        parse_access_csv(options[:cloud_permissions], val, args, optparse)
-      end
-      opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|full]" ) do  |val|
-        params['globalInstanceTypeAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-instance-type-access')
-      opts.on('--default-instance-type-access ACCESS', String, "Update the default instance type access: [none|full]" ) do  |val|
-        params['globalInstanceTypeAccess'] = val.to_s.downcase
-      end
-      opts.on('--instance-types CODE=ACCESS', String, "Set instance type to a custom access instance type code. Example: nginx=full,apache=none" ) do |val|
-        options[:instance_type_permissions] ||= {}
-        parse_access_csv(options[:instance_type_permissions], val, args, optparse)
-      end
-      opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|full]" ) do  |val|
-        params['globalAppTemplateAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-blueprint-access')
-      opts.on('--default-blueprint-access ACCESS', String, "Update the default blueprint access: [none|full]" ) do  |val|
-        params['globalAppTemplateAccess'] = val.to_s.downcase
-      end
-      opts.on('--blueprints ID=ACCESS', String, "Set blueprint to a custom access by blueprint id. Example: 1=full,2=none" ) do |val|
-        options[:blueprint_permissions] ||= {}
-        parse_access_csv(options[:blueprint_permissions], val, args, optparse)
-      end
-      opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|full]" ) do  |val|
-        params['globalCatalogItemTypeAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-catalog-item-type-access')
-      opts.on('--default-catalog-item-type-access ACCESS', String, "Update the default catalog item type access: [none|full]" ) do  |val|
-        params['globalCatalogItemTypeAccess'] = val.to_s.downcase
-      end
-      opts.on('--catalog-item-types CODE=ACCESS', String, "Set catalog item type to a custom access by catalog item type id. Example: 1=full,2=none" ) do |val|
-        options[:catalog_item_type_permissions] ||= {}
-        parse_access_csv(options[:catalog_item_type_permissions], val, args, optparse)
-      end
-      opts.on('--personas CODE=ACCESS', String, "Set persona to a custom access by persona code. Example: standard=full,serviceCatalog=full,vdi=full" ) do |val|
-        options[:persona_permissions] ||= {}
-        parse_access_csv(options[:persona_permissions], val, args, optparse)
-      end
-      opts.on('--global-vdi-pool-access ACCESS', String, "Update the global VDI pool access: [none|full]" ) do  |val|
-        params['globalVdiPoolAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-vdi-pool-access')
-      opts.on('--default-vdi-pool-access ACCESS', String, "Update the default VDI pool access: [none|full]" ) do  |val|
-        params['globalVdiPoolAccess'] = val.to_s.downcase
-      end
-      opts.on('--vdi-pools ID=ACCESS', String, "Set VDI pool to a custom access by VDI pool id. Example: 1=full,2=none" ) do |val|
-        options[:vdi_pool_permissions] ||= {}
-        parse_access_csv(options[:vdi_pool_permissions], val, args, optparse)
-      end
-      opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|full]" ) do  |val|
-        params['globalReportTypeAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-report-type-access')
-      opts.on('--default-report-type-access ACCESS', String, "Update the default report type access: [none|full]" ) do  |val|
-        params['globalReportTypeAccess'] = val.to_s.downcase
-      end
-      opts.on('--report-types CODE=ACCESS', String, "Set report type to a custom access by report type code. Example: appCost=none,guidance=full" ) do |val|
-        options[:report_type_permissions] ||= {}
-        parse_access_csv(options[:report_type_permissions], val, args, optparse)
-      end
-      opts.on('--global-task-access ACCESS', String, "Update the global task access: [none|full]" ) do  |val|
-        params['globalTaskAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-task-access')
-      opts.on('--default-task-access ACCESS', String, "Update the default task access: [none|full]" ) do  |val|
-        params['globalTaskAccess'] = val.to_s.downcase
-      end
-      opts.on('--tasks ID=ACCESS', String, "Set task to a custom access by task id. Example: 1=none,2=full" ) do |val|
-        options[:task_permissions] ||= {}
-        parse_access_csv(options[:task_permissions], val, args, optparse)
-      end
-      opts.on('--global-workflow-access ACCESS', String, "Update the global workflow access: [none|full]" ) do  |val|
-        params['globalTaskSetAccess'] = val.to_s.downcase
-      end
-      opts.add_hidden_option('--global-workflow-access')
-      opts.on('--default-workflow-access ACCESS', String, "Update the default workflow access: [none|full]" ) do  |val|
-        params['globalTaskSetAccess'] = val.to_s.downcase
-      end
-      opts.on('--workflows ID=ACCESS', String, "Set workflow to a custom access by workflow id. Example: 1=none,2=full" ) do |val|
-        options[:workflow_permissions] ||= {}
-        parse_access_csv(options[:workflow_permissions], val, args, optparse)
-      end
-      opts.on('--reset-permissions', "Reset all feature permission access to none. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
-        options[:reset_permissions] = true
-      end
-      opts.add_hidden_option('--reset-permissions')
-      opts.on('--reset-feature-access', "Reset all feature permission access to none. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
-        options[:reset_permissions] = true
-      end
-      opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
-        options[:reset_all_access] = true
+      build_role_access_options(opts, options, params)
+      opts.on(nil, '--include-default-access', "Include default access levels in the output (returns all available resources)") do
+        options[:include_default_access] = true
       end
       build_standard_update_options(opts, options)
       opts.footer = <<-EOT
@@ -1122,154 +784,28 @@ EOT
           prompt_option_types = prompt_option_types.reject {|it| ['multitenant','multitenantLocked'].include?(it['fieldName']) }
         end
         #params = Morpheus::Cli::OptionTypes.prompt(prompt_option_types, options[:options], @api_client, options[:params])
-        # bulk permissions
-        if options[:permissions]
-          perms_array = []
-          options[:permissions].each do |k,v|
-            perm_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => perm_code, "access" => access_value}
-          end
-          params['permissions'] = perms_array
-        end
-        if options[:group_permissions]
-          perms_array = []
-          options[:group_permissions].each do |k,v|
-            site_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if site_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => site_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => site_id, "access" => access_value}
-            end
-          end
-          params['sites'] = perms_array
-        end
-        if options[:cloud_permissions]
-          perms_array = []
-          options[:cloud_permissions].each do |k,v|
-            zone_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if zone_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => zone_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => zone_id, "access" => access_value}
-            end
-            perms_array << {"id" => zone_id, "access" => access_value}
-          end
-          params['zones'] = perms_array
-        end
-        if options[:instance_type_permissions]
-          perms_array = []
-          options[:instance_type_permissions].each do |k,v|
-            instance_type_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => instance_type_code, "access" => access_value}
-          end
-          params['instanceTypes'] = perms_array
-        end
-        if options[:blueprint_permissions]
-          perms_array = []
-          options[:blueprint_permissions].each do |k,v|
-            blueprint_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if blueprint_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => blueprint_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => blueprint_id, "access" => access_value}
-            end
-          end
-          params['appTemplates'] = perms_array
-        end
-        if options[:catalog_item_type_permissions]
-          perms_array = []
-          options[:catalog_item_type_permissions].each do |k,v|
-            catalog_item_type_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if catalog_item_type_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => catalog_item_type_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => catalog_item_type_id, "access" => access_value}
-            end
-          end
-          params['catalogItemTypes'] = perms_array
-        end
-        if options[:persona_permissions]
-          perms_array = []
-          options[:persona_permissions].each do |k,v|
-            persona_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => persona_code, "access" => access_value}
-          end
-          params['personas'] = perms_array
-        end
-        if options[:vdi_pool_permissions]
-          perms_array = []
-          options[:vdi_pool_permissions].each do |k,v|
-            vdi_pool_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if vdi_pool_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => vdi_pool_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => vdi_pool_id, "access" => access_value}
-            end
-          end
-          params['vdiPools'] = perms_array
-        end
-        if options[:report_type_permissions]
-          perms_array = []
-          options[:report_type_permissions].each do |k,v|
-            report_type_code = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            perms_array << {"code" => report_type_code, "access" => access_value}
-          end
-          params['reportTypes'] = perms_array
-        end
-        if options[:task_permissions]
-          perms_array = []
-          options[:task_permissions].each do |k,v|
-            task_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if task_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => task_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => task_id, "access" => access_value}
-            end
-          end
-          params['tasks'] = perms_array
-        end
-        if options[:workflow_permissions]
-          perms_array = []
-          options[:workflow_permissions].each do |k,v|
-            workflow_id = k
-            access_value = v.to_s.empty? ? "none" : v.to_s
-            if workflow_id =~ /\A\d{1,}\Z/
-              perms_array << {"id" => workflow_id.to_i, "access" => access_value}
-            else
-              perms_array << {"name" => workflow_id, "access" => access_value}
-            end
-          end
-          params['taskSets'] = perms_array
-        end
-        if options[:reset_permissions]
-          params["resetPermissions"] = true
+        if options[:cloud_permissions] && role['roleType'] == 'user'
+          raise_command_error "The --clouds option is only available for user roles, not account roles"
         end
-        if options[:reset_all_access]
-          params["resetAllAccess"] = true
+        if options[:group_permissions] && role['roleType'] == 'account'
+          raise_command_error "The --groups option is only available for account roles, not user roles"
         end
+        # bulk role permissions
+        parse_role_access_options(options, params)
         if params.empty?
           raise_command_error "Specify at least one option to update.\n#{optparse}"
         end
         payload = {"role" => params}
       end
+      query_params = parse_query_options(options)
+      query_params['includeDefaultAccess'] = true if options[:include_default_access]
       @roles_interface.setopts(options)
       if options[:dry_run]
-        print_dry_run @roles_interface.dry.update(account_id, role['id'], payload)
+        print_dry_run @roles_interface.dry.update(account_id, role['id'], payload, query_params)
         return
       end
-      json_response = @roles_interface.update(account_id, role['id'], payload)
+      json_response = @roles_interface.update(account_id, role['id'], payload, query_params)
       render_response(json_response, options, "role") do
         role = json_response['role']
         display_name = role['authority'] rescue ''
@@ -2988,18 +2524,299 @@ Update default workflow access for a role.
     has_access
   end
-  def parse_access_csv(output, val, args, optparse)
+  def parse_access_csv(output, val)
     output ||= {}
     val.split(",").each do |value_pair|
       # split on '=' only because ':' is included in the permission name
       k,v = value_pair.include?("=") ? value_pair.strip.split("=") : [value_pair, ""]
-      k.strip!
-      v.strip!
-      if v == ""
-        raise_command_error "permission '#{k}=#{v}' is invalid. The access code must be a value like [none|read|full]", args, optparse
+      next if k.to_s.empty?
+      k = k.to_s.strip
+      v = v.to_s.strip
+      if k.empty?
+        # ignore blank values, extra comma maybe?
+        next
+      end
+      if v == ""
+        raise_command_error "permission '#{k}=#{v}' is invalid. The access value is required eg. [default|none|read|full]"
       end
       output[k] = v
     end
     return output
   end
+  # role permission access options shared by add and update
+  def build_role_access_options(opts, options, params)
+    opts.on('--permissions CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
+      options[:permissions] ||= {}
+      parse_access_csv(options[:permissions], val)
+    end
+    opts.add_hidden_option('--permissions')
+    opts.on('--feature-access CODE=ACCESS', String, "Set feature permission access by permission code. Example: dashboard=read,operations-wiki=full" ) do |val|
+      options[:permissions] ||= {}
+      parse_access_csv(options[:permissions], val)
+    end
+    opts.on('--global-group-access ACCESS', String, "Update the global group (site) access: [none|read|full]" ) do |val|
+      params['globalSiteAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-group-access')
+    opts.on('--default-group-access ACCESS', String, "Update the default group (site) access: [none|read|full]" ) do |val|
+      params['globalSiteAccess'] = val.to_s.downcase
+    end
+    opts.on('--groups ID=ACCESS', String, "Set group (site) to a custom access by group id. Example: 1=none,2=full,3=read" ) do |val|
+      options[:group_permissions] ||= {}
+      parse_access_csv(options[:group_permissions], val)
+    end
+    opts.on('--global-cloud-access ACCESS', String, "Update the global cloud (zone) access: [none|read|full]" ) do  |val|
+      params['globalZoneAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-cloud-access')
+    opts.on('--default-cloud-access ACCESS', String, "Update the default cloud (zone) access: [none|read|full]" ) do  |val|
+      params['globalZoneAccess'] = val.to_s.downcase
+    end
+    opts.on('--clouds ID=ACCESS', String, "Set cloud (zone) to a custom access by cloud id. Example: 1=none,2=full,3=read" ) do |val|
+      options[:cloud_permissions] ||= {}
+      parse_access_csv(options[:cloud_permissions], val)
+    end
+    opts.on('--global-instance-type-access ACCESS', String, "Update the global instance type access: [none|full]" ) do  |val|
+      params['globalInstanceTypeAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-instance-type-access')
+    opts.on('--default-instance-type-access ACCESS', String, "Update the default instance type access: [none|full]" ) do  |val|
+      params['globalInstanceTypeAccess'] = val.to_s.downcase
+    end
+    opts.on('--instance-types CODE=ACCESS', String, "Set instance type to a custom access instance type code. Example: nginx=full,apache=none" ) do |val|
+      options[:instance_type_permissions] ||= {}
+      parse_access_csv(options[:instance_type_permissions], val)
+    end
+    opts.on('--global-blueprint-access ACCESS', String, "Update the global blueprint access: [none|full]" ) do  |val|
+      params['globalAppTemplateAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-blueprint-access')
+    opts.on('--default-blueprint-access ACCESS', String, "Update the default blueprint access: [none|full]" ) do  |val|
+      params['globalAppTemplateAccess'] = val.to_s.downcase
+    end
+    opts.on('--blueprints ID=ACCESS', String, "Set blueprint to a custom access by blueprint id. Example: 1=full,2=none" ) do |val|
+      options[:blueprint_permissions] ||= {}
+      parse_access_csv(options[:blueprint_permissions], val)
+    end
+    opts.on('--global-catalog-item-type-access ACCESS', String, "Update the global catalog item type access: [none|full]" ) do  |val|
+      params['globalCatalogItemTypeAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-catalog-item-type-access')
+    opts.on('--default-catalog-item-type-access ACCESS', String, "Update the default catalog item type access: [none|full]" ) do  |val|
+      params['globalCatalogItemTypeAccess'] = val.to_s.downcase
+    end
+    opts.on('--catalog-item-types CODE=ACCESS', String, "Set catalog item type to a custom access by catalog item type id. Example: 1=full,2=none" ) do |val|
+      options[:catalog_item_type_permissions] ||= {}
+      parse_access_csv(options[:catalog_item_type_permissions], val)
+    end
+    opts.on('--default-persona-access ACCESS', String, "Update the default persona access: [none|full]" ) do  |val|
+      params['globalPersonaAccess'] = val.to_s.downcase
+    end
+    opts.on('--personas CODE=ACCESS', String, "Set persona to a custom access by persona code. Example: standard=full,serviceCatalog=full,vdi=full" ) do |val|
+      options[:persona_permissions] ||= {}
+      parse_access_csv(options[:persona_permissions], val)
+    end
+    opts.on('--global-vdi-pool-access ACCESS', String, "Update the global VDI pool access: [none|full]" ) do  |val|
+      params['globalVdiPoolAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-vdi-pool-access')
+    opts.on('--default-vdi-pool-access ACCESS', String, "Update the default VDI pool access: [none|full]" ) do  |val|
+      params['globalVdiPoolAccess'] = val.to_s.downcase
+    end
+    opts.on('--vdi-pools ID=ACCESS', String, "Set VDI pool to a custom access by VDI pool id. Example: 1=full,2=none" ) do |val|
+      options[:vdi_pool_permissions] ||= {}
+      parse_access_csv(options[:vdi_pool_permissions], val)
+    end
+    opts.on('--global-report-type-access ACCESS', String, "Update the global report type access: [none|full]" ) do  |val|
+      params['globalReportTypeAccess'] = val.to_s.downcase
+    end
+    opts.on('--default-report-type-access ACCESS', String, "Update the default report type access: [none|full]" ) do  |val|
+      params['globalReportTypeAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--default-report-type-access')
+    opts.on('--report-types CODE=ACCESS', String, "Set report type to a custom access by report type code. Example: appCost=none,guidance=full" ) do |val|
+      options[:report_type_permissions] ||= {}
+      parse_access_csv(options[:report_type_permissions], val)
+    end
+    opts.on('--global-task-access ACCESS', String, "Set the global task access: [none|full]" ) do  |val|
+      params['globalTaskAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-task-access')
+    opts.on('--default-task-access ACCESS', String, "Set the default task access: [none|full]" ) do  |val|
+      params['globalTaskAccess'] = val.to_s.downcase
+    end
+    opts.on('--tasks ID=ACCESS', String, "Set task to a custom access by task id. Example: 1=none,2=full" ) do |val|
+      options[:task_permissions] ||= {}
+      parse_access_csv(options[:task_permissions], val)
+    end
+    opts.on('--global-workflow-access ACCESS', String, "Set the default workflow access: [none|full]" ) do  |val|
+      params['globalTaskSetAccess'] = val.to_s.downcase
+    end
+    opts.add_hidden_option('--global-workflow-access')
+    opts.on('--default-workflow-access ACCESS', String, "Set the default workflow access: [none|full]" ) do  |val|
+      params['globalTaskSetAccess'] = val.to_s.downcase
+    end
+    opts.on('--workflows ID=ACCESS', String, "Set workflow to a custom access by workflow id. Example: 1=none,2=full" ) do |val|
+      options[:workflow_permissions] ||= {}
+      parse_access_csv(options[:workflow_permissions], val)
+    end
+    opts.on('--reset-permissions', "Reset all feature permission access to none. This can be used in conjunction with --permissions to recreate the feature permission access for the role." ) do
+      options[:reset_permissions] = true
+    end
+    opts.add_hidden_option('--reset-permissions')
+    opts.on('--reset-feature-access', "Reset all feature permission access to none. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
+      options[:reset_permissions] = true
+    end
+    opts.on('--reset-all-access', "Reset all access to none including permissions, global groups, instance types, etc. This can be used in conjunction with --feature-access to recreate the feature permission access for the role." ) do
+      options[:reset_all_access] = true
+    end
+  end
+  # parse bulk permissions payload
+  def parse_role_access_options(options, params)
+    if options[:permissions]
+      perms_array = []
+      options[:permissions].each do |k,v|
+        perm_code = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        perms_array << {"code" => perm_code, "access" => access_value}
+      end
+      params['permissions'] = perms_array
+    end
+    if options[:group_permissions]
+      perms_array = []
+      options[:group_permissions].each do |k,v|
+        site_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if site_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => site_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => site_id, "access" => access_value}
+        end
+      end
+      params['sites'] = perms_array
+    end
+    if options[:cloud_permissions]
+      perms_array = []
+      options[:cloud_permissions].each do |k,v|
+        zone_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if zone_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => zone_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => zone_id, "access" => access_value}
+        end
+      end
+      params['zones'] = perms_array
+    end
+    if options[:instance_type_permissions]
+      perms_array = []
+      options[:instance_type_permissions].each do |k,v|
+        instance_type_code = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if instance_type_code =~ /\A\d{1,}\Z/
+          perms_array << {"id" => instance_type_code.to_i, "access" => access_value}
+        else
+          perms_array << {"code" => instance_type_code, "access" => access_value}
+        end
+      end
+      params['instanceTypes'] = perms_array
+    end
+    if options[:blueprint_permissions]
+      perms_array = []
+      options[:blueprint_permissions].each do |k,v|
+        blueprint_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if blueprint_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => blueprint_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => blueprint_id, "access" => access_value}
+        end
+      end
+      params['appTemplates'] = perms_array
+    end
+    if options[:catalog_item_type_permissions]
+      perms_array = []
+      options[:catalog_item_type_permissions].each do |k,v|
+        catalog_item_type_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if catalog_item_type_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => catalog_item_type_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => catalog_item_type_id, "access" => access_value}
+        end
+      end
+      params['catalogItemTypes'] = perms_array
+    end
+    if options[:persona_permissions]
+      perms_array = []
+      options[:persona_permissions].each do |k,v|
+        persona_code = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        perms_array << {"code" => persona_code, "access" => access_value}
+      end
+      params['personas'] = perms_array
+    end
+    if options[:vdi_pool_permissions]
+      perms_array = []
+      options[:vdi_pool_permissions].each do |k,v|
+        vdi_pool_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if vdi_pool_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => vdi_pool_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => vdi_pool_id, "access" => access_value}
+        end
+      end
+      params['vdiPools'] = perms_array
+    end
+    if options[:report_type_permissions]
+      perms_array = []
+      options[:report_type_permissions].each do |k,v|
+        report_type_code = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if report_type_code =~ /\A\d{1,}\Z/
+          perms_array << {"id" => report_type_code.to_i, "access" => access_value}
+        else
+          perms_array << {"code" => report_type_code, "access" => access_value}
+        end
+      end
+      params['reportTypes'] = perms_array
+    end
+    if options[:task_permissions]
+      perms_array = []
+      options[:task_permissions].each do |k,v|
+        task_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if task_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => task_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => task_id, "access" => access_value}
+        end
+      end
+      params['tasks'] = perms_array
+    end
+    if options[:workflow_permissions]
+      perms_array = []
+      options[:workflow_permissions].each do |k,v|
+        workflow_id = k
+        access_value = v.to_s.empty? ? "none" : v.to_s
+        if workflow_id =~ /\A\d{1,}\Z/
+          perms_array << {"id" => workflow_id.to_i, "access" => access_value}
+        else
+          perms_array << {"name" => workflow_id, "access" => access_value}
+        end
+      end
+      params['taskSets'] = perms_array
+    end
+    if options[:reset_permissions]
+      params["resetPermissions"] = true
+    end
+    if options[:reset_all_access]
+      params["resetAllAccess"] = true
+    end
+  end
 end