workos 7.1.1 → 8.0.0

data/lib/workos/authorization.rb

@@ -6,6 +6,48 @@ require "json"
 
 module WorkOS
   class Authorization
+    # Identifies the resource target (by id variant).
+    #
+    # @!attribute [r] resource_id
+    #   @return [String]
+    ResourceTargetById = Data.define(:resource_id)
+
+    # Identifies the resource target (by external id variant).
+    #
+    # @!attribute [r] resource_external_id
+    #   @return [String]
+    # @!attribute [r] resource_type_slug
+    #   @return [String]
+    ResourceTargetByExternalId = Data.define(:resource_external_id, :resource_type_slug)
+
+    # Identifies the parent resource (by id variant).
+    #
+    # @!attribute [r] parent_resource_id
+    #   @return [String]
+    ParentResourceById = Data.define(:parent_resource_id)
+
+    # Identifies the parent resource (by external id variant).
+    #
+    # @!attribute [r] parent_resource_type_slug
+    #   @return [String]
+    # @!attribute [r] parent_resource_external_id
+    #   @return [String]
+    ParentResourceByExternalId = Data.define(:parent_resource_type_slug, :parent_resource_external_id)
+
+    # Identifies the parent (by id variant).
+    #
+    # @!attribute [r] parent_resource_id
+    #   @return [String]
+    ParentById = Data.define(:parent_resource_id)
+
+    # Identifies the parent (by external id variant).
+    #
+    # @!attribute [r] parent_resource_type_slug
+    #   @return [String]
+    # @!attribute [r] parent_external_id
+    #   @return [String]
+    ParentByExternalId = Data.define(:parent_resource_type_slug, :parent_external_id)
+
     def initialize(client)
       @client = client
     end
@@ -13,32 +55,26 @@ module WorkOS
     # Check authorization
     # @param organization_membership_id [String] The ID of the organization membership to check.
     # @param permission_slug [String] The slug of the permission to check.
-    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
-    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
-    # @param resource_type_slug [String, nil] The slug of the resource type. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param resource_target [WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId] Identifies the resource target.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationCheck]
     def check(
       organization_membership_id:,
       permission_slug:,
       resource_target:,
-      resource_id: nil,
-      resource_external_id: nil,
-      resource_type_slug: nil,
       request_options: {}
     )
       body = {
-        "permission_slug" => permission_slug,
-        "resource_id" => resource_id,
-        "resource_external_id" => resource_external_id,
-        "resource_type_slug" => resource_type_slug
-      }.compact
-      case resource_target[:type]
-      when "by_id"
-        body["resource_id"] = resource_target[:resource_id]
-      when "by_external_id"
-        body["resource_external_id"] = resource_target[:resource_external_id]
-        body["resource_type_slug"] = resource_target[:resource_type_slug]
+        "permission_slug" => permission_slug
+      }
+      case resource_target
+      when WorkOS::Authorization::ResourceTargetById
+        body["resource_id"] = resource_target.resource_id
+      when WorkOS::Authorization::ResourceTargetByExternalId
+        body["resource_external_id"] = resource_target.resource_external_id
+        body["resource_type_slug"] = resource_target.resource_type_slug
+      else
+        raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
       end
       response = @client.request(
         method: :post,
@@ -57,8 +93,9 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param permission_slug [String] The permission slug to filter by. Only child resources where the organization membership has this permission are returned.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>]
     def list_resources_for_membership(
@@ -67,7 +104,7 @@ module WorkOS
       parent_resource:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -78,12 +115,14 @@ module WorkOS
         "order" => order,
         "permission_slug" => permission_slug
       }.compact
-      case parent_resource[:type]
-      when "by_id"
-        params["parent_resource_id"] = parent_resource[:parent_resource_id]
-      when "by_external_id"
-        params["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
-        params["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
+      case parent_resource
+      when WorkOS::Authorization::ParentResourceById
+        params["parent_resource_id"] = parent_resource.parent_resource_id
+      when WorkOS::Authorization::ParentResourceByExternalId
+        params["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        params["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+      else
+        raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
       end
       response = @client.request(
         method: :get,
@@ -118,7 +157,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>]
     def list_effective_permissions(
@@ -126,7 +165,7 @@ module WorkOS
       resource_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -169,7 +208,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>]
     def list_effective_permissions_by_external_id(
@@ -178,7 +217,7 @@ module WorkOS
       external_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -220,14 +259,14 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
-    # @return [WorkOS::Types::ListStruct<WorkOS::RoleAssignment>]
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserRoleAssignment>]
     def list_role_assignments(
       organization_membership_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -256,7 +295,7 @@ module WorkOS
       }
       WorkOS::Types::ListStruct.from_response(
         response,
-        model: WorkOS::RoleAssignment,
+        model: WorkOS::UserRoleAssignment,
         filters: {organization_membership_id: organization_membership_id, before: before, limit: limit, order: order},
         fetch_next: fetch_next
       )
@@ -265,32 +304,26 @@ module WorkOS
     # Assign a role
     # @param organization_membership_id [String] The ID of the organization membership.
     # @param role_slug [String] The slug of the role to assign.
-    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
-    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
-    # @param resource_type_slug [String, nil] The resource type slug. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param resource_target [WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId] Identifies the resource target.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
-    # @return [WorkOS::RoleAssignment]
+    # @return [WorkOS::UserRoleAssignment]
     def assign_role(
       organization_membership_id:,
       role_slug:,
       resource_target:,
-      resource_id: nil,
-      resource_external_id: nil,
-      resource_type_slug: nil,
       request_options: {}
     )
       body = {
-        "role_slug" => role_slug,
-        "resource_id" => resource_id,
-        "resource_external_id" => resource_external_id,
-        "resource_type_slug" => resource_type_slug
-      }.compact
-      case resource_target[:type]
-      when "by_id"
-        body["resource_id"] = resource_target[:resource_id]
-      when "by_external_id"
-        body["resource_external_id"] = resource_target[:resource_external_id]
-        body["resource_type_slug"] = resource_target[:resource_type_slug]
+        "role_slug" => role_slug
+      }
+      case resource_target
+      when WorkOS::Authorization::ResourceTargetById
+        body["resource_id"] = resource_target.resource_id
+      when WorkOS::Authorization::ResourceTargetByExternalId
+        body["resource_external_id"] = resource_target.resource_external_id
+        body["resource_type_slug"] = resource_target.resource_type_slug
+      else
+        raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
       end
       response = @client.request(
         method: :post,
@@ -299,7 +332,7 @@ module WorkOS
         body: body,
         request_options: request_options
       )
-      result = WorkOS::RoleAssignment.new(response.body)
+      result = WorkOS::UserRoleAssignment.new(response.body)
       result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
       result
     end
@@ -307,34 +340,28 @@ module WorkOS
     # Remove a role assignment
     # @param organization_membership_id [String] The ID of the organization membership.
     # @param role_slug [String] The slug of the role to remove.
-    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
-    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
-    # @param resource_type_slug [String, nil] The resource type slug. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param resource_target [WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId] Identifies the resource target.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [void]
     def remove_role(
       organization_membership_id:,
       role_slug:,
       resource_target:,
-      resource_id: nil,
-      resource_external_id: nil,
-      resource_type_slug: nil,
       request_options: {}
     )
-      params = {}.compact
-      case resource_target[:type]
-      when "by_id"
-        params["resource_id"] = resource_target[:resource_id]
-      when "by_external_id"
-        params["resource_external_id"] = resource_target[:resource_external_id]
-        params["resource_type_slug"] = resource_target[:resource_type_slug]
+      params = {}
+      case resource_target
+      when WorkOS::Authorization::ResourceTargetById
+        params["resource_id"] = resource_target.resource_id
+      when WorkOS::Authorization::ResourceTargetByExternalId
+        params["resource_external_id"] = resource_target.resource_external_id
+        params["resource_type_slug"] = resource_target.resource_type_slug
+      else
+        raise ArgumentError, "expected resource_target to be one of: WorkOS::Authorization::ResourceTargetById, WorkOS::Authorization::ResourceTargetByExternalId, got #{resource_target.class}"
       end
       body = {
-        "role_slug" => role_slug,
-        "resource_id" => resource_id,
-        "resource_external_id" => resource_external_id,
-        "resource_type_slug" => resource_type_slug
-      }.compact
+        "role_slug" => role_slug
+      }
       @client.request(
         method: :delete,
         path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
@@ -502,7 +529,7 @@ module WorkOS
     )
       body = {
         "slug" => body_slug
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -529,7 +556,7 @@ module WorkOS
     )
       body = {
         "permissions" => permissions
-      }.compact
+      }
       response = @client.request(
         method: :put,
         path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -594,9 +621,7 @@ module WorkOS
     # @param external_id [String] An identifier you provide to reference the resource in your system.
     # @param name [String, nil] A display name for the resource.
     # @param description [String, nil] An optional description of the resource.
-    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
-    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
-    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationResource]
     def update_resource_by_external_id(
@@ -605,26 +630,22 @@ module WorkOS
       external_id:,
       name: nil,
       description: nil,
-      parent_resource_id: nil,
-      parent_resource_external_id: nil,
-      parent_resource_type_slug: nil,
       parent_resource: nil,
       request_options: {}
     )
       body = {
         "name" => name,
-        "description" => description,
-        "parent_resource_id" => parent_resource_id,
-        "parent_resource_external_id" => parent_resource_external_id,
-        "parent_resource_type_slug" => parent_resource_type_slug
+        "description" => description
       }.compact
       if parent_resource
-        case parent_resource[:type]
-        when "by_id"
-          body["parent_resource_id"] = parent_resource[:parent_resource_id]
-        when "by_external_id"
-          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
-          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        case parent_resource
+        when WorkOS::Authorization::ParentResourceById
+          body["parent_resource_id"] = parent_resource.parent_resource_id
+        when WorkOS::Authorization::ParentResourceByExternalId
+          body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+          body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        else
+          raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
         end
       end
       response = @client.request(
@@ -650,7 +671,7 @@ module WorkOS
       organization_id:,
       resource_type_slug:,
       external_id:,
-      cascade_delete: nil,
+      cascade_delete: false,
       request_options: {}
     )
       params = {
@@ -673,7 +694,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param permission_slug [String] The permission slug to filter by. Only users with this permission on the resource are returned.
     # @param assignment [WorkOS::Types::AuthorizationAssignment, nil] Filter by assignment type. Use "direct" for direct assignments only, or "indirect" to include inherited assignments.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
@@ -685,7 +706,7 @@ module WorkOS
       permission_slug:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       assignment: nil,
       request_options: {}
@@ -727,21 +748,75 @@ module WorkOS
       )
     end
 
+    # List role assignments for a resource by external ID
+    # @param organization_id [String] The ID of the organization that owns the resource.
+    # @param resource_type_slug [String] The slug of the resource type.
+    # @param external_id [String] An identifier you provide to reference the resource in your system.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserRoleAssignment>]
+    def list_role_assignments_for_resource_by_external_id(
+      organization_id:,
+      resource_type_slug:,
+      external_id:,
+      before: nil,
+      after: nil,
+      limit: 10,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}/role_assignments",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_role_assignments_for_resource_by_external_id(
+          organization_id: organization_id,
+          resource_type_slug: resource_type_slug,
+          external_id: external_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserRoleAssignment,
+        filters: {organization_id: organization_id, resource_type_slug: resource_type_slug, external_id: external_id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
+
     # List resources
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param organization_id [String, nil] Filter resources by organization ID.
     # @param resource_type_slug [String, nil] Filter resources by resource type slug.
     # @param resource_external_id [String, nil] Filter resources by external ID.
     # @param search [String, nil] Search resources by name.
+    # @param parent [WorkOS::Authorization::ParentById, WorkOS::Authorization::ParentByExternalId, nil] Identifies the parent.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>]
     def list_resources(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       organization_id: nil,
       resource_type_slug: nil,
@@ -761,12 +836,14 @@ module WorkOS
         "search" => search
       }.compact
       if parent
-        case parent[:type]
-        when "by_id"
-          params["parent_resource_id"] = parent[:parent_resource_id]
-        when "by_external_id"
-          params["parent_resource_type_slug"] = parent[:parent_resource_type_slug]
-          params["parent_external_id"] = parent[:parent_external_id]
+        case parent
+        when WorkOS::Authorization::ParentById
+          params["parent_resource_id"] = parent.parent_resource_id
+        when WorkOS::Authorization::ParentByExternalId
+          params["parent_resource_type_slug"] = parent.parent_resource_type_slug
+          params["parent_external_id"] = parent.parent_external_id
+        else
+          raise ArgumentError, "expected parent to be one of: WorkOS::Authorization::ParentById, WorkOS::Authorization::ParentByExternalId, got #{parent.class}"
         end
       end
       response = @client.request(
@@ -804,9 +881,7 @@ module WorkOS
     # @param description [String, nil] An optional description of the resource.
     # @param resource_type_slug [String] The slug of the resource type.
     # @param organization_id [String] The ID of the organization this resource belongs to.
-    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
-    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
-    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationResource]
     def create_resource(
@@ -815,9 +890,6 @@ module WorkOS
       resource_type_slug:,
       organization_id:,
       description: nil,
-      parent_resource_id: nil,
-      parent_resource_external_id: nil,
-      parent_resource_type_slug: nil,
       parent_resource: nil,
       request_options: {}
     )
@@ -826,18 +898,17 @@ module WorkOS
         "name" => name,
         "description" => description,
         "resource_type_slug" => resource_type_slug,
-        "organization_id" => organization_id,
-        "parent_resource_id" => parent_resource_id,
-        "parent_resource_external_id" => parent_resource_external_id,
-        "parent_resource_type_slug" => parent_resource_type_slug
+        "organization_id" => organization_id
       }.compact
       if parent_resource
-        case parent_resource[:type]
-        when "by_id"
-          body["parent_resource_id"] = parent_resource[:parent_resource_id]
-        when "by_external_id"
-          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
-          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        case parent_resource
+        when WorkOS::Authorization::ParentResourceById
+          body["parent_resource_id"] = parent_resource.parent_resource_id
+        when WorkOS::Authorization::ParentResourceByExternalId
+          body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+          body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        else
+          raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
         end
       end
       response = @client.request(
@@ -875,35 +946,29 @@ module WorkOS
     # @param resource_id [String] The ID of the authorization resource.
     # @param name [String, nil] A display name for the resource.
     # @param description [String, nil] An optional description of the resource.
-    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
-    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
-    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource [WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, nil] Identifies the parent resource.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::AuthorizationResource]
     def update_resource(
       resource_id:,
       name: nil,
       description: nil,
-      parent_resource_id: nil,
-      parent_resource_external_id: nil,
-      parent_resource_type_slug: nil,
       parent_resource: nil,
       request_options: {}
     )
       body = {
         "name" => name,
-        "description" => description,
-        "parent_resource_id" => parent_resource_id,
-        "parent_resource_external_id" => parent_resource_external_id,
-        "parent_resource_type_slug" => parent_resource_type_slug
+        "description" => description
       }.compact
       if parent_resource
-        case parent_resource[:type]
-        when "by_id"
-          body["parent_resource_id"] = parent_resource[:parent_resource_id]
-        when "by_external_id"
-          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
-          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        case parent_resource
+        when WorkOS::Authorization::ParentResourceById
+          body["parent_resource_id"] = parent_resource.parent_resource_id
+        when WorkOS::Authorization::ParentResourceByExternalId
+          body["parent_resource_external_id"] = parent_resource.parent_resource_external_id
+          body["parent_resource_type_slug"] = parent_resource.parent_resource_type_slug
+        else
+          raise ArgumentError, "expected parent_resource to be one of: WorkOS::Authorization::ParentResourceById, WorkOS::Authorization::ParentResourceByExternalId, got #{parent_resource.class}"
         end
       end
       response = @client.request(
@@ -925,7 +990,7 @@ module WorkOS
     # @return [void]
     def delete_resource(
       resource_id:,
-      cascade_delete: nil,
+      cascade_delete: false,
       request_options: {}
     )
       params = {
@@ -946,7 +1011,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param permission_slug [String] The permission slug to filter by. Only users with this permission on the resource are returned.
     # @param assignment [WorkOS::Types::AuthorizationAssignment, nil] Filter by assignment type. Use `direct` for direct assignments only, or `indirect` to include inherited assignments.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
@@ -956,7 +1021,7 @@ module WorkOS
       permission_slug:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       assignment: nil,
       request_options: {}
@@ -996,6 +1061,53 @@ module WorkOS
       )
     end
 
+    # List role assignments for a resource
+    # @param resource_id [String] The ID of the authorization resource.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserRoleAssignment>]
+    def list_role_assignments_for_resource(
+      resource_id:,
+      before: nil,
+      after: nil,
+      limit: 10,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}/role_assignments",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_role_assignments_for_resource(
+          resource_id: resource_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserRoleAssignment,
+        filters: {resource_id: resource_id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
+
     # List environment roles
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::RoleList]
@@ -1102,7 +1214,7 @@ module WorkOS
     )
       body = {
         "slug" => body_slug
-      }.compact
+      }
       response = @client.request(
         method: :post,
         path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -1127,7 +1239,7 @@ module WorkOS
     )
       body = {
         "permissions" => permissions
-      }.compact
+      }
       response = @client.request(
         method: :put,
         path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
@@ -1144,13 +1256,13 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::PermissionsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>]
     def list_permissions(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )