@tapis/tapis-typescript-sk 0.0.2 → 0.0.3

package/src/apis/RoleApi.ts

@@ -2,9 +2,9 @@
 /* eslint-disable */
 /**
  * Tapis Security API
- * The Tapis Security API provides access to the Tapis Security Kernel authorization and secrets facilities.
+ * The Tapis Security API provides for management of Security Kernel (SK) role-based authorization and secrets resources. 
  *
- * The version of the OpenAPI document: 0.1
+ * The version of the OpenAPI document: 1.8.2
  * Contact: cicsupport@tacc.utexas.edu
  *
  * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
@@ -14,140 +14,156 @@
 
 
 import * as runtime from '../runtime';
+import type {
+  ReqAddChildRole,
+  ReqAddRolePermission,
+  ReqCreateRole,
+  ReqPreviewPathPrefix,
+  ReqRemoveChildRole,
+  ReqRemovePermissionFromAllRoles,
+  ReqRemoveRolePermission,
+  ReqReplacePathPrefix,
+  ReqRolePermits,
+  ReqUpdateRoleDescription,
+  ReqUpdateRoleName,
+  ReqUpdateRoleOwner,
+  RespAuthorized,
+  RespBasic,
+  RespChangeCount,
+  RespName,
+  RespNameArray,
+  RespPathPrefixes,
+  RespResourceUrl,
+  RespRole,
+  RoleTypeEnum,
+} from '../models/index';
 import {
-    ReqAddChildRole,
     ReqAddChildRoleFromJSON,
     ReqAddChildRoleToJSON,
-    ReqAddRolePermission,
     ReqAddRolePermissionFromJSON,
     ReqAddRolePermissionToJSON,
-    ReqCreateRole,
     ReqCreateRoleFromJSON,
     ReqCreateRoleToJSON,
-    ReqPreviewPathPrefix,
     ReqPreviewPathPrefixFromJSON,
     ReqPreviewPathPrefixToJSON,
-    ReqRemoveChildRole,
     ReqRemoveChildRoleFromJSON,
     ReqRemoveChildRoleToJSON,
-    ReqRemoveRolePermission,
+    ReqRemovePermissionFromAllRolesFromJSON,
+    ReqRemovePermissionFromAllRolesToJSON,
     ReqRemoveRolePermissionFromJSON,
     ReqRemoveRolePermissionToJSON,
-    ReqReplacePathPrefix,
     ReqReplacePathPrefixFromJSON,
     ReqReplacePathPrefixToJSON,
-    ReqUpdateRoleDescription,
+    ReqRolePermitsFromJSON,
+    ReqRolePermitsToJSON,
     ReqUpdateRoleDescriptionFromJSON,
     ReqUpdateRoleDescriptionToJSON,
-    ReqUpdateRoleName,
     ReqUpdateRoleNameFromJSON,
     ReqUpdateRoleNameToJSON,
-    ReqUpdateRoleOwner,
     ReqUpdateRoleOwnerFromJSON,
     ReqUpdateRoleOwnerToJSON,
-    RespBasic,
+    RespAuthorizedFromJSON,
+    RespAuthorizedToJSON,
     RespBasicFromJSON,
     RespBasicToJSON,
-    RespChangeCount,
     RespChangeCountFromJSON,
     RespChangeCountToJSON,
-    RespName,
     RespNameFromJSON,
     RespNameToJSON,
-    RespNameArray,
     RespNameArrayFromJSON,
     RespNameArrayToJSON,
-    RespPathPrefixes,
     RespPathPrefixesFromJSON,
     RespPathPrefixesToJSON,
-    RespResourceUrl,
     RespResourceUrlFromJSON,
     RespResourceUrlToJSON,
-    RespRole,
     RespRoleFromJSON,
     RespRoleToJSON,
-} from '../models';
+    RoleTypeEnumFromJSON,
+    RoleTypeEnumToJSON,
+} from '../models/index';
 
 export interface AddChildRoleRequest {
     reqAddChildRole: ReqAddChildRole;
-    pretty?: boolean;
 }
 
 export interface AddRolePermissionRequest {
     reqAddRolePermission: ReqAddRolePermission;
-    pretty?: boolean;
 }
 
 export interface CreateRoleRequest {
     reqCreateRole: ReqCreateRole;
-    pretty?: boolean;
 }
 
 export interface DeleteRoleByNameRequest {
     roleName: string;
     tenant?: string;
-    pretty?: boolean;
+    roleType?: RoleTypeEnum;
 }
 
 export interface GetDefaultUserRoleRequest {
     user: string;
-    pretty?: boolean;
 }
 
 export interface GetRoleByNameRequest {
     roleName: string;
     tenant?: string;
-    pretty?: boolean;
+    roleType?: RoleTypeEnum;
 }
 
 export interface GetRoleNamesRequest {
     tenant?: string;
-    pretty?: boolean;
+    roleType?: RoleTypeEnum;
 }
 
 export interface GetRolePermissionsRequest {
     roleName: string;
     tenant?: string;
     immediate?: boolean;
-    pretty?: boolean;
 }
 
 export interface PreviewPathPrefixRequest {
     reqPreviewPathPrefix: ReqPreviewPathPrefix;
-    pretty?: boolean;
 }
 
 export interface RemoveChildRoleRequest {
     reqRemoveChildRole: ReqRemoveChildRole;
-    pretty?: boolean;
+}
+
+export interface RemovePathPermissionFromAllRolesRequest {
+    reqRemovePermissionFromAllRoles: ReqRemovePermissionFromAllRoles;
+}
+
+export interface RemovePermissionFromAllRolesRequest {
+    reqRemovePermissionFromAllRoles: ReqRemovePermissionFromAllRoles;
 }
 
 export interface RemoveRolePermissionRequest {
     reqRemoveRolePermission: ReqRemoveRolePermission;
-    pretty?: boolean;
 }
 
 export interface ReplacePathPrefixRequest {
     reqReplacePathPrefix: ReqReplacePathPrefix;
-    pretty?: boolean;
+}
+
+export interface RolePermitsRequest {
+    roleName: string;
+    reqRolePermits: ReqRolePermits;
+    immediate?: boolean;
 }
 
 export interface UpdateRoleDescriptionRequest {
     roleName: string;
     reqUpdateRoleDescription: ReqUpdateRoleDescription;
-    pretty?: boolean;
 }
 
 export interface UpdateRoleNameRequest {
     roleName: string;
     reqUpdateRoleName: ReqUpdateRoleName;
-    pretty?: boolean;
 }
 
 export interface UpdateRoleOwnerRequest {
     roleName: string;
     reqUpdateRoleOwner: ReqUpdateRoleOwner;
-    pretty?: boolean;
 }
 
 /**
@@ -156,25 +172,24 @@ export interface UpdateRoleOwnerRequest {
 export class RoleApi extends runtime.BaseAPI {
 
     /**
-     * Add a child role to another role using a request body.  If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles.
+     * Add a child role to another role using a request body. If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles. 
      */
-    async addChildRoleRaw(requestParameters: AddChildRoleRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespChangeCount>> {
-        if (requestParameters.reqAddChildRole === null || requestParameters.reqAddChildRole === undefined) {
-            throw new runtime.RequiredError('reqAddChildRole','Required parameter requestParameters.reqAddChildRole was null or undefined when calling addChildRole.');
+    async addChildRoleRaw(requestParameters: AddChildRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqAddChildRole'] == null) {
+            throw new runtime.RequiredError(
+                'reqAddChildRole',
+                'Required parameter "reqAddChildRole" was null or undefined when calling addChildRole().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -182,40 +197,39 @@ export class RoleApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqAddChildRoleToJSON(requestParameters.reqAddChildRole),
+            body: ReqAddChildRoleToJSON(requestParameters['reqAddChildRole']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
     }
 
     /**
-     * Add a child role to another role using a request body.  If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles.
+     * Add a child role to another role using a request body. If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles. 
      */
-    async addChildRole(requestParameters: AddChildRoleRequest, initOverrides?: RequestInit): Promise<RespChangeCount> {
+    async addChildRole(requestParameters: AddChildRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
         const response = await this.addChildRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Add a permission to an existing role using a request body.  If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html).  This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators.  Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details.  Note that the three reserved characters, [: * ,], cannot appear in the text of any part.  It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Add a permission to an existing role using a request body. If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html). This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators. Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details. Note that the three reserved characters, [: * ,], cannot appear in the text of any part. It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  ### Extended Permissions Tapis extends Shiro permission checking with *path semantics*. Path semantics allows the last part of pre-configured permissions to be treated as hierarchical path names, such as the paths used in POSIX file systems. Currently, only permissions that start with *files:* have their last (5th) component configured with path semantics.  Path semantics treat the extended permission part as the root of the subtree to which the permission is applied recursively. Grantees assigned the permission will have the permission on the path itself and on all its children.  As an example, consider a role that\'s assigned the following permission:      files:iplantc.org:read:stampede2:/home/bud  Users granted the role have read permission on the following file system resources on stampede2:      /home/bud     /home/bud/     /home/bud/myfile     /home/bud/mydir/myfile  Those users, however, will not have access to /home.  When an extended permission part ends with a slash, such as /home/bud/, then that part is interpreted as a directory or, more generally, some type of container. In such cases, the permission applies to the children of the path and to the path as written with a slash. For instance, for the file permission path /home/bud/, the permission allows access to /home/bud/ and /home/bud/myfile, but not to /home/bud.  When an extended permission part does not end with a slash, such as /home/bud, then the permission applies to the children of the path and to the path written with or without a trailing slash. For instance, for the file permission path /home/bud, the permission allows access to /home/bud, /home/bud/ and /home/bud/myfile.  In the previous examples, we assumed /home/bud was a directory. If /home/bud is a file (or more generally a leaf), then specifying the permission path /home/bud/ will not work as intended. Permissions with paths that have trailing slashes should only be used for directories, and they require a trailing slash whenever refering to the root directory. Permissions that don\'t have a trailing slash can represent directories or files, and thus are more general.  Extended permission checking avoids *false capture*. Whether a path has a trailing slash or not, permission checking will not capture similarly named sibling paths. For example, using the file permission path /home/bud, grantees are allowed access to /home/bud and all its children (if it\'s a directory), but not to the file /home/buddy.txt nor the directory /home/bud2.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator. 
      */
-    async addRolePermissionRaw(requestParameters: AddRolePermissionRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespChangeCount>> {
-        if (requestParameters.reqAddRolePermission === null || requestParameters.reqAddRolePermission === undefined) {
-            throw new runtime.RequiredError('reqAddRolePermission','Required parameter requestParameters.reqAddRolePermission was null or undefined when calling addRolePermission.');
+    async addRolePermissionRaw(requestParameters: AddRolePermissionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqAddRolePermission'] == null) {
+            throw new runtime.RequiredError(
+                'reqAddRolePermission',
+                'Required parameter "reqAddRolePermission" was null or undefined when calling addRolePermission().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -223,40 +237,39 @@ export class RoleApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqAddRolePermissionToJSON(requestParameters.reqAddRolePermission),
+            body: ReqAddRolePermissionToJSON(requestParameters['reqAddRolePermission']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
     }
 
     /**
-     * Add a permission to an existing role using a request body.  If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html).  This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators.  Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details.  Note that the three reserved characters, [: * ,], cannot appear in the text of any part.  It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Add a permission to an existing role using a request body. If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html). This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators. Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details. Note that the three reserved characters, [: * ,], cannot appear in the text of any part. It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  ### Extended Permissions Tapis extends Shiro permission checking with *path semantics*. Path semantics allows the last part of pre-configured permissions to be treated as hierarchical path names, such as the paths used in POSIX file systems. Currently, only permissions that start with *files:* have their last (5th) component configured with path semantics.  Path semantics treat the extended permission part as the root of the subtree to which the permission is applied recursively. Grantees assigned the permission will have the permission on the path itself and on all its children.  As an example, consider a role that\'s assigned the following permission:      files:iplantc.org:read:stampede2:/home/bud  Users granted the role have read permission on the following file system resources on stampede2:      /home/bud     /home/bud/     /home/bud/myfile     /home/bud/mydir/myfile  Those users, however, will not have access to /home.  When an extended permission part ends with a slash, such as /home/bud/, then that part is interpreted as a directory or, more generally, some type of container. In such cases, the permission applies to the children of the path and to the path as written with a slash. For instance, for the file permission path /home/bud/, the permission allows access to /home/bud/ and /home/bud/myfile, but not to /home/bud.  When an extended permission part does not end with a slash, such as /home/bud, then the permission applies to the children of the path and to the path written with or without a trailing slash. For instance, for the file permission path /home/bud, the permission allows access to /home/bud, /home/bud/ and /home/bud/myfile.  In the previous examples, we assumed /home/bud was a directory. If /home/bud is a file (or more generally a leaf), then specifying the permission path /home/bud/ will not work as intended. Permissions with paths that have trailing slashes should only be used for directories, and they require a trailing slash whenever refering to the root directory. Permissions that don\'t have a trailing slash can represent directories or files, and thus are more general.  Extended permission checking avoids *false capture*. Whether a path has a trailing slash or not, permission checking will not capture similarly named sibling paths. For example, using the file permission path /home/bud, grantees are allowed access to /home/bud and all its children (if it\'s a directory), but not to the file /home/buddy.txt nor the directory /home/bud2.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator. 
      */
-    async addRolePermission(requestParameters: AddRolePermissionRequest, initOverrides?: RequestInit): Promise<RespChangeCount> {
+    async addRolePermission(requestParameters: AddRolePermissionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
         const response = await this.addRolePermissionRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Create a role using a request body.  Role names are case sensitive, alpha-numeric strings that can also contain underscores.  Role names must start with an alphbetic character and can be no more than 58 characters in length.  The desciption can be no more than 2048 characters long.  If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant.
+     * Create a role using a request body. Role names are case sensitive, alpha-numeric strings that can also contain underscores. Role names must start with an alphbetic character and can be no more than 58 characters in length. The desciption can be no more than 2048 characters long. If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant. 
      */
-    async createRoleRaw(requestParameters: CreateRoleRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespResourceUrl>> {
-        if (requestParameters.reqCreateRole === null || requestParameters.reqCreateRole === undefined) {
-            throw new runtime.RequiredError('reqCreateRole','Required parameter requestParameters.reqCreateRole was null or undefined when calling createRole.');
+    async createRoleRaw(requestParameters: CreateRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespResourceUrl>> {
+        if (requestParameters['reqCreateRole'] == null) {
+            throw new runtime.RequiredError(
+                'reqCreateRole',
+                'Required parameter "reqCreateRole" was null or undefined when calling createRole().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -264,46 +277,49 @@ export class RoleApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqCreateRoleToJSON(requestParameters.reqCreateRole),
+            body: ReqCreateRoleToJSON(requestParameters['reqCreateRole']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespResourceUrlFromJSON(jsonValue));
     }
 
     /**
-     * Create a role using a request body.  Role names are case sensitive, alpha-numeric strings that can also contain underscores.  Role names must start with an alphbetic character and can be no more than 58 characters in length.  The desciption can be no more than 2048 characters long.  If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant.
+     * Create a role using a request body. Role names are case sensitive, alpha-numeric strings that can also contain underscores. Role names must start with an alphbetic character and can be no more than 58 characters in length. The desciption can be no more than 2048 characters long. If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant. 
      */
-    async createRole(requestParameters: CreateRoleRequest, initOverrides?: RequestInit): Promise<RespResourceUrl> {
+    async createRole(requestParameters: CreateRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespResourceUrl> {
         const response = await this.createRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Delete the named role. A valid tenant and user must be specified as query parameters.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Delete the named role. A valid tenant and user must be specified as query parameters.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator. 
      */
-    async deleteRoleByNameRaw(requestParameters: DeleteRoleByNameRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespChangeCount>> {
-        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-            throw new runtime.RequiredError('roleName','Required parameter requestParameters.roleName was null or undefined when calling deleteRoleByName.');
+    async deleteRoleByNameRaw(requestParameters: DeleteRoleByNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling deleteRoleByName().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.tenant !== undefined) {
-            queryParameters['tenant'] = requestParameters.tenant;
+        if (requestParameters['tenant'] != null) {
+            queryParameters['tenant'] = requestParameters['tenant'];
         }
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        if (requestParameters['roleType'] != null) {
+            queryParameters['roleType'] = requestParameters['roleType'];
         }
 
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters.roleName))),
+            path: `/security/role/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
             method: 'DELETE',
             headers: headerParameters,
             query: queryParameters,
@@ -313,31 +329,34 @@ export class RoleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Delete the named role. A valid tenant and user must be specified as query parameters.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Delete the named role. A valid tenant and user must be specified as query parameters.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator. 
      */
-    async deleteRoleByName(requestParameters: DeleteRoleByNameRequest, initOverrides?: RequestInit): Promise<RespChangeCount> {
+    async deleteRoleByName(requestParameters: DeleteRoleByNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
         const response = await this.deleteRoleByNameRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name.  This implies the maximum length of a user name is 58 since role names are limited to 60 characters.  
+     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t  already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name. This implies the maximum length of a user name is 58 since role names are limited to 60 characters. 
      */
-    async getDefaultUserRoleRaw(requestParameters: GetDefaultUserRoleRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespName>> {
-        if (requestParameters.user === null || requestParameters.user === undefined) {
-            throw new runtime.RequiredError('user','Required parameter requestParameters.user was null or undefined when calling getDefaultUserRole.');
+    async getDefaultUserRoleRaw(requestParameters: GetDefaultUserRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespName>> {
+        if (requestParameters['user'] == null) {
+            throw new runtime.RequiredError(
+                'user',
+                'Required parameter "user" was null or undefined when calling getDefaultUserRole().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+        }
+
         const response = await this.request({
-            path: `/security/role/defaultRole/{user}`.replace(`{${"user"}}`, encodeURIComponent(String(requestParameters.user))),
+            path: `/security/role/defaultRole/{user}`.replace(`{${"user"}}`, encodeURIComponent(String(requestParameters['user']))),
             method: 'GET',
             headers: headerParameters,
             query: queryParameters,
@@ -347,39 +366,42 @@ export class RoleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name.  This implies the maximum length of a user name is 58 since role names are limited to 60 characters.  
+     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t  already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name. This implies the maximum length of a user name is 58 since role names are limited to 60 characters. 
      */
-    async getDefaultUserRole(requestParameters: GetDefaultUserRoleRequest, initOverrides?: RequestInit): Promise<RespName> {
+    async getDefaultUserRole(requestParameters: GetDefaultUserRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespName> {
         const response = await this.getDefaultUserRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Get the named role\'s definition.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s definition. A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async getRoleByNameRaw(requestParameters: GetRoleByNameRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespRole>> {
-        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-            throw new runtime.RequiredError('roleName','Required parameter requestParameters.roleName was null or undefined when calling getRoleByName.');
+    async getRoleByNameRaw(requestParameters: GetRoleByNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespRole>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling getRoleByName().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.tenant !== undefined) {
-            queryParameters['tenant'] = requestParameters.tenant;
+        if (requestParameters['tenant'] != null) {
+            queryParameters['tenant'] = requestParameters['tenant'];
         }
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        if (requestParameters['roleType'] != null) {
+            queryParameters['roleType'] = requestParameters['roleType'];
         }
 
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters.roleName))),
+            path: `/security/role/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
             method: 'GET',
             headers: headerParameters,
             query: queryParameters,
@@ -389,31 +411,31 @@ export class RoleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Get the named role\'s definition.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s definition. A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async getRoleByName(requestParameters: GetRoleByNameRequest, initOverrides?: RequestInit): Promise<RespRole> {
+    async getRoleByName(requestParameters: GetRoleByNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespRole> {
         const response = await this.getRoleByNameRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Get the names of all roles in the tenant in alphabetic order.  Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the names of all roles in the tenant in alphabetic order. Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async getRoleNamesRaw(requestParameters: GetRoleNamesRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespNameArray>> {
+    async getRoleNamesRaw(requestParameters: GetRoleNamesRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespNameArray>> {
         const queryParameters: any = {};
 
-        if (requestParameters.tenant !== undefined) {
-            queryParameters['tenant'] = requestParameters.tenant;
+        if (requestParameters['tenant'] != null) {
+            queryParameters['tenant'] = requestParameters['tenant'];
         }
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        if (requestParameters['roleType'] != null) {
+            queryParameters['roleType'] = requestParameters['roleType'];
         }
 
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -427,43 +449,42 @@ export class RoleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Get the names of all roles in the tenant in alphabetic order.  Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the names of all roles in the tenant in alphabetic order. Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async getRoleNames(requestParameters: GetRoleNamesRequest, initOverrides?: RequestInit): Promise<RespNameArray> {
+    async getRoleNames(requestParameters: GetRoleNamesRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespNameArray> {
         const response = await this.getRoleNamesRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Get the named role\'s permissions.  By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned.  Set the immediate query parameter to only retrieve permissions directly assigned to the role.  A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s permissions. By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned. Set the immediate query parameter to only retrieve permissions directly assigned to the role. A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async getRolePermissionsRaw(requestParameters: GetRolePermissionsRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespNameArray>> {
-        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-            throw new runtime.RequiredError('roleName','Required parameter requestParameters.roleName was null or undefined when calling getRolePermissions.');
+    async getRolePermissionsRaw(requestParameters: GetRolePermissionsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespNameArray>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling getRolePermissions().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.tenant !== undefined) {
-            queryParameters['tenant'] = requestParameters.tenant;
-        }
-
-        if (requestParameters.immediate !== undefined) {
-            queryParameters['immediate'] = requestParameters.immediate;
+        if (requestParameters['tenant'] != null) {
+            queryParameters['tenant'] = requestParameters['tenant'];
         }
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        if (requestParameters['immediate'] != null) {
+            queryParameters['immediate'] = requestParameters['immediate'];
         }
 
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/{roleName}/perms`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters.roleName))),
+            path: `/security/role/{roleName}/perms`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
             method: 'GET',
             headers: headerParameters,
             query: queryParameters,
@@ -473,33 +494,32 @@ export class RoleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Get the named role\'s permissions.  By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned.  Set the immediate query parameter to only retrieve permissions directly assigned to the role.  A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s permissions. By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned. Set the immediate query parameter to only retrieve permissions directly assigned to the role. A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async getRolePermissions(requestParameters: GetRolePermissionsRequest, initOverrides?: RequestInit): Promise<RespNameArray> {
+    async getRolePermissions(requestParameters: GetRolePermissionsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespNameArray> {
         const response = await this.getRolePermissionsRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * This read-only endpoint previews the transformations that would take place if the same input was used on a replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * This read-only endpoint previews the transformations that would take place if the same input was used on a  replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async previewPathPrefixRaw(requestParameters: PreviewPathPrefixRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespPathPrefixes>> {
-        if (requestParameters.reqPreviewPathPrefix === null || requestParameters.reqPreviewPathPrefix === undefined) {
-            throw new runtime.RequiredError('reqPreviewPathPrefix','Required parameter requestParameters.reqPreviewPathPrefix was null or undefined when calling previewPathPrefix.');
+    async previewPathPrefixRaw(requestParameters: PreviewPathPrefixRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespPathPrefixes>> {
+        if (requestParameters['reqPreviewPathPrefix'] == null) {
+            throw new runtime.RequiredError(
+                'reqPreviewPathPrefix',
+                'Required parameter "reqPreviewPathPrefix" was null or undefined when calling previewPathPrefix().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -507,40 +527,39 @@ export class RoleApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqPreviewPathPrefixToJSON(requestParameters.reqPreviewPathPrefix),
+            body: ReqPreviewPathPrefixToJSON(requestParameters['reqPreviewPathPrefix']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespPathPrefixesFromJSON(jsonValue));
     }
 
     /**
-     * This read-only endpoint previews the transformations that would take place if the same input was used on a replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * This read-only endpoint previews the transformations that would take place if the same input was used on a  replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service. 
      */
-    async previewPathPrefix(requestParameters: PreviewPathPrefixRequest, initOverrides?: RequestInit): Promise<RespPathPrefixes> {
+    async previewPathPrefix(requestParameters: PreviewPathPrefixRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespPathPrefixes> {
         const response = await this.previewPathPrefixRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Remove a child role from a parent role using a request body.  A valid tenant and user must be specified in the request body.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role.
+     * Remove a child role from a parent role using a request body. A valid tenant and user must be specified in the request body. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role. 
      */
-    async removeChildRoleRaw(requestParameters: RemoveChildRoleRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespChangeCount>> {
-        if (requestParameters.reqRemoveChildRole === null || requestParameters.reqRemoveChildRole === undefined) {
-            throw new runtime.RequiredError('reqRemoveChildRole','Required parameter requestParameters.reqRemoveChildRole was null or undefined when calling removeChildRole.');
+    async removeChildRoleRaw(requestParameters: RemoveChildRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqRemoveChildRole'] == null) {
+            throw new runtime.RequiredError(
+                'reqRemoveChildRole',
+                'Required parameter "reqRemoveChildRole" was null or undefined when calling removeChildRole().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -548,81 +567,159 @@ export class RoleApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqRemoveChildRoleToJSON(requestParameters.reqRemoveChildRole),
+            body: ReqRemoveChildRoleToJSON(requestParameters['reqRemoveChildRole']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
     }
 
     /**
-     * Remove a child role from a parent role using a request body.  A valid tenant and user must be specified in the request body.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role.
+     * Remove a child role from a parent role using a request body. A valid tenant and user must be specified in the request body. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role. 
      */
-    async removeChildRole(requestParameters: RemoveChildRoleRequest, initOverrides?: RequestInit): Promise<RespChangeCount> {
+    async removeChildRole(requestParameters: RemoveChildRoleRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
         const response = await this.removeChildRoleRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Remove a permission from a role using a request body.  A valid role, roleTenant and permission must be specified in the request body.  Only the role owner or administrators are authorized to make this call.
+     * Remove an extended permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the extended permission string and, where found, that permission is removed. The matching algorithm is string comparison with wildcard semantics on the path component. This is the same as an exact string match for all parts of the permission specification up to the path part. A match on the path part, however, occurs when its path is a prefix of a role permission\'s path. Consider the following permission specification:      files:mytenant:read:mysystem:/my/dir  which will match both of the following role permissions:      files:mytenant:read:mysystem:/my/dir/subdir/myfile     files:mytenant:read:mysystem:/my/dir33/yourfile  Note that a match to the second role permission might be a *false capture* if the intension was to remove all permissions to resources in the /my/dir subtree, but not those in other directories. To avoid this potential problem, callers can make two calls, one to this endpoint with a permSpec that ends with a slash (\"/\") and one to the removePermissionFromeAllRoles endpoint with no trailing slash. The former removes all children from the directory subtree, the latter removes the directory itself.  Only the Files service is authorized to make this call. 
      */
-    async removeRolePermissionRaw(requestParameters: RemoveRolePermissionRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespChangeCount>> {
-        if (requestParameters.reqRemoveRolePermission === null || requestParameters.reqRemoveRolePermission === undefined) {
-            throw new runtime.RequiredError('reqRemoveRolePermission','Required parameter requestParameters.reqRemoveRolePermission was null or undefined when calling removeRolePermission.');
+    async removePathPermissionFromAllRolesRaw(requestParameters: RemovePathPermissionFromAllRolesRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqRemovePermissionFromAllRoles'] == null) {
+            throw new runtime.RequiredError(
+                'reqRemovePermissionFromAllRoles',
+                'Required parameter "reqRemovePermissionFromAllRoles" was null or undefined when calling removePathPermissionFromAllRoles().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+        }
+
+        const response = await this.request({
+            path: `/security/role/removePathPermFromAllRoles`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: ReqRemovePermissionFromAllRolesToJSON(requestParameters['reqRemovePermissionFromAllRoles']),
+        }, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
+    }
+
+    /**
+     * Remove an extended permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the extended permission string and, where found, that permission is removed. The matching algorithm is string comparison with wildcard semantics on the path component. This is the same as an exact string match for all parts of the permission specification up to the path part. A match on the path part, however, occurs when its path is a prefix of a role permission\'s path. Consider the following permission specification:      files:mytenant:read:mysystem:/my/dir  which will match both of the following role permissions:      files:mytenant:read:mysystem:/my/dir/subdir/myfile     files:mytenant:read:mysystem:/my/dir33/yourfile  Note that a match to the second role permission might be a *false capture* if the intension was to remove all permissions to resources in the /my/dir subtree, but not those in other directories. To avoid this potential problem, callers can make two calls, one to this endpoint with a permSpec that ends with a slash (\"/\") and one to the removePermissionFromeAllRoles endpoint with no trailing slash. The former removes all children from the directory subtree, the latter removes the directory itself.  Only the Files service is authorized to make this call. 
+     */
+    async removePathPermissionFromAllRoles(requestParameters: RemovePathPermissionFromAllRolesRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
+        const response = await this.removePathPermissionFromAllRolesRaw(requestParameters, initOverrides);
+        return await response.value();
+    }
+
+    /**
+     * Remove a permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the *exact* permission string and, where found, that permission is removed. The matching algorithm is simple, character by character, string comparison.  Permissions are not interpreted. For example, a permission that contains a wildcard (*) will only match a role\'s permission when the same wildcard is found in the exact same position. The same rule applies to permission segments with multiple, comma separated components: a match requires the exact same ordering and spacing of components.  Only services are authorized to make this call. 
+     */
+    async removePermissionFromAllRolesRaw(requestParameters: RemovePermissionFromAllRolesRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqRemovePermissionFromAllRoles'] == null) {
+            throw new runtime.RequiredError(
+                'reqRemovePermissionFromAllRoles',
+                'Required parameter "reqRemovePermissionFromAllRoles" was null or undefined when calling removePermissionFromAllRoles().'
+            );
         }
 
+        const queryParameters: any = {};
+
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/removePerm`,
+            path: `/security/role/removePermFromAllRoles`,
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqRemoveRolePermissionToJSON(requestParameters.reqRemoveRolePermission),
+            body: ReqRemovePermissionFromAllRolesToJSON(requestParameters['reqRemovePermissionFromAllRoles']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
     }
 
     /**
-     * Remove a permission from a role using a request body.  A valid role, roleTenant and permission must be specified in the request body.  Only the role owner or administrators are authorized to make this call.
+     * Remove a permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the *exact* permission string and, where found, that permission is removed. The matching algorithm is simple, character by character, string comparison.  Permissions are not interpreted. For example, a permission that contains a wildcard (*) will only match a role\'s permission when the same wildcard is found in the exact same position. The same rule applies to permission segments with multiple, comma separated components: a match requires the exact same ordering and spacing of components.  Only services are authorized to make this call. 
      */
-    async removeRolePermission(requestParameters: RemoveRolePermissionRequest, initOverrides?: RequestInit): Promise<RespChangeCount> {
-        const response = await this.removeRolePermissionRaw(requestParameters, initOverrides);
+    async removePermissionFromAllRoles(requestParameters: RemovePermissionFromAllRolesRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
+        const response = await this.removePermissionFromAllRolesRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Replace the text in a permission specification when its last component defines an *extended path attribute*.  Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name.  This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted.  Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests.  Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value.  Replacement only occurs on permissions that also match the schema and oldSystemId parameter values.  The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found.  If a roleName is provided, then replacement is limited to permissions defined only in that role.  Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request.  The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service.
+     * Remove a permission from a role using a request body. A valid role, roleTenant and permission must be specified in the request body.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator. 
      */
-    async replacePathPrefixRaw(requestParameters: ReplacePathPrefixRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespChangeCount>> {
-        if (requestParameters.reqReplacePathPrefix === null || requestParameters.reqReplacePathPrefix === undefined) {
-            throw new runtime.RequiredError('reqReplacePathPrefix','Required parameter requestParameters.reqReplacePathPrefix was null or undefined when calling replacePathPrefix.');
+    async removeRolePermissionRaw(requestParameters: RemoveRolePermissionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqRemoveRolePermission'] == null) {
+            throw new runtime.RequiredError(
+                'reqRemoveRolePermission',
+                'Required parameter "reqRemoveRolePermission" was null or undefined when calling removeRolePermission().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+        }
+
+        const response = await this.request({
+            path: `/security/role/removePerm`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: ReqRemoveRolePermissionToJSON(requestParameters['reqRemoveRolePermission']),
+        }, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
+    }
+
+    /**
+     * Remove a permission from a role using a request body. A valid role, roleTenant and permission must be specified in the request body.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator. 
+     */
+    async removeRolePermission(requestParameters: RemoveRolePermissionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
+        const response = await this.removeRolePermissionRaw(requestParameters, initOverrides);
+        return await response.value();
+    }
+
+    /**
+     * Replace the text in a permission specification when its last component defines an *extended path attribute*. Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name. This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted. Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests. Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value. Replacement only occurs on permissions that also match the schema and oldSystemId parameter values. The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found. If a roleName is provided, then replacement is limited to permissions defined only in that role. Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request. The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service. 
+     */
+    async replacePathPrefixRaw(requestParameters: ReplacePathPrefixRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespChangeCount>> {
+        if (requestParameters['reqReplacePathPrefix'] == null) {
+            throw new runtime.RequiredError(
+                'reqReplacePathPrefix',
+                'Required parameter "reqReplacePathPrefix" was null or undefined when calling replacePathPrefix().'
+            );
         }
 
+        const queryParameters: any = {};
+
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
@@ -630,36 +727,42 @@ export class RoleApi extends runtime.BaseAPI {
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqReplacePathPrefixToJSON(requestParameters.reqReplacePathPrefix),
+            body: ReqReplacePathPrefixToJSON(requestParameters['reqReplacePathPrefix']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespChangeCountFromJSON(jsonValue));
     }
 
     /**
-     * Replace the text in a permission specification when its last component defines an *extended path attribute*.  Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name.  This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted.  Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests.  Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value.  Replacement only occurs on permissions that also match the schema and oldSystemId parameter values.  The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found.  If a roleName is provided, then replacement is limited to permissions defined only in that role.  Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request.  The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service.
+     * Replace the text in a permission specification when its last component defines an *extended path attribute*. Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name. This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted. Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests. Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value. Replacement only occurs on permissions that also match the schema and oldSystemId parameter values. The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found. If a roleName is provided, then replacement is limited to permissions defined only in that role. Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request. The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service. 
      */
-    async replacePathPrefix(requestParameters: ReplacePathPrefixRequest, initOverrides?: RequestInit): Promise<RespChangeCount> {
+    async replacePathPrefix(requestParameters: ReplacePathPrefixRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespChangeCount> {
         const response = await this.replacePathPrefixRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Update an existing role\'s decription using a request body.  The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Check to see if the specified role allows the specified permission.  Any authenticated user may make this request.   
      */
-    async updateRoleDescriptionRaw(requestParameters: UpdateRoleDescriptionRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespBasic>> {
-        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-            throw new runtime.RequiredError('roleName','Required parameter requestParameters.roleName was null or undefined when calling updateRoleDescription.');
+    async rolePermitsRaw(requestParameters: RolePermitsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespAuthorized>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling rolePermits().'
+            );
         }
 
-        if (requestParameters.reqUpdateRoleDescription === null || requestParameters.reqUpdateRoleDescription === undefined) {
-            throw new runtime.RequiredError('reqUpdateRoleDescription','Required parameter requestParameters.reqUpdateRoleDescription was null or undefined when calling updateRoleDescription.');
+        if (requestParameters['reqRolePermits'] == null) {
+            throw new runtime.RequiredError(
+                'reqRolePermits',
+                'Required parameter "reqRolePermits" was null or undefined when calling rolePermits().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        if (requestParameters['immediate'] != null) {
+            queryParameters['immediate'] = requestParameters['immediate'];
         }
 
         const headerParameters: runtime.HTTPHeaders = {};
@@ -667,114 +770,165 @@ export class RoleApi extends runtime.BaseAPI {
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/updateDesc/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters.roleName))),
+            path: `/security/role/{roleName}/permits`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqUpdateRoleDescriptionToJSON(requestParameters.reqUpdateRoleDescription),
+            body: ReqRolePermitsToJSON(requestParameters['reqRolePermits']),
         }, initOverrides);
 
-        return new runtime.JSONApiResponse(response, (jsonValue) => RespBasicFromJSON(jsonValue));
+        return new runtime.JSONApiResponse(response, (jsonValue) => RespAuthorizedFromJSON(jsonValue));
     }
 
     /**
-     * Update an existing role\'s decription using a request body.  The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Check to see if the specified role allows the specified permission.  Any authenticated user may make this request.   
      */
-    async updateRoleDescription(requestParameters: UpdateRoleDescriptionRequest, initOverrides?: RequestInit): Promise<RespBasic> {
-        const response = await this.updateRoleDescriptionRaw(requestParameters, initOverrides);
+    async rolePermits(requestParameters: RolePermitsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespAuthorized> {
+        const response = await this.rolePermitsRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Update an existing role\'s name using a request body.  Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character.  The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Update an existing role\'s decription using a request body. The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator. 
      */
-    async updateRoleNameRaw(requestParameters: UpdateRoleNameRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespBasic>> {
-        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-            throw new runtime.RequiredError('roleName','Required parameter requestParameters.roleName was null or undefined when calling updateRoleName.');
+    async updateRoleDescriptionRaw(requestParameters: UpdateRoleDescriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespBasic>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling updateRoleDescription().'
+            );
         }
 
-        if (requestParameters.reqUpdateRoleName === null || requestParameters.reqUpdateRoleName === undefined) {
-            throw new runtime.RequiredError('reqUpdateRoleName','Required parameter requestParameters.reqUpdateRoleName was null or undefined when calling updateRoleName.');
+        if (requestParameters['reqUpdateRoleDescription'] == null) {
+            throw new runtime.RequiredError(
+                'reqUpdateRoleDescription',
+                'Required parameter "reqUpdateRoleDescription" was null or undefined when calling updateRoleDescription().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
+        const response = await this.request({
+            path: `/security/role/updateDesc/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: ReqUpdateRoleDescriptionToJSON(requestParameters['reqUpdateRoleDescription']),
+        }, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => RespBasicFromJSON(jsonValue));
+    }
+
+    /**
+     * Update an existing role\'s decription using a request body. The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator. 
+     */
+    async updateRoleDescription(requestParameters: UpdateRoleDescriptionRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespBasic> {
+        const response = await this.updateRoleDescriptionRaw(requestParameters, initOverrides);
+        return await response.value();
+    }
+
+    /**
+     * Update an existing role\'s name using a request body. Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character. The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator. 
+     */
+    async updateRoleNameRaw(requestParameters: UpdateRoleNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespBasic>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling updateRoleName().'
+            );
+        }
+
+        if (requestParameters['reqUpdateRoleName'] == null) {
+            throw new runtime.RequiredError(
+                'reqUpdateRoleName',
+                'Required parameter "reqUpdateRoleName" was null or undefined when calling updateRoleName().'
+            );
+        }
+
+        const queryParameters: any = {};
+
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/updateName/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters.roleName))),
+            path: `/security/role/updateName/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqUpdateRoleNameToJSON(requestParameters.reqUpdateRoleName),
+            body: ReqUpdateRoleNameToJSON(requestParameters['reqUpdateRoleName']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespBasicFromJSON(jsonValue));
     }
 
     /**
-     * Update an existing role\'s name using a request body.  Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character.  The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Update an existing role\'s name using a request body. Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character. The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator. 
      */
-    async updateRoleName(requestParameters: UpdateRoleNameRequest, initOverrides?: RequestInit): Promise<RespBasic> {
+    async updateRoleName(requestParameters: UpdateRoleNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespBasic> {
         const response = await this.updateRoleNameRaw(requestParameters, initOverrides);
         return await response.value();
     }
 
     /**
-     * Update an existing role\'s owner using a request body. Required parameters in the payload are the *roleTenant*, which is the tenant of named role, and *newOwner*, which is the user to which role ownership is being transferred. The *newTenant* payload parameter is optional and only needed when the new owner resides in a different tenant than that of the current owner.  This request is authorized if the requestor is the role owner or an administrator. If a new tenant is specified, then the requestor must also be allowed to act in the new tenant.
+     * Update an existing role\'s owner using a request body. Required parameters in the payload are the *roleTenant*, which is the tenant of named role, and *newOwner*, which is the user to which role ownership is being transferred. The *newTenant* payload parameter is optional and only needed when the new owner resides in a different tenant than that of the current owner.  This request is authorized if the requestor is the role owner or an administrator. If a new tenant is specified, then the requestor must also be allowed to act in the new tenant. 
      */
-    async updateRoleOwnerRaw(requestParameters: UpdateRoleOwnerRequest, initOverrides?: RequestInit): Promise<runtime.ApiResponse<RespBasic>> {
-        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-            throw new runtime.RequiredError('roleName','Required parameter requestParameters.roleName was null or undefined when calling updateRoleOwner.');
+    async updateRoleOwnerRaw(requestParameters: UpdateRoleOwnerRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RespBasic>> {
+        if (requestParameters['roleName'] == null) {
+            throw new runtime.RequiredError(
+                'roleName',
+                'Required parameter "roleName" was null or undefined when calling updateRoleOwner().'
+            );
         }
 
-        if (requestParameters.reqUpdateRoleOwner === null || requestParameters.reqUpdateRoleOwner === undefined) {
-            throw new runtime.RequiredError('reqUpdateRoleOwner','Required parameter requestParameters.reqUpdateRoleOwner was null or undefined when calling updateRoleOwner.');
+        if (requestParameters['reqUpdateRoleOwner'] == null) {
+            throw new runtime.RequiredError(
+                'reqUpdateRoleOwner',
+                'Required parameter "reqUpdateRoleOwner" was null or undefined when calling updateRoleOwner().'
+            );
         }
 
         const queryParameters: any = {};
 
-        if (requestParameters.pretty !== undefined) {
-            queryParameters['pretty'] = requestParameters.pretty;
-        }
-
         const headerParameters: runtime.HTTPHeaders = {};
 
         headerParameters['Content-Type'] = 'application/json';
 
         if (this.configuration && this.configuration.apiKey) {
-            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
+            headerParameters["X-Tapis-Token"] = await this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
         }
 
         const response = await this.request({
-            path: `/security/role/updateOwner/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters.roleName))),
+            path: `/security/role/updateOwner/{roleName}`.replace(`{${"roleName"}}`, encodeURIComponent(String(requestParameters['roleName']))),
             method: 'POST',
             headers: headerParameters,
             query: queryParameters,
-            body: ReqUpdateRoleOwnerToJSON(requestParameters.reqUpdateRoleOwner),
+            body: ReqUpdateRoleOwnerToJSON(requestParameters['reqUpdateRoleOwner']),
         }, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) => RespBasicFromJSON(jsonValue));
     }
 
     /**
-     * Update an existing role\'s owner using a request body. Required parameters in the payload are the *roleTenant*, which is the tenant of named role, and *newOwner*, which is the user to which role ownership is being transferred. The *newTenant* payload parameter is optional and only needed when the new owner resides in a different tenant than that of the current owner.  This request is authorized if the requestor is the role owner or an administrator. If a new tenant is specified, then the requestor must also be allowed to act in the new tenant.
+     * Update an existing role\'s owner using a request body. Required parameters in the payload are the *roleTenant*, which is the tenant of named role, and *newOwner*, which is the user to which role ownership is being transferred. The *newTenant* payload parameter is optional and only needed when the new owner resides in a different tenant than that of the current owner.  This request is authorized if the requestor is the role owner or an administrator. If a new tenant is specified, then the requestor must also be allowed to act in the new tenant. 
      */
-    async updateRoleOwner(requestParameters: UpdateRoleOwnerRequest, initOverrides?: RequestInit): Promise<RespBasic> {
+    async updateRoleOwner(requestParameters: UpdateRoleOwnerRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<RespBasic> {
         const response = await this.updateRoleOwnerRaw(requestParameters, initOverrides);
         return await response.value();
     }