@tapis/tapis-typescript-sk 0.0.2 → 0.0.3

package/dist/apis/RoleApi.js

@@ -3,9 +3,9 @@
 /* eslint-disable */
 /**
  * Tapis Security API
- * The Tapis Security API provides access to the Tapis Security Kernel authorization and secrets facilities.
+ * The Tapis Security API provides for management of Security Kernel (SK) role-based authorization and secrets resources.
  *
- * The version of the OpenAPI document: 0.1
+ * The version of the OpenAPI document: 1.8.2
  * Contact: cicsupport@tacc.utexas.edu
  *
  * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
@@ -13,30 +13,36 @@
  * Do not edit the class manually.
  */
 var __extends = (this && this.__extends) || (function () {
-    var extendStatics = Object.setPrototypeOf ||
-        ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
-        function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
     return function (d, b) {
+        if (typeof b !== "function" && b !== null)
+            throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
         extendStatics(d, b);
         function __() { this.constructor = d; }
         d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
     };
 })();
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
         function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
         function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
 var __generator = (this && this.__generator) || function (thisArg, body) {
-    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
-    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
     function verb(n) { return function (v) { return step([n, v]); }; }
     function step(op) {
         if (f) throw new TypeError("Generator is already executing.");
-        while (_) try {
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
             if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
             if (y = 0, t) op = [op[0] & 2, t.value];
             switch (op[0]) {
@@ -58,8 +64,9 @@ var __generator = (this && this.__generator) || function (thisArg, body) {
     }
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleApi = void 0;
 var runtime = require("../runtime");
-var models_1 = require("../models");
+var index_1 = require("../models/index");
 /**
  *
  */
@@ -69,42 +76,43 @@ var RoleApi = /** @class */ (function (_super) {
         return _super !== null && _super.apply(this, arguments) || this;
     }
     /**
-     * Add a child role to another role using a request body.  If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles.
+     * Add a child role to another role using a request body. If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles.
      */
     RoleApi.prototype.addChildRoleRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqAddChildRole === null || requestParameters.reqAddChildRole === undefined) {
-                            throw new runtime.RequiredError('reqAddChildRole', 'Required parameter requestParameters.reqAddChildRole was null or undefined when calling addChildRole.');
+                        if (requestParameters['reqAddChildRole'] == null) {
+                            throw new runtime.RequiredError('reqAddChildRole', 'Required parameter "reqAddChildRole" was null or undefined when calling addChildRole().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/addChild",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqAddChildRoleToJSON(requestParameters.reqAddChildRole),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespChangeCountFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/addChild",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqAddChildRoleToJSON)(requestParameters['reqAddChildRole']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Add a child role to another role using a request body.  If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles.
+     * Add a child role to another role using a request body. If the child already exists, then the request has no effect and the change count returned is zero. Otherwise, the child is added and the change count is one. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if the user owns both the parent and child roles.
      */
     RoleApi.prototype.addChildRole = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -121,42 +129,43 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Add a permission to an existing role using a request body.  If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html).  This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators.  Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details.  Note that the three reserved characters, [: * ,], cannot appear in the text of any part.  It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Add a permission to an existing role using a request body. If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html). This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators. Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details. Note that the three reserved characters, [: * ,], cannot appear in the text of any part. It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  ### Extended Permissions Tapis extends Shiro permission checking with *path semantics*. Path semantics allows the last part of pre-configured permissions to be treated as hierarchical path names, such as the paths used in POSIX file systems. Currently, only permissions that start with *files:* have their last (5th) component configured with path semantics.  Path semantics treat the extended permission part as the root of the subtree to which the permission is applied recursively. Grantees assigned the permission will have the permission on the path itself and on all its children.  As an example, consider a role that\'s assigned the following permission:      files:iplantc.org:read:stampede2:/home/bud  Users granted the role have read permission on the following file system resources on stampede2:      /home/bud     /home/bud/     /home/bud/myfile     /home/bud/mydir/myfile  Those users, however, will not have access to /home.  When an extended permission part ends with a slash, such as /home/bud/, then that part is interpreted as a directory or, more generally, some type of container. In such cases, the permission applies to the children of the path and to the path as written with a slash. For instance, for the file permission path /home/bud/, the permission allows access to /home/bud/ and /home/bud/myfile, but not to /home/bud.  When an extended permission part does not end with a slash, such as /home/bud, then the permission applies to the children of the path and to the path written with or without a trailing slash. For instance, for the file permission path /home/bud, the permission allows access to /home/bud, /home/bud/ and /home/bud/myfile.  In the previous examples, we assumed /home/bud was a directory. If /home/bud is a file (or more generally a leaf), then specifying the permission path /home/bud/ will not work as intended. Permissions with paths that have trailing slashes should only be used for directories, and they require a trailing slash whenever refering to the root directory. Permissions that don\'t have a trailing slash can represent directories or files, and thus are more general.  Extended permission checking avoids *false capture*. Whether a path has a trailing slash or not, permission checking will not capture similarly named sibling paths. For example, using the file permission path /home/bud, grantees are allowed access to /home/bud and all its children (if it\'s a directory), but not to the file /home/buddy.txt nor the directory /home/bud2.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator.
      */
     RoleApi.prototype.addRolePermissionRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqAddRolePermission === null || requestParameters.reqAddRolePermission === undefined) {
-                            throw new runtime.RequiredError('reqAddRolePermission', 'Required parameter requestParameters.reqAddRolePermission was null or undefined when calling addRolePermission.');
+                        if (requestParameters['reqAddRolePermission'] == null) {
+                            throw new runtime.RequiredError('reqAddRolePermission', 'Required parameter "reqAddRolePermission" was null or undefined when calling addRolePermission().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/addPerm",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqAddRolePermissionToJSON(requestParameters.reqAddRolePermission),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespChangeCountFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/addPerm",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqAddRolePermissionToJSON)(requestParameters['reqAddRolePermission']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Add a permission to an existing role using a request body.  If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html).  This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators.  Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details.  Note that the three reserved characters, [: * ,], cannot appear in the text of any part.  It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Add a permission to an existing role using a request body. If the permission already exists, then the request has no effect and the change count returned is zero. Otherwise, the permission is added and the change count is one.  Permissions are case-sensitive strings that follow the format defined by Apache Shiro (https://shiro.apache.org/permissions.html). This format defines any number of colon-separated (:) parts, with the possible use of asterisks (*) as wildcards and commas (,) as aggregators. Here are two example permission strings:      system:MyTenant:read,write:system1     system:MyTenant:create,read,write,delete:*  See the Shiro documentation for further details. Note that the three reserved characters, [: * ,], cannot appear in the text of any part. It\'s the application\'s responsibility to escape those characters in a manner that is safe in the application\'s domain.  ### Extended Permissions Tapis extends Shiro permission checking with *path semantics*. Path semantics allows the last part of pre-configured permissions to be treated as hierarchical path names, such as the paths used in POSIX file systems. Currently, only permissions that start with *files:* have their last (5th) component configured with path semantics.  Path semantics treat the extended permission part as the root of the subtree to which the permission is applied recursively. Grantees assigned the permission will have the permission on the path itself and on all its children.  As an example, consider a role that\'s assigned the following permission:      files:iplantc.org:read:stampede2:/home/bud  Users granted the role have read permission on the following file system resources on stampede2:      /home/bud     /home/bud/     /home/bud/myfile     /home/bud/mydir/myfile  Those users, however, will not have access to /home.  When an extended permission part ends with a slash, such as /home/bud/, then that part is interpreted as a directory or, more generally, some type of container. In such cases, the permission applies to the children of the path and to the path as written with a slash. For instance, for the file permission path /home/bud/, the permission allows access to /home/bud/ and /home/bud/myfile, but not to /home/bud.  When an extended permission part does not end with a slash, such as /home/bud, then the permission applies to the children of the path and to the path written with or without a trailing slash. For instance, for the file permission path /home/bud, the permission allows access to /home/bud, /home/bud/ and /home/bud/myfile.  In the previous examples, we assumed /home/bud was a directory. If /home/bud is a file (or more generally a leaf), then specifying the permission path /home/bud/ will not work as intended. Permissions with paths that have trailing slashes should only be used for directories, and they require a trailing slash whenever refering to the root directory. Permissions that don\'t have a trailing slash can represent directories or files, and thus are more general.  Extended permission checking avoids *false capture*. Whether a path has a trailing slash or not, permission checking will not capture similarly named sibling paths. For example, using the file permission path /home/bud, grantees are allowed access to /home/bud and all its children (if it\'s a directory), but not to the file /home/buddy.txt nor the directory /home/bud2.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator.
      */
     RoleApi.prototype.addRolePermission = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -173,42 +182,43 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Create a role using a request body.  Role names are case sensitive, alpha-numeric strings that can also contain underscores.  Role names must start with an alphbetic character and can be no more than 58 characters in length.  The desciption can be no more than 2048 characters long.  If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant.
+     * Create a role using a request body. Role names are case sensitive, alpha-numeric strings that can also contain underscores. Role names must start with an alphbetic character and can be no more than 58 characters in length. The desciption can be no more than 2048 characters long. If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant.
      */
     RoleApi.prototype.createRoleRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqCreateRole === null || requestParameters.reqCreateRole === undefined) {
-                            throw new runtime.RequiredError('reqCreateRole', 'Required parameter requestParameters.reqCreateRole was null or undefined when calling createRole.');
+                        if (requestParameters['reqCreateRole'] == null) {
+                            throw new runtime.RequiredError('reqCreateRole', 'Required parameter "reqCreateRole" was null or undefined when calling createRole().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqCreateRoleToJSON(requestParameters.reqCreateRole),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespResourceUrlFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqCreateRoleToJSON)(requestParameters['reqCreateRole']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespResourceUrlFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Create a role using a request body.  Role names are case sensitive, alpha-numeric strings that can also contain underscores.  Role names must start with an alphbetic character and can be no more than 58 characters in length.  The desciption can be no more than 2048 characters long.  If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant.
+     * Create a role using a request body. Role names are case sensitive, alpha-numeric strings that can also contain underscores. Role names must start with an alphbetic character and can be no more than 58 characters in length. The desciption can be no more than 2048 characters long. If the role already exists, this request has no effect.  For the request to be authorized, the requestor must be either an administrator or a service allowed to perform updates in the new role\'s tenant.
      */
     RoleApi.prototype.createRole = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -225,43 +235,47 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Delete the named role. A valid tenant and user must be specified as query parameters.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Delete the named role. A valid tenant and user must be specified as query parameters.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator.
      */
     RoleApi.prototype.deleteRoleByNameRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-                            throw new runtime.RequiredError('roleName', 'Required parameter requestParameters.roleName was null or undefined when calling deleteRoleByName.');
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling deleteRoleByName().');
                         }
                         queryParameters = {};
-                        if (requestParameters.tenant !== undefined) {
-                            queryParameters['tenant'] = requestParameters.tenant;
+                        if (requestParameters['tenant'] != null) {
+                            queryParameters['tenant'] = requestParameters['tenant'];
                         }
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
+                        if (requestParameters['roleType'] != null) {
+                            queryParameters['roleType'] = requestParameters['roleType'];
                         }
                         headerParameters = {};
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/{roleName}".replace("{" + "roleName" + "}", encodeURIComponent(String(requestParameters.roleName))),
-                                method: 'DELETE',
-                                headers: headerParameters,
-                                query: queryParameters,
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespChangeCountFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/{roleName}".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'DELETE',
+                            headers: headerParameters,
+                            query: queryParameters,
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Delete the named role. A valid tenant and user must be specified as query parameters.  This request is authorized only if the authenticated user is either the role owner or an administrator.
+     * Delete the named role. A valid tenant and user must be specified as query parameters.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator.
      */
     RoleApi.prototype.deleteRoleByName = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -278,37 +292,41 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name.  This implies the maximum length of a user name is 58 since role names are limited to 60 characters.
+     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t  already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name. This implies the maximum length of a user name is 58 since role names are limited to 60 characters.
      */
     RoleApi.prototype.getDefaultUserRoleRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.user === null || requestParameters.user === undefined) {
-                            throw new runtime.RequiredError('user', 'Required parameter requestParameters.user was null or undefined when calling getDefaultUserRole.');
+                        if (requestParameters['user'] == null) {
+                            throw new runtime.RequiredError('user', 'Required parameter "user" was null or undefined when calling getDefaultUserRole().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/defaultRole/{user}".replace("{" + "user" + "}", encodeURIComponent(String(requestParameters.user))),
-                                method: 'GET',
-                                headers: headerParameters,
-                                query: queryParameters,
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespNameFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/defaultRole/{user}".replace("{".concat("user", "}"), encodeURIComponent(String(requestParameters['user']))),
+                            method: 'GET',
+                            headers: headerParameters,
+                            query: queryParameters,
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespNameFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name.  This implies the maximum length of a user name is 58 since role names are limited to 60 characters.
+     * Get a user\'s default role. The default role is implicitly created by the system when needed if it doesn\'t  already exist. No authorization required.  A user\'s default role is constructed by prepending \'$$\' to the user\'s name. This implies the maximum length of a user name is 58 since role names are limited to 60 characters.
      */
     RoleApi.prototype.getDefaultUserRole = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -325,43 +343,47 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Get the named role\'s definition.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s definition. A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.getRoleByNameRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-                            throw new runtime.RequiredError('roleName', 'Required parameter requestParameters.roleName was null or undefined when calling getRoleByName.');
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling getRoleByName().');
                         }
                         queryParameters = {};
-                        if (requestParameters.tenant !== undefined) {
-                            queryParameters['tenant'] = requestParameters.tenant;
+                        if (requestParameters['tenant'] != null) {
+                            queryParameters['tenant'] = requestParameters['tenant'];
                         }
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
+                        if (requestParameters['roleType'] != null) {
+                            queryParameters['roleType'] = requestParameters['roleType'];
                         }
                         headerParameters = {};
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/{roleName}".replace("{" + "roleName" + "}", encodeURIComponent(String(requestParameters.roleName))),
-                                method: 'GET',
-                                headers: headerParameters,
-                                query: queryParameters,
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespRoleFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/{roleName}".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'GET',
+                            headers: headerParameters,
+                            query: queryParameters,
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespRoleFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Get the named role\'s definition.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s definition. A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.getRoleByName = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -378,44 +400,49 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Get the names of all roles in the tenant in alphabetic order.  Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the names of all roles in the tenant in alphabetic order. Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.getRoleNamesRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
                         queryParameters = {};
-                        if (requestParameters.tenant !== undefined) {
-                            queryParameters['tenant'] = requestParameters.tenant;
+                        if (requestParameters['tenant'] != null) {
+                            queryParameters['tenant'] = requestParameters['tenant'];
                         }
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
+                        if (requestParameters['roleType'] != null) {
+                            queryParameters['roleType'] = requestParameters['roleType'];
                         }
                         headerParameters = {};
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role",
-                                method: 'GET',
-                                headers: headerParameters,
-                                query: queryParameters,
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespNameArrayFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role",
+                            method: 'GET',
+                            headers: headerParameters,
+                            query: queryParameters,
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespNameArrayFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Get the names of all roles in the tenant in alphabetic order.  Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the names of all roles in the tenant in alphabetic order. Future enhancements will include search filtering.  A valid tenant must be specified as a query parameter. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
-    RoleApi.prototype.getRoleNames = function (requestParameters, initOverrides) {
-        return __awaiter(this, void 0, void 0, function () {
+    RoleApi.prototype.getRoleNames = function () {
+        return __awaiter(this, arguments, void 0, function (requestParameters, initOverrides) {
             var response;
+            if (requestParameters === void 0) { requestParameters = {}; }
             return __generator(this, function (_a) {
                 switch (_a.label) {
                     case 0: return [4 /*yield*/, this.getRoleNamesRaw(requestParameters, initOverrides)];
@@ -428,46 +455,47 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Get the named role\'s permissions.  By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned.  Set the immediate query parameter to only retrieve permissions directly assigned to the role.  A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s permissions. By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned. Set the immediate query parameter to only retrieve permissions directly assigned to the role. A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.getRolePermissionsRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-                            throw new runtime.RequiredError('roleName', 'Required parameter requestParameters.roleName was null or undefined when calling getRolePermissions.');
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling getRolePermissions().');
                         }
                         queryParameters = {};
-                        if (requestParameters.tenant !== undefined) {
-                            queryParameters['tenant'] = requestParameters.tenant;
-                        }
-                        if (requestParameters.immediate !== undefined) {
-                            queryParameters['immediate'] = requestParameters.immediate;
+                        if (requestParameters['tenant'] != null) {
+                            queryParameters['tenant'] = requestParameters['tenant'];
                         }
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
+                        if (requestParameters['immediate'] != null) {
+                            queryParameters['immediate'] = requestParameters['immediate'];
                         }
                         headerParameters = {};
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/{roleName}/perms".replace("{" + "roleName" + "}", encodeURIComponent(String(requestParameters.roleName))),
-                                method: 'GET',
-                                headers: headerParameters,
-                                query: queryParameters,
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespNameArrayFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/{roleName}/perms".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'GET',
+                            headers: headerParameters,
+                            query: queryParameters,
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespNameArrayFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Get the named role\'s permissions.  By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned.  Set the immediate query parameter to only retrieve permissions directly assigned to the role.  A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * Get the named role\'s permissions. By default, all permissions assigned to the role, whether directly and transitively through child roles, are returned. Set the immediate query parameter to only retrieve permissions directly assigned to the role. A valid tenant must be specified.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.getRolePermissions = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -484,42 +512,43 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * This read-only endpoint previews the transformations that would take place if the same input was used on a replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * This read-only endpoint previews the transformations that would take place if the same input was used on a  replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.previewPathPrefixRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqPreviewPathPrefix === null || requestParameters.reqPreviewPathPrefix === undefined) {
-                            throw new runtime.RequiredError('reqPreviewPathPrefix', 'Required parameter requestParameters.reqPreviewPathPrefix was null or undefined when calling previewPathPrefix.');
+                        if (requestParameters['reqPreviewPathPrefix'] == null) {
+                            throw new runtime.RequiredError('reqPreviewPathPrefix', 'Required parameter "reqPreviewPathPrefix" was null or undefined when calling previewPathPrefix().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/previewPathPrefix",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqPreviewPathPrefixToJSON(requestParameters.reqPreviewPathPrefix),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespPathPrefixesFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/previewPathPrefix",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqPreviewPathPrefixToJSON)(requestParameters['reqPreviewPathPrefix']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespPathPrefixesFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * This read-only endpoint previews the transformations that would take place if the same input was used on a replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body.  This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
+     * This read-only endpoint previews the transformations that would take place if the same input was used on a  replacePathPrefix POST call. This call is also implemented as a POST so that the same input as used on replacePathPrefix can be used here, but this call changes nothing.  This endpoint can be used to get an accounting of existing system/path combinations that match the input specification. Such information is useful when trying to duplicate a set of permissions. For example, one may want to copy a file subtree to another location and assign the same permissions to the new subtree as currently exist on the original subtree. One could use  this call to calculate the users that should be granted permission on the new subtree.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The result object contains an array of transformation objects, each of which contains the unique permission sequence number, the existing permission that matched the search criteria and the new permission if the specified transformations were applied.  A valid tenant and user must be specified in the request body. This request is authorized if the requestor is a user that has access to the specified tenant or if the requestor is a service.
      */
     RoleApi.prototype.previewPathPrefix = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -536,42 +565,43 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Remove a child role from a parent role using a request body.  A valid tenant and user must be specified in the request body.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role.
+     * Remove a child role from a parent role using a request body. A valid tenant and user must be specified in the request body. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role.
      */
     RoleApi.prototype.removeChildRoleRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqRemoveChildRole === null || requestParameters.reqRemoveChildRole === undefined) {
-                            throw new runtime.RequiredError('reqRemoveChildRole', 'Required parameter requestParameters.reqRemoveChildRole was null or undefined when calling removeChildRole.');
+                        if (requestParameters['reqRemoveChildRole'] == null) {
+                            throw new runtime.RequiredError('reqRemoveChildRole', 'Required parameter "reqRemoveChildRole" was null or undefined when calling removeChildRole().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/removeChild",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqRemoveChildRoleToJSON(requestParameters.reqRemoveChildRole),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespChangeCountFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/removeChild",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqRemoveChildRoleToJSON)(requestParameters['reqRemoveChildRole']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Remove a child role from a parent role using a request body.  A valid tenant and user must be specified in the request body.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role.
+     * Remove a child role from a parent role using a request body. A valid tenant and user must be specified in the request body. Supported only for roles of type *USER*.  The user@tenant identity specified in JWT is authorized to make this request only if that user is an administrator or if they own the parent role.
      */
     RoleApi.prototype.removeChildRole = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -588,42 +618,149 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Remove a permission from a role using a request body.  A valid role, roleTenant and permission must be specified in the request body.  Only the role owner or administrators are authorized to make this call.
+     * Remove an extended permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the extended permission string and, where found, that permission is removed. The matching algorithm is string comparison with wildcard semantics on the path component. This is the same as an exact string match for all parts of the permission specification up to the path part. A match on the path part, however, occurs when its path is a prefix of a role permission\'s path. Consider the following permission specification:      files:mytenant:read:mysystem:/my/dir  which will match both of the following role permissions:      files:mytenant:read:mysystem:/my/dir/subdir/myfile     files:mytenant:read:mysystem:/my/dir33/yourfile  Note that a match to the second role permission might be a *false capture* if the intension was to remove all permissions to resources in the /my/dir subtree, but not those in other directories. To avoid this potential problem, callers can make two calls, one to this endpoint with a permSpec that ends with a slash (\"/\") and one to the removePermissionFromeAllRoles endpoint with no trailing slash. The former removes all children from the directory subtree, the latter removes the directory itself.  Only the Files service is authorized to make this call.
      */
-    RoleApi.prototype.removeRolePermissionRaw = function (requestParameters, initOverrides) {
+    RoleApi.prototype.removePathPermissionFromAllRolesRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        if (requestParameters['reqRemovePermissionFromAllRoles'] == null) {
+                            throw new runtime.RequiredError('reqRemovePermissionFromAllRoles', 'Required parameter "reqRemovePermissionFromAllRoles" was null or undefined when calling removePathPermissionFromAllRoles().');
+                        }
+                        queryParameters = {};
+                        headerParameters = {};
+                        headerParameters['Content-Type'] = 'application/json';
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
+                    case 1:
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/removePathPermFromAllRoles",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqRemovePermissionFromAllRolesToJSON)(requestParameters['reqRemovePermissionFromAllRoles']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
+                }
+            });
+        });
+    };
+    /**
+     * Remove an extended permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the extended permission string and, where found, that permission is removed. The matching algorithm is string comparison with wildcard semantics on the path component. This is the same as an exact string match for all parts of the permission specification up to the path part. A match on the path part, however, occurs when its path is a prefix of a role permission\'s path. Consider the following permission specification:      files:mytenant:read:mysystem:/my/dir  which will match both of the following role permissions:      files:mytenant:read:mysystem:/my/dir/subdir/myfile     files:mytenant:read:mysystem:/my/dir33/yourfile  Note that a match to the second role permission might be a *false capture* if the intension was to remove all permissions to resources in the /my/dir subtree, but not those in other directories. To avoid this potential problem, callers can make two calls, one to this endpoint with a permSpec that ends with a slash (\"/\") and one to the removePermissionFromeAllRoles endpoint with no trailing slash. The former removes all children from the directory subtree, the latter removes the directory itself.  Only the Files service is authorized to make this call.
+     */
+    RoleApi.prototype.removePathPermissionFromAllRoles = function (requestParameters, initOverrides) {
+        return __awaiter(this, void 0, void 0, function () {
+            var response;
             return __generator(this, function (_a) {
                 switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.removePathPermissionFromAllRolesRaw(requestParameters, initOverrides)];
+                    case 1:
+                        response = _a.sent();
+                        return [4 /*yield*/, response.value()];
+                    case 2: return [2 /*return*/, _a.sent()];
+                }
+            });
+        });
+    };
+    /**
+     * Remove a permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the *exact* permission string and, where found, that permission is removed. The matching algorithm is simple, character by character, string comparison.  Permissions are not interpreted. For example, a permission that contains a wildcard (*) will only match a role\'s permission when the same wildcard is found in the exact same position. The same rule applies to permission segments with multiple, comma separated components: a match requires the exact same ordering and spacing of components.  Only services are authorized to make this call.
+     */
+    RoleApi.prototype.removePermissionFromAllRolesRaw = function (requestParameters, initOverrides) {
+        return __awaiter(this, void 0, void 0, function () {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqRemoveRolePermission === null || requestParameters.reqRemoveRolePermission === undefined) {
-                            throw new runtime.RequiredError('reqRemoveRolePermission', 'Required parameter requestParameters.reqRemoveRolePermission was null or undefined when calling removeRolePermission.');
+                        if (requestParameters['reqRemovePermissionFromAllRoles'] == null) {
+                            throw new runtime.RequiredError('reqRemovePermissionFromAllRoles', 'Required parameter "reqRemovePermissionFromAllRoles" was null or undefined when calling removePermissionFromAllRoles().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/removePerm",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqRemoveRolePermissionToJSON(requestParameters.reqRemoveRolePermission),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
+                    case 1:
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/removePermFromAllRoles",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqRemovePermissionFromAllRolesToJSON)(requestParameters['reqRemovePermissionFromAllRoles']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
+                }
+            });
+        });
+    };
+    /**
+     * Remove a permission from all roles in a tenant using a request body. The tenant and permission must be specified in the request body.  Each role in the tenant is searched for the *exact* permission string and, where found, that permission is removed. The matching algorithm is simple, character by character, string comparison.  Permissions are not interpreted. For example, a permission that contains a wildcard (*) will only match a role\'s permission when the same wildcard is found in the exact same position. The same rule applies to permission segments with multiple, comma separated components: a match requires the exact same ordering and spacing of components.  Only services are authorized to make this call.
+     */
+    RoleApi.prototype.removePermissionFromAllRoles = function (requestParameters, initOverrides) {
+        return __awaiter(this, void 0, void 0, function () {
+            var response;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.removePermissionFromAllRolesRaw(requestParameters, initOverrides)];
                     case 1:
                         response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespChangeCountFromJSON(jsonValue); })];
+                        return [4 /*yield*/, response.value()];
+                    case 2: return [2 /*return*/, _a.sent()];
+                }
+            });
+        });
+    };
+    /**
+     * Remove a permission from a role using a request body. A valid role, roleTenant and permission must be specified in the request body.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator.
+     */
+    RoleApi.prototype.removeRolePermissionRaw = function (requestParameters, initOverrides) {
+        return __awaiter(this, void 0, void 0, function () {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        if (requestParameters['reqRemoveRolePermission'] == null) {
+                            throw new runtime.RequiredError('reqRemoveRolePermission', 'Required parameter "reqRemoveRolePermission" was null or undefined when calling removeRolePermission().');
+                        }
+                        queryParameters = {};
+                        headerParameters = {};
+                        headerParameters['Content-Type'] = 'application/json';
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
+                    case 1:
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/removePerm",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqRemoveRolePermissionToJSON)(requestParameters['reqRemoveRolePermission']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Remove a permission from a role using a request body.  A valid role, roleTenant and permission must be specified in the request body.  Only the role owner or administrators are authorized to make this call.
+     * Remove a permission from a role using a request body. A valid role, roleTenant and permission must be specified in the request body.  For roles of type USER the request is authorized only if the requestor is the role owner, a tenant administrator or a site administrator. For roles of type TENANT_ADMIN the requestor must a tenant or site administrator. For roles of type RESTRICTED_SVC the requestor must a site administrator.
      */
     RoleApi.prototype.removeRolePermission = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -640,42 +777,43 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Replace the text in a permission specification when its last component defines an *extended path attribute*.  Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name.  This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted.  Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests.  Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value.  Replacement only occurs on permissions that also match the schema and oldSystemId parameter values.  The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found.  If a roleName is provided, then replacement is limited to permissions defined only in that role.  Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request.  The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service.
+     * Replace the text in a permission specification when its last component defines an *extended path attribute*. Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name. This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted. Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests. Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value. Replacement only occurs on permissions that also match the schema and oldSystemId parameter values. The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found. If a roleName is provided, then replacement is limited to permissions defined only in that role. Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request. The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service.
      */
     RoleApi.prototype.replacePathPrefixRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.reqReplacePathPrefix === null || requestParameters.reqReplacePathPrefix === undefined) {
-                            throw new runtime.RequiredError('reqReplacePathPrefix', 'Required parameter requestParameters.reqReplacePathPrefix was null or undefined when calling replacePathPrefix.');
+                        if (requestParameters['reqReplacePathPrefix'] == null) {
+                            throw new runtime.RequiredError('reqReplacePathPrefix', 'Required parameter "reqReplacePathPrefix" was null or undefined when calling replacePathPrefix().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/replacePathPrefix",
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqReplacePathPrefixToJSON(requestParameters.reqReplacePathPrefix),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespChangeCountFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/replacePathPrefix",
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqReplacePathPrefixToJSON)(requestParameters['reqReplacePathPrefix']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespChangeCountFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Replace the text in a permission specification when its last component defines an *extended path attribute*.  Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name.  This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted.  Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests.  Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value.  Replacement only occurs on permissions that also match the schema and oldSystemId parameter values.  The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found.  If a roleName is provided, then replacement is limited to permissions defined only in that role.  Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters.  When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request.  The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service.
+     * Replace the text in a permission specification when its last component defines an *extended path attribute*. Extended path attributes enhance the standard Shiro matching algorithm with one that treats designated components in a permission specification as a path name, such as a posix file or directory path name. This request is useful when files or directories have been renamed or moved and their authorizations need to be adjusted. Consider, for example, permissions that conform to the following specification:        files:tenantId:op:systemId:path  By definition, the last component is an extended path attribute whose content can be changed by replacePathPrefix requests. Specifically, paths that begin with the oldPrefix will have that prefix replaced with the newPrefix value. Replacement only occurs on permissions that also match the schema and oldSystemId parameter values. The systemId attribute is required to immediately precede the path attribute, which must be the last attribute.  Additionally, the oldSystemId is replaced with the newSystemId when a match is found. If a roleName is provided, then replacement is limited to permissions defined only in that role. Otherwise, permissions in all roles that meet the other matching criteria will be considered.  The optional parameters are roleName, oldPrefix and newPrefix. No wildcards are defined for the path prefix parameters. When roleName is specified then only permissions assigned to that role are considered.  When the oldPrefix parameter is provided, it\'s used to filter out permissions whose paths do not begin with the specified string; when not provided, no path prefix filtering occurs.  When the newPrefix parameter is not provided no new characters are prepended to the new path, effectively just removing the oldPrefix from the new path. When neither oldPrefix nor newPrefix are provided, no path transformation occurs, though system IDs can still be transformed.  The previewPathPrefix request provides a way to do a dry run using the same input as this request. The preview call calculates the permissions that would change and what their new values would be, but it does not actually change those permissions as replacePathPrefix does.  The input parameters are passed in the payload of this request. The response indicates the number of changed permission specifications.  The path prefix replacement operation is authorized if the user@tenant in the JWT represents a tenant administrator or the Files service.
      */
     RoleApi.prototype.replacePathPrefix = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -692,45 +830,105 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Update an existing role\'s decription using a request body.  The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Check to see if the specified role allows the specified permission.  Any authenticated user may make this request.
      */
-    RoleApi.prototype.updateRoleDescriptionRaw = function (requestParameters, initOverrides) {
+    RoleApi.prototype.rolePermitsRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-                            throw new runtime.RequiredError('roleName', 'Required parameter requestParameters.roleName was null or undefined when calling updateRoleDescription.');
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling rolePermits().');
                         }
-                        if (requestParameters.reqUpdateRoleDescription === null || requestParameters.reqUpdateRoleDescription === undefined) {
-                            throw new runtime.RequiredError('reqUpdateRoleDescription', 'Required parameter requestParameters.reqUpdateRoleDescription was null or undefined when calling updateRoleDescription.');
+                        if (requestParameters['reqRolePermits'] == null) {
+                            throw new runtime.RequiredError('reqRolePermits', 'Required parameter "reqRolePermits" was null or undefined when calling rolePermits().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
+                        if (requestParameters['immediate'] != null) {
+                            queryParameters['immediate'] = requestParameters['immediate'];
                         }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/updateDesc/{roleName}".replace("{" + "roleName" + "}", encodeURIComponent(String(requestParameters.roleName))),
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqUpdateRoleDescriptionToJSON(requestParameters.reqUpdateRoleDescription),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
+                    case 1:
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/{roleName}/permits".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqRolePermitsToJSON)(requestParameters['reqRolePermits']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespAuthorizedFromJSON)(jsonValue); })];
+                }
+            });
+        });
+    };
+    /**
+     * Check to see if the specified role allows the specified permission.  Any authenticated user may make this request.
+     */
+    RoleApi.prototype.rolePermits = function (requestParameters, initOverrides) {
+        return __awaiter(this, void 0, void 0, function () {
+            var response;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0: return [4 /*yield*/, this.rolePermitsRaw(requestParameters, initOverrides)];
                     case 1:
                         response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespBasicFromJSON(jsonValue); })];
+                        return [4 /*yield*/, response.value()];
+                    case 2: return [2 /*return*/, _a.sent()];
                 }
             });
         });
     };
     /**
-     * Update an existing role\'s decription using a request body.  The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Update an existing role\'s decription using a request body. The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     */
+    RoleApi.prototype.updateRoleDescriptionRaw = function (requestParameters, initOverrides) {
+        return __awaiter(this, void 0, void 0, function () {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling updateRoleDescription().');
+                        }
+                        if (requestParameters['reqUpdateRoleDescription'] == null) {
+                            throw new runtime.RequiredError('reqUpdateRoleDescription', 'Required parameter "reqUpdateRoleDescription" was null or undefined when calling updateRoleDescription().');
+                        }
+                        queryParameters = {};
+                        headerParameters = {};
+                        headerParameters['Content-Type'] = 'application/json';
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
+                    case 1:
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/updateDesc/{roleName}".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqUpdateRoleDescriptionToJSON)(requestParameters['reqUpdateRoleDescription']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespBasicFromJSON)(jsonValue); })];
+                }
+            });
+        });
+    };
+    /**
+     * Update an existing role\'s decription using a request body. The size limit on a description is 2048 characters.  This request is authorized if the requestor is the role owner or an administrator.
      */
     RoleApi.prototype.updateRoleDescription = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -747,45 +945,46 @@ var RoleApi = /** @class */ (function (_super) {
         });
     };
     /**
-     * Update an existing role\'s name using a request body.  Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character.  The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Update an existing role\'s name using a request body. Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character. The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator.
      */
     RoleApi.prototype.updateRoleNameRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-                            throw new runtime.RequiredError('roleName', 'Required parameter requestParameters.roleName was null or undefined when calling updateRoleName.');
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling updateRoleName().');
                         }
-                        if (requestParameters.reqUpdateRoleName === null || requestParameters.reqUpdateRoleName === undefined) {
-                            throw new runtime.RequiredError('reqUpdateRoleName', 'Required parameter requestParameters.reqUpdateRoleName was null or undefined when calling updateRoleName.');
+                        if (requestParameters['reqUpdateRoleName'] == null) {
+                            throw new runtime.RequiredError('reqUpdateRoleName', 'Required parameter "reqUpdateRoleName" was null or undefined when calling updateRoleName().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/updateName/{roleName}".replace("{" + "roleName" + "}", encodeURIComponent(String(requestParameters.roleName))),
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqUpdateRoleNameToJSON(requestParameters.reqUpdateRoleName),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespBasicFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/updateName/{roleName}".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqUpdateRoleNameToJSON)(requestParameters['reqUpdateRoleName']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespBasicFromJSON)(jsonValue); })];
                 }
             });
         });
     };
     /**
-     * Update an existing role\'s name using a request body.  Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character.  The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator.
+     * Update an existing role\'s name using a request body. Role names are case sensitive, alphanumeric strings that can contain underscores but must begin with an alphabetic character. The limit on role name is 58 characters.  This request is authorized if the requestor is the role owner or an administrator.
      */
     RoleApi.prototype.updateRoleName = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
@@ -806,35 +1005,36 @@ var RoleApi = /** @class */ (function (_super) {
      */
     RoleApi.prototype.updateRoleOwnerRaw = function (requestParameters, initOverrides) {
         return __awaiter(this, void 0, void 0, function () {
-            var queryParameters, headerParameters, response;
-            return __generator(this, function (_a) {
-                switch (_a.label) {
+            var queryParameters, headerParameters, _a, _b, response;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
                     case 0:
-                        if (requestParameters.roleName === null || requestParameters.roleName === undefined) {
-                            throw new runtime.RequiredError('roleName', 'Required parameter requestParameters.roleName was null or undefined when calling updateRoleOwner.');
+                        if (requestParameters['roleName'] == null) {
+                            throw new runtime.RequiredError('roleName', 'Required parameter "roleName" was null or undefined when calling updateRoleOwner().');
                         }
-                        if (requestParameters.reqUpdateRoleOwner === null || requestParameters.reqUpdateRoleOwner === undefined) {
-                            throw new runtime.RequiredError('reqUpdateRoleOwner', 'Required parameter requestParameters.reqUpdateRoleOwner was null or undefined when calling updateRoleOwner.');
+                        if (requestParameters['reqUpdateRoleOwner'] == null) {
+                            throw new runtime.RequiredError('reqUpdateRoleOwner', 'Required parameter "reqUpdateRoleOwner" was null or undefined when calling updateRoleOwner().');
                         }
                         queryParameters = {};
-                        if (requestParameters.pretty !== undefined) {
-                            queryParameters['pretty'] = requestParameters.pretty;
-                        }
                         headerParameters = {};
                         headerParameters['Content-Type'] = 'application/json';
-                        if (this.configuration && this.configuration.apiKey) {
-                            headerParameters["X-Tapis-Token"] = this.configuration.apiKey("X-Tapis-Token"); // TapisJWT authentication
-                        }
-                        return [4 /*yield*/, this.request({
-                                path: "/security/role/updateOwner/{roleName}".replace("{" + "roleName" + "}", encodeURIComponent(String(requestParameters.roleName))),
-                                method: 'POST',
-                                headers: headerParameters,
-                                query: queryParameters,
-                                body: models_1.ReqUpdateRoleOwnerToJSON(requestParameters.reqUpdateRoleOwner),
-                            }, initOverrides)];
+                        if (!(this.configuration && this.configuration.apiKey)) return [3 /*break*/, 2];
+                        _a = headerParameters;
+                        _b = "X-Tapis-Token";
+                        return [4 /*yield*/, this.configuration.apiKey("X-Tapis-Token")];
                     case 1:
-                        response = _a.sent();
-                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return models_1.RespBasicFromJSON(jsonValue); })];
+                        _a[_b] = _c.sent(); // TapisJWT authentication
+                        _c.label = 2;
+                    case 2: return [4 /*yield*/, this.request({
+                            path: "/security/role/updateOwner/{roleName}".replace("{".concat("roleName", "}"), encodeURIComponent(String(requestParameters['roleName']))),
+                            method: 'POST',
+                            headers: headerParameters,
+                            query: queryParameters,
+                            body: (0, index_1.ReqUpdateRoleOwnerToJSON)(requestParameters['reqUpdateRoleOwner']),
+                        }, initOverrides)];
+                    case 3:
+                        response = _c.sent();
+                        return [2 /*return*/, new runtime.JSONApiResponse(response, function (jsonValue) { return (0, index_1.RespBasicFromJSON)(jsonValue); })];
                 }
             });
         });