feat: Add resource role assignments methods

[atainter]

Description

Adds two new methods on Authorization for listing every role assignment granted on a resource.

• GET /authorization/resources/:resource_id/role_assignments
• GET /authorization/organizations/:organization_id/resources/:resource_type_slug/:external_id/role_assignments
  Both return the same shape as listOrganizationMembershipRoleAssignments. The RoleAssignment response object now also includes organizationMembershipId so callers can identify the membership a given assignment belongs to without an extra lookup.

Changes

• Authorization.listRoleAssignmentsForResource(options) — lists role assignments by internal resourceId, supports pagination.
• Authorization.listResourceRoleAssignments(options) — lists role assignments by organizationId + resourceTypeSlug + externalId, supports pagination.
• Added organizationMembershipId to RoleAssignment (and organization_membership_id to RoleAssignmentResponse) and updated deserializeRoleAssignment to map it.
• Added ListRoleAssignmentsForResourceOptions and ListRoleAssignmentsForResourceByExternalIdOptions interfaces.
• Updated role-assignment.json and list-role-assignments.json fixtures with the new field.

---

Summary by CodeRabbit

• New Features

  • Added two new role-assignment listing methods: by resource ID and by organization + external resource ID. Both support cursor-based pagination.
  • Role assignment objects now include organization membership ID.

• Tests

  • Expanded test coverage for the new listing methods, validating returned list structure, organization membership ID presence, and pagination behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bc530538-684e-4b1e-a643-dbb3a946fb60

📥 Commits

Reviewing files that changed from the base of the PR and between cf7219f and 20f918a.

📒 Files selected for processing (3)

• src/authorization/fixtures/list-role-assignments.json
• src/authorization/fixtures/role-assignment.json
• src/authorization/interfaces/list-role-assignments-for-resource-by-external-id-options.interface.ts

✅ Files skipped from review due to trivial changes (1)

• src/authorization/fixtures/list-role-assignments.json

🚧 Files skipped from review as they are similar to previous changes (2)

• src/authorization/interfaces/list-role-assignments-for-resource-by-external-id-options.interface.ts
• src/authorization/fixtures/role-assignment.json

---

📝 Walkthrough

Walkthrough

Adds two Authorization methods to list role assignments (by resourceId and by organizationId/resourceTypeSlug/externalId), extends RoleAssignment types/serializer to include organizationMembershipId, updates fixtures and tests to assert the new field and pagination behavior.

Changes

Cohort / File(s)	Summary
Core API Methods src/authorization/authorization.ts	Adds listRoleAssignmentsForResource() and listResourceRoleAssignments() that build /role_assignments queries and return paginated RoleAssignment results.
Type Definitions src/authorization/interfaces/index.ts, src/authorization/interfaces/list-role-assignments-for-resource-options.interface.ts, src/authorization/interfaces/list-role-assignments-for-resource-by-external-id-options.interface.ts, src/authorization/interfaces/role-assignment.interface.ts	Exports new list-options interfaces; adds organizationMembershipId to RoleAssignment and organization_membership_id to API response type.
Data Serialization src/authorization/serializers/role-assignment.serializer.ts	Deserializer now maps organization_membership_id -> organizationMembershipId.
Tests & Fixtures src/authorization/authorization.spec.ts, src/authorization/fixtures/...	Tests extended to cover the two new listing methods, assert endpoint URLs, pagination query params (limit, after, before, order with default desc), response list structure and presence of organizationMembershipId; fixtures updated to include organization_membership_id.

Possibly related PRs

• feat!: standardize authorization list endpoint pagination #1553 — Modifies authorization listing endpoints and tests with similar pagination and role-assignment listing changes.

Suggested reviewers

• cmatheson

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding two new methods for listing resource role assignments, which is the core feature of this PR.
Description check	✅ Passed	The PR description provides a clear explanation of the changes, including the new methods, API endpoints, model updates, and fixtures modified. However, the documentation template section is not filled out.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch at-list-resource-role-assignments

---

_{Review rate limit: 3/5 reviews remaining, refill in 13 minutes and 7 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[greptile-apps]

Greptile Summary

This PR adds two new methods to the Authorization class — listRoleAssignmentsForResource (by internal resource ID) and listResourceRoleAssignments (by org + resource type + external ID) — both returning AutoPaginatable<RoleAssignment>. It also extends RoleAssignment and RoleAssignmentResponse with organizationMembershipId/organization_membership_id. The implementation faithfully mirrors the existing listOrganizationMembershipRoleAssignments pattern and all fixtures, serializers, interfaces, and tests are updated consistently.

Confidence Score: 5/5

This PR is safe to merge — the implementation is clean, consistent with existing patterns, and all previously raised concerns have been addressed by the author.

No new P0 or P1 issues found. The two new methods faithfully mirror the existing listOrganizationMembershipRoleAssignments pattern, the serializer correctly maps the new field, and test coverage is solid. All previously flagged concerns (organizationMembershipId optionality, externalId URL-encoding) were confirmed as deliberate API design choices by the author.

No files require special attention.

Important Files Changed

Filename	Overview
src/authorization/authorization.ts	Adds listRoleAssignmentsForResource and listResourceRoleAssignments following the exact same AutoPaginatable pattern as the existing listOrganizationMembershipRoleAssignments method.
src/authorization/interfaces/role-assignment.interface.ts	Adds organizationMembershipId to RoleAssignment and organization_membership_id to RoleAssignmentResponse; typing aligns with the deployed API contract confirmed by the author.
src/authorization/serializers/role-assignment.serializer.ts	Correctly maps organization_membership_id → organizationMembershipId in deserializeRoleAssignment.
src/authorization/authorization.spec.ts	Good test coverage for both new methods: URL path construction, organizationMembershipId presence, and forward/backward pagination parameters all verified.
src/authorization/interfaces/list-role-assignments-for-resource-options.interface.ts	New interface extending PaginationOptions with resourceId; clean and minimal.
src/authorization/interfaces/list-role-assignments-for-resource-by-external-id-options.interface.ts	New interface extending PaginationOptions with organizationId, resourceTypeSlug, and externalId; correct shape for the external-ID endpoint.
src/authorization/fixtures/list-role-assignments.json	Updated fixture to include organization_membership_id and reformatted to 2-space indentation consistent with role-assignment.json.
src/authorization/fixtures/role-assignment.json	Updated fixture to include organization_membership_id.
src/authorization/interfaces/index.ts	Exports the two new option interfaces correctly.

Sequence Diagram

sequenceDiagram
    participant Caller
    participant Authorization
    participant WorkOS API

    Caller->>Authorization: listRoleAssignmentsForResource({ resourceId, ...pagination })
    Authorization->>WorkOS API: GET /authorization/resources/:resourceId/role_assignments
    WorkOS API-->>Authorization: { object: "list", data: RoleAssignmentResponse[] }
    Authorization-->>Caller: AutoPaginatable<RoleAssignment>

    Caller->>Authorization: listResourceRoleAssignments({ organizationId, resourceTypeSlug, externalId, ...pagination })
    Authorization->>WorkOS API: GET /authorization/organizations/:orgId/resources/:typeSlug/:externalId/role_assignments
    WorkOS API-->>Authorization: { object: "list", data: RoleAssignmentResponse[] }
    Authorization-->>Caller: AutoPaginatable<RoleAssignment>

Loading

_{Reviews (3): Last reviewed commit: "prettier" | Re-trigger Greptile}

[greptile-apps]

organizationMembershipId typed as required but may be nullable

organizationMembershipId is declared as a non-optional string, but the new resource-level listing endpoints return assignments across all org memberships. If the API can ever return a null organization_membership_id (e.g., for roles granted at an org level without a specific membership, or for legacy records), callers reading assignment.organizationMembershipId will get undefined at runtime while TypeScript guarantees it's a string. Consider typing it as string | null to match the JSON wire type accurately.

Suggested change

	/** The ID of the organization membership the role is assigned to. */
	organizationMembershipId: string;
	/** The ID of the organization membership the role is assigned to. */
	organizationMembershipId: string | null;

[atainter]

Deployed API with non-optional response parameter

[greptile-apps]

Response interface also typed as required

RoleAssignmentResponse.organization_membership_id is declared as a non-optional string. If the API omits or nulls the field on any existing or future record, the deserializer will silently propagate undefined while TypeScript believes the field is always a string. This should stay in sync with whatever optionality is chosen for organizationMembershipId on RoleAssignment.

Suggested change

	organization_membership_id: string;
	organization_membership_id: string | null;

[atainter]

Deployed API with non-optional response parameter

[greptile-apps]

externalId is not URL-encoded in the path

externalId is interpolated directly into the URL path. If a caller passes a value containing /, ?, #, or other URL-special characters (e.g. "docs/2024", "proj #5"), the resulting URL will be malformed and the request will hit the wrong endpoint or fail. The same pattern exists in getOrganizationResource and other methods, but this new endpoint exposes the same pre-existing gap. Consider wrapping each path segment with encodeURIComponent.

Suggested change

	),
	(params) =>
	const endpoint = `/authorization/organizations/${encodeURIComponent(organizationId)}/resources/${encodeURIComponent(resourceTypeSlug)}/${encodeURIComponent(externalId)}/role_assignments`;

[linear-code]

ENT-5699 ListRoleAssignmentsForResource Node SDK updates (user role assignments)