Summary

  • Added setFields to EnvironmentObject and EnvironmentObjectLink responses, and unsetFields to environment object link update overrides. Together they let clients distinguish a set-but-masked secret from an unset field, and clear a link override so it falls back to its parent value.
  • Changed the permission required to update Team roles from the org-wide organization.teams.update to organization.teamRoles.access. This fixes a regression where callers with only deployment-scoped team permissions received 403 errors when assigning a Team to a Deployment.

Added

  • Properties
    • setFields (array of strings, required): added to EnvironmentObject and EnvironmentObjectLink. Names the value and override fields that currently hold a value, including masked secrets. Map members are reported as dotted paths (for example extra.aws_secret).
    • unsetFields (array of strings, maximum 100 items): added to UpdateEnvironmentObjectOverridesRequest. Names override fields to unset on a link so it inherits the parent value. A field can’t be both set and listed in unsetFields in the same request.

Changed

  • POST /organizations/{organizationId}/teams/{teamId}/roles (UpdateTeamRoles) now requires the organization.teamRoles.access permission instead of organization.teams.update. Individual role changes in the request are still authorized against their own scope (organization, workspace, or deployment).