Current plan level (Free, Team, Business, or Enterprise: Retool | Pricing): Team (exploring via internal APIs)
Monthly/Annual (if Team or Business):
Version of Retool (if self-hosted):
Question / Description:
What I see: GET /api/v2/roles returns only organization roles — every one has isObjectRole: false, a populated organizationScopes array, and an empty objectScopes: []. Example:
```json
{
  "id": "",
  "name": "Editor Role",
  "isObjectRole": false,
  "objectScopes": [],
  "organizationScopes": ["query_library:edit", "user_list:view", "draft_apps:manage", ...]
}
```
The gap: When I read roleGrants (on users/groups), I see a different set of roleIds that are never returned by GET /api/v2/roles — the ones that grant access to apps/workflows/resources/agents. e.g. a grant like:
```json
{ "roleId": "", "subjectType": "group",
  "objectId": "", "objectType": "app" }
```
By cross-referencing the object's access list I can tell corresponds to an Own (or Edit/Use) access level, and the same roleId is reused across many objects/groups. There are also objectId: null variants that appear to mean "all apps" / "all workflows" / "all resources" / etc.
My questions:
- Is there an API to enumerate these object-access roles? GET /api/v2/roles excludes them. Is there a filter/param (e.g. for isObjectRole: true), or a separate endpoint?
- Are these object-role roleId UUIDs stable across organizations/Spaces, or are they per-org? I need to know whether I can rely on a fixed mapping or must resolve them per-org at runtime.
- What is objectScopes, and how do I get a role where it's populated? It's empty on every org role I have. What scope strings live there for object roles (e.g. apps:use?)?
- What's the canonical way to resolve a roleGrant.roleId → its access level (Use/Edit/Own)? Right now I'm joining each grant against the object's access-list endpoint to read the accessLevel label. Is there a more direct mapping?
- For the objectId: null "All-*" grants — how do I programmatically determine which object type each one covers (apps vs workflows vs resources vs agents)?
Trying to reconstruct effective access programmatically, so any pointer to the intended API path here would help. Thanks!
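
The join described in the post (each grant against the object's access list), as an added example that is not from the original post or from Retool. It learns a roleId → access level mapping from concrete grants, reuses it for `objectId: null` grants, and refuses to map a roleId that was observed with more than one level. All IDs are constructed, the `subjectId` field and the access-list shape are assumptions, and no API calls are made.

```python
from collections import defaultdict

# Constructed sample data. Grant fields follow the post, except "subjectId",
# a hypothetical field for the user/group the grant was read from.
GRANTS = [
    {"roleId": "role-A", "subjectType": "group", "subjectId": "g1", "objectId": "app-1", "objectType": "app"},
    {"roleId": "role-A", "subjectType": "group", "subjectId": "g2", "objectId": "app-2", "objectType": "app"},
    {"roleId": "role-B", "subjectType": "group", "subjectId": "g1", "objectId": "app-2", "objectType": "app"},
    {"roleId": "role-B", "subjectType": "group", "subjectId": "g3", "objectId": None, "objectType": "app"},
    {"roleId": "role-C", "subjectType": "user", "subjectId": "u1", "objectId": None, "objectType": "workflow"},
    {"roleId": "role-D", "subjectType": "group", "subjectId": "g4", "objectId": "app-1", "objectType": "app"},
    {"roleId": "role-D", "subjectType": "group", "subjectId": "g4", "objectId": "app-2", "objectType": "app"},
]
# Assumed access-list shape, keyed by (objectType, objectId): (subjectType, subjectId) -> accessLevel.
ACCESS_LISTS = {
    ("app", "app-1"): {("group", "g1"): "Own", ("group", "g4"): "Edit"},
    ("app", "app-2"): {("group", "g2"): "Own", ("group", "g1"): "Use", ("group", "g4"): "Use"},
}

def learn_role_levels(grants, access_lists):
    """Join concrete grants to access lists; return (roleId -> level, conflicting roleIds)."""
    seen = defaultdict(set)
    for g in grants:
        if g["objectId"] is None:
            continue  # "all objects" grants have no single access list to join against
        entries = access_lists.get((g["objectType"], g["objectId"]), {})
        level = entries.get((g["subjectType"], g["subjectId"]))
        if level is not None:
            seen[g["roleId"]].add(level)
    mapping = {r: next(iter(v)) for r, v in seen.items() if len(v) == 1}
    conflicts = {r: sorted(v) for r, v in seen.items() if len(v) > 1}
    return mapping, conflicts

def resolve(grants, mapping):
    """Label every grant; never guess a level for a roleId that was not learned cleanly."""
    return [
        (g["subjectId"], g["objectType"], g["objectId"] or "*", mapping.get(g["roleId"], "UNRESOLVED"))
        for g in grants
    ]

if __name__ == "__main__":
    mapping, conflicts = learn_role_levels(GRANTS, ACCESS_LISTS)
    print(mapping, conflicts)
    for row in resolve(GRANTS, mapping):
        print(row)
```

A roleId that lands in the conflicts set usually means the subject holds more than one grant on the same object, so the access list is showing an effective level and not that single role's level.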