Remove an organization role from a user
Use remove_user_role to revoke an organization role a user currently
holds directly. Like the other write tools in this plugin, this mutates
permissions across every repo the role’s definition covers — read
the confirm-echo contract
before your first call if you haven’t used one of this plugin’s write tools
before.
Prerequisites
Section titled “Prerequisites”github-org-identityinstalled.- A GitHub token resolvable via
GITHUB_TOKENorgh auth token, with the org’sadmin:orgscope or App-installationmembers/organization_administrationpermission. - The numeric
roleIdand the user’susername. Confirm the user actually holds the role first with list_role_users — this tool does no pre-check of current state before calling the GitHub API. - Note: if a user holds the role only through team membership (not a direct grant), this call targets the direct-assignment endpoint and will not remove a role that’s only inherited via a team — remove it from the team instead with remove_team_role.
-
Ask for the tool, passing the role id twice — once as
roleId, once asconfirmRoleId— plus the username:Use
remove_user_rolefor orgmy-org, roleId8132, confirmRoleId8132, usernameoctocat.The two role-id fields must be identical, or the call throws
confirmation_mismatchbefore any GitHub API request is made. -
On success you get back
{ "org": "my-org", "roleId": 8132, "username": "octocat" }. -
Confirm the removal took effect with list_role_users — the user should no longer appear as a direct holder of that role.
If the call fails
Section titled “If the call fails”confirmation_mismatch—roleIdandconfirmRoleIddidn’t match; no API call was made.missing_scope— no resolvable token.github_api_error— theroleIddoesn’t exist, theusernameisn’t an org member, or the identity lacks org-roles write access.
Assign a role to a user, or the equivalent team-scoped tools: assign_team_role / remove_team_role.