Set Access Permissions for landing.site.setRights

If you are developing integrations for Bitrix24 using AI tools (Codex, Claude Code, Cursor), connect to the MCP server so that the assistant can utilize the official REST documentation.

Scope: landing

Who can execute the method: administrator or user with "full access" permission to the "Sites and Stores" section

The method landing.site.setRights sets access permissions in the advanced permission model for the specified site.

This method only works in the advanced permission model. If the role model is enabled in the "Sites and Stores" section, the call will return true, but the saved permissions will not be applied. To enable the advanced permission model, use the method landing.role.enable with the value mode: 0.

Method Parameters

Required parameters are marked with *

Name
type

Description

id*
integer | string

Site identifier.

The site identifier can be obtained using the method landing.site.getList or from the result of the method landing.site.add.

The special value 0 allows saving a separate set of permissions. Individual permissions for a specific site are set by its id

rights
object | array

Object format:

{
            "access_code_1": ["operation_1", "operation_2"],
            "access_code_2": ["operation_1"]
        }

where:

  • access_code_n — access code
  • operation_n — operation code

The list of access codes and operations is described below. The method completely replaces previously saved individual permissions for the site.

If the parameter is not passed, an empty object {} or an empty array [] is passed, the method will clear the individual permissions for the site

Parameter rights

Name
type

Description

<ACCESS_CODE>
string[]

List of operations for a single access code.

Possible values:
denied - deny access
read - allow viewing the site
edit - allow editing the site pages
sett - allow changing site settings
public - allow publishing the site
delete - allow moving the site to the trash and restoring it

If denied is present in the set, all other operations for this access code are ignored.

If read is not present in the set and denied is absent, the method will automatically add read. Unknown operation codes are ignored without error

Use Bitrix24 access codes as keys for the rights object. Common options include:

  • U<ID> - user
  • G<ID> - user group
  • DR<ID> - department along with sub-departments
  • UA - all users, including guests
  • AU - all authorized users
  • SG<ID> - working group

If access is needed only for authorized users, use AU. The code UA opens access to all users, including guests. The method does not check the format of the access code when saving. If an unsupported code is passed, the request will complete without error, but such a code will not provide working access.

Code Examples

How to Use Examples in Documentation

curl -X POST \
          -H "Content-Type: application/json" \
          -d '{
            "id": 645,
            "rights": {
              "AU": ["read"],
              "U3": ["read", "edit", "sett", "public"]
            }
          }' \
          "https://**put.your-domain-here**/rest/**user_id**/**webhook_code**/landing.site.setRights.json"
        
curl -X POST \
          -H "Content-Type: application/json" \
          -d '{
            "id": 645,
            "rights": {
              "AU": ["read"],
              "U3": ["read", "edit", "sett", "public"]
            },
            "auth": "**put_access_token_here**"
          }' \
          "https://**put.your-domain-here**/rest/landing.site.setRights.json"
        
try
        {
            const response = await $b24.callMethod(
                'landing.site.setRights',
                {
                    id: 645,
                    rights: {
                        AU: ['read'],
                        U3: ['read', 'edit', 'sett', 'public']
                    }
                }
            );
        
            const result = response.getData().result;
            console.info(result);
        }
        catch (error)
        {
            console.error(error);
        }
        
try {
            $response = $b24Service
                ->core
                ->call(
                    'landing.site.setRights',
                    [
                        'id' => 645,
                        'rights' => [
                            'AU' => ['read'],
                            'U3' => ['read', 'edit', 'sett', 'public'],
                        ],
                    ]
                );
        
            $result = $response
                ->getResponseData()
                ->getResult();
        
            echo 'Success: ' . var_export($result, true);
        } catch (Throwable $e) {
            error_log($e->getMessage());
            echo 'Error setting site rights: ' . $e->getMessage();
        }
        
BX24.callMethod(
            'landing.site.setRights',
            {
                id: 645,
                rights: {
                    AU: ['read'],
                    U3: ['read', 'edit', 'sett', 'public']
                }
            },
            function(result)
            {
                if (result.error())
                {
                    console.error(result.error());
                }
                else
                {
                    console.info(result.data());
                }
            }
        );
        
require_once('crest.php');
        
        $result = CRest::call(
            'landing.site.setRights',
            [
                'id' => 645,
                'rights' => [
                    'AU' => ['read'],
                    'U3' => ['read', 'edit', 'sett', 'public'],
                ],
            ]
        );
        
        if (isset($result['error']))
        {
            echo 'Error: ' . $result['error_description'];
        }
        else
        {
            echo '<pre>';
            print_r($result['result']);
            echo '</pre>';
        }

Response Handling

HTTP Status: 200

{
            "result": true,
            "time": {
                "start": 1775055086,
                "finish": 1775055086.8533,
                "duration": 0.8533000946044922,
                "processing": 0,
                "date_start": "2026-04-01T17:51:26+02:00",
                "date_finish": "2026-04-01T17:51:26+02:00",
                "operating_reset_at": 1775055686,
                "operating": 0
            }
        }

Returned Data

Name
type

Description

result
boolean

Result of saving permissions.

  • true — permissions successfully saved or cleared
  • false — site with such id not found or already in the trash

The method does not return the final list of permissions.

After the call, check the applied permissions using the method landing.site.getRights

time
time

Information about the request execution time

Error Handling

HTTP Status: 400

{
            "error": "MISSING_PARAMS",
            "error_description": "Not enough call parameters, missing: id"
        }

Name
type

Description

error
string

String error code. It may consist of digits, Latin letters, and underscores

error_description
error_description

Textual description of the error. The description is not intended to be shown to the end user in its raw form

Possible Error Codes

Code

Description

ACCESS_DENIED

User does not have access to the "Sites and Stores" section

IS_NOT_ADMIN

Administrator rights or "full access" permission to the "Sites and Stores" section are required for the method

FEATURE_NOT_AVAIL

Permission settings are not available on the current plan. To work with permissions, switch to another plan

MISSING_PARAMS

Required parameter id not passed

Statuses and System Error Codes

HTTP Status: 20x, 40x, 50x

The errors described below may occur when calling any method.

Status

Code
Error Message

Description

500

INTERNAL_SERVER_ERROR
Internal server error

An internal server error has occurred. Please contact the server administrator or Bitrix24 technical support

500

ERROR_UNEXPECTED_ANSWER
Server returned an unexpected response

An internal server error has occurred. Please contact the server administrator or Bitrix24 technical support

503

QUERY_LIMIT_EXCEEDED
Too many requests

The request intensity limit has been exceeded

405

ERROR_BATCH_METHOD_NOT_ALLOWED
Method is not allowed for batch usage

The current method is not permitted for calls using batch

400

ERROR_BATCH_LENGTH_EXCEEDED
Max batch length exceeded

The maximum length of parameters passed to the batch method has been exceeded

401

NO_AUTH_FOUND
Wrong authorization data

Invalid access token or webhook code

400

INVALID_REQUEST
Https required

The HTTPS protocol is required for method calls

503

OVERLOAD_LIMIT
REST API is blocked due to overload

The REST API is blocked due to overload. This is a manual individual block; please contact Bitrix24 technical support to lift it

403

ACCESS_DENIED
REST API is available only on commercial plans

The REST API is only available on commercial plans

403

INVALID_CREDENTIALS
Invalid request credentials

The user associated with the access token or webhook used to call the method lacks the necessary permissions

404

ERROR_MANIFEST_IS_NOT_AVAILABLE
Manifest is not available

The manifest is not available

403

insufficient_scope
The request requires higher privileges than provided by the webhook token

The request requires higher privileges than those provided by the webhook token

401

expired_token
The access token provided has expired

The provided access token has expired

403

user_access_error
The user does not have access to the application

The user does not have access to the application. This means that the application is installed, but the portal administrator has restricted access to this application to specific users only

500

PORTAL_DELETED
Portal was deleted

The public part of the site is closed. To open the public part of the site on an on-premise installation, disable the "Temporary closure of the public part of the site" option. Path to the setting: Desktop > Settings > Product Settings > Module Settings > Main Module > Temporary closure of the public part of the site

Continue Learning

Previous
Obtain Access Permissions
Next
Overview of Methods