From 03bc7888b1542735182871cf53f0562778e8b048 Mon Sep 17 00:00:00 2001 From: Darcy Ye Date: Sat, 7 Oct 2023 17:54:14 +0800 Subject: [PATCH] chore: add M2M RBAC changeset for @logto/core and update changelog (#4618) --- .changeset/early-squids-cheat.md | 31 +++++++++++++++++++++++++++++++ packages/console/CHANGELOG.md | 4 +--- 2 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 .changeset/early-squids-cheat.md diff --git a/.changeset/early-squids-cheat.md b/.changeset/early-squids-cheat.md new file mode 100644 index 000000000..95b53da0b --- /dev/null +++ b/.changeset/early-squids-cheat.md @@ -0,0 +1,31 @@ +--- +"@logto/core": minor +--- + +machine-to-machine (M2M) role-based access control (RBAC) + +### Summary + +This feature enables Logto users to apply role-based access control (RBAC) to their machine-to-machine (M2M) applications. + +With the update, Logto users can now effectively manage permissions for their M2M applications, resulting in improved security and flexibility. + +Following new APIs are added for M2M role management: + +**Applications** +- `POST /applications/:appId/roles` assigns role(s) to the M2M application +- `DELETE /applications/:appId/roles/:roleId` deletes the role from the M2M application +- `GET /applications/:appId/roles` lists all roles assigned to the M2M application + +**Roles** +- `POST /roles/:roleId/applications` assigns the role to multiple M2M applications +- `DELETE /roles/:roleId/applications/:appId` removes the M2M application assigned to the role +- `GET /roles/:roleId/applications` lists all M2M applications granted with the role + +Updated following API: + +**Roles** +- `POST /roles` to specify the role type (either `user` or `machine-to-machine` role) + +**Users** +- `POST /users/:userId/roles` to prevent assigning M2M roles to end-users diff --git a/packages/console/CHANGELOG.md b/packages/console/CHANGELOG.md index 62bfce49a..6baae25c2 100644 --- a/packages/console/CHANGELOG.md 
+++ b/packages/console/CHANGELOG.md @@ -10,9 +10,7 @@ This feature enables Logto users to apply role-based access control (RBAC) to their machine-to-machine (M2M) applications. - In Logto, we have enabled Logto users to utilize RBAC to manage their own end-users. However, the methods for M2M connections and authorization are even more prevalent and critical across various use cases than end-user access management. - - From now on, Logto enables it's users to manage their M2M applications using RBAC. + With the update, Logto users can now effectively manage permissions for their M2M applications, resulting in improved security and flexibility. #### New role type: machine-to-machine
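Review bot: In the new `.changeset/early-squids-cheat.md`, the "Updated following API" section says `POST /roles` now accepts a role type (`user` or `machine-to-machine`) but does not say what happens when the type is omitted; since this ships as a `minor` bump, state explicitly whether existing callers that never send a type keep creating `user` roles, so the backward-compatibility claim is verifiable from the changelog. Two wording fixes in the same hunk: "Following new APIs are added" should read "The following new APIs are added", and "`DELETE /roles/:roleId/applications/:appId` removes the M2M application assigned to the role" is clearer as "removes the role from the given M2M application", which mirrors the phrasing used for `DELETE /applications/:appId/roles/:roleId` above it.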
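Review bot: The `packages/console/CHANGELOG.md` hunk hand-edits a file that the changesets tooling regenerates at release time, replacing two paragraphs (including the "it's users" typo) with the single sentence "With the update, Logto users can now effectively manage permissions for their M2M applications, resulting in improved security and flexibility.", which is the same text added to the `@logto/core` changeset in this patch. If the console package is meant to get this entry through its own changeset rather than a manual edit, the manual change risks being overwritten or diverging on the next version bump; confirm the console changelog entry is intended to be maintained by hand, or add a matching changeset for `@logto/console` instead.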