Activity codes in UserInfo response

When calling the userInfo for a user (either in Separate or Combined CIS2) we get back a list of activity codes. In the docs:

This is described as:

An array of Activity Codes assigned to the End-User’s job role e.g. B0021. Only Activity Codes explicitly granted to the job role are listed, the full set of activities that the End-User can perform must be determined by reference to the [National RBAC Database (Excel spreadsheet) [Archive Content]]

Can you clarify what “Only Activity Codes explicitly granted to the job role are listed” means?
I’ve taken it as meaning that if my user has a permission that includes another it will only include the directly granted one and will not list the included one.

If a user role has a baseline set of activities I’ve been assuming that these are included in the response explicitly and we’re not meant to assume that a user always has the baseline RBAC activities of their role.

Can I confirm if the above assumptions are correct please?
Thank you,


Hi Liam - please could I ask which API you’re looking to onboard with?