Rijk van Zanten
Published in Directus
4 min read · Nov 10, 2017

This article was written for a legacy version of Directus. Only reference this information if you are using Directus 6 and can not upgrade to version 7.

Working with Permissions

Deciding who’s allowed to do what.

Oftentimes, you need fine-grained control over who is able to do what with your content: ensuring writers don’t publish unfinished drafts, letting the outside world read your data (but not alter it), giving your development team full access without the ability to make breaking changes. The list goes on and on.

In this article, we’ll take a quick look at how to set up these granular permissions across the platform.

Users and Groups

Directus’ permissions system is based on user groups. You can set the permissions on a per-table basis for every group and assign users to these groups. To do this, head over to the “Group Permissions” page within Settings.

Group Permissions

Directus ships with two default permission groups: ‘Administrator’ and ‘Public’. As the names suggest, the ‘Administrator’ group has full access to everything, while the ‘Public’ group allows you to configure what data can be accessed without authentication.

There’s no need to alter the permissions of the ‘Administrator’ group, as it always maintains system-wide access to everything, even when you extend your schema. This is because altering them could result in locking yourself out of the platform.

For this demo, I’ll be creating an Editor group which grants its users the ability to submit new items in a ‘Projects’ table. Additionally, each user will only be able to delete and update items they’ve created themselves.

To create a new group, click the + button in the top right and enter a name for this group.

Group options

Every user group has several options you can use to control what the users of a group can do and see in the admin panel. Arguably the most important of these is the actual table permissions:

Permissions

Table Permissions Settings

The permissions settings table allows you to pick which actions (view/add/edit/delete) are allowed on which table for this user group. In the example screenshot above, I’ve set it up to allow this user group to view and add projects, view offices and site_settings, and edit projects the user has added. This means a user in this user group can view all projects, but can only edit projects the user has created.

The checkboxes for view, edit, and delete all cycle through “Not Allowed” (empty), “Their Items” (dash/orange), and “Any Items” (check/blue).

Column Write Blacklist Settings

In addition to setting permissions at the “global” table level, it’s also possible to block individual columns from being read or written to. To do this, click on the “Choose Columns” link in either the “Column Read Blacklist” or the “Column Write Blacklist” to set read and write permissions respectively.

This will open an overlay allowing you to pick and choose which columns should be readable/writable.
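
To make the combined effect of the table permissions and the column write blacklist concrete, here is an added sketch that models the demo's Editor group and evaluates requests against it. It is not Directus code: the names `LEVEL`, `editorGroup`, `can`, `filterWrite`, the `created_by` field and the `featured` column are assumptions, and dropping blacklisted columns from a write is this sketch's choice, not documented Directus behaviour.

```javascript
// Illustrative model of the group permissions described above; NOT Directus code.
// Every identifier below is hypothetical and exists only for this example.
const LEVEL = { NOT_ALLOWED: 0, THEIR_ITEMS: 1, ANY_ITEMS: 2 };

// The "Editor" group from the demo. A table missing from this map gets
// no access at all (default deny).
const editorGroup = {
  projects: {
    view: LEVEL.ANY_ITEMS, add: true,
    edit: LEVEL.THEIR_ITEMS, delete: LEVEL.THEIR_ITEMS,
    writeBlacklist: ["featured"], // constructed column name
  },
  offices: { view: LEVEL.ANY_ITEMS, add: false, writeBlacklist: [] },
  site_settings: { view: LEVEL.ANY_ITEMS, add: false, writeBlacklist: [] },
};

// Decide whether userId may perform action on table (and on item, if given).
function can(group, userId, action, table, item) {
  const rule = group[table];
  if (!rule) return false;                        // unlisted table: deny
  if (action === "add") return rule.add === true; // add is a plain on/off
  const level = rule[action] || LEVEL.NOT_ALLOWED;
  if (level === LEVEL.ANY_ITEMS) return true;
  if (level === LEVEL.THEIR_ITEMS) {
    // "Their Items": only rows the user created (created_by is assumed).
    return Boolean(item) && item.created_by === userId;
  }
  return false;
}

// Return the changes with write-blacklisted columns removed,
// or null when the write itself is not permitted.
function filterWrite(group, userId, action, table, item, changes) {
  if (!can(group, userId, action, table, item)) return null;
  const blocked = new Set(group[table].writeBlacklist || []);
  return Object.fromEntries(
    Object.entries(changes).filter(([column]) => !blocked.has(column))
  );
}

// Constructed sample rows: user 7 owns the first, user 9 owns the second.
const ownProject = { id: 1, title: "Draft", created_by: 7 };
const otherProject = { id: 2, title: "Launch", created_by: 9 };

console.log(can(editorGroup, 7, "view", "projects", otherProject));
console.log(can(editorGroup, 7, "edit", "projects", otherProject));
console.log(filterWrite(editorGroup, 7, "edit", "projects", ownProject,
  { title: "Final", featured: true }));
```

Walking a few requests through a model like this before saving a group is a quick way to spot a “Their Items” setting that should have been “Not Allowed”, or a sensitive column missing from the write blacklist.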

Users

This field allows you to add users to this user group from within the permissions settings page. It’s also possible to change an individual user’s group from their User Detail page, but adding multiple people to a group at once would be quite cumbersome that way.

There is also a button here for inviting new users to Directus. With this feature you can send invites to several email addresses and let users set up their account details and credentials themselves.

IP Whitelist

The IP Whitelist setting allows you to specify from which IP addresses users are allowed to access Directus. You can use this as an extra measure of security to ensure people can only log in from a trusted place, like the office.

Nav Override

This setting allows you to override the default left-menu sidebar with your own custom links. The setting is in JSON and uses the following format:

    {
      "Category Name": {
        "Link Title": "/link-url"
      }
    }

As an alternative to this option, you can also opt to use the default menu, and hide some items by using the “Nav Blacklist” option:

Nav Blacklist

The Nav Blacklist option allows you to enter a comma-separated list of table names to exclude from the navigation for this specific user group.

What types of user groups do you use within your Directus instance? We’d love to know in the comments below!

Happy coding!

Your friends at Directus

🐰

PS: Have a good idea on a topic for following articles? Let us know in the comments or join us over on our public Slack channel!
