Directus Spotlight: Permissions and Access Control
By Rijk van Zanten on August 2, 2022
When you’re creating a data-driven project, such as a digital experience, internal tool or SaaS app, flexibility and control are essential. Directus strives to provide maximum flexibility through its many configuration options, but nowhere is that more crucial than in the open-ended user permissions that control data access.
Directus provides granular permissions and role-based access control (RBAC): administrators assign users to roles, grant each role any combination of access privileges, and refine those grants with rule-based filters at a very granular level, keeping complete control over who can access and act on data within a project or app.
Let’s dive into the details.
Setting Permissions and Roles
Configuring roles and permissions in your Directus project is simple. When you set up a project, go to Settings > Roles and Permissions. A blank project starts with two pre-configured roles: Public and Administrator. The Public role defines what API data is available without authenticating, and the Administrator role gives project owners unrestricted access to the App and API.
The Administrator role always has every permission enabled and cannot be restricted. As the owner/admin of the project, you can create any number of new roles and grant each one a different level of access based on the standard CRUD+S operations (create, read, update, delete and share).
To create a new role, click the plus sign in the upper right-hand corner of the Roles and Permissions page, then set any combination of access rules for users assigned that role. Directus lets you set these rules per collection and per operation.
Each permission can be toggled on (full access) or off (no access), or given a completely custom configuration. Choosing “Use Custom” opens a drawer with options specific to that operation: an item filter (the rule that decides which items the operation applies to) and a field allow-list, plus field validation and presets for create and update. For example, you can restrict which fields the Staff role may update within the Articles collection.
Underneath the collection rules is a “System Collections” toggle. Enabling it expands the list to include the Directus system collections (users, files, folders, roles and so on), so their permissions can be tailored per role as well.
Here you can override the permissions for all system data based on your specific project needs. If you make a mistake or want to lock things down, you can reset the system-collection permissions to the “App Access Minimum” or “Recommended Defaults” preset using the shortcut buttons at the bottom of the table. App Access Minimum grants only what the App itself needs in order to function, so it is the safer starting point: begin there and add grants deliberately.
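To make the “rule as filter” idea concrete, here is an added example written for this article; it is a simplified model, not Directus’s own authorization code. Each permission row follows the shape of a Directus permission (role, collection, action, a filter under `permissions`, a field allow-list under `fields`), and the filter syntax mirrors the Directus query filter (`_eq`, `_neq`, `_in`, `_nin`, `_and`, `_or`, and the dynamic variables `$CURRENT_USER` and `$CURRENT_ROLE`). The role ids, users and articles are constructed sample data, and the decision to reject a request that names a disallowed field, rather than silently trimming it, is this model’s own choice.

```javascript
// Added example: a simplified model of Directus-style role permissions (not Directus code).
// Constructed sample rules: Public (role null) reads only published articles and only a few
// fields; Staff reads everything, creates articles, and updates only its own articles, and
// then only the title and body (never status or author).
const PERMISSIONS = [
  { role: null, collection: "articles", action: "read",
    permissions: { status: { _eq: "published" } }, fields: ["id", "title", "body"] },
  { role: "staff", collection: "articles", action: "read", permissions: {}, fields: ["*"] },
  { role: "staff", collection: "articles", action: "create", permissions: {}, fields: ["title", "body"] },
  { role: "staff", collection: "articles", action: "update",
    permissions: { user_created: { _eq: "$CURRENT_USER" } }, fields: ["title", "body"] },
];

const OPERATORS = {
  _eq: (a, b) => a === b,
  _neq: (a, b) => a !== b,
  _in: (a, b) => Array.isArray(b) && b.includes(a),
  _nin: (a, b) => Array.isArray(b) && !b.includes(a),
};

// Dynamic variables are substituted from the request context, never from the item itself.
function resolveDynamic(value, ctx) {
  if (value === "$CURRENT_USER") return ctx.userId;
  if (value === "$CURRENT_ROLE") return ctx.role;
  return value;
}

// Evaluate a filter against one item. An empty filter matches every item.
function matches(filter, item, ctx) {
  if (!filter || Object.keys(filter).length === 0) return true;
  return Object.entries(filter).every(([key, cond]) => {
    if (key === "_and") return cond.every((sub) => matches(sub, item, ctx));
    if (key === "_or") return cond.some((sub) => matches(sub, item, ctx));
    return Object.entries(cond).every(([op, raw]) => {
      const fn = OPERATORS[op];
      if (!fn) throw new Error(`unsupported operator ${op}`); // fail closed on unknown operators
      const rhs = Array.isArray(raw) ? raw.map((v) => resolveDynamic(v, ctx)) : resolveDynamic(raw, ctx);
      return fn(item[key], rhs);
    });
  });
}

// Decide whether ctx ({ userId, role, admin }) may perform `action` on `item` in
// `collection`, touching `fields`. Admin bypasses every rule, as in Directus. Anything not
// explicitly granted is denied, and a request that names a field outside the allow-list is
// rejected outright rather than silently trimmed (this model's choice, to fail closed).
function authorize(ctx, collection, action, item, fields = []) {
  if (ctx.admin) return { allowed: true, deniedFields: [] };
  const rule = PERMISSIONS.find(
    (p) => p.role === ctx.role && p.collection === collection && p.action === action,
  );
  if (!rule) return { allowed: false, deniedFields: [] };
  if (!matches(rule.permissions, item, ctx)) return { allowed: false, deniedFields: [] };
  const deniedFields = rule.fields.includes("*") ? [] : fields.filter((f) => !rule.fields.includes(f));
  return { allowed: deniedFields.length === 0, deniedFields };
}

// The "rule as filter" view: which rows of a collection can this context read at all?
function readableItems(ctx, collection, items) {
  return items.filter((item) => authorize(ctx, collection, "read", item).allowed);
}

// Constructed sample data and request contexts (hypothetical ids).
const ARTICLES = [
  { id: 1, title: "Hello", body: "...", status: "published", user_created: "u-alice" },
  { id: 2, title: "Draft", body: "...", status: "draft", user_created: "u-alice" },
  { id: 3, title: "Bob's post", body: "...", status: "published", user_created: "u-bob" },
];
const PUBLIC = { userId: null, role: null, admin: false };
const ALICE = { userId: "u-alice", role: "staff", admin: false };
const BOB = { userId: "u-bob", role: "staff", admin: false };
const ADMIN = { userId: "u-root", role: "administrator", admin: true };

console.log(readableItems(PUBLIC, "articles", ARTICLES).map((a) => a.id)); // [1, 3]
console.log(authorize(ALICE, "articles", "update", ARTICLES[1], ["title"]).allowed); // true
console.log(authorize(BOB, "articles", "update", ARTICLES[1], ["title"]).allowed); // false
console.log(authorize(ALICE, "articles", "update", ARTICLES[1], ["title", "status"])); // denied: status
console.log(authorize(ADMIN, "articles", "delete", ARTICLES[1]).allowed); // true
```

Two points worth noticing: the Staff update rule never mentions Bob, yet Bob cannot edit Alice’s article, because `$CURRENT_USER` is resolved from the authenticated request, not from anything the client sends; and a delete request from Staff fails even though no rule says “deny”, because the absence of a grant is itself the denial.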
Creating Access Tokens
Roles do not only govern people using the App: they also define programmatic access via the API. Every user can authenticate against the API with their credentials, and a user can also be assigned a static token that is sent as a bearer token on each request, which makes that authentication even easier. Either way, the request receives exactly the permissions of the user’s role, so give each integration its own user in a narrowly scoped role rather than reusing an administrator account. A static token does not expire on its own, so treat it like a password: keep it in a secrets store, never in source control, and revoke it by clearing the token from the user.
Assigning Roles to Users
Once you’ve created all of your roles and defined access rules for each, you can start adding users to them. Simply click the “Invite Users” icon at the top right-hand corner of the screen, and enter the new user’s email. The rules that you’ve set for a particular role will determine what a user assigned to that role can see and do within your project.
Below the permission rules, there are a number of other fields that further tailor the role’s access, including:
- App Access: Whether or not users in the role can use the App interface (a role without it is API-only)
- Admin Access: Gives the role full data permissions and access to settings
- IP Access: Restricts which IP addresses users in the role may access the project from
- Two-Factor Authentication: Requires users in the role to configure multi-factor authentication before they can use the project
To help keep things organized, you can also enter a description for the role, choose an icon to represent it, and add users.
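The role-level gates above apply before any collection permission is consulted. The following is an added example written for this article that models those gates; it is not Directus’s own code. The property names (`app_access`, `admin_access`, `ip_access` and `enforce_tfa` on the role, `tfa_secret` on the user) follow the Directus data model, while the IPv4/CIDR matching and the order of the checks are this example’s own. The roles, users and addresses are constructed.

```javascript
// Added example: a model of the role-level gates a Directus role carries (not Directus code).
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// An allow-list entry is a single address ("203.0.113.7") or a CIDR range ("10.0.0.0/8").
function ipInEntry(ip, entry) {
  const [net, bitsStr] = entry.trim().split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${entry}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// An empty allow-list means the role has no IP restriction at all.
function ipAllowed(allowList, ip) {
  if (!allowList || allowList.length === 0) return true;
  return allowList.some((entry) => ipInEntry(ip, entry));
}

// Gate a request by `user` (holding `role`) from `clientIp`. `wantsApp` is true when the
// request is for the App UI rather than a bare API call. The reason is returned so the
// server can log why access was refused without echoing that detail to the client.
function roleGate(role, user, clientIp, { wantsApp = false } = {}) {
  const deny = (reason) => ({ allowed: false, reason });
  if (wantsApp && !role.app_access) return deny("role has no App access");
  if (!ipAllowed(role.ip_access, clientIp)) return deny(`client IP ${clientIp} not in role allow-list`);
  if (role.enforce_tfa && !user.tfa_secret) return deny("role requires two-factor authentication");
  return { allowed: true, reason: "ok" };
}

// Constructed sample roles and users. admin_access is carried for completeness; it is
// consumed by the collection-permission check (admin bypass), not by this gate.
const STAFF = { name: "Staff", app_access: true, admin_access: false,
  ip_access: ["10.0.0.0/8", "203.0.113.7"], enforce_tfa: true };
const INTEGRATION = { name: "Integration", app_access: false, admin_access: false,
  ip_access: ["192.0.2.0/24"], enforce_tfa: false };
const ALICE = { email: "alice@example.com", tfa_secret: "constructed-totp-secret" };
const BOB = { email: "bob@example.com", tfa_secret: null };
const BOT = { email: "bot@example.com", tfa_secret: null };

console.log(roleGate(STAFF, ALICE, "10.20.30.40", { wantsApp: true }));   // allowed
console.log(roleGate(STAFF, BOB, "203.0.113.7", { wantsApp: true }));     // denied: no 2FA enrolled
console.log(roleGate(INTEGRATION, BOT, "192.0.2.9", { wantsApp: true })); // denied: API-only role
console.log(roleGate(INTEGRATION, BOT, "192.0.2.9"));                     // allowed: API call from allowed range
```

The Integration role illustrates the pattern the previous section recommends for static tokens: no App access, a tight IP allow-list covering only the hosts that should hold the token, and no 2FA requirement because nobody types a code for a bot. Note that the IP check is only as trustworthy as the client address your reverse proxy reports, so make sure forwarded headers are set by the proxy and not passed through from the client.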
Maximum Flexibility and Control
The beauty of Directus is that you can set very specific permissions and access rules using simple, easy-to-understand controls. Any number of roles, each with its own combination of rules, gives you fine-grained control over access. What’s more, Directus records activity and revisions, so you can see what has changed in the system over time and who made each change.
In the current version of Directus, each user can be assigned to only one role. We are looking into expanding that functionality so that the permissions of multiple roles can be combined for a given user. Stay tuned for updates on this useful tool!
To find out about all the cool things you can do with Directus, check out more of our spotlights. If you're new to Directus, get started with Directus Cloud.