The headline feature of Directus 11 is the brand new permissions system based on policies. This is a big shift in how Directus handles access control, giving you more power and flexibility than ever before.
Policies are essentially sets of rules that determine what users can and can't do in your Directus projects. They can be attached to users or roles, allowing for incredibly fine-grained control over permissions.
Here's what makes policies special:
- Granular Control. You can now set permissions for specific fields, items, or even combinations of conditions.
- Inheritance. Policies don’t override each other; they are additive, with permissions coming from all applied policies. Whether a policy is attached to a role or directly to a user, the policies are added together and you get the combination of all the permissions set in each of them.
- Dynamic Variables. Policies can use dynamic variables like $CURRENT_USER or $CURRENT_ROLE, making it easy to create context-aware permissions that adapt to who's making the request.
- Simplified Management. Despite their power, policies are designed to be easier to manage than the old permissions system. You can create, edit, and assign them through both the API and the Data Studio interface.
A Real-Life Example of Policies in Action
Let’s say you’re a content manager for an international ecommerce site. You need to restrict editors' access to product information based on their geographical region, while still allowing them to view but not edit global brand information.
Here's how policies in Directus 11 could solve this:
- Create a policy that grants full access to product information for a specific region.
- Attach this policy to roles corresponding to each regional team.
- Create another policy that allows read-only access to the global brand information collection.
- Attach this policy to all editor roles.
- Use dynamic variables like $CURRENT_USER to limit the visible sales figures to the user's office location that is stored in the Directus user item.
This setup allows you to:
- Maintain data integrity by ensuring editors only modify products relevant to their region
- Share global brand information across all teams without risk of unauthorized changes
- Easily adjust permissions as your team’s structure or needs change
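The setup above can be modelled in a few lines to see how additive policies and $CURRENT_USER behave together. This is an added example, not Directus code or its permission engine: the collection names (products, brand_info), the region field, the simplified rule shape and the sample users are all assumptions made for illustration.

```javascript
// Simplified model of additive policy evaluation, not Directus's own code.
// Collection names, the `region` field and the sample users are constructed.
const fullAccess = ["create", "read", "update", "delete"];
const policies = {
  // Full access to products, limited to the requesting user's region.
  regionalProducts: fullAccess.map((action) => ({
    collection: "products", action,
    filter: { region: { _eq: "$CURRENT_USER.region" } },
  })),
  brandReadOnly: [{ collection: "brand_info", action: "read", filter: {} }],
  brandEditor: [{ collection: "brand_info", action: "update", filter: {} }],
};

// Resolve "$CURRENT_USER.<field>" against the user making the request.
function resolve(value, user) {
  const prefix = "$CURRENT_USER.";
  return typeof value === "string" && value.startsWith(prefix)
    ? user[value.slice(prefix.length)]
    : value;
}

// An item matches when every field rule holds (only _eq is modelled).
// A variable that resolves to nothing never matches, so a user without
// a region cannot reach items whose region is also unset.
function matches(filter, item, user) {
  return Object.entries(filter).every(([field, rule]) => {
    const wanted = resolve(rule._eq, user);
    return wanted !== undefined && item[field] === wanted;
  });
}

// Additive semantics: rules from role and user policies are pooled and
// the request passes if any single rule grants it. No rule can deny.
function isAllowed(user, action, collection, item) {
  return [...user.rolePolicies, ...user.userPolicies]
    .flatMap((name) => policies[name])
    .some((rule) => rule.collection === collection &&
      rule.action === action && matches(rule.filter, item, user));
}

// Constructed users: a regional editor, and the same editor with one
// extra policy attached directly to the user.
const euEditor = {
  region: "EU",
  rolePolicies: ["regionalProducts", "brandReadOnly"],
  userPolicies: [],
};
const brandLead = { ...euEditor, userPolicies: ["brandEditor"] };
```

In this model the only way to take access away is to detach the policy that grants it, which is worth keeping in mind when reviewing what a user ends up with across all role and user policies.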
We've put a lot of work into making the transition to policies as smooth as possible. The upgrade process includes a migration that will convert your existing permissions to the new policy-based system.
This new system opens up a world of possibilities for access control in Directus. Whether you're running a simple blog or a complex multi-tenant application, policies give you the tools to implement exactly the permission structure you need.
What else is in Directus 11?
While policies steal the spotlight, Directus 11 packs in several other noteworthy updates:
- We've switched to mysql2 for MySQL/MariaDB connections, boosting performance.
- New GraphQL queries and SDK functions for policies are now available.
- We've added a new clear method to cache implementations.
We've also squashed a few bugs from our 11 RC, including fixes for groupBy behavior, aggregation queries, and permissions checks for related fields.
Directus 11 is available now!
Directus 11 is ready for action. You can pull the latest version from Docker Hub or install it via npm right now. As always, we recommend backing up your database before upgrading, especially given the significant changes in this release.
Check out the complete release notes on GitHub for an in-depth look at all the changes, improvements, and fixes in Directus 11.
We can't wait to see what you'll build with these powerful new features. Dive in and let us know what you think in our Discord community at https://directus.chat.