Auth

Access Control

Manage user and role permissions and policies for interacting with data in Directus.

Access control is a critical part of managing data - what different users in their various roles should be able to create, read, update, delete, and share.

You can find Access Control in the Settings module.

A diagram showing the relationship between permissions, policies, roles, and users.

Users

A user is an item in the directus_users collection and typically referring to a person, application, or service that needs access to a Directus project.

Permissions

A single permission set for a collection. The collection is posts, and the actions are create, read, update, delete, and share.

A permission is set on a collection and an action. The available actions in Directus are create, read, update, delete, and share. Permissions can provide all access, no access, or use custom permissions.

Custom Permissions

Custom permissions provide more granularity than 'all' or 'none'. They impact what items and fields a user can access, and have permission-level validation and presets.

Item Permissions

Item permissions with a filter rule that limits access to update items where user_created equals the current user.

Use filter rules to define which items in a collection a user can access.

Field Permissions

Field permissions with limited update access to only the content field.

Define which fields the role is included in this permission. As a permission is scoped to both a collection and an action, a different set of fiends can be provided to each action.

Field Validation

Field validation with some fields not empty and are at least 3 characters long via a regular expression.

Use filter rules to validate field values when an item is created or updated.

Field Presets

Field presets with a default value for the visibility field.

Define default field values when an item is created or updated. The value will appear in Editor, and can later be updated.

Conflicting Permissions & the API
When using the Directus API, only fields you have permission to see will be returned. However, if multiple permissions allow for varying access to the same field, it will always be returned with the value null if not allowed in the given context.You must treat null as both a value and an indication of restricted permissions.

Policies are a group of permissions that can be applied to users or roles.

As a user starts with no permissions, and multiple policies can set a permission on the same collection and actions. Applying policies is additive - each policy can add to existing permissions, but not take them away.

Roles

Roles are an organizational tool that define a user's position within a project. A role can have any number of policies attributed to it, and be applied to any number of users. Roles can also have any number of policies and child roles.

Administrator Role

An administrator role provides complete, unrestricted control over the project, including the data model and all data. This cannot be limited, as by definition it would no longer be an administrator role. You need at least one user in an administrator role.

Public Role

A public role defines access permissions for unauthenticated requests to the database. That means that if you enable an access permission for this role, everybody has that permission enabled. All public permissions are off by default. It is up to the administrators to re-configure these and define exactly what the public role has access to.

Statuses

A policy can toggle access to the App (Data Studio). If you only want a user to access the project via API, leave this disabled.

An admin can set the user status. Only the active state is able to authenticate, with all others being descriptive inactive states.

  • Draft: an incomplete user item.
  • Invited: has a pending invite to the Directus project.
  • Unverified: registered but has not yet verified their email address.
  • Active: access to the Directus project via API or the Data Studio.
  • Suspended: a User that has been temporarily disabled.
  • Archived: a soft-deleted user.

Limiting to Specific IP Addresses

A policy can also have a specific allowlist of IP addresses, IP ranges, and CIDR blocks which allow access. Leave this empty to allow all IP addresses.

Specify both IPv4 and IPv6
IPv4 and IPv6 are different ways devices are identified on the internet.Specifying both the IPv4 and IPv6 addresses ensures uninterrupted access to your Directus project by accommodating various network configurations and preventing potential connectivity issues arising from disabling either protocol.

Studio Users

Studio Users in Directus are used in the context of licensing and billing for Directus Cloud. A studio user meets at least one of the following criteria:

  1. At least one policy with 'Admin Access' enabled.
  2. At least one policy with 'App Access' enabled, allowing access to the Data Studio.

Access Tokens

Learn how to authenticate requests & explore standard, session, and static token types.

Creating Users

Learn about creating users in directus, including API creation, inviting users, and seamless invites.