# Permissions

Permissions are attached directly to a Role, and define what data that Role's Users can create, read, update, and delete within the platform.

Directus includes an extremely granular, filter-based permissions system for controlling access. There are several layers to this access control, including:

  • Collection — The Collection scope of this permission
  • Action — Create, Read, Update, or Delete
  • Item Permissions — Filters actionable Items using Filter Rules
  • Field Permissions — Toggles which fields can be accessed
  • Validation — Filters Item values using Filter Rules
  • Presets — Controls the default values for the action
  • Limit — Sets a maximum number of items that are actionable

There are also other access control features that are tied directly to the Role. These include:

  • IP Access — Restricts user access based on IP Address
  • App Access — Restricts user access to the App
  • Admin Access — Enables Settings and unrestricted user access

# Example

You could set the permissions such that a user can only Update (Action) the Title, Body, Date Published, and Category (Field Permissions) within Articles (Collection) that they created and are still unpublished (Item Permissions) one item at a time (Limit) if they are currently at the NYC office (IP Access). Additionally, the default Category will be "Opinon" (Preset), and the Date Published must be in the future (Validation).

And this is actually just a simple example. Permissions and Validation support a comprehensive list of Filter Operators, Relational Filtering, Logical Operators, and Dynamic Variables.

# Relevant Guides