Directus permissions are extremely granular and powerful, but don't feel overwhelmed: you don't need to use or even understand the more advanced features to set up basic roles.
Directus supports the standard Create, Read, Update, and Delete (CRUD) permissions, and adds additional support for Comments and Explanations. Furthermore, some privileges can be scoped to the current user or their role. Below are all of the collection-level permissions:
Create:
(NULL, default) Can not create any items
full: Can create items

Read:
(NULL, default) Can not view any items
mine: Can only view their items
role: Can only view items created by members of this role
full: Can view all items

Update:
(NULL, default) Can not update any items
mine: Can only update their items
role: Can only update items created by members of this role
full: Can update all items

Delete:
(NULL, default) Can not delete any items
mine: Can only delete their items
role: Can only delete items created by members of this role
full: Can delete all items

Comments:
none: Can not comment
read: Can only see comments
create: Can add comments
(NULL, default) Can add, edit and delete their comments
full: Can add, edit and delete any comments (including other users)

Explanations:
(NULL, default) Never requires "commit" comment
create: Requires a "commit" comment on Create
update: Requires a "commit" comment on Update
always: Requires a "commit" comment on Create and Update

The role permission options are only available when the parent collection contains a created_by field type. See below for setup.
Hover over each row to access an "All/None" shortcut per collection, or click the column header to toggle that permission for all collections.
To enforce the role permissions described above, Directus needs to know who created an item. Additionally, you may want to track when an item was created, or when it was last updated. This can all happen automatically, but you first must include a few system fields.
There are dedicated interfaces available to make it easier to set up the above fields.
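The sketch below models how the mine, role and full values depend on the creator of an item. It is an added example, not Directus source code: the user shape ({ id, role }), the usersById lookup and the choice to deny access when an item has no created_by value are assumptions made for illustration.

```javascript
// Added illustration, not Directus source code. Models the mine/role/full
// scoping this page describes for the read, update and delete permissions.
// The user shape ({ id, role }) and the usersById lookup are assumptions.
const SCOPES = new Set(['mine', 'role', 'full']);

// Decide whether `user` may act on `item` under a stored permission value.
// usersById maps a user id to { id, role } so the creator's role can be found.
function isAllowed(value, user, item, usersById) {
  // NULL is the default and grants nothing.
  if (value === null || value === undefined) return false;
  if (!SCOPES.has(value)) throw new Error(`unknown permission value: ${value}`);
  if (value === 'full') return true;

  // mine and role both need to know who created the item. With no created_by
  // value there is nothing to compare against, so this sketch denies access.
  const creatorId = item.created_by;
  if (creatorId === null || creatorId === undefined) return false;
  if (value === 'mine') return creatorId === user.id;

  // role: the creator must be a member of the acting user's role.
  const creator = usersById.get(creatorId);
  return creator !== undefined && creator.role === user.role;
}

// Ids of the items a user can see under a given read permission value.
function visibleIds(value, user, items, usersById) {
  return items.filter((it) => isAllowed(value, user, it, usersById)).map((it) => it.id);
}

// Constructed sample data.
const usersById = new Map([
  [1, { id: 1, role: 'editor' }],
  [2, { id: 2, role: 'editor' }],
  [3, { id: 3, role: 'intern' }],
]);
const items = [
  { id: 10, created_by: 1 },
  { id: 11, created_by: 2 },
  { id: 12, created_by: 3 },
  { id: 13 }, // row with no recorded creator
];

for (const value of [null, 'mine', 'role', 'full']) {
  console.log(value, visibleIds(value, usersById.get(1), items, usersById));
}
```

When reviewing a role, note that only full reaches rows with no recorded creator in this model, which is why the creator field has to exist before the scoped values are relied on.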
Clicking "Fields" allows you to blacklist certain fields for either read or write. This allows you to control which fields are visible or editable within the collection. By default, fields are both readable and writable.
Clicking "Allowed Statuses" allows you to blacklist certain status options. This allows you to control which status options a user can choose – for example, not allowing an Intern to publish items. By default, all statuses are available.
Workflows are one of the most powerful features of Directus, allowing for all permissions to be controlled per status. Workflow is enabled by clicking the arrows at the far right to expand the collection into Workflow mode and show dedicated permission rows for each status.
In addition to the custom options set within your status interface, there is always an "On Creation" option that sets permissions for when an item is being created. This is useful because an item that is being created doesn't yet have a status set.
This feature enables absolute control over the most fluid workflows, but it can be difficult to fully understand its potential, so let's explore an example with all the bells and whistles:
Not shown in the diagram, but worth noting: the Admin role always has full permissions and is not required to explain anything.
Below the permissions interface is a toggle to show the Directus system collections. These permissions are automatically generated when new roles are created and can be used to control certain system pages, such as: File Library, User Directory, and My Activity.
Changing the default system permissions can result in unexpected behavior or a completely broken platform. The API and App rely on certain data. For example, full read permission for directus_users is required. Only update these values if you know exactly what you're doing.
You can also control access to Directus based on a user's IP address. This is useful if you need to limit access to specific offices or locations, provided they have a static IP address. Simply add a comma-separated list (CSV) of the IP addresses to limit access to, or leave it blank to not limit.