
Roles and Permissions

Appwrite's roles and permissions let you manage read and write access across your app's resources, such as database documents and storage files.

Roles define access to entire services or API endpoints, while permissions are used to manage read and write access to specific resources, such as an individual database document or storage file.

Roles

Appwrite currently has six roles, which control access to specific API endpoints or to entire services.

You can review the Appwrite API reference to see which role is required to access a specific API endpoint or service.

For example, only users with the guest role can access the authentication endpoints; already-authenticated members are denied access to them.

You can change your project members' roles from your project settings in the Appwrite console.

ID  Name       Description
0   Guest      Any user that has not been authenticated is given this role.
1   Member     Any user that has successfully authenticated using one of the authentication endpoints is given this role.
2   Admin      A user granted this role in your Appwrite project console. This role is only available in admin mode.
3   Developer  A user granted this role in your Appwrite project console. This role is only available in admin mode.
4   Owner      A user granted this role in your Appwrite project console. This role is only available in admin mode.
5   App        The role given to your API key. This role is only available in admin mode.

Permissions

Appwrite permissions are more fine-grained than its roles. Permissions manage read and write access to a specific resource rather than to entire endpoints or services.

Using permissions you can decide that only users X and Y will have read access to a specific database document, while user Z will be the only one with write access.

Permissions can be given to specific users, to entire teams, or only to a specific member of a team.

Type                 Description
*                    Wildcard permission. Gives anyone, including unauthenticated guests, read or write access.
user:[USER_ID]       Access for a specific user, identified by their user ID.
team:[TEAM_ID]       Access for any member of the specified team. To satisfy this permission, a user must be the team's creator (owner), or must have received and accepted an invitation from a team member to join the team. A pending invitation grants nothing.
member:[MEMBER_ID]   Access for a specific member of a team. This permission is only valid while the user is still an active member of that team. To find a user's member ID, fetch the team's members list.
role:[ROLE_ID]       Access for any user with a specific role. For example, 'role:4' grants access only to project owners. See the roles table above for the different roles in the platform.
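The following is an added example, not Appwrite's own code, that models how the permission strings in the table above are matched against a requesting user, including the "users X and Y read, user Z writes" split described earlier and the caveat that team and member permissions only count for accepted (active) memberships. The data shapes (Requester, Membership, the `$permissions` object with `read` and `write` arrays) are assumptions for illustration.

```python
# Added example (not Appwrite's own code): a minimal model of permission matching.
# Requester, Membership and the document layout below are assumed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional

# Role IDs as listed in the roles table above.
ROLE_GUEST, ROLE_MEMBER, ROLE_ADMIN, ROLE_DEVELOPER, ROLE_OWNER, ROLE_APP = range(6)


@dataclass
class Membership:
    member_id: str   # ID of the membership record itself (matched by member:[MEMBER_ID])
    team_id: str     # team the membership belongs to (matched by team:[TEAM_ID])
    confirmed: bool  # False while the invitation has not yet been accepted


@dataclass
class Requester:
    user_id: Optional[str]                   # None for an unauthenticated guest
    role: int                                # one of the ROLE_* constants above
    memberships: List[Membership] = field(default_factory=list)


def requester_tokens(req: Requester) -> set:
    """Expand a requester into the set of permission strings that would match it."""
    tokens = {"*", f"role:{req.role}"}          # everyone matches the wildcard and their role
    if req.user_id is not None:
        tokens.add(f"user:{req.user_id}")
    for m in req.memberships:
        if m.confirmed:                          # pending invitations grant nothing
            tokens.add(f"team:{m.team_id}")
            tokens.add(f"member:{m.member_id}")
    return tokens


def is_allowed(req: Requester, permissions: List[str]) -> bool:
    """True if at least one permission string on the resource matches the requester.
    An empty permission list denies everyone."""
    return not requester_tokens(req).isdisjoint(permissions)


# Constructed sample document: users x and y may read, z alone may write,
# and any active member of team "finance" may also read.
DOCUMENT = {
    "$permissions": {
        "read": ["user:x", "user:y", "team:finance"],
        "write": ["user:z"],
    }
}


def can_read(req: Requester, doc: dict) -> bool:
    return is_allowed(req, doc["$permissions"]["read"])


def can_write(req: Requester, doc: dict) -> bool:
    return is_allowed(req, doc["$permissions"]["write"])


if __name__ == "__main__":
    x = Requester("x", ROLE_MEMBER)
    z = Requester("z", ROLE_MEMBER)
    pending = Requester("p", ROLE_MEMBER, [Membership("m1", "finance", confirmed=False)])
    active = Requester("a", ROLE_MEMBER, [Membership("m2", "finance", confirmed=True)])
    print("x read/write:", can_read(x, DOCUMENT), can_write(x, DOCUMENT))
    print("z read/write:", can_read(z, DOCUMENT), can_write(z, DOCUMENT))
    print("pending invite can read:", can_read(pending, DOCUMENT))
    print("active member can read:", can_read(active, DOCUMENT))
```

The point of the `confirmed` check is the one practitioners most often miss: granting `team:[TEAM_ID]` is only as tight as the team's invitation flow, and a membership that has not been accepted must not unlock the resource.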