Permissions

Appwrite permission mechanism offers a simple and yet flexible way to manage which users, teams, or roles can access a specific resource of your project, like documents and files.

Using permissions, you can decide that only user A and user B will have read access to a specific database document, while user C and team X will be the only ones with write access.

As the name suggests, read permission allows users and teams to view a resource, while write permission allows them to both update and delete it.

Read and write permissions can be given to specific users, entire teams, or only to a particular group of role members inside a team.

A project user can only grant a resource permissions that he or she owns. For example, a user who tries to share a document with a team he or she is not a member of will encounter a 401 not authorized error.

Appwrite Resource

An Appwrite resource can be a database collection, database document, or a storage file. Each resource has both read and write permissions to define who can access it.

Using the Appwrite permissions mechanism, you can share resources between users, teams, and members with different roles.

Default Values

When a resource is created without read or write permissions, the default value is empty. When the read or write permission list is empty, no one is granted access to the resource.

Server Integration

A server or admin integration can be used for increased flexibility. When using a server integration in combination with the proper API scopes, you can have both read and write access to any of your project resources regardless of their permissions.

Using the server integration flexibility, you can change resource permissions, share resources between different users and teams, or edit and delete resources with no limitations.

Permission Types

*
    Wildcard permission. Gives anyone read or write access.

user:[USER_ID]
    Access to a specific user by his or her UID.

team:[TEAM_ID]
    Access to any member of the specific team. To gain access to this permission, the user must be the team creator (owner), or receive and accept an invitation to join this team.

team:[TEAM_ID]/[ROLE]
    Access to any member who possesses a specific role in a team. To gain access to this permission, the user must be a member of the specific team and have the given role assigned to him or her. Team roles can be assigned when inviting a user to become a team member.

member:[MEMBER_ID]
    Access to a specific member of a team. Unlike the basic user permission, this permission will only be valid as long as the user is still an active member of the specific team. To view a user's member ID, fetch the team members list.
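To make the rules above concrete, here is a small offline evaluator for the permission strings in this table. It is an added illustration written for this page, not Appwrite's own code or SDK: the principal shape (a user ID plus team memberships carrying a membership ID and roles), the isServer flag and all IDs are constructed for the example. It covers the default of an empty list granting nobody access, the server-integration bypass, and the rule that a user can only grant permissions he or she already holds.

```javascript
// Added example, not Appwrite code. Models the permission semantics described
// on this page: '*', 'user:ID', 'team:ID', 'team:ID/ROLE' and 'member:ID'.

// Assumed principal shape: who is calling, and which teams they belong to.
// Constructed sample data, not real Appwrite IDs.
const alice = {
  userId: 'user_alice',
  memberships: [
    { teamId: 'team_design', membershipId: 'mem_alice_design', roles: ['owner'] },
  ],
};
const bob = {
  userId: 'user_bob',
  memberships: [
    { teamId: 'team_design', membershipId: 'mem_bob_design', roles: ['editor'] },
  ],
};
const carol = { userId: 'user_carol', memberships: [] };
// A server/admin integration (API key with the right scopes) ignores resource permissions.
const serverKey = { isServer: true, userId: null, memberships: [] };

// Split on the first occurrence of sep only, so IDs containing the separator survive.
function splitOnce(s, sep) {
  const i = s.indexOf(sep);
  return i === -1 ? [s, undefined] : [s.slice(0, i), s.slice(i + 1)];
}

// Does a single permission string apply to this principal?
function matchesPermission(permission, principal) {
  if (permission === '*') return true; // wildcard: anyone
  const [kind, rest] = splitOnce(permission, ':');
  switch (kind) {
    case 'user':
      return principal.userId === rest;
    case 'member':
      // valid only while the user is still an active member of the team
      return principal.memberships.some((m) => m.membershipId === rest);
    case 'team': {
      const [teamId, role] = splitOnce(rest, '/');
      return principal.memberships.some(
        (m) => m.teamId === teamId && (role === undefined || m.roles.includes(role))
      );
    }
    default:
      return false; // unknown scheme never grants access
  }
}

// Evaluate a resource's read or write list. An empty list grants nobody (page default).
function hasAccess(permissions, principal) {
  if (principal.isServer) return true;
  return permissions.some((p) => matchesPermission(p, principal));
}

// A user may only grant permissions he or she owns. Returns the entries the caller
// could not satisfy themselves; a non-empty result is the case the page says yields 401.
function ungrantable(permissions, principal) {
  if (principal.isServer) return [];
  return permissions.filter((p) => !matchesPermission(p, principal));
}

// Usage: a document readable by the whole design team, writable only by its owners.
const doc = { read: ['team:team_design'], write: ['team:team_design/owner'] };
console.log(hasAccess(doc.read, bob), hasAccess(doc.write, bob));   // true false
console.log(ungrantable(doc.write, bob));                            // [ 'team:team_design/owner' ]
```

The ungrantable check is the one worth running before calling createDocument or updating permissions: it reproduces the rule behind the 401 described above, so a client can fail fast with a clear message instead of discovering the rejection server-side.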

Examples

The examples below will show you how you can use the different Appwrite permissions to manage access control to your project resources.

The following examples are using the Appwrite JS SDK but can be applied similarly to any of the other Appwrite SDKs.

Example #1 - Basic Usage

In the following example, we are creating a document that can be read by everyone and can be edited or deleted only by the user with UID 5c1f88b42259e (permission string user:5c1f88b42259e).

let sdk = new Appwrite();

sdk
    .setProject('[PROJECT_ID]') // Your project ID
;

let promise = sdk.database.createDocument(
    '[COLLECTION_ID]',
    {'actorName': 'Chris Evans', 'height': 183},
    ['*'], // Read: anyone can view this document
    ['user:5c1f88b42259e'] // Write: you can only grant permissions you own, so this must be the current user's UID
);

promise.then(function (response) {
    console.log(response); // Success: the created document
}, function (error) {
    console.log(error); // Failure, e.g. 401 when granting a permission you do not own
});

Example #2 - Team Roles

In the following example, we are creating a document that can be read only by members of team:5c1f88b87435e and can be edited or deleted only by members of the same team who hold the owner role.

let sdk = new Appwrite();

sdk
    .setProject('[PROJECT_ID]') // Your project ID
;

let promise = sdk.database.createDocument(
    '[COLLECTION_ID]',
    {'actorName': 'Chris Evans', 'height': 183},
    ['team:5c1f88b87435e'], // Read: the current user must be a team member to grant this permission
    ['team:5c1f88b87435e/owner'] // Write: the current user must be a team owner to grant this permission
);

promise.then(function (response) {
    console.log(response); // Success: the created document
}, function (error) {
    console.log(error); // Failure, e.g. 401 when the current user lacks the team or role
});