Data Permissions
Required Permission
This feature requires the TEAM_ADMIN_USER_ROLES permission. See User Roles Overview for more about the role system.
Data Permissions control what data a user can access and modify. They are configured at the collection and field level within User Roles, and work alongside Feature Permissions which control access to platform features.
Collection-Level Permissions
For each Data Collection, you can control three access toggles:
| Permission | Description |
|---|---|
| Create Records | Allow creating new records in this collection. Also controls access to CSV Import for this collection. |
| Read Record Metadata | Allow viewing records in this collection. Without this, the collection is completely invisible to the user. |
| Delete Records | Allow removing records from this collection. |
No Collection-Level "Update" Toggle
Unlike traditional CRUD systems, there is no collection-level Update toggle. Update capability is controlled through the Default Field Access setting and per-field permission overrides (see below). This gives you much finer control over which fields users can edit.
Configuring Collection Permissions
- Navigate to Team Administration → User Roles
- Click on a role (see Creating User Roles)
- Go to the Collections tab
- For each collection, toggle the permissions as needed
Field-Level Permissions
Within each collection, you can control access to individual Data Fields with four permission levels:
| Setting | Effect |
|---|---|
| Allow Read | User can see this field's value but cannot modify it |
| Allow Update | User can see and modify this field's value |
| Deny Read | Field is completely hidden from the user — they cannot see the field or its value |
| Deny Update | User can see the field's value but is explicitly prevented from editing it |
Default Field Access
Each collection has a Default Field Access setting that determines the baseline permission for all fields in that collection:
- This sets the starting permission for every field
- Individual field permissions can then override the default
- New fields added to the collection inherit the default access level
For example, if Default Field Access is set to "Allow Read", users can view all fields by default. You can then override specific fields to "Allow Update" for fields they should be able to edit, or "Deny Read" for sensitive fields they shouldn't see.
Configuring Field Permissions
- In the Collections tab of a role, click on a collection name
- You'll see all Data Fields in that collection
- Set the Default Field Access level at the top
- Override specific fields as needed using the dropdown next to each field
Wizard Permissions
Control which Data Wizards a role can execute:
- Navigate to the Wizards tab in a role
- Toggle access for each wizard
Wizard permissions determine whether a user can run a particular Data Wizard from within the application. Note that public/external wizard access is configured separately — see Data Wizard External Access.
Permission Evaluation
When a user has multiple User Roles, permissions are combined using the most permissive rule:
- Feature Permissions — Any role granting a permission enables it
- Collection Permissions — Highest permission level wins
- Field Permissions — Most permissive setting wins
Example
If Role A grants "Read Record Metadata" on Contacts and Role B grants "Read Record Metadata + Create Records", a user with both roles can both read and create records in the Contacts collection. Similarly, if Role A denies a field but Role B allows it, the user will have access.
Impact on Users
- Data Permissions take effect immediately when the role is saved
- Users will only see collections they have Read permission for in their navigation
- Fields with "Deny Read" are completely invisible — the user won't know the field exists
- Fields with "Deny Update" or "Allow Read" appear as read-only in forms
- The Create Records permission also controls whether users can access CSV Import for that collection
- Team Admins bypass all Data Permissions and always have full access
- Users with the Data Full Access feature permission also bypass all collection/field restrictions
Related Topics
- Feature Permissions — Platform feature access controls
- User Roles Overview — Understanding the role-based permission system
- Creating User Roles — Step-by-step role creation
- Data Collections Overview — Understanding data structure
- Managing Data Fields — Field configuration