Access Control

Access control within Payload is extremely powerful while remaining easy and intuitive to manage. Declaring who should have access to what documents is no more complex than writing a simple JavaScript function that either returns a boolean or a query constraint to restrict which documents users can interact with.

Example use cases:

  • Allowing anyone read access to all Posts
  • Only allowing public access to Posts where a status field is equal to published
  • Giving only Users with a role field equal to admin the ability to delete Page(s)
  • Allowing anyone to create ContactSubmissions, but only logged-in users to read, update or delete them
  • Restricting a User to only be able to see their own Order(s), but no others
  • Allowing Users that belong to a certain Organization to access only that Organization's Resources
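
Three of the use cases above written as access functions, as an added example that is not taken from Payload's own code. The field names (`status`, `role`, `user`), the sample documents and the `applyAccess` helper are assumptions; the helper only imitates how a returned query constraint narrows the visible documents.

```javascript
// Added example: access functions for three of the use cases listed above.
// Field names (status, role, user) and the sample documents are assumptions.

// Anonymous requests may read only published Posts; logged-in users read all.
const readPosts = ({ req: { user } }) => {
  if (user) return true;
  return { status: { equals: 'published' } };
};

// Only Users whose role field equals admin may delete Pages.
const deletePages = ({ req: { user } }) => Boolean(user && user.role === 'admin');

// Users may read only their own Orders; anonymous requests are denied.
const readOrders = ({ req: { user } }) => {
  if (!user) return false; // check first: user.id would throw on undefined
  return { user: { equals: user.id } };
};

// Hypothetical stand-in for Payload's query layer (handles only `equals`),
// so the effect of a returned constraint is visible on in-memory documents.
const applyAccess = (result, docs) => {
  if (typeof result === 'boolean') return result ? docs : [];
  return docs.filter((doc) =>
    Object.entries(result).every(([field, cond]) => doc[field] === cond.equals));
};

// Constructed sample data.
const posts = [
  { id: 1, status: 'published' },
  { id: 2, status: 'draft' },
];
const orders = [
  { id: 10, user: 'u1' },
  { id: 11, user: 'u2' },
];

// Ids of the documents a request is allowed to see.
const visibleIds = (access, req, docs) =>
  applyAccess(access({ req }), docs).map((doc) => doc.id);

console.log(visibleIds(readPosts, {}, posts));                        // anonymous
console.log(visibleIds(readOrders, { user: { id: 'u1' } }, orders));  // own orders
console.log(deletePages({ req: { user: { role: 'editor' } } }));      // non-admin
```

Each function treats a missing `user` explicitly, so an unauthenticated request gets either a denial or a narrowed constraint and never an unhandled error.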

Default Settings

By default, all Collections and Globals require that a user is logged in to be able to interact in any way. The default Access Control function evaluates the user from the Express req and returns true if a user is logged in, and false if not.

Default Access function:

const defaultPayloadAccess = ({ req: { user } }) => {
  // Return `true` if a user is found
  // and `false` if it is undefined or null
  return Boolean(user);
};

Access Control Types

You can manage access within Payload on three different levels:


Collection Access Control