Simplify your stack and build anything. Or everything.

Schedule a Demo

USE CASES

Headless CMS Enterprise App Builder Headless E-Commerce Digital Asset Management

FEATURES

Multi-Tenancy White Label Localization Access Control Auth

CASE STUDIES

See what others are building with Payload.

Browse Case Studies

Build tomorrow’s web with a modern solution you truly own.

PAYLOAD IS FOR

Developers Marketing teams Enterprise companies Agencies & Consultancies

COMPARE PAYLOAD

Payload vs WordPress Payload vs Contentful Payload vs Sanity Payload vs Strapi Payload vs Directus

AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a Partner Find a Partner

Code-based nature means you can build on top of it to power anything.

Resources

Documentation Examples Templates GitHub Releases Blog

Community

Roadmap Discord Community Help

Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

It’s time to take back your content infrastructure.

Schedule a Demo

Enterprise Features

SSO AI Auto-Embedding Publishing Workflows Visual Editor Static A/B testing AI features

Customer Stories

Microsoft ASICS Blue Origin Hello Bello Tekton

Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study Browse all

Login Get Started

Collection Access Control

You can define Collection-level Access Control within each Collection's access property. All Access Control functions accept one args argument.

Available Controls

Function	Allows/Denies Access
`create`	Used in the `create` operation
`read`	Used in the `find` and `findByID` operations
`update`	Used in the `update` operation
`delete`	Used in the `delete` operation

Auth-enabled Controls

If a Collection supports Authentication, the following Access Controls become available:

Function	Allows/Denies Access
`admin`	Used to restrict access to the Payload Admin panel
`unlock`	Used to restrict which users can access the `unlock` operation

Example Collection config:

1import { CollectionConfig } from 'payload/types';
2
3export const Posts: CollectionConfig = {
4  slug: "posts",
5  access: {
6    create: ({ req: { user } }) => { ... },
7    read: ({ req: { user } }) => { ... },
8    update: ({ req: { user } }) => { ... },
9    delete: ({ req: { user } }) => { ... },
10    admin: ({ req: { user } }) => { ... },
11  },
12};

Create

Returns a boolean which allows/denies access to the create request.

Available argument properties:

Option	Description
`req`	The Express `request` object containing the currently authenticated `user`
`data`	The data passed to create the document with.

Example:

1const PublicUsers = {
slug: 'public-users',
access: {
  // allow guest users to self-registration
  create: () => true,
  ...
},
fields: [ ... ],
9}

Read

Read access functions can return a boolean result or optionally return a query constraint which limits the documents that are returned to only those that match the constraint you provide. This can be helpful to restrict users' access to only certain documents however you specify.

Available argument properties:

Option	Description
`req`	The Express `request` object containing the currently authenticated `user`
`id`	`id` of document requested, if within `findByID`

Example:

1import { Access } from 'payload/config'
2
3const canReadPage: Access = ({ req: { user } }) => {
// allow authenticated users
if (user) {
  return true
}
// using a query constraint, guest users can access when a field named 'isPublic' is set to true
return {
  // assumes we have a checkbox field named 'isPublic'
  isPublic: {
    equals: true,
  },
}
15}

Update

Update access functions can return a boolean result or optionally return a query constraint to limit the document(s) that can be updated by the currently authenticated user. For example, returning a query from the update Access Control is helpful in cases where you would like to restrict a user to only being able to update the documents containing a createdBy relationship field equal to the user's ID.

Available argument properties:

Option	Description
`req`	The Express `request` object containing the currently authenticated `user`
`id`	`id` of document requested to update
`data`	The data passed to update the document with

Example:

1import { Access } from 'payload/config'
2
3const canUpdateUser: Access = ({ req: { user }, id }) => {
4  // allow users with a role of 'admin'
5  if (user.roles && user.roles.some((role) => role === 'admin')) {
6    return true
7  }
8  // allow any other users to update only oneself
9  return user.id === id
10}

Delete

Similarly to the Update function, returns a boolean or a query constraint to limit which documents can be deleted by which users.

Available argument properties:

Option	Description
`req`	The Express `request` object with additional `user` property, which is the currently logged in user
`id`	`id` of document requested to delete

Example:

1import { Access } from 'payload/config'
2
3const canDeleteCustomer: Access = async ({ req, id }) => {
if (!id) {
  // allow the admin UI to show controls to delete since it is indeterminate without the id
  return true
}
// query another collection using the id
const result = await req.payload.find({
  collection: 'contracts',
  limit: 0,
  depth: 0,
  where: {
    customer: { equals: id },
  },
})
17
return result.totalDocs === 0
19}

Admin

If the Collection is used to access the Payload Admin panel, the Admin Access Control function determines whether or not the currently logged in user can access the admin UI.

Available argument properties:

Option	Description
`req`	The Express `request` object containing the currently authenticated `user`

Unlock

Determines which users can unlock other users who may be blocked from authenticating successfully due to failing too many login attempts.

Available argument properties:

Option	Description
`req`	The Express `request` object containing the currently authenticated `user`

Field-level Access Control