Access Control

Access control within Payload is extremely powerful while remaining easy and intuitive to manage. Declaring who should have access to what documents is no more complex than writing a simple JavaScript function that either returns a boolean or a query constraint to restrict which documents users can interact with.

Example use cases:

Allowing anyone read access to all Posts
Only allowing public access to Posts where a status field is equal to published
Giving only Users with a role field equal to admin the ability to delete Page(s)
Allowing anyone to create ContactSubmissions, but only logged in users to read, update or delete them
Restricting a User to only be able to see their own Order(s), but no others
Allowing Users that belong to a certain Organization to access only that Organization's Resources

Default Settings

By default, all Collections and Globals require that a user is logged in to be able to interact in any way. The default Access Control function evaluates the user from the Express req and returns true if a user is logged in, and false if not.

Default Access function:

1const defaultPayloadAccess = ({ req: { user } }) => {
2  // Return `true` if a user is found
3  // and `false` if it is undefined or null
4  return Boolean(user)
5}

Access Control Types

You can manage access within Payload on three different levels:

When Access Control is Executed

As you execute operations

When you perform Payload operations like create, read, update, and delete, your access control functions will be executed before any changes or operations are completed.

Within the Admin UI

The Payload Admin UI responds dynamically to the access control that you define. For example, if you restrict editing a ExampleCollection to only users that feature a role of admin, the Payload Admin UI will hide the ExampleCollection from the Admin UI entirely. This is super powerful and allows you to control who can do what with your Admin UI.

To accomplish this, Payload ships with an Access operation, which is executed when a user logs into the Admin UI. Payload will execute each one of your access control functions, across all collections, globals, and fields, at the top level and return a response that contains a reflection of what the currently authenticated user can do with your application.

Argument Availability

If you use id or data within your access control functions, make sure to check that they are defined first. If they are not, then you can assume that your access control is being executed via the access operation, to determine solely what the user can do within the Admin UI.

Collection Access Control

Access Control

Example use cases:

Allowing anyone read access to all Posts
Only allowing public access to Posts where a status field is equal to published
Giving only Users with a role field equal to admin the ability to delete Page(s)
Allowing anyone to create ContactSubmissions, but only logged in users to read, update or delete them
Restricting a User to only be able to see their own Order(s), but no others
Allowing Users that belong to a certain Organization to access only that Organization's Resources

Default Settings

Default Access function:

1const defaultPayloadAccess = ({ req: { user } }) => {
2  // Return `true` if a user is found
3  // and `false` if it is undefined or null
4  return Boolean(user)
5}

See what others are building with Payload.

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Get the resources you need to start building today

Microsoft chose Payload to tell the world about AI.

Access Control

Default Settings

Access Control Types

When Access Control is Executed

As you execute operations

Within the Admin UI

Argument Availability

Collection Access Control

Access Control

Default Settings

Access Control Types

When Access Control is Executed

As you execute operations

Within the Admin UI

Argument Availability