Role
A Role groups the permissions that govern what a credential can do in a project. The same role definition is applied to collaborators, SSO users, and API tokens alike — design roles around what the credential should be allowed to do, not who is holding it.
Ask "what is the credential allowed to do?" — not "what is this person allowed to do?". For API tokens specifically, the role's permissions are further constrained by the token's API surface flags (can_access_cda, can_access_cda_preview, can_access_cma); see the API token resource for details.
How permissions are computed
Most of the granular permissions on a role come as a positive_<resource>_permissions / negative_<resource>_permissions pair: build triggers, search indexes, records (item_type), uploads. They all follow the same rule:
Effective permissions =
(inherited ∪ positive_*) − negative_*
Positive entries (and entries pulled in via relationships.inherits_permissions_from) grant access. Negative entries always win when they overlap. The idiomatic recipe for "almost everything" is a single action: "all" positive entry plus targeted negative entries to subtract — instead of enumerating each allowed action.
positive_* and negative_* togetherFor each resource family (records, uploads, build triggers, search indexes), the matching positive_* and negative_* arrays must be both present or both absent in a create/update payload. On update, sent arrays replace the stored ones wholesale, so always read the role first and pass back the existing entries on the side you're not changing — sending [] to satisfy the constraint will erase everything that was there. (On create, [] is fine since there's nothing to lose.) The Update endpoint documents an SDK helper that handles this diff for records and uploads.
The computed result is exposed on every role response under meta.final_permissions; the raw declared values stay on attributes.*. See Effective vs declared permissions below.
Project-level permissions
These attributes gate access to project-wide capabilities. They apply uniformly across the whole project; granular control over individual records and uploads lives under Per-environment content permissions.
- Project-wide flags. Boolean attributes named
can_*(can_edit_schema,can_manage_environments,can_manage_access_tokens, …) cover the schema, environments, users, webhooks, and so on — see the property table for the full list. - Environment access.
environments_accesscontrols which environments the credential can enter at all (all,primary_only,sandbox_only, ornone). Usenonewhen the role is meant only to be inherited from. - Build triggers. The role may manually fire the build triggers listed in
positive_build_trigger_permissions, minus those listed innegative_build_trigger_permissions. Usebuild_trigger: nullon an entry to cover every trigger at once. Creating, editing, or deleting trigger definitions is gated separately bycan_manage_build_triggers. - Search indexes. The role may manually re-index the search indexes listed in
positive_search_index_permissions, minus those listed innegative_search_index_permissions. Usesearch_index: nullon an entry to cover every index. Managing the index definitions themselves is gated separately bycan_manage_search_indexes.
Per-environment content permissions
The role's access to records and uploads is governed by two positive/negative array pairs. Every entry is scoped to a single environment via the required environment field — to grant the same permission across multiple environments, repeat the entry once per environment id (or use inherits_permissions_from together with environments_access). The computation is the same (inherited ∪ positive_*) − negative_* rule from How permissions are computed, evaluated per environment.
Records
Permission entries live in positive_item_type_permissions (and the negative_* counterpart). Each entry is a discriminated union keyed by action:
all— every action belowread— read recordscreate— create new recordsupdate— edit existing recordspublish— publish/unpublish recordsduplicate— duplicate recordsdelete— destroy recordsedit_creator— change a record'screatorrelationshiptake_over— wrest a record from another user currently editing itmove_to_stage— move a record between workflow stages
Per entry you can also restrict by:
item_type— restrict to a specific model (null= all models)workflow— restrict to records associated with a workflow (mutually exclusive withitem_type)on_creator—anyone,self(records the credential created), orrole(records created by anyone with this role)localization_scope+locale— forcreate/update/publish/all: restrict to localized vs non-localized content, optionally pinning to one locale (onallthe scope is forced to"all")on_stage/to_stage— for workflow-aware actions: restrict to records currently on a stage, or to moves towards a stage
The shape of each entry depends on the action — see the property tables on each endpoint for which sub-fields are valid per branch.
Workflow-aware permissions — the move_to_stage action and the workflow / on_stage / to_stage restrictors — require Workflows, an Enterprise feature. Per-content-scope restrictions are also gated: only localization_scope: "all" is available on every plan, while "localized" (with its companion locale) and "not_localized" both require Enterprise. Setting any of these on a non-Enterprise project will return an error — check the pricing page before relying on them.
Uploads
Permission entries live in positive_upload_permissions (and the negative_* counterpart). Same discriminated-union shape as records, with the upload-relevant actions (read, create, update, delete, edit_creator, replace_asset, move, all), scoped by upload_collection instead of item_type. The move action also accepts move_to_upload_collection to restrict the destination of the move.
Inheriting from other roles
relationships.inherits_permissions_from accepts a list of role ids whose permissions are unioned into this role's positive set before the negative set is subtracted (per How permissions are computed). This is how built-in roles are typically extended without copying their full permission tree — duplicate the closest built-in role, then add a negative_* entry to take something away, or set inherits_permissions_from and add only the positive entries that differ.
Effective vs declared permissions
Two views of a role's permissions are surfaced on the response:
attributes.*— the permissions declared on this role directly. This is what was sent on create/update; it does not reflect anything inherited fromrelationships.inherits_permissions_from.meta.final_permissions— the effective permissions after walking the inheritance chain and applying the rule from How permissions are computed. This is the set actually enforced when a credential bound to this role makes a request.
When debugging "why can't this user do X?", read meta.final_permissions, not attributes.
Object payload
ID of role
"34"
Must be exactly "role".
The name of the role
"Editor"
Can change project-wide settings (project name, internal subdomain, frontend preview URL, deployment settings)
Can edit favicon, global SEO settings and no-index policy
Can create and edit the project schema: models, block models, fields, fieldsets, validators, and plugins
Can customize content navigation bar
Can create and edit roles and invite/remove collaborators
Can create and edit shared filters (both for models and the media area)
Can create and edit search indexes
Can create and edit upload collections
Can create, fork, and delete sandbox environments. Promotion to primary is gated separately by can_promote_environments.
Can create and edit webhooks
Specifies the environments the user can access
"primary_only"
Grants access to all environments
Grants access exclusively to the primary environment
Grants access exclusively to sandbox environments
No access to any environment. This value is typically used when the role is intended to inherit access settings from other roles
Can manage Single Sign-On settings
Can access Audit Log
Can create and edit workflows
Can edit per-environment settings of the environments this role has access to: locales, timezone, and UI theme. This is not about creating or switching environments — see can_manage_environments for that, and environments_access for which environments this role can enter at all.
Can promote a sandbox environment to primary (atomic swap) and toggle the project's maintenance mode. Distinct from can_manage_environments, which covers creating/forking/deleting sandboxes.
Can create and edit build triggers
Can manage API tokens
Can perform Site Search API calls
Can access the build events log
Can access the search index events log
Allowed actions on a model (or all) for a role.
The shape of each entry depends on the action (discriminated union). Idiomatic recipes:
- To grant every action, use a single
action: "all"entry withlocalization_scope: "all". - To grant a subset (e.g. create+read+update but not delete), prefer a single
action: "all"entry plusnegative_item_type_permissionsentries for the actions to exclude — instead of listing each allowed action separately.
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"duplicate"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"delete"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"move_to_stage"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Prohibited actions on a model (or all) for a role. Negative permissions take precedence and are typically paired with a broader positive action: "all" entry to subtract specific actions (e.g. forbid delete).
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"duplicate"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"delete"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"move_to_stage"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Allowed actions on uploads (or all) for a role.
The shape of each entry depends on the action (discriminated union). To grant a subset, prefer a single action: "all" entry plus negative_upload_permissions entries for the actions to exclude.
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Localized content in a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"move"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Restricts the destination upload collection of the move action. When null, any destination is allowed.
Prohibited actions on uploads (or all) for a role. Negative permissions take precedence and are typically paired with a broader positive action: "all" entry to subtract specific actions.
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Localized content in a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"move"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Restricts the destination upload collection of the move action. When null, any destination is allowed.
Build triggers this role is allowed to manually fire. An entry with build_trigger: null covers every build trigger. Note: this does not control creating/editing build triggers themselves — that is gated by can_manage_build_triggers.
Build triggers this role is forbidden from manually firing. Negative entries take precedence over positive ones; pair with a build_trigger: null positive entry to allow all-but-N.
Search indexes this role is allowed to manually re-index. An entry with search_index: null covers every search index. Note: this does not control creating/editing search indexes themselves — that is gated by can_manage_search_indexes.
Search indexes this role is forbidden from manually re-indexing. Negative entries take precedence over positive ones; pair with a search_index: null positive entry to allow all-but-N.
The final set of permissions considering also inherited roles
Can change project-wide settings (project name, internal subdomain, frontend preview URL, deployment settings)
Can edit favicon, global SEO settings and no-index policy
Can create and edit the project schema: models, block models, fields, fieldsets, validators, and plugins
Can customize content navigation bar
Can create and edit roles and invite/remove collaborators
Can create, fork, and delete sandbox environments. Promotion to primary is gated separately by can_promote_environments.
Can create and edit webhooks
Specifies the environments the user can access
"primary_only"
Grants access to all environments
Grants access exclusively to the primary environment
Grants access exclusively to sandbox environments
No access to any environment. This value is typically used when the role is intended to inherit access settings from other roles
Can manage Single Sign-On settings
Can access Audit Log
Can create and edit workflows
Can edit per-environment settings of the environments this role has access to: locales, timezone, and UI theme. This is not about creating or switching environments — see can_manage_environments for that, and environments_access for which environments this role can enter at all.
Can promote a sandbox environment to primary (atomic swap) and toggle the project's maintenance mode. Distinct from can_manage_environments, which covers creating/forking/deleting sandboxes.
Can create and edit shared filters (both for models and the media area)
Can create and edit search indexes
Can create and edit build triggers
Can create and edit upload collections
Can manage API tokens
Can perform Site Search API calls
Can access the build events log
Can access the search index events log
Allowed actions on a model (or all) for a role.
The shape of each entry depends on the action (discriminated union). Idiomatic recipes:
- To grant every action, use a single
action: "all"entry withlocalization_scope: "all". - To grant a subset (e.g. create+read+update but not delete), prefer a single
action: "all"entry plusnegative_item_type_permissionsentries for the actions to exclude — instead of listing each allowed action separately.
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"duplicate"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"delete"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"move_to_stage"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Prohibited actions on a model (or all) for a role. Negative permissions take precedence and are typically paired with a broader positive action: "all" entry to subtract specific actions (e.g. forbid delete).
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Content under a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"duplicate"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"delete"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Permitted action
"move_to_stage"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific model. When null, the permission applies to all models.
Restricts the permission to records associated with a specific workflow. Mutually exclusive with item_type.
Restrict to records currently on a workflow stage.
Restrict to moves towards a specific workflow stage.
Allowed actions on uploads (or all) for a role.
The shape of each entry depends on the action (discriminated union). To grant a subset, prefer a single action: "all" entry plus negative_upload_permissions entries for the actions to exclude.
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Localized content in a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"move"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Restricts the destination upload collection of the move action. When null, any destination is allowed.
Prohibited actions on uploads (or all) for a role. Negative permissions take precedence and are typically paired with a broader positive action: "all" entry to subtract specific actions.
Permitted action
"all"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
For action: "all" this must be "all".
"all"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"update"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Permitted content scope
"all"
Any content (localized/unlocalized)
Localized content in a specific locale (locale must be defined)
Non-localized content
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Required (non-null) when localization_scope is "localized"; must be omitted otherwise.
"en"
Permitted action
"create"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"read"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Permitted action
"move"
ID of environment. Can only contain lowercase letters, numbers and dashes
"main"
Permitted creator
"anyone"
Created by anyone
Created by the user itself
Created by a user with the same role
Restricts the permission to a specific upload collection. When null, the permission applies to all collections.
Restricts the destination upload collection of the move action. When null, any destination is allowed.
Build triggers this role is allowed to manually fire. An entry with build_trigger: null covers every build trigger. Note: this does not control creating/editing build triggers themselves — that is gated by can_manage_build_triggers.
Build triggers this role is forbidden from manually firing. Negative entries take precedence over positive ones; pair with a build_trigger: null positive entry to allow all-but-N.
Search indexes this role is allowed to manually re-index. An entry with search_index: null covers every search index. Note: this does not control creating/editing search indexes themselves — that is gated by can_manage_search_indexes.
Search indexes this role is forbidden from manually re-indexing. Negative entries take precedence over positive ones; pair with a search_index: null positive entry to allow all-but-N.
The roles from which this role inherits permissions