Allow and Deny rules
How Allow and Deny rules work
A user’s permissions to access and manage content in a space are set with Allow and Deny rules. These rules define which actions a user is explicitly allowed or denied to perform on entries and assets in a space.
NOTE: Allow and Deny rules are set under the Content and Media tabs of the role editor page.
An Allow rule defines an action a user is able to perform in a space. A user won’t be able to perform any action that is not explicitly allowed by an Allow rule in the user’s role.
A Deny rule explicitly defines an action a user is restricted from performing in a space. Deny rules are used to limit the scope of the permissions that Allow rules define.
To show how to set up a user’s permissions to access and manage content using Allow and Deny rules, consider the following example:
Let’s assume that you would like an editor on your team to be able to edit all content in a space except blog posts, because those are created and edited only by your team’s content writer. For this purpose, you create an Editor role and add an Allow rule to it, selecting "Edit" as the action and "All content" and "All content types" as the scope of content. You then add another Allow rule with the "Read" action and the same "All content" and "All content types" options, to make sure your editor is able to access and view the content that they will edit. Finally, to restrict your editor from editing blog posts, you add a Deny rule, selecting "Edit" as the action and "All content" and the "Blog post" content type as the scope of content.
Actions defined by Allow and Deny rules
The table below explains what a user will be allowed to do or restricted from doing with each specific action defined in their role:
| Action | What it covers |
| --- | --- |
| Read | Viewing the list of entries and opening the entry editor in a read-only mode. |
| Edit | Making changes to content. Note: To be able to edit content, a user should also be granted a permission to read the content. |
| Create | Creating new content. Note: To be able to create entries or assets and fill them with content, a user should also be granted permissions to read and edit the content. |
| Delete | Deleting an entry or asset. Note: To be able to delete published content, a user should also be granted a permission to publish/unpublish. |
| Archive/Unarchive | Archiving and unarchiving content. Note: To be able to archive published content, a user should also be granted a permission to publish/unpublish. |
| Publish/Unpublish | Making content publicly available and bringing it back to draft state. |
Important! The Read permission enables the user to view content. If you are granting a user permission to edit, create, delete, archive/unarchive or publish/unpublish content, you should also add a permission to read this content to the user’s role.
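The Editor role from the example above and the prerequisite notes in the action list can be checked with a small evaluator. This is an added example, not the product's own code or role format: the rule tuples, the role dictionaries and the content type IDs `page` and `blogPost` are assumptions, and the prerequisites are treated as hard requirements for simplicity.

```python
# Simplified model of Allow/Deny evaluation. The rule tuples, role dicts and
# content type IDs are assumptions for illustration, not the product's format.
ALL = "*"  # stands for the "All content types" scope

def prerequisites(action, published=False):
    """Other actions that must also be granted, per the notes in the action list."""
    needed = set() if action == "read" else {"read"}
    if action == "create":
        needed.add("edit")
    if published and action in ("delete", "archive"):
        needed.add("publish")
    return needed

def matches(rule, action, content_type):
    rule_action, rule_type = rule
    return rule_action == action and rule_type in (ALL, content_type)

def granted(role, action, content_type):
    """Nothing is permitted without an Allow rule; a matching Deny rule wins."""
    if any(matches(r, action, content_type) for r in role["deny"]):
        return False
    return any(matches(r, action, content_type) for r in role["allow"])

def can(role, action, content_type, published=False):
    """Effective permission: the action and all its prerequisites are granted."""
    needed = {action} | prerequisites(action, published)
    return all(granted(role, a, content_type) for a in needed)

def missing_prerequisites(role):
    """Audit: Allow rules that have no effect because a prerequisite is not allowed."""
    return sorted(
        (action, ctype, need)
        for action, ctype in role["allow"]
        for need in prerequisites(action)
        if not any(matches(r, need, ctype) for r in role["allow"])
    )

# The Editor role from the example above (constructed content type IDs).
EDITOR = {"allow": [("edit", ALL), ("read", ALL)], "deny": [("edit", "blogPost")]}
# A misconfigured role: Edit is allowed but Read was forgotten.
EDIT_ONLY = {"allow": [("edit", ALL)], "deny": []}

if __name__ == "__main__":
    for ctype in ("page", "blogPost"):
        print(ctype, {a: can(EDITOR, a, ctype) for a in ("read", "edit", "delete")})
    print("unusable rules:", missing_prerequisites(EDIT_ONLY))
```

Running `missing_prerequisites` over every role in a space is a quick way to spot Allow rules that grant less than their author intended.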