Allow and Deny rules
How Allow and Deny rules work
A user’s permissions to access and manage content in a space are set with Allow and Deny rules. These rules define which actions a user is explicitly allowed or denied to perform on entries and assets in a space.
NOTE: Allow and Deny rules are set under the Content and Media tabs of the role editor page.
An Allow rule defines an action a user is able to perform in a space. A user won’t be able to perform any action that is not explicitly allowed by an Allow rule in the user’s role.
A Deny rule explicitly defines an action a user is restricted from performing in a space. Deny rules are used to limit the scope of the permissions granted by Allow rules.
To show how to set up a user’s permissions to access and manage content using Allow and Deny rules, let’s consider the following example:
Let’s assume that you would like an editor on your team to be able to edit all content in a space except blog posts, because those are created and edited only by your team’s content writer. For this purpose, you will create an Editor role and add an Allow rule to it, selecting "Edit" as the action and the "All content" and "All content types" options to define the scope of content. You will then add another Allow rule with the "Read" action and the same "All content" and "All content types" options, to make sure your editor is able to access and view the content that they will edit. Then, to restrict your editor from editing blog posts, you will add a Deny rule, selecting "Edit" as the action and "All content" and the "Blog post" content type as the scope of content.
Actions defined by Allow and Deny rules
The table below explains what a user will be allowed to do or restricted from doing with each specific action defined in their role:
Important! Read permission enables the user to view content. If you are granting a user permissions to edit, create, delete, archive/unarchive and publish/unpublish the content, you should also add a permission to read this content to the user’s role.
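The Editor role from the example above, and the Read requirement in the note, modeled as an added example (this is not Contentful's code or API). It assumes a simplified rule model where scope is reduced to content type only; the names `Rule`, `is_permitted`, `missing_read` and the content type IDs are hypothetical.

```python
from dataclasses import dataclass

ALL = "*"  # stands in for the "All content types" scope option (assumption)

@dataclass(frozen=True)
class Rule:
    effect: str        # "allow" or "deny"
    action: str        # e.g. "read", "edit", "publish"
    content_type: str  # content type ID, or ALL

def matches(rule, action, content_type):
    """A rule applies when the action is the same and its scope covers the type."""
    return rule.action == action and rule.content_type in (ALL, content_type)

def is_permitted(rules, action, content_type):
    """Nothing is permitted unless an Allow rule matches; a matching Deny rule
    narrows whatever the Allow rules grant."""
    hits = [r for r in rules if matches(r, action, content_type)]
    if any(r.effect == "deny" for r in hits):
        return False
    return any(r.effect == "allow" for r in hits)

def missing_read(rules, content_types):
    """Audit check: (action, content_type) pairs the role permits on content
    the user cannot read, i.e. grants that lack the Read rule."""
    actions = {r.action for r in rules if r.effect == "allow"} - {"read"}
    return sorted(
        (action, ct)
        for ct in content_types
        for action in actions
        if is_permitted(rules, action, ct) and not is_permitted(rules, "read", ct)
    )

# Editor role from the example; content type IDs are constructed for illustration.
EDITOR = [
    Rule("allow", "edit", ALL),
    Rule("allow", "read", ALL),
    Rule("deny", "edit", "blogPost"),
]
TYPES = ["blogPost", "landingPage"]

if __name__ == "__main__":
    for ct in TYPES:
        print(ct, "edit:", is_permitted(EDITOR, "edit", ct),
              "read:", is_permitted(EDITOR, "read", ct))
    print("grants without read:", missing_read(EDITOR, TYPES))
```

Running `missing_read` over each role before assigning it catches roles that grant Edit or Publish on content the user cannot view.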