Permissions
List Permission Rules
List all permission rules that exist in Directus.
Query Parameters
Control what fields are being returned in the object.
A limit on the number of objects that are returned.
How many items to skip when fetching data.
What metadata to return in the response.
How to sort the returned items. sort is a CSV of fields used to sort the fetched items. Sorting defaults to ascending (ASC) order but a minus sign (-) can be used to reverse this to descending (DESC) order. Fields are prioritized by their order in the CSV. You can also use a ? to sort randomly.
Select items in collection by given conditions.
Filter by items that contain the given search query in one of their fields.
Cursor for use in pagination. Often used in combination with limit.
Responses
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
JSON structure containing the permissions checks for this permission.
JSON structure containing the validation checks for this permission.
JSON structure containing the preset value for created/updated items.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
Returns the total item count of the collection you're querying.
Returns the item count of the collection you're querying, taking the current filter/search parameters into account.
GET /permissions
import { createDirectus, rest, readPermissions } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(readPermissions(query_object));
POST /graphql/system
type Query {
    permissions: directus_permissions
}
{
  "data": [
    {
      "id": 1,
      "collection": "customers",
      "action": "create",
      "permissions": {},
      "validation": {},
      "presets": {},
      "fields": []
    }
  ],
  "meta": {}
}
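An added example, not taken from the Directus documentation, of reviewing the `data` array this endpoint returns for broad rules. It assumes that an empty or null `permissions` object means no item-level filter and that `"*"` in `fields` means every field; the sample rules, the `owner` field and the policy names are constructed.

```javascript
// Added example: review rules returned by GET /permissions for broad grants.
// Assumptions (not stated on this page): an empty or null `permissions` object
// means no item-level filter, and "*" in `fields` means every field.
const isEmpty = (v) =>
  v == null || (typeof v === 'object' && Object.keys(v).length === 0);

// `fields` is described as a CSV but the sample shows an array; accept both.
function fieldList(fields) {
  if (fields == null) return [];
  const list = Array.isArray(fields) ? fields : String(fields).split(',');
  return list.map((f) => String(f).trim()).filter(Boolean);
}

// Return one finding per rule that is broader than a scoped rule would be.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const reasons = [];
    // Item filters are not checked for create: there is no existing item to match.
    if (rule.action !== 'create' && isEmpty(rule.permissions)) {
      reasons.push('no item filter');
    }
    if (fieldList(rule.fields).includes('*')) reasons.push('all fields');
    if (reasons.length > 0) {
      const { id, collection, action, policy = null } = rule;
      findings.push({ id, collection, action, policy, reasons });
    }
  }
  return findings;
}

// Constructed sample rules in the shape of the `data` array shown above.
// The `owner` field and the policy names are hypothetical.
const sampleRules = [
  { id: 1, collection: 'customers', action: 'read', permissions: {}, fields: ['*'], policy: 'policy-a' },
  { id: 2, collection: 'customers', action: 'update',
    permissions: { owner: { _eq: '$CURRENT_USER' } }, fields: 'name,email', policy: 'policy-a' },
  { id: 3, collection: 'invoices', action: 'delete', permissions: null, fields: [], policy: 'policy-b' },
  { id: 4, collection: 'customers', action: 'create', permissions: {}, fields: ['name'], policy: 'policy-b' },
];

console.log(auditRules(sampleRules));
```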
Create Multiple Permission Rules
Create multiple new permission rules.
Query Parameters
Control what fields are being returned in the object.
A limit on the number of objects that are returned.
How many items to skip when fetching data.
What metadata to return in the response.
How to sort the returned items. sort is a CSV of fields used to sort the fetched items. Sorting defaults to ascending (ASC) order but a minus sign (-) can be used to reverse this to descending (DESC) order. Fields are prioritized by their order in the CSV. You can also use a ? to sort randomly.
Select items in collection by given conditions.
Filter by items that contain the given search query in one of their fields.
Cursor for use in pagination. Often used in combination with limit.
Request Body
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
JSON structure containing the permissions checks for this permission.
JSON structure containing the validation checks for this permission.
JSON structure containing the preset value for created/updated items.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
Responses
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
JSON structure containing the permissions checks for this permission.
JSON structure containing the validation checks for this permission.
JSON structure containing the preset value for created/updated items.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
Returns the total item count of the collection you're querying.
Returns the item count of the collection you're querying, taking the current filter/search parameters into account.
POST /permissions
import { createDirectus, rest, createPermissions } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(createPermissions(permission_object_array));
POST /graphql/system
type Mutation {
  create_permissions_items(data: [create_directus_permissions_input!]!): [directus_permissions]
}
{
  "data": [
    {
      "id": 1,
      "collection": "customers",
      "action": "create",
      "permissions": {},
      "validation": {},
      "presets": {},
      "fields": []
    }
  ],
  "meta": {}
}
Delete Multiple Permission Rules
Delete multiple existing permission rules.
Responses
DELETE /permissions
import { createDirectus, rest, deletePermissions } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(deletePermissions(permission_id_array));
POST /graphql/system
type Mutation {
    delete_permissions_items(ids: [ID!]!): delete_many
}
Update Multiple Permission Rules
Update multiple permissions at the same time.
Query Parameters
Control what fields are being returned in the object.
A limit on the number of objects that are returned.
What metadata to return in the response.
How many items to skip when fetching data.
How to sort the returned items. sort is a CSV of fields used to sort the fetched items. Sorting defaults to ascending (ASC) order but a minus sign (-) can be used to reverse this to descending (DESC) order. Fields are prioritized by their order in the CSV. You can also use a ? to sort randomly.
Select items in collection by given conditions.
Filter by items that contain the given search query in one of their fields.
Request Body
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
Responses
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
JSON structure containing the permissions checks for this permission.
JSON structure containing the validation checks for this permission.
JSON structure containing the preset value for created/updated items.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
Returns the total item count of the collection you're querying.
Returns the item count of the collection you're querying, taking the current filter/search parameters into account.
PATCH /permissions
import { createDirectus, rest, updatePermissions } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(updatePermissions(permission_id_array, permission_object_panel));
POST /graphql/system
type Mutation {
    update_permissions_items(id: [ID!]!, data: update_directus_permissions_input!): [directus_permissions]
}
{
  "data": [
    {
      "id": 1,
      "collection": "customers",
      "action": "create",
      "permissions": {},
      "validation": {},
      "presets": {},
      "fields": []
    }
  ],
  "meta": {}
}
Create a Permission Rule
Create a new permission rule.
Query Parameters
What metadata to return in the response.
Request Body
What collection this permission applies to.
If the user can post comments.
If the user can create items.
If the user can update items.
If the user is required to leave a comment explaining what was changed.
If the user can read items.
Unique identifier of the role this permission applies to.
Explicitly denies read access for specific fields.
What status this permission applies to.
Explicitly denies specific statuses to be used.
If the user can update items.
Explicitly denies write access for specific fields.
Responses
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
POST /permissions
import { createDirectus, rest, createPermission } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(createPermission(permission_object));
POST /graphql/system
type Mutation {
    create_permissions_item(data: create_directus_permissions_input!): directus_permissions
}
{
  "data": {
    "id": 1,
    "collection": "customers",
    "action": "create",
    "permissions": {},
    "validation": {},
    "presets": {},
    "fields": []
  }
}
Retrieve a Permission Rule
Retrieve a single permission rule object by its unique identifier.
Query Parameters
Identifier for the object.
Control what fields are being returned in the object.
What metadata to return in the response.
Responses
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
GET /permissions/{id}
import { createDirectus, rest, readPermission } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(readPermission(permission_id, query_object));
POST /graphql/system
type Query {
    permissions_by_id(id: ID!): directus_permissions
}
{
  "data": {
    "id": 1,
    "collection": "customers",
    "action": "create",
    "permissions": {},
    "validation": {},
    "presets": {},
    "fields": []
  }
}
Delete a Permission Rule
Delete an existing permission rule.
Query Parameters
Identifier for the object.
Responses
DELETE /permissions/{id}
import { createDirectus, rest, deletePermission } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(deletePermission(permission_id));
POST /graphql/system
type Mutation {
    delete_permissions_item(id: ID!): delete_one
}
Update a Permission Rule
Update an existing permission rule.
Query Parameters
Identifier for the object.
What metadata to return in the response.
Request Body
What collection this permission applies to.
If the user can post comments.
If the user can create items.
If the user can update items.
If the user is required to leave a comment explaining what was changed.
If the user can read items.
Explicitly denies read access for specific fields.
Unique identifier of the role this permission applies to.
What status this permission applies to.
Explicitly denies specific statuses to be used.
If the user can update items.
Explicitly denies write access for specific fields.
Responses
Unique identifier for the permission.
What collection this permission applies to.
What action this permission applies to.
CSV of fields that the user is allowed to interact with.
Policy this permission applies to. Many-to-one to policies.
PATCH /permissions/{id}
import { createDirectus, rest, updatePermission } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(updatePermission(permission_id, partial_permission_object));
POST /graphql/system
type Mutation {
    update_permissions_item(id: ID!, data: update_directus_permissions_input!): directus_permissions
}
{
  "data": {
    "id": 1,
    "collection": "customers",
    "action": "create",
    "permissions": {},
    "validation": {},
    "presets": {},
    "fields": []
  }
}
Get Current User Permissions
Check the current user's permissions across all collections. The response is an object that contains one entry for every collection with at least one permission. Each collection has entries corresponding to the actions the user is able to perform on the collection. The `access` property indicates the level of access the user has for an action for a collection. `"none"` means the user has no access, `"partial"` means the user has access to some items, but may not have access to all items, and `"full"` means the user has access to all items.
Responses
GET /permissions/me
import { createDirectus, rest, readUserPermissions } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
const result = await client.request(readUserPermissions());
POST /graphql/system
query {
    permissions_me
}
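An added example, not part of the Directus documentation, that compares the per-collection `access` levels described above with an expected least-privilege baseline and reports every action where the account has more access than intended. The collection names and the baseline are constructed; the input object is assumed to be the collection-to-action map that `readUserPermissions()` returns.

```javascript
// Added example: compare a GET /permissions/me result with a least-privilege baseline.
// In practice the input would come from client.request(readUserPermissions());
// here it is a constructed sample so the check runs offline.
const RANK = { none: 0, partial: 1, full: 2 };

// Access level for one collection/action; anything absent counts as "none".
function accessOf(map, collection, action) {
  const level = map?.[collection]?.[action]?.access ?? 'none';
  if (!Object.prototype.hasOwnProperty.call(RANK, level)) {
    throw new Error(`unknown access level: ${level}`);
  }
  return level;
}

// Return every collection/action where actual access exceeds the baseline.
function findExcessAccess(actual, baseline) {
  const findings = [];
  for (const [collection, actions] of Object.entries(actual)) {
    for (const action of Object.keys(actions)) {
      const got = accessOf(actual, collection, action);
      const allowed = accessOf(baseline, collection, action);
      if (RANK[got] > RANK[allowed]) {
        findings.push({ collection, action, got, allowed });
      }
    }
  }
  return findings.sort((a, b) =>
    `${a.collection}.${a.action}`.localeCompare(`${b.collection}.${b.action}`));
}

// Constructed sample in the shape the paragraph above describes.
const samplePermissionsMe = {
  customers: { read: { access: 'full' }, update: { access: 'partial' }, delete: { access: 'full' } },
  invoices: { read: { access: 'partial' } },
  audit_log: { read: { access: 'full' } },
};

// Hypothetical baseline: the access this account is expected to have.
const sampleBaseline = {
  customers: { read: { access: 'full' }, update: { access: 'partial' } },
  invoices: { read: { access: 'full' } },
};

console.log(findExcessAccess(samplePermissionsMe, sampleBaseline));
```

Collections and actions missing from the baseline are treated as `"none"`, so any newly granted permission shows up as a finding.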
Check Permissions for a Specific Item
Check the current user's permissions on a specific item. For a singleton where update access is given, the presets and fields properties from the corresponding update permission are additionally returned. The response structure is maintained in any case, even if the collection or item does not exist. To check for the existence of an item, use the get items endpoint instead.
Query Parameters
Collection from which you want to retrieve the items.
Identifier for the object.
Responses
GET /permissions/me/{collection}/{id}
import { createDirectus, rest, readItemPermissions } from '@directus/sdk';
const client = createDirectus('directus_project_url').with(rest());
// collection item
const itemResult = await client.request(readItemPermissions(collection_name, item_id));
// singleton (no item id)
const singletonResult = await client.request(readItemPermissions(collection_name));
// Currently not supported in GraphQL.