Permissions

Permissions control what users can do in your organization. Console uses a Group-Based Permission System where users are assigned to groups, and groups define what actions are allowed.

How It Works

User → assigned to → Groups → contain → Permissions → allow → Actions

Simple Example:

User: Alice
Group: Content Editors
Permissions: Can read and edit content (but not delete)
Result: Alice can view and edit content, but cannot delete it

Groups

Groups are named collections of permissions. Instead of giving permissions directly to users, you assign users to groups.

Why Use Groups?

Easier Management

Change permissions for many users at once by updating a group

Consistency

All users in a role have the same permissions

Clarity

Group names make it clear what users can do

Scalability

Add new users without configuring permissions each time

Common Group Examples

Group Name	Purpose	Typical Actions
Administrators	Full control	All actions
Managers	Team management	Read, create, update users
Editors	Content management	Read, create, update content
Viewers	Read-only access	Read only
Support	Customer support	Read users, update tickets

Creating a Group

To create a permission group:

Navigate to Groups
Click Create Group
Fill in the details:
- Name: e.g., "Content Editors"
- Description: "Can create and edit content but not delete"
Add permissions/roles:
- Choose what resources this group can access
- Select which actions are allowed
Click Create

Group Properties

Each group has:

Name: Display name (e.g., "Administrators")
Slug: URL-friendly identifier (e.g., "administrators")
Description: What this group is for
Roles/Permissions: What the group can do
Members: Users assigned to this group

Permissions

Permissions define specific actions that are allowed on resources.

Permission Structure

Each permission has three parts:

Target: What resource it applies to
Actions: What can be done
Scope: Where it applies (typically company-wide)

Actions

Console supports these standard actions:

Action	Description	Example
Read	View resources	See user list
Create	Add new resources	Invite new users
Update	Modify existing resources	Edit user details
Delete	Remove resources	Remove users
*All ()**	Everything	Full administrative access

Targets

Permissions can target different resource types:

Users: User management
Groups: Permission management
Content: Application-specific content
Settings: Configuration and preferences
Billing: Payment and subscription (if applicable)

Setting Up Permissions

Step 1: Plan Your Roles

Before creating groups, plan your organization's roles:

Role	What they do	Permissions needed
Admin	Everything	All resources, all actions
Manager	Manage users	Users (read, create, update)
Editor	Create content	Content (read, create, update)
Viewer	Browse only	All resources (read only)

Step 2: Create Groups

Create a group for each role:

Group: "Managers"
└── Permission: Manage Users
    ├── Target: Users
    └── Actions: read, create, update

Step 3: Assign Users

Add users to the appropriate groups:

Go to Users and select a user
Click Edit
In the Groups section, select relevant groups
Click Save

Changes take effect immediately.

Permission Examples

Example 1: Content Editor

Create a group for users who manage content:

Group: "Content Editors"

Target: Content
Actions: read, create, update
Result: Can create and edit content, but cannot delete

Example 2: Support Team

Create a group for customer support:

Group: "Support Team"

Permissions:
- Users (read) - Can view user information
- Tickets (read, update) - Can view and update support tickets
Result: Can help customers but cannot modify user accounts

Example 3: Department Admin

Create a group for team administrators:

Group: "Department Admins"

Permissions:
- Users (read, create, update) - Can manage users in their department
- Groups (read) - Can see what groups exist
Result: Can manage users but not company-wide settings

Multi-Group Users

Users can belong to multiple groups and inherit all permissions from all groups.

Example:

User: Alice
├── Group: "Content Editors" → Can edit content
└── Group: "User Managers" → Can manage users

Result: Alice can both edit content AND manage users

This is useful for:

Hybrid roles (e.g., Manager who also edits content)
Temporary additional access
Cross-functional team members

Best Practices

1. Use Descriptive Names

❌ Bad:

"Group 1"
"Admin"
"Users"

✅ Good:

"Content Editors"
"Department Administrators"
"Support Team Members"

2. Follow Least Privilege

Give users only the permissions they need:

❌ Bad: Everyone is an Administrator

✅ Good:

Most users: Viewers
Team leads: Managers
Few trusted users: Administrators

3. Create Role-Based Groups

Organize groups by role, not by person:

❌ Bad:

"Alice's Permissions"
"Bob's Access"

✅ Good:

"Marketing Editors"
"Engineering Managers"

4. Document Group Purposes

Add clear descriptions to groups:

Example:

Name: "Content Moderators"
Description: "Can review and approve user-generated content. Cannot delete users or modify billing."

5. Regular Audits

Review permissions regularly:

Monthly: Check who has administrative access
Quarterly: Review all groups and their members
Annually: Re-evaluate permission structure

Common Scenarios

Scenario 1: New Employee

When: Hiring a new content writer

Steps:

Invite user
Assign to "Content Editors" group
They automatically get content editing permissions

Scenario 2: Promotion

When: Promoting an editor to manager

Steps:

Keep them in "Content Editors" group
Add them to "Team Managers" group
They now have both permissions

Scenario 3: Temporary Access

When: Giving temporary admin access

Steps:

Add user to "Temporary Admins" group
Set a calendar reminder to remove them
Remove from group when time expires

Scenario 4: Access Denied Error

When: User says "I can't access X"

Debug:

Check which groups they're in
Review what permissions those groups have
Add them to appropriate group if missing
Or update the group's permissions

Understanding Access Denied

When a user tries to do something they don't have permission for:

Console shows an "Access Denied" message
The action is blocked
No partial access - either they can do it or they can't

As an admin:

Review the user's groups
Check group permissions
Add necessary permissions or reassign groups

Next Steps

Setting Up Permissions Guide - Step-by-step permission setup
Managing Users - Assign users to groups
Security - Security best practices

For Developers

Want to check permissions programmatically? See the Authorization API Guide.

How It Works​

Groups​

Why Use Groups?​

Easier Management

Consistency

Clarity

Scalability

Common Group Examples​

Creating a Group​

Group Properties​

Permissions​

Permission Structure​

Actions​

Targets​

Setting Up Permissions​

Step 1: Plan Your Roles​

Step 2: Create Groups​

Step 3: Assign Users​

Permission Examples​

Example 1: Content Editor​

Example 2: Support Team​

Example 3: Department Admin​

Multi-Group Users​

Best Practices​

1. Use Descriptive Names​

2. Follow Least Privilege​

3. Create Role-Based Groups​

4. Document Group Purposes​

5. Regular Audits​

Common Scenarios​

Scenario 1: New Employee​

Scenario 2: Promotion​

Scenario 3: Temporary Access​

Scenario 4: Access Denied Error​

Understanding Access Denied​

Next Steps​

How It Works

Groups

Why Use Groups?

Common Group Examples

Creating a Group

Group Properties

Permissions

Permission Structure

Actions

Targets

Setting Up Permissions

Step 1: Plan Your Roles

Step 2: Create Groups

Step 3: Assign Users

Permission Examples

Example 1: Content Editor

Example 2: Support Team

Example 3: Department Admin

Multi-Group Users

Best Practices

1. Use Descriptive Names

2. Follow Least Privilege

3. Create Role-Based Groups

4. Document Group Purposes

5. Regular Audits

Common Scenarios

Scenario 1: New Employee

Scenario 2: Promotion

Scenario 3: Temporary Access

Scenario 4: Access Denied Error

Understanding Access Denied

Next Steps