Index
Edit

Access Control

Sanity has preliminary access control for users and groups. Currently, every dataset is automatically populated with the following fixed groups:

  • Administrator: can create, update, delete, and read all documents
  • Read+Write: can create, update, delete, and read all documents
  • Read: can read documents, but only under the root path (so studio drafts and system documents are hidden)
  • Create Session: can create Sanity tokens if you are using third-party login (enterprise plans only).

Unauthenticated users get the special identity everyone, and are automatically members of the read group.

Group memberships and user invitations are managed in the project's management console.

Gotcha

All published documents in a public dataset are publicly available, since the everyone user has read-access to all documents under the root path. The only way to hide these are to set the dataset as private and add custom permissions for everyone. Studio drafts are only available to authenticated users in the read+write or administrator groups, since they are stored under the drafts. path.

Customized access control

Enterprise users can add and modify groups to set up custom access control rules. Groups are stored as regular Sanity documents in each dataset (see details below), and can be modified using mutations like any other document. Only create session tokens have the permission to update and create new group documents.

Group documents

Groups are stored as documents of type system.group under the _.groups. path, and look something like this:

{
  "_id": "_.groups.read",
  "_type": "system.group",
  "_rev": "wzDKrHcEddnCsDSCdb6KHZ",
  "_createdAt": "2017-12-12T11:46:55Z",
  "_updatedAt": "2017-12-12T11:46:55Z",
  "grants": [
    {
      "path": "*",
      "permissions": ["read"]
    }
  ],
  "members": ["everyone"]
}

grants is an array giving a set of permissions (read, create, update, or manage) for documents either matching a path expression given in path, or an filter expression given in filter.

{
  "_id": "_.groups.authors",
  "_type": "system.group",
  "_rev": "wzDKrHcEddnCsDSCdb6KHZ",
  "_createdAt": "2017-12-12T11:46:55Z",
  "_updatedAt": "2017-12-12T11:46:55Z",
  "grants": [
    {
      "filter": "_type == 'categories'",
      "permissions": ["read", "create"]
    },
    {
      "filter": "_type == 'post'",
      "permissions": ["read", "update", "create"]
    }
  ],
  "members": ["e-a-user-id", "e-another-user-id"]
}
Gotcha

Permissions by filter can't include subqueries or joins. For example, "filter": "_type == 'post' && (author._ref in *[_type == 'authors'])" will not work.

Permissions are additive, such that any grant giving a permission to a matching document is sufficient for access.

members lists the IDs of the group's members, where everyone is the special ID given to unauthenticated users. Member IDs can only contain the characters a-zA-Z0-9_-.

The default group documents cannot be modified through the API, use the project's management console instead.

Previous: Migrating DataNext: Third-Party Login (SSO)