Access Control

Sanity has preliminary access control for users and groups. Currently, every dataset is automatically populated with the following fixed groups:

  • Administrator: can create, update, delete, and read all documents
  • Read+Write: can create, update, delete, and read all documents
  • Read: can read documents, but only under the root path (so studio drafts and system documents are hidden)
  • Create Session: can create Sanity tokens if you are using third-party login (enterprise plans only).

Unauthenticated users get the special identity everyone, and are automatically members of the read group.

Group memberships and user invitations are managed in the project's management console.


All published documents are publicly available, since the everyone user has read-access to all documents under the root path. This currently cannot be changed. Studio drafts are only available to authenticated users in the read+write or administrator groups, since they are stored under the drafts. path.

Customized access control

Enterprise Feature

Customized access control is only available for projects on our enterprise plan. Groups in regular projects cannot be modified.

Enterprise users can add and modify groups to set up custom access control rules. Groups are stored as regular Sanity documents in each dataset (see details below), and can be modified using mutations like any other document.

Group documents

Groups are stored as documents of type under the _.groups. path, and look something like this:

  "_id": "",
  "_type": "",
  "_rev": "wzDKrHcEddnCsDSCdb6KHZ",
  "_createdAt": "2017-12-12T11:46:55Z",
  "_updatedAt": "2017-12-12T11:46:55Z",
  "grants": [
      "path": "*",
      "permissions": ["read"]
  "members": ["everyone"]

grants is an array giving a set of permissions (read, create, update, or manage) for documents either matching a path expression given in path, or an arbitrary GROQ expression given in filter. Permissions are additive, such that any grant giving a permission to a matching document is sufficient for access.

members lists the IDs of the group's members, where everyone is the special ID given to unauthenticated users. Member IDs can only contain the characters a-zA-Z0-9_-.

The default group documents cannot be modified through the API, use the project's management console instead.

Enterprise Feature

Enterprise users with our customized access control feature enabled can create and manage group documents via the API.

Previous: Migrating DataNext: Third-Party Login