
Management API permissions

#Overview

The same set of Management API permissions is available for both Roles and Permanent Auth Tokens. Some permissions are view permissions, meaning they have an impact on what a user assigned to a role can see in the UI, while other permissions will allow certain actions through the Management API when granted.

The default permissions differ between the two. Default role permissions ensure that users can access the UI (mostly read permissions), while the defaults for PATs cover certain create and read permissions.

You can manually add anything beyond the defaults, depending on what you need.

If you lack the necessary permissions:

  • Roles: You will not be able to see parts of the UI (such as a button), you will get an error when trying to access parts of the UI, or you will be logged out.
  • Tokens: You will get an error message indicating you don't have the necessary permissions.

#Roles

Some Management API permissions affect how you can interact with the UI.

The default Management API permissions that you get for a custom role are the basics that you need to view the UI correctly.

All default permissions are UI-related and ensure you can use the webapp. On top of that, you can grant other permissions, depending on what you want the role to be able to do.

Hygraph offers system roles for Admin, Editor, Developer, and Contributor. The permissions configured out of the box for these roles show role-based differences that reflect the tasks each should be able to perform in the system. This is why a user under the role of Editor won't be able to see the API Playground in the UI, while a user under the role of Admin or Developer can.

It is possible to grant a role all content permissions and still use the Management API permissions to hide buttons in the UI for all users assigned to that role. However, bear in mind that in this case, a user who has access to the API can still take those actions, because the content permissions are granted; the actions are only unavailable in the UI, where the corresponding buttons are hidden from them.
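The caveat above can be checked mechanically. The following audit is an added example, not Hygraph code: it flags content actions a role may still perform through the API although the matching entry control is hidden in the UI. The content action names (`read`, `create`, ...) and the shape of the role objects are assumptions; the Management API permission labels are the ones listed on this page.

```javascript
// Management API permissions that show or hide entry controls in the UI,
// keyed by the content action they correspond to. The action keys are
// assumed names for illustration; the labels come from this page.
const UI_GATES = {
  read: ['Read existing entries'],
  create: ['Create new entries'],
  update: ['Update existing non published entries', 'Update published entries'],
  delete: ['Delete existing entries'],
  publish: ['Publish non-published entries'],
};

// Returns one finding per content action that is granted to the role while
// the UI control for it is hidden: the action stays reachable via the API.
function findUiOnlyRestrictions(role) {
  const mgmt = new Set(role.managementPermissions);
  const findings = [];
  for (const action of role.contentActions) {
    for (const gate of UI_GATES[action] || []) {
      if (!mgmt.has(gate)) {
        findings.push({
          role: role.name,
          action,
          hiddenBy: gate,
          fix: `remove the "${action}" content permission if the action must be blocked`,
        });
      }
    }
  }
  return findings;
}

function auditRoles(roles) {
  return roles.flatMap(findUiOnlyRestrictions);
}

// Constructed sample roles (hypothetical export format).
const SAMPLE_ROLES = [
  {
    name: 'Reviewer',
    // All content permissions granted, but Delete and Publish hidden in the UI.
    contentActions: ['read', 'create', 'update', 'delete', 'publish'],
    managementPermissions: [
      'Read existing entries',
      'Create new entries',
      'Update existing non published entries',
      'Update published entries',
    ],
  },
  {
    name: 'Author',
    // Content permissions and UI controls agree: nothing to report.
    contentActions: ['read', 'create', 'update'],
    managementPermissions: [
      'Read existing entries',
      'Create new entries',
      'Update existing non published entries',
      'Update published entries',
    ],
  },
];

console.log(JSON.stringify(auditRoles(SAMPLE_ROLES), null, 2));
```

A finding means the restriction is cosmetic: to actually block the action, the content permission itself has to be removed.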

#Default role permissions

These are the permissions that a user needs to have to view the UI correctly.

| Permission | Description |
| --- | --- |
| Read existing fields | If this permission is not granted, the user cannot see or access the Fields tab in the UI. |
| Read existing enumerations | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but they won't be able to see the enumerations in it. |
| Read locales | If this permission is not granted, users will get an error when trying to access the app. |
| Read public view groups | If this permission is not granted, users will get an error when trying to access the content editor. |
| Read existing components | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but they won't be able to see the components in it. |
| Read existing entries | If this permission is not granted, users won't be able to see or access the Content and Assets tabs in the app. |
| Read public content views | If this permission is not granted, users will get an error when trying to access the content editor. |
| Read existing environments | If this permission is not granted, users cannot access the project and will get an error attempting to log in. |
| Read remote sources | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but they won't be able to see the remote sources in it. |
| Read stages | If this permission is not granted, users will get an error when trying to access the app. |
| Read existing models | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but they won't be able to see the models in it. |

#Additional role permissions

| Permission | Description |
| --- | --- |
| Assign a role to a user | If this permission is not granted, the user cannot see the Assign role option in Project Settings > Team > Members. |
| Can add app installations | If this permission is not granted, the Explore apps banner is hidden in the Apps section of the UI. Projects where this permission is not granted to the user do not display on the project selector dropdown for new app installations. |
| Can create content permissions | If this permission is not granted, users cannot see the Add permission option in the Public Content API, roles, and PATs sections of the project settings. |
| Can create new permanent auth tokens | This permission allows users to create new permanent auth tokens. If this permission is not granted, users can't see the + Add Token button at the top of the Permanent Auth Tokens screen in Project Settings. |
| Can delete app installations | If this permission is not granted, the user cannot see the Uninstall app option in the app cards context menu. |
| Can delete content permissions | If this permission is not granted, users cannot see the Delete option for content permissions in the Public Content API, roles, and PATs sections of the project settings. |
| Can delete existing permanent auth tokens | This permission allows users to delete permanent auth tokens. If this permission is not granted, users can't see the Delete option inside the context menu of permanent auth tokens in the Access section of Project Settings. |
| Can read content permissions | If this permission is not granted, the user cannot see the Content permissions block for roles and PATs. |
| Can read existing permanent auth tokens | This permission allows users to see the Access section in Project Settings. If you want to give someone access to the API Playground, this permission needs to be granted, along with Can see API Playground, because on the Playground, we load Auth Tokens to show them on the dropdown. |
| Can see Role & Permissions Settings | If this permission is not granted, the user cannot see the Roles menu in the project settings. |
| Can see schema view | View permission that allows a user to see the Schema builder. You can choose to deselect this permission to hide the schema view for roles for which it's not relevant. |
| Can see Team Member Settings | If this permission is not granted, the user cannot see the Members tab in Project Settings > Team. |
| Can update app installations | This permission grants the user the ability to see the Edit button on app cards. |
| Can update content permissions | If this permission is not granted, users cannot see the Edit option for content permissions in the Public Content API, roles, and PATs sections of the project settings. |
| Can update existing permanent auth tokens | This permission allows users to edit permanent auth tokens. If this permission is not granted, users can't see the Edit option inside the context menu of permanent auth tokens in the Access section of Project Settings. |
| Can use the playground | If this permission is not granted, users cannot see the API Playground in the top-level menu, and the Preview in playground option in the Content editor and Assets. |
| Change the name, picture and description of a project | This permission allows users to edit the project details in Project Settings > General > Project. The whole section will be visible but grayed out and read-only if this permission is not granted. |
| Create a new environment backup | This permission allows creating a new environment backup. |
| Create locales | This permission allows users to create new locales in a project. If this permission is not granted, users cannot use the Add button at the top of the existing locales in Project Settings > General > Locales. |
| Create new components | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but will not be able to use the + Add button to create new components. |
| Create new entries | This permission grants you the ability to create new entries. If you do not select it, the user will not see the + Add entry button at the top right corner of the content editor screen. |
| Create new enumerations | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but will not be able to use the + Add button to create new enumerations. |
| Create new environment | If this permission is not granted, the Clone button in Project Settings > General > Environments is disabled. |
| Create new fields | If this permission is not granted, the user cannot see the Fields side panel in the schema builder. |
| Create new models | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but will not be able to use the + Add button to create new models. |
| Create new roles | If this permission is not granted, the user cannot see the option to add a custom role in the UI. |
| Create new webhooks | If this permission is not granted, the user cannot see the + Add webhook button. |
| Create public content views | Enable this permission to allow users to create custom content views in the content editor. If this permission is not granted, users won't see the Add custom view button at the top of the screen. |
| Create public view groups | This permission grants users the ability to create view groups. |
| Create remote sources | If this permission is not granted to a user who has the Can see schema view permission, they will be able to access the Schema builder, but will not be able to see the + Add button to create new remote sources. |
| Create stages | This permission allows users to see the + Add stage button in Project Settings > General > Content Stages. |
| Delete an existing environment | If this permission is not granted, the Delete and Promote to master options in Project Settings > General > Environments are disabled. |
| Delete an existing environment backup | This permission allows deleting an existing environment backup. |
| Delete an existing role | If this permission is not granted, the user cannot see the Delete option for custom roles. |
| Delete an existing webhook | This permission grants users the ability to see the Delete option for webhooks. |
| Delete existing components | If this permission is not granted, the user cannot see the Delete option inside a component's context menu. |
| Delete existing entries | This permission grants you the ability to delete entries. If this is not selected, you will not see the Delete button. |
| Delete existing enumerations | This permission allows users to delete enumerations. If this permission is not granted, users can't see the Delete option inside the context menu at the top of the enumeration details screen. |
| Delete existing fields | This permission allows users to see the Delete option inside the context menu of the fields added to a model in the Schema builder and delete the field. Users must be able to read the schema and models to reach this screen. |
| Delete existing models | If this permission is not granted, the user cannot see the Delete option for models in the UI. |
| Delete locales | This permission allows users to delete locales in a project. If this permission is not granted, users cannot use the Delete button next to locales in Project Settings > General > Locales. |
| Delete public content views | This permission allows the user to delete custom views. If this permission is not granted, users cannot see the Delete custom view option inside the context menu at the top of the custom view screen. |
| Delete public view groups | If this permission is not granted, the user will get logged out when attempting to use the Delete button for public view groups. |
| Delete remote sources | If this permission is not granted, users cannot see the Delete option for remote sources. |
| Delete stages | If this permission is not granted, the Delete option in Project Settings > General > Content Stages will throw an error when the user clicks on it. |
| Invite a user into an existing project | If this permission is not granted, the user cannot see the Invite members button in Project Settings > Team > Members. |
| Promote an existing environment | If this permission is not granted, the user will get an error when using the Promote to master button in Project Settings > General > Environments. |
| Publish non-published entries | This permission allows users to publish entries that exist only in the DRAFT stage (entries that have been saved but never published). |
| Read audit logs | If this permission is not granted, users cannot see the Audit logs tab in Project Settings. |
| Read existing environment backups and their details | This permission allows reading existing environment backups and their details. |
| Read existing webhooks | If this permission is not granted, the user cannot see the Webhooks tab in Studio's main navigation. |
| Remove a user from an existing project | This permission grants users the ability to see the Remove option for users. |
| Restore an existing environment backup to a standard environment | This permission allows restoring an existing environment backup to a standard environment. |
| Update an existing environment | This permission grants the ability to edit environments through the API. |
| Update an existing environment backup | This permission allows updating an existing environment backup. |
| Update existing components | This permission grants users the ability to edit the information in the Settings tab of components. To reach this screen, users will need permissions to read the schema and models. If an entry is in the DRAFT stage, you can update and save it, but as soon as it's updated, if you do not have permission to update published entries, you won't be able to keep working on it. |
| Update existing enumerations | This permission grants users the ability to edit enumeration details. To reach this screen, users will need permissions to read the schema and enumerations. |
| Update existing fields | This permission allows users to see the Edit button on the field cards in models, and edit the field details. Users must be able to read the schema and models to reach this screen. If this permission is not granted, users cannot see the Edit field button, and the drag-and-drop anchor is not displayed. |
| Update existing models | This permission grants users the ability to edit the information in the Settings tab of models. To reach this screen, users will need permissions to read the schema and models. |
| Update existing non published entries | This permission allows the user to save a content entry without publishing. If this permission is disabled, the user won't see the Save button at the top-right corner of content entries and will only see the Publish button. |
| Update existing webhooks | If this permission is not granted, the user cannot see the Edit button for webhooks. |
| Update published entries | This permission grants you the ability to update published entries. If this is not selected, when an entry is published, you do not see the Save button. |
| Update stages | If this permission is not granted, the user cannot see the Content stages option in their project settings. |
| Update system content views | If this permission is not granted, the user cannot see the Update default view in the Content editor and in Assets. |
| Update existing roles | If this permission is not granted, the user can open all existing roles, but all update-related buttons will be hidden, and they will get an error when attempting to edit content permissions. |
| Update locales | This permission allows users to edit locales in a project. If this permission is not granted, when users go to Project Settings > General > Locales, they will find that the locales are read-only and are grayed out. |
| Update public content views | This permission allows the user to edit custom views. If this permission is not granted, users cannot see the Edit custom view option inside the context menu at the top of the custom view screen. |
| Update public view groups | If this permission is not granted, you cannot update view groups. |
| Update remote sources | This permission grants users the ability to edit the information in the Settings tab of remote sources. To reach this screen, users will need permissions to read the schema and remote sources. If this permission is not granted, the user can reach the Settings screen, but the Save button is hidden. |

#Permanent Auth Tokens

If you create a Permanent Auth Token and initialize default permissions, these permissions will let you create models, fields, components, and enumerations, as well as read models, fields, components, enumerations, content stages, locales, and environments.

As a result, if you need to be able to delete or update schema elements, you will have to add those permissions manually.

For instance, to work with the Management SDK, make sure that the token has the create, update, delete, and read Management API permissions for everything you may want to update in the schema. Our granular permissions allow you to grant total or partial access.
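To see which grants a token needs beyond the defaults, the following added example (not Hygraph or Management SDK code) derives the permission labels for a planned set of schema operations and compares them with the default PAT permissions listed on this page. The `[action, resource]` plan format and the function names are assumptions made for illustration.

```javascript
// Default PAT permissions, as listed in this page's "Default PAT permissions" table.
const DEFAULT_PAT_PERMISSIONS = [
  'Create new models', 'Create new fields', 'Create new components',
  'Create new enumerations', 'Create remote sources',
  'Read existing models', 'Read existing fields', 'Read existing components',
  'Read existing enumerations', 'Read remote sources', 'Read locales',
  'Read stages', 'Read existing environments',
];

const ACTIONS = new Set(['create', 'read', 'update', 'delete']);
// Resources whose labels on this page use "new" / "existing" ...
const QUALIFIED = new Set(['models', 'fields', 'components', 'enumerations']);
// ... and resources whose labels are just "<Action> <resource>".
const PLAIN = new Set(['remote sources', 'locales', 'stages']);

// Builds the permission label used on this page for one schema operation.
function permissionLabel(action, resource) {
  if (!ACTIONS.has(action)) throw new Error(`unknown action: ${action}`);
  const verb = action[0].toUpperCase() + action.slice(1);
  if (QUALIFIED.has(resource)) {
    return `${verb} ${action === 'create' ? 'new' : 'existing'} ${resource}`;
  }
  if (PLAIN.has(resource)) return `${verb} ${resource}`;
  throw new Error(`unknown resource: ${resource}`);
}

// Compares what a planned job needs with what the token currently has.
//   toAdd:  permissions the job needs that are not granted yet
//   unused: granted permissions the job never uses (review for least privilege)
function planTokenGrants(operations, granted = DEFAULT_PAT_PERMISSIONS) {
  const needed = new Set(operations.map(([a, r]) => permissionLabel(a, r)));
  const have = new Set(granted);
  return {
    toAdd: [...needed].filter((p) => !have.has(p)).sort(),
    unused: [...have].filter((p) => !needed.has(p)).sort(),
  };
}

// Constructed plan: a migration that reworks the fields of existing models.
const SAMPLE_MIGRATION = [
  ['read', 'models'], ['read', 'fields'],
  ['create', 'fields'], ['update', 'fields'], ['delete', 'fields'],
  ['update', 'models'],
];

console.log(planTokenGrants(SAMPLE_MIGRATION));
```

For the sample plan, the three update and delete permissions have to be added manually, while ten of the thirteen defaults are never used by the job.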

#Default PAT permissions

| Permission | Description |
| --- | --- |
| Create new models | This permission is necessary to create models through the API. |
| Read existing fields | This permission is necessary to access fields information through the API. |
| Read existing enumerations | This permission is necessary to access enumerations information through the API. |
| Read locales | This permission is necessary to access locales information through the API. |
| Create new fields | This permission is necessary to create fields through the API. |
| Create new components | This permission is necessary to create components through the API. |
| Read existing components | This permission is necessary to access locales information through the API. |
| Create new enumerations | This permission is necessary to create new enumerations through the API. |
| Read existing environments | This permission is necessary to access environments information through the API. |
| Read remote sources | This permission is necessary to access remote sources information through the API. |
| Read stages | This permission is necessary to access stages information through the API. |
| Create remote sources | This permission is necessary to create new remote sources through the API. |
| Read existing models | This permission is necessary to access models information through the API. |

#Additional PAT permissions

| Permission | Description |
| --- | --- |
| Assign a role to a user | This permission is necessary to assign roles to users in a project. |
| Can add app installations | This permission is necessary to install apps. |
| Can add new integrations to an existing project | This permission is necessary to install apps. |
| Can create content permissions | This permission is necessary to create content permissions. |
| Can create new permanent auth tokens | This permission is necessary to create new PATs. |
| Can delete app installations | This permission is necessary to delete apps. |
| Can delete content permissions | This permission is necessary to delete content permissions. |
| Can delete existing integrations in an existing project | This permission is necessary to delete apps. |
| Can delete existing permanent auth tokens | This permission is necessary to delete existing PATs. |
| Can read existing permanent auth tokens | This permission is necessary to access existing PATs information through the API. |
| Can read content permissions | This permission is necessary to access content permissions information through the API. |
| Can see Role & Permissions Settings | This permission is necessary to access roles & permissions information. |
| Can see schema view | View permission that allows a user to see the Schema builder. You can choose to deselect this permission to hide the schema view for roles for which it's not relevant. |
| Can see Team Member Settings | View permission that allows users to see the Members tab in Project Settings > Team. |
| Can update app installations | This permission is necessary to delete app installations. |
| Can update content permissions | This permission is necessary to update content permissions. |
| Can update existing permanent auth tokens | This permission is necessary to update PATs. |
| Can use the playground | View permission that allows users to see the API Playground in the UI. |
| Change the name, picture and description of a project | This permission is necessary to update project details. |
| Create a new environment backup | This permission allows creating a new environment backup. |
| Create locales | This permission is necessary to create project locales. |
| Create new entries | View permission that allows the user to see the + Add entry button at the top right corner of the content editor screen. |
| Create new environment | This permission is necessary to create new environments in a project. |
| Create new roles | This permission is necessary to create new roles through the API. |
| Create new webhooks | This permission is necessary to create new webhooks. |
| Create public content views | This permission is necessary to create public content views. |
| Create public view groups | This permission is necessary to create public view groups. |
| Create stages | This permission is necessary to create custom content stages. |
| Delete an existing environment | This permission is necessary to delete existing environments. |
| Delete an existing role | This permission is necessary to delete existing roles. |
| Delete an existing webhook | This permission is necessary to delete existing webhooks. |
| Delete locales | This permission is necessary to delete locales from a project. |
| Delete an existing environment backup | This permission allows deleting an existing environment backup. |
| Delete existing components | This permission is necessary to delete existing components. |
| Delete existing entries | View permission that allows the user to see the Delete option for entries in the UI. |
| Delete existing enumerations | This permission is necessary to delete existing enumerations. |
| Delete existing fields | This permission is necessary to delete existing schema fields. |
| Delete existing models | This permission is necessary to delete existing models. |
| Delete public content views | This permission is necessary to delete public content views. |
| Delete public view groups | This permission is necessary to delete public view groups. |
| Delete remote sources | This permission is necessary to delete remote sources from a project. |
| Delete stages | This permission is necessary to delete content stages in a project. |
| Invite a user into an existing project | This permission is necessary to invite new users to an existing project. |
| Promote an existing environment | This permission is necessary to promote an existing environment. |
| Publish non published entries | View permission that allows users to publish entries that exist only in the DRAFT stage (entries that have been saved but never published). |
| Read audit logs | This permission is necessary to access audit logs information. |
| Read existing entries | View permission that allows users to see the Content and Assets tabs in the UI. |
| Read existing environment backups and their details | This permission allows reading existing environment backups and their details. |
| Read existing webhooks | This permission is necessary to access information about existing webhooks. |
| Read public content views | This permission is necessary to access public content views information. |
| Read public view groups | This permission is necessary to access public view groups information through the API. |
| Remove a user from an existing project | This permission is necessary to delete users from a project. |
| Restore an existing environment backup to a standard environment | This permission allows restoring an existing environment backup to a standard environment. |
| Update an existing environment | This permission is necessary to update existing environments. |
| Update an existing environment backup | This permission allows updating an existing environment backup. |
| Update existing components | This permission is necessary to update existing components. |
| Update existing enumerations | This permission is necessary to update existing enumerations in a project schema. |
| Update existing non published entries | View permission. If an entry is in the DRAFT stage, you can update and save, but as soon as it's updated, if you do not have the permissions to update published entries, you won't be able to keep working on it. |
| Update existing fields | This permission is necessary to update existing fields in the schema. |
| Update existing models | This permission is necessary to update existing models. |
| Update existing roles | This permission is necessary to update existing roles. |
| Update existing webhooks | This permission is necessary to update existing webhooks. |
| Update locales | This permission is necessary to update project locales. |
| Update public content views | This permission is necessary to update public content views. |
| Update public view groups | This permission is necessary to update public view groups. |
| Update published entries | View permission that allows a user to see the Save button in the content creation screen. |
| Update stages | This permission is necessary to update stages. |
| Update system content views | This permission is necessary to update system content views. |
| Update remote sources | This permission is necessary to update remote sources in a project. |