Roles
Roles are named groups that users belong to. Use roles to control who can access your data and perform specific operations.
Built-in Roles
Every API includes these system roles that cannot be modified:
| Role | Description |
|---|---|
_EVERYONE | Public access — no authentication required |
_AUTHENTICATED_USER | Any logged-in user |
_CREATOR | The user who created the record |
Custom Roles
Create custom roles to match your application's permission model.
Creating a Role
- Sign in to the Developer Portal
- Navigate to your API
- Go to Users & Roles → Roles
- Click Create Role
- Enter a role name (e.g., "editor", "viewer", "moderator")
Managing Members
Add users to a role:
- Open the role details
- Go to the Members tab
- Click Add Members
- Select users to add
Remove users from a role:
- Open the role details
- Go to the Members tab
- Click the delete icon next to the user
Role Assignment
Users can have roles at two levels:
Global Roles
Assigned at the API level. Global roles apply across all collections and views.
Use cases:
- Admin users who need full access
- Moderators who need broad permissions
- Service accounts with specific capabilities
Local Roles
Assigned within specific collections through data relationships. Local roles provide row-level access based on user data.
Use cases:
- Project members who can only access their assigned projects
- Team leads who can manage their team's data
- Users who can only access their own records
Role Priority
When evaluating access:
- Global roles are checked first
- If no global role grants access, local roles are checked
- Access is granted if any matching role permits the operation
Best Practices
- Start restrictive — Begin with minimal permissions and add as needed
- Use descriptive names — "content_editor" is clearer than "role1"
- Prefer roles over individual access — Easier to maintain
- Document your roles — Keep track of what each role is meant for