Skip to content

Policies

Policies control access to records in a Resource.

They answer questions like: Which customers can this user see? Can this person update invoices? Should this role see every field, or only a safe subset?

Policies are different from Roles and Permissions. Roles and Permissions describe what someone is allowed to do across the app. Policies describe which records and fields they can access inside one Resource.

Where Policies Live

Policies are configured from the Security area of a Resource.

Use them when access depends on the data itself. For example, a sales rep might be allowed to view Customers, but only the customer records assigned to them.

Use case Policy example
Account ownership Customers can only see records connected to their own account.
Team assignment Sales reps can only update customers assigned to them.
Sensitive finance data Support users can view invoices but cannot edit payment fields.
Education portals Teachers can only see students enrolled in their classes.
Public data Visitors can view published records without logging in.

Access Levels

Every Policy has an access level.

Access level What it means
Protected The policy applies to authenticated users from a selected authenticatable Resource.
Public The policy can apply without a logged-in user.

Protected policies are the most common. They are used when a record belongs to a user, employee, student, customer, partner, or another kind of logged-in person.

Public policies are useful for published content, public directories, intake forms, and other experiences that should be available before login.

Scopes

Scopes define which actions the Policy grants.

Scope group Actions Example
Read List records, view one record, count records, aggregate records. A customer can view their own tickets.
Write Create, update, validate, or bulk-create records. A student can update their profile.
Delete Delete or restore records. A manager can archive tasks in their department.
All access Grant every supported action. System administrators can manage all customer records.

Use the narrowest scope that matches the job. A user who only needs to view invoices should not also receive update access.

Data Tasks and Required Scopes

When a workflow uses Data tasks, the Resource Policy must grant the matching scope for the Resource being used.

Data task What it does Required Policy scope
Create record Creates one record. Store
Create many records Creates multiple records. Store many
Find record Loads one record. Show
Search records Lists or searches records. Index
Count records Counts matching records. Count
Aggregate metrics Calculates totals, averages, or grouped metrics. Aggregate
Validate record Checks record values against the Resource schema. Validate
Update record Changes an existing record. Update
Update or create record Updates a matching record or creates a new one. Update or Store
Delete record Deletes one record. Destroy
Attach, detach, or sync relation Changes a relationship on a record. Update

If a workflow might create or update depending on what it finds, give it both Store and Update access, or use an All Access policy for trusted admin workflows.

Bulk delete workflows first search for the records that match the workflow criteria. Make sure the user can access the records being selected, and use normal delete flows when you need stricter per-record delete controls.

Filters

Filters decide when a Policy applies and which records it grants.

Filter Evaluated against Purpose
Authenticatable filter The signed-in user's record. Decide whether this Policy applies to this user.
Record filter The Resource record being accessed. Decide which records this user can access.

For example, a Customer policy might use the signed-in customer's record as the authenticatable, then only allow records where customer_id matches that user's account.

A Sales policy might apply only to users whose department is Sales, then allow customer records where the owner is the signed-in user.

Field Visibility

Policies can also control which fields are visible.

That means two people can access the same record but see different information.

User type Visible fields
Customer Invoice number, due date, total, payment status.
Support agent Invoice number, status, customer name, notes.
Finance user Invoice number, customer, total, payment status, refunds, internal adjustments.

Field visibility can be unconditional or conditional. Conditional visibility is useful when a field should only appear when a rule matches, such as showing approval notes only after a request has been reviewed.

How Policies Combine

Policies grant access. They do not subtract access from each other.

If more than one Policy matches, Diagonal combines what they grant:

Policy set Result
One policy grants access to assigned records. The user can access assigned records.
Another policy grants access to records in the user's region. The user can access assigned records or regional records.
One matching policy allows all fields. The user can see all fields for records that policy grants.
Multiple matching policies list specific fields. The visible fields are combined.

Be careful with broad policies

If a matching Policy has no record filter, it can grant access to all records for the selected scope. Use clear filters for sensitive Resources.

Common Patterns

Pattern How to model it
Users see their own records Protected policy with a record filter matching the signed-in user's record.
Managers see team records Protected policy with an authenticatable filter for managers and a record filter for their team.
Admins see everything Protected policy for administrators with broad scopes and no record filter.
Public content Public policy with read scopes and a record filter like published status.
Field-level privacy Policy field visibility that hides sensitive fields from non-privileged users.

Policies Versus Page Security

Policies protect Resource data. Page and workflow security protects access to experiences and actions.

Use both together:

Layer Controls
Page security Who can open a page.
Workflow security Who can run a workflow or workflow step.
Resource policies Which records and fields a user can access.

For sensitive apps, do not rely on page visibility alone. Add Policies to the Resources that contain sensitive data.