
Tenant Permissions

Tenant permissions in Contember control what a role may do with other project members: invite them, view their roles and variables, and manage them. These permissions are specified under the tenant field when you define a role.

Invite Permissions (Engine 1.3+)

The invite permission controls the ability to invite other users to a project. You can use either a simple boolean value or a more advanced membership match rule object. If invite is set to true, the existing rules under manage will apply.

Example: Simple Invite Permission

export const editorRole = acl.createRole('editor', {
  tenant: {
    invite: true,
  },
});

Note: Before Engine 1.3, invite and unmanagedInvite accepted only a boolean value.

Unmanaged Invite Permissions (Engine 1.3+)

Similar to invite, the unmanagedInvite field can accept a boolean value or a membership match rule object. This permission allows you to use the unmanagedInvite mutation.

View Permissions (Engine 1.3+)

The view field enables you to specify which roles and their associated variables a user can view.

Example: View Permissions

export const editorRole = acl.createRole('editor', {
  tenant: {
    view: {
      editor: {
        variables: {
          language: true,
        },
      },
    },
  },
});

Manage Permissions

The manage field helps you specify the roles and their variables that a user can manage.

Example: Manage Permissions

export const editorRole = acl.createRole('editor', {
  tenant: {
    manage: {
      editor: {
        variables: true,
      },
    },
  },
});

Understanding membership match rules

A membership match rule is an object that lets you define more granular rules for managing memberships, roles, and variables. It comes into play when you set values for the invite, unmanagedInvite, view, and manage fields in the tenant permissions.

This rule allows you to:

  • Define which roles can be managed
  • Specify what variables within those roles can be managed

For example, if you only want to allow a user to manage the editor role and assign any value to the language variable but restrict values for the site variable, your rule would look like this:

{
  editor: {
    variables: {
      language: true,
      site: 'assignable_site',
    },
  },
}
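
To review what a rule like the one above would permit before assigning it to invite or manage, the following added sketch models rule evaluation; it is not Contember engine code, and all type and function names are hypothetical. It assumes that a string value such as 'assignable_site' names a variable of the acting user whose values bound what may be assigned, and that roles and variables not listed in the rule are denied.

```typescript
// Added illustration, not Contember engine code. Type and function names are hypothetical.
type VariableRule = true | string;
type RoleRule = { variables?: true | Record<string, VariableRule> };
type MatchRule = Record<string, RoleRule>;
type Membership = { role: string; variables: Record<string, string[]> };

// The rule from the example above, and a broad rule in the style of the manage example.
const scopedRule: MatchRule = {
  editor: { variables: { language: true, site: 'assignable_site' } },
};
const broadRule: MatchRule = { editor: { variables: true } };

// Returns null when the requested membership is allowed, otherwise the reason it is denied.
function denyReason(rule: MatchRule, actor: Membership, requested: Membership): string | null {
  const roleRule = rule[requested.role];
  if (roleRule === undefined) return `role "${requested.role}" is not listed`;
  const vars = roleRule.variables;
  if (vars === true) return null; // any variable, any value
  for (const name of Object.keys(requested.variables)) {
    // Assumption: a role rule without `variables`, or without this name, grants nothing.
    const varRule = vars === undefined ? undefined : vars[name];
    if (varRule === undefined) return `variable "${name}" is not listed`;
    if (varRule === true) continue; // any value may be assigned
    // Assumption: a string names a variable of the acting user; only its values may be assigned.
    const allowed = actor.variables[varRule] || [];
    const extra = (requested.variables[name] || []).filter(v => allowed.indexOf(v) === -1);
    if (extra.length > 0) return `${name} may not be set to ${extra.join(', ')}`;
  }
  return null;
}

// Constructed sample data: the acting editor and two memberships they might try to grant.
const actor: Membership = { role: 'editor', variables: { assignable_site: ['site-a', 'site-b'] } };
const inScope: Membership = { role: 'editor', variables: { language: ['cs'], site: ['site-a'] } };
const outOfScope: Membership = { role: 'editor', variables: { language: ['cs'], site: ['site-c'] } };

console.log(denyReason(scopedRule, actor, inScope));
console.log(denyReason(scopedRule, actor, outOfScope));
console.log(denyReason(broadRule, actor, outOfScope));
```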