Cell-level permissions

Privy offers cell-level permissions to let you configure exactly who can access any piece of data via a concept called "access groups". Access groups combine with roles to offer granular permissioning on each cell, i.e. the ability to set custom permissions on a particular user's field, separate from the default read and write permissions for that field.

Access groups describe the mapping of roles to reader and writer permissions, and can be assigned to a particular user's field (i.e. cell) as described below under User permissioning.

Default Access Groups

Access groups are an advanced concept and are transparent to the user by default, but they underlie the default permissioning flow described in the Permissions section. Namely, when reader and writer roles are set on a field, an access group is created and assigned as the default access group for that field. This default_access_group is part of the Field interface.

You can use the privy-node client to create and change the default access group for a field via createAccessGroup and updateField:

import {PrivyClient} from '@privy-io/privy-node';

const PRIVY_API_KEY = '<copied from Privy Console>';
const PRIVY_API_SECRET = '<copied from Privy Console>';

const client = new PrivyClient(PRIVY_API_KEY, PRIVY_API_SECRET);

// Create an access group that maps roles to read and write permissions.
const accessGroup = await client.createAccessGroup({
  name: 'custom-access-group',
  write_roles: ['self'],
  read_roles: ['self', 'admin'],
});

// Make it the default access group for the field.
await client.updateField('example-field', {
  default_access_group: accessGroup.access_group_id,
});

User permissioning

Aside from setting the default access group on a given field, you can further set cell-level permissions via updateUserPermissions:

import {PrivyClient} from '@privy-io/privy-node';

const PRIVY_API_KEY = '<copied from Privy Console>';
const PRIVY_API_SECRET = '<copied from Privy Console>';

const client = new PrivyClient(PRIVY_API_KEY, PRIVY_API_SECRET);
const userId = '0x123';

// A different custom access group.
const publicReadAccessGroup = await client.createAccessGroup({
  name: 'custom-access-group',
  write_roles: ['self', 'admin'],
  read_roles: ['public'],
});

// Assign the group to this user's cell for 'example-field',
// separate from the field's default access group.
await client.updateUserPermissions(userId, [
  {
    field_id: 'example-field',
    access_group: publicReadAccessGroup.access_group_id,
  },
]);
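
The following is an added example, not Privy's code and not part of privy-node: a local model of how a field's default access group and a cell-level access group combine, plus a review helper that lists cells readable by the `public` role. It assumes that a cell-level group takes precedence over the field default, that `public` matches every requester, and that `self` matches only the user who owns the cell; the group ids, data shapes and function names are hypothetical.

```javascript
// Local model only: no calls to Privy. All ids, names and shapes are hypothetical.
// Constructed sample data mirroring the two snippets on this page.
const accessGroups = {
  'ag-default': {read_roles: ['self', 'admin'], write_roles: ['self']},
  'ag-public': {read_roles: ['public'], write_roles: ['self', 'admin']},
};
const fieldDefaults = {'example-field': 'ag-default'};
const cellOverrides = {'0x123': {'example-field': 'ag-public'}};

// Assumption: a cell-level access group, when set, replaces the field default.
function effectiveAccessGroupId(userId, fieldId) {
  const override = cellOverrides[userId] && cellOverrides[userId][fieldId];
  return override || fieldDefaults[fieldId];
}

// Assumption: 'public' matches everyone; 'self' matches only the cell's owner.
function requesterRoles(requester, ownerId) {
  const roles = new Set(['public', ...(requester.roles || [])]);
  if (requester.userId === ownerId) roles.add('self');
  return roles;
}

function canAccess(requester, ownerId, fieldId, action) {
  const group = accessGroups[effectiveAccessGroupId(ownerId, fieldId)];
  if (!group) return false; // fail closed when no access group resolves
  const allowed = action === 'write' ? group.write_roles : group.read_roles;
  const held = requesterRoles(requester, ownerId);
  return allowed.some((role) => held.has(role));
}

// Review helper: cells whose effective access group lets 'public' read them.
function publiclyReadableCells(userIds, fieldIds) {
  const hits = [];
  for (const userId of userIds) {
    for (const fieldId of fieldIds) {
      const group = accessGroups[effectiveAccessGroupId(userId, fieldId)];
      if (group && group.read_roles.includes('public')) {
        hits.push(`${userId}/${fieldId}`);
      }
    }
  }
  return hits;
}

const stranger = {userId: '0x999', roles: []};
console.log(canAccess(stranger, '0x123', 'example-field', 'read'));
console.log(canAccess(stranger, '0x456', 'example-field', 'read'));
console.log(publiclyReadableCells(['0x123', '0x456'], ['example-field']));
```

Only the cell of user 0x123 is reported, because the field default still restricts reads for every other user.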