Fine-Grained Permissions

Most permission systems ask: what can this role do with this object type? Fine-grained permissions ask a more precise set of questions.

Field-Level Visibility

Some fields should only be visible to certain roles. Salary information visible only to HR. Cost data visible only to finance managers. Internal notes visible only to internal users, not to external collaborators with limited portal access.

Field-level visibility is now configurable per object type, per field, per role. A field can be fully visible, read-only, or completely hidden depending on who's viewing it. The hiding is enforced at the data layer — hidden fields don't appear in API responses either, not just in the UI.

Field-Level Edit Control

Separately from visibility, you can control which fields can be edited by which roles. A manager can see a field that a standard user can edit — or vice versa. A field can be editable only by the record's assigned owner. These are independent axes: who sees, who edits.

Record-Level Filters

Users can now be restricted to seeing only records that meet certain conditions based on their own attributes. A regional manager sees only records in their region. A team lead sees only records assigned to their team. The filter is applied automatically — users don't see a filtered view, they see their view.

This is different from a manually applied filter, which users can remove. Record-level filters based on permissions are enforced; users see what they're allowed to see regardless of how they navigate.

Configuration Without Code

All of these permission dimensions are defined in your workspace configuration. Change a permission policy and it takes effect immediately. No deployment, no engineering work.

Permission systems should reflect actual business policies. Fine-grained permissions give you the tools to achieve that.