# Zucms

# Access Policies

Access policies are named sets of permissions that control what a user or API key can do inside an organization. They operate independently of the member role system and cover content, models, files, and the API.

## The Administrator policy

Every organization has a built-in **Administrator** policy. It grants full access to everything and cannot be modified or deleted. Assign it to trusted users who need complete control over content and models.

## Permission categories

### Tenant permissions

Control access to organization-level management.

| Key | What it allows |
|---|---|
| `tenant.settings.manage` | Update organization name, logo, and settings |
| `billing.manage` | Change plans and payment methods |
| `billing.view` | View billing details |
| `users.manage` | Update user roles |
| `users.invite` | Invite new members |
| `users.remove` | Remove members |
| `accessPolicies.manage` | Create, update, and delete access policies |
| `auditLog.view` | View the audit log |

### Model Builder permissions

| Key | What it allows |
|---|---|
| `modelBuilder.access` | Open the Model Builder |
| `modelBuilder.createModels` | Create new models |
| `modelBuilder.editModels` | Edit model settings |
| `modelBuilder.deleteModels` | Delete models |
| `modelBuilder.createFields` | Add fields to models |
| `modelBuilder.editFields` | Edit existing fields |
| `modelBuilder.deleteFields` | Remove fields |
| `modelBuilder.runAssistedMigrations` | Apply data type migration assistants |

### Files permissions

| Key | What it allows |
|---|---|
| `files.view` | Browse the file manager |
| `files.upload` | Upload new files |
| `files.replace` | Replace an existing file |
| `files.delete` | Delete files |

### API permissions

| Key | What it allows |
|---|---|
| `api.use` | Make requests to the REST API |
| `api.docs.read` | Access the OpenAPI docs |
| `apiKeys.create` | Create new API keys |
| `apiKeys.manage` | Revoke and manage API keys |

### Model permissions

These are set **per model** and control entry operations.

| Key | What it allows |
|---|---|
| `model.view` | See the model in the sidebar |
| `entry.create` | Create new entries |
| `entry.read` | Read entry data |
| `entry.update` | Edit existing entries |
| `entry.delete` | Delete entries |
| `entry.duplicate` | Duplicate entries |
| `entry.bulk` | Perform bulk operations |
| `entry.export` | Export entries as CSV |

### Field permissions

These are set **per field** and override the model-level read/write access.

| Key | What it allows |
|---|---|
| `field.read` | Read the field value |
| `field.write` | Write the field value |
| `field.hideInUi` | Hide the field in the editor UI |
| `field.hideInApi` | Exclude the field from API responses |
| `field.readonly` | Show the field in the UI but prevent edits |

## Creating a policy

1. Go to **Organization Settings → Access Policies**.
2. Click **New Policy**.
3. Enter a name.
4. Enable the permissions you want to grant.
5. For model and field permissions, expand the model section and configure per-model and per-field access.
6. Save.

## Assigning a policy

Policies can be assigned to:
- **Users** — on the member's row in **Organization → Members**.
- **API keys** — when creating or editing a key in **Organization Settings → API Keys**.

A user or API key without any policy assigned has no content access beyond what their role provides.
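
A review check to run over a policy before assigning it, as an added example that is not part of the Zucms documentation or SDK: it flags misspelled keys, administrative keys on an API-key policy, field grants wider than the model grant, and fields hidden only in the UI. The policy object shape (`target`, `global`, `models`, `fields`), the `lintPolicy` function and the `ADMIN_KEYS` grouping are assumptions; only the permission key names come from the tables on this page.

```javascript
// Added example, not Zucms code. Key names: tables above. Policy shape: hypothetical.
const words = (s) => new Set(s.split(" "));
const GLOBAL_KEYS = words("tenant.settings.manage billing.manage billing.view " +
  "users.manage users.invite users.remove accessPolicies.manage auditLog.view " +
  "modelBuilder.access modelBuilder.createModels modelBuilder.editModels " +
  "modelBuilder.deleteModels modelBuilder.createFields modelBuilder.editFields " +
  "modelBuilder.deleteFields modelBuilder.runAssistedMigrations files.view " +
  "files.upload files.replace files.delete api.use api.docs.read apiKeys.create " +
  "apiKeys.manage");
const MODEL_KEYS = words("model.view entry.create entry.read entry.update " +
  "entry.delete entry.duplicate entry.bulk entry.export");
const FIELD_KEYS = words("field.read field.write field.hideInUi field.hideInApi field.readonly");
// Keys that change who can do what: a reviewer's grouping, not a Zucms one.
const ADMIN_KEYS = words("tenant.settings.manage billing.manage users.manage " +
  "users.invite users.remove accessPolicies.manage apiKeys.create apiKeys.manage");

function lintPolicy(policy) {
  const findings = [];
  const add = (rule, where, key) => findings.push({ rule, where, key });
  for (const key of policy.global || []) {
    if (!GLOBAL_KEYS.has(key)) add("unknown-key", "global", key);
    else if (policy.target === "apiKey" && ADMIN_KEYS.has(key))
      add("admin-key-on-api-key", "global", key);
  }
  for (const [model, def] of Object.entries(policy.models || {})) {
    const modelKeys = new Set(def.keys || []);
    for (const key of modelKeys)
      if (!MODEL_KEYS.has(key)) add("unknown-key", model, key);
    for (const [field, keys] of Object.entries(def.fields || {})) {
      const f = new Set(keys), where = `${model}.${field}`;
      for (const key of f) if (!FIELD_KEYS.has(key)) add("unknown-key", where, key);
      // Field permissions override model-level read/write, so flag field grants
      // wider than the model grant (entry.update as "write" is an assumption).
      if (f.has("field.read") && !modelKeys.has("entry.read"))
        add("field-wider-than-model", where, "field.read");
      if (f.has("field.write") && !modelKeys.has("entry.update"))
        add("field-wider-than-model", where, "field.write");
      // hideInUi alone does not exclude the field from API responses.
      if (f.has("field.hideInUi") && !f.has("field.hideInApi"))
        add("hidden-in-ui-only", where, "field.hideInUi");
    }
  }
  return findings;
}
// Constructed sample: a policy meant for a website's read-only API key.
const samplePolicy = { name: "website-read", target: "apiKey",
  global: ["api.use", "apiKeys.create", "files.veiw"],
  models: { customer: { keys: ["model.view", "entry.read"],
    fields: { email: ["field.read", "field.hideInUi"], notes: ["field.write"] } } } };
console.log(lintPolicy(samplePolicy));
```

Each finding is a prompt for a human reviewer, not a verdict: whether a flagged grant is acceptable depends on what the user or API key is for.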
