Groups as permission scopes
Every CoValue has an owner, which can be a Group or an Account.
You can use a Group to grant access to a CoValue to multiple users. These users can
have different roles, such as "writer", "reader" or "admin".
CoValues owned by an Account can only be accessed by that Account: no additional collaborators can be added, and ownership cannot be transferred to another Account. This makes Account ownership very rigid, so it is only appropriate for data that must never be shared.
Creating a Group for every new CoValue is a best practice, even if the Group only has a single user in it (this is the default behavior when creating a CoValue with no explicit owner).
While creating CoValues with Accounts as owners is still technically possible for backwards compatibility, it will be removed in a future release.
Role Matrix
| Role | admin | manager | writer | writeOnly | reader |
|---|---|---|---|---|---|
| Summary | Full control | Delegated management | Standard writer | Blind submissions | Viewer |
| Can add admins* | ✅ | ❌ | ❌ | ❌ | ❌ |
| Can add/remove managers | ✅ | ❌ | ❌ | ❌ | ❌ |
| Can add/remove readers and writers | ✅ | ✅ | ❌ | ❌ | ❌ |
| Can write | ✅ | ✅ | ✅ | ✅** | ❌ |
| Can read | ✅ | ✅ | ✅ | ❌*** | ✅ |
* admin users cannot be removed by anyone else, they must leave the group themselves.
** writeOnly users can only create and edit their own updates/submissions.
*** writeOnly cannot read updates from other users.
Creating a Group
Here's how you can create a Group.
```ts
import { Group } from "jazz-tools";

const group = Group.create();
```
The Group itself is a CoValue, and whoever owns it is the initial admin.
You typically add members using public sharing or invites. But if you already know their ID, you can add them directly (see below).
Adding group members by ID
You can add group members by ID by using co.account().load and Group.addMember.
```ts
import { co } from "jazz-tools";

const bob = await co.account().load(bobsId);
if (bob.$isLoaded) {
  group.addMember(bob, "writer");
}
```
Changing a member's role
To change a member's role, call addMember again with the new role; the new role replaces the existing one.
```ts
if (bob.$isLoaded) {
  group.addMember(bob, "reader");
}
```
Bob just went from a writer to a reader.
Note: only admins and managers can change a member's role, and managers cannot grant or revoke the manager or admin roles (see the role matrix).
Removing a member
To remove a member, use the removeMember method.
```ts
if (bob.$isLoaded) {
  group.removeMember(bob);
}
```
Rules:
- All roles can remove themselves
- Admins can remove all roles (except other admins)
- Managers can remove users with less privileged roles (writer, writeOnly, reader)
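The role matrix and the removal rules above, encoded as a plain-TypeScript policy model. This is an added example, not jazz-tools code and not how Jazz enforces permissions internally; Jazz enforces these rules itself, and a model like this is only useful as a pre-flight check in UI code (for example, to hide actions the current account cannot perform) or as a test oracle. The type `Role` and the functions `canAssignRole`, `canChangeRole`, `canRemove`, `canWrite`, `canReadUpdate` and `assignableRoles` are hypothetical names; the rule that an admin cannot be demoted by another admin is an assumption extrapolated from the footnote that admins cannot be removed by anyone else.

```typescript
// Added example: a plain-TypeScript model of this page's role matrix and
// removal rules. It is not jazz-tools code; Jazz enforces these rules itself.
// Useful as a pre-flight check in UI code or as a test oracle.

type Role = "admin" | "manager" | "writer" | "writeOnly" | "reader";

// Roles an actor may grant, from the "Can add ..." rows of the matrix.
const GRANTABLE: Record<Role, readonly Role[]> = {
  admin: ["admin", "manager", "writer", "writeOnly", "reader"],
  manager: ["writer", "writeOnly", "reader"],
  writer: [],
  writeOnly: [],
  reader: [],
};

// Roles an actor may revoke from someone else. Admins can only leave on
// their own, so nobody's list contains "admin".
const REVOCABLE: Record<Role, readonly Role[]> = {
  admin: ["manager", "writer", "writeOnly", "reader"],
  manager: ["writer", "writeOnly", "reader"],
  writer: [],
  writeOnly: [],
  reader: [],
};

function canAssignRole(actor: Role, newRole: Role): boolean {
  return GRANTABLE[actor].includes(newRole);
}

// A role change is addMember with a new role, so the actor must be able to
// revoke the current role and grant the new one. Assumption: an admin cannot
// be demoted by another admin, mirroring the "cannot be removed" footnote.
function canChangeRole(actor: Role, current: Role, next: Role): boolean {
  return REVOCABLE[actor].includes(current) && canAssignRole(actor, next);
}

// Removal rules: everyone may leave; otherwise the target must be revocable
// by the actor (admins remove everything but admins, managers only lower roles).
function canRemove(actor: Role, target: Role, isSelf: boolean): boolean {
  if (isSelf) return true;
  return REVOCABLE[actor].includes(target);
}

// Read/write columns. writeOnly is the edge case: it may create and edit its
// own updates but cannot read other members' updates (footnotes ** and ***).
function canWrite(role: Role): boolean {
  return role !== "reader";
}

function canReadUpdate(role: Role, authoredBySelf: boolean): boolean {
  return role === "writeOnly" ? authoredBySelf : true;
}

// Roles to offer in a "change role" menu for one member, given who is asking.
function assignableRoles(actor: Role, current: Role): Role[] {
  const all: Role[] = ["admin", "manager", "writer", "writeOnly", "reader"];
  return all.filter((r) => r !== current && canChangeRole(actor, current, r));
}
```

Treat the model as a convenience only: the authoritative decision is made by Jazz when the addMember or removeMember call is applied, so a UI that skips the pre-check is not insecure, just less helpful.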
Getting the Group of an existing CoValue
You can get the Group of an existing CoValue from coValue.$jazz.owner, and reuse it as the owner of new CoValues so they share the same members and roles.
```ts
const owningGroup = existingCoValue.$jazz.owner;

// Reuse the same Group so the new value has exactly the same members and roles
const newValue = MyCoMap.create({ color: "red" }, { owner: owningGroup });
```
Checking the permissions
You can check the permissions of an account on a CoValue by using the canRead, canWrite, canManage and canAdmin methods.
```ts
const red = MyCoMap.create({ color: "red" });

const me = co.account().getMe();
if (me.canAdmin(red)) {
  console.log("I can add users of any role");
} else if (me.canManage(red)) {
  console.log("I can share value with others");
} else if (me.canWrite(red)) {
  console.log("I can edit value");
} else if (me.canRead(red)) {
  console.log("I can view value");
} else {
  console.log("I cannot access value");
}
```
To check the permissions of another account, you need to load it first:
```ts
const blue = MyCoMap.create({ color: "blue" });

const alice = await co.account().load(alicesId);
if (alice.$isLoaded) {
  if (alice.canAdmin(blue)) {
    console.log("Alice can add users of any role");
  } else if (alice.canManage(blue)) {
    console.log("Alice can share value with others");
  } else if (alice.canWrite(blue)) {
    console.log("Alice can edit value");
  } else if (alice.canRead(blue)) {
    console.log("Alice can view value");
  } else {
    console.log("Alice cannot access value");
  }
}
```