

Permissions Blueprint

A Permissions Blueprint is a schema representation of your permission model. It defines resource types, roles, and actions.

Resource Type

A type of resource that needs to be protected - typically this is a table name or section of your platform.

Resource {
    Name:       String,
    Actions:    []String,
    Attributes: []String,
}

Vista allows defining attributes on Resource Types - think of these as columns on a table. There are 2 types of attributes:

  • scalar (string, number, etc)
  • relationship (foreign-key that refers to another Resource Type)

Resource ID

An instance of a resource in your application - also known as Resource ID.


Role

A role is a grouping of permissions that can be granted to users/usersets for particular object(s). A role consists of a list of action-resourceType pairs, which describe the actions that can be taken on the specified Resource Type - notice this does not specify which object ID!

When a user/userset is granted a role, you also specify a target resourceID. This applies the previously specified action-resourceType pair as a grant for the target user/userset and resourceID. Roles can be inherited, where a child role inherits permissions from the parent.

Role {
    ID: String,
    InheritsFrom: []String,
    Grants: []{
        Action: String,
        Resource: String,
        Attribute: String | null,
    },
}


Userset

A group of users that can have permission grants. Usersets can also inherit from each other.

Userset {
    ID: String,
    Users: []String,
    InheritsFrom: []String,
}


User

An instance of an end user. You can add a user to a userset (and inherit the permissions applied to that userset), or grant permissions directly to a user.

User {
    ID: String,
}


Rule

A condition that enables permissions based on a set of preconditions. For example, we can use rules to define "users that have read access to a folder have read access to the child documents".

Rule {
    Pre: {
        Action: String,
        ResourceType: String,
        Attribute: String | null,
    },
    Post: {
        Action: String,
        ResourceType: String,
        Attribute: String | null,
    },
}
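To show how roles, usersets and rules combine into one access decision, here is an added example: a toy in-memory evaluator that is not Vista's API or engine. All names and data are constructed, and it assumes that InheritsFrom means receiving the listed parents' grants and that a rule links resource types through a "parent" relationship attribute.

```python
# Added illustration: a toy in-memory evaluator, not Vista's API or engine.
ROLES = {  # Role {ID, InheritsFrom, Grants}
    "viewer": {"inherits": [], "grants": [("read", "folder")]},
    "editor": {"inherits": ["viewer"], "grants": [("write", "folder")]},
}
USERSETS = {  # Userset {ID, Users, InheritsFrom}
    "staff": {"users": ["bob"], "inherits": []},
    "eng": {"users": ["alice"], "inherits": ["staff"]},
}
# Role assignments: (subject, role ID, target resource ID). Constructed data.
ASSIGNMENTS = [("userset:eng", "editor", "folder:f1"),
               ("userset:staff", "viewer", "folder:f2")]
# Values of the assumed "parent" relationship attribute: document -> folder.
PARENT = {"document:d1": "folder:f1", "document:d2": "folder:f2"}
# Rule {Pre, Post}: read on a folder implies read on its child documents.
RULES = [{"pre": ("read", "folder"), "post": ("read", "document")}]

def closure(table, start):
    """All IDs reachable from start via InheritsFrom; tolerates cycles."""
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        if cur not in seen and cur in table:
            seen.add(cur)
            stack.extend(table[cur]["inherits"])
    return seen

def subjects(user):
    """The user plus every userset whose grants the user receives."""
    out = {f"user:{user}"}
    for us_id, us in USERSETS.items():
        if user in us["users"]:
            out |= {f"userset:{u}" for u in closure(USERSETS, us_id)}
    return out

def check(user, action, resource_id):
    rtype = resource_id.split(":")[0]
    for subject, role, target in ASSIGNMENTS:
        # A grant only applies to the resource ID named in the assignment.
        if subject in subjects(user) and target == resource_id:
            if any((action, rtype) in ROLES[r]["grants"] for r in closure(ROLES, role)):
                return True
    parent = PARENT.get(resource_id)  # related resource, if any
    for rule in RULES:
        pre_action, pre_type = rule["pre"]
        if parent and rule["post"] == (action, rtype) and parent.startswith(pre_type + ":"):
            if check(user, pre_action, parent):  # Pre must hold on the parent
                return True
    return False  # default deny
```

The rule only derives the exact Post action, so write access on a folder does not become write access on its documents.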


Branches

Branches add version control to your permissions and represent the state of your blueprint - this includes all Resource Types, Roles, as well as relationships between resource objects. Branches enable you to roll out changes to your permissions blueprint in an iterative way - read the Version Control Guide for more info.