docs/docs/guides/core-concepts/permissions/index.mdx
Permissions are the atomic units of authorization in Vendure. Every API operation is guarded by one or more permissions, and an administrator can only perform an operation if their assigned Roles include the required permission.
Most entities in Vendure are protected by a standard set of four permissions following the Create / Read / Update / Delete pattern. For example, the Product entity is guarded by:
CreateCatalogReadCatalogUpdateCatalogDeleteCatalogThese CRUD permissions are grouped by domain rather than by individual entity. The Catalog
domain covers Products, ProductVariants, Collections, Facets, and Assets — so a role with
ReadCatalog can read all of those entities.
Vendure ships with permissions organized into the following domains:
Each domain has the full set of CRUD permissions, giving fine-grained control over what each role can access.
In addition to the CRUD permissions, Vendure defines several special permissions:
Vendure follows a deny-by-default authorization model. If an API operation does not have an
explicit @Allow() decorator granting access via a specific permission, it is inaccessible. This
ensures that new API operations are secure by default and permissions must be intentionally granted.
Plugins can define their own permissions using the PermissionDefinition class. This is useful
when a plugin introduces new functionality that needs its own authorization controls — for example,
a reporting plugin might define ReadReports and ManageReports permissions.
Custom permissions appear alongside the built-in permissions when defining roles, allowing administrators to control access to plugin functionality in the same way they control access to core features.