Permissions

Define the actions your application supports, and let Canopy enforce access to them.

Overview

Permissions define the actions identities can perform in your application. In Canopy, permissions are simple keys written as resource.action, such as invoice.read or invoice.approve. Each Environment in your Application keeps its own permission catalog — you define the keys that match your product, then group them into roles and assign those roles to identities. Permissions are the foundation of access control: every role is just a bundle of permissions, and every authorization decision ultimately resolves to whether the identity holds the permission you're checking.

Scope

Permissions are scoped to an Environment

When you create a permission, you're creating it in the active Environment — the one selected on the Tenant › Applications page. Two Environments in the same Application keep fully independent permission catalogs.

A permission added in Development does not exist in Production until you explicitly promote it

Renaming or removing a permission only affects the Environment you're working in

Every role and assignment is wired to its Environment's permissions, not its siblings'

Use the Promote, Export, and Import actions on the Environment card to move permissions between Environments alongside the rest of the configuration.

View the Environments reference →

Naming Permissions

Key idea

A good way to name permissions is to map the resource to something your application already understands, such as a database table, API resource, or product feature.

For example, if your application has an invoices table or /invoices API, you might define:

invoice.read
invoice.create
invoice.update

However, permissions can also represent higher-level features:

dashboard.view
reports.export
billing.manage

How Permissions Are Used

Permissions define what actions are possible, but they do not grant access on their own. To grant access, permissions are grouped into roles, and roles are assigned to identities.
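
The model described above (per-Environment catalogs, roles as bundles of permissions, checks that resolve to a held permission) can be sketched as a small in-memory example. This is an added illustration, not Canopy's SDK or API: the Environment class, its methods, the key pattern, the deny-by-default rule, and the identity and role names are all assumptions constructed for the example.

```python
import re

# Assumed key shape: lowercase resource, a dot, lowercase action (e.g. invoice.read).
KEY_RE = re.compile(r"^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$")

class Environment:
    """Hypothetical in-memory model of one Environment's catalog, roles and assignments."""

    def __init__(self, name):
        self.name = name
        self.catalog = set()      # permission keys defined in this Environment
        self.roles = {}           # role name -> set of permission keys
        self.assignments = {}     # identity -> set of role names

    def define(self, key):
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"not a resource.action key: {key!r}")
        self.catalog.add(key)

    def add_role(self, role, keys):
        missing = set(keys) - self.catalog
        if missing:  # a role can only bundle keys from its own Environment's catalog
            raise KeyError(f"{self.name}: undefined permissions {sorted(missing)}")
        self.roles[role] = set(keys)

    def assign(self, identity, role):
        if role not in self.roles:
            raise KeyError(f"{self.name}: unknown role {role!r}")
        self.assignments.setdefault(identity, set()).add(role)

    def can(self, identity, key):
        # Assumed deny by default: the key must exist here and be held through a role.
        if key not in self.catalog:
            return False
        return any(key in self.roles[r] for r in self.assignments.get(identity, ()))

def build_sample():
    # Constructed sample data: identity "alice", roles "clerk" and "approver".
    dev, prod = Environment("Development"), Environment("Production")
    for env in (dev, prod):
        for key in ("invoice.read", "invoice.create", "invoice.update"):
            env.define(key)
        env.add_role("clerk", ["invoice.read", "invoice.create"])
        env.assign("alice", "clerk")
    dev.define("invoice.approve")             # added in Development only, not promoted
    dev.add_role("approver", ["invoice.approve"])
    dev.assign("alice", "approver")
    return dev, prod
```

In this sketch invoice.update is defined in Production but bundled into no role, so the check for it fails, and invoice.approve fails in Production because it was never promoted there.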