obsidian/wiki/tech-patterns/payload-cms-globals-access-control.md
2026-05-15 15:13:56 +01:00

title: Payload CMS — Globals Access Control
aliases: payload-globals-access, payload-cms-globals-permissions
tags: payload-cms, access-control, globals, cms, typescript, nextjs
sources: raw/access-control__globals.md
created: 2026-05-15
updated: 2026-05-15

Payload CMS — Globals Access Control

Global-level access control in Payload CMS restricts who can read or update Global documents and what they see in the Admin Panel.

See also: wiki/tech-patterns/payload-cms-collection-access-control, wiki/tech-patterns/payload-cms-field-access-control, wiki/tech-patterns/payload-cms-installation.

Config Location

Access is defined in the access property of a GlobalConfig:

import type { GlobalConfig } from 'payload'

export const Header: GlobalConfig = {
  slug: 'header',
  access: {
    read:         ({ req: { user } }) => Boolean(user),
    update:       ({ req: { user }, data }) => Boolean(user),
    readVersions: ({ req: { user } }) => Boolean(user), // versions only
  },
}

Available Functions

Function      Operation             Args
read          findOne               req
update        update                req, data
readVersions  version history read  req
  • readVersions is only available when versions: true is set on the Global.
  • All functions receive req containing the authenticated user.
  • update additionally receives data — the incoming payload.

Return Values

  • boolean — allow or deny outright.
  • Query constraint — limit access based on document properties (row-level).
    • For readVersions: the constraint applies to the versions collection, not the original Global document.

Patterns

Authenticated-only read

read: ({ req: { user } }) => Boolean(user)

Role-based update

update: ({ req: { user } }) => user?.role === 'admin'

Public read, authenticated update

access: {
  read:   () => true,
  update: ({ req: { user } }) => Boolean(user),
}
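
Mixed boolean and query-constraint returns (added example, not taken from the source page or from Payload's own code): a readVersions function that denies anonymous users, allows admins, and constrains everyone else, with a small evaluator showing why the constraint has to be rooted at the version document. The local types, the role field, the version._status path (which assumes drafts are enabled), the evaluator and the sample documents are assumptions made so the block runs without the payload package.

```typescript
// Local stand-ins for Payload's types so the example runs without the payload package.
type User = { id: string; role?: string } | null
type Where = Record<string, { equals: unknown }>
type Access = (args: { req: { user: User }; data?: unknown }) => boolean | Where
// Assumed shape of a stored version: the Global's fields are nested under `version`.
type VersionDoc = { id: string; version: { _status: 'draft' | 'published' } }

const isAdmin = (user: User): boolean => user?.role === 'admin'

const headerAccess: Record<'read' | 'update' | 'readVersions', Access> = {
  read: () => true, // public read
  update: ({ req: { user } }) => isAdmin(user), // deny unless admin
  readVersions: ({ req: { user } }) => {
    if (!user) return false // anonymous: no history
    if (isAdmin(user)) return true // admin: full history
    // Everyone else: published versions only. Path is rooted at the version document.
    return { 'version._status': { equals: 'published' } }
  },
}

// Constraint rooted at the Global itself: matches nothing in the versions collection.
const misrooted: Where = { _status: { equals: 'published' } }

// Minimal evaluator for `equals` on dotted paths (illustration only, not Payload's query engine).
const getPath = (doc: unknown, path: string): unknown =>
  path.split('.').reduce<unknown>(
    (cur, key) =>
      cur !== null && typeof cur === 'object' ? (cur as Record<string, unknown>)[key] : undefined,
    doc,
  )
const matches = (doc: VersionDoc, where: Where): boolean =>
  Object.entries(where).every(([path, cond]) => getPath(doc, path) === cond.equals)

// Constructed sample version documents.
const sampleVersions: VersionDoc[] = [
  { id: 'v1', version: { _status: 'draft' } },
  { id: 'v2', version: { _status: 'published' } },
]

// Which version ids a given user would be allowed to list.
const visibleVersions = (user: User, docs: VersionDoc[]): string[] => {
  const result = headerAccess.readVersions({ req: { user } })
  if (typeof result === 'boolean') return result ? docs.map((d) => d.id) : []
  return docs.filter((d) => matches(d, result)).map((d) => d.id)
}
```
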

Key Takeaways

  • Globals have two base operations: read and update (vs. collections which also have create/delete).
  • Add readVersions only when versions is enabled — otherwise it's ignored.
  • Query constraints in readVersions target the versions collection, not the Global itself, which can produce unexpected results if misused.
  • Admin Panel visibility is automatically restricted when read denies access.
  • No field-level granularity here — use wiki/tech-patterns/payload-cms-field-access-control for per-field restrictions.

Sources