Permissions
Kizen’s highly configurable permissions engine allows for fine-grained access control to objects, entities, and the actions that can be taken on them. When using the API, it’s important to be aware of what permissions the current user has before attempting an action, since calls the user is not permitted to make will be rejected.
To fetch the user’s current permissions, make a GET call to /api/auth/access. This endpoint takes no additional parameters and simply returns a JSON object with the current user’s permissions:
curl -X GET "https://app.go.kizen.com/api/auth/access" \
-H 'accept: application/json'
The JSON response includes a number of fields that describe the user’s permissions:
Section Permissions
The sections value in the JSON has permission information for specific features and parts of the app. These allow or deny access to things like dashboards, homepages, custom object creation, and other core features.
Contact Permissions
The contacts value in the JSON has permission information for accessing, editing, and creating contact records. This information can be used to determine whether the current user has permission to create contacts, as well as to perform bulk actions on them.
Custom Object Permissions
The custom_objects value in the JSON has permission information for accessing, editing, and creating custom objects and their entity records. There is a permission for creating new objects, as well as a breakdown by object ID for more granular control.
The map of objects in custom_object_entities provides permission information about the entities of a particular object. Similar to the contact object, each custom object has controls for whether the current user has permission to create entities.
When fetching a custom object, the access property in the response can be used to determine whether the current user has view, edit, or remove access. The response includes each value individually:
{
"view": true,
"edit": true,
"remove": true
}
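As an added example (not code from Kizen or this documentation), the helper below reads a response shaped like /api/auth/access and checks the view/edit/remove access triple above before a client issues a request. The nesting under sections, contacts and custom_object_entities, and the object ID obj_example_1, are assumptions constructed for the sample; only the top-level keys and the access triple come from the page. Anything missing or not literally true is treated as denied.

```python
import json
from typing import Any, Mapping

# Constructed sample of an /api/auth/access response. Only the top-level
# keys and the view/edit/remove triple come from the documentation; the
# nesting under "sections", "contacts" and "custom_object_entities" is an
# assumed shape for this example, as is the object ID.
SAMPLE_ACCESS = json.loads("""
{
  "sections": {"dashboards": true, "homepages": false},
  "contacts": {"create": true, "bulk_actions": false},
  "custom_objects": {"create": false},
  "custom_object_entities": {
    "obj_example_1": {
      "create": true,
      "access": {"view": true, "edit": true, "remove": false}
    }
  }
}
""")

ENTITY_ACTIONS = ("view", "edit", "remove")


def _granted(node: Any, *path: str) -> bool:
    """Walk a nested mapping along path; a missing key, a non-mapping on
    the way, or any value other than the literal true counts as denied."""
    for key in path:
        if not isinstance(node, Mapping) or key not in node:
            return False
        node = node[key]
    return node is True


def can_create_contact(access: Mapping) -> bool:
    return _granted(access, "contacts", "create")


def entity_access(access: Mapping, object_id: str, action: str) -> bool:
    """view/edit/remove on one custom object's entities, deny by default."""
    if action not in ENTITY_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return _granted(access, "custom_object_entities", object_id, "access", action)


def guard(access: Mapping, object_id: str, action: str) -> None:
    """Raise before issuing a request the user is not allowed to make.
    The API still enforces permissions server side; this client-side check
    only avoids sending calls that are known to be rejected."""
    if not entity_access(access, object_id, action):
        raise PermissionError(f"{action} denied on {object_id}")
```

Load the real response from the GET call shown earlier in place of SAMPLE_ACCESS; the deny-by-default walk means an unexpected or partial response never grants access.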