Permissions Overview
App Studio applies access control at two independent layers: who can open the app at all (app-level access), and which pages and widgets each user sees inside it (visibility rules). Both layers derive from the Passport JWT roles present at session start.
Two-Layer Access Model
App Studio separates "can this user enter the app" from "what can they see inside it":
The app defines a required role list. If the user's context.roles does not include at least one of those roles, they receive a 403 before any UI loads. Open access (empty role list) allows all authenticated users.
Each AppPage has an optional requiredRoles list. Pages the user doesn't qualify for are hidden from the sidebar and return 403 if accessed directly by URL.
Individual widgets carry a visibleTo role list or a visibilityExpression token. Widgets that evaluate to hidden are not rendered — no empty space, no disabled state.
The data that a widget loads is filtered server-side per the user's tenant and role claims — App Studio does not rely solely on UI hiding to protect data.
The Role Source: context.roles
All visibility rules evaluate against context.roles — a string array populated from the Passport JWT claims at session start. Roles are set by the IAM layer; App Studio only reads them.
// context object available in all token expressions
context.userId → "user-abc"
context.tenantId → "tenant-acme"
context.roles → ["admin", "sales-manager", "viewer"]
context.displayName → "Jane Smith"
context.email → "jane@acme.com"
Quick Reference
| Layer | Config field | Where | Effect if denied |
|---|---|---|---|
| App access | allowedRoles | App config | 403 page, no UI loads |
| Page visibility | requiredRoles | AppPage config | Hidden from sidebar; 403 on direct URL |
| Widget visibility | visibleTo / visibilityExpression | Widget placement | Widget not rendered |
| Data scoping | Server-side filters | Data service | Empty data set returned |
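The following added example (not App Studio's own code) shows how the app, page, and widget rules in the table can be evaluated in one server-side function, so that sidebar hiding and direct-URL enforcement come from the same decision. The config object shape, the any-match semantics for requiredRoles and visibleTo, and the 404 result for an unknown page are assumptions; only allowedRoles, requiredRoles, visibleTo, and context.roles are names from this page.

```javascript
// Added example. The config object shape and the 404 result are assumptions;
// allowedRoles, requiredRoles, visibleTo and context.roles are the page's names.
const sampleApp = { // constructed sample
  allowedRoles: ["admin", "sales-manager", "viewer"],
  pages: [
    { id: "dashboard", widgets: [
      { id: "revenue-chart", visibleTo: ["admin", "sales-manager"] },
      { id: "welcome-banner" }, // no visibleTo: shown to everyone on the page
    ] },
    { id: "settings", requiredRoles: ["admin"], widgets: [
      { id: "role-editor", visibleTo: ["admin"] },
    ] },
  ],
};

// A missing or empty rule is open; otherwise the user needs at least one listed
// role (any-match for requiredRoles and visibleTo is an assumption).
function satisfies(ruleRoles, userRoles) {
  if (ruleRoles === undefined || ruleRoles === null) return true;
  if (!Array.isArray(ruleRoles)) return false; // malformed rule: fail closed
  return ruleRoles.length === 0 || ruleRoles.some((r) => userRoles.includes(r));
}

// Fail closed: a context without a roles array is treated as holding no roles.
function rolesOf(context) {
  return context && Array.isArray(context.roles) ? context.roles : [];
}

// Server-side decision for a direct URL request to one page.
function authorizePage(app, context, pageId) {
  const roles = rolesOf(context);
  if (!satisfies(app.allowedRoles, roles)) return { status: 403, layer: "app" };
  const page = app.pages.find((p) => p.id === pageId);
  if (!page) return { status: 404, layer: "page" };
  if (!satisfies(page.requiredRoles, roles)) return { status: 403, layer: "page" };
  const widgets = page.widgets
    .filter((w) => satisfies(w.visibleTo, roles))
    .map((w) => w.id);
  return { status: 200, widgets };
}

// Sidebar entries reuse the same decision, so hiding and enforcement agree.
function sidebarPages(app, context) {
  return app.pages
    .filter((p) => authorizePage(app, context, p.id).status === 200)
    .map((p) => p.id);
}
```

The visibilityExpression field is left out because its syntax is not shown here, and data scoping remains a separate server-side filter in the data service.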
In This Guide
App-Level Access
Configure which roles can enter the app. Set open vs. restricted access.
Page Visibility
Hide AppPages from users who lack the required role.
Widget Visibility
Show or hide individual widgets based on user role.
Role-Based Expression
Write complex visibility logic with token expressions.
Data Scoping
Ensure widgets only show data the user is authorized to see.
Passport IAM Integration
How context.roles is populated from Passport token claims.
Permissions Audit
View effective permissions for a specific user in the app.