User permissions

Stream Activity Feeds ships with a configurable permission system that allows high resolution control over what users are permitted to do.

Getting Started

There are multiple important terms to understand when it comes to permission management. Each permission check comes down to three things:

  • Subject - an actor which attempts to perform a certain Action. It can be represented by a User, a FeedMember, or a Follower

  • Resource - an item that the Subject attempts to perform an Action against. It can be a Feed, Activity, or another User

  • Action - the exact action that is being performed. For example ReadFeed, AddActivity, DeleteActivity

The purpose of the permission system is to answer the question: is Subject A allowed to perform Action B on Resource C?

Stream Activity Feeds provides several concepts which help to control which actions are available to whom:

  • Permission - an object which represents actions a subject is allowed to perform

  • Role - assigned to a User or to a user's relationship with a feed (as member or follower), and is used to check their permissions

  • Grants - the way permissions are assigned to roles, applicable across the entire application or specific to a feed group (visibility scope).

Also important to know: permission checking only happens on client-side calls. Server-side calls allow everything so long as a valid API key and secret are provided.

Role Management

To make it easy to get started, all Stream applications come with several roles already built in with permissions that represent the most common use cases. These roles can be customized if needed, and new roles can be created specific to your application.

This is the process of assigning a role to users so they can be granted permissions. This represents Subject A in the permissions question. Users have one role which grants them permissions for the entire application. Additionally, users can have feed-level roles when they interact with a specific feed—as a member or as a follower.

By default all users have the built-in role user assigned. Updating a user's role can be done via upsertUsers or updateUsersPartial endpoints:

const user: UserRequest = {
  id: 'userid',
  role: 'user',
  custom: {
    color: 'blue',
  },
  name: 'This is a test user',
  image: 'link/to/profile/image',
};
client.upsertUsers([user]);

// or
client.updateUsersPartial({
  users: [
    {
      id: user.id,
      set: {
        'new-field': 'value',
      },
      unset: ['name'],
    },
  ],
});

When you add a user as a member of a feed, the feed_member role is assigned by default. You can set a different role when adding or updating members:

await client.feeds.feed("user", "community_id").updateFeedMembers({
  operation: "upsert",
  members: [{ user_id: "james_bond", role: "feed_moderator" }],
});

You can also update a follower's role on an existing follow:

await client.feeds.updateFollow({
  source: `timeline:${sourceFeedId}`,
  target: `user:${targetFeedId}`,
  push_preference: "none",
  role: "my_custom_feed_follower_role",
  custom: {
    note: "Updated follow",
  },
});

Changing roles is not allowed client-side. Use server-side SDKs for these operations.

Subject

Subject can be represented by a User, a FeedMember, or a Follower. FeedMember and Follower subjects are used when a user interacts with a feed they are a member or follower of. Both the user-level role and the feed-level role (member or follower role) are taken into account when checking permissions.

Built-in roles

There are some built-in roles in Stream Activity Feeds that cover basic scenarios:

RoleLevelDescription
userUserDefault user role
guestUserGuests are short-lived temporary users that could be created without a token
anonymousUserAnonymous users are not allowed to perform any actions that write data. You should treat them as unauthenticated clients
adminUserRole for users that perform administrative tasks with elevated permissions
moderatorUserRole for users that perform moderation tasks
feed_memberFeedDefault role when a user is added as a member of a feed; has elevated permissions to perform administrative tasks on the feed
feed_member_viewerFeedA read-only feed member role
feed_followerFeedDefault role assigned when a user starts following a feed

You cannot use user-level roles as feed-level roles and vice versa. This restriction only applies to built-in roles.

Ownership

Some Stream Activity Feeds entities have an owner, and ownership can be considered when configuring access permissions. Ownership is supported in these entity types:

  1. Feed - owned by its creator

  2. Activity - owned by its creator (actor)

  3. User - the authenticated user owns themselves

Using the ownership concept, permissions can be set up so that entity owners are allowed to perform certain actions. For example:

  • Update Own Activity - allows activity authors to edit their activities

  • Update Own User - allows users to change their own properties (except role)

  • Add Activity in Own Feed - allows feed owners to add activities to feeds they created even if they are not members

Custom Roles

In more sophisticated scenarios custom roles can be used. A Stream application can have up to 25 custom roles. Roles are simple and require only a name to be created. They do nothing until permissions are assigned to the role. To create a new custom role you can use the CreateRole API endpoint with the activity-feeds server-side SDK:

await client.createRole("special_agent");

To delete a previously created role you can use the DeleteRole API endpoint:

await client.deleteRole("agent_006");

To delete a role, you must remove all permission grants for that role and ensure no non-deleted users have this role assigned. Feed-level roles can be deleted without reassigning them first, although some users may lose access on feeds where that role was used.

Once you have created a role you can start granting permissions to it. You can also grant or remove permissions for built-in roles.

Granting permissions

User access in Activity Feeds is split across multiple scopes.

  • Application permissions: You can grant these using the .app scope. These permissions apply to operations that occur outside of feed groups, such as modifying other users or moderation features.

  • Feed visibility permissions: These apply to all feeds that have a given visibility.

To list all available permissions:

const { permissions } = await client.listPermissions(); // List of Permission objects

Each permission object contains these fields:

FieldTypeDescriptionExample
idstringUnique permission IDadd-activity-owner
namestringHuman-readable permission nameAdd Activity in Owned Feed
descriptionstringHuman-readable permission descriptionGrants AddActivity when…
actionstringAction that this permission grantsAddActivity
ownerbooleanIf true, Subject must be the owner of the Resourcetrue
same_teambooleanIf true, Subject must be part of the same team as the Resourcetrue

To configure granted permissions for a feed visibility (e.g. public, visible, followers, members, private), use the feed visibility API. First get the current configuration with getFeedVisibility, then update role grants with updateFeedVisibility:

// Get current grants for a feed visibility
const response = await client.feeds.getFeedVisibility({ name: "visible" });

// Update "feed_member" role grants for this feed visibility
await client.feeds.updateFeedVisibility({
  name: "visible",
  grants: {
    feed_member: [
      "read-feed",
      "add-activity",
      "update-activity-owner",
      "delete-activity-owner",
    ],
  },
});

This call only changes grants for roles that are mentioned in the request. You can remove all grants for a role by providing an empty array ([]) as the list of permissions:

await client.feeds.updateFeedVisibility({
  name: "visible",
  grants: {
    guest: [],
    anonymous: [],
  },
});

To list all feed visibility configurations use listFeedVisibilities(). If you want to reset a feed visibility to default settings, pass null for the grants field (where supported by the SDK) when calling updateFeedVisibility.

You can manage .app scope grants using the Update App Settings API endpoint in the same way:

await client.updateAppSettings({
  grants: {
    anonymous: [],
    guest: [],
    user: ["search-user", "mute-user"],
    admin: ["search-user", "mute-user", "ban-user"],
  },
});

UI for configuring permissions

Stream Dashboard provides a user interface to edit permission grants.

Client-side permission checks

The own_capabilities array contains the actions a user is allowed to perform in a given feed (for example add-activity). You can use this data to show/hide different parts of the UI based on a user's permissions.

// Get feed from activity context (e.g. current_feed)
const [group, id] = activity.current_feed?.feed.split(":") ?? [];
const feed = group && id ? client.feed(group, id) : undefined;

const unsubscribe = feed?.state.subscribeWithSelector(
  (state) => state.own_capabilities,
  (ownCapabilities) => {
    // Use ownCapabilities for UI or permission checks
  },
);
Previous
Collections
Next
State Layer