# User Permissions
Stream Chat ships with a configurable permission system that allows high resolution control over what users are permitted to do.
## Getting Started
There are multiple important terms to understand when it comes to permission management. Each permission check comes down to three things:
- `Subject` - an actor which attempts to perform certain Action. It could be represented by a User or by a ChannelMember
- `Resource` - an item that Subject attempts to perform an Action against. It could be a Channel, Message, Attachment or another User
- `Action` - the exact action that is being performed. For example `CreateChannel` , `DeleteMessage` , `AddLinks`
The purpose of permission system is to answer a question: **is** `Subject A` **allowed to perform** `Action B` **on** `Resource C` ?
Stream Chat provides several concepts which help to control which actions are available to whom:
- `Permission` - an object which represents actions a subject is allowed to perform
- `Role` - assigned to a User or Channel Member and is used to check their permissions
- `Grants` - the way permissions are assigned to roles, applicable across the entire application, or specific to a single channel type or channel.
Also important to know is permissions checking only happens on the client-side calls. Server-side allows everything so long as a valid API key and secret is provided.
## Role Management
To make it easy to get started, all Stream applications come with several roles already built in with permissions to represent the most common use cases. These roles can be customized if needed, and new roles can be created specific for your application
This is the process of assigning a role to users so they can be granted permissions. This represents `Subject A` in the permissions question. Users will have one role which grants them permissions for the entire application and additionally users can have channel roles which grant permissions for a single channel or for all channels with the same channel type.
By default all users have builtin role `user` assigned. To change the role of the User, you can use UpdateUser API endpoint:
```js label="JavaScript"
await client.partialUpdateUser({
id: "james_bond",
set: { role: "special_agent" },
});
```
```php label="PHP"
$client->updateUsersPartial(new Models\UpdateUsersPartialRequest(
users: [new Models\UpdateUserPartialRequest(
id: "james_bond",
set: (object)["role" => "special_agent"],
)],
));
```
```python label="Python"
from getstream.models import UpdateUserPartialRequest
response = client.update_users_partial(users=[
UpdateUserPartialRequest(id="james_bond", set={"role": "special_agent"})
])
```
```java label="Java"
var reqObj = UpdateUserPartialRequest.builder()
.id("james_bond")
.set(Map.of("role", "special_agent"))
.build();
client.updateUsersPartial(UpdateUsersPartialRequest.builder()
.users(List.of(reqObj))
.build()).execute();
```
```csharp label="C#"
await client.UpdateUsersPartialAsync(new UpdateUsersPartialRequest
{
Users = new List
{
new UpdateUserPartialRequest
{
Id = "user-id",
Set = new Dictionary { { "role", "special_agent" } },
},
},
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.common.update_users_partial(Models::UpdateUsersPartialRequest.new(
users: [Models::UpdateUserPartialRequest.new(
id: 'james_bond',
set: { role: 'special_agent' }
)]
))
```
```go label="Go"
resp, err := client.UpdateUsersPartial(ctx, &getstream.UpdateUsersPartialRequest{
Users: []getstream.UpdateUserPartialRequest{
{
ID: "james_bond",
Set: map[string]any{
"role": "special_agent",
},
},
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
Once you add user to the channel, `channel_member` role will be assigned to user's membership:
```js label="JavaScript"
const result = await channel.addMembers([{ user_id: "james_bond" }]);
console.log(result.members[0].channel_role); // "channel_member"
```
```php label="PHP"
$result = $client->updateChannel("messaging", "channel-id", new Models\UpdateChannelRequest(
addMembers: [new Models\ChannelMemberRequest(userID: "james_bond")],
));
```
```python label="Python"
from getstream.models import ChannelMemberRequest
result = channel.update(add_members=[ChannelMemberRequest(user_id="james_bond")])
print(result.data.members[0].channel_role)
```
```java label="Java"
var resp = chat.channel("channel_type", "channel_id")
.update(UpdateChannelRequest.builder()
.addMembers(List.of(ChannelMemberRequest.builder().userID("james_bond").build()))
.build());
System.out.println(resp.getData().getMembers().get(0).getChannelRole());
```
```csharp label="C#"
var addMembersResponse = await chat.UpdateChannelAsync("channel-type", "channel-id", new UpdateChannelRequest
{
AddMembers = new List
{
new ChannelMemberRequest { UserID = "user-id" },
},
});
Console.WriteLine(addMembersResponse.Members[0].ChannelRole); // channel role is equal to "channel_member"
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
resp = client.chat.update_channel('messaging', 'channel-id', Models::UpdateChannelRequest.new(
add_members: [Models::ChannelMemberRequest.new(user_id: 'james_bond')]
))
puts resp.members[0].channel_role
```
```go label="Go"
channel := client.Chat().Channel("messaging", "channel-id")
_, err = channel.Update(ctx, &getstream.UpdateChannelRequest{
AddMembers: []getstream.ChannelMemberRequest{
{UserID: "james_bond"},
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
In order to change channel-level role of the user, you can either add user to the channel with a different role (if the SDK supports it) or update it later by role assignment:
```js label="JavaScript"
// Add user to the channel with role set
await channel.addMembers([
{ user_id: "james_bond", channel_role: "channel_moderator" },
]);
// Assign new channel member role
await channel.assignRoles([
{ user_id: "james_bond", channel_role: "channel_member" },
]);
```
```php label="PHP"
// Add user to the channel with role set
$client->updateChannel("messaging", "general", new Models\UpdateChannelRequest(
addMembers: [new Models\ChannelMemberRequest(userID: "james_bond", channelRole: "channel_moderator")],
));
// Assign new channel member role
$client->updateChannel("messaging", "general", new Models\UpdateChannelRequest(
assignRoles: [new Models\ChannelMemberRequest(userID: "james_bond", channelRole: "channel_member")],
));
```
```python label="Python"
from getstream.models import ChannelMemberRequest
# Add user to the channel with role set
result = channel.update(add_members=[ChannelMemberRequest(user_id="james_bond", channel_role="channel_moderator")])
# Assign new channel member role
result = channel.update(assign_roles=[ChannelMemberRequest(user_id="james_bond", channel_role="channel_member")])
```
```java label="Java"
chat.channel(channel.getType(), channel.getId())
.update(UpdateChannelRequest.builder()
.assignRoles(List.of(ChannelMemberRequest.builder()
.userID("james_bond")
.channelRole("channel_member")
.build()))
.build());
```
```csharp label="C#"
// User must be a member of the channel before you can assign channel role
var resp = await chat.UpdateChannelAsync("channel-type", "channel-id", new UpdateChannelRequest
{
AssignRoles = new List
{
new ChannelMemberRequest { UserID = "user-id", ChannelRole = "channel_moderator" },
},
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
# Add user to the channel with role set
client.chat.update_channel('messaging', 'channel-id', Models::UpdateChannelRequest.new(
add_members: [Models::ChannelMemberRequest.new(user_id: 'james_bond', channel_role: 'channel_moderator')]
))
# Assign new channel member role
client.chat.update_channel('messaging', 'channel-id', Models::UpdateChannelRequest.new(
assign_roles: [Models::ChannelMemberRequest.new(user_id: 'james_bond', channel_role: 'channel_member')]
))
```
```go label="Go"
channel := client.Chat().Channel("messaging", "channel-id")
_, err = channel.Update(ctx, &getstream.UpdateChannelRequest{
AssignRoles: []getstream.ChannelMemberRequest{
{ChannelRole: getstream.PtrTo("channel_moderator"), UserID: "james_bond"},
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
changing channel member roles is not allowed client-side.
Subject
`Subject` can be represented by User or ChannelMember. ChannelMember subject is used only when user interacts with a channel that they are member of. Both User and ChannelMember have Role and permission system takes both roles into consideration when checking permissions.
## Builtin roles
There are some builtin roles in Stream Chat that cover basic chat scenarios:
| Role | Level | Description |
| ----------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| user | User | Default User role |
| guest | User | Used for guest users created by server-side endpoints. Guests are short-lived temporary users that could be created without a token |
| anonymous | User | Anonymous users are not allowed to perform any actions that write data. You should treat them as unathenticated clients |
| admin | User | Role for users that perform administrative tasks with elevated permissions |
| channel_member | Channel | Default role that gets assigned when user is added to the channel |
| channel_moderator | Channel | Role for channel members that perform administrative tasks with elevated permissions |
It's worth noting that you cannot use user-level roles as channel-level roles vice-versa. This restriction only applies to builtin roles
## Ownership
Some Stream Chat entities have an owner and the fact of ownership can be considered when configuring access permissions. Ownership is supported in these entity types:
1. **Channel** - owned by its creator
2. **Message** - owned by its creator (sender)
3. **Attachment** - owned by user who uploaded a file
4. **User** - authenticated user owns itself
Using ownership concept, permissions could be set up in such a way that allows entity owners to perform certain actions. For example:
- **Update Own Message** - allows message senders to edit their messages
- **Update Own User** - allows users to change their own properties (except role and team)
- **Send Message in Own Channel** - allows channel creators to send messages in the channels that they created even if they are not members
## Custom Roles
In more sophisticated scenarios custom roles could be used. One Stream Chat application could have up to 25 custom roles. Roles are simple, and require only a name to be created. They do nothing until permissions are assigned to the role. To create new custom role you can use CreateRole API endpoint:
```js label="JavaScript"
await client.createRole("special_agent");
```
```php label="PHP"
$client->createRole(new Models\CreateRoleRequest(name: "special_agent"));
```
```python label="Python"
client.create_role("special_agent")
```
```java label="Java"
client.createRole(CreateRoleRequest.builder().name("special_agent").build()).execute();
```
```csharp label="C#"
await client.CreateRoleAsync(new CreateRoleRequest { Name = "special_agent" });
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.common.create_role(Models::CreateRoleRequest.new(name: 'special_agent'))
```
```go label="Go"
client.CreateRole(ctx, &getstream.CreateRoleRequest{Name: "special_agent"})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
To delete previously created role you can use DeleteRole API endpoint:
```js label="JavaScript"
await client.deleteRole("agent_006");
```
```php label="PHP"
$client->deleteRole("agent_006");
```
```python label="Python"
client.delete_role("agent_006")
```
```java label="Java"
client.deleteRole("agent_006", DeleteRoleRequest.builder().build()).execute();
```
```csharp label="C#"
await client.DeleteRoleAsync("special_agent");
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.common.delete_role('agent_006')
```
```go label="Go"
client.DeleteRole(ctx, "agent_006", &getstream.DeleteRoleRequest{})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
In order to delete a role, you have to remove all permission grants that this role has and make sure that you don't have non-deleted users with this role assigned. Channel-level roles could be deleted without reassigning them, although, some users could lose access to channels where this role is used.
Once you have a role created you can start granting permissions to it. You can also grant or remove permissions for built in roles.
## Granting permissions
User access in Chat application is split across multiple scopes.
- **Application Permissions** : You can grant these using the .app scope. These permissions apply to operations that occur outside of channel-types including accessing and [modifying other users](/chat/docs/php/update-users/), or [using moderation features](/chat/docs/php/moderation/).
- **Channel-Type Permissions** : These apply permissions to all channels of a particular type.
- **Channel Permissions** : These apply permissions to a single channel and override channel-type permissions.
To list all available permissions you can you ListPermissions API endpoint:
```js label="JavaScript"
const { permissions } = await client.listPermissions(); // List of Permission objects
```
```php label="PHP"
$response = $client->listPermissions();
```
```python label="Python"
response = client.list_permissions()
```
```java label="Java"
var response = client.listPermissions(ListPermissionsRequest.builder().build()).execute();
```
```csharp label="C#"
var response = await client.ListPermissionsAsync();
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
response = client.common.list_permissions
```
```go label="Go"
resp, err := client.ListPermissions(ctx, &getstream.ListPermissionsRequest{})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
You can also find all available permissions on [Permissions Reference](/chat/docs/php/permissions-reference/) page
Each permission object contains these fields:
| Type | Description | Description | Example |
| ----------- | ----------- | ------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------- |
| id | string | Unique permission ID | create-message-owner |
| name | string | Human-readable permission name | Create Message in Owned Channel |
| description | string | Human-readable permission description | Grants action CreateMessage which allows to send a new message, user should own a channel |
| action | string | Action which this permission grants | CreateMessage |
| owner | boolean | If true, Subject should be an owner of the Resource | true |
| same_team | boolean | If true, Subject should be a part of the team that Resource is a part of | true |
To manipulate granted permissions for certain channel type, you can use UpdateChannelType API endpoint:
```js label="JavaScript"
// observe current grants of the channel type
const { grants } = await client.getChannelType("messaging");
// update "channel_member" role grants in "messaging" scope
await client.updateChannelType("messaging", {
grants: {
channel_member: [
"read-channel", // allow access to the channel
"create-message", // create messages in the channel
"update-message-owner", // update own user messages
"delete-message-owner", // delete own user messages
],
},
});
```
```php label="PHP"
// observe current grants of the channel type
$response = $client->getChannelType("messaging");
// update "channel_member" role grants in "messaging" scope
$client->updateChannelType("messaging", new Models\UpdateChannelTypeRequest(
grants: [
"channel_member" => ["read-channel", "create-message", "update-message-owner", "delete-message-owner"],
],
));
```
```python label="Python"
# observe current grants of the channel type
response = client.chat.get_channel_type(name="messaging")
print(repr(response.data.grants))
# update "channel_member" role grants in "messaging" scope
client.chat.update_channel_type(
name="messaging",
automod="disabled",
automod_behavior="flag",
max_message_length=5000,
grants={
"channel_member": [
"read-channel", # allow access to the channel
"create-message", # create messages in the channel
"update-message-owner", # update own user messages
"delete-message-owner", # delete own user messages
]
},
)
```
```java label="Java"
// observe current grants of the channel type
var response = chat.getChannelType("messaging", GetChannelTypeRequest.builder().build()).execute();
System.out.println(response.getData().getGrants());
// update "channel_member" role grants in "messaging" scope
var grants = new HashMap>();
grants.put("channel_member", List.of(
"read-channel", // allow access to the channel
"create-message", // create messages in the channel
"update-message-owner", // update own user messages
"delete-message-owner" // delete own user messages
));
chat.updateChannelType("messaging", UpdateChannelTypeRequest.builder()
.automod("disabled")
.automodBehavior("flag")
.maxMessageLength(5000)
.grants(grants)
.build()).execute();
```
```csharp label="C#"
// observe current grants of the channel type
var channelType = await chat.GetChannelTypeAsync("messaging");
Console.WriteLine(channelType.Grants);
// update "channel_member" role grants in "messaging" scope
await chat.UpdateChannelTypeAsync("messaging", new UpdateChannelTypeRequest
{
Grants = new Dictionary>
{
{
// This will replace all existing grants of "channel_member" role
"channel_member", new List
{
"read-channel", // allow access to the channel
"create-message", // create messages in the channel
"update-message-owner", // update own user messages
"delete-message-owner", // delete own user messages
}
},
},
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
# observe current grants of the channel type
response = client.chat.get_channel_type('messaging')
puts response.grants
# update "channel_member" role grants in "messaging" scope
client.chat.update_channel_type('messaging', Models::UpdateChannelTypeRequest.new(
grants: { 'channel_member' => [
'read-channel', # allow access to the channel
'create-message', # create messages in the channel
'update-message-owner', # update own user messages
'delete-message-owner' # delete own user messages
] }
))
```
```go label="Go"
// observe current grants of the channel type
resp, err := client.Chat().GetChannelType(ctx, "messaging", &getstream.GetChannelTypeRequest{})
fmt.Print(resp.Data.Grants)
// update "channel_member" role grants in "messaging" scope
_, err = client.Chat().UpdateChannelType(ctx, "messaging", &getstream.UpdateChannelTypeRequest{
Grants: map[string][]string{
"channel_member": {
"read-channel", // allow access to the channel
"create-message", // create messages in the channel
"update-message-owner", // update own user messages
"delete-message-owner", // delete own user messages
},
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
This call will only change grants of roles that were mentioned in the request. You can remove all role grants with providing empty array ( `[]` ) as list of granted permissions:
```js label="JavaScript"
await client.updateChannelType("messaging", {
grants: {
guest: [], // removes all grants of "guest" role
anonymous: [], // removes all grants of "anonymous" role
},
});
```
```php label="PHP"
$client->updateChannelType("messaging", new Models\UpdateChannelTypeRequest(
grants: [
"guest" => [], // removes all grants of "guest" role
"anonymous" => [], // removes all grants of "anonymous" role
],
));
```
```python label="Python"
client.chat.update_channel_type(
name="messaging",
automod="disabled",
automod_behavior="flag",
max_message_length=5000,
grants={
"guest": [], # removes all grants of "guest" role
"anonymous": [], # removes all grants of "anonymous" role
},
)
```
```java label="Java"
var grants = new HashMap>();
grants.put("guest", Collections.emptyList()); // removes all grants of "guest" role
grants.put("anonymous", Collections.emptyList()); // removes all grants of "anonymous" role
chat.updateChannelType("messaging", UpdateChannelTypeRequest.builder()
.automod("disabled")
.automodBehavior("flag")
.maxMessageLength(5000)
.grants(grants)
.build()).execute();
```
```csharp label="C#"
await chat.UpdateChannelTypeAsync("messaging", new UpdateChannelTypeRequest
{
Grants = new Dictionary>
{
{ "guest", new List() }, // removes all grants of "guest" role
{ "anonymous", new List() }, // removes all grants of "anonymous" role
},
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.chat.update_channel_type('messaging', Models::UpdateChannelTypeRequest.new(
grants: {
'guest' => [], # removes all grants of "guest" role
'anonymous' => [] # removes all grants of "anonymous" role
}
))
```
```go label="Go"
_, err = client.Chat().UpdateChannelType(ctx, "messaging", &getstream.UpdateChannelTypeRequest{
Grants: map[string][]string{
"anonymous": {}, // removes all grants of "anonymous" role
"guest": {}, // removes all grants of "guest" role
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
If you want to reset the whole scope to default settings, you can explicitly provide `null` to `grants` field:
```js label="JavaScript"
await client.updateChannelType("messaging", {
grants: null, // resets the whole scope to default settings
});
```
```php label="PHP"
$client->updateChannelType("messaging", new Models\UpdateChannelTypeRequest(
grants: null, // resets the whole scope to default settings
));
```
```python label="Python"
# reset the whole scope to default settings
client.chat.update_channel_type(
name="messaging",
automod="disabled",
automod_behavior="flag",
max_message_length=5000,
grants=None,
)
```
```java label="Java"
chat.updateChannelType("messaging", UpdateChannelTypeRequest.builder()
.automod("disabled")
.automodBehavior("flag")
.maxMessageLength(5000)
.grants(Collections.emptyMap())
.build()).execute();
```
```csharp label="C#"
await chat.UpdateChannelTypeAsync("messaging", new UpdateChannelTypeRequest
{
Grants = new Dictionary>(),
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.chat.update_channel_type('messaging', Models::UpdateChannelTypeRequest.new(
grants: nil
))
```
```go label="Go"
_, err = client.Chat().UpdateChannelType(ctx, "messaging", &getstream.UpdateChannelTypeRequest{
Grants: nil,
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
You can manipulate `.app` scope grants using UpdateApp API endpoint in exactly the same way:
```js label="JavaScript"
// update grants of multiple roles in ".app" scope
await client.updateApp({
grants: {
anonymous: [],
guest: [],
user: ["search-user", "mute-user"],
admin: ["search-user", "mute-user", "ban-user"],
},
});
```
```php label="PHP"
// update grants of multiple roles in ".app" scope
$client->updateApp(new Models\UpdateAppRequest(
grants: [
"anonymous" => [],
"guest" => [],
"user" => ["search-user", "mute-user"],
"admin" => ["search-user", "mute-user", "ban-user"],
],
));
```
```python label="Python"
# update grants of multiple roles in ".app" scope
client.update_app(grants={
"anonymous": [],
"guest": [],
"user": [
"search-user",
"mute-user",
],
"admin": [
"search-user",
"mute-user",
"ban-user",
],
})
```
```java label="Java"
var grants = new HashMap>();
grants.put("anonymous", Collections.emptyList());
grants.put("guest", Collections.emptyList());
grants.put("user", List.of("search-user", "mute-user"));
grants.put("admin", List.of("search-user", "mute-user", "ban-user"));
client.updateApp(UpdateAppRequest.builder().grants(grants).build()).execute();
```
```csharp label="C#"
await client.UpdateAppAsync(new UpdateAppRequest
{
Grants = new Dictionary>
{
{ "anonymous", new List() },
{ "guest", new List() },
{ "user", new List { "search-user", "mute-user" } },
{ "admin", new List { "search-user", "mute-user", "ban-user" } },
},
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.common.update_app(Models::UpdateAppRequest.new(
grants: {
'anonymous' => [],
'guest' => [],
'user' => ['search-user', 'mute-user'],
'admin' => ['search-user', 'mute-user', 'ban-user']
}
))
```
```go label="Go"
_, err := client.UpdateApp(ctx, &getstream.UpdateAppRequest{
Grants: map[string][]string{
"anonymous": {},
"guest": {},
"user": {"search-user", "mute-user"},
"admin": {"search-user", "mute-user", "ban-user"},
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
## UI for configuring permissions
Stream Dashboard provides a user interface to edit permission grants. This UI is available on **Chat > Roles & Permissions** page which is available after switching to version 2 of permissions.
## Channel-level permissions
In some cases it makes sense to slightly modify granted permissions for the channel without changing channel-type grants configuration. For this, you can use Grants Modifiers that you can set for each channel individually. Grants Modifiers look almost exactly the same as regular Grants object except it allows to revoke permissions as well as grant new ones. For example, if we want to disallow sending links for users with role "user" in channel "livestream:example" and allow creating reactions, we can do this:
```js label="JavaScript"
await channel.updatePartial({
set: {
config_overrides: {
grants: {
user: ["!add-links", "create-reaction"],
},
},
},
});
```
```php label="PHP"
$client->updateChannelPartial("messaging", "general", new Models\UpdateChannelPartialRequest(
set: (object)["config_overrides" => (object)[
"grants" => ["user" => ["!add-links", "create-reaction"]],
]],
));
```
```python label="Python"
channel.update_channel_partial(set={
"config_overrides": {
"grants": {
"user": ["!add-links", "create-reaction"],
}
}
})
```
```java label="Java"
Map grants = new HashMap<>();
Map overrides = new HashMap<>();
grants.put("user", List.of("!add-links", "create-reaction"));
overrides.put("grants", grants);
chat.channel(channel.getType(), channel.getId())
.updateChannelPartial(UpdateChannelPartialRequest.builder()
.set(Map.of("config_overrides", overrides))
.build());
```
```csharp label="C#"
var grants = new Dictionary { { "user", new List { "!add-links", "create-reaction" } } };
var overrides = new Dictionary { { "grants", grants } };
var resp = await chat.UpdateChannelPartialAsync("channel-type", "channel-id", new UpdateChannelPartialRequest
{
Set = new Dictionary
{
{ "config_overrides", overrides },
},
});
```
```ruby label="Ruby"
require 'getstream_ruby'
Models = GetStream::Generated::Models
client.chat.update_channel_partial('livestream', 'example', Models::UpdateChannelPartialRequest.new(
set: { 'config_overrides' => { 'grants' => { 'user' => ['!add-links', 'create-reaction'] } } }
))
```
```go label="Go"
channel := client.Chat().Channel("livestream", "example")
_, err = channel.UpdateChannelPartial(ctx, &getstream.UpdateChannelPartialRequest{
Set: map[string]any{
"config_overrides": map[string]any{
"grants": map[string]any{
"user": []string{"!add-links", "create-reaction"},
},
},
},
})
```
```csharp label="Unity"
// This is a server-side only feature, choose any of our server-side SDKs to use it
```
Exclamation mark ( `!` ) here means "revoke" and you can combine any number of "revoke" and "grant" modifiers
After modifying the granted channel-level permissions, the API will enrich the channel response with the grants field under data.config.grants
The field `config_overrides` can only be updated using server-side auth
## Broadcast and Reply-only Channels
A common example of changing the permission model of a channel type is to create a Telegram-style broadcast channel where privileged channel members can send messages and other members may have permissions restricted to reading, reactions, or replying.
The three Permission grants to modify these under the scope of the channel type are
- Read Channel
- Create Reaction
- Create Reply
## Multi-Tenancy
For grouping users into teams (or tenants) to keep their data strictly segregated, see [Multi-Tenancy](/chat/docs/php/multi-tenant-chat/).
---
This page was last updated at 2026-05-22T16:32:20.001Z.
For the most recent version of this documentation, visit [https://getstream.io/chat/docs/php/chat-permission-policies/](https://getstream.io/chat/docs/php/chat-permission-policies/).