> ## Documentation Index
> Fetch the complete documentation index at: https://learn.nextedy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure Permissions

> Control who can view and edit data in Nextedy POWERSHEET by configuring property-level permissions in your data model, setting administration access, and applying sheet-level read-only mode.

export const LastReviewed = ({date}) => {
  if (!date) return null;
  const formatted = new Date(`${date}T00:00:00Z`).toLocaleDateString("en-US", {
    year: "numeric",
    month: "long",
    day: "numeric",
    timeZone: "UTC"
  });
  return <p className="mt-10 text-sm text-gray-400 dark:text-zinc-500 not-prose">
      Last reviewed on {formatted}
    </p>;
};

## Prerequisites

* Access to the data model YAML file for your project
* **Administration > Nextedy Powersheet > Data Models** permissions to edit configurations
* Basic familiarity with the data model entity type structure

## Set Property-Level Permissions

Property-level permissions control whether individual fields on an entity type are visible or editable. Configure the `readable` and `updatable` flags on each property in your data model.

### Step 1: Open Your Data Model

Navigate to **Administration > Nextedy Powersheet > Data Models** and open the YAML file for your project.

### Step 2: Add Permission Flags to Properties

For each property where you want to restrict access, add `readable` and `updatable` flags:

```yaml theme={null}
domainModelTypes:
  UserNeed:
    polarionType: user_need
    properties:
      title:
        readable: true
        updatable: true
      description:
        readable: true
        updatable: true
      severity:
        readable: true
        updatable: false
      internalNotes:
        readable: false
        updatable: false
```

| Flag        | Type      | Default | Effect                                                                                                                 |
| ----------- | --------- | ------- | ---------------------------------------------------------------------------------------------------------------------- |
| `readable`  | `boolean` | `true`  | When `false`, the property is excluded from the data payload entirely -- it is not loaded or transmitted to the client |
| `updatable` | `boolean` | `true`  | When `false`, the property appears in the sheet but cannot be modified by users                                        |

<Warning title="Hidden properties are not transmitted">
  Setting `readable: false` does more than hide the column in the UI. The property is excluded from the data payload at the server level -- it is never loaded or sent to the client. This provides data-level security, not just visual hiding.
</Warning>

### Step 3: Save and Reload

Save the data model file. Users need to reload any open Powersheet pages to pick up the updated permission settings.

## Configure Administration Access

Powersheet separates administration permissions into two scopes: **document configuration** and **data model configuration**. Each scope has independent read and write flags.

| Permission             | Controls                                 |
| ---------------------- | ---------------------------------------- |
| `document.admin.read`  | View the sheet configuration YAML        |
| `document.admin.write` | Modify the sheet configuration YAML      |
| `model.admin.read`     | View the data model configuration YAML   |
| `model.admin.write`    | Modify the data model configuration YAML |

<Frame>
  <img src="https://mintcdn.com/none-17b4493f/3Zik2OH750CE3kB4/powersheet/diagrams/guides/administration/configure-permissions/diagram-1.svg?fit=max&auto=format&n=3Zik2OH750CE3kB4&q=85&s=05dbefe6d4c2876a909dc9b056763e81" alt="diagram" style={{ width: "500px", maxWidth: "100%" }} width="500" height="200" data-path="powersheet/diagrams/guides/administration/configure-permissions/diagram-1.svg" />
</Frame>

A user with `document.admin.read` but without `document.admin.write` can view the sheet configuration YAML but cannot save changes. The same applies independently to data model configuration.

<Tip title="Separate read and write for safety">
  Grant `model.admin.read` broadly so engineers can inspect the data model for reference, but restrict `model.admin.write` to administrators who understand the impact of model changes on existing data.
</Tip>

## Enable Sheet-Level Read-Only Mode

The entire sheet can be set to read-only using the `isReadOnly` property in the sheet configuration. This prevents all editing regardless of individual property permissions.

### Step 1: Open Your Sheet Configuration

Navigate to **Administration > Nextedy Powersheet > Sheet Configurations** and open the YAML file assigned to your document.

### Step 2: Set the Read-Only Flag

Add `isReadOnly: true` at the root level of your configuration:

```yaml theme={null}
isReadOnly: true
columns:
  title:
    title: Title
    hasFocus: true
  severity:
    title: Severity
```

<Warning title="Three conditions trigger read-only mode">
  The sheet enters read-only mode if **any** of these conditions is true:

  1. The sheet configuration has `isReadOnly: true`
  2. The user has the `readOnly` permission flag set to `true`
  3. The user is viewing a historical revision or baseline

  You do not need to set all three -- any single condition is sufficient.
</Warning>

## Restrict Individual Columns

Beyond property-level permissions in the data model, you can also enforce read-only on specific columns in the sheet configuration using the `isReadOnly` column property:

```yaml theme={null}
columns:
  title:
    title: Title
    hasFocus: true
  severity:
    title: Severity
    isReadOnly: true
  chapter.title:
    title: Chapter Title
    isReadOnly: true
```

This is useful when a property should be editable in one sheet configuration but read-only in another. The data model `updatable` flag applies globally across all sheets, while the column-level `isReadOnly` applies only to the specific sheet configuration.

| Approach                       | Scope                            | Defined In                 |
| ------------------------------ | -------------------------------- | -------------------------- |
| `updatable: false` on property | All sheets using this data model | Data model YAML            |
| `isReadOnly: true` on column   | Single sheet configuration       | Sheet configuration YAML   |
| `isReadOnly: true` at root     | Entire sheet                     | Sheet configuration YAML   |
| `readOnly` user flag           | Per user                         | Server-managed permissions |

## Configure Navigation Property Permissions

Relationships in the data model define navigation properties using `direct` and `back` directions. Each direction can carry its own permission settings, independent of the target entity type:

```yaml theme={null}
relationships:
  - from: UserNeed
    to: SystemRequirement
    cardinality: many-to-many
    storage: linkedWorkItems
    linkRole: decomposes
    direct:
      name: systemRequirements
    back:
      name: userNeeds
```

The `direct` navigation property (from source to target) and `back` navigation property (from target to source) can each have permission settings that control whether users can traverse and modify the relationship from that direction.

<Info title="Verify in application">
  Navigation property permissions are under active development. The exact flags and their behavior may change. Test permission settings in a non-production project before deploying.
</Info>

## Combine Permission Layers

A practical configuration combines multiple permission layers. Here is a complete example that restricts a `SystemRequirement` entity so that `severity` is visible but not editable, and `internalNotes` is completely hidden:

```yaml theme={null}
domainModelTypes:
  UserNeed:
    polarionType: user_need
    properties:
      title:
        readable: true
        updatable: true
      description:
        readable: true
        updatable: true
      severity:
        readable: true
        updatable: true

  SystemRequirement:
    polarionType: sys_req
    properties:
      title:
        readable: true
        updatable: true
      description:
        readable: true
        updatable: true
      severity:
        readable: true
        updatable: false
      internalNotes:
        readable: false
        updatable: false

relationships:
  - from: SystemRequirement
    to: UserNeed
    cardinality: many-to-many
    storage: linkedWorkItems
    linkRole: decomposes
    direct:
      name: userNeeds
    back:
      name: systemRequirements
```

In the sheet configuration for a review-oriented view, you might further lock down columns:

```yaml theme={null}
isReadOnly: false
columns:
  title:
    title: Title
    hasFocus: true
  description:
    title: Description
  severity:
    title: Severity
    isReadOnly: true
  userNeeds.userNeed:
    title: Linked User Needs
    isReadOnly: true
```

In this setup:

* `title` and `description` are fully editable
* `severity` is visible but cannot be changed (enforced by both `updatable: false` in the model and `isReadOnly: true` in the sheet)
* `internalNotes` never appears because `readable: false` prevents it from being loaded
* The linked user needs column is displayed but cannot be modified in this particular sheet view

## Verify Your Configuration

After saving your data model and sheet configuration changes:

1. Open the Powersheet page as a regular user (not an administrator)
2. Verify that columns with `updatable: false` appear greyed out and reject edits
3. Verify that properties with `readable: false` do not appear in the sheet at all
4. If `isReadOnly: true` is set on the sheet, confirm that no cells are editable
5. Check that administration panels respect the `document.admin` and `model.admin` permission flags

You should now see restricted properties rendered as non-editable cells and hidden properties completely absent from the sheet view.

## See Also

* [Configure Read-Only Column](/powersheet/guides/sheet-configuration/configure-read-only-column) -- column-level `isReadOnly` usage
* [Set Entity Permissions](/powersheet/guides/data-model/set-permissions) -- data model property permission reference
* [Add a Custom Property](/powersheet/guides/data-model/add-custom-property) -- adding properties to entity types
* [Install and Manage License](/powersheet/guides/administration/install-manage-license) -- license status and its effect on access
* [Manage Global Configuration](/powersheet/guides/administration/manage-global-config) -- global vs project-level configuration scope

<LastReviewed date="2026-06-24" />
