# Permissions

Permissions define granular access rights to apps, services, data, environments and functionality within Appfarm Create.

Permissions are granted to [roles](/reference/security/roles.md) which are in turn assigned to [users](/reference/security/users.md). You must configure permissions for each new role that you create so that end-users can access and use your apps.

## Apps

Grant access to a given [app](/reference/apps.md). You must assign this permission if you create a new app.

## Services

Grant access to a given [service](/reference/services.md).

* If a service is run from a [schedule](/reference/operations/schedules.md), the service account that triggers the schedule must have a role with access to the service.
* If a service is run via a call from an external application, the [service account](/reference/security/service-accounts.md) holding the [API key](/reference/security/service-accounts.md#api-keys) must have a role with access to the service.
* If a user can run a service from within an app, they need a role with access to the service.

## Object classes

Select which data operations a role has access to, for each [object class](/reference/data-model/object-classes.md) in your solution.

When you create a new object class, only the [built-in roles](/reference/security/roles.md#built-in-roles) have access by default, so you must grant access to the appropriate roles.

Additionally, when you add a new role, it has no object class permissions at all, so you must grant the required permissions.

These permissions can also be configured when [editing an object class](/reference/data-model/object-classes.md#permissions) in your Global Data Model.

{% hint style="success" %}
**Best practice**

Be restrictive, and don't grant permissions that a role doesn't need.
{% endhint %}

## Login access

Grant access to a given [environment](/reference/configuration/environments.md). For example, you might have a role for testing which only needs access to the Test environment.

{% hint style="info" %}
**Good to know**

The built-in roles do not have access to Test, Staging, or Production.
{% endhint %}

If you've created a custom role that needs access to Appfarm Create, that can also be granted under Login access.

## Accounts and Roles

Manage permissions for adding, updating, and deleting users, service accounts, and individual roles. This includes assigning and removing roles.

If you have functionality in your apps or services for adding, modifying, or deleting users, the appropriate permissions must be granted here.

{% hint style="info" %}
**Good to know**

When performing user management operations from inside an app or service, the built-in role privileges are not valid.
{% endhint %}

## Advanced

Advanced permissions include privileges within Appfarm Create. Typically, you would only use these if you create a custom role which requires access to Appfarm Create.

These permissions allow you to tightly control which parts of Appfarm Create that role has access to. For example, you can allow access to only one specific app or restrict deploying to Production.

This is also where you can grant a role the permission **Update Secret from Service**. This is required when you have a service run by a schedule that fetches an authentication token from an external API and stores that token in a [secret](/reference/security/secrets.md).

