Permissions Setup

policies.json

Every module that contains views must have a policies.json file. This is how Zango's role-based access control knows which roles can reach which views.

Create backend/<your_module>/policies.json:

{
  "policies": [
    {
      "name": "PatientCrudPolicy",
      "description": "Controls access to the Patient CRUD view",
      "statement": {
        "permissions": [
          { "type": "view", "name": "patients.views.PatientCrudView" }
        ]
      }
    }
  ]
}

After creating or editing policies.json, sync it via the App Panel:

  1. Open the App Panel at http://localhost:8000/platform
  2. Navigate to your app and click on the Code section in the left sidebar
  3. Click on the Policies tab
  4. Click the "Sync Policy" button at the top right to sync the policies from your codebase
  5. Once synced, assign the relevant roles to the policy by clicking on it in the policies list
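A sync only picks up what is in the file, so it is worth checking the file's shape before clicking "Sync Policy". The following validator is an added example, not part of the Zango project: it parses a policies.json document, checks the structure shown above (a "policies" list whose entries carry a "name" and a "statement.permissions" list of {"type", "name"} objects), rejects duplicate policy names, and, for "view" permissions, requires a dotted path such as patients.views.PatientCrudView. The sample document is constructed from the example above; the optional module_name argument (an assumption of this example) lets you insist that a module's policies.json only names views inside that module.

```python
import json
import sys

# Constructed sample, mirroring the policies.json schema shown above.
SAMPLE_POLICIES_JSON = """{
  "policies": [
    {
      "name": "PatientCrudPolicy",
      "description": "Controls access to the Patient CRUD view",
      "statement": {
        "permissions": [
          { "type": "view", "name": "patients.views.PatientCrudView" }
        ]
      }
    }
  ]
}"""


def _is_dotted_path(value):
    """True for strings like 'patients.views.PatientCrudView'."""
    parts = value.split(".")
    return len(parts) >= 2 and all(part.isidentifier() for part in parts)


def validate_policies(text, module_name=None):
    """Return a list of problems found in a policies.json document (empty if clean).

    module_name is an assumption of this example: when given, every "view"
    permission must point into that module ('<module_name>.views.<ViewName>').
    """
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, list):
        return ["top-level object must contain a 'policies' list"]

    seen_names = set()
    for idx, policy in enumerate(policies):
        where = f"policies[{idx}]"
        if not isinstance(policy, dict):
            problems.append(f"{where}: must be an object")
            continue

        name = policy.get("name")
        if not isinstance(name, str) or not name.strip():
            problems.append(f"{where}: missing non-empty 'name'")
        elif name in seen_names:
            problems.append(f"{where}: duplicate policy name {name!r}")
        else:
            seen_names.add(name)

        statement = policy.get("statement")
        permissions = statement.get("permissions") if isinstance(statement, dict) else None
        if not isinstance(permissions, list) or not permissions:
            problems.append(f"{where}: 'statement.permissions' must be a non-empty list")
            continue

        for pidx, perm in enumerate(permissions):
            pwhere = f"{where}.permissions[{pidx}]"
            if not isinstance(perm, dict):
                problems.append(f"{pwhere}: must be an object")
                continue
            ptype, pname = perm.get("type"), perm.get("name")
            if not isinstance(ptype, str) or not ptype:
                problems.append(f"{pwhere}: missing 'type'")
            if not isinstance(pname, str) or not pname:
                problems.append(f"{pwhere}: missing 'name'")
                continue
            # The page documents the "view" type; other types are only checked for presence.
            if ptype == "view":
                if not _is_dotted_path(pname):
                    problems.append(f"{pwhere}: view name {pname!r} is not a dotted path")
                elif module_name and not pname.startswith(module_name + "."):
                    problems.append(f"{pwhere}: view {pname!r} is outside module {module_name!r}")
    return problems


if __name__ == "__main__":
    # Usage: python check_policies.py backend/<your_module>/policies.json [<your_module>]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    module = sys.argv[2] if len(sys.argv) > 2 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_POLICIES_JSON
    found = validate_policies(text, module_name=module)
    print("\n".join(found) if found else "policies.json looks well-formed")
    sys.exit(1 if found else 0)
```

Run it against the module's policies.json before syncing; a non-zero exit means the App Panel would be handed a file that does not match the documented shape.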

Controlling the Add Button

Use display_add_button_check on the view to control whether the Add button is visible for the current user:

def display_add_button_check(self, request):
    from zango.core.utils import get_current_role
    # Show the Add button only to users holding one of the listed roles.
    role = get_current_role()
    if role:
        return role.name in ["Admin", "Manager"]
    return False

Return True to show the button, False to hide it. This does not replace policies.json — it only controls UI visibility.

Controlling Row Actions

Each row action can be gated per-object using can_perform_row_action_<key>:

def can_perform_row_action_delete(self, request, obj):
    # Only allow deleting inactive records
    return not obj.is_active

The method receives the current request and the obj (the record for that row). Return True to show the action, False to hide it for that specific row.
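The two hooks above, put together on one view, as an added example that is not Zango's own code. Everything here is a stand-in so it runs offline: get_current_role is a module-level replacement for the zango.core.utils function the real view would import, PatientCrudView is a plain class rather than a Zango CRUD view subclass, ROW_ACTION_KEYS and the archive action are hypothetical, and visible_row_actions assumes (this example's assumption, not documented on the page) that a row action with no can_perform_row_action_<key> hook is shown. The records are constructed objects with only an is_active attribute.

```python
from types import SimpleNamespace

# Stand-in for zango.core.utils.get_current_role so the example runs offline.
# A real view imports get_current_role from zango.core.utils inside the hook.
_CURRENT_ROLE = None


def get_current_role():
    return _CURRENT_ROLE


class PatientCrudView:
    """Plain stand-in for a Zango CRUD view; only the permission hooks matter here."""

    # Hypothetical list of row-action keys; the "archive" action is invented for this example.
    ROW_ACTION_KEYS = ["edit", "delete", "archive"]

    def display_add_button_check(self, request):
        # Same logic as the page's example: only Admin and Manager see the Add button.
        role = get_current_role()
        if role:
            return role.name in ["Admin", "Manager"]
        return False

    def can_perform_row_action_delete(self, request, obj):
        # Only allow deleting inactive records (the page's example).
        return not obj.is_active

    def can_perform_row_action_archive(self, request, obj):
        # Hypothetical per-object rule combining role and record state.
        role = get_current_role()
        return bool(role and role.name == "Admin" and obj.is_active)


def visible_row_actions(view, request, obj):
    """Evaluate can_perform_row_action_<key> for each action key on one row.

    Assumption of this example: an action with no hook is visible.
    """
    shown = []
    for key in view.ROW_ACTION_KEYS:
        hook = getattr(view, f"can_perform_row_action_{key}", None)
        if hook is None or hook(request, obj):
            shown.append(key)
    return shown


def make_record(is_active):
    # Constructed record with the single attribute the hooks read.
    return SimpleNamespace(is_active=is_active)


def ui_state_for(role_name, obj):
    """Resolve what a user with the given role (None = no role) sees for one row."""
    global _CURRENT_ROLE
    _CURRENT_ROLE = SimpleNamespace(name=role_name) if role_name else None
    view = PatientCrudView()
    request = SimpleNamespace(user=role_name)  # constructed request stand-in
    return {
        "add_button": view.display_add_button_check(request),
        "row_actions": visible_row_actions(view, request, obj),
    }


if __name__ == "__main__":
    for role_name in ("Admin", "Viewer", None):
        for record in (make_record(True), make_record(False)):
            print(role_name, "active" if record.is_active else "inactive", ui_state_for(role_name, record))
```

Note that every outcome here is about what the UI renders. The hooks hide buttons; they do not stop a request that reaches the view, which is what the policy synced from policies.json decides.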

Controlling Features via Policies

In addition to view access, policies can control granular features like Add, Download, and other bulk actions:

  1. Open the App Panel at http://localhost:8000/platform
  2. Navigate to your app, open the Code section in the left sidebar, and click the Policies tab
  3. Click on a policy to view and edit its permissions
  4. In the policy details, you'll see a Features section where you can enable/disable:
    • Add — Allow the "Add" button for creating new records
    • Download — Allow bulk download of records
    • Other custom features defined in your CRUD view

Features are role-based — you can assign different feature permissions to different roles through the policy configuration in the App Panel.

Reserved Roles

Role             Usage
AnonymousUsers   Unauthenticated users — use only for fully public views
SystemUsers      Internal system role — cannot be used in policies.json