Permission Naming Guidelines

Overview

FOLIO's permission system requires consistent naming to ensure clarity, maintainability, and proper access control.


Key Naming Conventions

Permission Name Structure

Permission names follow a hierarchical, dot-separated format:

[module-prefix].[resource].[scope].[action]

Components:

| Component | Description | Example |
| --- | --- | --- |
| Module Prefix | Module name without mod- prefix | finance-storage, users |
| Resource | The entity being accessed | budgets, loan-types |
| Scope | Single item or collection | item, collection |
| Action | The operation performed | get, post, put, delete |

Action Verbs

Backend permissions use HTTP-like verbs:

  • get - retrieval

  • post - creation/execution

  • put - full updates

  • patch - partial updates

  • delete - deletion

  • execute - execution

Frontend permissions use user-facing verbs:

  • view, edit, create, delete, enabled, execute, manage

Examples

  • finance-storage.budgets.item.post - Create a single budget

  • inventory-storage.loan-types.collection.get - Retrieve loan types

  • ui-users.view - View users in the UI

Exceptions

Settings permissions should not have an action verb. Example: ui-inventory.settings.call-number-types

For broad or general permissions that encompass multiple actions or resources, use a comprehensive term followed by all. Example: in finance.funds.all, funds.all indicates a permission that applies to all actions related to funds.
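A name check built from the rules above, as an added example that is not FOLIO project code. The function name check_permission_name is hypothetical, and two points are assumptions inferred from the page's examples: segments are lowercase kebab-case, and a ui- prefix marks a frontend permission (the settings exception is applied only there).

```python
import re

# Verb lists, scopes and exceptions are taken from the guideline text above.
BACKEND_ACTIONS = {"get", "post", "put", "patch", "delete", "execute"}
FRONTEND_ACTIONS = {"view", "edit", "create", "delete", "enabled", "execute", "manage"}
SCOPES = {"item", "collection"}
# Assumption: segments are lowercase kebab-case, as in every example on the page.
SEGMENT = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def check_permission_name(name):
    """Return a list of problems; an empty list means the name passes."""
    parts = name.split(".")
    bad = [p for p in parts if not SEGMENT.fullmatch(p)]
    if bad:
        return [f"segment {p!r} is not lowercase kebab-case" for p in bad]
    if len(parts) < 2:
        return ["expected a module prefix followed by at least one segment"]
    problems = []
    prefix, last = parts[0], parts[-1]
    if prefix.startswith("mod-"):
        problems.append("module prefix must omit 'mod-'")
    if last == "all":
        return problems  # exception: broad permission such as finance.funds.all
    if prefix.startswith("ui-"):  # assumption: 'ui-' marks a frontend permission
        if parts[1] == "settings":
            if len(parts) > 2 and last in FRONTEND_ACTIONS:
                problems.append("settings permission should not end in an action verb")
        elif last not in FRONTEND_ACTIONS:
            problems.append(f"{last!r} is not a frontend verb")
        return problems
    if len(parts) != 4:
        problems.append("backend name must be [module-prefix].[resource].[scope].[action]")
        return problems
    if parts[2] not in SCOPES:
        problems.append(f"scope {parts[2]!r} must be 'item' or 'collection'")
    if last not in BACKEND_ACTIONS:
        problems.append(f"{last!r} is not a backend verb")
    return problems


if __name__ == "__main__":
    # Constructed sample names: the page's own examples plus deliberate violations.
    for sample in ["finance-storage.budgets.item.post", "ui-users.view",
                   "ui-inventory.settings.call-number-types", "finance.funds.all",
                   "mod-users.users.item.get", "finance-storage.budgets.item.view",
                   "inventory-storage.loan-types.get"]:
        print(sample, "->", check_permission_name(sample) or "ok")
```

Running a check like this over the permission names a module declares, before they are merged, catches names that drift from the convention and would otherwise be easy to misread when assigning access.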


More Information Here

  1. Permissions naming convention - Detailed naming conventions for individual permissions

  2. Permission Set Guidelines - Guidelines for permission set design and composition. Older document mostly relevant for Okapi-based FOLIO.