---
title: Access Control Config
label: Config
order: 10
---

Access can be configured at a Collection-level or field-level within your Collection configuration.

Talk about how you can access the user from the req

Talk about how you can return either a boolean, or in certain access functions, a `where` query constraint. This will be difficult to understand soo we should be very descriptive and low-level.

Can't return a `where` for a create, because it doesn't make sensitive

**Default access control requires a logged in user to do anything.**

Local API skips access control by default, but can be enabled if you pass a user to the operation.

```js
// Collection config
module.exports = {
  slug: 'public-user',
  // highlight-start
  access: {
    create: () => true,
    read: () => true,
    update: () => true,
    delete: () => true,
    admin: () => true,
  },
  // highlight-end
  fields: [
    {
      name: 'lockedDownField',
      label: 'Locked Down',
      type: 'text'
      // highlight-start
      access: {
        create: () => true,
        read: () => true,
        update: () => true,
        delete: () => true,
      },
      // highlight-end
    };
  ],
}
```

### Collections

Talk about collection-level access control here.


### Globals

Talk about global access control here.

### Fields

Talk about field-level access control here.

### Admin

Talk about how to restrict collections' access to the Admin panel here.