Prismic provides a role-based access control system for managing team collaboration on content. Understanding role permissions is essential for secure, efficient content management.
Prismic Role Hierarchy
Prismic has three primary roles with decreasing levels of access:
- Owner - Full control, billing access, repository deletion
- Administrator - Repository management, user invitations, settings
- Writer - Content creation and editing
Detailed Role Permissions
Owner (Highest Privilege)
The Owner has unrestricted access to all Prismic features and is the only role with billing and deletion capabilities.
Core Permissions:
- All Administrator permissions (below)
- Access billing and subscription management
- Delete the entire repository
- Transfer repository ownership to another user
- Manage Prismic plan upgrades/downgrades
- Access dangerous settings (permanent data operations)
- Cancel subscription
Access to:
- Settings → Repository settings (full access)
- Settings → Custom Types (full access)
- Settings → Releases (full access)
- Settings → Users & API (full access)
- Settings → Webhooks (full access)
- Settings → Billing (exclusive)
- All content operations
Limitations:
- Only one Owner per repository
- Owner role cannot be removed, only transferred
- Owner transfer is permanent
Best Practices:
- Reserve Owner for CEO, CTO, or designated technical lead
- Document Owner credentials in secure password manager
- Plan for ownership transfer in case of employee departure
- Never share Owner credentials
When to Use Owner:
- Initial Prismic setup and configuration
- Billing and plan management
- Repository migration or deletion
- Critical infrastructure changes
Administrator
Administrators manage day-to-day operations, users, and repository configuration but lack billing and destructive capabilities.
Core Permissions:
- Invite and manage users (except Owner transfer)
- Modify repository settings
- Create, edit, and delete Custom Types
- Manage Slices in Slice Machine
- Configure webhooks and integrations
- Create and manage Releases
- Publish, edit, and delete all content
- Access Media Library
- Configure locales and languages
Access to:
- Settings → Repository settings (read/write)
- Settings → Custom Types (read/write)
- Settings → Releases (read/write)
- Settings → Users & API (manage users, create API tokens)
- Settings → Webhooks (read/write)
- Settings → Locales (read/write)
- All documents and content
Cannot Access:
- Settings → Billing
- Repository deletion
- Owner transfer
- Subscription changes
Best Practices:
- Assign to technical leads, CMO, or senior content strategists
- Limit to 2-3 trusted administrators
- Document changes in shared team notes
- Review Administrator activity quarterly
When to Use Administrator:
- Managing content team (inviting/removing users)
- Creating and modifying Custom Types
- Configuring webhooks for Next.js/Gatsby builds
- Managing Releases and publication workflows
- Setting up Slice Machine components
Common Administrator Tasks:
Create Custom Type:
- Settings → Custom Types → Create new
- Define fields (UID, title, rich text, images, etc.)
- Configure JSON schema
- Save and publish type
Invite User:
- Settings → Users & API → Users
- Click "Invite a user"
- Enter email and select role
- Send invitation
Configure Webhook:
- Settings → Webhooks → Create a webhook
- Name: "Build Production Site"
- URL:
https://api.vercel.com/v1/integrations/deploy/... - Triggers: Select events (publish, unpublish, etc.)
- Save
Writer
Writers create and manage content but cannot modify repository structure or settings.
Core Permissions:
- Create, edit, and publish documents
- Delete own drafts
- Upload and manage media in Media Library
- Create and manage Releases (if enabled)
- Preview content
- Access all Custom Types (content, not structure)
- Collaborate on documents
- Submit for review (workflow dependent)
Access to:
- Documents (create, edit, publish, delete drafts)
- Media Library (upload, organize, delete)
- Releases (create, assign documents)
- Preview functionality
Cannot Access:
- Settings menu (any section)
- Custom Types (creation or modification)
- User management (cannot invite or remove)
- Webhooks or integrations
- API token creation
- Billing or ownership
- Repository settings
Limitations:
- Cannot modify Custom Type structure
- Cannot invite or remove users
- Cannot access repository settings
- Cannot create webhooks
- May not delete published content (depends on repository configuration)
Best Practices:
- Assign to content creators, writers, marketers
- Ideal for day-to-day content management
- Writers should understand Custom Type fields
- Monitor Writer actions via Prismic activity log
When to Use Writer:
- Creating blog posts, pages, and content
- Managing media assets
- Publishing content to website
- Collaborating on content with team
- Working within established Custom Types
Writer Workflow Example:
- Create new document (e.g., Blog Post)
- Fill in fields (title, body, featured image, etc.)
- Preview content
- Publish or save as draft
- Upload images to Media Library as needed
Guest (Legacy Plans Only)
Note: Guest role is only available on older Prismic Legacy plans and may not be available on newer plans.
Core Permissions:
- Read-only access to content
- View documents
- View Media Library
- Cannot create, edit, or delete
Access to:
- Documents (read-only)
- Media Library (view-only)
Cannot Access:
- Any write operations
- Settings or configuration
- User management
When to Use Guest:
- Stakeholders needing visibility
- External reviewers
- Clients reviewing content
- Developers needing read access
Custom Type Permissions
Prismic Custom Types define content structure. Role-based access applies:
Who Can Create Custom Types
- Owner: Yes
- Administrator: Yes
- Writer: No
Who Can Modify Custom Types
- Owner: Yes
- Administrator: Yes
- Writer: No (can create content based on types, but not modify structure)
Who Can Delete Custom Types
- Owner: Yes
- Administrator: Yes
- Writer: No
Important: Deleting a Custom Type deletes all documents of that type. This action cannot be undone.
Slice Machine Permissions
Prismic Slice Machine enables component-based content modeling.
Who Can Create Slices
- Owner: Yes
- Administrator: Yes
- Writer: No (can use Slices in content, but not create/modify)
Who Can Modify Slice Library
- Owner: Yes
- Administrator: Yes
- Writer: No
Note: Slice changes typically require developer involvement and framework code updates.
Release Permissions
Releases allow content scheduling and coordinated publishing.
Who Can Create Releases
- Owner: Yes
- Administrator: Yes
- Writer: Yes (if repository allows)
Who Can Publish Releases
- Owner: Yes
- Administrator: Yes
- Writer: Yes (if repository allows)
Note: Repository settings may restrict Writer release permissions.
Media Library Permissions
Who Can Upload Media
- Owner: Yes
- Administrator: Yes
- Writer: Yes
Who Can Delete Media
- Owner: Yes
- Administrator: Yes
- Writer: Typically yes (own uploads)
Who Can Organize Media into Tags/Folders
- Owner: Yes
- Administrator: Yes
- Writer: Yes
Webhook and Integration Permissions
Who Can Create Webhooks
- Owner: Yes
- Administrator: Yes
- Writer: No
Who Can Configure Integrations
- Owner: Yes
- Administrator: Yes
- Writer: No
Common Integrations:
- Build webhooks (Vercel, Netlify)
- Preview URLs (Next.js Preview Mode)
- Third-party services (Algolia, Cloudinary)
API Token Permissions
Permanent Access Tokens
Who Can Create:
- Owner: Yes
- Administrator: Yes
- Writer: No
Access Levels:
- Master Ref: Read published content
- Master + Releases: Read published content and releases
Security Note: API tokens provide programmatic access. Treat as passwords and rotate regularly.
Permission Matrix
| Permission | Owner | Admin | Writer | Guest |
|---|---|---|---|---|
| Content Management | ||||
| Create documents | ||||
| Edit all documents | ||||
| Publish documents | ||||
| Delete documents | Drafts only | |||
| Media Library | ||||
| Upload media | ||||
| Delete media | ||||
| Repository Configuration | ||||
| Create Custom Types | ||||
| Modify Custom Types | ||||
| Delete Custom Types | ||||
| Create Slices | ||||
| Configure locales | ||||
| User Management | ||||
| Invite users | ||||
| Remove users | ||||
| Change user roles | ||||
| Transfer ownership | ||||
| Integrations | ||||
| Create webhooks | ||||
| Create API tokens | ||||
| Billing | ||||
| Manage billing | ||||
| Delete repository | ||||
| Releases | ||||
| Create releases | Maybe | |||
| Publish releases | Maybe |
Role Selection Guidelines
Choose Owner When:
- Responsible for billing and subscription
- Managing infrastructure and hosting
- Full accountability for repository
- Performing repository migration or deletion
Choose Administrator When:
- Managing content team and users
- Configuring Custom Types and Slices
- Setting up webhooks and integrations
- Overseeing repository structure
- Not requiring billing access
Choose Writer When:
- Creating content regularly
- Publishing within established structure
- Managing media assets
- Not needing configuration access
Choose Guest (if available) When:
- Read-only access needed
- Stakeholder visibility required
- No content creation needed
Security Best Practices
Role-Based Security
Principle of Least Privilege
- Grant minimum role needed for job function
- Regularly review and downgrade over-privileged users
- Remove unused accounts quarterly
Separate Environments
- Use different repositories for staging and production
- Limit production access to essential users
- Test in staging before production changes
Role Audits
- Monthly review of all users
- Verify roles match current responsibilities
- Document role changes with justification
API Token Management
- Rotate tokens every 90 days
- Use separate tokens per environment
- Revoke tokens immediately upon user departure
- Store tokens securely (environment variables, not code)
Common Role Scenarios
Scenario 1: Small Team (1-3 people)
- 1 Owner - Founder/CTO
- 1 Administrator - Technical lead
- 1-2 Writers - Content creators
Scenario 2: Medium Team (5-10 people)
- 1 Owner - CTO or designated owner
- 2 Administrators - Tech lead, Content strategist
- 5-7 Writers - Content team, marketers
Scenario 3: Large Team (10+ people)
- 1 Owner - CTO
- 2-3 Administrators - Engineering, Content operations
- 10+ Writers - Content team, freelancers, departments
Scenario 4: Agency Model
- 1 Owner - Agency principal
- 2 Administrators - Account managers
- Variable Writers - Per client needs
- Guests - Clients (read-only access)