is an option for CloudObject and related constructs that specifies permissions for classes of users to access or perform operations.


  • Possible settings include:
  • "Public"accessible for primary action by anyone
    "Private"private to the owner
    "unixstring"permissions for everyone specified in Unix string format
    {class1->per1,class2->per2,}different permissions specified for different classes of users or requests
  • The setting "Public" allows execution of APIFunction, FormFunction, and related constructs. It allows reading and interaction for notebook and CDF objects. For other objects, it allows reading only.
  • Possible classes of users or requesters include:
  • Alleveryone
    "Authenticated"everyone signed in with a Wolfram ID
    "Owner"owner of the object
    {user1,user2,}an explicit list of users
    PermissionsGroup["name"]users in a permissions group
    PermissionsKey["key"]requesters with a valid permissions key
    <|"prop1"val1,"prop2"val2,|>requesters for which the propi match vali
  • Users can be referenced by their Wolfram ID names, email addresses, or Wolfram UUID strings of the form "user-uuid".
  • Possible elements in the association to define requesters include:
  • "CloudUserID"formcloud user ID of the requesting user conforms to form
    "GeoLocationCountry"forminferred country of origin conforms to form
    "StartDate"datecurrent date is after the specified date
    "EndDate"datecurrent date is before the specified date
  • Dates are specified using DateObject. Countries are specified as Entity objects, or by their standard names (e.g. "UnitedStates").
  • For "CloudUserID" and "GeoLocationCountry", the following can be used:
  • "prop"valueallow only the specified value
    "prop"{value1,value2,}allow any of the valuei
    "prop""Disallow"{value1,}disallow any of the valuei
    "prop"<|"Allow"aval,"Disallow"dval|>allow the values aval; disallow the dval
  • Values for "CloudUserID" can be given as string patterns that include the wildcard character *.
  • Permissions allowed for particular classes of users are specified by giving lists of capabilities.
  • Core file-related capabilities include:
  • "Read"read content from the object
    "Write"write content permanently to the object
    "Execute"execute code in the object (e.g. via a form or API)
    Automaticallow the primary action on the object
    Allallow all actions on the object
  • File-related capabilities can also be specified as Unix-like permissions strings of the form "rwx" etc.
  • File-related capabilities are the only permissions taken into account for notebooks that have not been explicitly deployed using CloudDeploy and related functions.
  • For APIFunction, FormFunction, and related constructs, the primary action associated with Automatic is "Execute". For deployed notebooks and CDFs, it is "Interact".
  • Additional capabilities related to deployed notebooks and CDFs include:
  • "Edit"allow editing of the notebook document
    "Save"allow saving of the notebook
    "CellEdit"edit content in existing cells
    "CellCreate"create new cells
    "CellDelete"delete existing cells
    "Evaluate"evaluate code in cells
    "Interact"allow interaction with content (e.g. via CDF in the cloud)
  • "Write" allows arbitrary rewriting of a CloudObject. "Save" allows only material generated by saving a notebook view.
  • "Read" and "Write" affect what is permanently stored in a CloudObject.
  • "Edit" allows temporary modification in a notebook view. "Write" is required to allow modifications to be saved permanently.
  • "Write" is possible only for authenticated users.
  • $Permissions gives the default setting for the Permissions option.


open all close all

Basic Examples  (5)

Deploy a cloud object that can be accessed by the world:

Click for copyable input

By default, deployed cloud objects can be accessed only by the owner:

Click for copyable input
Click for copyable input

Make the object accessible by anyone:

Click for copyable input
Click for copyable input

Deploy a 3D contour plot that is only visible to a certain user:

Click for copyable input

Allow anyone with a permissions key ("secret") to access a form:

Click for copyable input

Allow anyone with a cloud user ID all capabilities:

Click for copyable input

Scope  (15)

Applications  (3)

Introduced in 2014
Updated in 2019