Setting Up A Form Permissions Ruleset

Form Permission rulesets allow you to granularly control which parts of Gravity Forms your non-administrator users can access in the WordPress backend.

These rulesets allow you to only give your users access to things they can be trusted to access, making your forms more secure and preventing future headaches when that one client decides to poke around the settings of the complex Gravity Forms form you toiled on for them.

How Do I Add A New Ruleset?

  1. On the form you want to add permissions to, hover over the Settings link (found either in the Forms List or in the toolbar when editing a form) and click Permissions.
  2. Click either the Add Rule by Role or Add Rule by User button depending on what you’d like to target with the ruleset.
  3. Select one or more users/roles in the Rule Target drop down.
  4. Determine how each capability should be applied to the targets.

Each capability has three possible states.

— Disabled (Red) – The user will be unable to access this feature.

— Inherit (Grey) – The user’s access to this capability will be inherited from their globally granted capabilities.

— Enabled (Green) – The user will be able to access this feature.

Then just scroll down past your added rulesets and click the button to save settings and your ruleset(s) will be in place!

Keep in mind, you can also add multiple rulesets here for the same form by clicking the Add New Rule button if you’d like to filter capabilities differently for different users/roles. You can even mix rulesets that target individual users and entire user roles!

What can be filtered?

Form Permission rulesets in Advanced Permissions primarily allow for granularly filtering all of the core Gravity Forms user capabilities that are form specific including:

Form Permissions

Entry Permissions

Entry Notes Permissions

Add-On Permissions

Any add-on that uses the Gravity Forms Feed Add-On Framework, both from first and third-party developers, will be picked up and listed for filtering in the ruleset, this allows you to control which add-ons your users are allowed to access the feed list for on the form and edit the settings of those feeds.

This will purely control just their access to the feed list and not anything else in that add-on, i.e. if you give access to a user to manage Gravity Flow within a Form Permissions ruleset, this is purely limited to them being able to view and modify the workflow settings for the form; it will not filter anything in other locations in Gravity Flow like your workflow inbox, etc.

How Do These Rulesets Work With Global User Capability Plugins?

If you’re using a more global user role management plugin like Members or User Role Editor to manage your user’s and their roles and the aspects of your WordPress install they have access to, Advanced Permissions and Form Permission rulesets will play nicely with that setup.

The default state for each form related capability in any ruleset is to inherit whatever the user currently has access to in your wider user capability configuration setup. So if you’ve globally granted a user role the core gravityforms_view_entries capability to view form entries, they’ll be able to globally access all form entries for all forms, but you can also still go into an individual form you want to block them from seeing the entries on and deny them the View Entries capability at the form level using a Form Permissions ruleset to deny them entry access on just that single form.

If you’re not currently using a global user capability management solution, you don’t have to worry about using one, Advanced Permissions will automagically give access to Gravity Forms to your users provided they’ve been given access to something in Gravity Forms via a Form Permissions ruleset.

In general we would highly recommend allowing Advanced Permissions to solely control your users access to Gravity Forms as it will lead to less management and a better user experience as without an existing global solution in the way to work with, Advanced Permissions can work to the best of its ability to display to users just what they actually have access to in Gravity Forms, and nothing else.