We are introducing 2 new types of permissions as part of the Permission sets feature in our web app and API:

• Permissions for adding items
• Permissions for editing another user’s items

Users can now be restricted from creating new and/or editing existing other users’ entities (deals, leads, persons and organizations). This ensures data reliability and quality for your Pipedrive account.

We will roll the feature out to all companies between June 26 and July 20, 2023.

When a user’s permission for creating entities (e.g., the can_add_deals permission for deals) is disabled, the user will not be able to add new deals, leads, persons and/or organizations via the API. Similarly, the user will not be able to edit other users’ entities when the editing permission is disabled. The deals, leads, persons and organizations that are owned by the user themselves will always remain editable.

If the user does not have the can_add_deals permission, calling the POST /deals and/or POST /deals/{id}/duplicate endpoints will result in a 403 error.

If the user does not have the can_add_leads permission, calling the POST /leads endpoint will result in a 403 error.

If the user does not have the can_add_organizations permission, calling the POST /organizations endpoint will result in a 403 error.

If the user does not have the can_add_people permission, calling the POST /persons endpoint will result in a 403 error.

If the user does not have the can_edit_other_users_deals permission, calling the following endpoints will result in a 403 error:

• POST /deals/{id}/participants
• POST /deals/{id}/products
• PUT /deals/{id}
• PUT /deals/{id}/products/{product_id}
• DELETE /deals/{id}/participants/{deal_participant_id}
• DELETE /deals/{id}/products/{product_attachment_id}

If the user does not have the can_edit_other_users_leads permission, calling the PATCH /leads/{id} endpoint will result in a 403 error.

If the user does not have the can_edit_other_users_organizations permission, calling the PUT /organizations/{id} endpoint will result in a 403 error.

If the user does not have the can_edit_other_users_people permission, calling the following endpoints will result in a 403 error:

• POST /persons/{id}/picture
• PUT /persons/{id}
• DELETE /persons/{id}/picture

{ 
  "success": false, 
  "error": "You do not have permission to do this.", 
  "error_info": "Please check developers.pipedrive.com for more information about Pipedrive API.", 
  "data": null, 
  "additional_data": null 
}

We will be adding all of the above mentioned permission fields to the response of the GET /users/{id}/permissions endpoint, which can be used to find a specific user’s permissions.

If you have any questions or comments, let us know in our Developers' Community.