# Application memberships

Application memberships connect the [membership](https://docs.commercelayer.io/provisioning/api-reference/memberships) of a user of an [organization](https://docs.commercelayer.io/provisioning/api-reference/organizations) to a specific [Dashboard app](https://docs.commercelayer.io/provisioning/getting-started/applications), via the related [API credential](https://docs.commercelayer.io/provisioning/api_credentials#dashboard-apps-api-credentials), with specific permissions granted by the associated [role](https://docs.commercelayer.io/provisioning/api-reference/roles).

You can assign one or more members of an organization a set of application memberships by creating a dedicated [membership profile](https://docs.commercelayer.io/provisioning/api-reference/membership_profiles).

{% hint style="warning" %}
Please note that only *Admins* (i.e. users with an `admin` role) can perform all the CRUD actions on the application memberships of an organization, while *Members* (i.e. users with a `read_only` or `custom` role) are allowed only to [retrieve](https://docs.commercelayer.io/provisioning/api-reference/application_memberships/retrieve) a specific application membership and/or to [fetch a list](https://docs.commercelayer.io/provisioning/api-reference/application_memberships/list) of application memberships.
{% endhint %}

{% hint style="info" %}
When you send a `GET` request to the `application_memberships` endpoint, the response includes all your application memberships plus all the organization memberships of the organizations of which you are an admin.
{% endhint %}

{% content-ref url="../getting-started/applications" %}
[applications](https://docs.commercelayer.io/provisioning/getting-started/applications)
{% endcontent-ref %}

## Permissions

Each Dashboard app comes with its own set of [permissions](https://docs.commercelayer.io/provisioning/getting-started/applications#permissions) in terms of CRUD actions on the single Core API resources. To get the real permissions of a user on a specific app, the permissions associated with the role used to create the application membership must be crossed with the app's own permissions. For example:

* `admin` roles will get the *Full access* permissions of the related app
* `read_only` roles will get the *Read-only* permissions of the related app
* `custom` roles will get their custom permissions as long as they are a subset of the *Full access* list of permissions of the related app

## Adding restrictions

You can add restrictions to the default rules above, narrowing the scope of an application membership and granting specific users *Partial access* to specific apps, by leveraging the `filters` attribute (e.g. allowing a user to manage only the shipments identified by an ID included in a specific array, allowing a user to update only the orders belonging to a specific market, etc.):

```
...
  "filters": {
    "{{predicate}}": {{value}},
    ...
  }
```

To compose the filter predicate, you just need to follow the [same syntax](https://app.gitbook.com/s/-LgByaSP8eKjad-MIuHE/filtering-data) you use when filtering a collection of Core API resources — `{{attributes}}_{{matcher}}`. You must specify filtering rules as a valid JSON object. List values for the `*_in` matcher need to be expressed as arrays.
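The rules above can be checked before a `filters` object is sent. The following is an added example, not code from Commerce Layer: the function names, the matcher subset and the sample attribute names and IDs are assumptions made for illustration.

```python
import json

# Matchers assumed for this example (a subset of the filtering syntax);
# compound suffixes come first so "not_in" is not read as "in".
ASSUMED_MATCHERS = ("not_in", "not_eq", "lteq", "gteq", "in", "eq", "lt", "gt")


def split_predicate(predicate):
    """Split '{{attributes}}_{{matcher}}' into (attributes, matcher), or None."""
    for matcher in ASSUMED_MATCHERS:
        suffix = "_" + matcher
        if predicate.endswith(suffix) and len(predicate) > len(suffix):
            return predicate[: -len(suffix)], matcher
    return None


def lint_filters(raw):
    """Return the list of problems found in a `filters` JSON document."""
    try:
        filters = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(filters, dict):
        return ["filters must be a JSON object"]
    problems = []
    for predicate, value in filters.items():
        parts = split_predicate(predicate)
        if parts is None:
            problems.append(f"{predicate}: not in attributes_matcher form")
        elif parts[1] in ("in", "not_in") and not isinstance(value, list):
            # List values for the *_in matcher must be arrays.
            problems.append(f"{predicate}: value must be an array")
    return problems


# Constructed sample inputs (attribute names and IDs are placeholders).
GOOD = '{"id_in": ["shp_example_1", "shp_example_2"], "market_id_eq": "mkt_example_1"}'
BAD = '{"id_in": "shp_example_1", "market": "mkt_example_1"}'

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_filters(raw) or "ok")
```

A scalar passed to `id_in` is the case worth catching in review, because the resulting scope is no longer the explicit allow-list the restriction was meant to express.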
