A constraint is one of several actions or permissions described in a policy. The constraint describes which user or role may perform the respective action:

|!Constraint|!Bag |!Recipe|h |''read'' |view bag's tiddlers |view bag-filter pairs constituting the recipe| |''write'' |modify bag's tiddlers |//unused// | |''create'' |add tiddlers to bag |//unused// | |''delete'' |remove tiddlers from bag |//unused// | |''manage'' |delete bag, view and modify its policy|delete recipe, view and modify its policy | |''accept'' |skip validation for tiddlers |//unused// |

cf. http://groups.google.com/group/tiddlyweb/msg/e0b3709851565dbe

An empty constraint list means there is no constraint; any user, including the anonymous user {{{GUEST}}}, can perform the action. {{{NONE}}} and {{{ANY}}} are special: {{{NONE}}} means the action may not be done, by anyone; {{{ANY}}} means any authenticated user (i.e. not {{{GUEST}}}) may perform the action.

''If either of {{{NONE}}} or {{{ANY}}} are listed in a constraint, nothing else should be listed.''