Claim
A claim is the core unit of authorization in the Samna platform. Claims represent permissions with specific access levels and are assigned to users, scoped to organizations and locations.
Access Levels
Claims use a numeric access level system where lower numbers grant more access.
| Level | Name | What it grants |
|---|---|---|
| 0 | System | System-only operations |
| 1 | Owner | Top level ownership |
| 2 | Admin | Create, update, and delete |
| 3 | Write | Create and update with limited delete |
| 4 | Update | Update with inheritance |
| 5 | Action | Read plus specific actions |
| 6 | Read | Read only access |
| 7 | Member | Claim membership without resource access |
| 8 | Guest | External or temporary read access |
Claim Types
| Type | Purpose |
|---|---|
| System | Built-in claims managed by the platform |
| User | Custom claims created by administrators |
| External | Claims originating from external identity providers |
User Claims
A user claim is the assignment of a claim to a user. Assignments can carry temporal constraints (a start date and an end date), allowing time-limited access. Each assignment records the reason it was granted.
Claim Objects
Claims are scoped to objects like organizations and locations through claim objects. When a claim is linked to a building, the access level cascades down to all floors and rooms within it. This inheritance means a single claim assignment can grant access across an entire location hierarchy.
Evaluation
When a service checks authorization, it evaluates the user's claims against the requested resource. The system resolves inheritance, checks temporal validity, and returns the effective access level. All reads are indexed lookups for performance.
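The following is an added illustration of the evaluation described above (access levels, claim objects with hierarchy inheritance, temporal user claims). It is example code written for this page, not Samna's own implementation. The data model names (`Claim`, `UserClaim`), the building/floor/room hierarchy, the inclusive start/end date semantics, and the rule that the effective level is the strongest (lowest-numbered) applicable level are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Access levels as listed on the page: lower numbers grant more access.
SYSTEM, OWNER, ADMIN, WRITE, UPDATE, ACTION, READ, MEMBER, GUEST = range(9)


@dataclass(frozen=True)
class Claim:
    name: str
    level: int  # one of the access levels above


@dataclass(frozen=True)
class UserClaim:
    """Assignment of a claim to a user, scoped to one object (assumed model)."""
    claim: Claim
    object_id: str                 # organization / building / floor / room it is scoped to
    reason: str                    # why the assignment was granted
    start: Optional[date] = None   # None = no lower bound
    end: Optional[date] = None     # None = no upper bound


# Constructed location hierarchy (child -> parent); the shape is an assumption.
PARENT = {
    "room-101": "floor-1",
    "floor-1": "building-A",
    "building-A": "org-1",
}


def ancestors(object_id):
    """Yield the object itself, then each parent up to the root."""
    while object_id is not None:
        yield object_id
        object_id = PARENT.get(object_id)


def is_active(uc, now):
    """Temporal validity. Assumed semantics: start and end are inclusive dates."""
    if uc.start is not None and now < uc.start:
        return False
    if uc.end is not None and now > uc.end:
        return False
    return True


def effective_access_level(user_claims, resource, now):
    """Resolve inheritance and temporal validity for one resource.

    A claim linked to any ancestor of the resource cascades down to it.
    Returns the strongest (lowest) applicable level, or None if no claim applies.
    """
    scope = set(ancestors(resource))
    levels = [uc.claim.level for uc in user_claims
              if uc.object_id in scope and is_active(uc, now)]
    return min(levels) if levels else None


def is_authorized(user_claims, resource, required_level, now):
    """True when the user's effective level is at least as strong as required."""
    level = effective_access_level(user_claims, resource, now)
    return level is not None and level <= required_level


# Constructed sample assignments for one user.
ALICE = [
    UserClaim(Claim("building-admin", ADMIN), "building-A", "facilities lead",
              start=date(2024, 1, 1), end=date(2024, 12, 31)),
    UserClaim(Claim("room-read", READ), "room-101", "visitor badge"),
    UserClaim(Claim("org-owner", OWNER), "org-1", "former founder",
              end=date(2023, 6, 30)),
]

if __name__ == "__main__":
    # Admin on the building cascades to the room while the assignment is active.
    print(effective_access_level(ALICE, "room-101", date(2024, 6, 1)))   # 2 (Admin)
    # After the building claim expires, only the room-scoped Read claim remains.
    print(effective_access_level(ALICE, "room-101", date(2025, 3, 1)))   # 6 (Read)
    print(is_authorized(ALICE, "room-101", WRITE, date(2025, 3, 1)))     # False
```

The list scan over `user_claims` is only for clarity; a production evaluator would keep the assignments keyed by object id so that each check is an indexed lookup over the resource's ancestor chain, as the page notes. The example also makes the direction of inheritance explicit: a room-scoped claim never grants anything on the floor or building above it.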