Access Control

Access control determines who can see and act on resources. The model has three parts: a claim, an object binding, and a user assignment.

A claim is a permission template owned by an organization. It defines a name and an access level. On its own it does nothing. Bind it to one or more resources to define what the claim covers, then assign it to one or more users to grant them that access. See Grant Access to a User for the call sequence.

Access levels

access is a bitmask. Each bit grants one permission:

| Bit | Name | Allows |
|------|---------|---------------------------------------------------------------------|
| 0x01 | owner | Full control, including binding new claims and deleting |
| 0x02 | write | Create and modify |
| 0x04 | read | View |
| 0x08 | execute | Trigger actions and book resources |
| 0x10 | deny | Subtracts the masked bits from any other grant on the same resource |

Combine bits with OR. Read and write is 0x06. Full access excluding deny is 0x0F. The API accepts the integer directly, so access: 7 means owner, write and read.

deny removes the masked bits from access calculations regardless of any other claims the user holds. Deny always wins over grant.

Claim types

| Type | Use |
|---------|---------------------------------------------------------------------|
| user | Granted to people through user assignments |
| service | Granted to service principals such as API integrations |
| virtual | Template not directly granted; activated through scope rules on a binding |

How access cascades

Access cascades through three hierarchies:

  1. Ownership. Claims on an organization cascade to its child organizations and to every resource they own.
  2. Location. Resources placed at a location inherit access from claims on that location and every parent location above it.
  3. Parenthood. When a resource type forms its own tree, claims on a parent cascade to every descendant.

A cascade only applies when both the claim and the binding have inherits: true. Setting either to false stops the cascade at that point, which is how you issue a broad claim that applies only to the named resource without flowing further down.

Object bindings

A binding connects a claim to a resource. Each binding carries the target resource, an optional access override that narrows the claim's bits without changing the claim itself, an optional scope that limits the grant to specific fields or conditions, and an inherits flag that controls whether the cascade continues below this object.

A single claim can bind to many resources. A single resource can be covered by many claims.

User assignments

A user assignment grants a claim to a user inside an organization. Each assignment carries optional starts_at and ends_at timestamps. The grant is active only while the current time falls within that window, and it expires automatically once ends_at has passed.

A single claim can be granted to many users. A user can hold many claims.
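The following is an added example, not code from this documentation or the API it describes: it combines the rules above (bitmask grants and deny, override narrowing, the two inherits flags and the assignment time window) into one effective-access evaluator. The resource names, users, the child-to-parent map and the use of naive datetimes are constructed for illustration, and the example assumes a deny claim cascades under the same inherits rules as any other claim.

```python
from collections import namedtuple
from datetime import datetime

OWNER, WRITE, READ, EXECUTE, DENY = 0x01, 0x02, 0x04, 0x08, 0x10  # the "Access levels" table
GRANT_BITS = OWNER | WRITE | READ | EXECUTE                       # 0x0F: full access excluding deny

# The three parts of the model; field names follow the page, the defaults are assumptions.
Claim = namedtuple("Claim", "name access inherits", defaults=[True])
Binding = namedtuple("Binding", "claim resource access inherits", defaults=[None, True])  # access = override
Assignment = namedtuple("Assignment", "user claim starts_at ends_at", defaults=[None, None])

def effective_access(user, resource, parents, bindings, assignments, now):
    """Bits `user` holds on `resource`: OR of every grant that reaches it, minus the bits
    masked by any deny that reaches it. `parents` maps child -> parent in the hierarchy."""
    held = {a.claim.name for a in assignments if a.user == user  # naive datetimes assumed
            and (a.starts_at or datetime.min) <= now < (a.ends_at or datetime.max)}
    grants = denied = 0
    node, direct = resource, True
    while node is not None:  # walk from the resource up through its ancestors
        for b in bindings:
            if b.resource != node or b.claim.name not in held:
                continue
            if not direct and not (b.claim.inherits and b.inherits):
                continue  # a cascade needs inherits: true on both the claim and the binding
            bits = b.claim.access if b.access is None else b.claim.access & b.access  # override narrows
            if bits & DENY:
                denied |= bits & GRANT_BITS  # the bits set beside 0x10 are the mask to subtract
            else:
                grants |= bits
        node, direct = parents.get(node), False
    return grants & ~denied  # deny always wins

def demo():
    """Constructed scenario: location tree hq > floor-2 > room-7, evaluated on 2024-06-01."""
    now = datetime(2024, 6, 1)
    parents = {"room-7": "floor-2", "floor-2": "hq"}
    editor = Claim("editor", OWNER | WRITE | READ)            # access: 7, cascades
    no_write = Claim("no-write", DENY | WRITE)                # deny claim that masks write
    viewer = Claim("viewer", READ | EXECUTE, inherits=False)  # broad claim that must not cascade
    bindings = [Binding(editor, "hq"), Binding(no_write, "floor-2"),
                Binding(viewer, "hq", access=READ)]           # override narrows viewer to read only
    assignments = [Assignment("alice", editor), Assignment("alice", no_write),
                   Assignment("bob", editor, ends_at=datetime(2024, 1, 1)),  # bob's has expired
                   Assignment("carol", viewer)]
    return {f"{u}@{r}": effective_access(u, r, parents, bindings, assignments, now)
            for u, r in [("alice", "hq"), ("alice", "room-7"), ("bob", "hq"),
                         ("carol", "hq"), ("carol", "room-7")]}
```

Running demo() shows alice holding 0x07 at hq but 0x05 at room-7 (the deny bound at floor-2 strips write on the way down), bob holding nothing because his assignment has expired, and carol holding read only at hq and nothing below it.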

API

The Claim tag covers claim creation, object bindings, user assignments and the search across resources reachable through a claim.