Grant Access to a User
A user gains access by holding a claim that is bound to the right object. Three writes do the whole thing.
- Create the claim, the template that carries the access bitmask.
- Bind the claim to the object the access should reach.
- Assign the claim to the user.
See Access Control for the model and the bit values.
1. Create the Claim
POST /claim
{
  "name": "Meeting Room Booker",
  "description": "Can read and book the second floor meeting rooms.",
  "access": 6,
  "type": "user",
  "inherits": true,
  "owner_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
access: 6 is read | write (0x04 | 0x02). Use 0x08 to also allow triggering actions, 0x01 for owner.
{
  "data": {
    "id": "11111111-2222-3333-4444-555555555555",
    "name": "Meeting Room Booker",
    "access": 6,
    "type": "user",
    "inherits": true,
    "owner_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  },
  "count": 1
}
Capture data.id as claim_id for the next steps.
2. Bind the Claim to an Object
POST /claim/{claim_id}/object
{
  "object_type": "claimius.location",
  "object_id": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
  "inherits": true,
  "reason": "Second floor meeting rooms"
}
Binding at the location with inherits: true cascades to every bookable in that location and any descendant locations. To restrict the grant to one specific room, bind to public.bookable with the bookable id. To narrow which fields the grant covers, pass scope with field name keys; see Access Control.
3. Assign the Claim to a User
POST /claim/{claim_id}/user
{
  "user_id": "e992bfc1-0336-42c5-bd0a-4f4804a9fd24",
  "owner_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "reason": "Onboarding 2026-05",
  "starts_at": "2026-05-12T00:00:00Z",
  "ends_at": "2026-12-31T23:59:59Z"
}
Leave starts_at and ends_at null for an open-ended grant. With a time window set, the access is only active while the current time falls within it and expires automatically.
After all three calls the user holds the claim, the claim is bound to the location, and every bookable beneath the location is reachable to them with read and write access.
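The three writes above as one function, with a rollback through DELETE /claim/{claim_id} if the bind or assign step fails, so a half-finished grant is not left behind. This is an added example, not the project's own client code: send, grant_access, describe_access, allow_owner and fake_send_factory are hypothetical names, and the transport is assumed to raise on any non-2xx response.

```python
# Added example. Assumption: send(method, path, body) is a caller-supplied
# transport that adds the base URL and credentials, returns the parsed JSON
# response, and raises an exception on any non-2xx status.

# Bit values from this page. READ=0x04 and WRITE=0x02 follow the order in
# "read | write (0x04 | 0x02)"; confirm against Access Control.
READ, WRITE, ACTION, OWNER = 0x04, 0x02, 0x08, 0x01


def describe_access(mask):
    """Decode an access bitmask into the names used on this page."""
    names = [(READ, "read"), (WRITE, "write"), (ACTION, "action"), (OWNER, "owner")]
    return [name for bit, name in names if mask & bit]


def grant_access(send, claim, binding, assignment, allow_owner=False):
    """Create, bind and assign a claim; delete the claim if a later write fails."""
    if claim["access"] & OWNER and not allow_owner:
        raise ValueError("owner bit set; pass allow_owner=True if that is intended")
    claim_id = send("POST", "/claim", claim)["data"]["id"]
    try:
        send("POST", f"/claim/{claim_id}/object", binding)
        send("POST", f"/claim/{claim_id}/user", assignment)
    except Exception:
        # Deleting the claim also removes its bindings and user assignments.
        send("DELETE", f"/claim/{claim_id}", None)
        raise
    return claim_id


def fake_send_factory(fail_path=None):
    """Constructed in-memory stand-in for the API, for offline runs only."""
    calls = []

    def send(method, path, body=None):
        calls.append((method, path))
        if fail_path and method == "POST" and path.endswith(fail_path):
            raise RuntimeError(f"simulated failure on {path}")
        return {"data": {"id": "11111111-2222-3333-4444-555555555555"}, "count": 1}

    return send, calls
```

The owner-bit guard is a local policy choice in this example, not behaviour of the API.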
Revoking
Three levels of revocation are available depending on how much you want to remove.
Remove a user from a claim — DELETE /claim/{claim_id}/user/{user_id} removes the assignment for that user only. The claim and its bindings stay intact and remain active for any other users who hold it.
Remove a binding — DELETE /claim/{claim_id}/object/{object_id} removes the binding to a specific resource. The claim stays in place but no longer cascades access to that object or its descendants.
Remove the claim entirely — DELETE /claim/{claim_id} removes the claim along with all its bindings and user assignments.