Access Control
How Atom decides what each entity is allowed to do.
Atom answers one question:
Example:
The Model
Vocabulary
| Term | Meaning |
|---|---|
| Subject | Entity or principal group receiving access. |
| Action | Operation name such as read, publish, subscribe, or manage. |
| Action Applicability | Valid action/object pair, such as publish on resource:channel. |
| Permission Block | Scope, actions, effect, and optional conditions. |
| Assignment Guardrail | Assignment-time rule that allows or blocks an action from being granted to an entity kind. |
| Role | Friendly name for a set of permission blocks. |
| Role Assignment | Gives a role to an entity or principal group. |
| Direct Policy | Gives one permission block directly to an entity or principal group. |
| Principal Group | Who-container. Members receive role assignments through the group. |
| Object Group | Where-container. Permission blocks can target objects inside it. |
Core Rules
- Deny overrides allow.
- No matching allow means denied.
- Tokens do not contain permissions.
- Scope and actions live in permission blocks.
- Role assignments do not define scope.
- Direct policies do not redefine scope.
- Assignment guardrails prevent unsafe access state from being created.
- Groups do not grant access by themselves; assignments and permission blocks do.
Actions And Applicability
Actions are global operation names. Atom uses names such as read, write,
delete, publish, subscribe, execute, manage, create, revoke,
rotate, policy.manage, role.manage, and authz.check.
Do not model object-specific action names such as client_read,
channel_publish, or report_execute. The action stays global; Action
Applicability decides where that action is valid.
Action Applicability validates action/object pairs. It does not grant access by itself.
Examples:
| Action | Valid object kind/type |
|---|---|
publish, subscribe | resource with type resource:channel |
execute | resource with rule or report types |
read, write, delete | common protected objects |
manage, revoke | credential |
create, manage | tenant |
rotate | signing_key |
role.manage, policy.manage | role and policy administration scopes |
Invalid pairs, such as publish on an entity or execute on a channel, are
rejected before permission blocks are evaluated.
Assignment Guardrails
Assignment Guardrails validate whether it is safe to create access state, such as a role assignment, direct policy, role-to-permission-block link, or group membership that would grant inherited access.
They are different from runtime authorization. /authz/check answers whether
the current subject may perform the current action on the current object.
Assignment Guardrails run when access is being assigned or changed.
For example, Atom can allow devices to receive publish on
resource:channel, while denying devices from receiving manage on
resource:channel.
Where To Go Next
Roles
How named roles bundle permission blocks.
Conditions
How JSON conditions narrow a permission block.
Permission Blocks
The source of scope, actions, allow, deny, and conditions.
Assignment Guardrails
How Atom blocks unsafe access from being assigned.
Evaluation
How Atom turns the model into an allow or deny answer.