Admin Hygiene

Detect orphaned access records, unprotected resources, and expiring credentials.

Administrative endpoints surface system health issues. They require management access through Atom's normal permission block model.

Orphan Access Records

Orphan access records are role assignments or direct policies where the referenced subject, role, or permission block no longer exists.

Query parameters

Parameter	Type	Default	Description
`limit`	int	50	Results per page (1-200)
`offset`	int	0	Pagination offset

Response

{
  "items": [
    {
      "id": "p1-...",
      "record_type": "role_assignment",
      "subject_kind": "entity",
      "subject_id": "aaa-...",
      "role_id": "role-...",
      "created_at": "2026-03-15T12:00:00Z",
      "orphan_reason": "subject_not_found"
    }
  ],
  "total": 1
}

`orphan_reason` values

Value	Meaning
`subject_not_found`	The referenced entity or principal group has been deleted
`role_not_found`	The referenced role has been deleted
`permission_block_not_found`	The referenced permission block has been deleted

GET /admin/unprotected-resources

Returns resources that have no permission block coverage through roles or direct policies.

Query parameters

Parameter	Type	Default	Description
`tenant_id`	UUID	—	Filter by tenant
`kind`	string	—	Filter by resource kind
`limit`	int	50	Results per page (1-200)
`offset`	int	0	Pagination offset

Response

{
  "items": [
    {
      "id": "r5-...",
      "kind": "secret",
      "name": "db-password",
      "tenant_id": "t1-...",
      "owner_id": null,
      "created_at": "2026-04-20T14:00:00Z"
    }
  ],
  "total": 1
}

Very broad platform or tenant permission blocks can intentionally cover many resources. Review those before treating a resource as unprotected.

GET /admin/expiring-credentials

Returns active credentials expiring within a specified number of days. Useful for proactive rotation before integrations break.

Query parameters

Parameter	Type	Default	Description
`days`	int	30	Show credentials expiring within this many days
`entity_id`	UUID	—	Filter by entity
`kind`	`password` \| `api_key` \| `certificate`	—	Filter by credential kind
`limit`	int	50	Results per page (1-200)
`offset`	int	0	Pagination offset

Response

{
  "items": [
    {
      "id": "cr1-...",
      "entity_id": "bbb-...",
      "entity_name": "sensor-01",
      "entity_kind": "device",
      "kind": "api_key",
      "status": "active",
      "expires_at": "2026-05-10T00:00:00Z",
      "days_remaining": 16,
      "created_at": "2026-01-10T00:00:00Z"
    }
  ],
  "total": 1
}

Sorted by expires_at ASC (soonest expiration first). The secret_hash and identifier fields are never included.

Use cases

Task	Endpoint
Weekly cleanup of stale policies	`GET /admin/orphan-policies`
Security audit: verify all resources have coverage	`GET /admin/unprotected-resources`
Daily alert: credentials expiring this week	`GET /admin/expiring-credentials?days=7`
Check a specific tenant's unprotected resources	`GET /admin/unprotected-resources?tenant_id=t1`

Admin Hygiene

On this page