Atom

Access Control

How Atom decides what each entity is allowed to do.

Atom answers one question:

Can subject S perform action A on object O?

Example:

Can device meter-001 publish to channel telemetry?

The Model

A Subject gets a Role.
A Role contains Permission Blocks.
A Direct Policy gives a Subject one Permission Block directly.
The Permission Block is the only place where scope and actions are defined.

Vocabulary

Term                  Meaning
Subject               Entity or principal group receiving access.
Action                Operation name such as read, publish, subscribe, or manage.
Action Applicability  Valid action/object pair, such as publish on resource:channel.
Permission Block      Scope, actions, effect, and optional conditions.
Role                  Friendly name for a set of permission blocks.
Role Assignment       Gives a role to an entity or principal group.
Direct Policy         Gives one permission block directly to an entity or principal group.
Principal Group       Who-container. Members receive role assignments through the group.
Object Group          Where-container. Permission blocks can target objects inside it.

Core Rules

  • Deny overrides allow.
  • No matching allow means denied.
  • Tokens do not contain permissions.
  • Scope and actions live in permission blocks.
  • Role assignments do not define scope.
  • Direct policies do not redefine scope.
  • Groups do not grant access by themselves; assignments and permission blocks do.

Actions And Applicability

Actions are global operation names. Atom uses names such as read, write, delete, publish, subscribe, execute, manage, create, revoke, rotate, policy.manage, role.manage, and authz.check.

Do not model object-specific action names such as client_read, channel_publish, or report_execute. The action stays global; Action Applicability decides where that action is valid.

Action Applicability validates action/object pairs. It does not grant access by itself.

Examples:

Action                      Valid object kind/type
publish, subscribe          resource with type resource:channel
execute                     resource with rule or report types
read, write, delete         common protected objects
manage, revoke              credential
create, manage              tenant
rotate                      signing_key
role.manage, policy.manage  role and policy administration scopes

Invalid pairs, such as publish on an entity or execute on a channel, are rejected before permission blocks are evaluated.
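The following is an added worked example, not Atom's own code, that puts the model, the core rules, and action applicability together in one small evaluator. It answers the question from the top of the page (can device meter-001 publish to channel telemetry?) and walks through the cases the rules above imply: an allow reached through a principal group and a role, a direct-policy deny that overrides that allow, a subject with no matching allow, and an invalid action/object pair that is rejected before any permission block is read. The class and function names (Obj, PermissionBlock, Authorizer, check), the decision-reason strings, the scope syntax ("group:<object group>" and "*"), the treatment of "common protected objects" as a wildcard kind, and the meter/telemetry sample data are all assumptions made for illustration.

```python
"""Minimal evaluator for the access-control model described on this page.

Added example, not Atom's own code. Names (Obj, PermissionBlock, Authorizer,
check), reason strings and sample data are assumptions for illustration;
only the rules they implement come from the page.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Action Applicability: which global action names are valid on which object
# kind. "*" stands in for the page's "common protected objects" (assumption).
APPLICABILITY = {
    ("publish", "resource:channel"), ("subscribe", "resource:channel"),
    ("execute", "resource:rule"), ("execute", "resource:report"),
    ("read", "*"), ("write", "*"), ("delete", "*"),
    ("manage", "credential"), ("revoke", "credential"),
    ("create", "tenant"), ("manage", "tenant"),
    ("rotate", "signing_key"),
}


@dataclass(frozen=True)
class Obj:
    id: str
    kind: str                          # e.g. "resource:channel", "entity"
    groups: frozenset = frozenset()    # object groups this object belongs to


@dataclass(frozen=True)
class PermissionBlock:
    """The only place where scope, actions, effect and conditions live."""
    scope: frozenset                   # object ids, "group:<object group>", or "*"
    actions: frozenset
    effect: str                        # "allow" or "deny"
    condition: Optional[Callable[[dict], bool]] = None


def applicable(action: str, obj: Obj) -> bool:
    return (action, obj.kind) in APPLICABILITY or (action, "*") in APPLICABILITY


def in_scope(block: PermissionBlock, obj: Obj) -> bool:
    return ("*" in block.scope or obj.id in block.scope
            or any(f"group:{g}" in block.scope for g in obj.groups))


@dataclass
class Authorizer:
    roles: dict = field(default_factory=dict)             # role -> [PermissionBlock]
    role_assignments: dict = field(default_factory=dict)  # principal -> {role}
    direct_policies: dict = field(default_factory=dict)   # principal -> [PermissionBlock]
    principal_groups: dict = field(default_factory=dict)  # group -> {subject}

    def principals(self, subject: str) -> set:
        """The subject plus every principal group that contains it."""
        return {subject} | {g for g, m in self.principal_groups.items() if subject in m}

    def blocks(self, subject: str) -> list:
        """Blocks reach a subject only via role assignments and direct policies;
        group membership on its own contributes nothing."""
        out = []
        for p in self.principals(subject):
            for role in self.role_assignments.get(p, ()):
                out.extend(self.roles.get(role, ()))
            out.extend(self.direct_policies.get(p, ()))
        return out

    def check(self, subject: str, action: str, obj: Obj, ctx: Optional[dict] = None):
        """Can subject perform action on obj? Returns (decision, reason)."""
        if not applicable(action, obj):            # rejected before any block is read
            return "deny", "not applicable"
        decision, reason = "deny", "no matching allow"   # default deny
        for b in self.blocks(subject):
            if action not in b.actions or not in_scope(b, obj):
                continue
            if b.condition is not None and not b.condition(ctx or {}):
                continue
            if b.effect == "deny":
                return "deny", "explicit deny"     # deny overrides allow
            decision, reason = "allow", "matching allow"
        return decision, reason


def build_example() -> Authorizer:
    """Constructed sample data: a meter fleet publishing to a telemetry channel."""
    az = Authorizer()
    az.roles["telemetry-publisher"] = [
        PermissionBlock(frozenset({"group:telemetry-channels"}), frozenset({"publish"}), "allow")]
    az.roles["telemetry-reader"] = [   # conditional allow: only when the request used mTLS
        PermissionBlock(frozenset({"group:telemetry-channels"}), frozenset({"read"}), "allow",
                        condition=lambda ctx: ctx.get("mtls") is True)]
    az.principal_groups["field-meters"] = {"meter-001", "meter-002"}
    az.role_assignments["field-meters"] = {"telemetry-publisher"}
    az.role_assignments["analyst-1"] = {"telemetry-reader"}
    # Direct policy: meter-002 is quarantined with an explicit deny on publish.
    az.direct_policies["meter-002"] = [
        PermissionBlock(frozenset({"*"}), frozenset({"publish"}), "deny")]
    return az


TELEMETRY = Obj("telemetry", "resource:channel", frozenset({"telemetry-channels"}))
GATEWAY = Obj("gateway-7", "entity")

if __name__ == "__main__":
    az = build_example()
    print("meter-001 publish telemetry ->", az.check("meter-001", "publish", TELEMETRY))
    print("meter-002 publish telemetry ->", az.check("meter-002", "publish", TELEMETRY))
    print("meter-001 publish gateway-7 ->", az.check("meter-001", "publish", GATEWAY))
    print("analyst-1 read telemetry    ->", az.check("analyst-1", "read", TELEMETRY, {}))
```

Two points are worth noticing in check. The applicability test runs first and short-circuits, so a request such as publish on an entity never touches permission blocks at all, which is what the page means by "rejected before permission blocks are evaluated". Inside the loop, a matching deny returns immediately while a matching allow only records a provisional decision, so the result is independent of the order in which blocks are collected and a deny from a direct policy beats an allow inherited through a principal group.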
