Atom

Conditions

Attribute checks that narrow when a permission block applies.

Conditions let a permission block apply only when entity, resource, or request context fields match expected values.

They are useful for rules such as:

Allow publish only when the device belongs to Plant-A.
Allow read only when the resource is public.
Deny manage when the request is outside a trusted environment.

Shape

Conditions are a flat JSON object:

{
  "entity.attributes.site": "plant-a",
  "resource.attributes.classification": "public",
  "context.protocol": "mqtt"
}

All fields must match exactly. Empty {} means there are no extra conditions.

Supported Paths

Prefix                   Meaning
entity.attributes.*      Attribute on the subject entity.
resource.attributes.*    Attribute on the protected resource.
context.*                Extra context supplied by the caller.

Example

Permission Block:
  Scope: channels in tenant factory-a
  Actions: publish
  Effect: allow
  Conditions:
    entity.attributes.site = plant-a

If meter-001 has site = plant-a, it can publish. If it has site = plant-b, this block does not match.

Conditions narrow access. They do not grant anything unless the permission block also covers the requested action and object.
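
An added example, not Atom's own code: a small Python evaluator for the flat condition object described above. It runs the meter-001 cases and shows that matching conditions grant nothing when the block does not cover the requested action. The function names, the dictionary layout of the block and resource, and the fail-closed handling of missing attributes and unsupported paths are assumptions.

```python
# Added illustration, not Atom's implementation. Function names, the dict
# layout, and fail-closed handling of missing/unknown paths are assumptions.
_MISSING = object()

def conditions_match(conditions, entity_attrs, resource_attrs, context):
    """True only if every condition path resolves and equals its expected value."""
    sources = {
        "entity.attributes.": entity_attrs,
        "resource.attributes.": resource_attrs,
        "context.": context,
    }
    for path, expected in conditions.items():
        for prefix, values in sources.items():
            if path.startswith(prefix):
                actual = values.get(path[len(prefix):], _MISSING)
                break
        else:
            return False  # assumption: a path outside the three prefixes never matches
        if actual is _MISSING or actual != expected:
            return False  # assumption: a missing attribute is a non-match, not a wildcard
    return True  # an empty {} falls through: no extra conditions

def block_applies(block, action, resource, entity_attrs, context):
    """Conditions only narrow: the action and scope must be covered first."""
    scope = block["scope"]
    covered = (
        action in block["actions"]
        and resource["type"] == scope["type"]
        and resource["tenant"] == scope["tenant"]
    )
    return covered and conditions_match(
        block["conditions"], entity_attrs, resource["attributes"], context
    )

# Constructed sample data mirroring the page's example block.
BLOCK = {
    "scope": {"type": "channel", "tenant": "factory-a"},
    "actions": ["publish"],
    "effect": "allow",
    "conditions": {"entity.attributes.site": "plant-a"},
}
CHANNEL = {"type": "channel", "tenant": "factory-a", "attributes": {}}

if __name__ == "__main__":
    for site in ("plant-a", "plant-b", None):
        attrs = {} if site is None else {"site": site}
        print(site, block_applies(BLOCK, "publish", CHANNEL, attrs, {}))
    print("read", block_applies(BLOCK, "read", CHANNEL, {"site": "plant-a"}, {}))
```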
