Evaluation

How Atom turns an access request into allow or deny.

Runtime services ask Atom:

Can subject S perform action A on object O?

Decision Flow

What this means: Atom loads the subject, the object, the requested action, the subject's roles and groups, its direct policies, and the permission blocks those resolve to. A matching deny wins immediately. If no deny matches, at least one allow must match; otherwise the answer is deny.

Evaluation Rules

  1. The subject must exist and be active.
  2. The target object must exist.
  3. The requested action must be valid for that object kind/type.
  4. Atom expands role assignments from the subject and its principal groups.
  5. Atom also checks direct policies for the subject and its principal groups.
  6. Atom evaluates scope, actions, effect, and conditions.
  7. Deny wins over allow.
  8. No matching allow means denied.

Conditions

Conditions are flat JSON objects of key/value checks. Every key in the object must match for the permission block to apply.

Example:

{
  "entity.attributes.site": "plant-a",
  "resource.attributes.env": "prod"
}

This permission block matches only when the subject and object carry those exact attribute values.
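The evaluation rules above and the flat-condition matching described in this section can be read as one small algorithm. The following is an added example written for this page, not Atom's own code: it implements the deny-overrides flow (subject active, object exists, action valid for the kind, roles and direct policies expanded from the subject and its groups, conditions as exact-match checks, deny beats allow, no allow means deny) over a constructed in-memory data model. The data classes, the `entity.`/`resource.` prefixes used to resolve condition keys, the `scope` field, and all sample subjects, objects, roles and policies are assumptions made for the example, not Atom's real schema.

```python
"""Added example: a deny-overrides authorization evaluator in the shape the page
describes. The data model below is a constructed assumption, not Atom's schema."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    id: str
    active: bool
    attributes: dict
    groups: list        # principal group ids the subject belongs to
    roles: list         # roles assigned directly to the subject
    policies: list      # direct policies attached to the subject


@dataclass
class Obj:
    id: str
    kind: str
    attributes: dict


@dataclass
class PermissionBlock:
    scope: str                       # object kind this block covers ("*" = any)
    actions: set
    effect: str                      # "allow" or "deny"
    conditions: dict = field(default_factory=dict)  # flat key -> exact value


# Constructed sample data ---------------------------------------------------
VALID_ACTIONS = {"device": {"read", "write", "reboot"}, "site": {"read"}}

GROUPS = {"ops-plant-a": {"roles": ["operator"], "policies": []}}

ROLES = {
    # Operators may read/write devices, but only at their own site.
    "operator": [PermissionBlock("device", {"read", "write"}, "allow",
                                 {"entity.attributes.site": "plant-a",
                                  "resource.attributes.site": "plant-a"})],
}

POLICIES = {
    # A direct deny: no writes or reboots on production devices, regardless of role.
    "freeze-prod": [PermissionBlock("device", {"write", "reboot"}, "deny",
                                    {"resource.attributes.env": "prod"})],
}

SUBJECTS = {
    "alice": Subject("alice", True, {"site": "plant-a"}, ["ops-plant-a"], [], ["freeze-prod"]),
    "bob": Subject("bob", False, {"site": "plant-a"}, ["ops-plant-a"], [], []),
}

OBJECTS = {
    "dev-1": Obj("dev-1", "device", {"site": "plant-a", "env": "staging"}),
    "dev-2": Obj("dev-2", "device", {"site": "plant-a", "env": "prod"}),
    "dev-3": Obj("dev-3", "device", {"site": "plant-b", "env": "staging"}),
}


def resolve_attr(path, subject, obj):
    """Resolve a flat condition key such as 'entity.attributes.site' against the
    subject ('entity') or the object ('resource'). Returns None when missing."""
    root, *rest = path.split(".")
    value = {"entity": subject, "resource": obj}.get(root)
    for part in rest:
        if value is None:
            return None
        value = value.get(part) if isinstance(value, dict) else getattr(value, part, None)
    return value


def conditions_match(conditions, subject, obj):
    # All keys must match; an empty condition set matches unconditionally.
    return all(resolve_attr(k, subject, obj) == v for k, v in conditions.items())


def block_matches(block, subject, obj, action):
    return (block.scope in ("*", obj.kind)
            and action in block.actions
            and conditions_match(block.conditions, subject, obj))


def collect_blocks(subject):
    """Expand roles and direct policies from the subject and its principal groups."""
    role_ids, policy_ids = list(subject.roles), list(subject.policies)
    for gid in subject.groups:
        grp = GROUPS.get(gid, {})
        role_ids += grp.get("roles", [])
        policy_ids += grp.get("policies", [])
    blocks = [b for r in role_ids for b in ROLES.get(r, [])]
    blocks += [b for p in policy_ids for b in POLICIES.get(p, [])]
    return blocks


def evaluate(subject, obj, action):
    """Return (decision, reason) for: can subject perform action on obj?"""
    if subject is None or not subject.active:
        return ("deny", "subject missing or inactive")
    if obj is None:
        return ("deny", "object not found")
    if action not in VALID_ACTIONS.get(obj.kind, set()):
        return ("deny", f"action {action!r} not valid for kind {obj.kind!r}")
    matched = [b for b in collect_blocks(subject) if block_matches(b, subject, obj, action)]
    if any(b.effect == "deny" for b in matched):
        return ("deny", "explicit deny matched")      # deny wins over allow
    if any(b.effect == "allow" for b in matched):
        return ("allow", "allow matched and no deny")
    return ("deny", "no matching allow")              # default deny


if __name__ == "__main__":
    for sid, oid, act in [("alice", "dev-1", "write"), ("alice", "dev-2", "write"),
                          ("alice", "dev-3", "read"), ("bob", "dev-1", "read")]:
        print(sid, act, oid, "->", evaluate(SUBJECTS[sid], OBJECTS[oid], act))
```

Note how the explicit deny from the direct policy overrides the role's allow on the production device even though every condition of the allow block is also satisfied, and how an out-of-site device produces a deny with no matching block at all rather than an error. Because the evaluator reads the current `SUBJECTS`, `GROUPS` and `POLICIES` state on every call, flipping `active` or adding a deny block changes the next decision immediately, which is the behaviour the next section describes.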

Why Online Checks Matter

Permissions are not copied into JWTs. Every authorization decision checks current state in the database. If an admin revokes a role, disables a device, or adds a deny rule, the next runtime check sees it immediately.
