Subjects
A subject is any actor that requests access — a user, a service, a device, an IoT sensor, or any other principal.
Properties
| Field | Description |
|---|---|
| id | Unique identifier for the subject |
| name | Human-readable name |
| type | Category (e.g., user, service, device) |
| attributes | Key-value pairs for fine-grained decisions (e.g., department, level) |
Subject types
Subjects are not limited to human users:
- Users — Alice, Bob
- Services — API Gateway, Payment Service
- Devices — IoT Sensor 42, Kiosk Terminal
- Machine accounts — CI/CD Pipeline, Cron Worker
- AI agents — gpt-summarizer, support-agent
Attributes
Subjects can have arbitrary attributes used in ABAC conditions:
{
  "id": "user-123",
  "name": "Alice",
  "type": "user",
  "attributes": {
    "department": "engineering",
    "level": "senior",
    "location": "us-west"
  }
}
Subject attribute definitions (Schema)
You can define expected attribute schemas for subjects under Schema → Subject Attributes in the console. Attribute definitions specify:
- Key — The attribute name (e.g., department)
- Type — string, number, boolean, or string[]
- Description — Human-readable explanation
Attribute definitions are advisory — they help the console auto-suggest attributes when building conditions and validate data entry, but they don't block subject creation if an attribute is missing.
The Schema page also shows observed attributes — attributes that exist on subjects in your tenant but don't have a formal definition yet. You can promote observed attributes to defined attributes with one click.
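Because definitions are advisory, subjects can exist without an attribute that a definition expects, so it is worth auditing subject records before relying on those attributes in conditions. The following is an added example, not the product's own code or API: the function names, the `clearance` attribute and the sample records are constructed. It checks subject JSON against definitions using the four types listed above and reports missing, mistyped and observed attributes.

```python
# Added example: audits subject records against advisory attribute definitions.
# Function names and sample data are constructed for illustration only.

# Type checks for the four definition types listed on this page.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    # bool is a subclass of int in Python, so exclude it explicitly.
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "string[]": lambda v: isinstance(v, list) and all(isinstance(i, str) for i in v),
}


def audit_subject(subject, definitions):
    """Return (missing, mistyped, observed) attribute keys for one subject.

    definitions maps attribute key -> one of the TYPE_CHECKS type names.
    """
    attrs = subject.get("attributes", {})
    missing = sorted(k for k in definitions if k not in attrs)
    mistyped = sorted(
        k for k, t in definitions.items()
        if k in attrs and not TYPE_CHECKS[t](attrs[k])
    )
    # Observed: present on the subject but without a formal definition.
    observed = sorted(k for k in attrs if k not in definitions)
    return missing, mistyped, observed


def audit_tenant(subjects, definitions):
    """Map subject id -> findings, omitting subjects with nothing to report."""
    report = {}
    for s in subjects:
        missing, mistyped, observed = audit_subject(s, definitions)
        if missing or mistyped or observed:
            report[s["id"]] = {"missing": missing, "mistyped": mistyped, "observed": observed}
    return report


# Constructed sample definitions and subjects (not exported from any real tenant).
DEFINITIONS = {"department": "string", "level": "string", "clearance": "number"}
SUBJECTS = [
    {"id": "user-123", "name": "Alice", "type": "user",
     "attributes": {"department": "engineering", "level": "senior", "clearance": 3}},
    {"id": "svc-7", "name": "Payment Service", "type": "service",
     "attributes": {"department": "finance", "clearance": "3", "location": "us-west"}},
]

if __name__ == "__main__":
    for sid, findings in audit_tenant(SUBJECTS, DEFINITIONS).items():
        print(sid, findings)
```

In the sample, `svc-7` is flagged three ways: `level` is missing, `clearance` is a string rather than a number, and `location` is an observed attribute with no definition.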
Subjects and access
Subjects can gain access through four paths:
- Direct — A policy is assigned directly to the subject.
- Role-based — The subject has a role, and the role has policies.
- Group-based — The subject is in a group, and the group has policies.
- Attribute-based — A policy has ABAC conditions that match the subject's attributes.
See Access Paths for details.
Subjects across applications
A subject can belong to multiple applications. Roles and group memberships are per-application — Alice might be an editor in the CRM application and a viewer in the Analytics application.
Related
- ABAC Conditions — Using subject attributes in policy conditions.
- Roles — Assigning roles to subjects.
- Groups — Organizing subjects into groups.