Subjects
A subject is any actor that requests access — a user, a service, a device, an IoT sensor, or any other principal.
Properties
| Field | Description |
|---|---|
| id | Unique identifier for the subject |
| name | Human-readable name |
| type | Category (e.g., user, service, device) |
| attributes | Key-value pairs for fine-grained decisions (e.g., department, level) |
Subject types
Subjects are not limited to human users:
- Users — Alice, Bob
- Services — API Gateway, Payment Service
- Devices — IoT Sensor 42, Kiosk Terminal
- Machine accounts — CI/CD Pipeline, Cron Worker
Attributes
Subjects can have arbitrary attributes used in policy conditions:
```json
{
  "id": "user-123",
  "name": "Alice",
  "type": "user",
  "attributes": {
    "department": "engineering",
    "level": "senior",
    "location": "us-west"
  }
}
```
Subjects and access
Subjects can gain access through three paths:
- Direct — A policy is assigned directly to the subject.
- Role-based — The subject has a role, and the role has policies.
- Group-based — The subject is in a group, and the group has policies.
See Access Paths for details.
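The following is an added example, not code from this product: it resolves a subject's effective policies across the three paths above and records which path grants each one, which is what an access review needs before revoking anything. The subject records use the fields described on this page; the assignment tables, policy names, role names and group names are hypothetical, constructed sample data.

```python
from collections import defaultdict

# Constructed sample data. The subject records follow the page's fields;
# the assignment tables below are hypothetical, not the product's schema.
SUBJECTS = {
    "user-123": {"id": "user-123", "name": "Alice", "type": "user",
                 "attributes": {"department": "engineering", "level": "senior"}},
    "svc-7": {"id": "svc-7", "name": "Payment Service", "type": "service",
              "attributes": {}},
}
DIRECT = {"user-123": ["read-docs"]}                  # subject -> policies
SUBJECT_ROLES = {"user-123": ["developer"], "svc-7": ["payments"]}
ROLE_POLICIES = {"developer": ["deploy-staging", "read-docs"],
                 "payments": ["charge-card"]}
SUBJECT_GROUPS = {"user-123": ["platform-team"]}
GROUP_POLICIES = {"platform-team": ["read-metrics"]}


def effective_policies(subject_id):
    """Return {policy: sorted list of paths that grant it} for one subject."""
    if subject_id not in SUBJECTS:
        raise KeyError(f"unknown subject: {subject_id}")
    grants = defaultdict(set)
    for policy in DIRECT.get(subject_id, []):
        grants[policy].add("direct")
    for role in SUBJECT_ROLES.get(subject_id, []):
        for policy in ROLE_POLICIES.get(role, []):
            grants[policy].add(f"role:{role}")
    for group in SUBJECT_GROUPS.get(subject_id, []):
        for policy in GROUP_POLICIES.get(group, []):
            grants[policy].add(f"group:{group}")
    return {policy: sorted(paths) for policy, paths in grants.items()}


def redundant_grants(subject_id):
    """Policies reachable by more than one path. Removing a single path
    does not revoke them, which matters during access reviews."""
    return {p: paths for p, paths in effective_policies(subject_id).items()
            if len(paths) > 1}


if __name__ == "__main__":
    for sid in SUBJECTS:
        print(sid, effective_policies(sid), redundant_grants(sid))
```

In this sample, Alice holds `read-docs` both directly and through the `developer` role, so removing the direct assignment alone would leave her access unchanged.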