Atom

Permission Blocks

Reusable scope, effect, action, and condition sets — the core building block of Atom's access model.

Permission Blocks (/permission-blocks) are Atom's central authorization primitive: a named combination of where (scope), what (actions), allow or deny (effect), and optionally under what conditions (ABAC). Roles attach one or more permission blocks to make them assignable; Direct Policies attach a single permission block straight to one subject. See Access Control for the full conceptual model.

Permission Blocks table

Columns: Tenant, Scope, Object kind, Object type, Object ID, Group, Effect, Actions, Created, Updated. Atom seeds four platform/tenant-admin blocks (visible under Platform tenant scope and the acme-corp-style tenant-admin blocks created when a tenant is provisioned).

Permission Blocks list

Create a permission block

Click + Create.

Create button highlighted on the permission blocks list

This is a 5-step wizard: Boundary, Scope, Actions, Conditions, Review.

Step 1 — Boundary

  • Tenant boundaryPlatform (visible everywhere) or a specific tenant. Non-platform blocks must belong to one tenant.
  • Effectallow or deny. A matching deny always overrides a matching allow — Atom is deny-by-default and deny-overrides-allow.

Boundary step

Step 2 — Scope

Scope mode determines what the block applies to. All nine modes:

Scope modeApplies to
Tenant itselfThe selected tenant/domain object.
All objects of a kindEvery object of a kind (for example every resource) in the tenant.
All objects of a typeEvery object of a specific type (for example every resource:channel) in the tenant.
Exact objectOne specific entity, resource, group, tenant, role, or policy, by ID.
Object group itselfThe object group record, not its contents.
Direct objects in object groupEntities/resources directly inside the group.
Objects in subgroupsEntities/resources inside child or deeper groups only.
Direct child object groupsImmediate child groups themselves.
Descendant object groupsChild or deeper group records themselves.

Scope mode dropdown options

Picking Exact object reveals Object kind (Entity, Resource, Object group, Tenant, Role, Policy, Credential, Audit log, or Signing key) and, for most kinds, an Object type free-text field (namespaced, e.g. resource:invoice) plus the Exact object ID (paste the target's UUID — see each object's Inspect view to copy it).

Scope step filled in for an exact resource

Step 3 — Actions

Check every action this block should grant (or deny). The list is filtered to actions with an Action Applicability row matching the object kind/type you selected in Step 2 — if an action you expect is missing, add its applicability row first.

Actions step

Step 4 — Conditions

Optional ABAC conditions as a JSON object. Leave {} for an unconditional grant. See ABAC for the condition schema.

Conditions step

Step 5 — Review

A summary of every field before you commit: TENANT_ID, SCOPE_MODE, OBJECT_KIND, OBJECT_TYPE, OBJECT_ID, GROUP_ID, EFFECT, ACTIONS, CONDITIONS.

Review step

Click Create permission block.

Row actions

  • Inspect — view the full record.
  • Delete — remove the block. Any role or direct policy still referencing it will lose that grant.

Inspect

Shows every field from the wizard as read-only fields, plus the resolved ACTIONS array with each action's own ID.

Permission block inspect view

Where permission blocks are used

  • Roles attach one or more permission blocks, so a single role can carry several distinct grants.
  • Direct Policies attach exactly one permission block to exactly one subject — a narrower, more auditable shortcut than assigning a full role.
  • The Authorization debugger's decision explanation shows the exact permission block(s) that were matched or skipped for a given request.

On this page