Subjects
A subject is any actor that requests access — a user, a service, an AI agent, a device, or any other principal.
Subject types
Subjects are not limited to human users:
- Users —
Alice,Bob - Services —
API Gateway,Payment Service - Devices —
IoT Sensor 42,Kiosk Terminal - Machine accounts —
CI/CD Pipeline,Cron Worker - AI agents —
gpt-summarizer,support-agent
Attributes
Subjects can have arbitrary attributes used in ABAC conditions:
{
"name": "Alice",
"type": "user",
"external_id": "user-123",
"attributes": {
"department": "engineering",
"level": "senior",
"location": "us-west"
}
}
Subject attribute definitions (Schema)
You can define expected attribute schemas for subjects under Schema → Subject Attributes in the console. Attribute definitions specify:
- Key — The attribute name (e.g.,
department) - Type —
string,number,boolean, orstring[] - Description — Human-readable explanation
Attribute definitions are advisory — they help the console auto-suggest attributes when building conditions and validate data entry, but they don't block subject creation if an attribute is missing.
The Schema page also shows observed attributes — attributes that exist on subjects in your tenant but don't have a formal definition yet. You can promote observed attributes to defined attributes with one click.
Subjects and access
Subjects can gain access through four paths:
- Direct — A policy is assigned directly to the subject.
- Role-based — The subject has a role, and the role has policies.
- Attribute-based — A policy has ABAC conditions that match the subject's attributes.
See Access Paths for details.
Related
- ABAC Conditions — Using subject attributes in policy conditions.
- Roles — Assigning roles to subjects.