Skip to main content

Subjects

A subject is any actor that requests access — a user, a service, an AI agent, a device, or any other principal.

Subject types

Subjects are not limited to human users:

  • UsersAlice, Bob
  • ServicesAPI Gateway, Payment Service
  • DevicesIoT Sensor 42, Kiosk Terminal
  • Machine accountsCI/CD Pipeline, Cron Worker
  • AI agentsgpt-summarizer, support-agent

Attributes

Subjects can have arbitrary attributes used in ABAC conditions:

{
"name": "Alice",
"type": "user",
"external_id": "user-123",
"attributes": {
"department": "engineering",
"level": "senior",
"location": "us-west"
}
}

Subject attribute definitions (Schema)

You can define expected attribute schemas for subjects under Schema → Subject Attributes in the console. Attribute definitions specify:

  • Key — The attribute name (e.g., department)
  • Typestring, number, boolean, or string[]
  • Description — Human-readable explanation

Attribute definitions are advisory — they help the console auto-suggest attributes when building conditions and validate data entry, but they don't block subject creation if an attribute is missing.

The Schema page also shows observed attributes — attributes that exist on subjects in your tenant but don't have a formal definition yet. You can promote observed attributes to defined attributes with one click.

Subjects and access

Subjects can gain access through four paths:

  1. Direct — A policy is assigned directly to the subject.
  2. Role-based — The subject has a role, and the role has policies.
  3. Attribute-based — A policy has ABAC conditions that match the subject's attributes.

See Access Paths for details.

  • ABAC Conditions — Using subject attributes in policy conditions.
  • Roles — Assigning roles to subjects.