Act Permissions

Act Permissions are facts that govern whether a calling agent has a valid combination of Login and Delegate.

Permission Basics

By default, the Delegate and Login part of the calling agent must be the same. For some other login to be a Delegate, an Act permission must exist allowing that other login to act on behalf of the login.

Example:

POST /permission {
    "targetNodeId": "00000000FCDF978BA9BFAE5D1DEC365B59A249A6B01E3987",
    "policy": {
        "effect": "Allow",
        "granteeId": "00000000301D1F22157CE46BAAB422C13F0F368218027D50",
        "actions": ["Act"]
    }
}

sets a permission on target node having id "00000000FCDF978BA9BFAE5D1DEC365B59A249A6B01E3987". The permission allows the login with id "00000000301D1F22157CE46BAAB422C13F0F368218027D50" to be used as a Delegate in an agent where the target node id is the Login part of the agent.

The login part of the agent making the permission call must match the the targetNodeId. That is, only logins can set Act permissions on themselves.

Permission Policy Properties

Property Optional Description
effect false Whether to allow or deny permission
actions false The kind of actions the permission is addressing. The value must be Act for act permissions
granteeId true The group, login or entity requesting permission

Permission Effect

Effect Description
Allow Allow the given action
Deny Deny the given action

Permission Checking of the FacternAgent

For any API call, the calling agent is validated. The Login and Delegate parts of the agent must be identical or there must exist an Act permission from the Delegate to the Login.