Primitive
access.grant
BETA
Short name: grant
Version: 1.0.0
Issue an access grant on a record (atom/verb/lexeme/pixel). The grant widens access for actors matching its rule. Caller must be able to manage the subject.
Inputs
| Key | Type | Required | Description |
|---|---|---|---|
| action | string | true | Action the grant authorizes. |
| effect | string | false | 'allow' (default) widens access; 'deny' overrides everything for matching actors, including owner and admin. |
| expiresAt | string | false | ISO 8601 expiration. Omit for no expiry. |
| fieldTag | string | false | Only for action 'field.read': the ACL tag this grant unlocks ('*' for all tagged fields). |
| public | boolean | false | Required opt-in to issue an ALLOW grant with no rule (grant the action to EVERYONE). Without a rule and without public:true, the grant is rejected so 'public' is never an accident. |
| purpose | string | false | Free-text purpose, carried into the audit trail. |
| rule | object | false | Matcher predicate over the access context (e.g. {"actor.userId":"..."} or {"actor.role":"..."}). Omit only for a deliberate public grant (see `public`). |
| subjectId | objectId | true | Id of the record the grant governs. |
| subjectType | string | true | Kind of record the grant governs. |
Outputs
| Key | Type | Required | Description |
|---|---|---|---|
| grant | object | false | Summary of the created grant: { id, subjectType, subjectId, action }. |
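
The constraints in the Inputs table can be checked client-side before a grant is submitted. This is an added example, not the project's own code: `lint_grant`, its message strings, the placeholder sample values, and the handling of an empty rule and of naive timestamps are assumptions.

```python
from datetime import datetime, timezone

REQUIRED = ("action", "subjectId", "subjectType")

def lint_grant(inputs, now=None):
    """Hypothetical helper: return (errors, warnings) for access.grant inputs.
    errors contradict the documented input contract; warnings are valid but risky."""
    now = now or datetime.now(timezone.utc)
    errors, warnings = [], []
    for key in REQUIRED:
        if not inputs.get(key):
            errors.append(f"missing required input: {key}")
    effect = inputs.get("effect", "allow")  # 'allow' is the documented default
    if effect not in ("allow", "deny"):
        errors.append("effect must be 'allow' or 'deny'")
    has_rule = bool(inputs.get("rule"))  # assumption: {} is treated as no rule
    if effect == "allow" and not has_rule:
        if inputs.get("public") is True:
            warnings.append("public grant: action is granted to everyone")
        else:
            errors.append("allow grant with no rule requires public: true")
    if effect == "deny":
        warnings.append("deny overrides owner and admin for matching actors")
    if "fieldTag" in inputs and inputs.get("action") != "field.read":
        errors.append("fieldTag only applies to action 'field.read'")
    elif inputs.get("fieldTag") == "*":
        warnings.append("fieldTag '*' unlocks all tagged fields")
    expires = inputs.get("expiresAt")
    if expires is None:
        warnings.append("no expiresAt: grant never expires")
    else:
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
            if when.tzinfo is None:  # assumption: naive timestamps are UTC
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                warnings.append("expiresAt is already in the past")
        except (AttributeError, ValueError):
            errors.append("expiresAt is not an ISO 8601 string")
    if not inputs.get("purpose"):
        warnings.append("no purpose: audit trail entry will carry no reason")
    return errors, warnings

# Constructed sample input; the id is a placeholder.
SAMPLE = {"action": "field.read", "fieldTag": "*", "subjectType": "atom",
          "subjectId": "EXAMPLE_SUBJECT_ID", "effect": "allow"}

if __name__ == "__main__":
    print(lint_grant(SAMPLE))
```

Warnings are review prompts for the person issuing the grant; they say nothing about whether the service itself accepts or rejects the request.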