Authorization & access control
Roles, permissions, policies, and relationship-based access in one model.
Raytio Authorization combines role-based permissions, relationship-based access, policy exceptions, and menu visibility into one data-driven model that determines what a user can do, which records they can reach, and what the interface shows them - for humans, integrations and AI agents alike, inside a single tenant boundary.
Capabilities
Roles form a directed acyclic graph; a child role inherits everything its ancestors allow, transitively.
Role assignments carry all-records or own-records scope. This separates internal staff from external users, who see only what they own or what is shared with them.
Rule-based exceptions on top of roles, with forbid taking precedence over permit.
Access is expressed as subject-relation-object tuples, composed with union, intersection and difference. Ownership, membership, sharing and inheritance are resolved recursively.
Tuples can carry typed conditions - a valid time window, an allowed IP range - evaluated at check time.
Menus assigned to roles keep the interface consistent with permissions - users don't see actions they cannot perform.
Assigning a user to a role or creating a record automatically maintains the corresponding membership and ownership relationships.
Notable details
Relationship checks run in batches so list and search screens filter accessible records efficiently.
Roles, permissions, policies and menus are stored as data and customisable without code changes.
Part of Operate · Read the documentation →
Verified customers, protected data, and agents you can hold to account.