Skip to main content

Authorization & access control

Roles, permissions, policies, and relationship-based access in one model.

Raytio Authorization combines role-based permissions, relationship-based access, policy exceptions, and menu visibility into one data-driven model that determines what a user can do, which records they can reach, and what the interface shows them - for humans, integrations and AI agents alike, inside a single tenant boundary.

Capabilities

Typed role hierarchy

Roles form a directed acyclic graph; a child role inherits everything its ancestors allow, transitively.

Scoped permissions

Role assignments carry all-records or own-records scope. This separates internal staff from external users, who see only what they own or what is shared with them.

Permit and forbid policies

Rule-based exceptions on top of roles, with forbid taking precedence over permit.

Relationship-based access

Access is expressed as subject-relation-object tuples, composed with union, intersection and difference. Ownership, membership, sharing and inheritance are resolved recursively.

Attribute conditions

Tuples can carry typed conditions - a valid time window, an allowed IP range - evaluated at check time.

Role menus for UI visibility

Menus assigned to roles keep the interface consistent with permissions - users don't see actions they cannot perform.

Automatic relationship sync

Assigning a user to a role or creating a record automatically maintains the corresponding membership and ownership relationships.

Notable details

Batch evaluation

Relationship checks run in batches so list and search screens filter accessible records efficiently.

Data-driven

Roles, permissions, policies and menus are stored as data and customisable without code changes.

Part of Operate · Read the documentation →

Verified customers, protected data, and agents you can hold to account.