Permission Model
Permissions as verifiable claims
Permissions in Soulverse are expressed as verifiable claims about what an identity is authorized to do. These claims are issued by entities with the authority to grant such permissions.
A permission specifies an action or set of actions, the conditions under which those actions are authorized, and any constraints on execution. Permissions can be scoped to specific contexts, resources, or time periods.
Permission granularity
Permissions can be broad or specific depending on requirements. Coarse-grained permissions authorize general categories of actions. Fine-grained permissions specify precise operations with detailed conditions.
The appropriate level of granularity depends on the use case and the trust relationship between the permission granter and holder. Systems interpret permissions according to their specific requirements.
Delegation
Permission holders can delegate their permissions to other identities when authorized to do so. Delegation creates a verifiable chain showing the original permission grant and subsequent delegations.
Delegation can be constrained in various ways. The original permission may limit whether delegation is allowed, how many delegation levels are permitted, or what subset of permissions can be delegated.
Systems verify the complete delegation chain when evaluating whether a delegated permission is valid. Each step in the chain must satisfy the constraints of the previous step.
Conditional permissions
Permissions can include conditions that must be satisfied for the permission to be valid. Conditions can reference the current time, the state of other systems, or additional credentials that must be presented.
Complex conditions can be expressed through policy languages that support logical operators and references to external data sources. Systems evaluate conditions at the time of verification.
Time-based conditions allow permissions to be valid only during specific periods or to expire after a certain duration. State-based conditions link permission validity to external factors.
Permission verification
Verifying a permission confirms that it was issued by an authorized granter, has not been revoked, and that all conditions are currently satisfied. Verification also checks that the permission is being invoked within its defined scope.
The verifier must determine whether the permission granter had authority to grant the specific permission. This may involve checking the granter's own credentials and permissions.
For delegated permissions, verification includes checking each step in the delegation chain to ensure that delegation was authorized at each level.
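The delegation constraints and the chain check described above, as an added Python example that is not Soulverse code: the `Grant` record, its field names and `verify_chain` are hypothetical, and each grant's signature is assumed to have been verified already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:                  # hypothetical record, not a Soulverse format
    id: str
    issuer: str               # identity that granted or delegated
    holder: str               # identity that received the permission
    actions: frozenset        # actions this grant authorizes
    not_after: int            # expiry, Unix seconds
    max_delegations: int      # delegation levels still allowed below this grant

def verify_chain(chain, root_authority, action, invoker, now, revoked=frozenset()):
    """Return (ok, reason). chain[0] is the original grant, chain[-1] the one invoked."""
    if not chain:
        return False, "empty chain"
    if chain[0].issuer != root_authority:
        return False, "root grant not issued by trusted authority"
    prev = None
    for g in chain:
        if g.id in revoked:
            return False, f"{g.id} revoked"
        if now > g.not_after:
            return False, f"{g.id} expired"
        if prev is not None:  # each step must satisfy the previous step's constraints
            if g.issuer != prev.holder:
                return False, f"{g.id} issuer is not holder of {prev.id}"
            if prev.max_delegations < 1:
                return False, f"{prev.id} does not allow delegation"
            if g.max_delegations > prev.max_delegations - 1:
                return False, f"{g.id} exceeds delegation depth"
            if not g.actions <= prev.actions:
                return False, f"{g.id} widens scope"
        prev = g
    if prev.holder != invoker:
        return False, "invoker is not final holder"
    if action not in prev.actions:
        return False, "action outside scope"
    return True, "ok"

# Constructed sample chain: authority -> alice -> bob (-> carol, not permitted)
ROOT = Grant("g1", "authority", "alice", frozenset({"read", "write"}), 2000, 1)
D1 = Grant("g2", "alice", "bob", frozenset({"read"}), 2000, 0)
D2 = Grant("g3", "bob", "carol", frozenset({"read"}), 2000, 0)

if __name__ == "__main__":
    print(verify_chain([ROOT, D1], "authority", "read", "bob", now=1000))
    print(verify_chain([ROOT, D1, D2], "authority", "read", "carol", now=1000))
```

Revoking or expiring any link, including the original grant, invalidates everything delegated below it, because every grant in the chain is checked on each verification.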
Permission composition
Multiple permissions can be required for a single action. Permission composition defines how different permissions combine to authorize complex operations.
Composition rules specify whether all permissions must be satisfied or whether any single permission is sufficient. More complex composition rules can require specific combinations of permissions.
Systems define their own composition requirements based on their authorization models. Verification confirms that presented permissions satisfy the composition rules for the requested action.
Revocation and updates
Permission granters can revoke permissions when authorization is withdrawn. Revocation must be verifiable by any system that relies on the permission.
Permissions can also be updated to modify their scope or conditions. Updates create a new version of the permission while invalidating the previous version.
The permission model supports both immediate revocation and scheduled revocation where permission validity ends at a predetermined time.
Integration with execution
Verified permissions provide the authorization basis for execution. Systems check permissions before performing actions and record which permissions were verified.
The connection between permission verification and execution creates an audit trail showing what was authorized and what was performed. This supports accountability without requiring centralized record-keeping.
Systems remain responsible for their own enforcement decisions. Permission verification indicates authorization; systems determine whether to proceed with execution based on their own policies and risk assessment.