IAM Permission APIs

This reference covers Eden's explicit control-plane, shared data-plane, and
access helper APIs.

Overview

Eden now enforces control-plane authorization with explicit permission bits
rather than the old hierarchical Read / Write / Admin / SuperAdmin runtime
tiers. Each bit is independent: holding one bit never implies another.

Bit  Name       Purpose
R    Read       View configuration and resource metadata
C    Configure  Edit configuration and draft policies
P    Promote    Activate or roll back versioned changes
G    Grant      View and manage permission assignments
D    Destroy    Perform irreversible destructive actions
A    Audit      View audit-oriented records and history

To grant permissions to another subject, the caller must already hold G
plus every bit they are trying to grant. A caller can therefore never hand
out a bit they do not hold themselves.

Endpoint Access

Get the authenticated caller's resolved control-plane and data-plane access
for one endpoint.

http
GET /api/v1/iam/access/endpoints/{endpoint}
Authorization: Bearer <token>

Example

bash
curl http://{host}:8000/api/v1/iam/access/endpoints/production_db \
  -H "Authorization: Bearer $TOKEN"

Response

json
{
  "status": "success",
  "data": {
    "control_plane": {
      "organization_perms": "RG",
      "endpoint_perms": "RCPA"
    },
    "data_plane": {
      "mode": "shared_rbac",
      "shared_perms": "r",
      "els_assignment": null
    }
  }
}

Control Plane

List Endpoint Subjects

List the explicit control-plane grants on an endpoint.

http
GET /api/v1/iam/control/endpoints/{endpoint}
Authorization: Bearer <token>

This route requires G.

Set Endpoint Control-Plane Permissions

Set one subject's exact explicit non-empty control-plane bits on an endpoint.
The request replaces the subject's existing grant rather than adding to it.
Use DELETE to revoke the grant; an empty perms string is not accepted.

http
PUT /api/v1/iam/control/endpoints/{endpoint}/subjects/{subject}
Content-Type: application/json
Authorization: Bearer <token>

Request Body

json
{
  "perms": "RCPA"
}

This route requires G | granted_bits, i.e. G together with every bit in
perms. The `|` in these requirement lines is a bitwise OR over the required
bits: all of them must be held, not any one of them.

Revoke One Endpoint Control-Plane Subject

http
DELETE /api/v1/iam/control/endpoints/{endpoint}/subjects/{subject}
Authorization: Bearer <token>

This route requires G | current_subject_bits: G plus every bit the subject
currently holds, so a caller cannot revoke a grant that exceeds their own.

Delete All Endpoint Grants

http
DELETE /api/v1/iam/control/endpoints/{endpoint}
Authorization: Bearer <token>

This route requires G | D (both bits).
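The grant rule from the Overview and the requirement lines on the endpoint control-plane routes above (G | granted_bits, G | current_subject_bits, G | D) are easy to get wrong on the client side, so here is a small preflight model of them. This is an added example, not Eden's own code: it validates a perms string against the six bits in the table, computes which required bits a caller is missing, and only then plans the PUT or DELETE request (returned as a method/url/json dict rather than sent, so it runs offline). The same rules apply to the organization routes below. BASE_URL, the subject names and the caller's bit strings are constructed for the example.

```python
"""Client-side preflight for Eden's control-plane permission bitset.

Added example, not Eden's code. Rules encoded from the page:
  * perms strings use only the bits R C P G D A and must be non-empty;
  * setting a subject's bits needs G plus every bit being granted;
  * revoking a subject needs G plus every bit the subject currently holds;
  * deleting all grants on an endpoint needs G and D.
BASE_URL is an assumption taken from the page's curl placeholder.
"""
from __future__ import annotations

CONTROL_BITS = "RCPGDA"          # table order on this page
BASE_URL = "http://{host}:8000"  # assumed placeholder host


def parse_bits(perms: str, allow_empty: bool = False) -> frozenset[str]:
    """Validate a perms string such as "RCPA" and return it as a set of bits."""
    if not perms and not allow_empty:
        raise ValueError("perms must be non-empty (use DELETE to revoke a grant)")
    unknown = set(perms) - set(CONTROL_BITS)
    if unknown:
        raise ValueError(f"unknown permission bit(s): {''.join(sorted(unknown))}")
    return frozenset(perms)


def canonical(bits: frozenset[str]) -> str:
    """Render a bit set in the table's R C P G D A order."""
    return "".join(b for b in CONTROL_BITS if b in bits)


def missing_bits(caller_perms: str, required: frozenset[str]) -> str:
    """Required bits the caller does not hold; '' means the caller is authorized."""
    return canonical(required - parse_bits(caller_perms, allow_empty=True))


def plan_set_perms(caller_perms: str, endpoint: str, subject: str, perms: str) -> dict:
    """PUT .../subjects/{subject}: requires G | granted_bits."""
    granted = parse_bits(perms)
    lacking = missing_bits(caller_perms, granted | {"G"})
    if lacking:
        raise PermissionError(f"caller lacks {lacking}; cannot grant {canonical(granted)}")
    return {
        "method": "PUT",
        "url": f"{BASE_URL}/api/v1/iam/control/endpoints/{endpoint}/subjects/{subject}",
        "json": {"perms": canonical(granted)},
    }


def plan_revoke_subject(caller_perms: str, endpoint: str, subject: str,
                        current_subject_perms: str) -> dict:
    """DELETE .../subjects/{subject}: requires G | current_subject_bits."""
    held = parse_bits(current_subject_perms)
    lacking = missing_bits(caller_perms, held | {"G"})
    if lacking:
        raise PermissionError(f"caller lacks {lacking}; subject holds {canonical(held)}")
    return {
        "method": "DELETE",
        "url": f"{BASE_URL}/api/v1/iam/control/endpoints/{endpoint}/subjects/{subject}",
    }


def plan_delete_all(caller_perms: str, endpoint: str) -> dict:
    """DELETE .../endpoints/{endpoint}: requires G | D."""
    lacking = missing_bits(caller_perms, frozenset("GD"))
    if lacking:
        raise PermissionError(f"caller lacks {lacking}; cannot delete all grants")
    return {"method": "DELETE", "url": f"{BASE_URL}/api/v1/iam/control/endpoints/{endpoint}"}


if __name__ == "__main__":
    # Constructed scenario: the caller holds RCPG on production_db, so it can
    # hand out any subset of RCP, but cannot grant A, revoke a subject that
    # holds A, or wipe the endpoint's grants without D.
    print(plan_set_perms("RCPG", "production_db", "alice", "CR"))
    for attempt in (lambda: plan_set_perms("RCPG", "production_db", "bob", "RCPA"),
                    lambda: plan_revoke_subject("RCPG", "production_db", "carol", "RCPA"),
                    lambda: plan_delete_all("RCPG", "production_db")):
        try:
            attempt()
        except PermissionError as exc:
            print("denied:", exc)
```

The server enforces these checks regardless; the point of doing them client-side is to fail before the request leaves with a precise message about which bit is missing, and to normalize the perms string to the table's order so that audit logs and diffs compare cleanly.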

Shared Data Plane

List Endpoint Shared Runtime Grants

http
GET /api/v1/iam/data/endpoints/{endpoint}
Authorization: Bearer <token>

This route requires G.

Set Endpoint Shared Runtime Permissions

Set one subject's exact non-empty shared runtime bits on an endpoint. The
request replaces the subject's existing shared grant rather than adding to it.
Use DELETE to revoke the grant.

http
PUT /api/v1/iam/data/endpoints/{endpoint}/subjects/{subject}
Content-Type: application/json
Authorization: Bearer <token>

Request Body

json
{
  "perms": "rw"
}

This route requires G.

Organization Control Plane

List Organization Subjects

http
GET /api/v1/iam/control/organizations
Authorization: Bearer <token>

This route requires G.

Set Organization Permissions

Set one subject's exact non-empty organization control-plane bits. The
request replaces the subject's existing grant rather than adding to it.

Use DELETE to revoke the grant.

http
PUT /api/v1/iam/control/organizations/subjects/{subject}
Content-Type: application/json
Authorization: Bearer <token>

Request Body

json
{
  "perms": "RG"
}

This route requires G | granted_bits: G together with every bit in perms.

Revoke One Organization Subject

http
DELETE /api/v1/iam/control/organizations/subjects/{subject}
Authorization: Bearer <token>

This route requires G | current_subject_bits: G plus every bit the subject
currently holds.

Delete All Organization Grants

http
DELETE /api/v1/iam/control/organizations
Authorization: Bearer <token>

This route requires G | D (both bits).

Subject Views

List a Subject's Endpoint Grants

http
GET /api/v1/iam/control/subjects/{subject}/endpoints
Authorization: Bearer <token>

List a Subject's Organization Grants

http
GET /api/v1/iam/control/subjects/{subject}/organizations
Authorization: Bearer <token>

List a Subject's Template Grants

http
GET /api/v1/iam/control/subjects/{subject}/templates
Authorization: Bearer <token>

List a Subject's Workflow Grants

http
GET /api/v1/iam/control/subjects/{subject}/workflows
Authorization: Bearer <token>

These routes require G.

Notes

  • Control-plane permissions are independent from data-plane r/w/x access.
  • Endpoint-Level Security (ELS) affects runtime credential isolation, not
    these RBAC APIs.
  • Older compatibility surfaces may still display a derived label like
    Read or Admin, but the authoritative API model is the bitset above.

Last updated: October 20, 2018