Humans

Humans in Eden are organization-scoped IAM accounts. Human metadata lives on the account record, and organization access is expressed with exact control-plane permission bits in the perms field.

Permission Bits

perms is an ordered string made from these control-plane bits:

Bit  Meaning
R    Read configuration and metadata
C    Configure resources and draft changes
P    Promote or roll back versioned changes
G    Grant or revoke permissions
D    Perform destructive or irreversible operations
A    View audit history and decision records

Examples:

  • R = read-only configuration access
  • RCA = read + configure + audit
  • RCPGA = broad admin-style access without destroy
  • RCPGDA = full control-plane access

Create a Human

POST /api/v1/iam/humans

bash
curl -X POST http://localhost:8080/api/v1/iam/humans \
  -u admin:password \
  -H "Content-Type: application/json" \
  -d '{
    "username": "jane.doe",
    "password": "SecurePassword123!",
    "description": "Application developer",
    "email": "jane@company.com",
    "display_name": "Jane Doe",
    "perms": "RCA"
  }'

Fields:

Field         Required  Description
username      Yes       Human login name
password      Yes       Initial password
description   No        Free-form notes
email         No        Email address
display_name  No        Friendly display name
perms         No        Exact organization control-plane permission bits. Defaults to R.

The caller must already hold G plus every bit being granted.

Get a Human

GET /api/v1/iam/humans/{username}

bash
curl http://localhost:8080/api/v1/iam/humans/jane.doe \
  -u admin:password

Update a Human

PATCH /api/v1/iam/humans/{username}

bash
curl -X PATCH http://localhost:8080/api/v1/iam/humans/jane.doe \
  -u admin:password \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "Jane D.",
    "description": "Staff engineer",
    "bio": "Owns the API platform.",
    "perms": "RCPGA"
  }'

Patchable fields:

Field         Effect
username      Rename the human
password      Replace the password
description   Update free-form notes
email         Update email
display_name  Update friendly name
bio           Update profile bio
perms         Replace the exact organization permission-bit set

Rules:

  • Humans can update their own profile metadata.
  • Updating another human requires current organization C.
  • Changing another human's permissions requires G plus the target's current bits and the new bits being assigned.
  • Changing another human's password requires D.
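
The grant rule for creating a human and the rule for changing another human's permissions can be checked client-side before a request is sent. The sketch below is an added example, not Eden's own code: the function names are hypothetical, and rejecting duplicated or out-of-order bits is an assumption based on the "ordered string" wording above.

```python
ORDER = "RCPGDA"  # bit order taken from the Permission Bits table and examples


def parse_perms(perms):
    """Return the set of bits in a perms string.

    Rejecting unknown, duplicated or out-of-order bits is an assumption;
    the page only says the string is ordered.
    """
    idx = [ORDER.find(bit) for bit in perms]
    if -1 in idx:
        raise ValueError(f"unknown permission bit in {perms!r}")
    if any(a >= b for a, b in zip(idx, idx[1:])):
        raise ValueError(f"bits duplicated or out of order in {perms!r}")
    return frozenset(perms)


def _missing(caller, needed):
    """Bits in `needed` that the caller lacks, in canonical order."""
    lacking = needed - parse_perms(caller)
    return "".join(bit for bit in ORDER if bit in lacking)


def missing_for_create(caller, new="R"):
    """Create: the caller needs G plus every bit being granted."""
    return _missing(caller, parse_perms(new) | {"G"})


def missing_for_perms_change(caller, target_current, new):
    """Changing another human's perms: the caller needs G, the target's
    current bits, and the new bits being assigned."""
    needed = parse_perms(target_current) | parse_perms(new) | {"G"}
    return _missing(caller, needed)


if __name__ == "__main__":
    # Constructed callers and targets, not real accounts.
    cases = [
        ("create RCA as RCPGDA", missing_for_create("RCPGDA", "RCA")),
        ("create R as RCA", missing_for_create("RCA", "R")),
        ("RCA -> RCPGA as RCPGA",
         missing_for_perms_change("RCPGA", "RCA", "RCPGA")),
        ("RCPGDA -> R as RCPGA",
         missing_for_perms_change("RCPGA", "RCPGDA", "R")),
    ]
    for label, missing in cases:
        print(f"{label}: {'allowed' if not missing else 'missing ' + missing}")
```

An empty return value means the request satisfies the stated rule. The last case shows that even removing bits from a human who holds D requires the caller to hold D.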

Delete a Human

DELETE /api/v1/iam/humans/{username}

bash
curl -X DELETE http://localhost:8080/api/v1/iam/humans/jane.doe \
  -u admin:password

Deleting a human removes the account and its organization-scoped grants.

  • Use the smallest perms set that lets the human do their job.
  • Prefer RCA for most day-to-day builders and operators.
  • Add G only for people who manage IAM grants.
  • Add D only for trusted break-glass or platform-owner paths.
Last updated: October 20, 2018