[{"data":1,"prerenderedAt":37},["ShallowReactive",2],{"arch-deep-/architecture/engines/permissions":3},{"id":4,"title":5,"body":6,"category":23,"deepPage":24,"description":25,"extension":26,"layer":27,"meta":28,"navigation":29,"path":24,"relatedFlows":30,"replaces":31,"seo":34,"stem":35,"__hash__":36},"architecture/architecture/engines/permissions.md","Permissions engine",{"type":7,"value":8,"toc":19},"minimark",[9,13,16],[10,11,12],"p",{},"The permissions engine answers a single question, evaluated millions of times across the building's lifetime: is this principal allowed to do this thing in this place at this moment. The principal can be a resident, a guest, a staff member, a contractor, a service technician, or another system. The thing can be opening a door, booking an amenity, raising an issue, retrieving a delivery, or invoking an internal workflow. The model is one model — there is no parallel matrix per vendor, per amenity, or per floor.",[10,14,15],{},"Permissions are declarative and time-bound. Each grant carries a scope (which spaces, which actions), a window (when it is valid), and an origin (who issued it and on what authority). The engine evaluates grants in real time, including transitive grants — a guest invited by a resident inherits the resident's spatial scope minus a defined exclusion list, with a window the resident cannot extend beyond the policy ceiling.",[10,17,18],{},"The permissions engine is the single source of truth that the access orchestration engine, the booking engine, the issue engine, and the staff console all consult before acting. When a building swaps an access vendor or a property management system, permissions are not migrated — the engine continues to hold the truth, and the new vendor consumes it through the integration layer.",{"title":20,"searchDepth":21,"depth":21,"links":22},"",2,[],"engine","/architecture/engines/permissions","A single declarative model of who can do what, where, and for how long — across residents, guests, staff, contractors, and systems.","md","4",{},true,null,[32,33],"vendor-specific-permission-matrices","ad-hoc-key-management",{"title":5,"description":25},"architecture/engines/permissions","fv8JN5vs3HVpQFOsM7-juvKuN1FqssyihT32tZHJ-gs",1779718756836]