A subject is any entity that can be granted permissions in Aritma IAM. Every resource-based access decision starts with identifying who or what is making the request.
There are three types of subjects:
| Type | Description | Authentication |
|---|---|---|
| User | A human identity linked to an Aritma ID account | Interactive login via Aritma ID or an SSO provider |
| Client | A machine-to-machine service identity | OAuth 2.0 client_credentials grant |
| Group | A named collection of users and clients | N/A — groups are not principals, they aggregate subjects |
A user subject represents a person. Users authenticate interactively and receive an access token after login. There are two ways a user subject can exist in your tenant:
- Invited — you send an invitation to an email address; the user accepts and creates or links their Aritma ID account.
- Directly created — if your organization has verified ownership of an email domain, you can create user subjects without the invitation step.
Users can also be provisioned by SCIM (pre-created by the IdP before their first login) or just-in-time via auto-provisioning when they sign in through an SSO provider.
A client subject represents a non-human identity — a service, scheduled job, or integration. Clients authenticate using a client ID and secret and receive an access token directly, with no user interaction.
Clients are defined as OIDC clients with the client_credentials grant type. Each client has one or more secrets that can be rotated independently.
Clients are assigned policies just like users and can be members of groups.
A group is a named collection of subjects. Groups exist to simplify access management at scale: instead of assigning a policy to each subject individually, you assign a single policy to the group and all members inherit it automatically.
Groups can contain users, clients, or other groups. When a subject is added to a group, it immediately inherits all policies assigned to that group. When it is removed, those inherited permissions are revoked instantly.
Every subject — regardless of type — is identified by a subjectId. This is the value you use as the subject field when creating policies. You can retrieve the subject ID for a user or client through the respective list or lookup endpoints.
- User Management — create, invite, and manage user subjects
- Groups — manage group membership and group-level policies
- OIDC Clients — create and manage client subjects
- Policies — how to grant permissions to subjects