{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Subjects","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"subjects","__idx":0},"children":["Subjects"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["subject"]}," is any entity that can be granted permissions in Aritma IAM. Every resource-based access decision starts with identifying who or what is making the request."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["There are three types of subjects:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Authentication"},"children":["Authentication"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A human identity linked to an Aritma ID account"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Interactive login via Aritma ID or an SSO provider"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A machine-to-machine service identity"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OAuth 2.0 ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_credentials"]}," grant"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Group"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A named collection of users and clients"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["N/A — groups are not principals, they aggregate subjects"]}]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"users","__idx":1},"children":["Users"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A user subject represents a person. Users authenticate interactively and receive an access token after login. There are two ways a user subject can exist in your tenant:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Invited"]}," — you send an invitation to an email address; the user accepts and creates or links their Aritma ID account."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Directly created"]}," — if your organization has verified ownership of an email domain, you can create user subjects without the invitation step."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Users can also be provisioned by SCIM (pre-created by the IdP before their first login) or just-in-time via auto-provisioning when they sign in through an SSO provider."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"clients","__idx":2},"children":["Clients"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A client subject represents a non-human identity — a service, scheduled job, or integration. Clients authenticate using a client ID and secret and receive an access token directly, with no user interaction."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Clients are defined as OIDC clients with the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_credentials"]}," grant type. Each client has one or more secrets that can be rotated independently."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Clients are assigned policies just like users and can be members of groups."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"groups","__idx":3},"children":["Groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A group is a named collection of subjects. Groups exist to simplify access management at scale: instead of assigning a policy to each subject individually, you assign a single policy to the group and all members inherit it automatically."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Groups can contain users, clients, or other groups. When a subject is added to a group, it immediately inherits all policies assigned to that group. When it is removed, those inherited permissions are revoked instantly."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"subject-ids","__idx":4},"children":["Subject IDs"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Every subject — regardless of type — is identified by a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subjectId"]},". This is the value you use as the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["subject"]}," field when creating policies. You can retrieve the subject ID for a user or client through the respective list or lookup endpoints."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related","__idx":5},"children":["Related"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/guides/user-management"},"children":["User Management"]}," — create, invite, and manage user subjects"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/guides/groups"},"children":["Groups"]}," — manage group membership and group-level policies"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/clients/overview"},"children":["OIDC Clients"]}," — create and manage client subjects"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/concepts/policies"},"children":["Policies"]}," — how to grant permissions to subjects"]}]}]},"headings":[{"value":"Subjects","id":"subjects","depth":1},{"value":"Users","id":"users","depth":2},{"value":"Clients","id":"clients","depth":2},{"value":"Groups","id":"groups","depth":2},{"value":"Subject IDs","id":"subject-ids","depth":2},{"value":"Related","id":"related","depth":2}],"frontmatter":{"title":"Subjects","seo":{"title":"Subjects"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/concepts/subjects","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}