Permissions & security

Who sees what, who changes what — enforced at runtime.

Take a sales organization: reps see only their team’s accounts, the cost field is masked for them, managers see the whole region, and audit wants to know who changed that discount. In ObjectOS that boundary is one reviewable definition — enforced on every query, API call, and AI tool call.

ObjectOS product surface connecting business data, applications, and AI agents
AI Writes metadata Objects, permissions, workflows, tools
Human Reviews diff Business authority, data access, approvals
Runtime Enforces policy UI, APIs, audit, MCP, actions
3 layers
Object, record, and field-level control in one model
Per user
AI agents inherit the signed-in user’s permissions
Immutable
Audit trail for reads, writes, grants, and tool calls

Authority as metadata

Permissions a reviewer can actually read.

This is that sales scenario: cases readable and creatable, accounts read-only, payout read-only and SSN invisible, and a row rule that scopes reps to their own team. The runtime enforces it everywhere — UI, API, and AI tools.

export const SupportPermissionSet = {
  name: 'support_agent',
  label: 'Support Agent',
  objects: {
    support_case: { allowRead: true, allowCreate: true, allowEdit: true, allowDelete: false },
    crm_account: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
  },
  // Field-level security
  fields: {
    payout: { readable: true, editable: false },
    ssn: { readable: false, editable: false },
  },
  // Row-level security — CEL predicates enforced on every query
  rowLevelSecurity: [
    {
      name: 'case_own_team',
      label: 'Own Team Cases Only',
      object: 'support_case',
      operation: 'select' as const,
      using: 'team == current_user.team',
      roles: ['support'],
      enabled: true,
      priority: 10,
    },
  ],
};

Access model

Lay the sales org’s boundaries down layer by layer

One model covers the whole spectrum — from broad role grants to a single shared record — so exceptions do not turn into custom code.

Roles & permission sets

“Sales rep” is a permission set: accounts readable and creatable, orders editable, quotes never deletable. Secure by default — nothing is readable until a definition says so.

Row-level rules

One expression — team == current_user.team — and reps see only their team; switch it to the manager hierarchy and a manager sees the region. Filtering happens inside the query engine, so there is nothing to bypass.

Field-level security

Cost is read-only for reps, SSN invisible entirely — a masked field stays masked in the UI, the API, exports, and every AI response.

Record sharing

Two teams collaborating on one big account? Share that single record with the collaborator instead of widening a whole role — the exception is stored, visible, and revocable.

Tenant isolation

Organizations and workspaces stay isolated at the runtime layer, so multi-team and multi-client deployments share nothing by accident.

The admin surfaces

Checked off in a matrix, answered from a log

The permission definition your agent writes opens as a familiar matrix in the open-source console — and when something looks wrong, the audit viewer answers it line by line.

The permission matrix editor

A Salesforce-style layout: object-level create/read/edit/delete and View All / Modify All checkboxes on top; click an object and the lower half switches to its field-level read/write matrix.

Assignments in plain sight

Every permission set page lists who it is assigned to — reviewing authority never means cross-referencing another screen.

The audit log viewer

Filter by action, object, actor, and date; open any entry and a side drawer shows the full event with old → new value diffs — “who changed that discount” is three clicks to an answer.

AI calls, side by side

AI tool calls appear in the same log as human activity — same filters, same diffs — so reviewing the AI is the same job as reviewing people.

AI under the same rules

Agents get your permission model, not a service account

The fastest way to lose control of AI is to give it superuser access. ObjectOS never does: every agent action runs as the signed-in user who asked for it.

User-scoped execution

A rep asks the AI “which of my accounts are likely to renew” — the AI sees that rep’s team’s accounts, with cost still masked. Nothing more.

Approval-gated writes

Structural changes and sensitive actions queue for human sign-off before they execute, with the full diff attached.

Everything audited

Record changes, permission grants, session revocations, approval decisions, and AI tool calls all land in the immutable audit log.

Decision surface

What changes, who reviews it, what runs

A reviewer asksAI writesRuntime enforces
Who can read this object?Roles and permission sets in metadataChecks on every query, API call, and tool call
Which rows can a rep see?A row rule scoped by owner or teamFilters applied inside the query engine
Can AI see the cost field?Field rules with maskingMasked fields in UI, API, exports, and AI answers
Who changed that discount?Nothing — audit ships with the runtimeOld → new diffs, entry by entry, in the audit viewer

Review checklist

A security review should confirm

  • Every object has an explicit read and write policy.
  • Row rules match the org hierarchy, not a copy of it.
  • Sensitive fields are masked for every consumer, including AI.
  • Structural changes cannot ship without an approval record.
  • The audit log captures tool calls, not just record writes.

FAQ

Questions this page should answer

Do AI agents get their own service account?

No. Agents act as the signed-in user and inherit that user’s object, row, and field permissions. There is no privileged AI identity to leak or misuse.

Are the permission matrix and audit viewer in the open-source edition?

Yes. The permission matrix editor and the audit log viewer ship in the open-source console — alongside roles, row rules, field security, sharing, tenant isolation, and the audit log itself, all of which apply equally to MCP tool access.

Next pages

Keep building the evaluation packet.