CROSS-APPLICATION PERMISSION MANAGEMENT
Technical Architecture for Integrating Applications
RnD Ventures — Permission Architecture v3.0
====================================
EXECUTIVE SUMMARY
This document describes a shared permission management ontology designed for applications that need to integrate seamlessly. The architecture moves away from the traditional admin-centric model where all resources belong to a company account controlled by super admins.
Instead, resources can belong to individual users who may share them across multiple spaces and organizations. Users maintain a persistent identity across companies rather than receiving company-issued credentials.
Target use case: Networked organizations, freelancers, contractors, agents, and any environment where collaboration crosses organizational boundaries.
Design principles:
- Zanzibar-compatible for migration from existing systems
- Governance-first: configurable decision mechanisms beyond simple ownership
- Agent-ready: AI agents as first-class subjects alongside humans and spaces
- Compliance-ready: GDPR and data protection built into the architecture
====================================
THE PARADIGM SHIFT
Traditional Model
- Resources belong to a company account
- Users are added to company accounts via company-issued emails
- Super admins control all permissions
- Collaboration outside org boundaries requires workarounds
New Model
- Resources can belong to individual users or spaces
- Users keep their identity across multiple organizations and apps
- Permissions are governed by configurable mechanisms (not just owner decides)
- The same resource can be shared with multiple spaces simultaneously
- Agents can hold permissions and participate in governance
====================================
CORE CONCEPTS
Subjects
Three types of subjects can hold permissions, propose changes, and participate in governance decisions:
- Users: Human individuals with a Master ID
- Spaces: Organizational containers (companies, teams, projects)
- Agents: AI agents with their own identity and permission scope
Identity (Users)