Skip to main content
SLang has a built-in security model based on Subjects, Permissions, and Roles.

Defining permissions

Permissions are defined on relationships between a resource (e.g., Clinic) and a user link (e.g., Membership). 
permissions Clinic -> Membership
  "patients:read"
  "patients:write"
  "clinic:admin"
This tells the system that specific roles defined in the Membership entity will dictate access to Clinic resources.

Enforcing auth

The auth block in a Trigger acts as a firewall. Logic is not executed unless the condition passes.

Permission checks

Check if the authenticated user (@subject) has a specific permission. 
trigger ListPatients on HttpRequest
  endpoint GET /patients
  auth
    @subject can "patients:read"

Role checks

You can also check for specific roles directly, though permissions are preferred for flexibility. 
auth
  @subject is "admin"

Complex logic

Auth rules can be combined with and / or. 
auth
  (@subject can "patients:write") or (@subject is "superuser")

The @subject

The keyword @subject refers to the currently authenticated user (derived from the Bearer token or session). It is available in:
  1. Triggers: For auth checks.
  2. Actions: To assign ownership (e.g., Owner := @subject).