Projects

The Projects module provides multi-tenant namespaces in SOAT. Every resource (document, file, actor, conversation) belongs to a project. Projects are identified by an id prefixed with proj_.

Overview

A Project is a top-level container that scopes all resources. Users access projects through policy-based authorization — there is no separate membership table. Whether a user can access a project is determined entirely by the policies attached to their account and the SRN patterns those policies contain.

See the Permissions Reference for the IAM action strings for this module.

Data Model

| Field | Type | Description |
|---|---|---|
| id | string | Public identifier prefixed with proj_ |
| name | string | Human-readable project name |
| created_at | string | ISO 8601 creation timestamp |
| updated_at | string | ISO 8601 last-updated timestamp |

Key Concepts

Project Access via Policies

Users no longer need to be explicitly added to a project as members. Access is granted by attaching a Policy to the user (or their API key) that contains an Allow statement covering the relevant project's SRN pattern:

{
  "statement": [
    {
      "effect": "Allow",
      "action": ["projects:GetProject", "files:ListFiles", "files:GetFile"],
      "resource": ["soat:proj_ABC:*:*"]
    }
  ]
}

To grant a user access to all projects, use a wildcard project segment:

{ "resource": ["soat:*:*:*"] }

Visibility Rules

  • Admin users see all projects.
  • API key callers scoped to a project see only that project.
  • Regular users see only the projects covered by the SRN patterns in their attached policies.

Authorization Model

Authorization is policy-only — there is no Layer 1 membership gate. All access decisions are evaluated through the policy engine against the requested action and the resource SRN. See IAM for details.
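The following added sketch (not SOAT's own engine or code from this documentation) models how SRN patterns decide access and project visibility, and includes an audit helper that flags patterns with a wildcard project segment. The function names, the meaning given to the third and fourth SRN segments, the whole-segment `*` matching, the Allow-only evaluation, and the sample ids `proj_XYZ` and `file_1` are assumptions made for illustration.

```python
# Added sketch, not SOAT's policy engine. Assumptions: an SRN has four
# colon-separated segments (soat:<project>:<type>:<id>), "*" matches one whole
# segment, only Allow statements are modelled, and anything unmatched is denied.

def srn_matches(pattern, srn):
    p, s = pattern.split(":"), srn.split(":")
    if len(p) != 4 or len(s) != 4:
        return False  # malformed SRNs fail closed
    return all(a == "*" or a == b for a, b in zip(p, s))

def allow_statements(policies):
    for policy in policies:
        for st in policy.get("statement", []):
            if st.get("effect") == "Allow":
                yield st

def is_allowed(policies, action, srn):
    """True if any Allow statement lists the action and covers the SRN."""
    return any(action in st.get("action", [])
               and any(srn_matches(pat, srn) for pat in st.get("resource", []))
               for st in allow_statements(policies))

def visible_projects(policies, project_ids):
    """Projects whose id is covered by the project segment of an Allow pattern."""
    seen = {pat.split(":")[1] for st in allow_statements(policies)
            for pat in st.get("resource", []) if pat.count(":") == 3}
    return [pid for pid in project_ids if "*" in seen or pid in seen]

def wildcard_project_grants(policies):
    """Audit helper: Allow patterns that reach every project."""
    return [pat for st in allow_statements(policies)
            for pat in st.get("resource", [])
            if pat.count(":") == 3 and pat.split(":")[1] == "*"]

# The policy from this page, plus a constructed all-projects policy.
SCOPED = {"statement": [{"effect": "Allow",
    "action": ["projects:GetProject", "files:ListFiles", "files:GetFile"],
    "resource": ["soat:proj_ABC:*:*"]}]}
BROAD = {"statement": [{"effect": "Allow", "action": ["projects:GetProject"],
    "resource": ["soat:*:*:*"]}]}

if __name__ == "__main__":
    projects = ["proj_ABC", "proj_XYZ"]  # constructed ids
    print(is_allowed([SCOPED], "files:GetFile", "soat:proj_ABC:file:file_1"))
    print(visible_projects([SCOPED], projects))
    print(wildcard_project_grants([SCOPED, BROAD]))
```

Because there is no membership table to review, running a check like `wildcard_project_grants` over exported policies is one way to find accounts whose reach spans every tenant.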

Examples

Create a project

soat create-project --name "My Project"

Get a project

soat get-project --project-id proj_ABC