iam:Role
iam:Role from the iam matrix.
Extends: matrix:Resource, iam:Assumable
Roles are assigned to principals via iam:hasRole. Identity policies are attached to roles via iam:hasPolicy. Because iam:Role extends iam:Assumable, trust policies control which consumers can assume the role.
Properties
iam:hasPolicy (optional)
Attaches a policy to a role or action.
Policies attached to a Role must be IdentityPolicy
When attached to a Role, the policy must be an IdentityPolicy; when attached to an Action, it must be a ResourcePolicy. Both constraints are enforced via SHACL.
label (required, min 1)
Validation shape for role label. Roles must have a human-readable label.
Role must have an rdfs:label with a language tag
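The two constraints above, written out as a SHACL node shape together with a conforming and a non-conforming role. This is an added illustration, not the matrix project's own shape file: the namespace IRIs, the ex: sample data and the matrix:Action target are assumptions, and the shape is reconstructed from the constraint messages documented on this page.

```turtle
@prefix rdf:    <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs:   <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh:     <http://www.w3.org/ns/shacl#> .
@prefix iam:    <urn:example:iam#> .      # assumed namespace IRI for the iam matrix
@prefix matrix: <urn:example:matrix#> .   # assumed namespace IRI for the core matrix
@prefix ex:     <urn:example:data#> .     # assumed namespace for constructed sample data

# Shape reconstructed from the constraints described on this page (illustrative, not the project's shape).
iam:RoleShape
    a sh:NodeShape ;
    sh:targetClass iam:Role ;
    # iam:hasPolicy on a Role must point at an IdentityPolicy.
    sh:property [
        sh:path    iam:hasPolicy ;
        sh:class   iam:IdentityPolicy ;
        sh:message "Policies attached to a Role must be IdentityPolicy"@en ;
    ] ;
    # At least one rdfs:label, and it must carry a language tag
    # (a language-tagged literal has datatype rdf:langString; a plain "..." literal is xsd:string).
    sh:property [
        sh:path     rdfs:label ;
        sh:minCount 1 ;
        sh:datatype rdf:langString ;
        sh:message  "Role must have an rdfs:label with a language tag"@en ;
    ] .

# The mirror-image rule for actions. The page names only "Action"; matrix:Action is an assumption.
iam:ActionPolicyShape
    a sh:NodeShape ;
    sh:targetClass matrix:Action ;
    sh:property [
        sh:path    iam:hasPolicy ;
        sh:class   iam:ResourcePolicy ;
        sh:message "Policies attached to an Action must be ResourcePolicy"@en ;
    ] .

# Constructed sample data.
ex:AuditorPolicy    a iam:IdentityPolicy .
ex:PublicReadPolicy a iam:ResourcePolicy .

# Conforms: language-tagged label, identity policy attached.
ex:AuditorRole a iam:Role ;
    rdfs:label    "Auditor"@en ;
    iam:hasPolicy ex:AuditorPolicy .

# Violates both constraints: the label has no language tag, and a resource
# policy is attached where an identity policy is required.
ex:BrokenRole a iam:Role ;
    rdfs:label    "Broken" ;
    iam:hasPolicy ex:PublicReadPolicy .

# Principal assignment via iam:hasRole.
ex:alice iam:hasRole ex:AuditorRole .
```

Running a SHACL validator such as pySHACL over this graph (`pyshacl -s shapes.ttl data.ttl` when the shapes and data are split into two files) reports two violations, both on ex:BrokenRole, and none on ex:AuditorRole. The sh:datatype rdf:langString check is what turns "with a language tag" into something a validator can actually enforce; sh:minCount 1 alone would accept the untagged "Broken".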
Named Individuals
iam:FullAccessRole
Grants complete access to all workspace actions.
Auto-assigned to workspace owners. Provides unrestricted access to all matrix actions. This is scoped to actions: writes to system-defined resources are controlled by resource policies on the system classes themselves.
iam:SystemAdminRole
Grants full read, write, and invocation access to all system-defined resources.
Reserved for the system agent os:Kleo. No other agent or principal should hold this role.
iam:SystemReadRole
Grants read access and action invocation on system-defined resources.
Assign to agents and external matrices that need to read system resources and invoke system actions. Does not grant write access to system resources.