Telescope access grants
A TelescopeAccessGrant delegates authority over a telescope record
to another entity — a user, an organization, or a group. It's the
mechanism by which a telescope owner brings collaborators into
operating, configuring, or simply viewing a telescope without
transferring ownership.
The umbrella for this and the rest of the access model is Telescope access; this page goes deeper on grants specifically.
What a grant authorizes
Each grant carries an independent read / update / delete permission trio. The intent maps roughly to:
- Read — see the telescope record, its devices, status, and live feeds. Grantees with read but no update can monitor but not change anything.
- Update — edit telescope configuration, settings, queues, devices, and policy.
- Delete — remove the telescope record. Almost always reserved for the owner; granting delete to anyone else is unusual.
The trio supports several common intermediate levels:
- Read-only "monitor" grants for partner organizations who want visibility but no edit rights.
- Read+update "operator" grants for the team that runs the telescope day-to-day without owning it.
- Owner-equivalent grants (read+update+delete) for a second org that the owner wants to share full authority with.
Grants on the telescope record itself are independent of queue access
grants — a collaborator can be allowed to operate the telescope
(TelescopeAccessGrant) without being allowed to consume time on
it (ObservingQueueAccessGrant), and vice versa.
Grants vs. ownership
Ownership is a single owner_id on the telescope record. Grants are
additive — multiple grants can exist for the same telescope and the
effective permissions for a given user are the union of:
- The user's own grants on the telescope.
- Grants on the telescope held by any organization the user is a member of (filtered through the user's RBAC roles in that org).
- Grants on the telescope held by any group the user is a member of.
Ownership is not just "the highest grant" — owners retain authority
to issue and revoke grants themselves, and to flip top-level controls
like controlAuthority and isAvailable that grant-holders can't
touch.
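The union rule above, worked through as an added example (not Skynet's own code). The `Perm` flag, the `perms` and `invitation_status` fields, and the idea that an RBAC role acts as a cap on an organization's grant are assumptions made for illustration; `telescope_id`, `entity_id`, `revoked`, and `owner_id` are the names used on this page.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional

class Perm(Flag):
    NONE = 0
    READ = auto()
    UPDATE = auto()
    DELETE = auto()

@dataclass(frozen=True)
class Grant:
    telescope_id: int
    entity_id: int                  # user, organization, or group (one id space)
    perms: Perm                     # hypothetical field for the read/update/delete trio
    revoked: bool = False
    invitation_status: Optional[str] = None   # None: no invitation record (assumption)

    def active(self) -> bool:
        # A revoked grant is no longer valid; an invited grant counts only once accepted.
        return not self.revoked and self.invitation_status in (None, "accepted")

def effective_perms(user_id, telescope_id, grants, org_role_caps, group_ids):
    """Union of direct, org (capped by RBAC role; assumed model), and group grants."""
    result = Perm.NONE
    for g in grants:
        if g.telescope_id != telescope_id or not g.active():
            continue
        if g.entity_id == user_id or g.entity_id in group_ids:
            result |= g.perms
        elif g.entity_id in org_role_caps:
            # org_role_caps: org entity id -> permissions the user's role lets through
            result |= g.perms & org_role_caps[g.entity_id]
    return result

def can_manage_grants(user_id, owner_id):
    # Issuing and revoking grants stays with the owner, whatever trio a grantee holds.
    return user_id == owner_id

# Constructed sample: user 42 belongs to org 100 and groups 200, 201, 202.
ALL = Perm.READ | Perm.UPDATE | Perm.DELETE
SAMPLE_GRANTS = [
    Grant(7, 42, Perm.READ),                    # direct grant
    Grant(7, 100, ALL),                         # org grant, capped by the user's role
    Grant(7, 200, Perm.UPDATE),                 # group grant
    Grant(7, 201, Perm.DELETE, revoked=True),   # ignored: revoked
    Grant(7, 202, Perm.DELETE, invitation_status="awaiting_response"),  # ignored: pending
    Grant(8, 42, ALL),                          # ignored: different telescope
]
```

With a read-only role in org 100, user 42 ends up with read and update on telescope 7: the org's delete is capped away, and the revoked and still-pending delete grants contribute nothing.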
Issuing and revoking grants
The owner-facing surface for grants is in the React port at
org-telescope-access-grants.tsx
(list/create/revoke), with Angular equivalents under
apps/website/src/app/features/entity/telescopes/telescope-access-grants/.
In the API, grants are managed through the
telescope_access_grants router:
GET /v1/telescope-access-grants
POST /v1/telescope-access-grants
PATCH /v1/telescope-access-grants/{id}
DELETE /v1/telescope-access-grants/{id}
Grants can be created in an invited state; see the
TelescopeAccessGrantInvitation companion record. The grantee accepts
the invitation, at which point the grant becomes active. This lets
you provision a grant for a user who hasn't joined Skynet yet, or
formally negotiate sharing terms with a partner organization.
Reference
TelescopeAccessGrant Schema
Properties
| Name | Type | Description |
|---|---|---|
| id | Integer | No description |
| telescope_id | Integer | No description |
| entity_id | Integer | The entity (user or organization) granted access to the telescope. |
| shares | Float | The number of shares this access grant has. This is used to determine how much time the entity can use the telescope. |
| time_used | Float | No description |
| time_contested | Float | No description |
| time_waiting | Float | No description |
| revoked | Boolean | Whether this access grant has been revoked. If true, the access grant is no longer valid. |
Relationships
| Relationship Name | Type |
|---|---|
| telescope | Telescope |
| entity | Entity |
| invitation | TelescopeAccessGrantInvitation |
| queue_access_grants | ObservingQueueAccessGrant |
TelescopeAccessGrantInvitation Schema
Properties
| Name | Type | Description |
|---|---|---|
| id | UUID | No description |
| telescope_access_grant_id | Integer | No description |
| invitation_type | Enum(organization_invitation, registration_invitation, group_invitation, telescope_access_grant_invitation, externally_managed_observing_grant_invitation) | No description |
|  | String(100) (Optional) | No description |
| entity_id | Integer (Optional) | No description |
| created_on | DateTime | No description |
| last_sent_on | DateTime (Optional) | No description |
| expires_in | Integer | No description |
| email_sent | Boolean | No description |
| used | Boolean | No description |
| status | Enum(accepted, awaiting_response, declined) | No description |
Relationships
| Relationship Name | Type |
|---|---|
| telescope_access_grant | TelescopeAccessGrant |
| entity | Entity |