Dynamic Permissions

Most platforms force you into predefined roles or rigid permission systems. Canopy lets you define your own permission vocabulary. Canopy stores, enforces, and evaluates it without hardcoding access rules into your application.

Your Permission Model: Not Ours

You define your own permission keys, like invoice.read, report.export, or identity.manage. Canopy doesn't interpret them. It enforces them consistently across your hierarchy. Each account defines its own model, completely isolated from every other tenant.

Stop Hardcoding Access Logic

Without dynamic permissions, access checks live in your codebase. Every new feature requires new conditionals. Changing access rules requires deployments.

Without dynamic permissions

  • Permission checks hardcoded in your app
  • Every new feature needs new conditionals
  • Changing access rules requires a deployment

With Canopy

  • Permissions are data, not code
  • Roles updated without redeploying
  • Access rules evolve with your product

Flexible Permission Structure

Permissions follow a simple resource.action pattern, such as invoice.create, report.export, or user.deactivate. Unlimited depth is supported for complex domains, as in billing.invoice.approve. Group permissions by category for dashboard organization. The structure is yours to define.

Roles Bundle Permissions

Permissions are never assigned directly to users. You define permissions, bundle them into roles, then assign roles at nodes. A 'Regional Manager' role might include report.view, report.export, and identity.manage. Change the role's permissions and every holder is updated instantly.

Evaluated in Real Time

At runtime, your application asks Canopy: does this user have permission X at node Y? Canopy evaluates direct role assignments, inherited roles through the hierarchy, and active time windows, then returns a deterministic answer in a single API call.

Time-Bound Permissions

Grant access that starts in the future, expires automatically, or supports temporary roles for contractors. No cleanup is required: expired access is ignored automatically at evaluation time.
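A minimal model of the evaluation described in the three sections above (roles bundling permissions, inherited role assignments, time windows), added here as an illustration and not Canopy's code or API. All names and sample data are hypothetical, and it assumes a role assigned at a node also applies to that node's descendants.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data (hypothetical): hierarchy as child -> parent, and roles.
PARENT = {"root": None, "emea": "root", "emea.de": "emea", "apac": "root"}
ROLES = {
    "regional_manager": {"report.view", "report.export", "identity.manage"},
    "contractor": {"billing.invoice.approve"},
}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    node: str
    starts: Optional[datetime] = None   # None = active immediately
    expires: Optional[datetime] = None  # None = never expires

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

ASSIGNMENTS = [
    Assignment("alice", "regional_manager", "emea"),
    Assignment("bob", "contractor", "emea.de", utc(2025, 1, 1), utc(2025, 2, 1)),
]

def ancestors(node):
    """Return the node plus its ancestors; unknown nodes and cycles end the walk."""
    seen = []
    while node in PARENT and node not in seen:
        seen.append(node)
        node = PARENT[node]
    return seen

def has_permission(user, permission, node, now):
    """Deny by default; allow only via a currently active role in scope."""
    scope = ancestors(node)
    for a in ASSIGNMENTS:
        if a.user != user or a.node not in scope:
            continue  # other user, or assigned outside this node's ancestry
        if a.starts is not None and now < a.starts:
            continue  # window has not opened yet
        if a.expires is not None and now >= a.expires:
            continue  # expired rows are skipped, so no cleanup job is needed
        if permission in ROLES.get(a.role, ()):  # keys are opaque: exact match
            return True
    return False
```

Because the keys are compared as opaque strings, a prefix such as report grants nothing by itself, and an unknown node yields an empty scope and therefore a deny.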

Evaluate at Scale

Check multiple permissions or identities in one request. Build permission-aware UIs that show or hide features based on real access. Filter data based on scope. Avoid repeated API calls. Designed for real-time applications.

Ready to simplify access control?

Create an account and have authentication and hierarchical access control running today.