Capabilities are the means through which DTaaS determines whether or not an action may be performed.

Capability Types

There are seven types of Capabilities. Some Capabilities have no effect on some object types, and the exact semantics depend on the object type.

In general, objects have all Capabilities on objects they create, and Users are allowed to CREATE Prototypes and DISCOVER other Users. When a User runs a Servable, DTaaS will prompt for the Capabilities that the Servable requires, and the User will be able to delegate Capabilities that they have to the Servable. Trusts can be used to explicitly delegate Capabilities to other Users.


The DISCOVER Capability is generally used to indicate knowledge that an object exists. It allows access to only the most basic information about an object: its type and ID.


The CREATE Capability is generally needed when using an object to create something new.


The READ Capability allows seeing the full information about an object in DTaaS. For some objects this is used in place of DISCOVER.


The UPDATE Capability is needed for modifying the state of an object.


The DELETE Capability grants the ability to completely remove an object.


The MANAGE Capability is the ability to manipulate Capabilities on the object itself. Having MANAGE on an object means you can grant new Capabilities on it or revoke existing ones.

Users typically have this Capability on objects that they create and own.


The REQUEST Capability applies to Servables and grants the ability to make HTTP requests to the Servable.


Trusts allow Users to explicitly delegate Capabilities that they hold on objects to other Users. The User that creates a Trust is referred to as a Trustee, which grants them MANAGE on the Trust and on objects in the Trust. Trustees can add other Users as Trustees.

Trustees control the contents and the membership of a Trust. Members are Users and contents are other objects. A Trust is defined with a set of Capabilities when it is created, and it ensures that all members have that set of Capabilities on all contents of the Trust. Members and contents can be removed, which ends the delegation.
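
The Trust rules above can be written out as a small authorization model. This is an added illustration, not DTaaS code: the names `Model`, `Trust`, `add_content`, `effective` and `allowed` are hypothetical, and the rule that a Trustee can only delegate Capabilities it already holds on an object is an assumption drawn from the wording "Capabilities that they hold".

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Capability(Flag):
    DISCOVER = auto()
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()
    MANAGE = auto()
    REQUEST = auto()

ALL = ~Capability(0)                      # every defined Capability

@dataclass
class Trust:
    capabilities: Capability              # set fixed when the Trust is created
    trustees: set = field(default_factory=set)
    members: set = field(default_factory=set)
    contents: set = field(default_factory=set)

class Model:
    """Toy model of the rules above; hypothetical names, not the DTaaS API."""
    def __init__(self):
        self.direct = {}                  # (user, obj) -> Capabilities held without a Trust
        self.trusts = []
    def create_object(self, user, obj):
        self.direct[(user, obj)] = ALL    # creators hold all Capabilities
    def create_trust(self, creator, capabilities):
        self.trusts.append(Trust(capabilities, trustees={creator}))
        return self.trusts[-1]

    def add_content(self, actor, trust, obj):
        # Assumption: only a Trustee adds contents, and only for Capabilities it holds.
        if actor not in trust.trustees or not self.allowed(actor, obj, trust.capabilities):
            raise PermissionError(f"{actor} may not delegate on {obj}")
        trust.contents.add(obj)

    def effective(self, user, obj):
        caps = self.direct.get((user, obj), Capability(0))
        for t in self.trusts:
            if obj in t.contents and user in t.members:
                caps |= t.capabilities    # delegated through membership
            if obj in t.contents and user in t.trustees:
                caps |= Capability.MANAGE # Trustees get MANAGE on contents
        return caps

    def allowed(self, user, obj, needed):
        return needed in self.effective(user, obj)
```

Because `effective` recomputes grants from current Trust membership and contents on every check, removing a member or an object from the Trust ends the delegation immediately, with no per-object grant left behind to clean up.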


When a DTaaS node is in a dtDomain, Users on different nodes will be able to DISCOVER each other. This allows adding Users to Trusts that exist on other nodes in the dtDomain. Once a remote User is added, they will have Capabilities on remote objects, and they will be able to interact with those objects via their own DTaaS node as though the objects existed locally. DTaaS handles the proxying of access.