Skip to main content
Version: 2.0.0


Here you'll find a quick reference for all the Permit and otherwise permission, authorization, and IAM buzzwords.

Permit Terms

  • MAU

  • Tenant

    • Tenant a silo of resources and users; which in policy terms means only users within a tenant can act on the resources within the tenant
    • Often a tenant would represent an end-customer of yours, but sometimes you'd want multiple tenants to represent a single logical customer tenant (for example if you have multiple departments within each logical tenant).
    • Read more about tenants here
  • Workspace

    • Your Permit organizational account - under which all of your configurations, projects, and environments reside.
    • Workspaces are completely siloed from one another.
    • You can have multiple workspaces and switch between them - but usually you'd only need one.
    • Billing is done based on MAU and tenants per Workspace.
  • Project

    • a collection of environments. Contained within a workspace.
    • Usually corresponds to an end application or services
  • Environment

    • A silo of policy and data.
    • Usually represents a specific deployment (E.g. dev, prod, staging) of a project.
    • Environment can be cloned (Selectively) via the API
    • Each PDPs is synced to a specific environment via the secret environment API key
  • Permit Element

    • An embedable UI component presenting a permissions flow to end-users
    • e.g. user-management, audit-logs

General Terms


  • RBAC

    • Role Based Access Control - A permissions model in which all permissions for an identity are derived from a role (e.g. Admin, Viewer) that is assigned to it
  • ABAC

    • Attribute Based Access Control - A permissions model in which permissions are deduced from conditions on a sets of attributes. ABAC is the most comprehensive model - most other model can be described as subsets of ABAC.
  • ReBAC

    • Relationship Based Access Control - A Permissions model in which permissions are deduced from the relationships between identities and various nested groups and resources (e.g. ). ReBAC is most common for nested hierarchies (e.g. org charts, file directories)


  • PDP

    • Policy Decision Point - a network node in responsible for answering authorization queries (using a policy and contextual data)
    • In a PDP is provided as a container - meant to act as your microservice for authorization - often deployed as a sidecar to your own services.
    • AKA : Authorizer, Permitter, Microservice for authorization, sidecar
    • Full article
  • PEP

    • Policy Enforcement Point - a point which enforces access to resources, usually queries a PDP for the decisions to enforce.
    • In - PEPs can be created across the stack in code vai the SDK( single line, function, route, middleware), or outside your code via plugins (Reverse Proxy, API Gateway)