Skip to main content
Version: 2.0.0

URL Mapping Permissions Check

The URL Mapping Permissions Check is a feature that allows you to check whether a particular URL is mapped to a resource within your application. This feature is useful for URL based permissions checks, where you want to ensure that a user has permission to access a particular URL/Endpoint with a specific HTTP method and custom parameters.

Currently, this feature is available using the FoAz UI & a PDP. You can access the FoAz UI inside the Permit App here.


Mapping Rules

The mapping rules feature in the FoAz UI links HTTP URLs to particular resources and actions within the platform. These rules are essential for controlling access and permissions on your website or application. Each rule defines the association between an incoming HTTP request and the corresponding resource within your application that the request should interact with.

Mapping Rules Example

By correctly setting up mapping rules, you can ensure that requests are correctly routed and that users only have access to the resources that they are authorized to view or modify.

Proxy Request URL

In FoAz UI, you can set variables as part of the URL using the following syntax: {var1}. This feature is called templating the URL, and it's beneficial to reduce the overall number of mapping rules required.

For example, you might set up a URL like this:{customer_id}/payments.

In this case, {customer_id} is a placeholder that will be replaced with the actual customer ID during the request. This strategy allows you to use a single mapping rule for all customers, rather than needing a separate rule for each customer.

Setting up the PDP

To use the URL Mapping Permissions Check, you must first set up the PDP. You must deploy the following version of the PDP that supports the URL Mapping Check: permitio/pdp-v2:0.2.19-rc.2.

Checking Permissions Using URL Mapping

Currently, checking permissions using URL Mapping is available through the endpoint /allowed_url on the PDP. The SDKs will be updated to support this feature soon. Here's an example of a payload to localhost:7766/allowed_url (assuming you're running the PDP locally)

"user": {
"key": ""
"url": "",
"http_method": "POST",
"tenant": "default"

You can see more details about the payload in the Redoc that the PDP hosts here - http://localhost:7766/redoc#tag/Authorization-API/operation/is_allowed_url_allowed_url_post - assuming you're running the PDP locally.