Skip to main content
Version: 2.0.0

Get resource authorized users ( EAP )

To get all users who have access to a resource, you can use the permit.authorized_users function. This function returns a list of users who have access to perform a specific action on a resource.

The permit.authorized_users function accepts an action and a resource as input, and returns a list of users who have access to perform the given action on the given resource, including the user's role assignments that granted the access:

PDP Version

Please note that the permit.authorized_users function is available starting from PDP version 0.4.0.

EAP

This feature is in EAP stage - please contact if us if you want to try it out.

Simple Usage

from permit import AuthorizedUsersResult

authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read", "repo",
)

The schema of the response in the code above is as follows:

{
    "resource": "repo:*",
    "tenant": "default",
    "users": {
        "user1": [
            {
                "user": "user1",
                "tenant": "default",
                "resource": "__tenant:default",
                "role": "admin"
            }
        ]
    }
}

Instance Specific Usage

Similar to the permit.check function, you can also pass the instance of the resource to the permit.authorized_users function. This will return a list of users who have access to perform the given action on the specific given instance.

from permit import AuthorizedUsersResult

authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read", "repo:OPAL",
)

The schema of the response in the code above is as follows:

{
    "resource": "repo:OPAL",
    "tenant": "default",
    "users": {
        "user1": [
            {
                "user": "user1",
                "tenant": "default",
                "resource": "repo:OPAL",
                "role": "admin"
            }
        ]
    }
}

If the user also has access to the resource granted by a tenant level role assignment, the response will also contain the tenant level role assignment, and will look as follows:

{
    "resource": "repo:OPAL",
    "tenant": "default",
    "users": {
        "user1": [
            {
                "user": "user1",
                "tenant": "default",
                "resource": "repo:OPAL",
                "role": "admin"
            },
            {
                "user": "user1",
                "tenant": "default",
                "resource": "__tenant:default",
                "role": "admin"
            }
        ]
    }
}
info

Currently, using "authorized_users" works only for RBAC & ReBAC.

Contents