Get resource authorized users 🚧
To get all users who have access to a resource, use the permit.authorized_users function.
It accepts an action and a resource as input and returns a list of users who can perform the given action on the given resource, including each user's role assignments that granted the access.
Please note that the permit.authorized_users function is available starting from PDP version 0.4.0.
This feature is in the EAP stage. Please contact us if you want to try it out.
Simple Usage
- Python
from permit import AuthorizedUsersResult

authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read", "repo",
)
The schema of the response in the code above is as follows:
{
  "resource": "repo:*",
  "tenant": "default",
  "users": {
    "user1": [
      {
        "user": "user1",
        "tenant": "default",
        "resource": "__tenant:default",
        "role": "admin"
      }
    ]
  }
}
Instance Specific Usage
Similar to the permit.check function, you can also pass the instance of the resource to the permit.authorized_users function.
This will return a list of users who have access to perform the given action on the specific given instance.
- Python
from permit import AuthorizedUsersResult

authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read", "repo:OPAL",
)
The schema of the response in the code above is as follows:
{
  "resource": "repo:OPAL",
  "tenant": "default",
  "users": {
    "user1": [
      {
        "user": "user1",
        "tenant": "default",
        "resource": "repo:OPAL",
        "role": "admin"
      }
    ]
  }
}
If the user's access to the resource is also granted by a tenant-level role assignment, the response contains that tenant-level role assignment as well, and looks as follows:
{
  "resource": "repo:OPAL",
  "tenant": "default",
  "users": {
    "user1": [
      {
        "user": "user1",
        "tenant": "default",
        "resource": "repo:OPAL",
        "role": "admin"
      },
      {
        "user": "user1",
        "tenant": "default",
        "resource": "__tenant:default",
        "role": "admin"
      }
    ]
  }
}
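For an access review it helps to separate users who reach the resource only through a tenant-level role assignment from those with a grant on the instance itself. The following is an added example, not part of the Permit SDK or the original page; it assumes the response has been converted to a plain dict with the schema shown above, and the function names and the user2 entry are constructed for illustration.

```python
# Added example: split the grants in an authorized_users response by scope.
# Tenant-level role assignments carry a "__tenant:<tenant>" resource, as in
# the responses shown on this page.
TENANT_PREFIX = "__tenant:"

# Constructed sample: user1 is copied from the response above, user2 is invented.
SAMPLE_RESPONSE = {
    "resource": "repo:OPAL",
    "tenant": "default",
    "users": {
        "user1": [
            {"user": "user1", "tenant": "default", "resource": "repo:OPAL", "role": "admin"},
            {"user": "user1", "tenant": "default", "resource": "__tenant:default", "role": "admin"},
        ],
        "user2": [
            {"user": "user2", "tenant": "default", "resource": "__tenant:default", "role": "admin"},
        ],
    },
}


def summarize_grants(result: dict) -> dict:
    """Map each user to the roles granted tenant-wide and on the resource itself."""
    summary = {}
    for user, assignments in result.get("users", {}).items():
        entry = {"tenant_roles": set(), "resource_roles": set()}
        for grant in assignments:
            is_tenant = grant["resource"].startswith(TENANT_PREFIX)
            entry["tenant_roles" if is_tenant else "resource_roles"].add(grant["role"])
        summary[user] = entry
    return summary


def tenant_only_users(result: dict) -> list:
    """Users whose access comes solely from tenant-level role assignments."""
    return sorted(
        user
        for user, entry in summarize_grants(result).items()
        if entry["tenant_roles"] and not entry["resource_roles"]
    )


if __name__ == "__main__":
    for user, entry in summarize_grants(SAMPLE_RESPONSE).items():
        print(user, entry)
    print("tenant-level only:", tenant_only_users(SAMPLE_RESPONSE))
```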
ABAC Usage
This feature is performance-intensive and is disabled by default. The requests below enable it by setting enable_abac_authorized_users to true in the context.
- cURL
localhost:7766 is the PDP address relative to the caller:

curl --location 'http://localhost:7766/authorized_users' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <api key>' \
  --data '{
    "action": "read",
    "resource": {
      "type": "Document",
      "tenant": "default",
      "attributes": {
        "cost": 500,
        "create_at": 2024
      },
      "context": {
        "enable_abac_authorized_users": true
      }
    }
  }'

- Python
from permit import AuthorizedUsersResult

authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read",
    {
        "type": "Document",
        "attributes": {
            "cost": 500,
            "create_at": 2024,
        },
        # Same opt-in flag and placement as in the cURL request
        "context": {
            "enable_abac_authorized_users": True,
        },
    },
)