Get resource authorized users 🚧
To get all users who have access to a resource, you can use the permit.authorized_users function.
This function returns a list of users who have access to perform a specific action on a resource.
The permit.authorized_users function accepts an action and a resource as input, and returns a list of users who have access to perform the given action on the given resource, including the user's role assignments that granted the access.
Please note that the permit.authorized_users function is available starting from PDP version 0.4.0.
This feature is in EAP stage - please contact us if you want to try it out.
Simple Usage
- Python
from permit import AuthorizedUsersResult

# `permit` is an already-initialized Permit SDK client.
authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read", "repo",
)
The schema of the response in the code above is as follows:
{
  "resource": "repo:*",
  "tenant": "default",
  "users": {
    "user1": [
      {
        "user": "user1",
        "tenant": "default",
        "resource": "__tenant:default",
        "role": "admin"
      }
    ]
  }
}
Instance Specific Usage
Similar to the permit.check function, you can also pass the instance of the resource to the permit.authorized_users function.
This will return a list of users who have access to perform the given action on the specific given instance.
- Python
from permit import AuthorizedUsersResult

# `permit` is an already-initialized Permit SDK client.
authorized_users: AuthorizedUsersResult = permit.authorized_users(
    "read", "repo:OPAL",
)
The schema of the response in the code above is as follows:
{
  "resource": "repo:OPAL",
  "tenant": "default",
  "users": {
    "user1": [
      {
        "user": "user1",
        "tenant": "default",
        "resource": "repo:OPAL",
        "role": "admin"
      }
    ]
  }
}
If the user also has access to the resource granted by a tenant level role assignment, the response will also contain the tenant level role assignment, and will look as follows:
{
  "resource": "repo:OPAL",
  "tenant": "default",
  "users": {
    "user1": [
      {
        "user": "user1",
        "tenant": "default",
        "resource": "repo:OPAL",
        "role": "admin"
      },
      {
        "user": "user1",
        "tenant": "default",
        "resource": "__tenant:default",
        "role": "admin"
      }
    ]
  }
}
Currently, using "authorized_users" works only for RBAC & ReBAC.
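An access review built on the response shape shown above, as an added example that is not part of Permit's documentation or SDK: it treats the returned JSON as a plain dict and separates tenant-level grants (resource starting with `__tenant:`) from grants on the queried resource, so users who can reach an instance only through a tenant-wide role stand out. The function names and sample data are constructed for illustration, and the check that each assignment repeats the enclosing user and tenant is an assumption drawn from the examples on this page.

```python
TENANT_PREFIX = "__tenant:"  # prefix seen on tenant-level assignments above


def classify_grants(response: dict) -> dict:
    """Group each user's granting roles by where the role was assigned."""
    target = response["resource"]
    report = {}
    for user, assignments in response.get("users", {}).items():
        scopes = {"tenant": [], "instance": [], "other": []}
        for a in assignments:
            # Assumption: entries repeat the enclosing user and tenant.
            if a.get("user") != user or a.get("tenant") != response.get("tenant"):
                raise ValueError(f"unexpected assignment under {user!r}: {a}")
            res = a.get("resource", "")
            if res.startswith(TENANT_PREFIX):
                scopes["tenant"].append(a["role"])
            elif res == target:
                scopes["instance"].append(a["role"])
            else:  # role assigned on any other resource
                scopes["other"].append(f"{res}#{a['role']}")
        report[user] = scopes
    return report


def tenant_only_users(response: dict) -> list:
    """Users whose access comes solely from tenant-wide role assignments."""
    return sorted(
        user for user, s in classify_grants(response).items()
        if s["tenant"] and not s["instance"] and not s["other"]
    )


def _grant(user, resource, role):
    return {"user": user, "tenant": "default", "resource": resource, "role": role}


# Constructed sample in the shape of the responses on this page.
SAMPLE = {
    "resource": "repo:OPAL",
    "tenant": "default",
    "users": {
        "user1": [_grant("user1", "repo:OPAL", "admin"),
                  _grant("user1", "__tenant:default", "admin")],
        "user2": [_grant("user2", "__tenant:default", "viewer")],
        "user3": [_grant("user3", "repo:OPAL", "editor")],
    },
}

if __name__ == "__main__":
    print(tenant_only_users(SAMPLE))
```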