Get user permissions
To get all user permissions irrespective of the tenant, you can use the permit.GetUserPermissions function.
This function determines all user permissions for every registered resource across all tenants.
Simple Usage
The permit.GetUserPermissions function accepts a "User" as input and optionally a list of tenants to filter,
and returns an object containing the details about the request for each assigned tenant,
including the assigned tenant's attributes, and the allowed permissions:
- Node.js
- Java
- GoLang
const { Permit } = require("permitio");
const permit = new Permit({token: "<YOUR_API_KEY>", ...});
const userPermissions = await permit.getUserPermissions("john@doe.com");
import io.permit.sdk.Permit;
import io.permit.sdk.PermitConfig;
import io.permit.sdk.enforcement.*;
import java.util.Arrays;
Permit permit = new Permit(
new PermitConfig.Builder("[YOUR_API_KEY]").build()
);
UserPermissions permissions = permit.getUserPermissions(
new GetUserPermissionsQuery(
User.fromString("john@doe.com")
)
);
package main
import (
"encoding/json"
"fmt"
)
import p "github.com/permitio/permit-golang/pkg/permit"
import "github.com/permitio/permit-golang/pkg/config"
import "github.com/permitio/permit-golang/pkg/enforcement"
func main() {
// Create permit client
permitConfig := config.NewConfigBuilder("<YOUR_API_TOKEN>").Build()
permit := p.New(permitConfig)
// Create user and resource variables
user := enforcement.UserBuilder("john@doe.com").Build()
var userPermissions enforcement.UserPermissions
// List user permissions
userPermissions, err := permit.GetUserPermissions(
user,
// Optionally, you can specify a list of tenants to filter
"tenant-1",
"tenant-2",
)
if err != nil {
fmt.Printf("Error getting user permissions: %s", err)
} else if len(userPermissions) > 0 {
fmt.Println("John has a role assigned to some tenant in the environment")
for tenant, permissionsInTenant := range userPermissions {
attributes, _ := json.MarshalIndent(permissionsInTenant.Tenant.Attributes, "", "\t")
fmt.Printf("Allowed Tenant is '%s', attributes are:\n%s\nAllowed permissions are:\n%+q",
tenant, attributes, permissionsInTenant.Permissions,
)
}
} else {
fmt.Println("John is NOT PERMITTED to perform any action in any tenant in the environment")
}
}
EAP: Enabling ABAC in user permissions
The permit.GetUserPermissions function can also find all permitted objects based on
attribute-based rules (ABAC condition sets), however this calculation is a bit more
expensive to run performance wise. For that reason, you have to manually turn on
this capabality when needed.
Not all SDKs are supporting this feature at this point in time, you can directly call the PDP API if your SDK is not supporting it yet.
- cURL
- Java
Assuming localhost:7766 is the PDP address relative to the caller:
curl --location 'http://localhost:7766/user-permissions' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <api key>' \
--data '{
"user": {
"key": "eddie"
},
"resource_types": [
"document",
"__tenant"
],
"context": {
"enable_abac_user_permissions": true
}
}'
import io.permit.sdk.Permit;
import io.permit.sdk.PermitConfig;
import io.permit.sdk.enforcement.*;
import io.permit.sdk.util.Context;
import java.util.Arrays;
Permit permit = new Permit(
new PermitConfig.Builder("[YOUR_API_KEY]").build()
);
Context context = new Context();
context.put("enable_abac_user_permissions", new Boolean(true));
UserPermissions permissions = permit.getUserPermissions(
new GetUserPermissionsQuery(
User.fromString("john@doe.com"), // user key
null, // tenants filter is not required for ABAC
Arrays.asList("document", "__tenant"), // resource types is always required for ABAC, __tenants is required to not ignore RBAC-based permissions
null, // resources not required
context,
)
);
Get user permissions directly from opa
This feature is not supported when using FactDB and should not be used with FactDB enabled on the PDP
When experiencing high load, it may be more efficient to call the OPA engine directly from the SDK. Please note that to enable this, you will need to expose the OPA port (8181).
import io.permit.sdk.Permit;
import io.permit.sdk.PermitConfig;
import io.permit.sdk.enforcement.*;
import io.permit.sdk.util.Context;
import java.util.Arrays;
Permit permit = new Permit(
new PermitConfig.Builder("[YOUR_API_KEY]").build()
);
UserPermissions permissions = permit.getUserPermissionsFromOPA(
new GetUserPermissionsQuery(
User.fromString("john@doe.com")
)
);
Filtering out the results
You can filter the results by any one of the following:
- tenants - returns only the permissions for instances or globally for the specified tenants
- resource_types - returns only the permissions for instances of the specified resource types
- To get only top level accesses, please use the
__tenantresource type
- To get only top level accesses, please use the
- resources - returns only the permissions for the specified resource instances, format should be
resource_type:resource_key
- Node.js
- Java
const { Permit } = require("permitio");
const permit = new Permit({token: "<YOUR_API_KEY>", ...});
const userPermissions = await permit.getUserPermissions(
"john@doe.com",
["tenant-1", "tenant-2"], // tenants
["document:doc-1", "document:doc-2"] // resources
["document", "__tenant"], // resource_types
);
import io.permit.sdk.Permit;
import io.permit.sdk.PermitConfig;
import io.permit.sdk.enforcement.*;
import java.util.Arrays;
Permit permit = new Permit(
new PermitConfig.Builder("[YOUR_API_KEY]").build()
);
UserPermissions permissions = permit.getUserPermissions(
new GetUserPermissionsQuery(
User.fromString("john@doe.com"),
Arrays.asList("tenant-1", "tenant-2"), // tenants
Arrays.asList("document", "__tenant") // resource_types
Arrays.asList("document:doc-1", "document:doc-2"), // resources
)
);