Run your First Policy Check
Performing your first policy check is a key step in understanding and validating the policies you’ve configured. The policy decision point (PDP) lies at the heart of Permit’s Authorization system, determining whether a user is authorized to perform specific actions on a resource. This ensures that your access control model is working as intended.
Before we start: Understanding the check function
The check function acts as a guard at the heart of your application’s access control system. It evaluates whether a specific user
has the necessary permissions to perform an action on a resource, ensuring that only authorized users can proceed. By taking key
parameters such as the user ID, action, and resource, the check function queries the policy engine to return a decision.
What exactly are the arguments passed into the
permit.check()function?
user: a unique string id or object that identifies the user performing the action.action: the action performed.resource: the resource (object) the action is performed on. Can be a string or an object.
This guard mechanism is critical for enforcing your configured policies and seamlessly integrating authorization into your application’s workflows.
The check function can accept various arguments beyond the user and resource.
Using the cloud PDP to run our first check
To perform our first policy check, we need to identify an enforcement point in our code—this is where the check function comes into play. For this example, we’ll build up on the policy configured in our first walkthrough.
Below is the policy we’ll be working with. As shown, the Admin role has permissions to create, delete, publish, and read,
but notably, it does not have permission to update.
We also have two users in our setup, but only one of them has the Admin role assigned. For this example, we’ll focus on checking the permissions assigned to Macy Smith, who holds the Admin role.
Our Permit enforcement point in the code will look like this:
Let's run it.
Now let's alter our permissions, and lets give Macy the permissions to update the Document.
Hurray, Macy can now perform all the actions!
Cloud PDP is limited to RBAC policies only, with 1MB data restriction. For ABAC / ReBAC policies, you need to deploy a local PDP.
For production deployments, we recommend deploying a local PDP to minimize network latency and ensure high availability.
Running a local PDP
A Policy Decision Point (PDP) is the component responsible for making authorization decisions based on defined policies. While the default Cloud PDP provides a seamless, managed experience, performing a local policy check unlocks additional benefits like speed, security, and extensibility.
Running a local policy check is almost identical to using the Cloud PDP. The key difference lies in the Permit object initialization, which connects to your locally hosted PDP instead of the cloud service.
Pull the PDP Docker Container
Permit.io provides the PDP as a ready-to-use Docker container. Start by pulling the latest version from Docker Hub:
docker pull permitio/pdp-v2:latest
If Docker is not yet installed on your system, click here to install Docker.
Run the Docker Container
Once the container is pulled, you can run the PDP locally. Replace <YOUR_API_KEY> with the Secret Key you obtained from Permit.io.
docker run -it -p 7766:7000 --env PDP_DEBUG=True --env PDP_API_KEY=<YOUR_API_KEY> permitio/pdp-v2:latest
The container will expose the PDP on
localhost:7766, ready to handle authorization requests.
Initialize the Permit object
After setting up the Local PDP, you can integrate it into your application to handle authorization checks. The process is almost identical to using the Cloud PDP, with one key difference: pointing to the local PDP URL during initialization.
When initializing the Permit object in your application, point it to the locally hosted PDP:
Perform the authorization check
Perform authorization checks as you normally would. The Local PDP will seamlessly handle policy validation. We will use the same policy configuration as in our first policy check from the previous walkthrough.
We have a policy configured for the Admin role.
We have Macy Smith as our user for this policy check. She has been assigned the Admin role.
We have identified the enforcement point where we will check if Macy has the permission to create a document.
const permitted = permit.check("user|987654321", "create", "document");
What did you learn?
By configuring the Cloud PDP for policy checks, you’ve learned how to:
- Import and initialize the Permit SDK in your project.
- Set up an enforcement point in your code using the check function.
- Validate user permissions against your configured policies in real time.
- Leverage the flexibility of the Cloud PDP to handle RBAC policy decisions seamlessly.
Did you know that modern policy checks can process thousands of decisions per second?
Companies like Netflix use similar mechanisms to authorize every single request in their systems—whether it’s playing a movie or accessing account settings.
What's next? 🎉
- Create user and resource attributes
- Define your first User and Resource Sets
- Create your ABAC policy rules
Amazing. You're almost an expert.