Skip to main content

Run your First Policy Check

Performing your first policy check is a key step in understanding and validating the policies you've configured. The policy decision point (PDP) lies at the heart of Permit's Authorization system, determining whether a user is authorized to perform specific actions on a resource. This ensures that your access control model is working as intended.

Before we start: Understanding the check function

The check function acts as a guard at the heart of your application's access control system. It evaluates whether a specific user has the necessary permissions to perform an action on a resource, ensuring that only authorized users can proceed. By taking key parameters such as the user ID, action, and resource, the check function queries the policy engine to return a decision.

What exactly are the arguments passed into the permit.check() function?

  • user: a unique string id or object that identifies the user performing the action.
  • action: the action performed.
  • resource: the resource (object) the action is performed on. Can be a string or an object.
No files found in the specified folder path.

This guard mechanism is critical for enforcing your configured policies and seamlessly integrating authorization into your application's workflows.

note

The check function can accept various arguments beyond the user and resource.

1

Understanding Your Policy Configuration

Let's examine the policy we'll be working with. As shown below, the Admin role has permissions to create, delete, publish, and read, but notably, it does not have permission to update.

Admin role permissions
2

Reviewing User Assignments

We have two users in our setup, but only one of them has the Admin role assigned. For this example, we'll focus on checking the permissions assigned to Macy Smith, who holds the Admin role.

User roles and assignments
3

Setting Up the Enforcement Point

Our Permit enforcement point in the code will look like this:

No files found in the specified folder path.

This code snippet:

  • Identifies the user making the request
  • Specifies the action being attempted
  • Names the resource being accessed
  • Returns a boolean indicating whether the action is permitted
4

Testing Initial Permissions

Let's run our first check with the current permissions:

Failed permission check

As expected, the check fails because Macy doesn't have update permissions.

5

Updating Permissions

Now let's alter our permissions and give Macy the ability to update the Document.

Updated permissions
6

Testing Updated Permissions

Let's run the check again with the updated permissions:

No files found in the specified folder path.
Successful permission check

Success! Macy can now perform all the actions, including updates.

warning

Cloud PDP is limited to RBAC policies only, with 1MB data restriction. For ABAC / ReBAC policies, you need to deploy a local PDP.

For production deployments, we recommend deploying a local PDP to minimize network latency and ensure high availability. Learn more in our Local Authorization Microservice guide.

What did you learn?

By configuring the Cloud PDP for policy checks, you've learned how to:

  • Import and initialize the Permit SDK in your project
  • Set up an enforcement point in your code using the check function
  • Validate user permissions against your configured policies in real time
  • Leverage the flexibility of the Cloud PDP to handle RBAC policy decisions seamlessly
FUN FACT!

Did you know that modern policy checks can process thousands of decisions per second?

Companies like Netflix use similar mechanisms to authorize every single request in their systems—whether it's playing a movie or accessing account settings.

What's next? 🎉

  • Set up a local PDP for enhanced performance
  • Configure your application for local authorization
  • Learn about monitoring and debugging your PDP

Amazing! You've mastered cloud policy checks.