Python SDK Examples

Init the SDK

from permit import Permit

permit = Permit(
    # the API key to the Permit environment you wish to connect to
    token="<YOUR_API_KEY>",
    # the url in which the SDK can connect to the PDP container
    pdp="http://localhost:7766",
    # use this to turn on sdk logs:
    log={"level": "debug", "enable": True},
)

Resources

Create a resource

from permit import ResourceRead

document: ResourceRead = await permit.api.resources.create(
    {
        "key": "document",
        "name": "Document",
        "urn": "prn:gdrive:document",
        "description": "google drive document",
        "actions": {
            "create": {},
            "read": {},
            "update": {},
            "delete": {},
        },
        "attributes": {
            "private": {
                "type": "bool",
                "description": "whether the document is private",
            },
        },
    }
)

Update a resource

from permit import ResourceRead

resource_after_changes: ResourceRead = await permit.api.resources.update(
    # the key of the resource
    "document",
    # updated fields
    {
        "description": "wat",
        "actions": {
            "find": {}
        }
    },
)

List all resources

from permit import ResourceRead

resources: List[ResourceRead] = await permit.api.resources.list()

Get a resource

Get a resource with key document:

from permit import ResourceRead

resource: ResourceRead = await permit.api.resources.get("document")

Error handling

from permit import Permit, PermitApiError

permit = Permit(...)

# handle not found error
try:
    await permit.api.resources.get("nosuchresource")
except PermitApiError as e:
    if e.status_code == 404:
        print("not found")
    else:
        ...

# handle cannot create object due to key conflict:
try:
    await permit.api.resources.create(
        {"key": "document", "name": "document2", "actions": {}}
    )
except PermitApiError as e:
    if e.status_code == 409:
        print("already exists!")
    else:
        ...

Roles

Create a role

from permit import RoleRead

admin: RoleRead = await permit.api.roles.create(
    {
        "key": "admin",
        "name": "Admin",
        "description": "an admin role",
        "permissions": ["document:create", "document:read"],
    }
)

Tenants

Create a tenant

from permit import TenantRead

tenant: TenantRead = await permit.api.tenants.create(
    {
        "key": "tesla",
        "name": "Tesla Inc",
        "description": "The car company",
    }
)

Users

Create or update a user (sync user)

from permit import UserRead

user: UserRead = await permit.api.users.sync(
    {
        "key": "auth0|elon",
        "email": "elonmusk@tesla.com",
        "first_name": "Elon",
        "last_name": "Musk",
        "attributes": {
            "age": 50,
            "favorite_color": "red",
        },
    }
)

Role Assignments

Assign a role to a user in a tenant

ra = await permit.api.users.assign_role(
    {
        # the user key
        "user": "auth0|elon",
        # the role key
        "role": "viewer",
        # the tenant key
        "tenant": "tesla",
    }
)

Checking Permissions

from permit import Permit

permit = Permit(...)

# in order to be permitted according to the RBAC policy, a few conditions must be met:
# 1) the user must exist in the permit system (you called sync user before)
# 2) the checked resource belongs to tenant X
# 3) the user has an assigned role in tenant X (the user must have at
# least one assigned role in the tenant that contains the resource)
# 4) the role assigned to the user must have the permission to perform
# the checked action on the checked resource
permitted = await permit.check(
    # the user key
    "auth0|elon",
    # the action
    "create",
    # the resource
    {
        # the type of the resource (resource.key)
        "type": "document",
        # the tenant that contains the resource
        "tenant": "tesla"
    },
)

if permitted:
    print("permitted")
else:
    print("denied")