Version: 2.0.0

Python SDK Examples

Init the SDK

import os

from permit import Permit

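# Build the SDK client that the rest of the examples use.
permit = Permit(
    # API key of the Permit environment to connect to. It is read from the
    # process environment (or inject it from a secrets manager) rather than
    # pasted into source, so the key never ends up in version control.
    # The variable name is an example; an unset variable raises KeyError at
    # start-up instead of sending requests with an empty key.
    token=os.environ["PERMIT_API_KEY"],
    # URL at which the SDK reaches the PDP container. Plain HTTP is shown
    # for a PDP listening on localhost.
    # NOTE(review): if the PDP is reached across a network, use a TLS
    # endpoint so authorization queries and answers are not sent in clear.
    pdp="http://localhost:7766",
    # Turns on SDK logs at debug level.
    # NOTE(review): debug output is verbose and may include the users and
    # resources being checked; confirm before leaving it on in production.
    log={"level": "debug", "enable": True},
)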

Resources

Create a resource

from permit import ResourceRead

# Definition of the "document" resource type: four actions and one boolean
# attribute. Roles can only be granted actions that are declared here, so
# the action list is the upper bound of what any role may do on a document.
document_definition = {
    "key": "document",
    "name": "Document",
    "urn": "prn:gdrive:document",
    "description": "google drive document",
    "actions": {
        "create": {},
        "read": {},
        "update": {},
        "delete": {},
    },
    "attributes": {
        "private": {
            "type": "bool",
            "description": "whether the document is private",
        },
    },
}

# Register the resource type and keep the object the API returns.
document: ResourceRead = await permit.api.resources.create(document_definition)

Update a resource

from permit import ResourceRead

# Key of the resource to change.
resource_key = "document"

# Fields to update.
# NOTE(review): the page does not say whether "actions" is merged into the
# existing action set or replaces it. If it replaces, create/read/update/
# delete would disappear from the resource and from the roles that rely on
# them. Confirm before running this against a live environment.
changed_fields = {
    "description": "wat",
    "actions": {
        "find": {},
    },
}

resource_after_changes: ResourceRead = await permit.api.resources.update(
    resource_key,
    changed_fields,
)

List all resources

from permit import ResourceRead

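# Fetch every resource defined in the environment.
# The annotation uses the builtin `list[...]` generic: the snippet imports
# only ResourceRead, so `List` would be an undefined name when this
# module-level annotation is evaluated.
resources: list[ResourceRead] = await permit.api.resources.list()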

Get a resource

Get a resource with key document:

from permit import ResourceRead

# Look a single resource up by its key.
resource_key = "document"
resource: ResourceRead = await permit.api.resources.get(resource_key)

Error handling

from permit import Permit, PermitApiError

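# Placeholder: construct the client with your own settings.
permit = Permit(...)

# A lookup for a key that does not exist is reported as a PermitApiError
# whose status_code is 404.
try:
    await permit.api.resources.get("nosuchresource")
except PermitApiError as e:
    if e.status_code == 404:
        print("not found")
    else:
        # Any other status is not the case handled here. Re-raise it so an
        # authentication, permission or server failure is never silently
        # dropped by code copied from this example.
        raise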

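# Creating an object whose key is already taken is reported as a
# PermitApiError whose status_code is 409.
try:
    await permit.api.resources.create(
        {"key": "document", "name": "document2", "actions": {}}
    )
except PermitApiError as e:
    if e.status_code == 409:
        print("already exists!")
    else:
        # Only the key conflict is expected here. Let every other API error
        # propagate, so the caller does not continue as if the resource had
        # been created.
        raise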

Roles

Create a role

from permit import RoleRead

# Role definition. Each permission string appears to pair a resource key
# with one of that resource's actions ("document:create"). Despite its name,
# this role is granted only create and read on documents, so list exactly
# the actions a role needs and nothing more.
admin_role = {
    "key": "admin",
    "name": "Admin",
    "description": "an admin role",
    "permissions": ["document:create", "document:read"],
}

admin: RoleRead = await permit.api.roles.create(admin_role)

Tenants

Create a tenant

from permit import TenantRead

# Tenant record. The key is what role assignments and permission checks
# refer to later on this page.
tenant_definition = {
    "key": "tesla",
    "name": "Tesla Inc",
    "description": "The car company",
}

tenant: TenantRead = await permit.api.tenants.create(tenant_definition)

Users

Create or update a user (sync user)

from permit import UserRead

# User record to create or update.
# NOTE(review): the key looks like an identity-provider subject id. Take it
# from the verified identity (for example a validated token), never from a
# value the client can choose, because permission checks are made against
# this key.
user_record = {
    "key": "auth0|elon",
    "email": "elonmusk@tesla.com",
    "first_name": "Elon",
    "last_name": "Musk",
    # Free-form attributes stored with the user.
    "attributes": {
        "age": 50,
        "favorite_color": "red",
    },
}

user: UserRead = await permit.api.users.sync(user_record)

Role Assignments

Assign a role to a user in a tenant

# A role assignment ties together a user key, a role key and a tenant key,
# so the grant applies inside that tenant only.
# NOTE(review): this page creates an "admin" role but not "viewer";
# presumably the role must already exist. Confirm before running.
assignment = {
    "user": "auth0|elon",
    "role": "viewer",
    "tenant": "tesla",
}

ra = await permit.api.users.assign_role(assignment)

List role assignments

# List the assignments of one role within one tenant. This is useful when
# reviewing who currently holds a role.
viewer_filter = {"tenant": "tesla", "role": "viewer"}
assignments = await permit.api.role_assignments.list(**viewer_filter)

You can also filter for multiple roles:

# Passing a list as `role` filters for several roles in one call.
multi_role_filter = {"tenant": "tesla", "role": ["viewer", "editor"]}
assignments = await permit.api.role_assignments.list(**multi_role_filter)

Checking Permissions

from permit import Permit

# Placeholder: construct the client with your own settings.
permit = Permit(...)

# For the RBAC policy to allow a request, all of the following must hold:
#   1) the user exists in the permit system (sync user was called for it)
#   2) the checked resource belongs to tenant X
#   3) the user holds at least one role in tenant X, the tenant that
#      contains the resource
#   4) a role assigned to the user carries the permission to perform the
#      checked action on the checked resource
subject_key = "auth0|elon"  # the user key
requested_action = "create"  # the action
target_resource = {
    # the type of the resource (resource.key)
    "type": "document",
    # the tenant that contains the resource
    "tenant": "tesla",
}

permitted = await permit.check(subject_key, requested_action, target_resource)

# NOTE(review): only a truthy result should open the allowed path. The page
# does not show what check() does when the PDP cannot be reached; make sure
# the caller denies in that case. Confirm against your SDK version.
print("permitted" if permitted else "denied")