Skip to main content
Version: 2.0.0

Basic Checks

There are many ways to use the permit.check() function within permit to enforce permissions. This can depend on the policy you are checking against and the granularity of the enforcement you need. Below we will talk about the different ways to compose the check function.

Simple check

The most basic enforcement you can create within your app is a simple Role-based Access Control (RBAC) policy.

The function accepts three parameters, a unique user id, and action and a resource.

const permitted = await permit.check("john@permit.io", "create", "document");

if (permitted) {
    console.log("John is PERMITTED to create a document");
} else {
    console.log("John is NOT PERMITTED to create a document");
}

Simple check with tenant definition

Tenants are silos or resources and users. You can pass a tenant as part of the resource object inside the permit.check() function.

const permitted = await permit.check("john@permit.io", "create", {
    type: "document",
    tenant: "companyA",
});
An illustrative use-case

You create two tenats. Tenant A and Tenant B. You can have the same user john@permit.io in both tenants, but the user might have a different role. John may be an Administrator in Tenant A, but he could be an Admin in Tenant B.

Enforce with attributes

As your company grows, you permissions will need to get much more granular, and you might have to check for specific attributes on a user or a resource to determine the conditions for which you will allow an authorization check to pass.

If you will need to check for conditions as you perform an enforcement, you will be working with the Attribute-based access control policy. Here, you can define extra attributes as part of the user id or resource by passing in a whole object.

If you want to learn about the different ways you can load data into Permit, check out the guide here.

const permitted = await permit.check(
    // the user object
    {
        // the user key
        key: "john@permit.io",
        // just-in-time attributes on the user
        attributes: {
            location: "England",
            department: "Engineering",
        },
    },
    // the action the user is trying to do
    "create",
    // Resource
    {
        // the type of the resource (the resource key)
        type: "document",
        // just-in-time attributes on the resource
        attributes: {
            hasApproval: "true",
        },
        // the tenant the resource belong to
        tenant: "companyB",
    }
);

Enforce based on relationships

As your system complexity increases, you will need to levarage Relationship-Based Access Control (ReBAC) to incorporate relationship checks into your enforcement. Unlike ABAC, ReBAC evaluates relationships between entities, enhancing the granularity of access controls.

You can configure all the relationships and their structure by following the UI guide or via the API guide.

In the code example below, we are checking if John has the assign permissions on a member group resource (that we defined in Permit beforehand).

await permit.check(userId, "assign", `member_group:${group}`);

Contents