#permify-help-archived


proper hinge
#

Hi devs, I am planning to build a SaaS app and have the following requirements:
Team/collaborator feature and access for specific members?
App is similar to this one: https://www.cloudcampaign.com/plans
The app can have multiple workspaces, and the admin can give a user access to a specific workspace or to all workspaces. The admin adds/removes users from a workspace. Any pointers or suggestions on how I can get started?
Note: I am using the MERN stack for app development


autumn oxide
#

Hey @proper hinge ,

Thanks for sharing. You can start by installing Permify, then model your authorization logic. Considering what you mentioned above, you can model your user and workspace relations like below:

#

entity user {}

entity organization {
    relation admin @user
}

entity workspace {
    relation org @organization

    action add_user = org.admin
    action remove_user = org.admin
}

#

If you could give more detail about the rest of the application I'd love to help structure it. Likewise, if you struggle anywhere on installation or implementation we can quickly help with that, or maybe hop on a call for it. Here is my calendar: https://calendly.com/ege-permify/30min

proper hinge
#

Let's say I have a MERN stack app. How do I integrate Permify? Do I need to make use of the Docker image? Is it not possible without Docker?

autumn oxide
#

Yes, you need to run Permify on Docker. SDKs (including Node.js) are coming soon, but for now I can help you with your implementation.

proper hinge
proper hinge
autumn oxide
#

Thank you for the issue @proper hinge, we're on it.

proper hinge
#

Thanks a lot 🙂 🙏 Actually this requirement/use case came to me when I was trying to onboard a few agencies who are serving B2B companies. This is a very basic requirement; without it, many companies try to stay away from the product. This is what I have observed and experienced when I was giving product demos to a few agencies. Let me know what you think about this idea.

autumn oxide
open geyser
#

Hi everyone, has anyone created a REST API using Node.js and Express? I have some doubts.
I'm making a REST API using Node.js and Express.
Doubts I have:

  1. How can we record and display the ratio of 200 OK vs errors? I'm able to show the 200 OK but not able to record it.
  2. How to use generate chaincode (a doc would be helpful).

Thank you.

autumn oxide
small drift
#

Hey everyone, I have an application that requires content & sharing access controls. We have content owners, content contributors, and team members who will have different permissions. I surfed around the Permify docs for a while and it seems it can cover my needs. But it would be awesome if I could get any help or suggestions for the system that I planned.

autumn oxide
small drift
#

Thanks @autumn oxide , just scheduled

ashen breach
#

Hey everyone, I am trying to pull the latest image of Permify using the command "docker pull permify/permify" but it is giving me this error:

Using default tag: latest
Error response from daemon: manifest for permify/permify:latest not found: manifest unknown: manifest unknown

Is there something that I might be doing wrong here? I am following this link: https://docs.permify.co/docs/installation

autumn oxide
#

"docker pull permify/permify:0.0.0-alpha1" command

#

Apart from this. If you struggle anywhere, we'd love to hear your use case and help on structuring your authorization model 🤗

ashen breach
#

Thanks man, I am trying to use this locally for a POC first; if I face some issues I'll let you know. 😄

weak hull
#

Hi Permify. I'm trying to learn how to model a use case where the entity being protected is protected based on an attribute of the entity, and not the ID of the entity itself. An example would be: I only want some users to be able to eat apples that are red, and some to be able to eat apples that are green. Then, what if I only want users to be able to eat apples that are red and big, and another group to be able to eat apples that are green and small? Any ideas to point me in the right direction?

autumn oxide
#

You can implement attributes by simply creating a relationship like:

apple:green#eat@user:2

This basically states that user 2 can eat green apples.

autumn oxide
sacred fern
#

Hi, we're in the process of establishing the infrastructure for an MVP of a social-ish platform. Currently we're using Hasura as the main backend, but we're sure we'll face the issue of a lack of advanced access policy management sooner rather than later and are looking into solutions. Is it possible, or even on the roadmap, to easily integrate with Hasura?

autumn oxide
#

Hi @sacred fern 👋

autumn oxide
inner cypress
#

I want to know whether it is possible to give time-based access while staying in Permify.

autumn oxide
velvet acorn
#

Hi guys,
how can I convert uintptr to []byte and also []byte to uintptr in Golang?

errant whale
velvet acorn
subtle mortar
#

Hi, I'm exploring Permify and I was following this step (https://docs.permify.co/docs/Installation#configuring-permify-schema-on-api) but I was unable to upload the schema. I tried with a GUI client (Insomnia) and with cURL without success. Does someone know what I am doing wrong?

curl --request POST \
  --url http://localhost:3476/v1/schemas/write \
  --header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
  --data '-----011000010111000001101001
Content-Disposition: form-data; name="schema"

entity user {}

entity organization {
    relation admin @user
    relation member @user

    action view_files = admin or member
    action edit_files = admin
}
-----011000010111000001101001--
'

I get this error:

{"errors":{"schema":"http: no such file"}}

Thanks

autumn oxide
icy tulip
#

Good morning, I am evaluating several Zanzibar-based implementations but none of them seem to have the idea of bulk permission checks when dealing with a large number of resources. I have seen that the data filtering endpoint will return a SQL statement. This would assume that the system of record for the data (not the authorizations) is SQL compliant. Is there a way to have the endpoint return all the entity store/ids instead of a SQL statement?

autumn oxide
# icy tulip Good morning, I am evaluating several Zanzibar based implementations but none of...

Hey @icy tulip, good morning

Actually we're trying to adopt the authorization model compliant with SQL, not the data itself. We mentioned it in our docs (you have probably seen it) and you can also see how we do that in the "bulk permission check" example on the Permify Playground.
https://play.permify.co/?sample=bulk-permission-check

About the last question, the reason we chose to return SQL rather than the actual entities themselves: using bulk permission check in large resource lists with pagination and sorting. Returning entities is not scalable if you have thousands of listed records that any user X can be authorized for. Still, we'll add an endpoint that returns just the ids of entities. Hope it solves your problem.

Apart from this, we're aware of the lack of bulk permission check in Zanzibar and are trying to come up with a solution for it. We'd love to hear your thoughts and needs about it and discuss with you as well 😊

icy tulip
#

I tried the playground but get a CORS issue on anything but the GitHub examples

autumn oxide
#

Thanks for sharing, we recently moved to gRPC and this error is related to that. We'll solve it within a couple of days.

#

@icy tulip I'll let you know when it's resolved 👍🏻 Other than that, we'd love to meet and discuss data filtering & your needs. 🤗

icy tulip
#

The gRPC bit seems to be resolved (playing with it tonight), but I found this to be interesting.

It would be interesting to allow other root "user" entities, like an alias of sorts, since "user" isn't always clear in different companies

#

Member is an alias for the notion of a User, but when User is an orphaned object in the visual graph it may put people off since it is not connected to anything

#

Hence why I tried to change it to a "member" instead, so the graph would be fully connected

#

I will have to play with the bulk checking a bit more outside the playground, since I need to check the CRUD scenario where a person can do a GET call on a collection which may have 10,000 records but pull back only what they implicitly have access to and explicitly have access to

#

I am curious, I don't recall it being said in Zanzibar: what is the permission model when conflicting? Implicit permissions vs an explicit permission being applied. Maybe the internal workings when creating a new User or User#Team relationship auto-generate all the appropriate permissions that exist for anyone that is a User or a User on the Team

autumn oxide
#

Hi @icy tulip

Thanks for the feedback. The user represents the one and only entity that every application commonly stores. That is why it is the default and cannot be replaced. You can create a member relation in account/organization, which has relation type user via @user, to get a fully connected graph with members. In most cases user hangs on the graph without any connection (because it does not have a relation inside it), and we might make a change to not show these non-connected entities in the graph. Could you open an issue about all of these user suggestions? Great topic to think about and discuss.

Actually, we designed the data filtering to solve the case you mentioned: being able to check permissions on thousands of resources. We thought that in most cases these records can be paginated and sorted (basically broken down) to check permissions, for example when showing those resources listed in a UI. That's why we return SQL to fetch these resources from your database, with the needed operations such as pagination and sorting added. Is this case similar to your usage?

About the last question you have, we actually manage conflicting implicit and explicit permissions with the "or", "and", "or not" and "and not" operators. As an example, a user can edit a document because he/she is the owner of this doc as well as one of the members of the organization that the doc belongs to, and we model this with the or operator.

silver sparrow
#

Where can I find an example of replicating data from my application database into permify?

autumn oxide
silver sparrow
#

I am trying to run the service locally and I am getting the following error when running the migrations:

type "xid8" does not exist

#

do I need to configure postgres in a certain way beforehand?

#

ohh looks like I need postgres 13+

autumn oxide
hasty reef
#

Hello everyone, how do I use permify/react-role with a React class?
Please help me

autumn oxide
jade flare
#

Hello I got error while writing a schema

autumn oxide
#

Hi @jade flare could you send the string here so we can examine it

jade flare
#
"entity user {}\n\nentity organization {\n\n    // organizational roles\n    relation admin @user\n    relation member @user\n    \n}\n\nentity repository {\n\n    // represents repositories parent organization\n    relation parent @organization\n    \n    // represents owner of this repository\n    relation owner  @user\n    \n    // permissions\n    action edit   = parent.admin or owner\n    action delete = owner\n    \n} "

#

@autumn oxide

autumn oxide
#

@jade flare It looks like the schema you sent worked on my local. Which Permify version do you use right now? The latest is v0.0.0-alpha9

jade flare
autumn oxide
# jade flare

@jade flare I looked at the first image again, and I guess it's throwing an error because of the field typo "shcema"

jade flare
#

@autumn oxide thanks! silly me 😄 my bad

#

now let me write my relationships

autumn oxide
jade flare
#

I got this error while writing a relationships

autumn oxide
#

Hey, we'll publish updated docs today. Some body params changed on a couple of endpoints, so here you need to use this raw body:

#

{
  "schema_version": "",
  "tuples": [
    {
      "entity": {
        "type": "",
        "id": ""
      },
      "relation": "",
      "subject": {
        "type": "",
        "id": "",
        "relation": ""
      }
    }
  ]
}

jade flare
#

okay! so tuples is an array now

autumn oxide
#

yes, from now on relations can be added in bulk with the tuples array []

jade flare
#

yes working got the snap token

autumn oxide
#

{
  "snap_token": "",
  "schema_version": "",
  "entity": {
    "type": "",
    "id": ""
  },
  "permission": "",
  "subject": {
    "type": "",
    "id": ""
  },
  "depth":
}

jade flare
#

yes, snap token is missing in the swagger documentation

#

let me check with this body

autumn oxide
#

yep sorry for that, docs will be updated in 1-2 hours max 🙂

jade flare
#

now I got this error for permission check

autumn oxide
#

Do you have an edit action in the organization entity? It looks like the edit action is related to repository

jade flare
#
"entity user {}\n\nentity organization {\n\n    // organizational roles\n    relation admin @user\n    relation member @user\n    \n}\n\nentity repository {\n\n    // represents repositories parent organization\n    relation parent @organization\n    \n    // represents owner of this repository\n    relation owner  @user\n    \n    // permissions\n    action edit   = parent.admin or owner\n    action delete = owner\n    \n} "

#

this is my schema

autumn oxide
jade flare
#

okay! understood

jade flare
#

Hello @autumn oxide, do you have an example docker-compose file for setting up Permify with a PostgreSQL database within the container, so I can set it up with the database as well?

autumn oxide
jade flare
#

okay! do let me know so I can check with nginx and Caddy server as well, behind a reverse proxy

#

because there is some issue with nginx with grpc proxy pass.

autumn oxide
autumn oxide
jade flare
#

sorry, I was not well yesterday; will deploy it today and let you know

flint solstice
#

Hello guys, I'm planning to use Permify and a gRPC service in my NestJS application. I have created a .proto file. Creating a schema works fine, but while getting the schema I get this error: ERROR [ExceptionsHandler] 13 INTERNAL: Response message parsing error: invalid wire type 4 at offset 608

autumn oxide
#

Hi @flint solstice, you're getting this error while using the writeSchema API, right? If that's the case, I have a couple of questions to better understand the problem here:

  1. Where and how do you test your gRPC service (via Postman, on the NestJS side, etc.)?
  2. Which version are you using (latest is v0.0.0-alpha9)?

flint solstice
#

Thanks @autumn oxide for the quick reply

  1. I am testing the gRPC service using NestJS code
  2. I am using the latest version, i.e. v0.0.0-alpha9

The Schema service's Write() works fine; I'm getting the issue with Read()

autumn oxide
#

We'll look at it and come up with an answer as soon as possible 🙂

flint solstice
#

Sure @autumn oxide, can you please confirm what type_url is here?
{
type_url: '\n\x04user\x12\x06\n\x04user',
value: <Buffer 0a 12 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 23 61 67 65 6e 74 12 17 0a 05 61 67 65 6e 74 12 06 0a 04 75 73 65 72 1a 06 0a 04 75 73 65 72>
}

autumn oxide
flint solstice
#

it is the response from Read() of the Schema service

autumn oxide
silver wyvern
#

hi, we are benchmarking authorization tools for our SaaS application. We have found several alternatives which implement Zanzibar. Can anyone help me understand the pros of Permify among those, such as Authzed and Ory Keto? @autumn oxide @sleek flicker

autumn oxide
#

Hi @silver wyvern, you can find the pros & cons in the table below. There are also approach differences in some features, such as data filtering, modeling, logging, etc.

#

@silver wyvern Other than technical aspects, the main difference is that we're strongly focused on developer experience and an easy-to-start deployment process. We're always building tools and workflows for your authorization lifecycle rather than just focusing on scalability.

silver wyvern
#

okay thanks a lot. We have tried a use case on the playground; it was easy to use, especially when compared to others.
I also have another question: how do we handle testing in Permify? Let's say I want to change the model; how can I validate the new authorization model and unit test the authorization logic?

#

also, scalability is not our concern for now, but it will be 🙂

autumn oxide
#

So the workflow is: when you update the model and push to GitHub, this action will trigger and validate the updated model, and if the test result is successful it pushes and sets the model.

autumn oxide
silver wyvern
#

thanks, i haven't checked this repo. 💯

bright shard
#

hi everyone, I have a question: does Permify have a web interface admin panel?
Maybe some external product?

autumn oxide
river fossil
#

Hello guys, I'm new to using react-role by Permify and have a question. Using the component <HasAccess/> I'm trying to use role and permission, and it only works with the first matching element. E.g., I have in the component role=admin, permission=create; so if my user has role=admin and permission=delete but no "create", the component doesn't hide the UI element. Does somebody know why this is happening? Please, thanks for your support.

autumn oxide
#

Hi @river fossil, welcome to our community, thanks for sharing the issue. Does the admin role have access to the component you're trying to hide? If so, that causes the issue. In particular, the HasAccess component checks whether the logged-in user's roles and permissions include the given parameters, basically the roles and permissions parameters.

river fossil
#

thanks for your prompt support. So the roles and permissions props work like an OR (||): if either one matches the user data, it will show the UI element. Is that right?

autumn oxide
#

yes, basically. If you say component A can be accessible if the user has an admin role, you can't hide it with other permissions or roles if the user has one role that makes it accessible.

river fossil
#

ok dear thanks a lot

flint solstice
#

Hi @autumn oxide, I am trying to use Postgres as my database for running Permify. I have added the following config.yaml file, along with other config:

database:
  engine: 'postgres'
  database: 'postgres'
  uri: 'postgres://postgres:postgres@localhost:5432'
  pool_max: 20

But it gives me this error:
{"level":"info","time":"2022-12-26T09:41:10Z","caller":"/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.0/command.go:916","message":"🚀 starting permify service..."}
{"level":"info","time":"2022-12-26T09:41:10Z","caller":"/home/runner/work/permify/permify/pkg/cmd/serve.go:71","message":"failed to connect to host=localhost user=postgres database=postgres: dial error (dial tcp [::1]:5432: connect: cannot assign requested address)"}

please help me here

#

I'm using Permify v0.0.0-alpha9, and Postgres 15

autumn oxide
#

Hi @flint solstice, thanks for sharing. It seems like the problem is related to the connection to the database. Can you check the connection credentials (db name, user name, password, etc.) again? By the way, the latest Permify version is v0.2.0; I'd suggest using that.

flint solstice
#

thanks @autumn oxide it works now

north crest
#

Hi, how can I connect to MongoDB? When I try to give MongoDB details in the config it throws an error saying "mongo connection is not supported"

autumn oxide
#

Hi @north crest, we're not supporting MongoDB right now. We supported it for a while but we deprecated it. However, we'd love to hear your use case and activate the Mongo support again.

north crest
#

As of now there is no use case as such. I am exploring Permify and wondering whether it supports NoSQL. Thanks for the reply. Will keep on exploring and if any help is needed will reach out for sure. Thanks again

north crest
#

Hi @autumn oxide, I am trying to connect Postgres but getting the following error:

panic: maxSize is less than 1

goroutine 1 [running]:
github.com/jackc/puddle.NewPool(...)
	/home/runner/go/pkg/mod/github.com/jackc/puddle@v1.3.0/pool.go:135
github.com/jackc/pgx/v4/pgxpool.ConnectConfig({0x10220e0, 0xc000048090}, 0xc0006940c0)
	/home/runner/go/pkg/mod/github.com/jackc/pgx/v4@v4.17.2/pgxpool/pool.go:208 +0x41f
github.com/Permify/permify/pkg/database/postgres.New({0xc00047fad0, 0x2b}, {0xc000524120, 0x8}, {0xc0005cda50, 0x1, 0x678101?})
	/home/runner/work/permify/permify/pkg/database/postgres/postgres.go:49 +0x1aa
github.com/Permify/permify/internal/factories.DatabaseFactory({{0xc000524110, 0x8}, {0xc000524120, 0x8}, {0xc00047fad0, 0x2b}, 0x0})
	/home/runner/work/permify/permify/internal/factories/database.go:17 +0x213
github.com/Permify/permify/pkg/cmd.serve.func1(0xc0000ee600?, {0x1687318?, 0x0?, 0x0?})
	/home/runner/work/permify/permify/pkg/cmd/serve.go:75 +0x21d
github.com/spf13/cobra.(*Command).execute(0xc0000ee600, {0x1687318, 0x0, 0x0})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:916 +0x862
github.com/spf13/cobra.(*Command).ExecuteC(0xc0000ee000)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968
main.main()
	/home/runner/work/permify/permify/cmd/permify/permify.go:27 +0x185

My config:

server:
  http:
    enabled: true
    port: 3476

  grpc:
    port: 3478

logger:
  level: 'debug'

authn:
  enabled: false
  keys: []

database:
  engine: 'postgres'
  database: 'postgres'
  uri: 'postgres://postgres:postgres@localhost:5432'
  pool_max: 20

autumn oxide
north crest
north crest
#

Hi @autumn oxide, the /v1/permissions/check API is not giving any output. It loads forever without any error or output.
I verified the use case in the playground; it works fine there. But the /permissions/check API is not responding. Could you please help me understand what I am doing wrong here?

north crest
# north crest Hi @autumn oxide /v1/permissions/check api is not giving any output . i...

this is my schema:

{
  "schema": "entity user {}\n\n entity organization {\n\n relation admin @user\n relation member @user\n\n action create_repository = (admin or member)\n action delete = admin\n }\n\n entity repository {\n\n relation owner @user\n relation parent @organization\n\n action push = owner\n action read = (owner and (parent.admin and parent.member))\n action delete = (parent.member and (parent.admin or owner))\n }"
}

north crest
# north crest this is my **schema **{ "schema": "entity user {}\n\n entity organization...

relationship tuples:

{
  "metadata": {
    "schema_version": "cf02o90t3ife7mtc7ln0"
  },
  "tuples": [
    {
      "entity": {
        "type": "repository",
        "id": "1"
      },
      "relation": "owner",
      "subject": {
        "type": "user",
        "id": "1",
        "relation": ""
      }
    },
    {
      "entity": {
        "type": "organization",
        "id": "1"
      },
      "relation": "member",
      "subject": {
        "type": "user",
        "id": "1",
        "relation": ""
      }
    },
    {
      "entity": {
        "type": "organization",
        "id": "1"
      },
      "relation": "admin",
      "subject": {
        "type": "user",
        "id": "1",
        "relation": ""
      }
    },
    {
      "entity": {
        "type": "organization",
        "id": "1"
      },
      "relation": "admin",
      "subject": {
        "type": "user",
        "id": "2",
        "relation": ""
      }
    },
    {
      "entity": {
        "type": "repository",
        "id": "1"
      },
      "relation": "parent",
      "subject": {
        "type": "organization",
        "id": "1",
        "relation": "..."
      }
    }
  ]
}

and the permission check is for:

{
  "metadata": {
    "snap_token": "7AIAAAAAAAA=",
    "schema_version": "cf02o90t3ife7mtc7ln0",
    "depth": 20
  },
  "entity": {
    "type": "organization",
    "id": "1"
  },
  "permission": "delete",
  "subject": {
    "type": "user",
    "id": "1",
    "relation": ""
  }
}

autumn oxide
errant whale
north crest
autumn oxide
#

If you have related questions, let us know 🙂

molten narwhal
#

Hey guys, I know a CLI doesn't exist at the moment, but how are you handling getting the schema .perm file into the database initially or when changes are made? I was thinking of setting up an npm script that, when run, posts to the Permify schema endpoint, but wasn't sure if there was a better or preferred way.

autumn oxide
#

Hi @molten narwhal, you can do it manually with our clients or raw API requests. But a CLI is on our roadmap; we are going to launch it at the beginning of March.

mystic canyon
#

I'm evaluating Permify as it seems to fit the exact use case for our app. I just want to clarify that I can do domain-based authorization and add the same user to, say, multiple organizations but with different roles.

autumn oxide
#

Hi @mystic canyon, actually we're almost finished building multi-tenancy support, with which you can create custom schemas and permissions for different apps/tenants and manage them in a single place. We'll launch it next Tuesday.

mystic canyon
#

@autumn oxide nice!

#

Is there some pre-release code I could test?

autumn oxide
mystic canyon
hallow mirage
#

Hi @autumn oxide, I have been trying this small use case, but it seems like I am doing something wrong. Could someone help me understand the issue here?

entity user {}

entity organization {
    relation member @user
}

entity parent {
    relation member @user
}

entity repo {
    relation org @organization
    relation parent @parent

    action push = org.member and not parent.member
}

Data as follows:

user:1 is member of organization:1
user:2 is member of organization:1
user:1 is member of parent:1
organization:1 is org of repo:1
parent:1 is parent of repo:1

Check:
1. can user:2 push repo:1
2. can user:1 push repo:1

The first one gives me false, which I believe is correct, and the second check is also giving me false. Please help me identify the issue here. Thanks in advance

autumn oxide
#

Since user:1 is a member of parent:1 and parent:1 is the parent of repo:1, the result is that user:1 acts as a parent member in repo:1. And that's why it's not authorized

hallow mirage
#

@autumn oxide Sorry, my doubt was about user 2. Why does "can user:2 push repo:1" give false, even though user 2 is not a member of parent:1?

autumn oxide
#

By the way, may I ask whether you are using our playground for this case?

autumn oxide
autumn oxide
# hallow mirage Yes

@hallow mirage Creating the use case in the playground right now, I'll get back to you in a couple of minutes

autumn oxide
#

@hallow mirage Hi again, we tested this case both with the playground and by serving the API via Docker. We're currently trying to identify the reason for it and will fix it asap. Again, thanks for sharing this. If you could open an issue about it, we can track it there: https://github.com/Permify/permify/issues

hallow mirage
autumn oxide
neat adder
#

Hi, I am unable to open the playground. It's just loading for a while. My bad

hallow mirage
runic pagoda
#

Hi, does Permify support multi-tenancy? Basically the ability to create a database per tenant to provide isolation. Are the APIs tenant aware? It looks like the Zanzibar consensus is to not support multiple databases and to have all tenants in one system/database using different namespaces.

autumn oxide
#

Hi @runic pagoda, we completed development of our multi-tenancy support and we're in the test phase right now. It will probably be released as soon as today/tomorrow. After this support, all the APIs will be tenant aware, and you can create custom schemas and permissions for different tenants and manage them in a single place.

neat adder
#

Hi, with # we can reach an entity relation. I tried to reach a relation like @team#project#tenant but it is not working. Is it not supported, or am I doing something wrong?

autumn oxide
#

Hi @neat adder, it's not working because the @team#project#tenant syntax is wrong. I'm assuming that the above syntax is in the form @entity#relation_1#relation_2; if that is the case, you cannot reach more than one relation of an entity with the # symbol. The only proper form is: @entity#relation

neat adder
autumn oxide
#

@neat adder No, it's not possible; you cannot make more than one relation call with the # symbol. Another thing: you're saying team is a relation, however in the above syntax "@team#project#tenant" team looks like an entity, so I'm confused about what you want to achieve here. Could you send me the schema you created so I can better understand the situation and help out?

neat adder
molten narwhal
#

Hey guys, I had a question on security that wasn't entirely clear/detailed in the docs.

We are setting up a Next.js app in Vercel. We plan on using Permify with serverless API endpoints and hosting the auth server and Permify database in Docker at another host (likely Cloud 66, but possibly AWS). I see authn: false listed in the Docker container config file. Is this the preferred method for securing the API endpoints communicating with the auth server running in Docker? It looks like private/public key pairs are how this is used?

autumn oxide
molten narwhal
#

@autumn oxide Yeah, that makes sense that we would enable authn: true. So this will prevent anything from posting to the Docker/auth server unless that token is passed along. Where in the Permify client in Node would we pass this in, or are you expecting an HTTP header with it included on each endpoint?

e.g. When I look at the POST write schema endpoint to the Permify auth server in the docs, I don't see a token being something we pass along as an HTTP header.

autumn oxide
#

But if you're planning to use REST/HTTP you need to pass it in the Authorization header as a Bearer token. We only have a gRPC client for now.

molten narwhal
#

Gotcha, okay. I appreciate the clarification. We will try using the gRPC client first then, as that seems simpler.

autumn oxide
neat adder
autumn oxide
autumn oxide
#

@neat adder I think I solved the situation, can you check it: https://play.permify.co/?s=ej. So basically you can reference actions from other actions. In this scenario, the repository edit action looks at and depends on the team action, which depends on project, and project in turn depends on the rule org.admin.

#

I created the following relation tuples in the playground link:

organization:1#admin@user:1
project:1#org@organization:1#...
repository:1#team@team:1#...
team:1#project@project:1#...

neat adder
#

@autumn oxide This works, but it doesn't seem to be a simple solution, since I am working on a project where I have many-level hierarchies and I need to give this kind of access more often. But thanks for your help.

autumn oxide
# neat adder @autumn oxide This works , but this doesn't seem to be a simple solution...

No worries @neat adder, if you have solution suggestions related to this kind of deeply nested hierarchy we'd love to discuss. This solution seems to us the easiest and most readable one without changing the schema syntax much. Apart from this, if you could share your full use case we'd love to discuss this topic according to that. Feel free to schedule a call: https://meetings-eu1.hubspot.com/ege-aytin

bronze plover
#

Hello everyone, how are you?

I'm evaluating open-source authorization services and I found Permify!
I read the documentation and I have some questions, I will be grateful if you can help me!

1. Am I able to get all the users and their permissions to a specific resource?
Example:
in organization:1
user:1 is owner
user:2 is member
user:3 is member

I would like something like this:
Request: which users have access to organization:1
Response: [ "user:1#owner", "user:2#member", "user:3#member" ]

2. About high availability, how can we achieve this with Postgres?
Maybe a cluster with a master (write) and N replicas (read) and many Permify replicas behind a LB.
However, I couldn't see a way to configure the read replicas to work as read-only.

3. About the cache, do we have a distributed cache like Redis, or does each instance have its own in-memory cache? How often is it updated?

4. About snap tokens, we have the following in the docs:

One way of doing that is storing the snap token in an additional column in your relational database.
Then this snap token can be used in endpoints. For example, it can be used in an access control check by sending it via the snap_token field to ensure the check result is as fresh as the previous request.

I don't know if I'm missing something, but I can't see it working well in a microservice architecture.
Example:

  • I have a dashboard service to manage the permissions; basically, this front-end will write tuples in Permify.
  • I have other services app1, app2, etc. These apps will check the permission in Permify every time a user tries to do some action.
  • So, will I need to store the snap token in app1 or app2 every time a change is performed in the dashboard?

runic pagoda
#

Hi edgardorobles 9326 we completed

languid relic
#

Hi @everyone. Is it possible to have ABAC in Permify? any example pls

autumn oxide
bronze plover
autumn oxide
# bronze plover Hello everyone, how are you? I'm evaluating open-source authorization services...

Hello @bronze plover , we’re fine thank you, hope everything is fine on your side too.

Thanks for sharing your questions, I’ll be trying to answer each of them briefly, correct me if I misunderstand something 🙂

  1. We don’t have a specific endpoint that achieves that at the moment, but you can probably achieve the same thing with the Expand API (https://permify.co/docs/api-overview/permission/expand-api), to which you give an entity and a permission, and it returns all subjects (users and usersets) that have that relationship with the entity and permission.

  2. About this topic, we can do this configuration by adding a “database-readonly” field to our config yaml file; if you could open an issue about it we’ll develop and launch it as soon as the end of this week.

  3. We don’t have a distributed cache, currently we’re using an in-memory cache only. About the update frequency of this cache, we’re applying the MVCC technique (http://mbukowicz.github.io/databases/2020/05/01/snapshot-isolation-in-postgresql.html), with which we store check requests/decisions according to their schema version, tenant_id and snap token. So in particular we don’t update the cache; the cache returns fresh data when needed according to the given snap token.

  4. Firstly, we suggest doing write operations on the server side, particularly inside the database transactions where you write to your application databases; writing them on the client side can cause inconsistency problems at scale. You can see the suggested workflow for writing tuples here —> https://permify.co/docs/api-overview/relationship/write-relationships#suggested-workflow

#

About the case you mentioned: basically the snap tokens are stored in the writeDB and should be stored in your application databases as well. So yes, you should store snap tokens in the database which app1 and app2 interpolate. It's important to note that snap tokens are designed to avoid data inconsistencies and improve performance at scale, so it’s not mandatory to use them. You can get fresh data without using snap tokens if performance is not that big an issue for you.

Apart from those, we’d love to learn your use case and have a chat about these issues and as well as discuss how we can help on authorization in general: So feel free to schedule a call from here: https://meetings-eu1.hubspot.com/ege-aytin

bronze plover
# autumn oxide Hello @bronze plover , we’re fine thank you, hope everything is fine on ...

I would like to follow the second model (not store relationships on my app side), this is the main idea of having an authorization service.
https://permify.co/docs/api-overview/relationship/write-relationships#relationships-that-not-stored-in-application-database

That is the reason for question 1: be able to get all resources that a user has access, because I won't have relationships on my app side.

bronze plover
autumn oxide
bronze plover
#

Hello guys, how are you?

Another question ...
If I don't use a snap token, how long does a change (write operation adding a new tuple) take to be reflected in check permission?

Is there documentation about the algorithm/strategy used to process the tuples in the database?

autumn oxide
#

Snap token comparison

bronze plover
#

@autumn oxide you talked about https://permify.co/docs/api-overview/permission/expand-api to get all user with a relation with a resource. But the documentation says the action is required.
Am I able to use a wildcard in action field?

{
    "entity": {
        "type": "repository",
        "id": "1"
    },
    "action": "*"
}

instead of

{
    "entity": {
        "type": "repository",
        "id": "1"
    },
    "action": "read"
}
I would like to get all users, doesn't matter the action/relation.
autumn oxide
#

[Q] Expand API fields

bronze plover
#

Hello, how are you guys? 🤘

Based on this schema:

entity user {}
entity course {
    relation owner @user
    relation member @user
    action read = owner or member
    action write = owner
}
entity program {
    relation owner @user
    relation member @user
    action read = owner or member
    action write = owner
}

We can have:
For alice user:
1. course:1#owner@user:alice
2. course:2#member@user:alice

For alex user:
1. program:1#owner@user:alex
2. program:2#member@user:alex

Question:
How can I have an admin user who will be able to manage all resources?
This would be an application and not resource level permission. I only want to set/check if the user has a role (admin), without having to add a permission to each resource type as below:
course:*#owner@user:admin and program:*#owner@user:admin

runic pagoda
#

HI, does permify provide a similar API to the watch api in zanzibar and other?

autumn oxide
#

[Q] Watch API

molten narwhal
#

Hey, does anyone know if permify/react-role is the preferred method for getting permify going in React and communicating with WriteDb?

It isn't really mentioned in the docs. It almost looks standalone but the components and hooks look useful if they would hook into our permify instance.

onyx stirrup
autumn oxide
molten narwhal
#

Hey @autumn oxide, do you know what the best approach you recommend for seeding initial relations/permissions data into writeDb? e.g) add a system admin account that is authorized to start creating users.

autumn oxide
#

Initial Data Implementation

molten narwhal
#

I assume so, the docs just weren't showing it.

autumn oxide
#

@molten narwhal Yes, since we moved to a tenancy-based infra, almost all endpoints have a tenant id, including the delete API too. Thanks for letting us know, we’re fixing it.

zenith torrent
#

@autumn oxide we are trying to deploy Permify to Cloud66, but get the following error when the service tries to start

zenith torrent
neat adder
#

Hi @autumn oxide I am trying to test permify on my local,
few queries:

  1. How can I configure DB and which DB would be most performant?
  2. After writing schema using schema api , can we change it , if yes then how?
autumn oxide
#
  1. You can’t change an existing schema, but you can create a new one. We provide schema versions to use on the APIs. If you prefer not to use the schema_version param, Permify automatically uses the latest schema on API calls.
waxen hamlet
#

Hi @autumn oxide I hope you are doing well. I am exploring permify for a couple of days. I am not sure if it covers all my use cases. Need your input.

In our app we need to have different access policies. Think of it like an AWS IAM like policies.
There is an admin panel on the web app where admins can create/update/delete policies or assign/remove polices to resources.
As our growing use cases, we need to have schema/policies as much flexible as possible i.e. we are able to update/create policies at any time.

Let me know if that makes sense. I am here to clarify anything further if needed. Please respond at your earliest.

We are using Node.js and Next.js as our main tech-stack.

autumn oxide
waxen hamlet
autumn oxide
#

If you struggle anywhere ping me anytime ✌🏻

dense totem
#

Hi, I'm modeling using the playground and getting the following error: "ERROR CODE NOT SUPPORTED RELATION WALK"

dense totem
# dense totem Hi, I'm modeling using the playground and getting the following error: "ERROR CO...
entity user {
    relation org @org
    relation trainer @org#trainer
}

entity org {
    relation parent @org
    relation admin @user
    relation clerk @user
    relation trainer @user

    action invite_user = admin or parent.admin
}

entity user_profile {
    relation owner @user

    action edit = owner
    action view = owner or owner.trainer
}

entity training_session {
    relation client @user

    action view = client or client.trainer or client.org.admin
}
dense totem
dense totem
autumn oxide
autumn oxide
waxen hamlet
# autumn oxide You can look at modeling and the common use cases sections, respectively: https:...

@autumn oxide thanks for your response. As said earlier I am not really interested in RBAC schema modeling. I want to have PBAC. Meaning I am able to create/update/delete/assign/remove polices to users based on their roles/groups/attributes from an ADMIN panel. I dont find such support in the docs. Can you plz confirm if permify support this. If so plz point me to the docs where I can learn more about creating/updating and assigning policies.

Hi @Ussama, thanks for sharing, so you can create different schemas as policies and use them with various groups of resources.

autumn oxide
waxen hamlet
neat adder
#

hi @autumn oxide
can you explain the permission read api's body?
{
  "metadata": { "snap_token": "string" },
  "filter": {
    "entity": { "type": "string", "ids": [ "string" ] },
    "relation": "string",
    "subject": { "type": "string", "ids": [ "string" ], "relation": "string" }
  },
  "page_size": 0,
  "continuous_token": "string"
}

autumn oxide
#

[Q] Read API

surreal musk
autumn oxide
#

About ABAC

frigid marten
#

Hello, I'm trying to run a local permify server and I used permify-gorm to initialize the database tables in mysql, but I would like to add a prefix to the table names and there's no such option in permify-gorm. I looked at the server configuration page, https://docs.permify.co/docs/reference/configuration, and it doesn't show a way either under the database configuration. A version of permify-gorm, https://pkg.go.dev/github.com/galexrt/go-role#Options, has the TablePrefix field but I can't import it.

#

How do I setup a local permify server connected to mysql and have it create the needed tables with a prefix?

errant whale
#

Hey @frigid marten , looks like the current version of go-role doesn't have the TablePrefix feature you're looking for. But we're here to help! Just open an issue on our GitHub page at https://github.com/Permify/go-role/issues and we'll get right on it. Thanks.

frigid marten
icy tulip
#

Is there a verbose mode on the Validator command line tool?

This error message in a 100+ line file is not very useful

autumn oxide
#

Verbose Mode in Validator

errant whale
#

Table Prefix Feature

icy tulip
#

I started a thread on Hierarchical relations with most explicit permissions. Trying to find the best way to model the scenario #1092143723191750747 - If you know of a way, please let me know

autumn oxide
icy tulip
#

I could be missing something, but why are these 2 equivalent?

 relation viewer @organization#member @system#member @company#viewer
 action view = viewer
 relation company @company // assume company has a viewer action
 relation viewer @organization#member
 action view = viewer or company.viewer
autumn oxide
#

[Q] Equal Modeling Cases

frigid marten
#

How do you do pagination in permify? You can stream or get all the resources at once but can you paginate like mysql, giving a limit and an offset?

topaz plaza
#

Hi !
I am trying to build an authorization system with a few advanced features.
I am benchmarking different solutions. I would love to use Permify because it's open source, but I am not sure if it can handle all my requirements.
Can you give me a hint how can I implement those features with Permify?

  • Custom roles (role created by the users at runtime)
  • Assign a role to user in a team (a user can have different roles in different teams)
tropic pagoda
#

hi, I'm Ali
can I talk to anyone who has experience in handling permission and privilege management with Permify?
I mean Permify by default is handling authorization with user id and entity id, but I need to handle it by just entity types
I would appreciate a voice chat with anyone who is experienced with this
thanks in advance

autumn oxide
autumn oxide
errant whale
#

Lookup Entity Pagination

dire wagon
#

Hi a silly question just wanted to know if i understand correctly
so we use firebase for authentication and were using customClaims for authorisation now we wanted to switch to permify so basically when we create user on our organisation (on firebase) we need to create relations on that auth id and for user to give access to resources
Thanks in advance

autumn oxide
tropic pagoda
#

@autumn oxide hi i think permify`s doc needs a search functionality

icy tulip
#

So you can create a tenant with the name "foo-bar" but when you use the tenant ID in another call it fails validation of tenant ID

errant whale
#

Tenant ID Validation

dire wagon
#

Hi, I have set up permify on kubernetes. How can I ensure that only services on the eks cluster can access permify? How can I set up a basic-auth-like system for it?

autumn oxide
#

API Authentication

icy tulip
#

How do you set the path for the config file? or where is the default path that it is picking up a config file? using 3.5

errant whale
icy tulip
#

What about running it locally without docker?

#

I have the binary available - is the config expected to be next to the binary? Is there a roadmap item to allow a flag like -c <config file path>

errant whale
#

You can do it using flags. We don't have a solution for using a file with the binary yet, but we can add it to our roadmap.

dire wagon
#

Hi I am not able to connect with postgres locally getting
{"level":"info","time":"2023-04-13T11:49:04Z","caller":"/home/runner/work/permify/permify/pkg/cmd/serve.go:83","message":"failed to connect to host=localhost user=nonroot database=test: dial error (dial tcp [::1]:5432: connect: cannot assign requested address)"}
this error

# including whether or not TLS is enabled and the certificate and
# key file locations.
server:
  http:
    enabled: true
    port: 3476
  grpc:
    port: 3478

# The logger section sets the logging level for the service.
logger:
  level: 'debug'

# The authn section specifies the authentication method for the service.
authn:
  enabled: true
  method: preshared
  preshared:
    keys: ["abc"]
# The database section specifies the database engine and connection settings,
# including the URI for the database, whether or not to auto-migrate the database,
# and connection pool settings.
database:
  engine: 'postgres'
  uri: 'postgres://localhost:5432/test'
  auto_migrate: true
  max_open_connections: 20
  max_idle_connections: 1
  max_connection_lifetime: 300s
  max_connection_idle_time: 60s
  garbage_collection:
    enable: true
    interval: 3m
    timeout: 3m
    window: 30d
    number_of_threads: 1
autumn oxide
#

Issue on Connecting Postgres

dire wagon
#

@errant whale db uri does not take special character password ?

errant whale
#

Hello @dire wagon , we are using Viper (github.com/spf13/viper) to unmarshal the config.yaml file. We haven't written any validation for the URI yet. If you provide special characters you're using, I can test it for you.

dire wagon
#

I am using XXXX:&XXX like password in URI

#

example Test:&sa213

errant whale
#

Hi @dire wagon , I tried but didn't get any error. If there are any logs available, could you please share them with me?

dire wagon
#

@errant whale I made a mistake in uri

sacred apex
#

Hi, does Permify not support upper-case permission values? I use an upper-case action in the schema, and I got this error when trying to look up an entity:

rpc error: code = InvalidArgument desc = invalid PermissionLookupEntityRequest.Permission: value does not match regex pattern "^([a-z][a-z0-9_]{1,62}[a-z0-9])$"
BTW: the Permify playground works

autumn oxide
#

Upper Case Permission Error

tropic pagoda
#

hi everyone
while writing a new relationship, what is subject relation?

sleek flicker
#

Hey @tropic pagoda,

A subject relation defines a nested relation between an entity and its relation.

For instance, you have a repository maintainer which is defined as organization member so in that case

{
  "entity": { "type": "document", "id": "1" },
  "relation": "maintainer",
  "subject": { "type": "organization", "id": "2", "relation": "member" }
}
In your example subject relation is "..."

"..." is used when the subject type is different from the user entity. "#..." represents a relation that does not affect the semantics of the tuple.

Simply, the usage of ... is straightforward: if you use the user entity as a subject, you should not be using the ... If you're using another subject rather than the user entity, then you need to use the ...

normal rivet
#

Does Permify support dynamic attributes for permission checks? Ex: If someone is working from the office IP space we'll allow access to a particular sensitive resource, but when at home via the different VPN IP space we'll block it.

autumn oxide
#

Hi @normal rivet, as far as I understand you're referring to sending the attributes at check time. We don't have it right now; if you could open an issue we'll examine and schedule it. Additionally, we're currently building support for attributes (ABAC), and you can attach the dynamic requests there too: https://github.com/Permify/permify/issues/255

normal rivet
#

Thanks @autumn oxide for the answer. We're currently evaluating many different ReBAC options for a new project (including purchasing a support contract). Since this functionality will be a foundational component, we want to make sure it's very resilient. Is there any documentation describing how failures are handled, or how to deploy to ensure high availability? Ex: what happens if the DB is down, what happens if an EC2 instance hosting permify goes bad, etc...? Thanks 😃

errant whale
#

Hello @normal rivet ! Unfortunately, we don't have specific documentation on handling this kind of failures. However, you can refer to the errors.proto file (https://github.com/Permify/permify/blob/master/proto/base/v1/errors.proto) on GitHub for a list of possible errors that may occur. Additionally, we would be happy to schedule a meeting to discuss your requirements and concerns in detail. Please use the following link to set up a meeting with Ege Aytin: https://meetings-eu1.hubspot.com/ege-aytin. Thanks

normal rivet
#

Hi team, we noticed the Github example on https://play.permify.co included a relationship like relation owner @user @organization#member. In order to understand what that meant, I was hoping to add some new edges and see how that affected authorization checks. However on macOS with both Firefox and Chrome, I'm unable to add an edge. I assume I'm doing something wrong. From a fresh reload of the Github example I click New in Authorization Data, select the Entity Type user, fill in Entity ID x, and then can't fill in any other field. What's the right way to do this? Thanks 😃

errant whale
#

Hi @normal rivet , it seems like you need to perform operations on an entity in the current scenario. As far as I understand, you want to assign a direct user or a member of an organization as an owner. To do this, you can use the following setup:

Entity: repository - x - owner
Subject: organization - y - member

Entity: repository - x - owner
Subject: user - y

About the relation definition relation owner @user @organization#member , you can use # to represent relationships between entities. When you see @organization#member, it indicates that if a user has a relationship with the team, this relationship can only be as a member. This is called feature locking, as it effectively locks the relationship type according to the prefixed entity.
The primary purpose of feature locking is to allow you to specify the sets of users that can be assigned. For example, consider the following relation:

relation owner @user

When defined this way, you can only add users directly as tuples (you can learn more about relation tuples in the following section):

  • repository:1#owner@user:U1
  • repository:1#owner@user:U2

However, if you define it as:

relation owner @user @organization#member

You will then be able to specify not only individual users but also members of an organization:

  • repository:1#owner@user:U1
  • repository:1#owner@user:U2
  • repository:1#owner@organization:O1#member

You can think of these definitions as a safeguard against creating unwanted user set relationships.
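
The two explanations above (subject relations and the `...` placeholder, and `@organization#member` usersets) describe one string grammar for tuples. The following is an added example, not code from Permify or from anyone in this thread: a parser that turns `entity:id#relation@subject:id#relation` strings into the nested JSON shape of the Write API and rejects the tuple shapes the thread says are invalid. The identifier regex is the one quoted from the InvalidArgument error earlier in this channel; applying it to relation names as well as permission names is an assumption, as is filling in `...` for a plain entity subject.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Pattern quoted from the InvalidArgument error above (assumed to apply to relation names too).
var identRe = regexp.MustCompile(`^[a-z][a-z0-9_]{1,62}[a-z0-9]$`)

// Ref is an entity or subject reference; Relation is only ever set on subjects.
type Ref struct {
	Type     string `json:"type"`
	ID       string `json:"id"`
	Relation string `json:"relation,omitempty"`
}

// Tuple is one relationship: Entity#Relation@Subject.
type Tuple struct {
	Entity   Ref    `json:"entity"`
	Relation string `json:"relation"`
	Subject  Ref    `json:"subject"`
}

func parseRef(s string) (Ref, error) {
	var r Ref
	if head, rel, ok := strings.Cut(s, "#"); ok {
		s, r.Relation = head, rel
	}
	typ, id, ok := strings.Cut(s, ":")
	if !ok || typ == "" || id == "" {
		return Ref{}, fmt.Errorf("expected type:id, got %q", s)
	}
	r.Type, r.ID = typ, id
	return r, nil
}

// ParseTuple validates and parses one tuple string. Rules taken from the thread:
// the entity side always carries "#relation"; a user subject never carries a
// subject relation; any other subject carries one, and gets "..." when the
// string names none (e.g. carrier:1#org@organization:1).
func ParseTuple(s string) (Tuple, error) {
	left, right, ok := strings.Cut(s, "@")
	if !ok {
		return Tuple{}, fmt.Errorf("missing '@' in %q", s)
	}
	ent, err := parseRef(left)
	if err != nil {
		return Tuple{}, err
	}
	if ent.Relation == "" {
		return Tuple{}, fmt.Errorf("entity side of %q needs '#relation'", s)
	}
	if !identRe.MatchString(ent.Relation) {
		return Tuple{}, fmt.Errorf("relation %q does not match %s", ent.Relation, identRe)
	}
	subj, err := parseRef(right)
	if err != nil {
		return Tuple{}, err
	}
	switch {
	case subj.Type == "user" && subj.Relation != "":
		return Tuple{}, fmt.Errorf("user subject %q must not carry a subject relation", right)
	case subj.Type == "user":
		// direct user: nothing to add
	case subj.Relation == "":
		subj.Relation = "..." // plain entity as subject, per the explanation above
	case subj.Relation != "..." && !identRe.MatchString(subj.Relation):
		return Tuple{}, fmt.Errorf("subject relation %q does not match %s", subj.Relation, identRe)
	}
	return Tuple{Entity: Ref{Type: ent.Type, ID: ent.ID}, Relation: ent.Relation, Subject: subj}, nil
}

// ToJSON renders the tuple in the nested form used for the Write API body.
func ToJSON(t Tuple) string {
	b, _ := json.MarshalIndent(t, "", "  ")
	return string(b)
}

func main() {
	for _, s := range []string{
		"repository:1#owner@user:U1",
		"repository:1#owner@organization:O1#member",
		"carrier:1#org@organization:1",
		"repository:1#Owner@user:U1", // rejected: upper-case relation
	} {
		t, err := ParseTuple(s)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println(ToJSON(t))
	}
}
```

Running ParseTuple over tuples before they are sent keeps InvalidArgument responses (like the regex error quoted above) out of the request path, and makes a misplaced `#member` on a user subject a local error rather than a silent schema mismatch.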

normal rivet
#

Sweet, thank you

tropic pagoda
#

hi, what happens if I don't pass a snap token to the check API? Will it respond with the latest status?

autumn oxide
#

yes @tropic pagoda, if you don't pass the snap token it will automatically fetch the latest one.

toxic mesa
#

Hi, is there an API to fetch info about "what action(s) user:x can perform on object:y"? this is useful when applying frontend permissions controls (e.g. display / hide buttons or pages depending on what user can do) without firing too many api calls to backend

autumn oxide
toxic mesa
#

will do. thanks Ege!

tropic pagoda
#

hi can i create a global schema for all tenants

#

?

autumn oxide
#

Hi @tropic pagoda, all tenants are isolated from each other so unfortunately there is no such thing as global schema for all tenants

tropic pagoda
#

hi does permify support mysql ?

autumn oxide
#

Hi again @tropic pagoda, the only database we support right now is postgresql.

tropic pagoda
#

what about mongo i saw a video in your youtube channel

autumn oxide
toxic mesa
#

Hi, I tried to use config.yaml file but it seems that permify does not respect the value I provided. here is my command:
docker run -p 3476:3476 -p 3478:3478 -v config.yaml:/config ghcr.io/permify/permify serve
is there any thing wrong with it?
thank you!

#

I deliberately put the wrong password of my database, but it is still successfully started 😅

autumn oxide
#

Deployment in Docker

toxic mesa
#

Hi, I am getting this error

rpc error: code = InvalidArgument desc = ERROR_CODE_UNIQUE_CONSTRAINT

permify logs:

Fine-grained Authorization System v0.4.0
{"level":"info","time":"2023-05-14T17:09:09Z","caller":"/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:940","message":"🚀 starting permify service..."}
2023/05/14 17:09:09 goose: no migrations to run. current version: 20230118185622
{"level":"info","time":"2023-05-14T17:09:09Z","caller":"/home/runner/work/permify/permify/pkg/cmd/serve.go:312","message":"🚀 grpc server successfully started: 3478"}
{"level":"info","time":"2023-05-14T17:09:09Z","caller":"/home/runner/work/permify/permify/pkg/cmd/serve.go:312","message":"🚀 http server successfully started: 3476"}
{"level":"info","time":"2023-05-14T17:09:21Z","caller":"/home/runner/work/permify/permify/internal/servers/tenancyServer.go:42","message":"ERROR_CODE_UNIQUE_CONSTRAINT"}
#

NewPermify function:

// NewPermify creates a new Permify instance
func NewPermify(cfg *config.Config) *Permify {
    // generate new client
    client, err := permify.NewClient(
        permify.Config{Endpoint: fmt.Sprintf("%s:%d", cfg.ThirdParty.Permify.GrpcHostname, cfg.ThirdParty.Permify.GrpcPort)},
        grpc.WithTransportCredentials(insecure.NewCredentials()),
    )
    if err != nil {
        log.Panic().Err(err).Msg("failed to create permify client")
    }

    // Create a new tenant
    _, err = client.Tenancy.Create(context.Background(), &v1.TenantCreateRequest{
        Id:   globals.PermifyTenantID,
        Name: globals.PermifyTenantName,
    })
    if err != nil {
        log.Panic().Err(err).Msg("failed to create permify tenant")
    }

    // Write schema
    sr, err := client.Schema.Write(context.Background(), &v1.SchemaWriteRequest{
        TenantId: globals.PermifyTenantID,
        Schema:   config.PermFile,
    })
    if err != nil {
        log.Panic().Err(err).Msg("failed to write permify schema")
    }

    return &Permify{
        Client:              client,
        SchemaWriteResponse: sr,
    }
}
const (
    // PermifyTenantID holds the tenant id for permify
    PermifyTenantID = "t2"
    // PermifyTenantName holds the tenant name for permify
    PermifyTenantName = "tenant 1"
)

const (
    // PermifyCheckDepth is the depth of the check
    PermifyCheckDepth = 50
)
#

here is my docker-compose:

permify:
    image:  ghcr.io/permify/permify:latest
    command: "serve --database-engine postgres --database-uri postgres://permify_user:somePassword@permify-db:5432/permify --database-max-open-connections 20"
    restart: "always"
    container_name: permify
    networks:
      - intranet
    ports:
      - "3476:3476" # HTTP
      - "3478:3478" # GRPC
    depends_on:
      - permify-db

  permify-db:
    image:  postgres:alpine
    container_name: permify_db
    environment:
      POSTGRES_USER: permify_user 
      POSTGRES_PASSWORD: somePassword 
      POSTGRES_DB: permify
    ports:
      - "5434:5432"
    networks:
      - intranet
    restart: unless-stopped

The problem is occurring only if I use postgres database. Without it, i.e, in in-memory everything works fine

#

for in memory

permify:
    image:  ghcr.io/permify/permify:latest
    command: "serve"
    restart: "always"
    container_name: permify
    ports:
      - "3476:3476" # HTTP
      - "3478:3478" # GRPC
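
The NewPermify function above calls Tenancy.Create with the fixed id "t2" on every start, which succeeds against the in-memory store (fresh each time) but collides with the persisted tenant on Postgres. The following is an added example, not Permify's code or the poster's: an idempotent bootstrap that treats the unique-constraint error as "already exists" instead of panicking. It talks to a small TenantCreator interface instead of the real gRPC client so it runs offline; the fake server and the error string it returns are modelled on the log line quoted above, and matching on that string (rather than a gRPC status code) is an assumption for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// TenantCreator is the single call the bootstrap needs from the Permify
// tenancy client; an interface keeps this example runnable without gRPC.
type TenantCreator interface {
	Create(ctx context.Context, id, name string) error
}

// EnsureTenant creates the tenant on the first run and treats the unique
// constraint error on every later run as "already exists" instead of a fatal
// startup error. It reports whether this call was the one that created it.
func EnsureTenant(ctx context.Context, c TenantCreator, id, name string) (bool, error) {
	err := c.Create(ctx, id, name)
	switch {
	case err == nil:
		return true, nil
	case strings.Contains(err.Error(), "ERROR_CODE_UNIQUE_CONSTRAINT"):
		return false, nil // tenant persisted from an earlier run; nothing to do
	default:
		return false, fmt.Errorf("create tenant %q: %w", id, err)
	}
}

// fakeTenancy stands in for a Postgres-backed server: the first Create for an
// id succeeds, later ones fail with the error string seen in the logs above.
type fakeTenancy struct{ existing map[string]bool }

func newFakeTenancy() *fakeTenancy { return &fakeTenancy{existing: map[string]bool{}} }

func (f *fakeTenancy) Create(_ context.Context, id, _ string) error {
	if f.existing[id] {
		return errors.New("rpc error: code = InvalidArgument desc = ERROR_CODE_UNIQUE_CONSTRAINT")
	}
	f.existing[id] = true
	return nil
}

func main() {
	f := newFakeTenancy()
	for i := 1; i <= 2; i++ { // simulate two service restarts against the same database
		created, err := EnsureTenant(context.Background(), f, "t2", "tenant 1")
		fmt.Printf("restart %d: created=%v err=%v\n", i, created, err)
	}
}
```

With the real client, a one-method adapter around client.Tenancy.Create satisfies TenantCreator; any other error (database unreachable, wrong credentials) still surfaces, so the service does not start with an unknown tenant state.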
earnest cape
autumn oxide
#

Hello @earnest cape, we support custom, user-defined roles, and the process for implementing them is similar to that in OpenFGA. This involves updating the schema and setting up the corresponding relations. More specifically, to add a new role and assign it to a user when using Permify:

  1. Modify the schema by adding the role as a relation. You can find the suggested workflow for schema changes here: https://docs.permify.co/docs/api-overview/schema/write-schema#suggested-workflow-for-schema-changes.

  2. Create relation tuples to establish the relationship between the user and the defined role. You can use our writeAPI at https://docs.permify.co/docs/api-overview/relationship/write-relationships.

  3. Test new authorization model (schema) and the scenarios with permify validate action. You can find the details from here: https://docs.permify.co/docs/getting-started/testing

For now, what we don't have is an API or a more automated way to manage custom roles, especially at runtime.

earnest cape
#

Oh awesome! I'll definitely be taking a look at this, thanks @autumn oxide 😄

toxic mesa
errant whale
#

Unique Constraint Violation

bronze plover
earnest cape
#

Great question! A few reasons

  1. I just got off of a call with the co-founders and the experience that they brought to the table was amazing. The hospitality was wonderful and I'm definitely sold on the product
  2. I was originally using Auth0 FGA and it added 800ms to every single API request that I had. Running permify, even just through docker compose, only added 7ms
  3. I honestly just like the DSL and DX a little bit more, and the multi tenancy is huge
bronze plover
earnest cape
#

This is likely an incredibly stupid error, but has anyone seen the following

ClientError: /base.v1.Relationship/Write INVALID_ARGUMENT: invalid RelationshipWriteRequest.Metadata: value is required

This happens while trying to write a relation. As far as I knew from the typescript typings, metaData wasn't a required field but this error seems to say otherwise? I then added metadata and it's still not working

earnest cape
errant whale
#

Node.js client

toxic mesa
#

Hi, what is the right way to use http port 80 rather than 3476? i tried the environment variable way (PERMIFY_SERVER_HTTP_PORT=80) it does not seem to work

errant whale
#

Hi @toxic mesa , you can run it as an environment variable like this: PERMIFY_HTTP_PORT=80

toxic mesa
errant whale
humble fern
#

hey, can anyone help explain depth?

#

i asked about snap_token as well, but i found the explanation in an existing thread already

autumn oxide
# humble fern hey, can anyone help explain `depth`?

Hi @humble fern. depth is the limit on the maximum number of queries that can be performed in an access control check. The Permify engine evaluates access checks by walking over the graph of each relation to find whether the given subject (user or user set) is related to the action, and depth is the limit for that graph traversal.
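
To make the depth explanation above concrete, here is an added example (a toy model written for this page, not Permify's engine): a walker for the `action invite_user = admin or parent.admin` rule from the org schema posted earlier in this channel, where each level of the walk spends one unit of depth. The tuples and the one-unit-per-hop accounting are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrDepthExceeded is returned when the walk would need more lookups than allowed.
var ErrDepthExceeded = errors.New("depth limit exceeded")

// Graph holds relation tuples as entity -> relation -> subjects, for example
// Graph{"org:3": {"parent": {"org:2"}}, "org:1": {"admin": {"user:alice"}}}.
type Graph map[string]map[string][]string

// CanInviteUser evaluates `action invite_user = admin or parent.admin`.
// Each recursion into a parent spends one unit of depth, so a deep or cyclic
// parent chain ends with ErrDepthExceeded instead of a silent "denied" or an
// unbounded traversal.
func (g Graph) CanInviteUser(org, user string, depth int) (bool, error) {
	if depth <= 0 {
		return false, ErrDepthExceeded
	}
	for _, s := range g[org]["admin"] { // admin: direct relation
		if s == user {
			return true, nil
		}
	}
	for _, parent := range g[org]["parent"] { // parent.admin: same rule one level up
		ok, err := g.CanInviteUser(parent, user, depth-1)
		if err != nil {
			return false, err
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// SampleGraph is constructed data: org:3 -> org:2 -> org:1, alice admin of org:1.
func SampleGraph() Graph {
	return Graph{
		"org:3": {"parent": {"org:2"}},
		"org:2": {"parent": {"org:1"}},
		"org:1": {"admin": {"user:alice"}},
	}
}

func main() {
	g := SampleGraph()
	for _, d := range []int{3, 2} {
		ok, err := g.CanInviteUser("org:3", "user:alice", d)
		fmt.Printf("depth=%d allowed=%v err=%v\n", d, ok, err)
	}
}
```

The practical point: a depth that is too small for the real hierarchy does not yield "denied", it yields an error, so the value should be chosen from the deepest chain the schema allows and the error handled distinctly from a negative decision.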

humble fern
#

great. one more thing... the exclusion boolean... where can i find info on that?

autumn oxide
#

I’m not 100% sure that I understand the context but if you’re referring the exclusion support usage - and not, or not - you can find it in the getting started->modeling section

humble fern
#

hi, is there any way to avoid duplicate write of a schema that hasn't changed? here, whitespace and line feed shouldn't affect diff

#

Use case:
We keep the schema close to our code and generate C# constants with it.
We write the schema to a fresh permify instance per integration test run, so we also need the schema close to the code for this.
What we'd like to do next is write the schema at startup, to ensure parity with generated code.
The write endpoint seems to create a new version id (ergo new db record) for each call, with the same unchanged schema, which means a new entry whenever we restart the server.
We're looking for a workaround, or maybe a different way to go about it altogether

autumn oxide
#

Duplicate write of a schema

toxic mesa
#

Hi, I am implementing a blocking logic using permify schema, something like this

schema: >-
    entity user {} 

    entity organization {
        relation blocked_carriers @carrier
    }

    entity carrier {
        relation dispatcher @user
        relation admin @user
        relation org @organization

        action create_asset = dispatcher and (not org.blocked_carriers and not org.blocked_carriers.contains(self))
    }

relationships:
    - carrier:1#dispatcher@user:1
    - carrier:2#dispatcher@user:2
    - carrier:1#org@organization:1
    - carrier:2#org@organization:1
    - organization:1#blocked_carriers@carrier:2

assertions:
    - can user:1 create_asset carrier:1: true
    - can user:2 create_asset carrier:2: false

I am wondering what the correct syntax would be to not allow any user(s) from a blocked carrier company to create_asset? any idea would be highly appreciated

errant whale
#

Exclusion Cases

toxic mesa
autumn oxide
#

Contextual Tuples

toxic mesa
#

Hi, is there an example showing how authn with an OIDC provider works? I get the following error when I try to configure it. (I have tried both PRMIFY_AUTHN_CLIENT-ID and PRMIFY_AUTHN_CLIENT_ID)

toxic mesa
errant whale
#

OIDC

toxic mesa
naive harness
#

Hi 🖐️
Can you send .gitlab-ci.yml file If there is no confidential information?

toxic mesa
#

sure, here is a simplified version of the .gitlab-ci.yml

image: python:3.10.11
default:
  tags: 
    - small-runners-nw
  
stages:
  - build
  - validate
  - deploy

validate_schema:
  stage: validate
  image: 
    name: ghcr.io/permify/permify:v0.4.3
    pull_policy: always
  script:
    - make validate_schema

and here is the validate_schema make command

validate-schema:
    mkdir -p ./.tmp/schema
    # replace placeholder in schema validation file with content of the "schema.perm" file that contains line breaks
    cat $(PWD)/src/schema/__tests__/chartering_validation.yaml | sed 's/SCHEMA_PLACEHOLDER/$(shell cat $(PWD)/src/schema/schema.perm | sed -e ':a' -e 'N' -e '$$!ba' -e 's/\n/\\n    /g')/g' > $(PWD)/.tmp/schema/chartering_validation.yaml
    permify validate $(PWD)/.tmp/schema/chartering_validation.yaml
#

maybe it is better if permify could provide a docker image that contains the permify cli while allowing other bash command to run

#

basically, when I use the default permify docker image in the gitlab pipeline, it hangs there forever without giving any error until timeout

#

I suspect that it is waiting for the shell environment to start so that it can copy the source code to the container but permify image does not include a shell environment as far as I can see

#

Even when I changed the pipeline config to the following, it still behaves the same:

validate_schema:
  stage: validate
  image: 
    name: ghcr.io/permify/permify:v0.4.3
    pull_policy: always
  script:
    - validate src/schema/__tests__/chartering_validation.yaml
naive harness
#

We will investigate the issue and return as soon as possible.
Thank you for your feedback!

errant whale
#

Gitlab CI/CD

plush moat
#

Hey everyone
I'm wondering if there is a way to define a permission such that it depends on an attribute set at the entity level.

for example

entity user {}
entity repository {
  relation admin @user
  relation corporate_developer @user
  
  attribute is_internal_repository // boolean value
  
  action delete_repo = admin or (corporate_developer and is_internal_repository)
}
earnest cape
#

Hey all! Running into a pretty strange error. I have the latest permify installed as well as the latest version of @permify/permify-node. When running the following check

const res = await permify.permission.check({
  metadata: { depth: 3 },
  tenantId,
  entity: {
    id: objectId,
    type: 'test',
  },
  permission: relation,
  subject: {
    id: userId,
    type: 'user',
  },
});

I get the following error

details: 'invalid PermissionCheckRequest.Metadata: embedded message failed validation | caused by: invalid PermissionCheckRequestMetadata.Depth: value must be greater than or equal to 3'

Any idea why this is happening? It looks like my metadata depth is >= 3, not sure what could be causing this

plush moat
#

@earnest cape Did you try with 4?
Just to be sure it's not a simple comparison typo.

errant whale
#

Node Client

earnest cape
#

Yup! Tried it with 4, 1, undefined, and 20

toxic mesa
#

Hi, we are getting the following error message when checking permissions - any idea? {"code":13,"message":"ERROR: function max(xid8) does not exist (SQLSTATE 42883)","details":[]}

toxic mesa
autumn oxide
plush moat
#

I got the following error using the node client for the Schema.Read method:

client.schema
      .read({
        tenantId: tenant_id,
        metadata: { schemaVersion: '' },
      })

Got the following error

{"path":"/base.v1.Schema/Read","code":13,"details":"Response message parsing error: index out of range: 763 + 10 > 763"}
#

Did it ever happen to you?

#

Now a new error:

{"path":"/base.v1.Schema/Read","code":13,"details":"Response message parsing error: invalid wire type 6 at offset 325"}
errant whale
#

Node Client Schema Read

plush moat
#

I was wondering if you have any limitations on the number of tuples we can upload for the Relationship.Write operation.

errant whale
#

Relationship Write Limitation

jaunty harbor
#

Hello everyone, currently I am attempting to deploy Permify on a Kubernetes infrastructure. I am using the following deployment configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: permify
  namespace: centrifugo-ns
  labels:
    app.kubernetes.io/name: permify
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: permify
  template:
    metadata:
      labels:
        app.kubernetes.io/name: permify
    spec:
      containers:
        - name: permify
          image: ghcr.io/permify/permify
          args:
            - serve
          ports:
            - containerPort: 3476
              protocol: TCP
          envFrom:
            - configMapRef:
                name: permify-env
          imagePullPolicy: Always
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

(The ConfigMap has 2 keys: PERMIFY_DATABASE_ENGINE and PERMIFY_DATABASE_URI.)

#

The logs show the following output:

██████╗ ███████╗██████╗ ███╗   ███╗██╗███████╗██╗   ██╗
██╔══██╗██╔════╝██╔══██╗████╗ ████║██║██╔════╝╚██╗ ██╔╝
██████╔╝█████╗  ██████╔╝██╔████╔██║██║█████╗   ╚████╔╝ 
██╔═══╝ ██╔══╝  ██╔══██╗██║╚██╔╝██║██║██╔══╝    ╚██╔╝  
██║     ███████╗██║  ██║██║ ╚═╝ ██║██║██║        ██║   
╚═╝     ╚══════╝╚═╝  ╚═╝╚═╝     ╚═╝╚═╝╚═╝        ╚═╝   
_______________________________________________________
Fine-grained Authorization System v0.4.7
{"level":"info","time":"2023-07-06T17:10:56Z","caller":"/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:940","message":"🚀 starting permify service..."}
{"level":"info","time":"2023-07-06T17:10:56Z","caller":"/home/runner/work/permify/permify/pkg/cmd/serve.go:295","message":"🚀 grpc server successfully started: 3478"}
{"level":"info","time":"2023-07-06T17:10:56Z","caller":"/home/runner/work/permify/permify/pkg/cmd/serve.go:295","message":"🚀 http server successfully started: 3476"}

However, when I invoke the API:

curl --location '{{host}}/v1/tenants/list' \
--header 'Content-Type: application/json' \
--data '{
    "page_size": 50,
    "continuous_token": ""
}'

it always returns the incorrect result.

{
    "code": 13,
    "message": "ERROR_CODE_EXECUTION",
    "details": []
}
#

Can someone help me with this problem? 😭

errant whale
#

Kubernetes Deployment

plush moat
#

Hey 👋 how are you?

I have an issue and I wondered if you might have encountered this, but let me explain.

I deployed Permify on a Kubernetes cluster as a sidecar to a Nest.js application (on one pod I have both containers running: app and permify).

I also had to define a livenessProbe on my app, and there I check if my app can access permify.

To do so, in my isHealthy function, I'm making a gRPC request to the permify container (on localhost) and invoke Tenant.List.

here is the code:

async isHealthy({ tenant_list }: { tenant_list: string[] }) {
    const grpcHealth = await this.permifyGrpcClient.client.tenancy
      .list({})
      .then((response) => {
        const retrievedTenants = response.tenants.map((tenant) => tenant.id);
        //  check that all tenants from list are in the retrieved list
        const ret = tenant_list.every((tenant_id) => retrievedTenants.includes(tenant_id));
        if (!ret) {
          this.logger.error({ tenant_list, retrievedTenants }, 'In Health, cannot find all tenancies');
        }
        return ret;
      })
      .catch((error) => {
        this.logger.error(error, 'Failed to check Permify GRPC Health');
        return false;
      });

    return grpcHealth;
  }

At the start everything goes well, but after a while permify does not respond anymore and I get a timeout on all my health requests, which causes my pods to restart and end up in a CrashLoopBackOff.

I was wondering if, after a while, Permify is still able to answer requests using gRPC.

plush moat
#

Hi 👋

I was wondering if you could help with the following use case

I have the following schema

entity user {}

entity role {
  relation member @user
}

entity repository {
  relation editor @user @role#member
  relation viewer @user @role#member

  action edit = editor
  action view = edit or viewer
}

And the following data

repository:repo1#editor@user:u1
repository:repo2#viewer@role:role1#member
role:role1#member@user:u1

I would like to retrieve all the repositories where user u1 has access (either as editor or viewer).

When I use the request

curl --location 'http://localhost:4000:3476/v1/tenants/t1/relationships/read' \
--header 'Content-Type: application/json' \
--header 'Cookie: localSignedIn=1' \
--data '{
    "metadata": {
        "snap_token": ""
    },
    "filter": {
        "entity": {
            "type": "repository",
            "ids": []
        },
        "relation": "",
        "subject": {
            "type": "user",
            "ids": ["u1"],
            "relation": ""
        }
    },
    "page_size": 50,
    "continuous_token": ""
}'

It only gives me

{
    "tuples": [
        {
            "entity": {
                "type": "repository",
                "id": "repo1"
            },
            "relation": "editor",
            "subject": {
                "type": "user",
                "id": "u1",
                "relation": ""
            }
        }
    ],
    "continuous_token": ""
}

whereas I would also like to retrieve the repositories accessible via the role entity,
in this case repo2 with relation viewer.

I hope it was clear 😅

west plank
#

Hi Team, I have a question about this use case that I am trying to get to work;
here is a simplified version of the problem that I am trying to solve.
Schema:

entity user {}
entity role {
    relation member @user
}
entity document {
    relation reader @role#member
    permission can_read = reader
}

then I add the following relationship tuples

document:1#reader@role:member#member
role:member#member@user:ken
role:admin#member@user:ryu

Now what I want is that any user mapped to the role admin should have read access to any document added without ever needing to explicitly write a relationship like this:

document:2#reader@role:admin#member

How do I achieve this?

elfin vale
#

Hello, I am trying to use the REST API to create a relationship based on a document, but the server responds with a 404 error.

#

curl -i --location 'http://localhost:3476/v1/tenants/t1/relationships/read' \
--header 'Content-Type: application/json' \
--header 'Cookie: localSignedIn=1' \
--data-raw '{
    "metadata": {
        "snap_token": ""
    },
    "filter": {
        "entity": {
            "type": "repository",
            "ids": []
        },
        "relation": "",
        "subject": {
            "type": "user",
            "ids": ["u1"],
            "relation": ""
        }
    },
    "page_size": 50,
    "continuous_token": ""
}'
HTTP/1.1 404 Not Found
Content-Type: application/json
Vary: Origin
Date: Fri, 04 Aug 2023 15:06:55 GMT
Content-Length: 47

{"code":5, "message":"Not Found", "details":[]}

#

server started with below command

elfin vale
toxic mesa
#

Hello, I'm trying to use Permify with the following schema:

entity user {}

entity farm {
    relation owner @user

    permission edit = owner
}

entity field {
    relation farm @farm

    permission edit = farm.owner
}

I now want to use the lookup-entity endpoint to find all fields a specific user is the owner of within a specific farm. Is this possible?

This is working well:

{
    "metadata": {
        "snap_token": "wPodOWDPeRc=",
        "schema_version": "cj9uvhbjtoj5s6rjv8e0",
        "depth": 100
    },
    "entity_type": "field",
    "permission": "edit",
    "subject": {
        "type": "user",
        "id": "ben",
        "relation": ""
    }
}

But I would like to understand how to enhance this query to restrict it to `farm:berlin` if the user owns multiple farms.
autumn oxide
#

Additional Filter to Lookup Entity

wispy rune
#

Hi team, are you also offering a hosted solution, or shall we run our own instance?

autumn oxide
candid jasper
#

Hi guys ✌️

I'm currently playing around with the entity filtering API. I figured out that it doesn't work when the entities have a lot (like 5K) of relations. Is that a local problem and I'm doing something wrong, or is your system just not ready to support high numbers?

errant whale
#

Data Filtering

long jacinth
#

Hi guys

I tried to set up permify locally with the following config:

# The server section specifies the HTTP and gRPC server settings,
# including whether or not TLS is enabled and the certificate and
# key file locations.
server:
  rate_limit: 100
  http:
    enabled: true
    port: 3476
  grpc:
    port: 3478

# The logger section sets the logging level for the service.
logger:
  level: info


# The service section sets various service-level settings, including whether
# or not to use a circuit breaker, and cache sizes for schema, permission,
# and relationship data.
service:
  circuit_breaker: false
  watch:
    enabled: false
  schema:
    cache:
      number_of_counters: 1_000
      max_cost: 10MiB
  permission:
    bulk_limit: 100
    concurrency_limit: 100
    cache:
      number_of_counters: 10_000
      max_cost: 10MiB
  relationship:

# The database section specifies the database engine and connection settings,
# including the URI for the database, whether or not to auto-migrate the database,
# and connection pool settings.
database:
  engine: postgres
  uri: postgres://root:root@localhost:5432/kuber
  auto_migrate: true
  max_open_connections: 20
  max_idle_connections: 1
  max_connection_lifetime: 300s
  max_connection_idle_time: 60s
  garbage_collection:
    enable: true
    interval: 3m
    timeout: 3m
    window: 720h
    number_of_threads: 1

I am running permify in docker compose

permify:
    image: permify/permify:v0.4.7
    volumes:
      - ./config/:/config
    command: ["serve", "-c=/config/permify_config.yaml"]
    network_mode: host

but the migrations do not get executed, and I am getting error code 13 when I try to perform any operation.

sleek flicker
#

Migration error

oblique crystal
#

I have a use case of using it for an LMS project with mostly hierarchical permissions. Is this a good tool for this? There will be multiple tenants.

storm mauve
#

I'm trying Permify with Postgres in Go; may I know how to set the schema of Postgres for Permify?

cerulean bane
#

Hey folks, the playground is not working correctly; there is some issue in the playground. I tested a scenario locally where it works correctly, but on the playground it gives a wrong answer. Attaching the schema file below.

#

@sleek flicker Can you please check this and let me know

sleek flicker
#

Playground Error

slate dirge
#

What do I need to do in order to bootstrap Permify with Postgres? I have a Postgres container running; I have looked at the Postgres URI in the example.config.yml file, but it doesn't specify anything for username, password or db_name, so I am kind of stuck. Is there any doc page that outlines this? (I suspect I can create a user and perhaps a database, but it is not clear to me how Permify will then utilize this information ...)

errant whale
#

Bootstrap Permify with Postgres

fossil cliff
#

Greetings, folks. I have been using Permify for quite a while now, but today, for whatever reason, the API returns me the same error:

{
  "code": 13,
  "message": "ERROR_CODE_SCHEMA_NOT_FOUND",
  "details": []
}

I haven't done anything to induce that. There are still schemas in the database, but the permify service always returns me this. Any help appreciated!

errant whale
#

Schema Not Found Error

plush moat
#

Hi guys,
I wanted to share my infrastructure use case and some of my concerns regarding performance. Maybe I'm not doing it the right way.

I have a scalable architecture inside k8s where a lot of services need to access the authorization service.
Since we need some abstraction, we don't want permify to be accessible directly, so we created a NestJS application (NodeJS) called authorization-api where we provide routes adapted to our needs. This NodeJS app is basically a proxy to permify.
Regarding architecture, every NodeJS pod has a permify sidecar, and all the sidecars are connected to the same PostgreSQL database.

I monitored the traffic on this app a bit, and it happens that sometimes Permify is really slow to provide a response (sometimes many seconds!!). What can explain that?
Do you have some best practices for permify to work in such an environment?

lean leaf
#

Hey guys, just wondering some things.

My company is currently evaluating Permify to replace our bespoke RBAC system, and I'm just wondering if it's the right solution for our use case.

We have a bunch of "organisations" which have a slew of roles under them; we also have a dashboard to control what these roles are able to do, i.e. "admins can edit the calendar", "Careworker can edit user profiles" etc., and we do this per organisation. From what I can tell I can maybe do all this in permify - the issue being I can't see a way to easily toggle these permissions on and off, or have a base schema for all orgs (tenants?) that is just differently toggled configurations of one schema.

  1. Would I have to push a new schema to the create schema endpoint each time?
  2. Would adding a new role require me to push a new schema to every tenant?
  3. Is there a JSON -> permify schema language converter I could leverage?
  4. Even if there is, does the way the schemas are supposed to work easily facilitate a permission on/off sort of control?
  5. Am I thinking about this the wrong way?

Any help/guidance you could provide would be great.

sleek flicker
random warren
#

Hey @ashleyConpago ,

surreal bison
#

Hello guys,

Quick question, can I access an attribute from the users entity in another one?

Thanks!

autumn oxide
#

Accessing User Attribute

normal knot
#

Hi guys, are there any Go developers here? I found that SnapToken is necessary when making a gRPC permission check using permify-go. Am I the only one?

autumn oxide
#

SnapToken in Grpc Request

frank igloo
#

Hi, I've been evaluating Permify to see if it is a viable option for my project, and as a result of that I've also been checking if I could implement resource/entity wildcard relationships in a sensible manner.

Am I missing something, or shouldn't it suffice to add the wildcard to the query filter? Permify's "engine" code is already structured in a decoupled way and the wildcard would only add another implicit id for all entities, so no other code modifications should be necessary.

I even modified some check and expand tests to include wildcard relationships and all tests, including the integration test, passed with no problems.

Related issue (https://github.com/Permify/permify/issues/231)

frank igloo
errant whale
#

Wildcard Relationships

glacial hedge
#

Here I see we have roles, permissions, and users; it seems simple, but by the volume of rules it seems a bit confusing. This is the first time I'm working with permify.

tall tinsel
#

Hello, I have been testing Permify for a few hours and I can't solve a problem regarding rules/attributes.
I'm trying to check if a value is in an array of strings, but nothing seems to work; the test scenario always returns FAILED.
Did I make a mistake somewhere?

Sample:

Schema:
  entity repo {
      relation user @user
      
      attribute extended_permissions string[]
      
      permission access = has_perm(request.user_permission, extended_permissions)
  }
Data: 
  relationships:
    - project:project1#user@user:user1

  attributes:
    - project:project1$extended_permissions|string[]:['user1']

Check:
  entity: project:project1
  subject: user:user1
  context:
    data:
      user_permission: "user1"
  assertions:
    access: true 
sleek flicker
tall tinsel
#

np, I've time ;)

sleek flicker
#

Hey @tall tinsel ,

schema: >-
    entity user{}

    entity project {
        relation user @user
        attribute extended_permissions string[]
        permission access = has_perm(request.user_permission, extended_permissions)
    }

    rule has_perm(user_permission string, extended_permissions string[]) {
        user_permission in extended_permissions
    }

relationships:
    - "project:project1#user@user:user1"

attributes:
    - "project:project1$extended_permissions|string[]:user1"

scenarios:
  - name: "test"
    checks:
      - entity: "project:project1"
        subject: "user:1"
        context:
           data:
             user_permission: "user1"
        assertions:
          access: true

In essence, you need to have a rule in order to use the given attribute, which basically queries for an attribute string.

Here are the relevant docs:

Let me know if that helps, and feel free to ask if you have any other questions.

tall tinsel
#

Oh ok, my bad, the issue was in the attributes data, string[]:user1. So the correct syntax for a string[] type is a basic comma separator (like string[]:user1,user2,user3)?

tall tinsel
#

Thanks for help btw, responsiveness is highly appreciated 👌🏻

sleek flicker
#

Yes, sorry about the delay 😅

tall tinsel
#

Haha np bro 😎

earnest pasture
#

Hi there, I'm new to Permify and working on a PoC for it. I'm trying to understand how I would model a specific scenario, where users can define their own custom permissions to a resource. I can model the creation, reading, updating, and deleting of the resource easily enough, but what if the user has additional custom permissions they want to use for it? Hope I explained that reasonably well.

autumn oxide
#

Custom Permissions

glacial hedge
glacial hedge
glacial hedge
#

In spite of this config, I'm not able to see any detailed logs for troubleshooting; did I configure the logger section of config.yaml right?

# The logger section sets the logging level for the service.
logger:
  level: trace

slate dirge
#

Hi, I am trying to use attributes with Go, but having trouble understanding how to marshal values for different data types. Specifically, how to use the code here: https://docs.permify.co/docs/api-overview/data/write-data/ under Creating Attribute Data. How would I marshal the Value, depending on the data type?

        {
            Entity: &v1.Entity{
                Type: "account",
                Id:   "1",
            },
            Attribute: "public",
            Value:     value,
        },
    },

In Permify, relations between your entities, objects and users are stored as [relational tuples] in a [preferred database]. Since relations and authorization data are live instances, these relational tuples can be created with a simple API call at runtime.

glacial hedge
solar sun
#

Hi all, I'm evaluating using Permify for a new project.

The requirements of the system are below:

A permission is a tuple of:

user or group
role or scope
resource
schedule

Resources optionally have parents, whereby all permissions defined for parents are inherited by children.

A role represents multiple scopes.

To check, I pass the user, scope, resource and time.

I would like role and scope to be user modifiable if possible.

Is such a set of requirements achievable with Permify?

errant whale
#

Write Authorization Data | Permify

#

Read Relationships

autumn oxide
#

User Modification

boreal locust
#

How can I create an attribute using the WriteData endpoint?

#

When I was trying to create an attribute using the WriteData endpoint with the given request, I received the response ERROR_CODE_ATTRIBUTE_DEFINITION_NOT_FOUND.
URL: http://localhost:3476/v1/tenants/t1/data/write

Request:

{
    "metadata": {
        "schema_version": "cl12p78glhcn02iki6a0"
    },
    "attributes": [
        {
            "entity": {
                "type": "organization",
                "id": "1"
            },
            "attribute": "private",
            "value": {
                "@type": "type.googleapis.com/base.v1.BooleanValue",
                "data": true
            }
        }
    ]
}

Response:

{
    "code": 3,
    "message": "invalid DataWriteRequest.Metadata: value is required",
    "details": []
}

#

Sorry, the response is:

{
    "code": 2,
    "message": "ERROR_CODE_ATTRIBUTE_DEFINITION_NOT_FOUND",
    "details": []
}

boreal locust
oblique crystal
#

How to define that a subset of attributes can be edited by specific roles?

autumn oxide
#

PostgreSQL Configuration

surreal bison
#

Hello, I am trying to see if there is a more efficient way of updating the schema for all tenants using the API.

Currently from what I've seen I would need to iterate the list of tenants and then for each one update the schema. I was trying to see if there is a more efficient method for this? Thanks much

autumn oxide
#

Tenant Update

earnest pasture
#

I know this is probably the world's simplest question, but I'm still learning my way around the API. How exactly would I just get a list of all users?

sleek flicker
# earnest pasture I know this is probably the world's simplest question, but I'm still learning my...

Hey @earnest pasture,

As far as I understand, you’re looking for the API endpoint for filtering users/subjects?

Lookup Subject endpoint lets you ask questions in form of “Which subjects can do action Y on entity:X?”. As a response of this you’ll get a subject results in a format of string array.

If this is what you’re looking for please refer to this section: https://docs.permify.co/docs/api-overview/permission/lookup-subject/

earnest pasture
#

Yup, that's what I was looking for. Thanks!

earnest pasture
#

Another question: With the permissions/check endpoint, is there a way to check multiple permissions at once, rather than one at a time? Or a different endpoint to accomplish the same thing? For example, if I want to know if Joe has write and publish permissions on an entity, do I check both separately, or is there a way to check them at the same time?

autumn oxide
#

Subject Permission List

oblique crystal
oblique crystal
autumn oxide
#

Reviewing Model

dense void
#

Does permify have a similar admin side? Similar to playground for visualization

fallen spruce
#

What am I doing wrong here? I'm trying to run an individual test, but it results in undefined behaviour and a crash; I thought my test file was broken, so I tried with an existing one.

errant whale
#

Postgres Tests

plush moat
#

Hi 👋🏼
Is there any way to format the log messages from permify?
Currently it has a text format and I would like it to be JSON

permify time=2023-12-10T12:07:23.024Z level=DEBUG msg="Executing SQL query: " query="SELECT id, name, created_at FROM tenants ORDER BY id LIMIT 51" arguments=[] 
errant whale
#

JSON Output Option for Logger Configuration

plush moat
#

Hi 👋🏼

We are currently trying to migrate our whole old permission system into Permify. To do so we implemented a script that creates tuples out of the old database records and then sends them to permify using the operation client.data.writeRelationships.

I get a lot of errors during this migration. Here are some of the logs I might get:

level=ERROR msg="Failed to write data to the database. Max retries reached. Aborting operation. " error=ERROR_CODE_ERROR_MAX_RETRIES
level=ERROR msg=ERROR_CODE_EXECUTION
level=ERROR msg=ERROR_CODE_ERROR_MAX_RETRIES
level=ERROR msg="Failed to execute context query: " error="ERROR: duplicate key value violates unique constraint \"uq_relation_tuple\" (SQLSTATE 23505)"
errant whale
#

Database Max Retries

autumn pilot
#

Are there any existing evaluations of permify against other ReBAC solutions (spicedb, keto, openfga)? In terms of feature set and/or performance

#

Another question: I'm trying to understand the consistency guarantees of Permify. How does Permify behave when a Zookie is NOT provided? Does it default to no caching? Or something else?

autumn oxide
#

Differentiation

#

When Zookie is NOT provided

autumn pilot
#

Is it accurate to say that Permify currently does not support bulk checks? I'm not seeing an API for it

autumn oxide
#

Bulk access Checks

autumn pilot
#

(Sorry for all of the questions)

The permify landing page claims 1 trillion rps. Are there any blog posts with more details around this?

Y'all also have some users (disney, stripe, shopify, etc) listed on the same page. Are there any blog posts from these companies or others? I'm not finding them

autumn oxide
#

Benchmark & Usage

icy tulip
#

Is there an easy way (without cherry picking the code) to import Permify into my application and use it inline (i.e. it connects to the database directly, no HTTP/gRPC calls to a permify service)? I have a scenario where I want to have a single binary deployed that include the power of Permify but without the additional infrastructure necessary

void brook
#

@autumn oxide Hello Ege, I would love to pitch some articles. I noticed that Permify made a call for contributions. Also, I would love to contribute to Permify's existing documentation.

autumn oxide
#

Contribution

keen nova
#

Hi guys!

I'm PoCing permify, so I have several questions:

  • Best practice for transactional creation? (For example, I'm creating a user in my db and need to add it to permify as well - how to ensure that the data will be consistent?)
  • How to perform migrations through the schema and, more importantly, through data. Any tutorials, best practices?
  • How to perform periodic cleanup. (For example, a user is deleted from the main DB for some reason, so I want to delete it from permify also, to keep the data consistent.)
unkempt vessel
#

Quick question around recursive ReBAC and indirect uses of it.

TL;DR:

  • I want to model recursive groups, where a user is a member of the group if they are either a direct member of it, or a member of the parent. This is easy to model and there is even an example of how to do it
  • I also want to model documents, where access can be given to either a user or the members of a group (both direct and inherited)

When I try to model the second one, the Playground gives me an error when I do relation reader @user @group#member where member is a permission of group as opposed to a relation.

It seems like the only way to do it would be to separate my reader relation in two, and then use a union rule in my permission:

relation reader @user
relation reader_g @group

permission read = reader or reader_g.member

However this is not ideal and I would really like to stay with only one reader relation. Is there a way to achieve this?

Playground link: https://play.permify.co/?s=REIEQHs8VA7tHggQDgZro

errant whale
#

Quick question around recursive ReBAC

autumn oxide
#

Some Best Practises

proper python
#

Hi 👋🏼
It has come to my attention that the Permify API does not support bulk checking functionality. Could you please clarify the reason behind this limitation? For our process, there is a requirement for executing up to 30 checks concurrently, and the current limitation appears to be a potential bottleneck.

Would you be able to suggest any workaround or best practice that might help us optimize this operation within the bounds of the API’s current functionality?

Thank you in advance for your assistance

quaint nebula
#

Hi everyone!

@runic rampart and I are doing a PoC with Permify and we are a bit stuck on how we could implement an ABAC behavior that's a little more convoluted than the docs/product seem to support. Could we set up a time to chat with an engineer and talk through our use case?

autumn oxide
#

Hi everyone!

noble badger
#

as this issue is closed

errant whale
#

Hello @noble badger , I have approved it. Thanks for your contribution. 🚀

tardy fiber
#

Hello everyone, I am trying to use the permify-go client from https://github.com/Permify/permify-go. However, I am seeing the below message while running go mod tidy:

        github.com/Permify/permify-go: module github.com/Permify/permify-go@latest found (v0.4.5), but does not contain package github.com/Permify/permify-go

I followed the instructions from README.md. May I request some help here?

tardy fiber
errant whale
#

Permify Go Client

limber matrix
#

Quick question! Reading your config reference wrt passing configuration via environment variables I see data types like "string array"; does that imply something like this?

PERMIFY_AUTHN_PRESHARED_KEYS="['foo','bar']"
limber matrix
errant whale
#

Authn Preshared Keys

limber matrix
limber matrix
# limber matrix Can I tell permify to store its tables in a postgresql schema (https://www.postg...

Created an issue to track the feature request here - feel free to close if its not wanted: https://github.com/Permify/permify/issues/1058

GitHub

Is your feature request related to a problem? Please describe. Postgres supports schemas as an optional way of delegating access, separating logic and so on. It would be great if permify supported ...

fallen spruce
errant whale
#

Permify Env Command

limber matrix
#

How do others using the helm chart pass the secrets for preshared/database_uri? If using kubernetes secrets, these are usually accessed via secretName, but in deployment.yaml they seem to be set via a regular variable.

limber matrix
errant whale
#

Helm Chart Pass the Secrets

nimble anvil
#

Hello Everyone, I’m working on a kind of white label community app where I’m exploring permify for managing all the permissions.
My use cases are:
I have an organisation where all the actions are predefined, like creating a post, creating an event, creating groups, etc.
Also two roles are predefined: super admin and admin (of its own organisation).
Now an admin can create roles and assign the few actions they want, and this role is only for one particular organisation.
For example, an admin created the role ambassador and it allows that role to create a post and create an event.
So there are multiple roles in every organisation, and every role has different action permissions.
I guess for that I need to manage schema changes on the fly.
I’m still exploring permify. I don’t know all the limitations and advantages of permify yet.
I want to know if this is a feasible solution using Permify, or if I need to create my own solution.
Thanks for reading all this 😅

autumn oxide
#

Exploring Permify

magic roost
#

I see that the only database-engine that is supported is postgres. Is there anything related to the latest version? 16/15? Has permify been tested in-house with cockroachdb for example? Thanks

magic roost
magic roost
#

Unfortunately I have another issue:

{
    "message": "Failed to create tenant",
    "error": "/base.v1.Tenancy/Create INTERNAL: Received RST_STREAM with code 2 triggered by internal client error: Protocol error"
}

I have tls turned off as this is just a single dev instance for now.

magic roost
errant whale
#

Check Access Control | Permify

candid marlin
#

Any support for a gRPC health check? I only see HTTP by default.

plush moat
#

Hi 👋🏼
Do you have a workaround to work with OpenTelemetry?

errant whale
#

gRPC health check

autumn oxide
#

Opentelemetry workaround

rose vector
#

Does Permify have a uniqueness constraint, such as a team can only have one owner?

autumn oxide
#

Constraint

supple ibex
#

I'm seeing the new Python client code pushed up to the repo. It looks like the code is there, but may be lacking some documentation. I assume this is coming down the pipeline?

autumn oxide
#

Python SDK

worn kernel
#

Hi! Using Permify for all authorizations in our system and experiencing performance issues on the lookup subject/entity endpoint even with a relatively small dataset. Calls are performed via HTTP API and using SnapTokens. Performance is sub-par regardless of whether caching is enabled or not on the different layers. Whenever data is written or deleted, the next lookup call(s) take around 1-1.5s to respond. Are there any known optimizations, and how can I provide useful profiling information for this issue? @unkempt vessel I saw you introduced yourself mentioning interest in the lookup entity performance, so did you encounter similar issues and, if so, find solutions? Looking forward to tackling this together! Thanks.

rare dragon
#

I like the way permify api has been structured.
But the fact that the solution requires a separate server to be run makes it hard to maintain and also increases the time to set up the whole thing; it adds another level of complexity in managing external requests to the permify server. I would have chosen it if the solution was a library that runs natively with the codebase where we need authz.
Am I missing anything here?

errant whale
#

lookup subject/entity endpoint

autumn oxide
#

Different Service

rose vector
#

Hi! When we use permify, we face this problem.
Some content can be modified directly in Permify, while other changes need to be made in the database and then synchronized to Permify.

So, what are the ways to synchronize the database, or which method do you think is better?

  1. Use database triggers to directly write content into a PostgreSQL database.
  2. Each time there is a need to modify database data, we insert data into the Permify server through an RPC.
  3. Use a message queue, where the application sends a message to the message queue after inserting data into Database 1. Another service listens to the message queue and executes specific logic when it detects a relevant message.

autumn oxide
#

Data sync

prime stump
#

Hey, how do I configure persistent storage for an open-source permify instance?

For example, I want to store all my relations in a postgres instance or some other storage sink.

If all the data is stored in-memory and my server restarts, I'll lose all the relations I've registered, correct?

prime stump
autumn oxide
#

Oh, I just found the example

junior ore
#

hi there! out of curiosity, will longer relation walks for permissions (e.g. organization.group.subgroup) be supported in the future?

autumn oxide
#

longer relation walks

severe wraith
#

Hello, does permify allow an intersect operation? E.g., if user and doc are part of orgs, only allow access if doc and user have the same orgs.

limpid grotto
#

Do you have an example of pointing to a config file?
example permify
docker run -p 3476:3476 -p 3478:3478 -v {YOUR-CONFIG-PATH}:/config ghcr.io/permify/permify serve
docker run -p 3476:3476 -p 3478:3478 -v C:\Users\oscar.zizumbo\Desktop:/permify ghcr.io/permify/permify serve

autumn oxide
#

Intersection Operation

#

Pointing to config file

thorny patrol
#

Hello, currently comparing various Zanzibar-inspired frameworks and trying to figure out which one is best for the company I work for.

I have a question with regard to (audit logging) I want to be able to see when user X accessed document Y and what relationship was used (read/write/...). In a post last month I found that the open source version has "limited access logging" using Open Telemetry.

From what I understand I would have to write something that:

  1. Fetches logs from OpenTelemetry
  2. Parses that data into a POST request to the Expand endpoint and handles the request?
autumn oxide
#

Comparing various Zanzibar-inspired frameworks

rough shale
#

Any possibility of adding MongoDB back as a supported data storage?

#

I understand it was deprecated, but a lot of SaaS platforms use MongoDB as a backend, and it would be helpful to use MongoDB for an authorization system/framework rather than using a SQL database and maintaining two different systems.

autumn oxide
#

MongoDB Support

wooden belfry
#

Hi, can someone help me to understand how a snapshot is made? What if high traffic hits the service before the snapshot is ready?

autumn oxide
#

Hi, can someone help me to understand

thorny patrol
#

Some follow up questions:

Wildcard access:
Is it possible to allow ALL subjects of a certain type permission?

{
    Entity: &v1.Entity{
        Type: "document",
        Id:   "1",
    },
    Relation: "editor",
    Subject: &v1.Subject{
        Type:     "user",
        Id:       "1",
        Relation: "",
    },
},

In the above we would only allow the user with ID 1 permission to document 1. Is there a way to do something such as:

{
    Entity: &v1.Entity{
        Type: "document",
        Id:   "1",
    },
    Relation: "editor",
    Subject: &v1.Subject{
        Type:     "user",
        Id:       "*",
        Relation: "",
    },
},

Blocklists:
If all users of group X have access to document Y, but I want to block a few individuals. Is there an easy way to do this?

Conditional permissions:
Imagine I have a subscription model: users can only process 10.000 documents. I keep track of the number of documents they have processed through the backend. Can I:

  1. Send an extra parameter in an API check with the current count.
  2. Define in the model that the check should pass if that specific parameter is below 10.0000?

Do you have model versioning of authorisation models? If I apply changes to a model, is the previous model stored somewhere? Can I continue using the previous model if I set an ID somewhere? Or is this done through the snapshot?

autumn oxide
#

Some follow up questions:

zinc hornet
#

hey guys, I am trying to implement permify into my Golang application and I can't figure out if it's better to use their Go SDK or to use their REST APIs directly. There isn't much information on the SDK except for their GitHub repo. Any suggestions from anyone who has done this?

autumn oxide
#

hey guys I am trying to implement

median summit
#

Hey guys, I am playing with models. Let's say I have a user that has different roles and a resource that accepts different roles. When I query the permission endpoint to see if the user can access the resource, is there any way to know why the user can access it, like what permission matched? Is it also possible to put a weight on the permission? For example, if the user has Administrator and Viewer, Administrator is more important, so we can give him access.

autumn oxide
#

Permission Check

supple ibex
#

Hi! With the Python SDK, I'm getting the following error when importing permify:

  File "/Users/space/Library/Caches/pypoetry/virtualenvs/user-api-server-VQOxwiTq-py3.11/lib/python3.11/site-packages/permify/__init__.py", line 21, in <module>
    from permify.bundle_api import BundleApi
ModuleNotFoundError: No module named 'permify.bundle_api'
junior ore
#

hi! this might be kind of a silly question, but I've suddenly been getting an error out of the blue saying "rpc error: code = Unimplemented desc = unknown service base.v1.Data". I'm not sure why it suddenly appeared.

heavy hinge
#

Python SDK Issue

#

Python sdk issue

oblique crystal
#

Can anyone help me with the below schema? I want to check if an admin with the manage_team attribute set to true can create/edit a team.

entity user {
    attribute manage_team bool
}

entity organization {
    relation owner @user
    relation admin @user
    relation member @user
}

entity team {
    relation org @organization
    relation owner @organization#owner
    relation member @organization#member

    permission create = owner or (org.admin and org.admin.manage_team)
}
autumn oxide
#

Can anyone help me with the below schema

tropic pagoda
#

hi everyone
how can I set a preshared key for permify on the client side? It just has address and cert:

permifyClient, err := permify.NewClient(
    permify.Config{
        Endpoint: config.Host + ":" + config.Port,
    },
    grpc.WithTransportCredentials(insecure.NewCredentials()),
)
autumn oxide
#

hi everyone

hollow snow
#

@autumn oxide Please keep the protobuf up-to-date on buf.build, as gRPC is more friendly to be generated there. FYI, I know Permify offers SDK, but directly using pure gRPC client is more flexible for our needs.

hollow snow
autumn oxide
#

Outdated Docs

wild sky
#

hi everyone
can anyone help me with this error?
Additionally, ghcr.io/permify/permify in Docker Desktop keeps showing "restarting" status.

xsmei@xsmei-MacBook-Pro permify % pnpm permify:migrate  

> mhub-nextjs-app@0.1.1 permify:migrate /Users/xsmei/permify > tsx ./src/lib/permify/permify-schema-migrate.ts

node:internal/process/promises:289
            triggerUncaughtException(err, true /* fromPromise */);
            ^

ClientError: /base.v1.Schema/Write UNAVAILABLE: No connection established. Last error: connect ECONNREFUSED ::1:3478 (2024-05-08T08:42:29.681Z)
    at wrapClientError (/Users/xsmei/permify/node_modules/.pnpm/nice-grpc@2.1.8/node_modules/nice-grpc/lib/client/wrapClientError.js:9:16)
    at Object.callback (/Users/xsmei/permify/node_modules/.pnpm/nice-grpc@2.1.8/node_modules/nice-grpc/lib/client/createUnaryMethod.js:27:66)
    at Object.onReceiveStatus (/Users/xsmei/permify/node_modules/.pnpm/@grpc+grpc-js@1.9.14/node_modules/@grpc/grpc-js/build/src/client.js:192:36)
    at Object.onReceiveStatus (/Users/xsmei/permify/node_modules/.pnpm/@grpc+grpc-js@1.9.14/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:360:141)
    at Object.onReceiveStatus (/Users/xsmei/permify/node_modules/.pnpm/@grpc+grpc-js@1.9.14/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:323:181)
    at /Users/xsmei/permify/node_modules/.pnpm/@grpc+grpc-js@1.9.14/node_modules/@grpc/grpc-js/build/src/resolving-call.js:99:78
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  path: '/base.v1.Schema/Write',
  code: 14,
  details: 'No connection established. Last error: connect ECONNREFUSED ::1:3478 (2024-05-08T08:42:29.681Z)'
}

Node.js v20.12.2
 ELIFECYCLE  Command failed with exit code 1.
errant whale
#

Testing Permify

violet cloud
#

hi guys
I am trying to test permify locally. I was able to set up the server and write an example schema from permify. I also added a couple of relationships. I was trying to check access control, but I can't find the PermissionCheckResponse_Result in the node package, which is needed to get the result of the check. I am referring to https://github.com/Permify/permify-node?tab=readme-ov-file#check.

heavy hinge
#

Sdk Fixes

obsidian lark
#

I need help in understanding:
What happens to my existing relations when I do incremental updates to my schema?
How will I update the existing relations?

autumn oxide
#

I need help in understanding-

junior ore
#

hi y'all, I keep getting rpc error: code = NotFound desc = ERROR_CODE_SCHEMA_NOT_FOUND despite verifying that the schema was written properly and that all the checks I'm performing are in the correct/same tenant. For more context, I also didn't specify a schema version. Could someone help me narrow down the issue 😭

autumn oxide
#

hi y'all, i keep getting `rpc error:

magic roost
#

hello. I'm trying to validate a schema using the memory storage. I keep on getting schema not found. Are there any examples in the docs of Postman snippets? Thanks

Or a schema + permission check that I could copy and works?

autumn oxide
#

Schema not found

solemn grove
#

Hi everyone. I am researching Relationship Based Access Control (ReBAC). I want to know if there is a way to grant a user access to all resources. For example, I have documents DocA, DocB, DocC, ... How can I define that UserA can view all these documents?

autumn oxide
#

Hi everyone. I am researching

jaunty raven
#

Hello everyone!

We are in the early stages of creating a project that requires defining fine-grained permissions per user. Since this is our first time working with fine-grained permissions, we are seeking to understand the best practices for defining an effective workflow for authentication and authorization. We have a few questions we hope you can help with.

First, some context on our architecture:

  • Users: Belong to one or more organizations and can be part of multiple teams within those organizations.
  • Regions: Similar to AWS regions, locations that might be public, or associated with a user, group, or organization. Each region works autonomously, since it exposes an API that can be consumed by the users of the system.
#

Our assumptions:

A. Regarding data storage:

  • We need a database to store all information related to a region (e.g., available services, hardware details, remaining resources).
  • We need to define which users in a team within an organization can deploy in a particular region.

Here we think about two different options:

  • Option A: Storing the relationships between organizations, users, and regions directly in our database (e.g., user X is in organization Y and team Z, and team Z can use region V), and also maintain these relationships in Permify
  • Option B: Storing in the database only the region-specific information and delegate the management of users, organizations, and roles entirely to Permify

For us, it seems like the correct option might be B (in order to separate concerns about permissions and data).

Nevertheless, we have some concerns in regards to Option B when it comes to gathering aggregated data, such as listing the regions a user has access to (e.g., via GET /regions). We think the correct approach is:

  • Step 1: Query Permify to get all region IDs the user can access.
  • Step 2: Using each region ID, retrieve the region information from our database.

Is this a good approach?

B. About authentication:

  • We plan to use Keycloak for authentication, which will provide us JWT tokens containing user ID information.

When a user makes a request (e.g., GET /regions), we will first verify the JWT, extract the user ID, then query Permify to determine the regions accessible to the user. Does this approach seem viable?

TL;DR: We're seeking validation on our proposed security architecture and a general guidance on authentication, authorization, and data storage when integrating ReBAC systems. Any advice or suggestions you could offer would be immensely valuable.

autumn oxide
#

Our assumptions:

cyan nebula
#

Hello Permify Community,

I am currently working on integrating Permify into my project, but I'm encountering an issue with the API endpoints. Here are the details:

Setup:

I have installed Permify using Docker with the following command:
docker run -p 3476:3476 -p 3478:3478 ghcr.io/permify/permify serve

I verified that Permify is running and the health check is passing:
curl localhost:3476/healthz
{"status":"SERVING"}

Issue:
When I try to set policies using the API, I receive a "Not Found" error. Here is the command and the response:
curl -X POST "http://localhost:3476/v1/policies" -H "Content-Type: application/json" -d '{
"role": "admin",
"permissions": [
"create_user",
"delete_user",
"update_user",
"view_logs",
"manage_permissions"
]
}'
{"code":5, "message":"Not Found", "details":[]}

I also tried to access the Swagger documentation and list the available endpoints, but both returned "Not Found":
curl localhost:3476/swagger
{"code":5, "message":"Not Found", "details":[]}

curl -X GET "http://localhost:3476/endpoints" -H "Content-Type: application/json"
{"code":5, "message":"Not Found", "details":[]}

Steps Taken:
Checked the health endpoint and it is serving.
Tried accessing the Swagger documentation endpoint but couldn't find it.
Tried listing available endpoints, but received "Not Found" error.

Logs:
Here are the relevant logs from Permify:
[Include any relevant logs here]

Could you please help me understand why the endpoint is not found and how to resolve this issue?

Thank you for your assistance!

autumn oxide
#

Hello Permify Community,

fallow wharf
#

Hello,

I have a problem with creating relationships. I am using https://github.com/Permify/permify-node

This is my app.perm schema: https://play.permify.co/?s=AldIwDvkpeJOtu9HuAIZk

I create a tenant:

const workspacePermify = await permifyClient.tenancy.create({
  id: workspaceId,
  name: workspaceSlug,
});

Then I add a schema:

const permSchema = await permifyClient.schema.write({
  tenantId: workspacePermify.tenant?.id,
  schema: permissionSchema,
});

Next, I try to create a relationship by passing the tenantId, the schema version obtained from permifyClient.schema.write in metadata, and the tuples, but I get an error:
ERROR_CODE_SCHEMA_NOT_FOUND.

const relationships = await permifyClient.data.write({
  tenantId: workspaceId,
  metadata: {
    schemaVersion: schemaVersion,
  },
  tuples: [
    {
      entity: {
        type: Entity.Folder,
        id: folderId,
      },
      relation: role,
      subject: {
        type: Subject.User,
        id: userId,
      },
    },
  ],
});

Do you have any idea where I might be going wrong?

autumn oxide
#

GitHub - Permify/permify-node: Permify c...

steep locust
#

Hello there !

I have a question about this relationship, I want to create a simple admin/guest relationship:

admin @user relationship
guest @user relationship

When I put my user ID as admin (using localhost:3476/v1/tenants/tdl/data/write)

            "subject": {
                "type": "user",
                "id": "leandro@test.com"
            }

It works fine, but if I write the same relationship with the same ID as a guest, I have the relationship twice. Is this normal? Should I delete the relationship before creating a new one?

        {
            "entity": {
                "type": "project",
                "id": "id"
            },
            "relation": "admin",
            "subject": {
                "type": "user",
                "id": "leandro@test.com",
                "relation": ""
            }
        },
        {
            "entity": {
                "type": "project",
                "id": "id"
            },
            "relation": "guest",
            "subject": {
                "type": "user",
                "id": "leandro@test.com",
                "relation": ""
            }
        },

What happens to all the users I already have in my database? Do I need to create these relationships via API?

Thank you !

autumn oxide
#

Hello there !

steep locust
#

Hello again, I'm trying to create a schema that allows administrators to manage clients and other teams to view clients.

I'm doing something wrong, because it's not possible for me to do it, I can't check my relationship:


    entity team {

        relation admin              @user
        relation account_manager    @user
        relation data_manager       @user
        relation viewer             @user
        relation guest              @user
    }

    entity client {

        relation team            @team

        permission view = team.admin or team.account_manager or team.data_manager or team.viewer or team.guest
        permission manage = team.admin
    }

Relationship:

{
    "metadata": {
        "schema_version": ""
    },
    "tuples": [
        {
            "entity": {
                "type": "client",
                "id": "data"
            },
            "relation": "team",
            "subject": {
                "type": "team",
                "id": "leandro@test.com"
            }
        }
    ],
    "attributes": []
}

Check:

{
    "metadata": {
        "snap_token": "",
        "schema_version": "",
        "depth": 20
    },
    "entity": {
        "type": "client",
        "id": "data"
    },
    "permission": "view",
    "subject": {
        "type": "user",
        "id": "user:leandro@test.com",
        "relation": ""
    }
}

Response:

{
    "can": "CHECK_RESULT_DENIED",
    "metadata": {
        "check_count": 1
    }
}

Do you know why? Thank you !

autumn oxide
#

Hello again, I'm trying to create a

median musk
#

Hi, I am new to permify.

entity user {}

entity organization {
    relation admin @user
    relation org_memeber @user

    action add_member = admin
    action delete_member = admin
    action give_permission_to_member = admin
}

entity team_ar {
    relation parent @organization
    relation ar_lead @user
    relation ar_member @user

    action edit_ticket = ar_lead or parent.admin
}

entity ar_revenue_view {
    relation parent @team_ar
    relation org_admin @organization#admin
    action view_ar_revenue_view = parent.ar_lead or org_admin
}

How do I configure my schema such that action view_ar_revenue_view is accessible to both ar_lead and admin, but both can see different columns? I don't want to hard code that logic in the code.

autumn oxide
#

Hi , i am new to permify

amber zinc
novel rune
#

Hello everyone! We have decided to use permify as a central AuthZ server. Here is what the code looks like:

entity user {}

entity role {
    // Defines a relation where each role can be assigned to a user.
    relation assignee @user
}

entity resource {
    // Represents a relation where users (via their roles) can view all recipes.
    relation view_all @role#assignee
    // Represents a relation where users (via their roles) can edit all recipes.
    relation owner_view @role#assignee
    // same for edit,create,delete 2 each.
}

entity item {
    // Owner of item
    relation owner @user
    // Which group of resource item belongs to
    relation group @resource
    // view
    action view = group.view_all or (group.owner_view and owner)
    // same for edit,create,delete
}

Test Cases

- name: 1
  description: null
  checks:
    - entity: item:cookbook
      subject: user:2
      context:
        tuples:
          - item:cookbook#owner@user:2
          - item:cookbook#group@resource:recipe
      assertions:
        view: true
    - entity: item:cookbook
      subject: user:2
      context:
        tuples:
          - item:cookbook#owner@user:3
          - item:cookbook#group@resource:recipe
      assertions:
        view: false
    - entity: item:cookbook
      subject: user:1
      context:
        tuples:
          - item:cookbook#owner@user:3
          - item:cookbook#group@resource:recipe
      assertions:
        view: true

Instead of item and resource, I want to freely define entities like recipe, BUT since I require resource-level permissions like allowing access to ALL recipes to a role, I cannot do that because there is no wild-card. How can I achieve that? Is it possible to define that all recipe entities belong to resource id recipe, OR a way to define an action by entity id like action view = resource:recipe.view_all?

errant whale
#

Integrating Scenario-Specific Relationships and Attributes

autumn oxide
#

Hello everyone ! We have decided to use

novel rune
#

Hello again, a simple question: how do I check if an array is empty? I want to apply a rule on an attribute only if it has values.

autumn oxide
#

Hello again, a simple question, how to

open kayak
#

Hi all, I just learned about Permify and I am sketching out some example permission schemas, and after a prolonged session I am getting this error. After that, I export my schema to make sure I am not losing any information; however, I need to add all the data manually.

So a couple of things:

  1. Why does the application crash?
  2. Can I import my schema back?
  3. How about browser session cache?

I am not sure if I should file a github ticket directly so posting it here first.

errant whale
#

Hi all, I just learned about Permify and

zinc hornet
#

Hey! Is there any permify Admin UI to visualise the different relationships created between the entities?

oblique crystal
#

Can we deploy this on cloud run?

oblique crystal
oblique crystal
#

Where can I find the pricing for cloud offerings?

sleek flicker
#

Cloud Pricing

mossy gust
#

hi everyone

#

I'm trying to create

entity user {}

entity role {
    // Defines a relation where each role can be assigned to a user.
    relation assignee @user
}

entity collection {
    // Represents a relation where users (via their roles) can read the collection.
    relation read @role#assignee
    // Represents a relation where users (via their roles) can write the collection.
    relation write @role#assignee
    // Represents a relation where users (via their roles) can list the collection.
    relation list @role#assignee

    action read_record = read
    action write_record = write
    action list_record = list
}

but I'm getting an issue when I'm trying to add a relation between collection and role:
_, err = client.Data.WriteRelationships(context.Background(), &v1.RelationshipWriteRequest{
    TenantId: "stane-client",
    Metadata: &v1.RelationshipWriteRequestMetadata{
        SchemaVersion: "cq2112iclaambot7s1j0", // sr --> schema write response
    },
    Tuples: []*v1.Tuple{
        {
            Entity: &v1.Entity{
                Type: "collection",
                Id:   "c1",
            },
            Relation: "read",
            Subject: &v1.Subject{
                Type: "role",
                Id:   "1",
            },
        },
    },
})

#

any ideas?

#

ERROR_CODE_SUBJECT_TYPE_NOT_FOUND

autumn oxide
#

Schema not found

near rose
#

how do I allow or deny access to endpoints that list objects?

#

For example, I have an endpoint "search for company documents" that displays a list of documents. The use of this endpoint should only be available to employees.

#

Permify is built in such a way that I cannot find out if I have access to a document without specifying its specific ID. The endpoint that displays the list of documents simply does not have a specific ID.

near rose
#

How to check subject and object id or another attributes of the same entity?

autumn oxide
#

How to check subject and object id or

open kayak
#

Hi everyone, today I was doing some kind of backfill and I realized duplicate writes are not discarded. Does anyone know why this is the case? Is this a bug or is it intended for transactions? I had some concerns regarding this for performance reasons.

autumn oxide
#

Duplicate writes are not discarded

novel rune
autumn oxide
#

Do we have any git issue or thread to

molten egret
#

Hello! I'm trying to use Permify on AWS EKS using an RDS PostgreSQL instance as the database.
When the pod tries to start, it crashes with the message "server error: FATAL: Feature not supported: RDS Proxy currently doesn't support the option plan_cache_mode.". I googled it but found nothing... Do you have any clue what is happening and what I can do to get past this issue?
Thank you!

autumn oxide
#

Hello! I'm trying to use Permify on AWS

analog sand
#

Hello team!

Planning to use permify on prod.

However, I'm getting an error when trying to add attributes to the write data function:

ERROR_CODE_SCHEMA_NOT_FOUND

Any help would be appreciated. I am using the permify-node library here; however, this error was being thrown even when I was directly calling the API.

PS: everything works fine if I remove the attributes array:

const write_relationships = () => {
  client.data
    .write({
      tenantId: tenantId,
      metadata: {
        schemaVersion: schemaVersion,
      },
      tuples: [
        {
          entity: {
            type: "role",
            id: "admin",
          },
          relation: "assignee",
          subject: {
            type: "user",
            id: "1",
          },
        },
        {
          entity: {
            type: "role",
            id: "member",
          },
          relation: "assignee",
          subject: {
            type: "user",
            id: "1",
          },
        },
        {
          entity: {
            type: "recipe",
            id: "+",
          },
          relation: "viewer_all",
          subject: {
            type: "role",
            id: "admin",
            relation: "assignee",
          },
        },
        {
          entity: {
            type: "recipe",
            id: "+",
          },
          relation: "viewer_owned",
          subject: {
            type: "role",
            id: "member",
            relation: "assignee",
          },
        },
      ],
      attributes: [
        {
          entity: {
            type: "bake",
            id: "docs+",
          },
          attribute: "usecases",
          value: {
            type: "string[]",
            value: "ai_docs,actions",
          },
        },
      ],
    })
    .then((response) => {
      console.log(response);
    });
};
errant whale
#

Hello team!

limber matrix
#

question: the validate docs state that you can link to a schema in the schema: definition. If I do so, the linked schema seems to also be expected to have the same format as the validation file (containing schema in schema:, relations and so on). I thought the point here was to be able to separate the schema itself so you can pass it to curl / the API. Am I misunderstanding something?

limber matrix
#

another question: do you plan on distributing the python library on pypi?

limber matrix
limber matrix
limber matrix
#

I recall your documentation having a page covering authentication methods (openid, preshared, ..) and how to use them. I can't, for instance, find how to pass preshared secrets via headers and had to go look in the source code. Did it run away?

minor violet
# limber matrix i recall your documentation having a page covering authentication methods (openi...

You can check the Node auth token interceptor implementation at https://github.com/Permify/permify-node/blob/a40925572b6c9088d64497080bd6a4262e4cfa72/src/grpc/interceptors.ts#L15

For Python it is probably something similar to that.

silver wyvern
#

Invalid imports in root init.py · Is...

silver wyvern
#

i recall your documentation having a

analog sand
#

I want to use permify within a typescript project.

Is the permify-node SDK supported on TS?

autumn oxide
#

I want to use permify within a

river olive
#

Good day, is there a guide on installing Permify on a Linux environment? I have checked the docs and I can only see the docker local setup. I am planning to self host it on one of my Linux servers.

velvet wind
#

hi there, I started looking into Permify yesterday for a POC for a centralized authorization service. So far I am really liking the service and it seems like it might fit our use case. However, I have a quick question about Permify and Postgres: can I use managed identity for Azure resources to connect to the Postgres instance, so that I don't have a username + password lying around in a config?

analog sand
#

Hi team,

What exactly does the garbage collector do?

So in my setup, I am not using the snap tokens anywhere, so the latest snapshot of the data will be used for queries, etc.

Now, if I enable garbage collector, I am assuming it will be deleting the older snapshots of the data?

Or is there anything else the garbage collector does?

autumn oxide
#

garbage Collector

velvet wind
#

hi team,

We have a use case, that I think I have a solution for, but I want to confirm if this is best practice when utilizing Permify.

We are in a multi-tenancy environment; however, organizations within that tenant should be able to define their own roles based on a set of pre-defined permissions.

Let's say I have this simple schema and I have tenant t1 and organizations o1 and o2:

entity user {}

entity tenant {
    relation admin @user
}

entity organization {
    relation parent @tenant

    relation admin @user

    permission manage_organization = admin or parent.admin
}

for organization o1 this schema is fine, but for example, organization o2 does not want organization admins to be able to manage organizations, only tenant admins, so their schema will look like this:

entity user {}

entity tenant {
    relation admin @user
}

entity organization {
    relation parent @tenant

    relation admin @user

    permission manage_organization = parent.admin
}

The solution I have is to utilize the schema_version provided by the Write Schema endpoint and have a mapping table, managed outside of the Permify service, which will link organizations to schemas.

Does this seem like good practice when utilizing the Permify service?

#

I have another question about snap tokens: what is the scope of the snap tokens? i.e. does it take a snapshot of all the data in Permify, or is it a snapshot on a tenant level? I want to create a small redis read model that will manage the latest snap token, to ensure that I am utilizing the caching mechanism correctly and efficiently. I am just curious about what the best practice would be, i.e. is there just one snap token that I can put in the read model, or should I store snap tokens per tenant, for example?

autumn oxide
#

hi team,

autumn oxide
#

I have another question about snap

glass stone
#

Hi, I am testing whether I can use permify in our production application. There is going to be the concept of pages and followers. My question is: a page can have millions of followers and only followers are allowed to view the page. Every time a user follows a page, do we need to save the same information in the permify data store as well? Is there any way around it? Thanks in advance. Also, is there any organization which is using permify in their prod?

autumn oxide
#

Hi, I am testing whether I can use

sand rune
#

Hey, I have the following model and need to introduce the concept of active organization membership. This means that only members who are active can view the organisation. What's the best way of doing this? At first I thought to use attributes, but it would need to be an attribute of organization#member and this isn't possible AFAIK.

```
entity user {}

entity organization {
    relation member @user @organization#member

    action view = member
}
```

autumn oxide
#

Active organization membership

sand rune
#

Hey, given this example that I've exported from a test playground, can someone explain why the entity filtering test is failing?

Query: user:alice view_two organization, Expected: [acme], Actual: []

I expected that I would be able to use active_member in other actions and child entities to remove duplication...

velvet wind
#

so I think I finally have my use case down and how I can use it with Permify, but I want to confirm if this is best practice and will be performant.

essentially, we have the following structure:

  1. we are in a multi-tenancy environment.

  2. we have the following hierarchy:

     tenant
     organization
     site

  3. and let's say for this example I have two permissions which can be applied on each level of the hierarchy (in the real world there will be more):

     view_report
     manage_site

each of the hierarchies should be able to define custom roles which are only visible to that tenant, organization or site.

so if I have site s1 and site s2, s1 should be able to define roles which are not visible to s2. I managed to come up with the following schema, which seems to work.

for context, we have a couple of million users and roughly 100k MAU, so we expect traffic to be high.

velvet wind
# velvet wind so I think I finally have my use case down and how I can use it with Permify, bu...
schema: |-
  entity user {}

  entity role {
      relation assignee @user
  }

  entity tenant {
      relation view_report_role_bucket @role#assignee
      relation manage_role_bucket @role#assignee

      permission view_report = view_report_role_bucket
      permission manage_site = manage_role_bucket
  }

  entity organization {
      relation parent @tenant

      relation view_report_role_bucket @role#assignee
      relation manage_role_bucket @role#assignee

      permission view_report = view_report_role_bucket
      permission manage_site = manage_role_bucket
  }

  entity site {
      relation parent @organization

      relation view_report_role_bucket @role#assignee
      relation manage_role_bucket @role#assignee

      permission view_report = view_report_role_bucket
      permission manage_site = manage_role_bucket
  }
relationships:
  - role:s1_admin#assignee@user:u1
  - role:s2_admin#assignee@user:u2
  - site:s1#manage_role_bucket@role:s1_admin#assignee
  - site:s1#view_report_role_bucket@role:s1_admin#assignee
  - site:s2#manage_role_bucket@role:s2_admin#assignee
attributes: []
scenarios:
  - name: s1_admin_test
    checks:
      - entity: site:s1
        subject: user:u1
        context: null
        assertions:
          manage_site: true
          view_report: true
      - entity: site:s2
        subject: user:u1
        context: null
        assertions:
          manage_site: false
          view_report: false
  - name: s2_admin_test
    checks:
      - entity: site:s2
        subject: user:u2
        context: null
        assertions:
          manage_site: true
          view_report: false
      - entity: site:s2
        subject: user:u1
        context: null
        assertions:
          manage_site: false
          view_report: false
errant whale
#

Hey, given this example that I've

autumn oxide
sand rune
#

Are there any best practices or guidelines on modelling from a performance perspective? E.g. max recommended number of levels in hierarchies, expensive operators and their cheaper alternatives, etc.? I would like to be confident that there shouldn't be performance issues with the model before writing the authorization data to the permify db.

sand rune
#

Also the Share button on playground seems to be broken. This is the error shown in the console:

main.97774f44.js:2 Uncaught (in promise) Error: Vercel Blob: No token found. Either configure the `BLOB_READ_WRITE_TOKEN` environment variable, or pass a `token` option to your calls. at main.97774f44.js:2:4679963 at db (main.97774f44.js:2:4680096) at main.97774f44.js:2:4692283

autumn oxide
#

Also the Share button on playground

#

Is there any best practices or

radiant spruce
#

I am not able to bring the Permify server up and running using docker compose. Can anyone help me understand what I am missing? I am not getting any error messages; the container exits without any message. The only log I can see is

2024-08-15 11:55:20 ┌────────────────────────────────────────────────────────┐
2024-08-15 11:55:20 │                    Permify v1.0.1                      │
2024-08-15 11:55:20 │          Fine-grained Authorization Service            │
2024-08-15 11:55:20 │                                                        │
2024-08-15 11:55:20 │    docs: ............... https://docs.permify.co       │
2024-08-15 11:55:20 │    github: .. https://github.com/Permify/permify       │
2024-08-15 11:55:20 │    blog: ............... https://permify.co/blog       │
2024-08-15 11:55:20 │                                                        │
2024-08-15 11:55:20 └────────────────────────────────────────────────────────┘
radiant spruce
# radiant spruce I am not able to bring the Permify server up and running using docker compose. C...

Here is my configuration

guard:
    image: ghcr.io/permify/permify
    container_name: permify_guard
    environment:
      PERMIFY_DATABASE_ENGINE: postgres
      PERMIFY_DATABASE_URI: "postgres://username:password@postgres:5432/auth"
      PERMIFY_DATABASE_AUTO_MIGRATE: false
      PERMIFY_DATABASE_MAX_OPEN_CONNECTIONS: 20
      PERMIFY_AUTHN_ENABLED: true
      PERMIFY_AUTHN_METHOD: oidc
      PERMIFY_AUTHN_OIDC_ISSUER: "http://shield:8080/realms/examplerealm"
      PERMIFY_AUTHN_OIDC_AUDIENCE: exampleclientId
      PERMIFY_AUTHN_OIDC_REFRESH_INTERVAL: 10m
      PERMIFY_AUTHN_OIDC_BACKOFF_MAX_RETRIES: 5
      PERMIFY_AUTHN_OIDC_VALID_METHODS: "RS256"
      PERMIFY_LOGGER_LEVEL: info
      PERMIFY_SERVER_RATE_LIMIT: 100
      PERMIFY_SERVER_HTTP_ENABLED: true
      PERMIFY_SERVER_HTTP_PORT: 3476
      PERMIFY_SERVER_HTTP_TLS_ENABLED: false
      PERMIFY_SERVER_GRPC_PORT: 3478
      PERMIFY_SERVER_GRPC_TLS_ENABLED: false
    ports:
      - 3476:3476
      - 3478:3478
    networks:
      - custom_local_network
errant whale
#

Here is my configuration

worn kernel
#

Hi everyone & congratulations to the Permify team for the 1.0.0 release. Wish you a bright future with the product.

I am currently facing issues I can't explain. Using the Data API's write or delete endpoints (using both gRPC and REST) I get MAX_RETRIES_ERROR responses and looking at the Postgres database's log I see a lot of duplicate key violation errors for pk_transaction mostly being the reason for this.

The database was restored from a dump so maybe it is a fault on my side. How does Permify calculate the next transaction ID to insert? It seems this is broken on my end.

errant whale
#

Hi everyone & congratulations to the

spice basin
#

Hi everyone, I'm learning and reading the Permify docs, and I don't know how to implement this. I'm basing this on the "custom roles" playground example:

entity user {}

entity role {
    // Defines a relation where each role can be assigned to a user.
    relation assignee @user
}

entity task {
    // Represents a relation where users (via their roles) can view the task.
    relation view @role#assignee
    // Represents a relation where users (via their roles) can edit the task.
    relation edit @role#assignee
}

So, the problem that I'm facing is that if I have multiple tasks, I have to add multiple identical relations:
task:t1#view@role:r1#assignee
task:t2#view@role:r1#assignee
task:t3#view@role:r1#assignee
task:t4#view@role:r1#assignee

but for all resources it's the same relationship. Is there any way to use some sort of wildcard like task:*#view@role:r1#assignee?

autumn oxide
#

HI everyone, im learing and reading

primal elbow
#

Hey hey Permify, first off love your implementation of Zanzibar!

How are people handling data filtering? For example, you have blog articles. You want all articles that have an active status, that the user has access to.

On one hand, you query the database, get the IDs back and then ask Permify via lookup if they have access?
On the other hand you do the inverse: ask for all the ids back and then scope your filter query.

What kind of solutions have people looked into for these use cases? Is this generally out of the scope of Zanzibar? What about in cases with OpenSearch?

autumn oxide
#

Data Filtering

radiant spruce
#

I have entities user, space, page. page is part of space. I want to ensure owner of page is at least viewer of space. Is that possible?
I am writing something like this

entity space {
    relation owner @user
    relation admin @user
    relation editor @user
    relation commentor @user
    relation viewer @user

    permission delete = owner
    permission edit = owner or admin
    permission view = owner or admin or editor or commentor or viewer
    permission invite_admin = owner
    permission invite_member = owner or admin
}
entity page {
    relation owner @user @space#owner @space#admin @space#editor
    relation parent @page
    relation space @space

    permission edit = space.edit or space.editor
    permission view = space.view
    permission delete = owner or space.owner
}

but this doesn't guarantee the owner of a page has at least view permission in the space.

violet gazelle
#

Any guides or tips on how to integrate permify with authentik?

autumn oxide
#

Any guides or tips on how to integrate

hardy pike
#

Hello! I've been trying out permify this morning and so far things have been coming along well. I encountered an issue getting it connected to an OIDC authentication source. After it successfully parses the OIDC configuration, I get an error message saying "invalid or missing backoffFrequency". I tried googling the error but didn't find anything, and even checked the history here. Does anyone have any insight into how to address this?

2024-09-02 14:06:32 time=2024-09-02T19:06:32.521Z level=DEBUG msg="successfully decoded OIDC configuration"
2024-09-02 14:06:32 time=2024-09-02T19:06:32.521Z level=INFO msg="successfully parsed OIDC configuration" issuer=https://auth.internal.local jwks_uri=https://auth.internal.local/oauth/v2/keys
2024-09-02 14:06:32 time=2024-09-02T19:06:32.522Z level=ERROR msg="invalid or missing backoffFrequency"

OK. It looks like this is related to an undocumented configuration parameter BackoffFrequency time.Duration. Looks like a reasonable default here may be 1s or 5s?

errant whale
#

Hello! I've been trying out permify this

novel rune
#

Hello, is there a way to specify HTTP agent params in the TypeScript SDK?

silver wyvern
#

Hello, is there a way to specify HTTP

spice basin
#

Hello again! I'm trying to use a user that is not "postgres" (superuser) in a PostgreSQL database. It is a user with all permissions to modify a schema, tables, sequences, indexes, objects, etc., but when I use it for auto migrate (first database schema creation), it doesn't do anything. My question is: what special permissions are required for database creation?

Thanks in advance

autumn oxide
#

Hi @spice basin, the CREATEDB privilege might be required for that.

#

Specifically, in the docs it’s referred to as: “to create a database, you must be a superuser or have the special CREATEDB privilege.”

#

Could you try it?

spice basin
silver wyvern
spice basin
#

Hi again! I'm back with a multi-tenant question. I’m working on an authorization model with custom roles and custom objects (e.g., country, business, zone, etc., though the names aren't important). Some roles have specific permissions (view, read, create, list). For example, here are a few tuples:

object:business#view@role:viewer#members

object:country#create@role:manager#members

Additionally, for each object, I have another entity called an "instance," which is owned by a resource. Example:

entity object {
    ...
    permission view = objparent.view and directly_assigned
}

instance:business.1#objparent@object:business
instance:business.1#directly_assigned@user:u1

With this setup, I can ensure that instance:business.1 is owned by the object business, and if it’s directly assigned to the user, and the user has the viewer role, they can view the instance business.1. (If there's a simpler way to handle this, I’m open to ideas!)

The challenge I’m facing now is that this model needs to work the same way for every tenant, except that a user can belong to different tenants with different roles and be assigned different instances. The logic around roles is the same for every tenant, and I want to avoid duplicating the model and data tuples for each tenant (considering 2,000+ tenants for scaling this model).

Is there an efficient way to handle this? Am I misunderstanding something about REBAC modeling?

I’m aware that data bundles exist, but I believe they might be inefficient when I need to update the models for all tenants just to allow, for example, an admin to view the country object, or to add a new role or action.

Thanks in advance

autumn oxide
#

Hi again! I'm back with a multi-tenant

stark compass
#

Hi I'm trying out Permify for my authorization solution and here's my use case:

  • There is a ProjectGroup object, which contains multiple Projects and Folders.
  • The ProjectGroup owner is able to view and edit everything. But they usually just create projects and assign the project owners and let them do the rest.
  • The Project owner can view and edit the project. The main responsibility is to create folders, assign creator/reviewer and let them do the rest. (A folder does not belong to a project; they're in the group at the same level as a project.)
  • Lastly, the Folder owner can RW the folder and view can read the folder.

Here's my schema:

entity user {}

entity projectGroup {
    relation owner @user

    permission view = owner
    permission edit = owner
    permission project_create = owner
    permission folder_create = owner
    // permission folder_create = owner or project.owner
}

entity project {
    relation owner @user
    relation group @projectGroup

    permission view = owner or group.owner
    permission edit = owner or group.owner
}

entity folder {
    relation owner @user
    relation creator @user
    relation reviewer @user
    relation group @projectGroup

    permission edit = owner or group.owner
    permission question_create = creator or owner or group.owner
    permission view = reviewer or creator or owner or group.owner
}

How do I modify it so that I can grant the folder_create permission to the project owner?

autumn oxide
#

Hi I'm trying out Permify for my

hoary marten
#

👋 Trying to sign up for the Permify Console but looks like it's getting blocked

[email] is not allowed to access this application.
chrome wolf
#

Hi there, for the Helm file, I see there is uri_secret but there is no reference regarding the keys etc. that are needed for that secret

#

Is there any guide regarding how to connect to the deployed Permify (using helm)? Where are the token and secrets etc.?

autumn oxide
#

👋 Trying to sign up for the Permify

#

Is there any guid regarding how to

plush marlin
#

Hello guys, with the following configs:

tracer:
  enabled: true
  exporter: otlp
  endpoint: localhost:4318
  urlpath: v1/traces
  insecure: true

Traces collected from the permify instance don't seem to have the same trace id as the request they originated from.
Could anyone please help me on how to troubleshoot this? Thank you!

plush marlin
autumn oxide
#

These two should be the same but somehow

blazing iris
#

I have a question about mounting TLS certs inside of permify: where should they be mounted internally? Everywhere I try I get permission denied and I can't find anything in the documentation. Is there a way to get shell access inside the docker container? This is the error I'm getting: time=2024-09-27T15:27:36.802Z level=ERROR msg="open /config/certs/fullchain.pem: permission denied"

blazing iris
#

Do the certificates have to be owned by someone besides the underlying user that is running the permify docker user?

blazing iris
errant whale
#

I have a question for mounting tls certs

spice basin
#

Hi again! Is there any way to manage entities programmatically (create, delete)? I'm implementing a middleware that will manage the authorization schema. Currently, I've been thinking of somehow building the schema, based on my information stored in a db, with the same syntax permify needs and then pushing it, but it looks like a very artisanal implementation.

autumn oxide
#

Hi again! Is there any way to manage

trim sonnet
#

Hello everyone, I'm having trouble getting the authn preshared key working. I'm running postgres and permify with a docker compose file. Here's the relevant info from the compose file:

```
    image: 'ghcr.io/permify/permify:v1.1.0'
    container_name: permify
    restart: always
    depends_on:
      - postgres
    ports:
      - '3476:3476'
      - '3478:3478'
    environment:
      PERMIFY_DATABASE_ENGINE: postgres
      PERMIFY_DATABASE_URI: 'postgres://permifyuser:permifypassword@postgres:5432/permifydb'
      PERMIFY_DATABASE_GARBAGE_COLLECTION_ENABLED: 'true'
      PERMIFY_AUTHN_ENABLED: 'true'
      PERMIFY_AUTHN_METHOD: preshared
      PERMIFY_AUTHN_PRESHARED_KEYS: '["MY_TESTING_KEY"]'
```

And here's the curl command I'm trying with the error:

```
curl --location --request POST 'localhost:3476/v1/tenants/list' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer MY-TESTING-KEY' \
--data-raw '{
    "page_size": 20,
    "continuous_token": ""
}'
{"code":2, "message":"ERROR_CODE_MISSING_BEARER_TOKEN", "details":[]}
```

Here are the logs from the permify container:

```
2024-09-28T21:40:51.124438117Z time=2024-09-28T21:40:51.124Z level=INFO msg="started call" protocol=grpc grpc.component=server grpc.service=base.v1.Tenancy grpc.method=List grpc.method_type=unary peer.address=127.0.0.1:55660 grpc.start_time=2024-09-28T21:40:51Z grpc.time_ms=0.009
2024-09-28T21:40:51.124473884Z time=2024-09-28T21:40:51.124Z level=ERROR msg="finished call" protocol=grpc grpc.component=server grpc.service=base.v1.Tenancy grpc.method=List grpc.method_type=unary peer.address=127.0.0.1:55660 grpc.start_time=2024-09-28T21:40:51Z grpc.code=Unknown grpc.error=ERROR_CODE_MISSING_BEARER_TOKEN grpc.time_ms=0.072
```
tawdry viperBOT
#

This channel is connected to Olvy. Messages you send here will be added as feedback to the permify Olvy workspace.

spice basin
#

Hi! I'm deploying the service to my "production" environment and from permify I'm getting this error

┌────────────────────────────────────────────────────────┐
│                    Permify v1.1.1                      │
│          Fine-grained Authorization Service            │
│                                                        │
│    docs: ............... https://docs.permify.co       │
│    github: .. https://github.com/Permify/permify       │
│    blog: ............... https://permify.co/blog       │
│                                                        │
└────────────────────────────────────────────────────────┘
time=2024-10-02T20:41:46.449Z level=ERROR msg="Account ID is not set. Please fill in the Account ID for better support. Get your Account ID from https://permify.co/account"
time=2024-10-02T20:41:46.449Z level=INFO msg="🚀 starting permify service..."
time=2024-10-02T20:41:46.451Z level=INFO msg="WARN setDefaultQueryExecMode mode=cache_statement"
time=2024-10-02T20:41:46.451Z level=INFO msg="WARN setDefaultQueryExecMode mode=cache_statement"
time=2024-10-02T20:41:46.451Z level=INFO msg="WARN setPlanCacheMode mode=auto"
time=2024-10-02T20:41:46.451Z level=INFO msg="WARN setPlanCacheMode mode=auto"
time=2024-10-02T20:41:51.072Z level=ERROR msg="failed to migrate database" error="ERROR: permission denied for schema pg_catalog (SQLSTATE 42501)"
Error: ERROR: permission denied for schema pg_catalog (SQLSTATE 42501)

I'm not using the postgres user, so I need to give the specific permission to my custom user, but why does it need to read pg_catalog? Does it need additional permissions?

Thanks in advance

autumn oxide
#

error on deployment

sterile bobcat
#

I'm experiencing very high CPU use on a permify deployment when hit with SubjectPermission requests where the subject has no permission on the entity. The request will time out and then spike database and permify cpu use very high. Are there plans for an optimization on this front? Permify version is 1.1.2

errant whale
#

I'm experiencing very high CPU use on a

zinc hornet
#

Hey! Does anyone have an idea if it's feasible to connect Permify with an IAM solution like Keycloak? How do the user data and permissions map between the two applications?

autumn oxide
#

Keycloak connection

elder cosmos
#

Newbie alert: I am trying permify for the first time and have been stuck on this for a while. Can't figure out why the parent relation isn't working. An enterprise has admins and orgs belong to enterprises. So I added a relation like relation enterprise_admins @enterprise#admin. But this is not working. What am I missing here?

schema: |-
  entity employee {}

  entity organization {
      relation view_access @employee
      relation admin_access @employee

      relation owner @enterprise

      relation enterprise_admins @enterprise#admin
  }

  entity enterprise {
      relation admin @employee
  }

  entity customer {
      relation owner @organization

      permission can_view = owner.view_access or owner.admin_access or owner.enterprise_admins
      permission can_edit = owner.admin_access or owner.enterprise_admins
  }
relationships:
  - enterprise:ent1#admin@employee:eEntAdmin
  - organization:org1#owner@enterprise:ent1
  - organization:org1#view_access@employee:e1
  - organization:org1#admin_access@employee:e2
  - customer:c1#owner@organization:org1
attributes: []
scenarios:
  - name: admin_access_test
    checks:
      - entity: customer:c1
        subject: employee:eEntAdmin
        context: null
        assertions:
          can_view: true
          can_edit: true
      - entity: customer:c1
        subject: employee:e1
        context: null
        assertions:
          can_view: true
          can_edit: false
      - entity: customer:c1
        subject: employee:e2
        context: null
        assertions:
          can_view: true
          can_edit: true
      - entity: customer:c1
        subject: employee:e4
        context: null
        assertions:
          can_view: false
          can_edit: false
    entity_filters: []
    subject_filters: []
errant whale
#

Newbie alert: I am trying permify first

sand venture
#

Request details: flowName=GeneralOAuthFlow

#

tried logging out of google first and deleting my cookies

autumn oxide
#

Google log out

random jackal
#

Is permify-cli still in development? @autumn oxide @errant whale

blazing cloak
#

Hey 👋 - I'm trialing permify for our org with a combination of fine-grained attribute and role based auth. In our experiments the LookupSubject appears to grind to a halt when the permission is one that depends on an attribute. Is that expected behaviour and something we should avoid?

autumn oxide
#

Lookup subject

dim oyster
#

Hi 👋 , I'm interested in using permify to do authz in my app, and am currently going through the selection of possible solutions. Are there any available resources covering the size and performance of real world deployments?

sand venture
#

I don't see any further instruction on what I must do to connect starter to a github repository.

My org admin accepted and connected to a specific one and I am not sure what the next steps are.

sand venture
spice basin
#

Hi! I'm trying to add the Java SDK to my mvn project, but the dependency is not resolving... Is it still valid or updated? (I'm not using Gradle)

spice atlas
#

Hi, also posted here.. not sure that space is being watched: #1298278079323439114 message

These docs talk about the ability to add rules to entities: https://docs.permify.co/getting-started/modeling#using-attributes-across-entities. However, when I try this, I get this error:

Error: 10:22:expected token to be RELATION, PERMISSION, ATTRIBUTE, got RULE instead

Is this capability supported? Am I on the wrong version of permify? I'm running this through the latest permify container image.

autumn oxide
#

Modeling Authorization - Permify Docs

crude blade
#

what's wrong with my model:

```
entity room_action {
    relation role @role

    attribute l_room integer

    rule check_room() {
        this.l_room > 0
    }

    permission perform = role.is_effective and this.check_room()
}
```

autumn oxide
#

what's wrong with my model: ```entity

hallow thunder
#

Hey guys, I'm using the official Permify Helm chart to deploy it in my k8s cluster. Poking around the chart templates I realized that the HPA configuration that comes with the chart will not work, since the Deployment does not have a resources request/limit on it, and HPA actually needs them to scale up/down according to the k8s docs. Even if this were possible, based on the HPA scaling algorithm, it would be harder for the HPA to understand the usage of resources and this might lead us to face unexpected scaling events. Do you agree? Let me know if I'm wrong about it please

crude blade
#

Hi guys. I have a question: if I provide an attribute in the context of a check request, will it override the existing value in the db and run the check based on the provided value? I tried, and it only works when the attribute is new; it cannot override it temporarily.

normal lagoon
#

Hi all, I have a use case that uses Permify's grpc server. I have installed the python grpc library generated by buf.build however it does not seem to include the stubs. Was this on purpose or am I missing them somewhere? I am attempting to import stub classes from base.v1.service_pb2 but intellisense is not finding any

dusk raven
#

Hey there, I have an issue trying to test my schema, for some reason I cannot assert that a given attribute typed string[] contains a given value. Any idea? 🙏

A minimal example where the has_feature: true assertion always fails:

schema: >-
  entity user {}
  entity organization {
      relation admin @user
      // List of features enabled for the organization
      attribute features string[]
      permission has_feature = check_has_feature(features)
  }
  rule check_has_feature(features string[]) {
      context.data.feature in features
  }

relationships:
  - organization:1#admin@user:1
attributes:
  - organization:1$features|string[]:["premium", "test"]
scenarios:
  - name: "organization feature checks"
    description: "Test organization feature-related permissions"
    checks:
      - entity: "organization:1"
        subject: "user:1"
        context:
          data:
            feature: "premium"
        assertions:
          has_feature: true
      - entity: "organization:1"
        subject: "user:1"
        context:
          data:
            feature: "basic"
        assertions:
          has_feature: false
autumn oxide
#

Hi all, I have a use case that uses

spice basin
#

Hi! Is there any limit associated with the /data/write (API) tuples array? I'm getting a 400 bad request error when inserting more than 100 tuples.

unreal forum
#

Hi everyone!

I have this model:

entity plan {
    attribute maps_available integer
    attribute features string[]

    relation subscriber @user

    action create_maps = subscriber and maps_available(maps_available)
    action feature_available = subscriber and check_feature(features)
}

rule maps_available(maps_available integer) {
    context.data.maps_count < maps_available
}

rule check_feature(features string[]) {
    context.data.feature in features
}

When I run this permission check:

curl --location 'localhost:3476/v1/tenants/t1/permissions/check' \
--header 'Content-Type: application/json' \
--data '{
  "metadata":{
    "depth": 2000
  },
  "entity": {
    "type": "plan",
    "id": "1"
  },
  "permission": "create_maps",
  "subject": {
    "type": "user",
    "id": "1",
    "relation": ""
  },
  "context": {
    "data": {
        "maps_count": 1
    }
  }
}'

I got this error:

"proto: mismatched message type: got \"base.v1.BooleanValue\", want \"base.v1.IntegerValue\""

unreal forum
# unreal forum Hi everyone! I have this model: ``` entity plan { attribute maps_available...

These are the tuples and attributes I added to my DB.

tuples:

{
    "tuples": [
        {
            "entity": {
                "type": "plan",
                "id": "1"
            },
            "relation": "entitlements",
            "subject": {
                "type": "plan_entitlement",
                "id": "1",
                "relation": ""
            }
        },
        {
            "entity": {
                "type": "plan",
                "id": "1"
            },
            "relation": "subscriber",
            "subject": {
                "type": "user",
                "id": "1",
                "relation": ""
            }
        }
    ],
    "continuous_token": ""
}

attributes:

{
    "attributes": [
        {
            "entity": {
                "type": "plan",
                "id": "1"
            },
            "attribute": "maps_available",
            "value": {
                "@type": "type.googleapis.com/base.v1.IntegerValue",
                "data": 3
            }
        },
        {
            "entity": {
                "type": "plan",
                "id": "1"
            },
            "attribute": "features",
            "value": {
                "@type": "type.googleapis.com/base.v1.StringArrayValue",
                "data": [
                    "csv_reports",
                    "new_feature"
                ]
            }
        }
    ],
    "continuous_token": ""
}
unreal forum
#

Is someone using string array attributes in the entities?

The validation action does not seem to be working, or I'm not using the correct syntax.

Here is my validation YAML file:


entity user {}

entity plan {
    attribute maps_available integer
    attribute features string[]

    relation subscriber @user

    action create_maps = subscriber and maps_available(maps_available)
    action feature_available = subscriber and check_feature(features)
}

rule maps_available(maps_available integer) {
    context.data.maps_count < maps_available
}

rule check_feature(features string[]) {
    context.data.feature in features
}

relationships:
  - plan:1#subscriber@user:1

attributes:
  - plan:1$maps_available|integer:3
  - plan:1$features|string[]:[csv_reports, advanced_search]

scenarios:
  - name: "scenario 1"
    description: "User with plan 1 can use CSV reports"
    checks:
      - entity: "plan:1"
        subject: "user:1"
        assertions:
          feature_available: true
        context:
          data:
            feature: csv_reports

I keep getting `fail: user:1 feature available plan:1 -> expected: allowed actual: denied `
thick blaze
#

Hi,
this is Pawan.
I am working on a project where I need to use Permify for access control.
In my project, as admin I can create multiple documents, videos and other things, and I can give multiple users access to particular material on my site.
But I am confused about how to integrate Permify here to manage access control, so that a user can access only the specific material on my site that they have been given access to.

I am using React as the frontend and DRF as the backend.

crude blade
#

Hi guys. I'm trying to use bundles. Can I write a condition statement when writing a bundle?

worthy eagle
#

Hello everyone. I'm trying to make role hierarchies. For example:

manager > staff > intern.

Any permissions that the intern has should also be available to the staff and manager.
How do I model this?
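One way to express "everything a lower role may do, every higher role may do too" in Permify's DSL is to declare one relation per role and chain the roles with `or` in each permission. The generator below is an added example (not from the thread or the Permify project); the entity, role and permission names are constructed for illustration, and it works for any number of roles, not just the three above.

```python
"""Generate a Permify entity in which permissions granted to a lower role are
inherited by every role above it (manager > staff > intern).

Added example, not part of the original thread. Entity, role and permission
names are constructed; the emitted DSL uses the plain "or"-chaining idiom.
"""
from typing import Dict, List


def render_role_hierarchy_schema(entity: str, roles_high_to_low: List[str],
                                 permissions: Dict[str, str],
                                 subject: str = "user") -> str:
    """Return Permify DSL text for `entity`.

    roles_high_to_low lists roles from most to least privileged.
    permissions maps a permission name to the *lowest* role allowed to use it;
    every role above that one inherits it automatically.
    """
    if len(set(roles_high_to_low)) != len(roles_high_to_low):
        raise ValueError("duplicate role names")
    rank = {role: i for i, role in enumerate(roles_high_to_low)}
    lines = [f"entity {subject} {{}}", "", f"entity {entity} {{"]
    for role in roles_high_to_low:
        lines.append(f"    relation {role} @{subject}")
    lines.append("")
    for perm, min_role in permissions.items():
        if min_role not in rank:
            raise ValueError(f"unknown role {min_role!r} for permission {perm!r}")
        # every role at or above the minimum role is granted the permission
        grantees = [r for r in roles_high_to_low if rank[r] <= rank[min_role]]
        lines.append(f"    permission {perm} = {' or '.join(reversed(grantees))}")
    lines.append("}")
    return "\n".join(lines)


def role_can(roles_high_to_low: List[str], permissions: Dict[str, str],
             role: str, perm: str) -> bool:
    """Local check of the inheritance rule: does `role` hold `perm`?"""
    rank = {r: i for i, r in enumerate(roles_high_to_low)}
    return rank[role] <= rank[permissions[perm]]


# Constructed sample hierarchy and permissions.
ROLES = ["manager", "staff", "intern"]
PERMISSIONS = {"view_tasks": "intern", "assign_tasks": "staff", "approve_budget": "manager"}

if __name__ == "__main__":
    print(render_role_hierarchy_schema("team", ROLES, PERMISSIONS))
```

With the sample data this emits `permission view_tasks = intern or staff or manager`, `permission assign_tasks = staff or manager` and `permission approve_budget = manager`, so a `manager` tuple alone satisfies every permission while an `intern` tuple satisfies only `view_tasks`.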

broken badge
#

Hi, I'm looking to build an authorisation service that is ideally self-serve for non-technical users, e.g. product managers can define the roles they want for the products they own. I love the playground, which makes it very easy and intuitive to build a new schema, but what about reviewing and updating schemas? Is there an option to import an existing schema into the playground, or any examples of building a management UI on top of the schema API? Thanks!

radiant spruce
#

Is it possible to get the timestamp at which a subject was added to an entity with permission x?

plush moat
#

Hi 👋🏼

I'm currently investigating some performance issues in my architecture.
I use Permify's tracing capabilities, and we noticed that sometimes the "connect" operation to the DB is the bottleneck.
Moreover, I can see that this operation is repeated many times for a single Permission/Check request.

Did you already encounter such behavior? If yes, how did you overcome it?


oblique plinth
#

Hey! I am trying to integrate Permify (self-hosted) into a Spring Boot Project. Consequently the Java SDK would be more than helpful. I (maybe naively) assumed that the SDK would be published on Maven Central, but this does not seem to be the case.
Is the only way to install the SDK to manually download the package from https://github.com/Permify/permify-java ? Or is the SDK hosted in some (Maven) repository?

Would really appreciate any info on this 🙏

oblique plinth
# oblique plinth Hey! I am trying to integrate Permify (self-hosted) into a Spring Boot Project. ...

Okay, after taking a further look into the files, and checking previous discussion, it seems that the package is published to "GitHubPackages". While this is great, as far as I can see, a PAT is needed to even download the package via said package repository. This seems very unfortunate for deployment. So I should rephrase my question to: Is the package also published in a "fully public" way (accessible without a GitHub account)? 🤔
Again, thanks in advance for any help!

sleek sandal
#

Hi everyone, new to Permify here. We are experimenting with a couple of OSS IAM platforms for our SaaS application. We are expecting a tool which can deliver something similar to AWS's IAM, where

  1. There are multiple organisations (multi-tenant), and under each organisation you can have groups,
  2. You can attach permissions to the groups,
  3. A user can be a part of multiple groups,
  4. Standalone permissions can be set for users not part of any group, etc. Basically complete control over how we want to mix and match access to the resources.

I guess Permify's authorization seems to cover these aspects of entity modelling and evaluating permissions. Is there any UI for Permify where the user dynamically selects some policies and the policies are attached to the user's entity, and similarly to the group as well? Similar to how it happens in AWS IAM: there are pre-made policies, those policies are attached to the user or group by selecting them, and a new permission is created for the user and group. How can we achieve this functionality with Permify? Are there any resources for this? Any help or guidance is appreciated.

P.S.: We are evaluating Keycloak, Cerbos and a couple of other tools for this use case as well.

analog sand
#

Hi team,

Have we deprecated using request.<key_name> for passing the context inside schema?

All my schemas are now not working inside permify playground.

analog sand
#

Also, facing issues with the Python SDK.

Getting an error while running pip install git+https://github.com/Permify/permify-python.git

Tried to debug it and found this when using setup.py:

 Traceback (most recent call last):
   File "<redacted>/permify-python/setup.py", line 25, in <module>
     VERSION = os.environ.get("PACKAGE_VERSION").split('/')[-1]
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 AttributeError: 'NoneType' object has no attribute 'split'

I am using Python 3.11.

oblique plinth
#

Hello,

I have a general question to the modeling capabilities, regarding custom roles.

What (by my understanding) Permify offers: "Entity-Instance bound" custom roles.

What I mean by that:
I can define a custom role that has certain permissions and assign users to it. But this custom role is always bound to one instance of an entity/resource.
So, assuming I have an entity type project with one specific project with the id 27, I can have a role named project-27_member, which defines (custom) permissions for, and only for, project 27.

What I want to achieve: Having a general "project_member" custom role

Being a role with defined permissions, but without an entity-instance attached. This way I can give different users the same role, but for different entity-instances.
So, e.g.:

  • The role "project_member" with the (assumed) permissions "view" and "edit" of the entity class project (no entity-instance attached)
  • user 1 has the role project_member for entity project with entity-id 27
  • user 2 has the same role "project_member" for entity class project, but with entity-id 28

This would eliminate the need to have one role per entity-instance.

Even after searching through the docs and playing around with the Playground, I have not found a way to achieve this. Am I missing something or am I correct, and something like this would need to be put in the application, since Permify does not support such "general" / "entity-unbound" custom roles?

Sorry for the long post, I would appreciate any insights!
Thanks!

lapis adder
#

if my DSL is something like this:

entity user {}

entity group {
  relation supervisor @user
  relation member @user
}

entity submission {
  relation owner @user
  action view owner
}

Is it possible to declare that a supervisor can view a submission as long as one of the members can? (Is this supported?)

(I was wondering if there was a way to not add another group relation to submission.)

lucid steeple
#

Hello,

I am currently trying to deploy Permify within my GKE cluster (on Google Cloud) among my microservices.

However, I am encountering the following error with the container, which keeps crashing:
level=ERROR msg="failed to migrate database" error="pinging pools failed: write pool ping failed: context deadline exceeded"

Here is my Permify configuration:

server:
  rate_limit: 100
  http:
    enabled: true
    port: 3476
  grpc:
    port: 3478

logger:
  level: info

database:
  engine: postgres
  uri: postgres://permify:XXXXXXX@cloud-sql-proxy/permify_db
  max_open_connections: 20
  max_idle_connections: 1
  max_connection_lifetime: 300s
  max_connection_idle_time: 60s
  garbage_collection:
    enabled: true
    interval: 200h
    window: 200h
    timeout: 5m

distributed:
  enabled: true
  address: "kubernetes:///permify.microservices-namespace"
  port: "5000"

Please note that cloud-sql-proxy is a proxy that allows my containers to access my Cloud SQL instance. The credentials seem correct, but it seems the connection to PostgreSQL is still failing.

Have you encountered this issue with Google proxies before? I am using this proxy image provided by Google:
gcr.io/cloudsql-docker/gce-proxy:1.33.2

To confirm, the connection works properly from other containers besides Permify.

wanton hinge
# lucid steeple Hello, I am currently trying to deploy Permify within my GKE cluster (on Goog...

Hey @lucid steeple, can you try adding plan_cache_mode=disable to your database URI, as discussed here:
https://github.com/Permify/permify/issues/1340

GitHub

Describe the bug Hello! I'm trying to use Permify on AWS EKS using an RDS PostgreSQL instance as database. When the pod try to start, it crashed after a while with the error message: msg="...

bold falcon
#

Has anyone undertaken any research into the code changes required to configure a global schema for all tenants?

nimble trench
#

Hey nice people of the Permify community, I'm trying to model something and I feel I am missing a simple detail that makes my use case not work.

I'm currently trying to get a recursive policy based on this, and I ended up with something like this:

entity identity {}

entity partition {
  relation parent @partition

  relation admin @identity @partition#admin
  relation member @identity

  action view = admin or parent.view
}

entity camera {
  relation parent @partition

  relation admin @identity

  // permissions
  permission view   = admin or parent.view
  permission delete = admin
}

And this as relations:

  • camera:C1#parent@partition:P11
  • camera:C2#parent@partition:P11
  • camera:C2#parent@partition:P21
  • camera:C3#parent@partition:P21
  • camera:C4#parent@partition:P22
  • partition:P22#parent@partition:P2
  • partition:P21#parent@partition:P2
  • partition:P11#parent@partition:P1
  • partition:P2#parent@partition:PR
  • partition:P1#parent@partition:PR
  • partition:PR#admin@identity:UIDR
  • partition:P1#admin@identity:UID1
  • partition:P2#admin@identity:UID2
  • partition:P11#admin@identity:UID11
  • partition:P21#admin@identity:UID21
  • partition:P22#admin@identity:UID22

Now I would expect my identity UID22 NOT to have access to C1, as it doesn't have a parent tree where it is admin, but the playground is giving me "true". What did I miss?

fallen quest
#

Hello! I'm working on a Permify project that will have a development environment. Is there a good way to seed the database for local development? I haven't come across anything in the docs, but based on what I've seen, the best option seems to be making a curl request on docker compose up. Does this seem like the best way to do this, or is there a better way?

cheers!

flint forge
#

Hello everyone!
My team is working on building a ReBAC centralized authorization system, and we're looking to self-host an open-source solution. Currently, we're testing some PoCs, with our main options being Permify Community and SpiceDB. We're running these on a K8s cluster on GKE in our development environment and conducting load tests to evaluate their performance.

Our performance for Permify is really bad, and we are probably doing something wrong! I really prefer Permify's schema language over SpiceDB's, but if we can't fix this performance I don't think we will have much choice. Anyone care to help?

Our setup is quite simple, we followed this page and have a service and a deployment, with "distributed" config "off" for now.

Our simple load test consists of clearing existing data and then sending Y requests/s for X seconds in two stages: first we only write relation tuples with /data/write, with ids like user_1, user_2 for each request; and then we check permissions. For each write request we have 1 check request. Each write has 4 tuples and each check has a depth of 3 or 4.

When running 500 req/s to 10 pods, Permify shows a p50 of 1.7s and p95 of 3.9s for the check requests, whereas SpiceDB shows a p50 of 24ms and p95 of 671ms. Both are using a PostgreSQL DB with the same CPU/RAM resources, and the deployments/pods have identical resources as well. CPU/RAM doesn't seem to be the bottleneck, as the DB is staying below 50% CPU usage with plenty of free RAM, and the pods also don't come close to the requested resources on k8s. We are mainly interested in the check performance, as our use case is more read-heavy.

I will omit schema and further details so this message doesn't grow any longer but can share more details in the thread if any one engages.
Thank you!

wheat sail
#

Hello,
We are working on building a PoC for Permify. We have got Permify running in Docker locally via HTTP. Now, by setting TLS on to make it serve HTTPS, it has trouble starting. Since there aren't enough log messages, we cannot find a reason why it fails. The cert and key files generated by OpenSSL are in the right place on the Docker mount, and we confirmed the cert files several times.
Does anyone have an idea about this issue?

2025-01-29 09:09:44 time=2025-01-29T08:09:44.314Z level=WARN msg=setPlanCacheMode mode=auto
2025-01-29 09:09:44 time=2025-01-29T08:09:44.314Z level=WARN msg=setPlanCacheMode mode=auto
2025-01-29 09:09:44 time=2025-01-29T08:09:44.320Z level=INFO msg="🗑️ starting database garbage collection..."
2025-01-29 09:09:44 time=2025-01-29T08:09:44.328Z level=INFO msg="🚀 grpc server successfully started: 3478"
2025-01-29 09:09:44 time=2025-01-29T08:09:44.328Z level=INFO msg="🚀 invoker grpc server successfully started: 5000"
2025-01-29 09:09:47 time=2025-01-29T08:09:47.331Z level=ERROR msg="context deadline exceeded"
2025-01-29 09:09:47 time=2025-01-29T08:09:47.332Z level=ERROR msg="context canceled"

thick blaze
#

Hi,

can anyone help me with this delete API:
http://localhost:3476/v1/tenants/t4/data/delete
My API input parameter:
{
"metadata": {
"schema_version": "cucsttg9jpl52jdfah0",
"snap_token": "CTzSHOkpHxg="
},
"tuple_filter": {
"entity": {
"type": "folder",
"id": "4"
},
"relation": "viewer",
"subject": {
"type": "user",
"id": "1"
}
},
"attribute_filter": {}
}

Which input do I need to pass to this API?
I am trying to delete only one relation between user 1 and folder 1, but somehow it deletes all the relations of that folder (folder 1) with other users.

Thanks in advance.
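Permify's Data Delete API takes its `tuple_filter` entity and subject references as `ids` lists (`{"type": "user", "ids": ["1"]}`), and an empty `ids` list matches every id, so a filter that only narrows on entity type and relation removes every matching relationship. The helper below is an added example (not from the post above and not Permify's own code): it builds a narrow filter, lints a filter for keys the filter message does not define, and previews locally which stored tuples a filter would match. The stored tuples are constructed, and the assumption that the server ignores unknown keys is labelled in the code.

```python
"""Build a Permify Data Delete tuple_filter that removes exactly one
relationship, and preview locally which stored tuples it would match.

Added example; not from the original post and not part of Permify. The
request shape (entity.ids / subject.ids lists under tuple_filter) follows the
Data Delete API; the preview matcher is a local approximation, and the claim
that the server ignores keys it does not define (such as a singular "id") is
an assumption, not documented behaviour.
"""
from typing import Dict, Iterable, List

# Constructed sample: relationships stored for folder:4 before the delete.
STORED_TUPLES = [
    {"entity": {"type": "folder", "id": "4"}, "relation": "viewer",
     "subject": {"type": "user", "id": "1", "relation": ""}},
    {"entity": {"type": "folder", "id": "4"}, "relation": "viewer",
     "subject": {"type": "user", "id": "2", "relation": ""}},
    {"entity": {"type": "folder", "id": "4"}, "relation": "editor",
     "subject": {"type": "user", "id": "1", "relation": ""}},
]

# Fields the TupleFilter message defines for its entity / subject parts.
FILTER_REF_KEYS = {"type", "ids", "relation"}


def build_delete_filter(entity_type: str, entity_ids: Iterable[str], relation: str,
                        subject_type: str, subject_ids: Iterable[str],
                        subject_relation: str = "") -> Dict:
    """A tuple_filter that matches only the given entity/relation/subject ids."""
    return {
        "entity": {"type": entity_type, "ids": list(entity_ids)},
        "relation": relation,
        "subject": {"type": subject_type, "ids": list(subject_ids),
                    "relation": subject_relation},
    }


def delete_request_body(tuple_filter: Dict, schema_version: str = "",
                        snap_token: str = "") -> Dict:
    """Full POST body for /v1/tenants/{tenant}/data/delete."""
    return {"metadata": {"schema_version": schema_version, "snap_token": snap_token},
            "tuple_filter": tuple_filter, "attribute_filter": {}}


def lint_filter(tuple_filter: Dict) -> List[str]:
    """Flag keys that are not TupleFilter fields; a singular "id" is the usual slip."""
    problems = []
    for part in ("entity", "subject"):
        for key in tuple_filter.get(part, {}):
            if key not in FILTER_REF_KEYS:
                problems.append(f"{part}.{key!r} is not a TupleFilter field; "
                                f"{part} ids are not narrowed by it")
    return problems


def _ref_matches(ref_filter: Dict, ref: Dict) -> bool:
    """Empty ids / empty relation act as wildcards; unknown keys are ignored (assumed)."""
    if ref_filter.get("type") and ref_filter["type"] != ref["type"]:
        return False
    ids = ref_filter.get("ids") or []
    if ids and ref["id"] not in ids:
        return False
    want_rel = ref_filter.get("relation") or ""
    return not want_rel or want_rel == ref.get("relation", "")


def preview_delete(tuple_filter: Dict, stored: List[Dict]) -> List[Dict]:
    """Tuples the filter would remove (local simulation of the server's matching)."""
    hits = []
    for t in stored:
        if tuple_filter.get("relation") and tuple_filter["relation"] != t["relation"]:
            continue
        if _ref_matches(tuple_filter.get("entity", {}), t["entity"]) and \
                _ref_matches(tuple_filter.get("subject", {}), t["subject"]):
            hits.append(t)
    return hits


if __name__ == "__main__":
    narrow = build_delete_filter("folder", ["4"], "viewer", "user", ["1"])
    print("narrow filter removes", len(preview_delete(narrow, STORED_TUPLES)), "tuple(s)")
    loose = {"entity": {"type": "folder", "id": "4"}, "relation": "viewer",
             "subject": {"type": "user", "id": "1"}}
    print(lint_filter(loose))
    print("loose filter removes", len(preview_delete(loose, STORED_TUPLES)), "tuple(s)")
```

A cheap safety net before any delete is to run the same filter through the relationship read endpoint first and confirm the result set is the one you expect; the local preview above is only a stand-in for that round trip.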

fallen quest
#

Is there a way to add attributes to an entity-subject relationship?

For instance, I have this one ->

  • plan_entitlement:can_share#plan@plan:pro

I know I can add attributes to the entity,

like so -> - plan_entitlement:share_maps$quota|integer:3

But I would like to figure out if Permify supports adding them to specific relationships. Does anyone know?

nimble trench
#

Authorization on endpoints:
So, a question we had at work: we want to prevent people from pushing to the Data endpoint(s) to change policies/data (we have a dedicated system for this) while still allowing them to query the Check and Filtering endpoints. Is it possible to do that out of the box with Permify, or do we have to wrap the Permify API in our own authz layer?

split pivot
#

Hi there, I see some differences in the docs on the permify website vs the github repo. Which one is up-to-date? For example the writing relationships (https://docs.permify.co/api-reference/data/write-data) on website uses Data.Write but the example in github uses WriteRelationships (https://github.com/Permify/permify-go/tree/master?tab=readme-ov-file#write-relationships).

quasi heath
#

How do I connect the Permify Docker image to my PostgreSQL database?
I have tried using this, but it won't work: my schemas and relations are not getting reflected in the PostgreSQL database.
docker run -p 3476:3476 -p 3478:3478 -e PERMIFY_DATABASE_URI=postgres://myuser:mypassword@localhost:5439/mydb ghcr.io/permify/permify

nimble trench
#

that initialized the DB properly then allowed us to use it

karmic remnant
#

We have thousands of companies, each of which will create thousands of projects: one company can have multiple projects, each project can have its own roles (could be 20 roles) and be shared with any user by email, and based on their access they will see field-based data, for example for cost center they will see columns/attributes/fields based on access. We can have tens of thousands of users. How do we achieve this using Permify?

echo parcel
#

We have a scenario where we want to perform 2 delete operations: "delete relationships where team X is subject" and "delete relationships where team X is entity". We would like to convert this to a single API call to avoid consistency issues, and we looked into Data bundles, but it seems to me this kind of delete is not possible, as the syntax forces you to pass a specific subject/entity. Is there a way I could convert these 2 delete operations into a single API call?

split pivot
#

I would like to compare using golang (permify grpc) a given schema string with the current schema in the DB and see if they are equal. The flow I'm looking for is: 1) check if read schema returns something, if it says no schema found then continue writing new schema, if error then return error 2) if schema found then do a simple diff 3) if diff is empty then do nothing, if non-empty then do some business logic.

I'm stuck at how to check if the error on Read Schema is SchemaNotFound. How do I do that?

spark fossil
#

Hello,

I am doing a POC with Permify to see if it fits our needs in terms of ReBAC. I was trying to benchmark the distributed mode of Permify but I am unable to make it work. I have a setup with 3 replicas in Kubernetes and a PostgreSQL database to back it up. When I try to call the Check Permission endpoint I get the following error:

{"code":4,"message":"rpc error: code = DeadlineExceeded desc = received context error while waiting for new LB policy update: context deadline exceeded","details":[]}

I searched issues on the grpc-go GitHub with error messages like this and they said to enable further logging from grpc-go, which I did with the following env var:

export GRPC_GO_LOG_VERBOSITY_LEVEL=99
export GRPC_GO_LOG_SEVERITY_LEVEL=info

Do you have any idea what could cause these errors? I linked the logs when I tried to do the Check Permission call and my config.yaml.
Thank you

thick blaze
#

How to Track and Restore Schema Changes in Permify?
I am using Permify with PostgreSQL for my authorization system, and I want to track all schema changes over time. Specifically, I need to:

  1. List all past schema versions to track modifications.
  2. Retrieve an older schema version to compare with the current one.
  3. Audit schema changes in PostgreSQL to monitor who modified what and when.
  4. Restore deleted relations in case an accidental change removes permissions or entities.

What I Need Help With:
Does Permify have built-in tools to restore deleted relations automatically?
What’s the best way to store schema audit logs for long-term tracking?
Any best practices for version control in Permify + PostgreSQL?

If anyone has experience handling schema history in Permify, I’d love to hear your approach!

Thanks in advance.

plucky pike
#

docker run -d --expose=3476 --name matterpremify_0_1e5726ee -e WEBSITE_USE_DIAGNOSTIC_SERVER=false -e WEBSITES_ENABLE_APP_SERVICE_STORAGE=false -e WEBSITES_PORT=3476 -e WEBSITE_SITE_NAME=matterPremify -e WEBSITE_AUTH_ENABLED=False -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_HOSTNAME=matterpremify.azurewebsites.net -e WEBSITE_INSTANCE_ID=d346e83a11f865b02dfad99cef3a51d9988261b8d8e0447eeaffbea05dacfd0e ghcr.io/permify/permify:latest REDACTED
2025-02-18T09:20:55.610Z INFO - Logging is not enabled for this container.
Please use https://aka.ms/linux-diagnostics to enable logging to see container logs here.
2025-02-18T09:20:58.200Z INFO - Initiating warmup request to container matterpremify_0_1e5726ee for site matterpremify
2025-02-18T09:20:58.260Z INFO - Container matterpremify_0_1e5726ee for site matterpremify initialized successfully and is ready to serve requests.


#

{"code":5,"message":"Not Found","details":[]}

#

I need to know how I can use it.

wind temple
#

Hi everyone, I'm currently integrating with the Permify Server using the permify-java SDK. If I'm not mistaken, the SDK doesn't include a gRPC client. I was wondering if there are any plans to enhance the SDK by adding gRPC client support?

quasi heath
#

Is there no syntax to encode and store data for attributes in the TS SDK?

While I found this for Node:
const booleanValue = BooleanValue.fromJSON({ data: true });

const value = Any.fromJSON({
typeUrl: 'type.googleapis.com/base.v1.BooleanValue',
value: BooleanValue.encode(booleanValue).finish()
});

but

"BooleanValue" is not found in the permify-typescript npm library.

quasi heath
#

I am getting this error when I do an attributes dataWrite in the TypeScript SDK:
Error writing data: ResponseError: Response returned an error code
at DataApi.<anonymous> (/Users/shivamsikotra/Shivam/structure-backend/node_modules/.pnpm/permify-typescript@1.0.0/node_modules/permify-typescript/dist/runtime.js:166:19)
at Generator.next (<anonymous>)
at fulfilled (/Users/shivamsikotra/Shivam/BM/BuildMacro-Work/structure-backend/node_modules/.pnpm/permify-typescript@1.0.0/node_modules/permify-typescript/dist/runtime.js:18:58)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
response: Response {
status: 404,
statusText: 'Not Found',
headers: Headers {
'content-type': 'application/json',
vary: 'Origin',
date: 'Thu, 20 Feb 2025 12:56:57 GMT',
'content-length': '70'
},
body: ReadableStream { locked: false, state: 'readable', supportsBYOB: true },
bodyUsed: false,
ok: false,
redirected: false,
type: 'basic',
url: 'http://localhost:3476/v1/tenants/t1/data/write'
}
}
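The attribute questions in this thread (the `BooleanValue`/`IntegerValue` mismatch earlier, the Node `Any` encoding above, and the write that fails on the TypeScript SDK) all come down to the same requirement: the value written for an attribute must be wrapped in the protobuf `Any` type that matches the attribute's declared schema type, such as `type.googleapis.com/base.v1.IntegerValue` for `integer` and `base.v1.StringArrayValue` for `string[]`, exactly as the read output earlier in this thread shows. Over the REST endpoint that is a plain JSON object with `@type` and `data`, so no SDK-specific encoder is needed. The module below is an added example, not from the thread and not one of the Permify SDKs: it reads the `attribute` declarations out of a schema with a small regex (an illustration, not Permify's parser), builds a correctly typed `attributes` entry, and rejects a value whose JSON type does not match the declaration before the request is sent. `PLAN_SCHEMA` is copied from the thread.

```python
"""Build typed attribute values for Permify's /v1/tenants/{tenant}/data/write
so that the protobuf Any type URL matches the attribute's declared schema type.

Added example; not from the thread and not one of the Permify SDKs. The
base.v1 value type URLs are the ones Permify uses (IntegerValue and
StringArrayValue appear in the read output earlier in this thread); the
schema parser is a deliberately small regex over `attribute <name> <type>`
declarations and is an illustration, not Permify's parser.
"""
import json
import re
from typing import Any, Dict, Iterable

TYPE_URL_PREFIX = "type.googleapis.com/base.v1."


def _list_of(value: Any, kind: type) -> bool:
    # bool is a subclass of int in Python, so an integer[] must reject True/False
    return isinstance(value, list) and all(
        isinstance(x, kind) and not (kind is int and isinstance(x, bool)) for x in value)


# Declared schema type -> (Any message name, predicate the JSON value must satisfy)
ATTRIBUTE_TYPES: Dict[str, tuple] = {
    "boolean":   ("BooleanValue",      lambda v: isinstance(v, bool)),
    "integer":   ("IntegerValue",      lambda v: isinstance(v, int) and not isinstance(v, bool)),
    "double":    ("DoubleValue",       lambda v: isinstance(v, float)),
    "string":    ("StringValue",       lambda v: isinstance(v, str)),
    "boolean[]": ("BooleanArrayValue", lambda v: _list_of(v, bool)),
    "integer[]": ("IntegerArrayValue", lambda v: _list_of(v, int)),
    "double[]":  ("DoubleArrayValue",  lambda v: _list_of(v, float)),
    "string[]":  ("StringArrayValue",  lambda v: _list_of(v, str)),
}

_ENTITY_RE = re.compile(r"entity\s+(\w+)\s*\{(.*?)\}", re.S)
_ATTR_RE = re.compile(r"^\s*attribute\s+(\w+)\s+(\w+(?:\[\])?)", re.M)

# Schema from the plan/feature posts in this thread.
PLAN_SCHEMA = """entity user {}

entity plan {
    attribute maps_available integer
    attribute features string[]

    relation subscriber @user
}
"""


def declared_attributes(schema: str) -> Dict[str, Dict[str, str]]:
    """entity name -> {attribute name: declared type} from Permify DSL text."""
    return {ent: dict(_ATTR_RE.findall(body)) for ent, body in _ENTITY_RE.findall(schema)}


def check_value(entity_type: str, name: str, value: Any, declared: Dict) -> bool:
    """True when `value` is a valid JSON encoding for the declared attribute type."""
    declared_type = declared.get(entity_type, {}).get(name)
    if declared_type not in ATTRIBUTE_TYPES:
        return False
    return ATTRIBUTE_TYPES[declared_type][1](value)


def attribute_value(entity_type: str, entity_id: str, name: str, value: Any,
                    declared: Dict) -> Dict:
    """One element of the `attributes` array, carrying the matching @type URL."""
    if not check_value(entity_type, name, value, declared):
        raise TypeError(f"{entity_type}.{name}: value {value!r} does not match the "
                        f"declared type {declared.get(entity_type, {}).get(name)!r}")
    message = ATTRIBUTE_TYPES[declared[entity_type][name]][0]
    return {"entity": {"type": entity_type, "id": entity_id}, "attribute": name,
            "value": {"@type": TYPE_URL_PREFIX + message, "data": value}}


def write_body(attributes: Iterable[Dict], tuples: Iterable[Dict] = (),
               schema_version: str = "") -> Dict:
    """POST body for /v1/tenants/{tenant}/data/write."""
    return {"metadata": {"schema_version": schema_version},
            "tuples": list(tuples), "attributes": list(attributes)}


if __name__ == "__main__":
    decl = declared_attributes(PLAN_SCHEMA)
    body = write_body([
        attribute_value("plan", "1", "maps_available", 3, decl),
        attribute_value("plan", "1", "features", ["csv_reports", "new_feature"], decl),
    ])
    print(json.dumps(body, indent=2))
```

Catching the mismatch client-side matters because, as the permify-node error later in this thread shows, the server reports an attribute type mismatch as `NOT_FOUND: ERROR_CODE_ATTRIBUTE_TYPE_MISMATCH`, which the REST gateway surfaces as a bare 404 that is easy to misread as a wrong URL.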

quasi heath
#

Hi, I have used lookupEntity in my Permify system, but it is taking 300ms to respond.
Isn't that high?
It is making my API slower.
Any suggestions?

stable flint
#

Is it possible to run the Permify playground locally via Docker?

stable flint
#

Hey, is it possible to have a recursive check in permissions?

#

entity user { relationship member_of @org }, entity org { relationship member @user relationship admin @user relationship parent @org }

#

Now I would like to define access to a folder for any of the admins of the org the user is part of, or any admin of the parent org(s).

#

entity folder { relationship owner @user permission edit = owner or ... }

nimble trench
#

entity user {
relation member_of @org
}

entity org {
relation member @user
relation admin @user
relation parent @org

permission view_folder = admin or parent.view_folder

}

entity folder {
relation owner @user
relation part_of @org
permission view = owner or part_of.view_folder
}

Something like this would do the recursion on the org tree (recursion doesn't work on a relation, so you can't do parent.admin, but it does work on a permission).

stable flint
#

Thanks. Isn't that limiting? I would like to have a document that would be a user's, and have that document be readable by my manager and my manager's manager and ...

#

Now I would need to bind the document to an org.

#

entity user {
relation member_of @org
}

entity reporting_line {
relation member @user
relation parent @manager
permission view_document = admin or parent.view_document
}

entity document {
relation owner @user
permission view = owner or
}

stable flint
#

Maybe it should be that the document is tied to a reporting_line, but it's a bit weird... it's possible that there could be multiple owners, and then that model becomes more funky.

nimble trench
#

The thing with ReBAC (and I'm no expert, but having played around with it this is what I found) is that:

You want to think about your authorization bottom-up (the document defines the rule to see it, based on its relations, like the fact that it is part of an organization; the user doesn't define what it can see, so your member_of on user isn't useful in the case I can see).

Relations, even if expressed as singular, are always multiple (you can have multiple users associated as the owner of a document in Permify, though your business logic might prevent it).

#

As an example, if you want to allow any member of an organization to do something you can do:

entity user {}

entity organization {
relation member @user

permission do_something = member

}

#

then assign multiple relationships to an organisation:

organisation:1#member@user:1
organisation:1#member@user:2
organisation:1#member@user:3
organisation:1#member@user:4

At this point you have 4 users that are members of the organization with id "1", and they can all "do_something".

stable flint
#

Got it, thanks. I wonder, if a user is moved to another org, whether I would then need to remove that org association.

#

entity user {
}

entity reporting_line {
relation member @user
relation manager @user
relation parent @reporting_line

// recurse through the parent relation declared above (there is no relation named reporting_line on this entity)
permission edit_document = manager or parent.edit_document

}

entity document {
// as the owner changes organization
// I would need to also update the reporting line relation
// if we have
// organisation:1#member@user:1
// organisation:1#manager@user:2
// document:123#owner@user:1
// I would need to add an explicit relationship
// document:123#rl@org:1
// then if user1 changes org
// I would
// remove organisation:1#member@user:1
// and
// remove document:123#rl@org:1
// however ... if I have another owner that is from org1
// then I would keep it - so I need to fetch all the users and their orgs
// and this is a less atomic change
relation rl @reporting_line
relation owner @user
permission edit = owner or rl.edit_document
}
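Both recursive models in this thread, the partition/camera schema from the earlier post (where UID22 is expected not to reach C1) and the reporting_line chain just above, are the same shape: a permission is a direct relation `or` the same permission on a related entity. The evaluator below is an added example, not part of the thread and not Permify's engine: it implements only that subset (direct relations, `relation.permission` traversal including subject sets such as `partition:P#admin`, and `or`) with a cycle guard, so a model plus its tuples can be sanity-checked offline before comparing with the playground. `PARTITION_TUPLES` is copied from the partition post; `REPORTING_TUPLES` is constructed for the reporting_line model.

```python
"""Evaluate "relation or related.permission" style Permify permissions over a
list of relationship tuples, so a recursive model can be checked offline.

Added example; not part of the thread and not Permify's engine. It covers only
the subset used in this thread: direct relations, `relation.permission`
traversal (including subject sets such as partition:P#admin) and `or`, with a
cycle guard. PARTITION_TUPLES is copied from the partition/camera post;
REPORTING_TUPLES is constructed for the reporting_line model.
"""
from typing import Dict, List, Set, Tuple

Subject = Tuple[str, str]  # (subject type, subject id)


def parse_tuple(text: str) -> tuple:
    """'camera:C1#parent@partition:P11' -> (etype, eid, relation, stype, sid, srelation)."""
    left, subject = text.split("@", 1)
    entity, relation = left.split("#", 1)
    etype, eid = entity.split(":", 1)
    sref, srelation = (subject.split("#", 1) + [""])[:2]  # srelation is "" unless a subject set
    stype, sid = sref.split(":", 1)
    return (etype, eid, relation, stype, sid, srelation)


# permission -> terms joined by "or"; ("rel", r) is a direct relation,
# ("path", r, p) means "permission p on every entity reached through relation r".
PARTITION_SCHEMA = {
    "partition": {"view": [("rel", "admin"), ("path", "parent", "view")]},
    "camera": {"view": [("rel", "admin"), ("path", "parent", "view")],
               "delete": [("rel", "admin")]},
}
PARTITION_TUPLES = [
    "camera:C1#parent@partition:P11", "camera:C2#parent@partition:P11",
    "camera:C2#parent@partition:P21", "camera:C3#parent@partition:P21",
    "camera:C4#parent@partition:P22", "partition:P22#parent@partition:P2",
    "partition:P21#parent@partition:P2", "partition:P11#parent@partition:P1",
    "partition:P2#parent@partition:PR", "partition:P1#parent@partition:PR",
    "partition:PR#admin@identity:UIDR", "partition:P1#admin@identity:UID1",
    "partition:P2#admin@identity:UID2", "partition:P11#admin@identity:UID11",
    "partition:P21#admin@identity:UID21", "partition:P22#admin@identity:UID22",
]

REPORTING_SCHEMA = {
    "reporting_line": {"edit_document": [("rel", "manager"), ("path", "parent", "edit_document")]},
    "document": {"edit": [("rel", "owner"), ("path", "rl", "edit_document")]},
}
REPORTING_TUPLES = [  # constructed sample data
    "reporting_line:team#manager@user:lead",
    "reporting_line:team#parent@reporting_line:dept",
    "reporting_line:dept#manager@user:director",
    "document:123#owner@user:alice",
    "document:123#rl@reporting_line:team",
]


class Evaluator:
    def __init__(self, schema: Dict, tuples: List[str]):
        self.schema = schema
        self.tuples = [parse_tuple(t) for t in tuples]

    def related(self, etype: str, eid: str, relation: str, _seen=None) -> Set[Subject]:
        """Subjects of etype:eid#relation, expanding subject sets like partition:P#admin."""
        seen = _seen if _seen is not None else set()
        key = (etype, eid, relation)
        if key in seen:  # cycle guard for subject-set expansion
            return set()
        seen.add(key)
        out: Set[Subject] = set()
        for t in self.tuples:
            if t[:3] == key:
                if t[5]:
                    out |= self.related(t[3], t[4], t[5], seen)
                else:
                    out.add((t[3], t[4]))
        return out

    def allowed(self, etype: str, eid: str, permission: str, subject: Subject,
                _seen=frozenset()) -> bool:
        """True if `subject` holds `permission` on etype:eid under the schema."""
        key = (etype, eid, permission)
        if key in _seen:  # cycle guard for parent chains that loop
            return False
        seen = _seen | {key}
        for term in self.schema.get(etype, {}).get(permission, []):
            if term[0] == "rel":
                if subject in self.related(etype, eid, term[1]):
                    return True
            else:
                _, relation, perm = term
                for stype, sid in self.related(etype, eid, relation):
                    if self.allowed(stype, sid, perm, subject, seen):
                        return True
        return False


if __name__ == "__main__":
    ev = Evaluator(PARTITION_SCHEMA, PARTITION_TUPLES)
    for uid in ("UID22", "UID11", "UID1", "UIDR"):
        print(f"{uid} can view camera:C1 ->", ev.allowed("camera", "C1", "view", ("identity", uid)))
```

With the tuples exactly as listed in the partition post, the evaluator denies `UID22` on `camera:C1` (C1's only ancestry is P11, P1, PR) and allows `UID11`, `UID1` and `UIDR`; a playground result of "true" for UID22 therefore points at a tuple or schema line that differs from what was pasted, and diffing the playground data against this list is the quickest way to find it.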

nimble trench
#

Yes, that is actually one interesting thing about policy-based access control: you can have your policy rules reflect your business domain fairly easily (let's say a user can only be part of 1 organization; as part of your business rules you will have to delete the user from the old organization anyway, and this should trigger an update of the relationship data).

Now another interesting thing is that if tomorrow it's decided that a user CAN be part of multiple organizations, you don't actually have to change anything in the policy.

north nymph
#

Hello! How can we write data for attributes using the CLI? So far it seems that only relations are supported.

north nymph
# nimble trench not sure if this is what you mean by the CLI but the API has : https://docs.perm...

Permify CLI - https://github.com/Permify/permify-cli
based on https://github.com/Permify/permify-cli/blob/main/core/cmd/data/write.go it looks like it does not support writing attributes.

stable flint
#

Thanks, I saw it... that's good enough for me. It would be nice to have it in Docker for an easier flow for new devs, so one can run and play e2e locally fully in under 5 mins.

wraith matrix
#

Trying to understand something about Permify: does it have an integration for doing JIT access for AWS roles, or is that something we'd need to build ourselves?

hearty sparrow
#

Is there any way to do Permify Sync with a DB on a self-hosted Permify? Or do we need to use the Permify Service for it?

desert basin
#

Hello! Is there any integration for PHP or Laravel?

drowsy wedge
#

TL;DR: Any tools or scripts out there to "translate" an OpenFGA authorization model into Permify's DSL?

Context: I'm prototyping a few different centralized authorization service options for my company. Right now, each of our business units handles authorization on its own. I've successfully modeled my business unit's current authorization requirements in OpenFGA, but have been disappointed with OpenFGA's lack of handling indirect relationships recursively (when modeling an organizational hierarchy, for example). So I'd also like to try out Permify. To save some time, I'm wondering if anyone's already built a tool/script/etc that takes an .fga.yaml or .fga file as input and translates it into Permify's DSL?

patent mauve
#

I could not find anything in the docs, LLMs or the search bar, so I have to ask this great community directly:
I found that you can visualize your schema in the playground. But it only accepts the Permify DSL.
I can get my current schema through /v1/tenants/{tenant}/schemas/read
but it's JSON and the playground does not like that.
I can't seem to find how to convert this JSON to the Permify DSL. The closest I got was:

docker run -v $(pwd):/schemas ghcr.io/permify/permify:v1.3.3 ast /schemas/schema.json --pretty
Error: yaml: unmarshal errors:
  line 2: cannot unmarshal !!map into string
Usage:
  permify ast <file> [flags]

Flags:
  -h, --help     help for ast
      --pretty   If set to true, produces a human-readable output of the AST.

exit status 1

any help is greatly appreciated!

lilac narwhal
#

Hello!!
I Need help please.
I want to write data on this route permifyClient.data.write with the permify-node SDK, but I get this error:
ERROR [Event] /base.v1.Data/Write NOT_FOUND: ERROR_CODE_ATTRIBUTE_TYPE_MISMATCH
ClientError: /base.v1.Data/Write NOT_FOUND: ERROR_CODE_ATTRIBUTE_TYPE_MISMATCH

this is my schema:

entity accounts {

    attribute accountStatus string

    permission active = hasValidAccountStatus(accountStatus)

}

entity tenants {
    relation parent @accounts
    relation owner @accounts
    relation admin @accounts @tenants#member
    relation member @accounts

    attribute tenantStatus string

    permission manage = parent.active and hasValidTenantStatus(tenantStatus) and (admin or owner)

}

entity organizations {
    relation parent @tenants
    relation admin @accounts
    relation member @accounts @organizations#admin
    relation banned @accounts

    permission read = member not banned
    permission create = admin not banned
    permission update = admin not banned
    permission delete = admin not banned

}

rule hasValidAccountStatus (accountStatus string) {
    context.account.status == accountStatus
}

// rule hasValidTenantStatus (accountStatus string, tenantStatus string) {
//     (context.account.status == accountStatus) && (context.account.tenants == tenantStatus)
// }

rule hasValidTenantStatus (tenantStatus string) {
    context.tenant.status == tenantStatus
}

lilac narwhal
#

this is my data (note that certain fields are variable values):

{
  tenantId: tenant.id,
  metadata: { schemaVersion },
  tuples: [
    { entity: { type: "tenants", id: tenant.id }, relation: "owner",
      subject: { type: "accounts", id: account.id, relation: "" } }
  ],
  attributes: [
    { entity: { type: "tenants", id: tenant.id }, attribute: "tenantStatus",
      value: { "@type": "type.googleapis.com/base.v1.StringValue", data: "activated" } },
    { entity: { type: "accounts", id: account.id }, attribute: "accountStatus",
      value: { "@type": "type.googleapis.com/base.v1.StringValue", data: "activated" } }
  ]
}


left mirage
#

Hi there. So I'm new and reading through the documentation. The .perm language looks simple enough to understand.

I have two quick questions,

  1. Is there a way to import other files into the .perm?
  2. Can I write multiple .perm files and then write the schemas using the write api - or would this override the existing schema?

I'm working in a componentized infrastructure, so localizing the permissions to the same place as the code for said action would be ideal

stone venture
#

Hi @errant whale I need to implement my custom middleware for authentication with permify . What are the ways I can do it

mossy crescent
#

Hi,

I need to add a startup deal for my product SSOJet at Permify. How can I do this?

formal zealot
#

Is there any way to access modification timestamps for relationships / entities?


light thistle
#

What's the story around local testing of your policy changes? I see there is a github action but the problems with that are we don't use github and also that is too long of a feedback loop. I want to be able to make changes to my policy locally on my machine and quickly validate them with unit tests. I see there is a repository for a cli but doesn't look like its been active for years and nothing noted in documentation. What's the developer experience around authoring changes to your policy supposed to be?

spice atlas
#

I'm trying to inject relationship tuples during check. I'm trying to use the validate function, however it doesn't seem to understand or accept the contextual relationship tuples. This is my test file:

schema: |-
    entity user {}

    entity ad_group {
        relation member @user
    }

    entity organization {
        
        // organizational roles
        relation admin @user
        relation member @user

        relation admin_role @ad_group

        // permissions
        permission create = admin or admin_role
        permission read = admin or member
        permission update = admin
        permission delete = admin
    }


relationships:
- "organization:1#admin@user:tom"
- "organization:2#admin_role@ad_group:1"

attributes:

scenarios:
- name: "scenario1"
  checks:
  - entity: "organization:2"
    subject: "user:tom"
    context:
      tuples:
        - "ad_group:1#member@user:tom"
    assertions:
        create: true
        read: false
        update: false
        delete: false

Other functions appear to work well. Am I getting the syntax wrong? I'm using this command to validate:
docker run -v .:/workspace --rm ghcr.io/permify/permify validate /workspace/tests.perm

light thistle
#

Setup Permify in a kubernetes cluster using helm and installation went fine. After setting up port forwarding and opening the url I just get the following json response instead of a UI:

{
"code": 5,
"message": "Not Found",
"details": []
}

Am I missing something?

fierce ember
#

Hello,

We are working on a product using Permify. It's deployed on Kubernetes with istio and multiple replicas of Permify pods running on a dedicated RDS instance.

We keep on having "context canceled" errors as the load increases.

We have been trying to set log level to debug and add trace using Zipkin to understand processes... but we couldn't find the root cause of this error.

Does anyone have an idea about this issue?

time=2025-03-28T08:21:53.689Z level=ERROR msg="rpc error: code = Canceled desc = context canceled"
time=2025-03-28T08:21:53.692Z level=ERROR msg="finished call" protocol=grpc grpc.component=server grpc.service=base.v1.Permission grpc.method=Check grpc.method_type=unary grpc.start_time=2025-03-28T08:21:53Z grpc.request.deadline=2025-03-28T08:21:57Z grpc.code=Internal grpc.error="rpc error: code = Internal desc = ERROR_CODE_CANCELLED" grpc.time_ms=12.948
time=2025-03-28T08:21:53.692Z level=ERROR msg="finished call" protocol=grpc grpc.component=server grpc.service=base.v1.Permission grpc.method=Check grpc.method_type=unary grpc.start_time=2025-03-28T08:21:53Z grpc.request.deadline=2025-03-28T08:21:57Z grpc.code=Internal grpc.error="rpc error: code = Internal desc = ERROR_CODE_CANCELLED" grpc.time_ms=13.013
time=2025-03-28T08:21:53.692Z level=ERROR msg="finished call" protocol=grpc grpc.component=server grpc.service=base.v1.Permission grpc.method=Check grpc.method_type=unary grpc.start_time=2025-03-28T08:21:53Z grpc.request.deadline=2025-03-28T08:21:57Z grpc.code=Internal grpc.error="rpc error: code = Internal desc = ERROR_CODE_CANCELLED" grpc.time_ms=12.637

Thank you in advance for any info on this 🙏

hallow mist
#

Does anyone know of a way to make a permission always true? I'm using ReBAC and I want to assign global permissions that every user gets. How do I basically make permission x = true?

soft plaza
#

I think I figured it out... I need to


spring hazel
#

Hi. I have an attribute "attribute allowed_ips string[]"

Now, I want to dynamically have a permission check against the list of ips provided. Any idea on how to write the permission?

For example

rule is_valid_ips(allowed_ips string[]) {
context.data.provided_ips in allowed_ips
}

Note : provided_ips is a string[] And currently this rule cannot be applied. Any other way of doing it?

ancient musk
#

Hi guys. I've been working on a POC to integrate Permify with .NET and I'm now stuck at the partial schema write. The schema doesn't update, with or without the schema_version in the request, but it returns a schema_version different from the one returned previously by the schema/write endpoint.
Am I missing something?

ancient musk
#

Nevermind, the example in the documentation is wrong (entities should be partials). Thanks!

marsh rock
#

Hi. I'm reading the documentation for the first time and struggling to understand the behaviour of the 'and' and 'or' keywords in action definitions. Can anyone explain?

One of the examples shown is:

action read = org.admin and (owner or maintainer or org.member)

Does that mean that to read this resource a user must be an org admin and also have one the other three roles?

nimble trench
#

Yes, that's boolean algebra, so: A and (B or C or D). You need to have A, and any of B, C, D, to get access (you could also have multiple of B, C, D and it would still give you the read action).

carmine mistBOT
#

👋 Hello! This is a test message from your Guru. I am working correctly!

tough belfry
#

@carmine mist what is permify?

left hollow
#

Can someone send me the schema for RBAC
USER has roles
Role has permissions
And there will be super admin role also

smoky atlas
#

Hi, is it possible to put attributes on relations?
For example in this schema where I would like to add a "max_register_limit":

entity user {}

entity role {
relation assignee @user
}

entity account {
relation owner @user
relation registrant @role#assignee

permission register = owner or registrant

}

I don't want to put it directly on the account entity or in the role, since role to account is a many-to-many relationship.
Preferably I would like to add it on the registrant relation. Is that possible?

frail igloo
#

hi, I have an IdP that stores all user info. How can we integrate Permify with my existing IdP, e.g. via SCIM?

I think there should be a way to let the authZ service use IdP data; otherwise, I imagine we would need to create a user entity for each user in the IdP?

formal zealot
#

When operating a high-availability system against Permify, is there a recommended mechanism to distribute the latest snap token to all app instances (pods)? It seems a central coordinating system such as Redis (with pubsub or streams) would be required.

It would sure be nice if there was an out of the box way to achieve this.

halcyon fiber
#

Hi, I have a simple question:

I’m trying to negate a boolean attribute directly in an action, but I couldn’t figure out how to do it properly.

According to the documentation, I thought I could use the not keyword, but this throws an error in the playground:

entity user {}

entity project {
    relation member @user

    attribute blocked boolean
    action read = member or not blocked
}

As a workaround, I used a rule like this:

entity user {}

entity project {
    relation member @user

    attribute blocked boolean

    permission read = member or check_project_is_not_blocked(blocked)
}

rule check_project_is_not_blocked(blocked boolean) {
    blocked == false
}

This works, but it feels a bit overkill just to negate a boolean value.

Also, I noticed that the rule parameter must have the same name as the attribute for it to work. If I change the parameter name, I get an error. Is that expected behavior or a bug?

Thanks in advance!

verbal badge
#

Question. How can I make sure that my operations are transactional? E.g. I have a request where I interact with the Permify API and I remove 1 or X things and add 1 thing. Is there some way in Permify to handle transactions, or do I have to do that completely in my application (which would be hard to track/do)? Maybe the bundle API is transactional? I didn't find anything about this.

plush moat
#

Hello, I'm running Permify against a Postgres, but when my database is empty it doesn't automatically generate the tables and schemas.
Did I miss a configuration?

lucid lark
#

Hi, I am testing this out for potential use (self-hosted).
I have this issue that seems like a bug, but there might just be something I am doing wrong.

After updating the schema, nested authorization checks fail with ERROR_CODE_SCHEMA_NOT_FOUND,
but the issue resolves itself if I do an auth check on the entity which holds the direct relation to the user.
I'll try to explain better.

Here is my schema:

entity user {}

entity organization {
    relation owner @user
    relation member @user

    permission viewer = owner or member
}

entity location {
    relation organization @organization

    permission viewer = organization.viewer
}

entity asset {
    relation location @location

    action viewer = location.viewer
}

The steps I am taking with the HTTP api:

  1. Write Schema (even with no changes)

  2. Check Access Control (user1, viewer, asset1)
    This results in ERROR_CODE_SCHEMA_NOT_FOUND no matter how many times i try

  3. Check Access Control (user1, viewer, location1)
    This also results in ERROR_CODE_SCHEMA_NOT_FOUND no matter how many times i try

  4. Check Access Control (user1, viewer, organization1)
    This results in CHECK_RESULT_ALLOWED as predicted

  5. Check Access Control (user1, viewer, asset1)
    Now it suddenly works and I get CHECK_RESULT_ALLOWED!

I find this a bit strange, but there might be a simple answer?

queen robin
#

Hi! I'm trying to add a new boolean attribute to my schema and get a "relation reference not found in entity references" error. All I do is try to check my attribute through a relation:

entity team {
  relation member @member
  relation admin @member @team#member
  relation manager @member @team#member
  relation owner @member @team#member

  attribute blocked boolean

  action read = member
  action write = (admin or owner or manager) not blocked
}

entity project {
  relation team @team
  relation owner @member @team#member
  relation member @member @team#member
  relation manager @member @team#member

  action read = member or team.admin or team.manager
  action write = (team.admin or team.owner or team.manager or manager) not team.blocked
}

The error shows when I add not team.blocked to the write action in the project entity. Any ideas how I can fix this error or implement such a check?

nimble trench
#

afaik you can't reference attributes of a relation, my guess is that something like :

action write = team.write or manager

would work since (team.admin or team.owner or team.manager) not blocked is evaluated in team.write

#

but you would have write on the project even if the team is blocked if you are manager of the project, not sure if that's what you want to achieve tho

queen robin
#

Oh, it's not very obvious that attributes aren't available through a relation. To work around it I'm trying to add a new action for team like this:

entity team {
    ...
    attribute blocked boolean
    action access = not blocked
}

entity project {
  ...
  action write = (team.admin or team.owner or team.manager or manager) and team.access
}

However I get a "no prefix parse function for not found" error. It's strange, because an attribute with the not prefix works if there is another action before it. For example, action access = owner not blocked works.

covert tapir
#

I am looking to use Permify for authorization. I wanted to know how I can define global permissions. For example, if someone from my company needs to access a client page for investigation or bug fixes, I do not want to have

    relation member @user
}

and then add a relation to superAdmin to each company, meaning that I do not want to have something like company:c1#superAdmin:sa1; it would basically mean that for each company I need to add a reference to superAdmin:sa1.

Is there a way to achieve that?

gentle sonnet
#

Hi,
Are there any plans to keep maintaining the python sdk on pypi? Or should I build it from the git repo?

acoustic garnet
#

Hi, I am trying to implement authorisation using Permify in my Spring Boot application.
I am planning to do the authorisation checks using AOP and custom annotations.
Is there any better approach than this one?
Please suggest different architectures that are commonly used for API-level authorisation in an application using Permify.

left hollow
#

@everyone
Is anyone facing issues with creating attributes?

I'm unable to store attributes in the database

curl -X POST 'localhost:3476/v1/tenants/default/data/write' --header 'Content-Type: application/json' --data-raw '{
  "metadata": {
    "schema_version": ""
  },
  "attributes": [
    {
      "entity": {
        "type": "customer",
        "id": "acme_oil"
      },
      "attribute": "name",
      "value": {
        "@type": "type.googleapis.com/base.v1.StringValue",
        "value": "Acme Oil"
      }
    }
  ]
}'

but in the database I am getting only

{
  "@type": "type.googleapis.com/base.v1.StringValue"
}

the data field is missing
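An added example, not code from this thread or from Permify, that assembles and lints a data/write body in the shape the other write bodies in this thread use: tuples as entity/relation/subject, attribute values as an Any object with "@type" and the payload under "data", and the snake_case "schema_version" metadata key from the curl above. The type names beyond the StringValue and BooleanValue seen in the thread (IntegerValue, DoubleValue, StringArrayValue) and the tuple_entry/attribute_entry helpers are assumptions to verify against Permify's base.proto. Run over the curl body above, the linter reports that its payload sits under "value" rather than "data":

```python
"""Added example (not Permify's code): build and lint a Permify data/write body.
Attribute values are a protobuf Any: {"@type": "...base.v1.<Type>", "data": payload}.
Only StringValue and BooleanValue appear in this thread; the other type names
below are assumptions to verify against Permify's base.proto.
"""
import json

TYPE_PREFIX = "type.googleapis.com/base.v1."

# Python type -> Any type name -> predicate the "data" payload must satisfy
_ANY_TYPES = [
    (bool, "BooleanValue", lambda v: isinstance(v, bool)),
    (int, "IntegerValue", lambda v: isinstance(v, int) and not isinstance(v, bool)),
    (float, "DoubleValue", lambda v: isinstance(v, float)),
    (str, "StringValue", lambda v: isinstance(v, str)),
    (list, "StringArrayValue", lambda v: isinstance(v, list) and all(isinstance(x, str) for x in v)),
]
_PAYLOAD_OK = {name: ok for _, name, ok in _ANY_TYPES}


def any_value(value):
    """Wrap a Python value as the Any object Permify expects for an attribute.
    bool is tested before int because bool is a subclass of int in Python."""
    for py_type, name, _ in _ANY_TYPES:
        if isinstance(value, py_type):
            return {"@type": TYPE_PREFIX + name, "data": value}
    raise TypeError(f"unsupported attribute value: {value!r}")


def tuple_entry(entity, relation, subject):
    """entity is 'type:id'; subject is 'type:id' or a subject set 'type:id#relation'."""
    etype, eid = entity.split(":", 1)
    stype, rest = subject.split(":", 1)
    sid, _, srel = rest.partition("#")
    return {"entity": {"type": etype, "id": eid}, "relation": relation,
            "subject": {"type": stype, "id": sid, "relation": srel}}


def attribute_entry(entity, name, value):
    etype, eid = entity.split(":", 1)
    return {"entity": {"type": etype, "id": eid}, "attribute": name, "value": any_value(value)}


def write_body(tuples=(), attributes=(), schema_version=""):
    """Body for POST /v1/tenants/{tenant}/data/write; snake_case metadata key as in the curl above."""
    return {"metadata": {"schema_version": schema_version},
            "tuples": list(tuples), "attributes": list(attributes)}


def lint_write_body(body):
    """Return a list of problems with the attribute values of a write body:
    an unknown @type, a payload not stored under "data" (the curl above used
    "value"), or a payload whose Python type does not match the declared Any
    type (compare the ERROR_CODE_ATTRIBUTE_TYPE_MISMATCH seen earlier in the thread)."""
    problems = []
    for i, attr in enumerate(body.get("attributes", [])):
        where = f"attributes[{i}] ({attr.get('attribute')})"
        val = attr.get("value") or {}
        type_url = val.get("@type", "")
        name = type_url[len(TYPE_PREFIX):] if type_url.startswith(TYPE_PREFIX) else ""
        if name not in _PAYLOAD_OK:
            problems.append(f"{where}: unknown @type {type_url!r}")
        elif "data" not in val:
            others = sorted(k for k in val if k != "@type")
            problems.append(f"{where}: payload must be under 'data', got keys {others}")
        elif not _PAYLOAD_OK[name](val["data"]):
            problems.append(f"{where}: data {val['data']!r} is not a {name}")
    return problems


if __name__ == "__main__":
    body = write_body(tuples=[tuple_entry("organization:1", "admin", "user:3")],
                      attributes=[attribute_entry("customer:acme_oil", "name", "Acme Oil")])
    print(json.dumps(body, indent=2), lint_write_body(body))
```

The question above reports a stored row with only the "@type" rather than a rejected request, so the client side is the cheapest place to catch a mis-shaped Any before it reaches the server.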

thorn shell
#

I was wondering if its possible to create global admins in a multi tenant setup and how could it be done?

low cliff
#

@everyone I want to store authorization data in an on-premises SQL Server. Could you please let me know the configuration details for it?

plush moat
#

I’m using Permify in a Kubernetes cluster as a sidecar container of my application (every pod of my application has a Permify sidecar container connected to the DB)

It appears that sometimes the permission Check request seems to be cached by the Permify instance, and even after removing data using the Delete API, the Check operation still returns “ALLOWED”

Is there a workaround to invalidate what seems to be a cache mechanism?

plush moat
#

I didn’t find a way to disable caching

tranquil badger
#

Hello! I'm trying to book a demo but the calendly link is not working - who can I talk to? Thanks!

silver wyvern
#

See section “When Snap Token is not


restive ember
#

Hi, I'm exploring Permify multi-tenancy for a centralized authorization setup.

I have a question: Is there a way to do meta-access control on a per-API basis, such as protecting write operations to tenants (given that users are already authenticated with OIDC), to control which users/groups can write to a tenant? Something like what OpenFGA is experimenting with: https://openfga.dev/docs/getting-started/setup-openfga/access-control#02-create-the-access-control-store-and-model


silver wyvern
#

Meta Access Control Layer

olive elk
#

How are people syncing data with the open-source permify implementation instead of permify cloud?

marsh crescent
#

hi hi, I want to set up a distributed cache for Permify on k8s. How do I achieve it? Do I need a k8s headless service? Do I need any RBAC config?

teal delta
#

Does the open-source version support this feature? (Using Attributes Across Entities)

silver wyvern
#

Attributes Across Entities

thorn shell
#

Hello, I have some questions about my schema design. For an organization with many departments teams and units, with many different apps and microservices.

nova garden
#

Hello. I'm hoping to get some pricing information and/or a demo, but none of the Calendly links on your site are working for me.

torn quarry
#

I am doing an evaluation of some open source authz servers based on Zanzibar. How does Permify differ from SpiceDB when it comes to global authorization? I will have services deployed in multiple geographical locations but want 1 authz service. SpiceDB requires Spanner / CockroachDB; how is this handled by Permify?

rain void
#

Hey, I’m running Permify on Kubernetes with 2 replicas connected to postgres.
With distributed cache disabled everything works fine, but when I enable distributed cache, Permission.Check calls hang and end with DeadlineExceeded, even though /healthz is SERVING, ports are listening (3476/3478/5000), and pods can reach each other. The logs suggest something is going wrong in request forwarding and keep showing:

time=2025-10-15T12:57:40.125Z level=ERROR msg="rpc error: code = Canceled desc = context canceled"
time=2025-10-15T12:57:40.126Z level=DEBUG msg="A context-related error occurred" error="context canceled"
time=2025-10-15T12:57:40.126Z level=ERROR msg=ERROR_CODE_CANCELLED
time=2025-10-15T12:57:40.126Z level=ERROR msg="finished call" protocol=grpc grpc.component=server grpc.service=base.v1.Permission grpc.method=Check grpc.method_type=unary peer.address=<pod-ip>:<port> grpc.start_time=2025-10-15T12:57:40Z grpc.request.deadline=2025-10-15T12:57:44Z grpc.code=Internal grpc.error="rpc error: code = Internal desc = ERROR_CODE_CANCELLED" grpc.time_ms=110.273

I have been trying to set log level to debug but couldn't find the root cause of this error.

Does anyone have an idea about this issue?

echo parcel
#

Hi. I'm running schema tests using the 'coverage' command and facing the error "depth not enough". It's not consistent and only happens sometimes. This depth can be passed via the API, for example in the Check Access Control endpoint (https://docs.permify.co/api-reference/perm ission/check-api). Is there a way to configure a depth value to be used for tests? It seems to be using a hardcoded value which is not enough for the schema I'm testing.


jovial sequoia
#

Hi, Permify being a "default deny" architecture, I need your help/opinion on how I can provide granular access.
Let's say I have 100 users who are part of group X and have access to a list of objects Y (all 10 items are in the list, so the users can access any of them).
I have 10 more users who are part of the same group X; however, I want to give them access to only 8 (out of 10) items from object Y.

What I have tried:
I tried "item_list and not deny_item_list"; however, Permify does not support the "and not" operator.
I tried a deny boolean attribute and tried to negate it, but again it boils down to the "and not" operator.
I tried to negate the rule, which is valid per syntax; however it's applicable per entity and not per user: !(context.data.item_name in denied_items)
I tried to define the attribute deny_item_list in "entity user" so I can attach a deny list per user; however, that's not helping.

What I have not tried:

Create 110 tuples (tuples per user), which is something I am avoiding, because it would be more overhead to maintain.


lilac narwhal
#

hello! I've recently tried to update the schema via the partial-write route API, but after many tries the final version of the schema has not changed. When I get details via schemas/read with the last schema version value, it returns the same JSON.

this is my schema:
{ "schema": "entity user {}\n\nentity organization {\n\n // organizational roles\n relation admin @user\n relation member @user\n\n}\n\nentity repository {\n\n // represents repositories parent organization\n relation parent @organization\n\n // represents owner of this repository\n relation owner @user\n\n // permissions\n permission edit = parent.admin or owner\n permission delete = owner\n }" }

#

this is the data I want to update:
{
  "metadata": { "schema_version": "" },
  "entities": {
    "repository": {
      "write": [
        "relation member @user",
        "permission invite = org.admin and (owner or member)",
      ],
      "delete": [ "edit" ],
      "update": [ "permission delete = member" ]
    }
  }
}

this is the JSON:

{"schema":{"entity_definitions":{"organization":{"name":"organization","relations":{"admin":{"name":"admin","relation_references":[{"type":"user","relation":""}]},"member":{"name":"member","relation_references":[{"type":"user","relation":""}]}},"permissions":{},"attributes":{},"references":{"admin":"REFERENCE_RELATION","member":"REFERENCE_RELATION"}},"repository":{"name":"repository","relations":{"owner":{"name":"owner","relation_references":[{"type":"user","relation":""}]},"parent":{"name":"parent","relation_references":[{"type":"organization","relation":""}]}},"permissions":{"delete":{"name":"delete","child":{"leaf":{"computed_user_set":{"relation":"owner"}}}},"edit":{"name":"edit","child":{"rewrite":{"rewrite_operation":"OPERATION_UNION","children":[{"leaf":{"tuple_to_user_set":{"tupleSet":{"relation":"parent"},"computed":{"relation":"admin"}}}},{"leaf":{"computed_user_set":{"relation":"owner"}}}]}}},"remove_user":{"name":"remove_user","child":{"leaf":{"computed_user_set":{"relation":"owner"}}}}},"attributes":{},"references":{"delete":"REFERENCE_PERMISSION","edit":"REFERENCE_PERMISSION","owner":"REFERENCE_RELATION","parent":"REFERENCE_RELATION","remove_user":"REFERENCE_PERMISSION"}},"user":{"name":"user","relations":{},"permissions":{},"attributes":{},"references":{}}},"rule_definitions":{},"references":{"organization":"REFERENCE_ENTITY","repository":"REFERENCE_ENTITY","user":"REFERENCE_ENTITY"}}}


verbal skiff
#

Hello Permify folks! I maintain one of the most popular (10k+ ⭐) Go GraphQL libraries github.com/99designs/gqlgen and lately I've gotten a flood of interest in folks who want advice as to how to use Permify with gqlgen.... and I have NO examples to point them to. Anyone happen to have anything I can point to? Anything will do!


lilac narwhal
#

hello all!
I have a new issue creating relationships between the data of my schema.

On this route {{base_url}}/tenants/t1/data/write, I submitted the data below but received this response: {"code":5,"message":"ERROR_CODE_SCHEMA_NOT_FOUND","details":[]}

{
  "metadata": { "schemaVersion": "cutmf7gnd8bc738men1g" },
  "tuples": [
    {
      "entity": { "type": "organization", "id": "1" },
      "relation": "admin",
      "subject": { "type": "user", "id": "3" }
    }
  ],
  "attributes": [
    {
      "entity": { "type": "document", "id": "1" },
      "attribute": "is_private",
      "value": { "@type": "type.googleapis.com/base.v1.BooleanValue", "data": true }
    }
  ]
}

#

For information, Admin, can you change the name schemaVersion to schema_version in the code? Because when I try simple data like this, it doesn't take.

This is the potentially good simple schema:
{
  "metadata": { "schemaVersion": "cutmf7gnd8bc738men1g" },
  "tuples": [
    {
      "entity": { "type": "organization", "id": "1" },
      "relation": "admin",
      "subject": { "type": "user", "id": "3" }
    }
  ]
}

quasi heath
#

Hi,
I am having an issue with Permify: I am removing a user which was bound to a role before, but the Permify Check API still gives me ALLOWED as the response, maybe due to an internal cache, but I haven't passed any cache arg; see my YAML attached below. Also, when I updated my schema with a minor change it responded with the correct result; I don't know how.

YAML code:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: permify
  namespace: staging
  labels:
    app: permify
spec:
  replicas: 1
  selector:
    matchLabels:
      app: permify
  template:
    metadata:
      labels:
        app: permify
    spec:
      containers:
        - name: permify
          image: ghcr.io/permify/permify:latest
          ports:
            - containerPort: 3476
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: DATABASE_URL
          args:
            - "serve"
            - "--database-engine=postgres"
            - "--database-uri=$(DATABASE_URL)"
            - "--database-max-open-connections=20"
            - "--database-auto-migrate=false"

silver wyvern
#

Authentication is not complete? · Issue ...

twin crow
#

Hey team! 👋
I'm looking into bulk/batch permission checking capabilities in Permify. My use case involves checking multiple permissions across multiple resources for a subject in a single request to reduce API calls and network overhead.
I found a couple of related GitHub issues:

#1199 - Bulk permission check: https://github.com/Permify/permify/issues/1199
#1520 - Add Support for Batch Processing: https://github.com/Permify/permify/issues/1520

Questions:

  1. Is there any update on implementing a batch/bulk permission check endpoint?
  2. What's the current recommended approach for checking multiple permissions efficiently? I know about the subject-permission endpoint, but it seems limited to checking all permissions for a single entity-subject pair.
  3. Are there any workarounds you'd recommend for checking permissions on multiple entities in a performant way?

For context, I need to check if a user can perform various actions (like view, edit, delete) across multiple resources (like document:1, document:2, etc.) and want to minimize the number of API calls.

Thanks in advance! 🙏


silver wyvern
#

Hi @twin crow, there is an open PR about bulk checks and currently I am running tests before we merge it. I will let you know once its ready to merge

twin crow
#

@silver wyvern Thank you for the update! That's great to hear.
Would you be able to share an approximate timeline for when the PR might be merged?

silver wyvern
#

Planning to include in the next release on 14th Dec

twin crow
#

@silver wyvern That's great, thank you! Looking forward to it!

charred spade
#

Hi !
First of all thanks for this great solution, we've been building on it to replace a legacy system for one month and are very satisfied with what it offers!
I have a question on the authentication configuration on the server (https://docs.permify.co/setting-up/configuration#authn-server-authentication).
We've managed to integrate the configuration with our current OIDC provider, and we were wondering if there is a built-in way to restrict the usage of endpoints based on the audience of the token. For example, allow a public OIDC client to access the read endpoints, and a private token to access every endpoint.

past arrow
#

Hi Permify team,
How should I design my listing APIs when using Permify?
Specifically, how can I correctly implement search, pagination, and sorting?

For example, consider this schema:

entity organ {
relation parent @organ
relation owner @user
permission view = owner or parent.view
}

entity vehicle {
relation organ @organ
relation owner @user
permission view = owner or organ.view
}

How can I fetch all vehicles that a given user is allowed to view?
If an admin user has access to a very large number of vehicles, how should I return page 10 of the vehicle list efficiently?
I think post-filtering or pre-filtering approaches are too heavy for listing APIs.

I know that SpiceDB’s dedicated tier has a materialized permissions feature that helps with listing and searching.
Can I implement something similar on my side using Permify (for example using the watch API or expand API)?
Is this a good approach?
What methods do you recommend overall?

past arrow
#

@silver wyvern Can you help me?

silver wyvern
#

Protection of a List Endpoint

vital raft
#

Hello! I'm trying to read an attribute from an entity in JS but I get the value as a Buffer. In the docs there are examples to unpack this buffer, but only in C++, Java, Python and Go, not JS 🙁 Any help on how to fetch attributes using the JS library?

vital raft
#

ok, I saw the library exports import { StringValue } from "@permify/permify-node/dist/src/grpc/generated/base/v1/base"; and you can do StringValue.decode(attribute.value.value).data to get the string
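An added illustration, not the SDK's or Permify's code, of what that decode call is doing. The gRPC response carries the attribute value as a protobuf Any: a type URL plus a byte string (the Buffer seen above) holding the serialized inner message, and reading it needs only the varint and length-delimited wire rules. Assumed here: base.v1.StringValue and BooleanValue are one-field messages with `data` as field 1, which is what the JSON form {"@type": ".../base.v1.StringValue", "data": "..."} used elsewhere in this thread suggests; check base.proto before relying on it. One caveat worth knowing: proto3 omits default values, so an empty string or false arrives as an empty byte string, which is a value and not a missing attribute.

```python
"""Added example (not Permify's or the SDK's code): decode the raw bytes an
attribute value arrives as, to show what StringValue.decode(...) does.
Assumption: base.v1.StringValue / BooleanValue are one-field messages with
`data` as field 1 (string / bool); verify against Permify's base.proto.
"""
TYPE_PREFIX = "type.googleapis.com/base.v1."


def _read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next position)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def _write_varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def encode_string_value(text):
    """StringValue: tag 0x0a (field 1, wire type 2), length, UTF-8 bytes.
    An empty string encodes to zero bytes (proto3 omits default values)."""
    data = text.encode("utf-8")
    return b"\x0a" + _write_varint(len(data)) + data if data else b""


def encode_boolean_value(flag):
    """BooleanValue: tag 0x08 (field 1, varint) then 1; false encodes to zero bytes."""
    return b"\x08\x01" if flag else b""


def decode_attribute(type_url, raw):
    """Decode the Any payload of an attribute into a Python str or bool.
    Fields other than 1 are skipped, so a server that adds fields later
    does not break this decoder."""
    kind = type_url[len(TYPE_PREFIX):] if type_url.startswith(TYPE_PREFIX) else None
    if kind not in ("StringValue", "BooleanValue"):
        raise ValueError(f"unsupported type url {type_url!r}")
    value = "" if kind == "StringValue" else False   # proto3 default when raw is empty
    pos = 0
    while pos < len(raw):
        tag, pos = _read_varint(raw, pos)
        field, wire = tag >> 3, tag & 0x7
        if wire == 0:                                  # varint
            num, pos = _read_varint(raw, pos)
            if field == 1 and kind == "BooleanValue":
                value = num != 0
        elif wire == 2:                                # length-delimited
            length, pos = _read_varint(raw, pos)
            chunk, pos = raw[pos:pos + length], pos + length
            if field == 1 and kind == "StringValue":
                value = chunk.decode("utf-8")
        else:
            raise ValueError(f"unexpected wire type {wire}")
    return value
```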

unreal forum
#

Hello! I need some help with an issue that I'm currently experiencing in my production env.

I'm getting ERROR_CODE_DEPTH_NOT_ENOUGH errors with this schema:

entity user {
    // TODO: we are adding this attribute temporarily to support
    // the member.user navigation in the teams entity belongs_to action
    // Remove this attribute and action when data migration is done.
    attribute is_user boolean
    attribute is_active boolean

    action user = is_user
    action active = is_active
}

entity member {
    relation user @user

    attribute is_active boolean

    permission active = user and is_active
}

entity team {
    relation member @user @member
    action belongs_to = member.user or member
    permission active_member = member.active
}

The error is being thrown when running a permission check query like this one:

path:
/v1/tenants/t1/permissions/check

body:
{ "metadata":{ "depth": 100 }, "entity": { "type": "team", "id": "2" }, "permission": "belongs_to", "subject": { "type": "user", "id": "2" } }

Permify version: v1.3.7

I can only reproduce the error in my production environment, where the only difference with lower environments is traffic.

silver wyvern
#

Depth Error - Cyclic Checks

obsidian vapor
#

Hey, seeing a huge performance difference when using attributes in permissions with lookupEntity. I have ~130k assessments with ~235k relations (130k owner + 74k recipient + 32k vb). Minimal schema:

entity user {}

entity account {
    relation owner @user
    relation recipient @user
}

entity assessment {
    relation recipient_account @account
    attribute facility_posted boolean

    permission is_recipient = recipient_account.recipient

    permission view_assessment = is_recipient
    permission view_assessment_posted = is_recipient and facility_posted
}

Calling lookupEntity like this (node sdk):

client.permission.lookupEntity({
  tenantId: "t1",
  metadata: { schemaVersion: "", snapToken: "", depth: 100 },
  entityType: "assessment",
  permission: "view_assessment_posted",
  subject: { type: "user", id: userId },
});

With view_assessment (relation-only):

lookupEntity COMPLETE: 172 IDs in 34ms

With view_assessment_posted (relation + attribute):

lookupEntity COMPLETE: 172 IDs in 29259ms

Same user, same result set. ~800x slower with the attribute.

Is this expected? Any way to optimize lookupEntity with ABAC?

silver wyvern
#

Lookup Entity with ABAC Performance

quasi heath
#

I am using permify v1.6.1 and getting stale permissions on lookup entity API.

#

When I do frequent write/delete of relations, I am getting denied permission which should be allowed.

unreal forum
#

Hi everyone 👋

I have a question about best practices when integrating Permify with a relational database.
I need to return a paginated and filterable list of items from my SQL database, but only those that the current user has access to according to Permify.

The constraints are:

  • The number of items can be large.

  • The API must support filtering and pagination.

What is the recommended pattern in this case?

  • Should I first query my database (with filters + pagination) and then perform permission checks on that subset?

  • Or should I query Permify first (e.g. list accessible resources for a user) and then use those IDs in my SQL query?

  • Is there a more scalable pattern?

  • What Permify APIs should I use for this (Lookup entity | Lookup entity (stream) | Bulk permissions checks)?

Any guidance on the most scalable and recommended approach would be greatly appreciated.
Thanks!

echo parcel
#

Hi everyone,

We are assessing the use of Permify in our solution and we recently had performance issues with Permify. We wonder if these are expected results.

We had a complex schema and are now looking into simplifying it as much as possible, removing all recursion and using only direct relationships.

Below you can find a minimal example of what our schema looks like at the moment:

entity user {}

entity team {

    relation administrator @user
    relation direct_member @user

    relation device_reader @role
    relation inherited_device_reader @role

    permission device_read = direct_member and (device_reader.member or inherited_device_reader.member)
}

entity role {
    relation team @team
    permission member = team.direct_member
}

entity country {
    relation team @team
    permission device_read = team.device_read
}

entity business_unit {
    relation team @team
    permission device_read = team.device_read
}

entity device {
    relation customer @customer
    relation business_unit @business_unit

    permission read = business_unit.device_read and customer.device_read
}

entity customer {
    relation country @country
    permission device_read = country.device_read
}

The problematic call for us is to do an entity lookup (get the devices a user can read). For a sample of ~3500 devices, this single request is taking ~3 seconds. We've also confirmed that with more devices, the longer the request takes to complete.

The question is: is this an expected performance for an entity lookup at such (small-ish) scale? This kind of performance is not acceptable for the end user to see their devices.

Also looking into the same challenge shared by #permify-help-archived message, this means this is not a call we can avoid, as we have to do an entity lookup for all items before we can apply any sorting / filtering.

steel light
# echo parcel Hi everyone, We are assessing the use of Permify in our solution and we recentl...

3 seconds for 3,500 devices is actually the expected result here because you are treating Entity Lookup like a SQL SELECT statement.

Permify is designed for high-speed DAG traversal to answer "Can they?" usually for a single resource, so asking it to "List everything they can?" forces it to compute deep relationships (Device → Business Unit → Team → User) for thousands of candidates at once. It’s essentially performing a massive, recursive join across a graph in real-time. Permify is a Policy Engine, not a Search Engine and definitely not a graph database.

How to fix the "Expected Result"
Think of Permify as a Permissions Cache at the edge, and your database as the Resource Index. The proper flow for a "List Devices" page is:

Discovery (Database): Query your DB for devices. Your DB already knows which devices belong to which Business Unit or Customer. This lowers the number of lookups sent to Permify.

Validation (Permify): Take the paginated results and run a batch check in Permify on this much smaller data set to see if the user has the specific device_read permission for those IDs.

Result: You get a millisecond response for a paginated list, and the "Gatekeeper" (Permify) still maintains the source of truth for access.

If you ask Permify to find the devices first, you are asking a "Yes/No" engine to act like a "Search" engine. It will never be fast at scale doing filtering work it was never meant to do.
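The discovery-then-validation flow described above, written out as an added example (not Permify's code and not from anyone in the thread). `fetchCandidates` and `bulkCheck` are hypothetical stand-ins for your own database accessor and for a wrapper around Permify's bulk permission check; the 100-items-per-call limit mentioned further down the thread is respected by chunking, and a database batch in which nothing is allowed costs another round trip instead of producing an empty page.

```javascript
// Added example, not Permify's code: "discovery in the database, validation in Permify"
// as a cursor-paginated list. fetchCandidates/bulkCheck are hypothetical stand-ins; with
// real clients both calls are awaited, they are kept synchronous here so the in-memory
// stand-ins stay simple.
const BULK_CHECK_LIMIT = 100; // per-call limit of Permify's bulk check, as noted in the thread

function chunk(items, size) {
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Fills one page with devices the user may read. The database narrows candidates (UI
// filters + keyset cursor), Permify validates them; the cursor always points at the last
// device actually returned so the next page resumes right after it.
function listReadableDevices({ fetchCandidates, bulkCheck, userId, filters, pageSize, afterId = null }) {
  const items = [];
  let cursor = afterId;
  let permifyCalls = 0;
  while (items.length < pageSize) {
    const batch = fetchCandidates(filters, cursor, pageSize); // discovery
    if (batch.length === 0) { cursor = null; break; }        // database exhausted: last page
    cursor = batch[batch.length - 1].id;
    const allowed = new Set();
    for (const ids of chunk(batch.map((d) => d.id), BULK_CHECK_LIMIT)) {
      permifyCalls += 1;                                      // validation, <=100 ids per call
      for (const id of bulkCheck(userId, ids)) allowed.add(id);
    }
    for (const device of batch) {
      if (!allowed.has(device.id)) continue; // only an explicit "yes" from the checker counts
      items.push(device);
      if (items.length === pageSize) { cursor = device.id; break; } // resume after last returned
    }
  }
  return { items, nextCursor: cursor, permifyCalls };
}

// Constructed sample data standing in for the device table (ordered by id) ...
const DEVICES = [
  { id: "d01", businessUnit: "bu-a" }, { id: "d02", businessUnit: "bu-b" },
  { id: "d03", businessUnit: "bu-b" }, { id: "d04", businessUnit: "bu-a" },
  { id: "d05", businessUnit: "bu-b" }, { id: "d06", businessUnit: "bu-a" },
  { id: "d07", businessUnit: "bu-a" },
];
// ... and for the access state Permify would hold: user u1 may read devices of bu-a only.
const READABLE_UNITS = { u1: new Set(["bu-a"]) };

function fetchCandidates(filters, afterId, limit) {
  return DEVICES
    .filter((d) => afterId === null || d.id > afterId)
    .filter((d) => !filters.businessUnit || d.businessUnit === filters.businessUnit)
    .slice(0, limit);
}

function bulkCheck(userId, ids) {
  if (ids.length > BULK_CHECK_LIMIT) throw new Error("bulk check accepts at most 100 items");
  const units = READABLE_UNITS[userId] || new Set();
  return DEVICES.filter((d) => ids.includes(d.id) && units.has(d.businessUnit)).map((d) => d.id);
}

const page1 = listReadableDevices({ fetchCandidates, bulkCheck, userId: "u1", filters: {}, pageSize: 3 });
console.log(page1.items.map((d) => d.id), page1.nextCursor, page1.permifyCalls); // ["d01","d04","d06"] d06 2
```

Filtering on a business unit the user cannot read returns an empty list after a single validation call, which is the behaviour the thread asks for when a user picks a unit outside their access.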

ebon dove
#

Hi! I am using the Python gRPC SDK. The Protobuf Buffers on the Buf Registry seem to be out of date, it doesn’t seem to contain the Bulk Check RPCs/messages. Could you let me know if this is the case, and if it is possible to update them?

echo parcel
# steel light 3 seconds for 3,500 devices is actually the expected result here because you are...

Thanks a lot for your reply @steel light.

We could filter in the database, but the information of "which Business Units" and "which Customers" can a user see also lives in Permify.

If we think about moving the lookup/filtering to the database, this could mean:

  1. Fetch the business units the user can read from Permify
  2. Fetch the customers the user can read from Permify
  3. Query in the DB the devices matching those business units and customers
  4. Confirm for the list of device ids if user has read access to it

I guess the lookups in 1. and 2. will always be faster, since they have lower cardinality (let's assume <10 business units, we could also potentially fetch countries instead of customers and assume those will always be <200).

But this poses another problem: what if the user can see a lot or all the devices (common case)? I see the bulk permission check is limited to 100 items and I guess the response time will grow with the number of permissions checks too. If a user has access to all the devices (3500), this would mean we would have to call Permify Bulk Check 35 times for a single user, which doesn't sound like a great idea and performance will probably be a concern again.

In the limit, I think we could avoid step 4. and assume the user has permission to read those devices, but we're basically inferring that we know the schema states that device.read permission = business_unit.device_read and customer.device_read

Am I thinking this right? Is it right to think that 1. and 2. (team membership, team association to business units and countries) should still live and be queried in Permify?

steel light
# echo parcel Thanks a lot for your reply @steel light. We could filter in the datab...

If a user has access to all the devices (3500), this would mean we would have to call Permify Bulk Check 35 times for a single user, which doesn't sound like a great idea and performance will probably be a concern again.

It seems you are looking at this from a pure backend data standpoint, not a UI/UX standpoint.

A wall of 3,500 devices is fairly useless for an end user. Even if you paginate 50 items at a time, clicking through 70 pages to find the right device is a terrible user experience. Your common denominator shouldn't be "everything the user is allowed to see," it should be "what the user actually needs to see right now."

Are there other database-level filters you can provide in the UI? (e.g., Search by Name, Status, Region, Tag).

If a user filters the UI for "Offline devices in Germany," your database query narrows those 3,500 candidates down to 12. You then pass those 12 IDs to Permify for the final validation check. By the time Permify gets involved, the UI and the database should have already done the heavy lifting of narrowing the search space.

I'm making some assumptions. Maybe explaining the use case better might help?

Also, don't assume anything with access state data. So, definitely do not assume the user has permissions anywhere. That's asking for a disaster. 🙂

echo parcel
# steel light > If a user has access to all the devices (3500), this would mean we would have ...

Yes, there are other database-level filters available, but in our idea Permify would be part of a first filtering already to limit the visibility of devices of a user (based on their 'access'). Taking your example, a user should not even be able to filter for devices in 'Germany' if he is only able to see devices in 'France' in the first place. This visibility is already expressed in our Permify schema.

So, how would I even show the first 50 visible devices to a user without doing a full device entity lookup in Permify? Because we don't know which devices a user should be able to see in the first place.

I don't think performing the filter on database first would work the way we were thinking about it at least. Let's assume the user filters for a business unit he shouldn't have read access to - it should not return anything because he shouldn't even be allowed to see any device there in the first place.
Let's also assume I want to implement pagination that way: I would get the first 100 devices randomly from the database, then I would ask Permify if he can read those 100 devices (bulk permission check) and he can actually read none (because they belong to some business_unit the user shouldn't have access to).

Trying to look at it from UI/UX standpoint, an improvement I can think of, since we're now focused on filtering immediately by business_unit and country, would be to have two immediate mandatory filters with business_unit and country. The user would have to mandatorily select at least one value for both options. We could:

  1. fill the possible values in the dropdowns for business_unit and country based on Permify lookups
  2. filter in the database based on the selection
  3. confirm the access in Permify using bulk check for the filtered devices (this potentially will always be true for every filtered device)

I guess this means it's impractical/unrealistic to give a device listing without filters to a user. Do you think this is going in the right direction?

steel light
#

Yes, but could you explain for my curiosity what the purpose of the device listing is? Or, what process is the user trying to accomplish?

echo parcel
#

Sure. And I can actually think of a use case we have where it would be impractical to do what we're saying.
The use case is the following: we have a page displaying a map showing where each device is located. We want only 'visible' devices to a user to be displayed in that map (e.g. a user can only see devices of a certain business_unit). We were doing this by performing a device.read entity lookup in Permify, but we're now realizing this won't scale with a growing number of devices.

Similarly to suggested before, my 'workaround' might be to:

  1. Fetch the business units the user can read using business_unit.device_read lookup from Permify
  2. Fetch the customers the user can read using customer.device_read lookup from Permify
  3. Query in the DB the devices matching those business units and customers (could be thousands of devices)

But it makes me wonder if Permify is even the right tool to do steps 1. and 2. for this use case, since we're not even using it for permission checks and device entity lookup would be too expensive to perform for that amount of data.

steel light
#

@echo parcel - What would the user be wanting to do with the map of devices? You've explained what you'd like in the UI, not what the user is expected to be doing. 🙂

silver wyvern
#

Python gRPC Client

silver wyvern
#

Lookup Performance (3500 Devices/ 3 Seconds)

hot pulsar
#

Hey everyone! Just wanted to post in this channel to let you know that we’ve launched the #1475506841604849705 channel. When you’ve got a question, that channel will be where we want folks posting them. It will help us keep track of everything better, and provide nice features like the ability to search questions (which might help you answer your own question!).

We’ll leave this channel open for the next couple weeks, but we’ll archive it at that point. As you use the new forum channel, let us know if there are any ways we can improve the system and make it even better for you.

open geyser
#

Hi everyone, has anyone added pagination on a nextjs + graphQL project?

open geyser
#

prob statement = I'm making a nextjs website with graphQL and typescript using the rickandmorty API for data fetching, I want to add pagination but didn't get the correct answer for it and get confused
please tell me from where should I start so that I can find my answer

fair jackal
#

I need help working on MEN stack (mern) with the r.

Basically I'm struggling to access database with mongoose (not mongodb)

open geyser
#

Has anyone used createContext with nextjs and typescript?

#

I did it this way but it's showing many errors

winter gust
#

hi all, just saw the post on HN and wondering if I understand this right. Permify reads from an application database, subscribing to changes through the transaction log, and turns this data into an authorization schema that can be used to performantly answer authorization queries. Is this right? If so, how does this work within transactions? I assume only committed data is transformed into the authorization schema? Is there a delay?

sleek flicker
#

This is very much correct @winter gust !

Yes only committed data is transformed into a DB you point at which is your writeDB where you store your authorization data.

Since all this happens in your tech stack there is as little delay as 1-2ms.

You can create your authorization schema with our DSL. And then pretty much we handle the rest.

We will be improving the following things.

  • message broker and CDC for number of queries.
  • Better cache with Redis and Redis Persist.
  • And better data consistency.

We would love to hear your feedback and define our road map together as well 🙂

winter gust
# sleek flicker This is very much correct @winter gust ! Yes only committed data is tr...

Thanks for the clarification! I have a legacy application that I'm looking to retrofit a modern authentication system on, so this sounds perfect. The only thing I'm wondering before trying it out is how to deal with authorization checks within a transaction. I assume the current pattern just isn't going to work, which is where we're using Spring's PreAuthorize on the service level. That basically just means that various methods that do things with an entity run a piece of ACL checking code before executing. I was hoping to plug Permify into that. So that means the following could happen, all within a transaction:

  1. Create new entity
  2. Call method that does thing with entity
  3. Before executing the above, first run ACL check code

Which would then fail, because the change hasn't yet been synchronised to the Permify database. This would probably be fine if we just did controller-level checking once at the start of handling a request, or we can just special case entities that have been created during the current request.

However, considering the ~2ms latency, I am also wondering how this works in relation to microservices. If microservice A creates/modifies an entity, then calls microservice B it would have to wait for the Permify database to be synced. Am I right? Is there a way to sync this?

autumn oxide
#

Hey @winter gust

If your entity is not defined, then the access check will return unauthorized, false.

For the transaction flow you mentioned there are 2 ways unless you're not checking authorization at the controller level.

These are: after creating the entity, waiting for the synchronization result and then handling the action. Or, as you say, we can conduct a specific solution for this case. If you can open an issue about it, we will definitely look closely at it.

The synchronization process works the same with microservices too. The healthier way of doing it is waiting for the synchronization result within the 2ms latency.

Improving synchronization is high priority in our roadmap. Additional to this, we'd love to learn more about your use case and discuss it.

tranquil cove
#

Hi everyone.
Stumbled across Permify today but have not seen any kind of comparisons with Casbin or Cerbos. Can someone tell me in short why Permify? What's the USP in comparison to the others? Currently I don't see the need for another library

winter gust
# autumn oxide Hey @winter gust If you're entity is not defined, then access check w...

Thanks for the response! I'll come back when I've taken some time to actually experiment with Permify, right now I'm just basing these questions on what I've read on the website and github. However, to clarify what I meant regarding transactions, the following flow is what I had in mind:

  1. HTTP request comes in. Start database transaction.
  2. Within that transaction create an entity in the database
  3. Call service-layer methods which include authorisation checks. The transaction has not yet been committed at this point.
  4. The authorisation check does its thing. If it queries the database directly, or otherwise is built into the application with transaction-awareness, it works. If it calls out to an external service that only looks at committed data, it will presumably fail and need to special-case this.

In such applications it probably isn't reasonable to commit before 4. You might still need to roll the transaction back later after another operation fails.

autumn oxide
# tranquil cove Hi everyone. Stumbled across Permify today but have not seen any kind of compari...

Hey @tranquil cove

The main difference is we provide a relation-based authorization solution. Casbin and Cerbos do not support ReBAC. Additionally, they're not working on the authorization data synchronization issue. We handle that by storing your object - resource relations as relational tuples in the database you prefer and deciding authorization results based on this data. You can look at the Google Zanzibar paper for more information about managing authorization data as relational tuples.

autumn oxide
# winter gust Thanks for the response! I'll come back when I've taken some time to actually ex...

Got the process you wrote. Thanks for clarification.

And for latency optimization: if you write relational tuples to the same DB that you subscribed to (ListenDB is the same as WriteDB), you can minimize the transaction latency dramatically. Alternatively, using the "/v1/relationships/write" endpoint you can create custom relational tuples; in that case you don't need to use the CDC pattern.

Other than that, as I mentioned, we're focused on this issue and evaluating some potential solutions. As we follow the CDC design pattern https://dbconvert.com/blog/postgresql-change-data-capture-cdc/amp/ keeping data synchronized is the main priority for us.

Other than that, let us know if you struggle anywhere on the website or GitHub.