Permit #permit-saas

Engineering Swantide

11/10/2025, 6:17 PM

also question regarding 'default' tenants. shouldn't leaving out tenant (for other api endpoints for examples) default to

default

tenant? i'm noticing that in some of my other apis, when I withold tenant,it doesn't append anything to the 'default' tenant only my other one created. Do I always have to enforce

default

tenant at all times if I only want one?

Neelesh Shastry

11/11/2025, 7:35 PM

Hello, where can I find the link to billing for app.permit.io ?

Christie Molloy

11/12/2025, 12:34 PM

Hi, I'm having an issue accessing the API docs since yesterday, have they moved? https://api.permit.io/v2/redoc Thanks

Slackbot

11/12/2025, 5:15 PM

This message was deleted.

Shyamalan Chemmery

11/13/2025, 12:40 AM

I have an attribute "ViewUsersOnly" (string array) in my resource and an attribute "company" (string) in users. I have a resource set that I created for my ABAC policy with a condition [resource.ViewUsersOnly] [array contains (ref)] [user.key] and it yields the resource when ViewUsersOnly contains the key of the user. But this resource set yields even after I changed the resource set to [resource.ViewUsersOnly] [array contains (ref)] [user.company]. Am I missing something?

Yilmaz Alizadeh

11/13/2025, 8:58 AM

I am experiencing slowness when calling endpoint https://api.permit.io/v2/facts/9aa8bcdc454049cd8c1459f6d1215b4f/f5b553a6ef6847779addd901fc44327b/relationship_tuples/bulk for bulk relationship tuple creation. projectId 9aa8bcdc454049cd8c1459f6d1215b4f and environmentId f5b553a6ef6847779addd901fc44327b. even with single operation it takes about 24 seconds. calling single without batch only takes milli seconds. could you please help me with thi.

Taha ÇEKEN

11/17/2025, 7:24 AM

Hi , I’m experiencing an issue related to url_mapping. I currently have 5 URL mapping configurations (Proxy Configs), and the issue occurs specifically when I create mappings using regex. The problem is that url_type
is not being saved correctly. For example, this mapping is saved properly and appears with the regex badge on the frontend:

Copy code

{
  "url": "https?://api.abclojistik.com/test/api/erp/(?:tr|en)/reports/?.*$",
  "url_type": "regex",
  "http_method": "get",
  "resource": "erp_report",
  "headers": {},
  "action": "read",
  "priority": null
}

However, this one gets saved with

"url_type": null

even though it is also a regex, and the frontend still shows it with the regex badge:

Copy code

{
  "url": "https?://api.abclojistik.com/test/api/hub/(?:tr|en)/orders/?.*$",
  "url_type": null,
  "http_method": "patch",
  "resource": "hub_order",
  "headers": {},
  "action": "update",
  "priority": null
}

When I fetch this configuration from the Permit.io API, it does not indicate that it’s a regex. I’m not sure if this inconsistency is the root cause, but I’m also getting a PDP crash when calling the

allowed_url

endpoint. I’ve attached the PDP crash logs to this message. it gives error about Horizon server. But this error occured after i added new url_mappings. I need to resolve this issue as soon as possible. Any help would be greatly appreciated.

Shyamalan Chemmery

11/17/2025, 9:21 AM

Hi, I have a requirement whereby the access granted, to a user, by a ReBAC resource role takes precedence over the access granted by an ABAC condition set. Can this be remedied by a custom policy and how?

Yilmaz Alizadeh

11/17/2025, 4:12 PM

Hi, If we create an action or relation with _ (underscore) using api or sdk it works ok and we have used this a lot. the issue is now we can't change anything in permitui that has underscore as it seems there is an enforcement in UI that doesn't allow underscore in names. any advice?

Chuck Chau

11/18/2025, 7:06 AM

Hi! The permit pdp docker container log is fill with the following warning

Copy code

horizon.opal_relay_api                  |WARNING | Could not report uptime status to server: got status code 503 from relay-api. This does not affect the PDP's 
operational state or data updates.\n", "record": {"elapsed": {"repr": "0:03:43.577686", "seconds": 223.577686}, "exception": null, "extra": {}, "file": {"name": 
"opal_relay_api.py", "path": "/app/horizon/opal_relay_api.py"}, "function": "_run", "level": {"icon": "⚠️", "name": "WARNING", "no": 30}, "line": 183, "message": 
"Could not report uptime status to server: got status code 503 from relay-api. This does not affect the PDP's operational state or data updates.", "module": 
"opal_relay_api", "name": "horizon.opal_relay_api", "process": {"id": 17, "name": "MainProcess"}, "thread": {"id": 281472985017632, "name": "MainThread"}, "time": 
{"repr": "2025-11-18 06:59:00.254824+00:00", "timestamp": 1763449140.254824}}}

Is there any setting I did not set, like the uptime server url?

Slackbot

11/18/2025, 12:28 PM

This message was deleted.

Stephen Morrison

11/18/2025, 9:13 PM

We keep getting issues where Permit can't access our PDP. It keeps returning 500s until we restart it, when it starts working again for a couple minutes and then stops. It doesn't fully stop it's just on users that are newly added.

Michael Chen

11/19/2025, 5:43 PM

Hi all! New here and just started tinkering with Permit in the past couple weeks, and it's really been helpful at helping me sort out access control. I have a location resource and the resource roles of location-staff, and basically, I want a robust way to detect if a user has the role of location-staff at all (doesn't matter which resource instance they have that role in, simply whether they have it at all) and I want to reference that to define a custom ABAC role. I'm trying to do this because there are tenant-level permissions I want to give to people that are location-staff but want to avoid having to assign/unassign them top level roles programmatically (or user attributes) every time we either give them the role for the first time or remove the location-staff resource instance role entirely. Is this possible? Or am I approaching this the wrong way? I've tried searching through the docs/asking the Permit AI about this specific issue (resource instance roles as attributes) to no avail; every answer I get seems to be only about top level roles (user.roles in the ABAC configuration seems to only be about top level roles?). Thank you for the work that you do!

Tuấn Anh

11/20/2025, 8:47 AM

Hi Permit team, following by https://docs.permit.io/how-to/enforce-permissions/data-filtering/ , I saw your team solved Source-Level Filtering (in the Database). How could I configure to use this feature?

Seiichi Arai

11/20/2025, 10:33 AM

Hi team, I tried to create a Group in the PermitIO web UI, but it didn’t show up after creation—even though I saw the message “Group created successfully.” Do you know what might be happening here?

Jon Erdman

11/20/2025, 4:02 PM

Seems like a Permit outage? Having trouble logging in and all of my API calls are failing.

Keith Hickman

11/21/2025, 6:24 PM

Hoping someone can help with a basic question. I've got a Python backend handling my permission validation. What's the difference between using a decorator and just calling a permit.check() inside every route/endpoint/action that needs permission?

Yilmaz Alizadeh

11/24/2025, 9:46 AM

I need to handle failed items and initiate recovery options for bulk operations. using bulk endpoint what happens if one of the operations in bulk fails. will the bulk operation fails or only that single item. what response will be. is there any option to make the whole operation fail if a single item fails.

Mihiru Kongahage

11/25/2025, 4:01 AM

Hi Team, We have need to implement a simple RBAC + ReBAC access control model and I'd like to validate the approach and design. Our Use Case I have a system with organizations, and each organization contains projects and users. Every user in an organization is assigned the member role by default. Members are allowed to create projects. Each project has its own project-level roles: - project_admin - project_member When a user (who is an member) creates a project, they automatically become the project_admin for that specific project. A project_admin can: Add or remove project_members Add or remove project_admins Current Permission Model Resource Types - project Roles - member - project#project_admin - project#project_member Each role has specific allowed actions on the resource types. Example permission check:

Copy code

{
  "user": {
    "key": "user_id1"
  },
  "action": "create",
  "resource": {
    "type": "project",
    "tenant": "default",
    "key": "project_test10"
  },
  "context": {}
}

Is this RBAC + ReBAC design and resource-instance model valid for Permit.io for this use case? Any other design options/candidates that you'd recommend? In the first iteration, we'd like to use the cloud PDP exclusively without a local PDP setup. Is there a another approach where this kind of permission model can be supported by exclusively using cloud PDP?

Matan Benjio

11/26/2025, 1:54 PM

Hi team, following up on the ticket with @Or Weis, we're sharing PDP logs and config for the persistent communication issues. Our Setup: • PDP Type: Local PDP (most basic setup) • Deployment: Helm chart

pdp

version :`0.0.5` • Configuration ( Basic):

Copy code

pdp:
  ApiKey: "[OUR_API_KEY]"
  port: 7000
  logs_forwarder:
    enabled: true
    debug_mode: false

The Core Problem: Our PDP is experiencing repeated failures to communicate with your control plane, resulting in HTTP 503 Service Unavailable errors and timeouts when trying to reach

<https://opal-relay.api.permit.io/v2/pdp/callback>

. Key Log Evidence: We've attached two log files from the incident period `[from Nov 17 at 12:30 PM to Nov 18 at 11:30 AM (IST)]`: 1.

logs_by_time.csv

- Shows the sequence of events. 2.

logs_by_group.csv

- Groups the repeated messages, showing the high frequency. The most repeating errors look like this:

Copy code

- server replied with HTTP 503 Service Unavailable
- Timeout while fetching url: <https://opal-relay.api.permit.io/v2/pdp/callback?retry=0>

This is causing a complete breakdown in our authorization flows. We'd appreciate your help in reviewing these logs and our configuration to understand why our local PDP cannot maintain a stable connection to your servers. Thanks in advance for your help. Cyclops security team.

logs_by_time.csv logs_by_group.csv

Jaieu Sheil

11/26/2025, 10:00 PM

Hi team I am trying to follow this guide to spin up a PDP in gcp cloud run - https://docs.permit.io/how-to/deploy/cloud-hosts/gcp-cloud-run/. When I do a health check on the instance, it returns 503

Copy code

{
  "components": {
    "horizon": {
      "details": {
        "watchdog": {
          "message": "Watchdog status when direct Horizon health check was not Ok.",
          "status": "error"
        }
      },
      "error": "Failed to connect to Horizon: error sending request for url (<http://0.0.0.0:7001/healthy>)",
      "status": "error"
    },
    "opa": {
      "error": "Failed to connect to OPA: error sending request for url (<http://localhost:8181/health>)",
      "status": "error"
    }
  },
  "status": "error"
}

Is there something wrong/missing in my configs?

Ester Hatchuel

11/27/2025, 6:19 AM

Hello, installed pdp helm chart and logs shows : | INFO | Received request. GET /health 2025-11-27T061015.020533+0000 | opal_client.engine.logger | INFO | Sent response. GET /health -> 200 2025-11-27T061016.986584+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO | Trying server - wss://opal.permit.io/ws 2025-11-27T061017.007336+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO | RPC Connection failed - [Errno -5] Name has no usable address 2025-11-27T061017.036199+0000 | opal_client.policy_store.opa_client |WARNING | OPA client health: False (policy: False, data: False) 2025-11-27T061017.036497+0000 | uvicorn.protocols.http.httptools_impl | INFO | 127.0.0.1:51190 - "GET /healthy HTTP/1.1" 503 2025-11-27T061018.960840+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO | Trying server - wss://opal.permit.io/ws 2025-11-27T061018.975944+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO | RPC Connection failed - [Errno -5] Name has no usable address 2025-11-27T061021.188084+0000 | opal_client.policy_store.opa_client |WARNING | OPA client health: False (policy: False, data: False) 2025-11-27T061021.188436+0000 | uvicorn.protocols.http.httptools_impl | INFO | 127.0.0.1:40428 - "GET /healthy HTTP/1.1" 503 [2025-11-27T061021Z INFO pdp_server:apihealth:handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable 2025-11-27T061021.188967+0000 | opal_client.engine.logger | INFO | Received request. GET /health 2025-11-27T061021.189310+0000 | opal_client.engine.logger | INFO | Sent response. GET /health -> 200 2025-11-27T061025.018754+0000 | opal_client.policy_store.opa_client |WARNING | OPA client health: False (policy: False, data: False) 2025-11-27T061025.019149+0000 | uvicorn.protocols.http.httptools_impl | INFO | 127.0.0.1:40428 - "GET /healthy HTTP/1.1" 503 [2025-11-27T061025Z INFO pdp_server:apihealth:handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable 2025-11-27T061025.019503+0000 | opal_client.engine.logger | INFO | Received request. GET /health 2025-11-27T061025.019841+0000 | opal_client.engine.logger | INFO | Sent response. GET /health -> 200 2025-11-27T061027.037228+0000 | opal_client.policy_store.opa_client |WARNING | OPA client health: False (policy: False, data: False) 2025-11-27T061027.037677+0000 | uvicorn.protocols.http.httptools_impl | INFO | 127.0.0.1:48132 - "GET /healthy HTTP/1.1" 503 [2025-11-27T061027Z WARN watchdog::service] Service 'python3' health check failed: Unhealthy status code: 503 (expected 200) (consecutive failures: 6/12) 2025-11-27T061031.187797+0000 | opal_client.engine.logger | INFO | Received request. GET /health 2025-11-27T061031.188469+0000 | opal_client.policy_store.opa_client |WARNING | OPA client health: False (policy: False, data: False) 2025-11-27T061031.188779+0000 | uvicorn.protocols.http.httptools_impl | INFO | 127.0.0.1:48148 - "GET /healthy HTTP/1.1" 503 [2025-11-27T061031Z INFO pdp_server:apihealth:handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable 2025-11-27T061031.189099+0000 | opal_client.engine.logger | INFO | Sent response. GET /health -> 200 2025-11-27T061031.192362+0000 | opal_client.policy_store.opa_client |WARNING | OPA client health: False (policy: False, data: False) 2025-11-27T061031.192574+0000 | uvicorn.protocols.http.httptools_impl | INFO | 127.0.0.1:48148 - "GET /healthy HTTP/1.1" 503 [2025-11-27T061031Z INFO pdp_server:apihealth:handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable 2025-11-27T061031.192840+0000 | opal_client.engine.logger | INFO | Received request. GET /health 2025-11-27T061031.193401+0000 | opal_client.engine.logger | INFO | Sent response. GET /health -> 200 when im trying to resolve opal.permit.io also from my local machine im getting No answer

Michał Wójcik

11/28/2025, 11:03 AM

Hi @Natalia Edelson, @Thomas, and the Permit.io team, During our recent meeting with both of you, we agreed that we would proceed with performance testing of our solution built on top of Permit.io. We had Rate_limit exception so we decided upgraded to Pro plan. However, despite the upgrade, we are still unable to generate mock data for the tests. We continue to receive rate limit (429) errors, even though our code does not use any parallelization or concurrency — the seeding is done through simple, sequential operations. My Api logs:

Copy code

2025-11-28 08:48:12.202Z fga-api fail: Sea.Fga.Api.Services.SeedDataGenerationService[0]
2025-11-28 08:48:12.202Z fga-api       Failed during test data generation
2025-11-28 08:48:12.202Z fga-api       HTTP Response:
2025-11-28 08:48:12.202Z fga-api       
2025-11-28 08:48:12.202Z fga-api       {
2025-11-28 08:48:12.202Z fga-api         "id": "8d98906253db42908260fb8696cb9781",
2025-11-28 08:48:12.202Z fga-api         "title": "You have exceeded the rate limit",
2025-11-28 08:48:12.202Z fga-api         "support_link": "<https://permit-io.slack.com/ssb/redirect>",
2025-11-28 08:48:12.202Z fga-api         "error_code": "RATE_LIMITED",
2025-11-28 08:48:12.202Z fga-api         "message": "We are sorry for the inconvenience, You have exceeded the rate limit for this resource. 
                       Please try again later.
                       If the issue keeps happening, contact our support on Slack for further guidance.",
2025-11-28 08:48:12.202Z fga-api         "additional_info": null
2025-11-28 08:48:12.202Z fga-api       }
2025-11-28 08:48:12.202Z fga-api 
2025-11-28 08:48:12.202Z fga-api       PermitSDK.OpenAPI.Models.PermitApiException: The HTTP status code of the response was not expected (429).
2025-11-28 08:48:12.202Z fga-api 
2025-11-28 08:48:12.202Z fga-api       Status: 429
2025-11-28 08:48:12.202Z fga-api       Response:
2025-11-28 08:48:12.202Z fga-api       {
2025-11-28 08:48:12.202Z fga-api         "id": "8d98906253db42908260fb8696cb9781",
2025-11-28 08:48:12.202Z fga-api         "title": "You have exceeded the rate limit",
2025-11-28 08:48:12.202Z fga-api         "support_link": "<https://permit-io.slack.com/ssb/redirect>",
2025-11-28 08:48:12.202Z fga-api         "error_code": "RATE_LIMITED",
2025-11-28 08:48:12.202Z fga-api         "message": "We are sorry for the inconvenience, You have exceeded the rate limit for this resource. 
                       Please try again later.
                       If the issue keeps happening, contact our support on Slack for further guidance.",
2025-11-28 08:48:12.202Z fga-api         "additional_info": null
2025-11-28 08:48:12.202Z fga-api       }
2025-11-28 08:48:12.202Z fga-api 
2025-11-28 08:48:12.202Z fga-api          at PermitSDK.OpenAPI.PermitClient.Create_relationship_tupleAsync(
                                                String proj_id,
                                                String env_id,
                                                RelationshipTupleCreate body,
                                                CancellationToken cancellationToken)
2025-11-28 08:48:12.202Z fga-api          at PermitSDK.Api.CreateRelationshipTuple(RelationshipTupleCreate relationshipTuple)
2025-11-28 08:48:12.202Z fga-api          at Sea.Fga.Permit.Services.PdpService.<>c__DisplayClass20_0.<<AddRelationship>b__0>d.MoveNext()
                                                in /app/src/BE/Sea.Fga.Permit/Services/PdpService.cs:line 402

Pdp logs:

Copy code

2025-11-28 09:21:50.791Z pdp 2025-11-28T09:21:50.790972+0000 | opal_client.data.fetcher                |ERROR  | Timeout while fetching url: <https://opal-relay.api.permit.io/v2/pdp/callback?retry=0>
2025-11-28 09:21:50.791Z pdp Traceback (most recent call last):
2025-11-28 09:21:50.791Z pdp   File "/usr/local/lib/python3.10/asyncio/locks.py", line 214, in wait
2025-11-28 09:21:50.791Z pdp     await fut
2025-11-28 09:21:50.791Z pdp asyncio.exceptions.CancelledError
2025-11-28 09:21:50.791Z pdp 
2025-11-28 09:21:50.791Z pdp During handling of the above exception, another exception occurred:
2025-11-28 09:21:50.791Z pdp 
2025-11-28 09:21:50.791Z pdp Traceback (most recent call last):
2025-11-28 09:21:50.791Z pdp   File "/usr/local/lib/python3.10/asyncio/tasks.py", line 456, in wait_for
2025-11-28 09:21:50.791Z pdp     return fut.result()
2025-11-28 09:21:50.791Z pdp asyncio.exceptions.CancelledError
2025-11-28 09:21:50.791Z pdp 
2025-11-28 09:21:50.791Z pdp The above exception was the direct cause of the following exception:
2025-11-28 09:21:50.791Z pdp 
2025-11-28 09:21:50.791Z pdp Traceback (most recent call last):
2025-11-28 09:21:50.791Z pdp   File "/usr/local/lib/python3.10/site-packages/opal_client/data/fetcher.py", line 75, in handle_url
2025-11-28 09:21:50.791Z pdp     response = await self._engine.handle_url(url, config=config)
2025-11-28 09:21:50.791Z pdp   File "/usr/local/lib/python3.10/site-packages/opal_common/fetcher/engine/fetching_engine.py", line 116, in handle_url
2025-11-28 09:21:50.791Z pdp     await asyncio.wait_for(wait_event.wait(), timeout)
2025-11-28 09:21:50.791Z pdp   File "/usr/local/lib/python3.10/asyncio/tasks.py", line 458, in wait_for
2025-11-28 09:21:50.791Z pdp     raise exceptions.TimeoutError() from exc
2025-11-28 09:21:50.791Z pdp asyncio.exceptions.TimeoutError
2025-11-28 09:21:50.791Z pdp 2025-11-28T09:21:50.791548+0000 | opal_client.callbacks.reporter          |ERROR  | Failed to send report to <https://opal-relay.api.permit.io/v2/pdp/callback?retry=0>, info=TimeoutError()

1. What are the exact rate limits for the Pro plan and for the Enterprise plan? 2. Are the rate limits applied per endpoint, or are they global (e.g., shared across all API calls or per IP address)? 3. Is there an overload or a bulk-insert option for relationship tuples? We already use all available bulk operations in the API (batch size 1000), but relationship can't find bulk for relationship. 4. Is it possible to temporarily increase the rate limit for our project/environment? Our mock data generation is fully synchronous (no concurrency), yet we still hit rate limits, making performance testing impossible at the moment.

Jakub Urban

11/28/2025, 3:16 PM

Hey 👋 I'm a colleague of @Míla Votradovec who's been in touch concerning TF support. First of all thanks for solving our issues 🙏 We've got further with our TF for permit.io and would actually like to start managing our production. The best way would I think be to be able to

tf import

the current production state, but that is not supported by the provider. Is there a chance this could be implemented (I'd say I'd be useful in general). Or do you have any other suggestion how to start managing existing resources?

Girija shankar

12/02/2025, 9:46 AM

We are currently performing a large-scale migration involving hundreds of thousands of accounts. This process includes tenant creation, user provisioning, and role assignment for each account. However, after processing a few hundred accounts, we begin encountering HTTP 429 (Too Many Requests) errors.

Yorrick Elzinga

12/02/2025, 2:22 PM

Hi, Is there a possibility to clone a development environment into a other(production) environment? So all roles and resources are exactly the same as in the development environement?

Utham Prabhu

12/03/2025, 6:52 AM

Hi, Quick context: We’re building a multi-module admin panel where each feature (Leaves, Projects, Attendance, WRM, etc.) has a few high-level permissions like

view

create

edit

, and

audit

. We don’t want to map all 300+ API endpoints individually inside Permit. Instead, we want Permit to manage only feature-level permissions, and then our Django backend will map API routes to those permissions internally. We also want to dynamically generate the sidebar based on the permissions Permit returns, so that each user only sees the modules they are allowed to access. One thing we need guidance on: How do we best structure resources and resource sets in Permit so that we can group permissions cleanly (ex: Leaves-related permissions → Leaves sidebar items, Projects → Project sidebar items) and also keep a clean mapping between features and the many API endpoints behind them? Basically, Permit will be the single source of truth for “feature permissions,” and Django will handle API-level mapping internally — but we want to know the neatest way to aggregate and organize these resources inside Permit so that the structure scales well.

ROMAN VAZQUEZ MACIAS

12/03/2025, 6:52 PM

What options exist for bulk uploading users to Permit.io? Each user must be assigned at least one role. Can a default RBAC role be used when uploading users?

ROMAN VAZQUEZ MACIAS

12/03/2025, 6:58 PM

Hi: Does bulk uploading incur a cost for the PRO license? Is there a way to add new users using EntraID?

ROMAN VAZQUEZ MACIAS

12/03/2025, 7:15 PM

Hi: Se puede hacer un proceso en backend que realice la carga masiva de usuarios para Google Cloud Plataform?, cuál es la forma recomendada?