# permit-saas
  • t

    Tuấn Anh

    06/04/2025, 3:36 AM
    Hi Permit team, I am fascinated to deploy Permit system completely in my private servers. But as your architecture which always needs Git-based system, so it is too wasteful and complex for us to maintain because Git system is only used for one purpose. Do you have another solution instead of Git to store policy files?
  • s

    Sibin S

    06/05/2025, 5:56 AM
    Hi Permit team, I’ve deployed the Permit.io PDP Docker image to a GCP Kubernetes cluster with 2 active pods. However, I’ve noticed that rule changes—such as updates to Rego files—are not always synced consistently across both pods. This leads to inconsistencies in policy evaluation within my application. Additionally, there appears to be a delay in syncing new rules from Permit.io to the PDP instances. What can be done to resolve these issues and ensure timely and consistent synchronization?
  • j

    Jon Erdman

    06/09/2025, 2:00 PM
    Congrats on the new PDP release! We are excited to give it a try. I have a couple questions:
    1. Is it backwards compatible with the previous version's python client libraries or do I need to upgrade both at the same time?
    2. On Redis integration
       a. Does it support connecting to a Redis with SSL enabled and/or Redis AUTH?
       b. Is it possible to set different TTLs for positive and negative results? I would ideally like to have it check more frequently on failures and cache those positives for longer.
  • l

    Lewis Youl

    06/09/2025, 3:19 PM
    For the `/user-permissions` endpoint on the PDP, is there a maximum number of instances/records that can be returned? If not, how does it handle very large amounts of data? Your permit prisma plugin maps over the returned objects and essentially appends the ids to the where clause, scoping the request to only the instances that someone should be able to see. I would like to take this approach in our application if possible but would like to get an idea of how this is likely to perform if there are very large amounts of data (tens to hundreds of thousands of records).
  • m

    Manish Kumar

    06/10/2025, 4:54 AM
    Hi Permit Team, I am trying to use the FoAz feature of permit.io. I have configured the FoAz Proxy by following this documentation: https://docs.permit.io/foaz/detailed-guide. But when I try calling this from my front-end code, it ends with a 404 error. This is the curl request:
    ```sh
    curl 'https://proxy.api.permit.io/proxy/86abc5c3314842c480f845f8575c92a9?url=https://randomuser.me/api/' \
      -H 'accept: application/json, text/plain, */*' \
      -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
      -H 'content-type: application/json' \
      -H 'origin: http://localhost:4200' \
      -H 'priority: u=1, i' \
      -H 'referer: http://localhost:4200/' \
      -H 'sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"' \
      -H 'sec-ch-ua-mobile: ?0' \
      -H 'sec-ch-ua-platform: "macOS"' \
      -H 'sec-fetch-dest: empty' \
      -H 'sec-fetch-mode: cors' \
      -H 'sec-fetch-site: cross-site' \
      -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36' \
      -H 'x-permit-example: example'
    ```
    For this request I am getting a 404 with this error:
    ```json
    {
      "detail": "Proxy rule not found, consider checking your 'URL' parameter and the request method, or adding a new mapping rule. Hint: pay attention to the trailing slash, or lack thereof."
    }
    ```
    This is my Angular UI code:
    ```typescript
    this.http.get('https://proxy.api.permit.io/proxy/86abc5c3314842c480f845f8575c92a9?url=https://randomuser.me/api/', {
      headers: {
        'Content-Type': 'application/json',
        'x-permit-example': 'example'
      }
    }).subscribe({
      next: (response: any) => {
        console.log('Response from Permit Proxy:', response);
      },
      error: (error: any) => {
        console.error('Error from Permit Proxy:', error);
      }
    });
    ```
    Could you help me figure out what I am doing wrong?
  • h

    Himanshu Gupta

    06/10/2025, 7:10 AM
    Hello @Omer Zuarets, for the activity API, the `timestamp_from` request param gets results considering the `timestamp_from` value as inclusive, and the value that we pass here is epoch seconds. We are syncing this data at some frequency for reporting purposes, at an incremental level, considering the last sync time as `timestamp_from` for the next API request. Doing this will repeat results. We are thinking of making the next API request by doing last_sync_time + 1 second; is this fine? It would be fine if you are storing the activity data at seconds level; otherwise there might be a possibility that some records would be lost.
  • m

    Manish Kumar

    06/11/2025, 5:14 AM
    Hi @GreetBot / @Daniel Bass, do we have any API to register a user on the permit.io portal? I tried finding an API in this documentation https://api.permit.io/v2/redoc, but I am not able to find one.
  • l

    Lech Twaróg

    06/11/2025, 12:28 PM
    Hey Permit Team, I'm considering using Permit to design the authorization model for our multi-tenant SaaS application, and I’d love your advice on a specific scenario we're working through.

    Our Architecture
    • Multi-Tenancy: Each organization is a tenant, with support for hierarchical structures via the `path` attribute (e.g., `/parent/child/...`).
    • Modules & Resources: The app is composed of modules (e.g., `m1`, `m2`), each containing resources (e.g., `r1`, `r2`). Standard actions apply (e.g., `read`, `write`).
    • Tenant-Specific Entitlements: A key requirement is that each tenant has a predefined set of entitlements—modules and resources available to them, typically determined by their subscription plan.
    • Example:
      ◦ Tenant A is licensed for `m1` (read/write) and `m2` (read)
      ◦ Tenant B has access to all modules

    Our Main Challenge
    We want to enable Tenant Admins to manage permissions for users within their tenant, but only within the scope of their entitlements, which are defined by a Super Admin.

    Example Scenario
    • The system grants Tenant A access to modules `m1` and `m2` only.
    • The Admin of Tenant A wants to:
      ◦ Grant a user read access to resources in `m1`
      ◦ Grant read/write access to resources in `m2`
    • The Admin should not be able to:
      ◦ View or assign permissions related to `m3`, since it’s outside Tenant A’s entitlements.

    Our Questions
    1. What’s the best practice for modeling a tenant’s entitlements in Permit?
    2. How can we use these entitlements to constrain what a Tenant Admin can see and assign?
    3. Specifically: how can we enforce that an Admin can only grant permissions on resources if their parent tenant is entitled to the resource’s module?

    Any guidance, examples, or references would be greatly appreciated! Thanks so much,
  • s

    Sibin S

    06/12/2025, 5:23 AM
    Hi Permit Team, I am facing one issue with the latest PDP version (0.9.0) when deployed in GCP Kubernetes. The PDP keeps restarting after several health check failures. It seems OPA is not running. When I use version 0.8.0 the PDP works fine.
  • h

    Himanshu Gupta

    06/12/2025, 3:47 PM
    @Or Weis we are getting this when trying to get roles from permit.io, please help in this regard. Treat this as SEV-1
    ```
    You did nothing wrong, but we could not finish your request due to a technical issue on our end. Please try again.
    ```
  • a

    Ash

    06/13/2025, 12:56 AM
    @here I can't log in to permit.io. It looks like it is down.
  • n

    Neelesh Shastry

    06/16/2025, 10:01 PM
    Hello, Is there a channel to ask pricing questions?
  • r

    Rodrigo Mayer

    06/16/2025, 11:27 PM
    Hello, team! I need to listen to Role Assignment changes. Does Permit provide webhooks for this? I see there’s this one, but it seems related to Permit Elements only: https://docs.permit.io/embeddable-uis/webhooks/#user-management---assign-role-to-user Thanks in advance.
  • y

    Yilmaz Alizadeh

    06/17/2025, 2:08 PM
    Are there any documented minimum system requirements for the new PDP? I recently upgraded to version 0.9.0 on our Northflank dev environment, and encountered an issue where OPA failed to start, showing health check errors. After some troubleshooting, I found that increasing the instance size from 1GB to 2GB of memory resolved the issue. However, reverting back to 1GB causes the failure to return. Based on messages from others, it seems this could be a common point of confusion for teams upgrading to the newer PDP. That said, I did want to mention that I found the new version noticeably faster when testing locally—great work on that! It would be really helpful to have guidance on recommended instance sizes and resource requirements, especially as we plan for scaling. Thanks
  • m

    Maxime Leduc

    06/17/2025, 4:57 PM
    Hi, I’m looking for guidance on how to handle a specific use case with Permit. Our platform is used in agriculture, where farms are tenants. Each farm has users with different roles and permissions (Owner, Agronomist, Employee). We’re now adding a marketplace feature where forage analysis laboratories (feed labs) can offer their services. These labs will become a new type of tenant, with their own users (owners and employees).

    Here's the situation we need to support:
    • Lab users (owners/employees) must be able to submit forage samples in two ways:
      a. Directly by the farm: the farm owner or employee completes the form and the Stripe Connect checkout process.
      b. On behalf of the farm: if the farm drops off a sample without completing the form online, a *lab employee* fills out the form and completes the payment using the farm’s saved Stripe credit card.
    • Lab owners already have the ability to complete invoice payments directly through the Stripe portal.

    The main challenge: We do not want to grant lab users access to all farm data by default.

    What we’d like:
    • When a farm begins working with a lab, the lab tenant would be granted scoped access to that specific farm tenant.
    • Permissions for lab users would automatically apply only to farms they are actively working with, without having to manually assign farm-level permissions to each lab employee.

    What’s the best way to model this in Permit? I’d like to configure tenants and roles in a way that keeps access scoped, secure, and easy to manage. Thanks!
  • m

    Manish Kumar

    06/18/2025, 5:16 AM
    Hi Permit Team/ @Or Weis, I’m planning to host a PDP instance on my Azure App Service, but I couldn’t find any reference documentation for this setup. Could you please guide me through the necessary steps to deploy PDP on Azure App Service?
  • p

    Pedro Miguel Díaz Peña

    06/18/2025, 7:11 AM
    Hi! I'm working on a POC for Multi-tenancy and *ReBAC (Role-based Access Control)* and something curious is happening to me.
  • p

    Pedro Miguel Díaz Peña

    06/18/2025, 7:12 AM
    Permit.io Multi-Tenancy & ReBAC Challenge

    Initial Situation: I'm developing an API with FastAPI. I have two tenants, "contoso" and "security-context". Within these tenants, I have a resource type called "project" and another resource type called "tenant". A "tenant" resource is the parent of a "project" resource. I've defined a ReBAC role "tenant#Admin" at the "tenant" resource type level, and a "project#Admin" role at the "project" resource type level. I have a role derivation defined as: "tenant#admin derives into project#admin when the tenant resource is a parent of the project resource." Finally, I've defined a "createfinding" action assigned to the "tenant#admin" role.

    On the other hand, I have a user `pedro@pedromigueldiaz.tech` in the `security-context` Permit.io tenant who has the "tenant#admin" role for the resource `tenant:0ef0e8ac-9068-4edd-a94b-b2b882f9d47b`. This same user also exists in the `contoso` Permit.io tenant and is assigned "tenant#admin" for the resource `e968e890-6bd8-4133-85e3-57d266ea3940`. Furthermore, I have a project resource `project:2726719d-93e6-4f34-8d8b-c92b2f361866` that has a relationship with `tenant:e968e890-6bd8-4133-85e3-57d266ea3940` in the `contoso` Permit.io tenant. I also have another project resource `project:f733d978-0917-4beb-9016-2796daeb2c9f` that has a relationship with `tenant:0ef0e8ac-9068-4edd-a94b-b2b882f9d47b` in the `security-context` Permit.io tenant.

    The Curious Observation: What I'm observing is that when I make the following `permit.check` call:
    ```python
    allowed = await permit.check(
        user={
            "key": "pedro@pedromigueldiaz.tech"
        },
        action="createfinding",
        resource={
            "type": "project",
            "key": "f733d978-0917-4beb-9016-2796daeb2c9f",
            "tenant": "e968e890-6bd8-4133-85e3-57d266ea3940"
        },
        context=context or {}
    )
    ```
    It returns `allow`. However, that `project:f733d978-0917-4beb-9016-2796daeb2c9f` does not exist as a resource related to `tenant:e968e890-6bd8-4133-85e3-57d266ea3940` in the `contoso` tenant. What I see in the logs is that since `tenant#admin:0ef0e8ac-9068-4edd-a94b-b2b882f9d47b` exists, and that resource has a relationship with `project:f733d978-0917-4beb-9016-2796daeb2c9f` in the `security-context` tenant, the `allow` is granted based on that relationship. It's as if the policy doesn't take into account the `"tenant": "e968e890-6bd8-4133-85e3-57d266ea3940"` value within the resource object in `permit.check()`. My understanding is that this is how I should indicate that I want to check the policy for the user `pedro@pedromigueldiaz.tech` but within the `contoso` tenant. I hope the problem is clear. Thank you very much!
  • m

    Manuel Lara

    06/20/2025, 11:34 PM
    Hi, I paid but my account still says free plan
  • t

    Taiyan Hao

    06/23/2025, 4:15 AM
    Hi team, currently exploring permit.io for our authorization solution, and we've got several questions: We’re using FastAPI + PostgreSQL and need row-level SQL push-down for large `GET _list/entities`-style lists, with revocations visible in ≈ 1 s. Could you clarify:
    1. Partial-eval SQL status
       ◦ Planned GA date / version?
       ◦ Will the output SQL format be stable post-GA?
    2. Best path today
       ◦ Stick with `getUserPermissions` → temp-table JOIN, or
       ◦ Use OPA `/v1/compile` AST + our own AST→SQL until GA?
    3. Freshness
       ◦ Does the PDP re-generate the SQL predicate every request, or is there a cache/TTL we should tune?
    4. Reference code
       ◦ Any public Python example showing current partial eval → SQL?
    5. Analytics / BI
       ◦ Recommended pattern for auth-aware long-running queries (materialized views, snapshots, etc.)?
    Thanks!
  • m

    Manish Kumar

    06/24/2025, 6:42 AM
    Hey Permit team/@Or Weis We currently use the `check()` method for authorization check by passing the user, action, and resource directly. Is there also a way to pass a JWT token that includes this information, so the PDP can extract it and return the appropriate response?
  • j

    Jack Muller

    06/24/2025, 7:23 PM
    Is anyone able to check out some errors I'm seeing when using terraform to create resources in a new environment? I'm creating 55 permit resources including relations, and role_derivations. The issue is that on an initial `terraform apply` a few of the role_derivations inconsistently error out with no issues logged on the terraform side. When I run `terraform plan` I can see that the failed role_derivations are slated to be created. When I run `terraform apply` a second time it successfully creates the role_derivations that errored out initially. I'm hoping there are some clearer errors in the permit log side of things. This is a blocker from going live with permit in production. Other than this terraform with permit has been fantastic.
    Workspace: FabuBlox
    Project: default
    Environment: staging
  • j

    Jack Muller

    06/24/2025, 8:28 PM
    What is permit's recommendation for setting up testing during a CI/CD pipeline for ReBAC?
  • o

    Or Weis

    06/25/2025, 12:57 PM
    set the channel topic: Questions about the Permit.io SAAS (all forms: cloud, on-prem, hybrid)
  • m

    Manish Kumar

    06/26/2025, 6:42 AM
    Hi @Or Weis (Permit.io) / team, I'm currently running the PDP locally using the environment key with the following command:
    ```sh
    docker run \
      -e PDP_API_KEY=your_environment_key \
      -e OPAL_SPLIT_ROOT_DATA=1 \
      -p 7766:7000 \
      -p 8181:8181 \
      permitio/pdp-v2:latest
    ```
    Is it possible to run the PDP using an organization key instead of the environment key? If so, how should the command be modified?
  • n

    Neelesh Shastry

    06/26/2025, 4:49 PM
    Hello everyone, is there a postgresql extension that allows applying ABAC to database tables/columns/rows?
  • c

    Christie Molloy

    06/30/2025, 4:28 PM
    Hello, I have a question RE: SSO Pricing for Permit. Is it possible to know the cost for logging into Permit via SSO? Kind regards
  • m

    martink

    07/01/2025, 11:50 PM
    Permit PDP - support multiple projects and environments

    I want to use a PDP (or a set of PDP behind a load balancer) to support multiple projects and environments.
    1. For this when I setup PDP, do I set it up with Org key?
    2. When clients call PDP for permit.check do they use respective env key?
  • m

    martink

    07/02/2025, 2:10 AM
    Multitenancy in Permit.io for B2B use case.

    I have some challenges which I am hoping I can have someone from permit shed some light on. Here is my use case:

    We will have a B2B Web Application which will be used by various B2B customers (10 to start off with and will grow into 100 as we grow). Each B2B customer will have a selected few individuals who should be able to manage the RBAC, so that those individuals can edit RBAC assignment for their individual users. I will be using Azure AD B2B API connector with signup flow to create B2B users into permit.io. But this is not relevant at this time. Let's just say the user will be created in permit using an API call to permit.

    I have 2 issues/challenges I see with permit's concept of multi-tenancy: I create a project and an environment prod. Under prod I have 2 tenants (fabrikam and contoso).

    issue #1
    1. I use permit api to add a user to tenant (or UI) to fabrikam. Yes it works. The user gets added to tenant fabrikam. So far so good.
    step 1: The user just got added to the tenant with no role assigned. (see screenshot)
    step 2: Now the user is assigned viewer role. (see screenshot)
    step 3: Let's say the user is removed from that role. The user is still part of fabrikam tenant, just that the user doesn't have a role. However once the role is removed the user gets unassigned from fabrikam tenant. It goes into an unassigned tenant state (see screenshot). That is, if I look under fabrikam tenant the user is not there. If I look under

    This is not quite what I would expect. Because a user can be assigned a role or not assigned a role. But if a user is assigned to a tenant, that user should be tagged to that tenant regardless of whether the user has a role in that tenant or not.

    issue #2
    I will post this as a new question since they are both related to multitenancy but different questions