# permit-saas
  • v

    Venkat

    04/16/2025, 12:47 PM
    @Venkat has left the channel
  • j

    Jack Muller

    04/16/2025, 8:51 PM
    Can anyone help me resolve an environment specific issue that I'm having? If I try to create a condition set in my dev environment everything works fine. I have a script that creates a temp environment before copying it over to dev and when I do the exact same request to create it in that environment it fails. My curl request:
    curl --request POST \
      --url https://api.permit.io/v2/schema/default/temp-dev-kemo1x/condition_sets \
      --header 'Authorization: Bearer <envApiToken>' \
      --header 'Content-Type: application/json' \
      --data '{
    	"key": "own_or_public_process",
    	"name": "Own or Public Process",
    	"description": "Processes owned by the user or marked as public",
    	"resource_id": "process",
    	"type": "resourceset",
    	"conditions": {
    		"anyOf": [
    			{
    				"resource.isPrivate": {
    					"equals": false
    				}
    			},
    			{
    				"resource.userId": {
    					"equals": {
    						"ref": "user.key"
    					}
    				}
    			},
    			{
    				"resource.additionalOwners": {
    					"array_contains": {
    						"ref": "user.key"
    					}
    				}
    			}
    		]
    	}
    }'
    Here's the response
    {
      "id": "25a6eb8d1db74f1caa89c2ed34633e61",
      "title": "The request could not be completed",
      "error_code": "UNEXPECTED_ERROR",
      "message": "You did nothing wrong, but we could not finish your request due to a technical issue on our end. Please try again.\nIf the issue keeps happening, contact our support on Slack for further guidance."
    }
    My audit logs are also showing up delayed like 45 minutes when before they were showing up instantly which was incredibly useful for debugging and demoing to customers.
  • c

    Chris Barlow

    04/17/2025, 9:29 AM
    Hey, I'm trying to run the Permit container on Fargate behind an ALB with HTTP/2. I get error logs as per:
    uvicorn.protocols.http.httptools_impl |WARNING | Invalid HTTP request received.
    It works with HTTP/1.1. Is there support for HTTP/2 and/or is it planned?
  • a

    Abinand P

    04/20/2025, 4:08 PM
    @Ask Inkeep how can we get proj_id and env_id and role_id to call an api
  • j

    Jay Kumar

    04/20/2025, 5:24 PM
    @Ask Inkeep Do you know what went wrong here
    C:\nvm\node\npm.cmd run run
    
    > help-permissions@1.0.0 run
    > node test.cjs
    
    {"level":50,"time":"2025-04-20T17:21:10.797Z","label":"Permit.io","msg":"[422] Error in permit.check({\"key\":\"generated_user\",\"attributes\":{\"department\":\"Engineering\",\"training_status\":\"certified\"}}, view, default/undefined:premium_document), err: {\"detail\":[{\"loc\":[\"body\",\"resource\",\"type\"],\"msg\":\"field required\",\"type\":\"value_error.missing\"}],\"body\":{\"user\":{\"key\":\"generated_user\",\"attributes\":{\"department\":\"Engineering\",\"training_status\":\"certified\"}},\"action\":\"view\",\"resource\":{\"key\":\"premium_document\",\"attributes\":{\"document_type\":\"classified\",\"priority_level\":\"high\"},\"tenant\":\"default\"},\"context\":{}}}"}
    D:\Jay\Algora\help-permissions\node_modules\permitio\build\main\enforcement\enforcer.js:288
                throw new PermitConnectionError(`Permit SDK got error: \n ${error.message} \n
                      ^
    
    PermitConnectionError: Permit SDK got error: 
     Request failed with status code 422 
    
              and cannot connect to the PDP, please check your configuration and make sure the PDP is running at https://cloudpdp.api.permit.io and accepting requests. 
    
              Read more about setting up the PDP at https://docs.permit.io
        at D:\Jay\Algora\help-permissions\node_modules\permitio\build\main\enforcement\enforcer.js:288:19
        at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
        at async Enforcer.checkWithExceptions (D:\Jay\Algora\help-permissions\node_modules\permitio\build\main\enforcement\enforcer.js:259:16)
        at async Enforcer.check (D:\Jay\Algora\help-permissions\node_modules\permitio\build\main\enforcement\enforcer.js:237:16)
        at async Permit.check (D:\Jay\Algora\help-permissions\node_modules\permitio\build\main\index.js:108:16)
        at async D:\Jay\Algora\help-permissions\test.cjs:50:23
    
    Node.js v22.14.0
    const {Permit} = require('permitio');
    
    const permit = new Permit({
        pdp: 'https://cloudpdp.api.permit.io',
        token: 'permit_key_txxxx',
        // token: 'permit_key_xxxx',
    });
    const user = {
        key: 'generated_user',
        attributes: {
            department: 'Engineering',
            training_status: 'certified'
        }
    };
    const action = "view";
    
    const resource = {
        key: 'premium_document',
        attributes: {
            document_type: 'classified',
            priority_level: 'high'
        }
    };
    
    (async () => {
        const permitted = await permit.check(user, action, resource);
    
        // Log the keys: interpolating the objects themselves prints "[object Object]"
        if (permitted) {
            console.log(`${user.key} is PERMITTED to '${action}' ${resource.key}!`);
        } else {
            console.log(`${user.key} is NOT PERMITTED to '${action}' ${resource.key}!`);
        }
    })();
  • v

    Vivek Garg

    04/20/2025, 7:47 PM
    I am seeing a lot of context deadline exceeded on Get User and Get Attributes like calls or assigning a role resource. Everything is running locally! I am not setting a deadline on the context object I am passing to it. Ideas?
    {"time":"2025-04-20T12:43:33.605155-07:00","level":"ERROR","msg":"serverError","error":{"error":"failed to assign role in Permit.io: Post \"http://localhost:7766/v2/facts/f45912930a77419cb908cf7ee649b46d/2bf09a0624414c208eaf033b8e8e368c/users/3@gmail.com/roles\": context deadline exceeded","trace":"goroutine 498 [running]:\nruntime/debug.Stack()\n\t/opt/homebrew/Cellar/go/1.24.1/libexec/src/runtime/debug/stack.go:26 +0x64\nmain.(*application).serverError(0x1400042c060, {0x1065b3010, 0x14000303080}, 0x14000809680, {0x1065a88c0, 0x140003d6000})\n\t/Users/vg/git/caseguild/TenantServer/cmd/tenantservice/errors.go:19 +0x3c\nmain.(*application).removeUserFromProject(0x1400042c060, {0x1065b3010, 0x14000303080}, 0x14000809680)\n\t/Users/vg/git/caseguild/TenantServer/cmd/tenantservice/handleaccess.go:192 +0x4cc\nnet/http.HandlerFunc.ServeHTTP(0x140002cf710, {0x1065b3010, 0x14000303080}, 0x14000809680)\n\t/opt/homebrew/Cellar/go/1.24.1/libexec/src/net
  • s

    Slackbot

    04/22/2025, 1:22 PM
    This message was deleted.
  • a

    Arsene Hakobian

    04/23/2025, 10:28 AM
    Hi everyone, I have my SMTP configured but it says that it is incorrect. I have done the same thing in auth0 and it works there. I am trying to connect SES. Here is the id of the response: dc300f79190b405dac3125988c473d43
  • a

    Arsene Hakobian

    04/23/2025, 3:25 PM
    I am creating my own user management UI element, can someone tell me will permit.io send the invitation message if I make a post request to /user_invites?
  • j

    jbolanosg

    04/23/2025, 6:01 PM
    At my company, we're currently defining a decoupled authorization platform for new projects, aiming to move away from the practice of implementing authorization directly in the code. One of the options we are evaluating is using the Permit.io UI (control plane) with policies stored in a Git repository, along with OPAL Server + Cedar Agent as the PDP. While reviewing the available documentation, I have the following questions for the Permit.io team:
    1. Is the Cedar Agent ready for production use?
    2. Are there any known clients currently using it in production? Any additional recommendations for production deployments?
    3. The Cedar Agent project on GitHub hasn't been updated in over 6 months—it seems outdated. Does it incorporate updates from AWS Cedar (library and language)?
    4. Has the integration between OPAL Server and Cedar Agent been tested and validated?
    5. How can I configure the Permit.io portal to generate policies in Git using AWS Cedar instead of Rego?
    6. Could you share a Git repository with Cedar policies implementing a multi-tenant schema?
    To be honest, we’re not very fond of Rego as a policy language, which is why we’re leaning toward AWS Cedar with Permit.io—provided the stack is production-ready. We would greatly appreciate it if someone from the Permit.io team could help shed some light on each of these questions.
  • j

    Jackson Myers

    04/28/2025, 3:08 PM
    Hey! For the search functionality in the directory, the search doesn't allow me to search/filter based on the content of the instance.
    e.g: resource type: "process" Instance: "27567d01-c4e6-4bed-a5c5-84cdea5a9253"
    If I search
    27567d01-c4e6-4bed-a5c5-84cdea5a925
    The resource doesn't appear. Would love to see this functionality implemented, thanks!
  • j

    Jack Muller

    04/28/2025, 4:11 PM
    Hoping someone can help me understand why certain condition_set rules are not being evaluated for my abac policy. This is the relevant section of the audit log entry denying the action. It seems that it is only evaluating the auto generated resource sets. However, in the policy editor UI I can see that I have custom resource sets defined for the fabu_user role. In my rego code I can also see the rule set is defined. My main question is how does the PDP decide what is a "matching_resourceset"? Debugging this is made harder because when I click Edit Resource Set in the UI I get a "Sorry something went wrong" page.
    "no_matching_rules",
          "matching_resourcesets": [
            "__autogen_fabu_user",
            "__autogen_process"
          ],
          "matching_usersets": [
            "__autogen_fabu_user",
            "__autogen_process"
          ]
  • c

    Craig Haseler

    04/28/2025, 8:31 PM
    hey guys, did something change in the getUserPermissions function in the last day or so? It now no longer seems to return resources where the permission is inherited via rebac from a parent - it's just showing directly assigned ones. This is breaking our production application.
  • p

    Patrick Hartmann

    04/29/2025, 9:56 AM
    Hey, hope y'all had a great day so far. I'd like to use the local PDP container, but I can't find an option to create a read-only API key, as I'd like to prevent possible policy administration by anyone who is aware of the key. Is this scenario somehow supported?
  • g

    Ganesh Jadhav

    04/29/2025, 1:21 PM
    Hi guys, I am working on a Rails app and wanted to integrate Permit.io. So I followed the instructions present in the doc. So, Permit.io's SDKs help you to interact with the Permit.io API. So I followed the following steps:
    1. gem install 'permit-sdk'
    2. Then tried to import the SDK: require 'permit-sdk'
    3. It throws the following error: cannot load such file -- permit-sdk (LoadError)
    We would greatly appreciate it if someone from the Permit.io team could help.
  • v

    Vivek Garg

    04/30/2025, 12:41 AM
    Seems like it returns a false (permitClient.BulkCheck(checkRequests...) vs true (permitClient.Check) ?? Does bulk check not look at ABAC correctly? Using GO SDK.
  • a

    Adrian Green

    04/30/2025, 6:36 PM
    Hello team. When listing users and we want to search by instance roles with the nodejs sdk, is this not correct?
    const foo = await permit.api.users.list({ role: 'tenant:11030c3c-7a13-4ccb-b308-997a3d8f9f5d#admin' })
  • e

    Emi Opaluwa

    05/01/2025, 11:52 AM
    Hello, please, I need some help here. I'd like to create my first PDP, but I've checked everywhere and I can't find a button to create one even after clicking everywhere. Also, here I'd like to access and manage Rego code through the Policy Editor but for some reason, I am currently in read-only mode for the visual Policy Editor and can't access, view or edit the Rego code
  • m

    mathieu hamel

    05/01/2025, 1:59 PM
    Hi! I have two projects that I need to delete, but I'm unable to do so. I've tried with the API and with the GUI, and nothing works. I get a 500 error no matter which way I try. I want to delete the projects "testdelegation" and "pocproject". Can you help?
  • k

    kevin heidt

    05/02/2025, 7:18 PM
    Hello, I was wondering if I could get some help. I have a resource called vehicle that has 3 ABAC Option attributes: vin (string), owner_id (string), fleet_id (string). Then in my users I have a user vehicle-owner-1 that has the following metadata attributes:
    {
      "id": "vehicle-owner-1",
      "vehicles": [
        "VIN123456789",
        "VIN987654321"
      ]
    }
    Under settings, in User Attributes, I've added vehicles as Array<string>. I'm trying to send a request to /allowed that would pass in a JIT attribute of the VIN being requested, and I want to have a rule that only allows the user to access the vehicle if the JIT VIN is one of the ones in their vehicles array. Can I get some guidance on how to accomplish this? Thanks
  • s

    Sam Jakos

    05/02/2025, 8:49 PM
    @Thomas Continuing the question about ReBAC. I read through the blog articles around AuthZ architecture, but was trying to map out how to handle tying multiple User identities together for the purpose of tracking actions in the audit log. The goal is to track actions and correlate them to an actor across multiple User identities, say an OIDC subject and a separate opaque API token we want to perform checks on.
  • j

    Jay Kumar

    05/05/2025, 1:39 PM
    feature-request: search box for environment
  • r

    Robin Simard

    05/05/2025, 4:14 PM
    Hi, regarding ticket PER-11356: "Fix elements to work with Safari (and maybe Chrome private browsing as well)", the issue persists in versions 0.5.2 and 0.5.4 of @permitio/permit-js. Should it be working already, or do you plan to address this with this feature request? Thanks!
  • j

    Jack Muller

    05/05/2025, 5:11 PM
    Can anyone on the permit team share how common it is to use the Permit Terraform provider? I think it is a more natural fit than what I'm currently doing with a mix of the nodejs sdk and the api to manage my schema.
  • t

    Taofiq Aiyelabegan

    05/08/2025, 7:07 AM
    @Ask Inkeep does filterObjects method exist on the NodeJS SDK?
  • s

    Slackbot

    05/08/2025, 8:12 AM
    This message was deleted.
  • f

    Fabian Dios Rodas

    05/08/2025, 8:16 AM
    Hey! We have hosted the PDP on AWS ECS with fargate and we have an ALB in front of it. We have some services that are triggering some polling, then we may receive a big number of requests per second. Does the pdp have any sort of builtin cache that we can enable somehow? Thanks in advance!
  • a

    Arsene Hakobian

    05/08/2025, 10:47 AM
    Hi everyone, I'm having some issue of getting user_permissions on a specific resource. Here is my case: I have a resource called Company that has 2 roles - admin and viewer. Also there is a resource called Branch with admin role. There are 2 relationships between them - Company -> parent -> Branch and Branch -> child -> Company. Also Company#admin derives Branch#admin but Branch#admin derives Company#viewer. When I make a request to get user permitted resources of Branch (the user is an admin of a Company and it has a Branch) the branch is not in the response because of the child relation. Why and what can I do to solve this?
  • a

    Adrian Green

    05/08/2025, 7:35 PM
    Hello! Trying to see if I'm missing a PDP config to run the container on HTTPS. The latest version has internal checks at http://localhost:8181/v1/data/permit/rebac/cache_rebuild that would fail when running in https. The new 0.9.0-rc-1 version has an internal python3 health check at port 7001 that fails when running in https.
  • c

    Catalin Tomescu

    05/08/2025, 8:30 PM
    Hello. I've setup Okta integration per this doc https://docs.permit.io/integrations/scim/okta/ Users and Groups were synced to Permit but NOT User Attributes. I included below a screen shot with my Attribute mapping in Okta. Anybody ran into this issue or knows how to fix it?