POST /v1/tenants/{tenant_id}/permissions/lookup-entity

// Ask which documents user:1 can edit in tenant t1.
cr, err := client.Permission.LookupEntity(context.Background(), &v1.PermissionLookupEntityRequest{
    TenantId: "t1",
    Metadata: &v1.PermissionLookupEntityRequestMetadata{
        SnapToken:     "",
        SchemaVersion: "",
        Depth:         20,
    },
    EntityType: "document",
    Permission: "edit",
    Subject: &v1.Subject{
        Type: "user",
        Id:   "1",
    },
})

{
  "entity_ids": [
    "<string>"
  ]
}

The Lookup Entity endpoint lets you ask questions in the form of “Which resources can user:X do action Y?”. In response, you’ll get the entity results either as a string array or as a streaming response, depending on the endpoint you’re using.

So, we provide 2 separate endpoints for data filtering check request,

This endpoint returns the IDs of the authorized entities directly, in an array.

How Lookup Operations Are Evaluated

We explicitly designed reverse lookup to be more performant by changing its evaluation pattern. We do not query all the documents in bulk to get a response. Instead, Permify first finds the necessary relations for the given subject and the permission/action in the API call, then queries these relations with the subject ID. This way we avoid a lot of additional queries.

To give an example,

entity user {}

entity organization {
		relation admin @user
}

entity container {
		relation parent @organization
		relation container_admin @user
		action admin = parent.admin or container_admin
}
	
entity document {
		relation container @container
		relation viewer @user
		relation owner @user
		action view = viewer or owner or container.admin
}

Let's say we call the (reverse) lookup API to find the documents that user:1 can view. Permify first finds the relations that are linked with the view action; these are:

  • document#viewer
  • document#owner
  • organization#admin
  • container#container_admin

Then queries each of them with user:1.
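
A simplified model of this evaluation for the schema above, added here as an illustration and not Permify's own implementation. The `actions`, `relTarget` and `tuples` tables and the `Lookup` function are hypothetical names with constructed data; only `or` is modelled, and an ID can repeat when several paths grant access.

```go
package main

import "fmt"

// Constructed model of the page's schema ("or" only): {walked relation or "", permission}.
var actions = map[string][][2]string{
	"container#admin": {{"parent", "admin"}, {"", "container_admin"}},
	"document#view":   {{"", "viewer"}, {"", "owner"}, {"container", "admin"}},
}

// Entity type that each walked relation points to.
var relTarget = map[string]string{"document#container": "container", "container#parent": "organization"}

// Constructed tuples, indexed entity#relation -> subject -> entity ids.
var tuples = map[string]map[string][]string{
	"document#viewer":           {"user:1": {"1"}},
	"document#owner":            {"user:2": {"2"}},
	"organization#admin":        {"user:1": {"1"}},
	"container#parent":          {"organization:1": {"1"}},
	"container#container_admin": {"user:3": {"2"}},
	"document#container":        {"container:1": {"3"}, "container:2": {"4"}},
}

// Lookup returns ids of entity on which subject holds perm (repeats possible)
// and appends to leaves every relation it queried with the subject itself.
func Lookup(entity, perm, subject string, leaves *[]string) []string {
	key := entity + "#" + perm
	ops, isAction := actions[key]
	if !isAction { // plain relation: one indexed query by subject
		*leaves = append(*leaves, key)
		return tuples[key][subject]
	}
	var ids []string
	for _, op := range ops {
		if op[0] == "" { // direct operand on the same entity
			ids = append(ids, Lookup(entity, op[1], subject, leaves)...)
			continue
		}
		parent := relTarget[entity+"#"+op[0]]
		for _, pid := range Lookup(parent, op[1], subject, leaves) {
			ids = append(ids, tuples[entity+"#"+op[0]][parent+":"+pid]...)
		}
	}
	return ids
}

func main() {
	var leaves []string
	fmt.Println(Lookup("document", "view", "user:1", &leaves), leaves)
}
```

For user:1 the subject is queried against the four relations listed above, and the documents are reached only by walking back from matching tuples, never by scanning every document.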

Path Parameters

tenant_id
string
required

Identifier of the tenant. If you are not using multi-tenancy (have only one tenant), use the pre-inserted tenant t1 for this field. Required, and must match the pattern "[a-zA-Z0-9-,]+", max 64 bytes.

Body

application/json
metadata
object

PermissionLookupEntityRequestMetadata metadata for the PermissionLookupEntityRequest.

entity_type
string

Type of the entity to look up. Required, must start with a letter and can include alphanumeric characters and underscores, max 64 bytes.

permission
string

Name of the permission to check. Required, must start with a letter and can include alphanumeric characters and underscores, max 64 bytes.

subject
object

Subject represents an entity subject with a type, an identifier, and a relation.

context
object

Context encapsulates the information related to a single operation, including the tuples involved and the associated attributes.

Response

200 - application/json
entity_ids
string[]

List of identifiers for entities that match the lookup.