POST /v1/tenants/{tenant_id}/permissions/lookup-entity
// Go client: look up the IDs of the documents that user:1 can edit.
cr, err := client.Permission.LookupEntity(context.Background(), &v1.PermissionLookupEntityRequest{
    TenantId: "t1",
    Metadata: &v1.PermissionLookupEntityRequestMetadata{
        SnapToken:     "",
        SchemaVersion: "",
        Depth:         20,
    },
    EntityType: "document",
    Permission: "edit",
    Subject: &v1.Subject{
        Type: "user",
        Id:   "1",
    },
    PageSize:        20,
    ContinuousToken: "",
})
{
  "entity_ids": [
    "<string>"
  ],
  "continuous_token": "<string>"
}

The Lookup Entity endpoint lets you ask questions in the form of "Which resources can user:X do action Y on?". In response, you get the entity results either as a string array or as a streaming response, depending on the endpoint you're using.

We provide 2 separate endpoints for data filtering check requests.

With this endpoint, you get the IDs of the authorized entities directly, in an array.

How Lookup Operations Are Evaluated

We explicitly designed reverse lookup to be more performant by changing its evaluation pattern. Permify does not query all the documents in bulk to build the response. Instead, it first finds the necessary relations for the given subject and the permission/action in the API call, then queries these relations with the subject ID. This avoids a lot of additional queries.

To give an example,

entity user {}

entity organization {
    relation admin @user
}

entity container {
    relation parent @organization
    relation container_admin @user
    action admin = parent.admin or container_admin
}

entity document {
    relation container @container
    relation viewer @user
    relation owner @user
    action view = viewer or owner or container.admin
}

Let's say we called the (reverse) lookup API to find the documents that user:1 can view. Permify first finds the relations linked with the view action. These are:

  • document#viewer
  • document#owner
  • organization#admin
  • container#container_admin

Then queries each of them with user:1.
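The evaluation described above can be sketched as follows. This is an added example, not Permify's own code: a simplified model of the schema shown earlier, with constructed tuples and hypothetical helper names (`actions`, `targets`, `find`, `Lookup`). It starts from the subject's relations and walks toward documents instead of checking every document.

```go
package main
import (
	"fmt"
	"strings"
)

// Schema from the page: each action's or-ed leaves, and the entity type a relation points to.
var actions = map[string][]string{
	"container#admin": {"parent.admin", "container_admin"},
	"document#view":   {"viewer", "owner", "container.admin"},
}
var targets = map[string]string{"container#parent": "organization", "document#container": "container"}
// Constructed sample tuples (entity#relation@subject); not data from the page.
var tuples = []string{
	"document:1#viewer@user:1", "document:3#owner@user:1", "document:2#owner@user:2",
	"organization:1#admin@user:1", "container:1#parent@organization:1", "document:3#container@container:1",
	"container:2#container_admin@user:2", "document:4#container@container:2",
}
// find adds to out each typ entity linked to subject through rel (one narrow query).
func find(typ, rel, subject string, out map[string]bool) {
	for _, t := range tuples {
		if strings.HasPrefix(t, typ+":") && strings.HasSuffix(t, "#"+rel+"@"+subject) {
			out[strings.SplitN(t, "#", 2)[0]] = true
		}
	}
}
// Lookup adds to out each typ entity on which subject holds perm, recording every relation queried.
func Lookup(typ, perm, subject string, out map[string]bool, queried *[]string) {
	leaves, isAction := actions[typ+"#"+perm]
	if !isAction { // plain relation: query it with the subject; leaves is empty here
		*queried = append(*queried, typ+"#"+perm)
		find(typ, perm, subject, out)
	}
	for _, leaf := range leaves {
		if p := strings.SplitN(leaf, ".", 2); len(p) == 1 {
			Lookup(typ, p[0], subject, out, queried)
		} else { // rel.perm: resolve perm on the parent type, then follow rel down to typ
			parents := map[string]bool{}
			Lookup(targets[typ+"#"+p[0]], p[1], subject, parents, queried)
			for parent := range parents {
				find(typ, p[0], parent, out)
			}
		}
	}
}
func main() {
	ids, queried := map[string]bool{}, []string{}
	Lookup("document", "view", "user:1", ids, &queried)
	fmt.Println(ids, queried)
}
```

For user:1 the relations queried come out in the same order as the list above, and document:3 is returned once even though it is reachable both through owner and through the organization admin path.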

Path Parameters

tenant_id
string
required

Identifier of the tenant. If you are not using multi-tenancy (you have only one tenant), use the pre-inserted tenant t1 for this field. Required, and must match the pattern "[a-zA-Z0-9-,]+", max 64 bytes.

Body

application/json

PermissionLookupEntityRequest is the request message for the LookupEntity method in the Permission service.

Response

200
application/json
A successful response.

PermissionLookupEntityResponse is the response message for the LookupEntity method in the Permission service.