Add an authorization layer to your app with Permit.io🔏 in a few minutes ⏱️

Struggling with writing permissions and authorization codes?? Feeling sad for you man! I was too struggling with this until I got to know about the Permit.io 🥹

In this blog, I'm going to cover some basics of Permit and how it can smoothly handles the authorization part of your application.

But before starting, let's know "What is Authorization?" first.
Authorization (abbreviated as AuthZ) is the critical and most advanced part of Identity Access Management (IAM). It controls access within a product. This is where you most often run into roles, permissions, ownership, application users, invites, approval flows, and many more common patterns. You can read more about Authorization, by going to the official blog shared by the founder of Permit.

 

Understanding Permit.io 🔏

Authorization is the need of every application. Without authZ, your application doesn't have control access within many parameters, making it unsafe. 🔑

Authorization plays the crucial role of ensuring that the right people and services have the right access to the right resources. Permit allows you to decouple your authorization policy and application code, providing you with everything you need to create the perfect authorization layer for your application - A centralized control panel, SDKs, APIs, and microservice for authorization. These allow you to easily set up decision and enforcement points within your application. The good thing about it is all authorization decisions are made on your side with zero latency.

🧑‍💻Permit’s cloud service provides you with a full set of no-code tools that allow you, as well as every relevant person in your organization (e.g., product, security, support, or sales), to manage authorization within your application securely, with zero coding knowledge required.

🍩 Permit provides you with a full set of pre-built UI components that provide fully functional access control, allowing you to safely delegate them to your end users.

👷‍♂️ Policy models such as ABAC (Attribute-based Access Control) and ReBAC (Relationship-based Access Control), or even a combination of both of them are now really easy to configure with Permit.io.

All your access control needs in one place

 

A Quick Tutorial of Permit.io 🧑‍💻

Ready to be hands-on with Permit to add authorization to your applications? In this tutorial, we will be integrating Permit.io into your application within a few steps.

Before starting, please make an account in Permit.io so that you'll be able to get your API key and access the Permit.io dashboard where you assign roles to ppl as per your choice and decision. If you're facing any problems, click on this link for a quick guide: Setting up your account with Permit

1️⃣ Get your Permit Environment API Key

You can also copy the Environment API Key of the active environment by clicking on the User Menu > Copy Environment Key

2️⃣ Setup your PDP (Policy Decision Point) Container
The PDP functions as your microservice for authorization and is provided as a docker container ready for you to use, or as a cloud version for quick experimentation.

We will be using Docker Container for this.

• Pull the Permit.io Image (assuming you have Docker installed, if not click to install)

  docker pull permitio/pdp-v2:latest

• Replace the API key with your key in the below command

  docker run -it -p 7766:7000 --env PDP_DEBUG=True --env PDP_API_KEY=<YOUR_API_KEY> permitio/pdp-v2:latest

• Now, your PDP container is running, Use the below command to check or verify the running container.

  docker ps

3️⃣ It's time to add Permit.io to your app!
We will be using Permit SDK for this. You can integrate Permit.io for a wide variety of coding languages.

Languages available

For this tutorial, we will be going to use nodeJs Sdk.

• Install the Permit.io SDK

  npm install permitio

• Import the SDK into your code

  import { Permit } from "permitio";

• Create a new instance of the SDK.

 // This line initializes the SDK and connects your Node.js app
 // to the Permit.io PDP container you've set up in the previous step.
 const permit = new Permit({
   // your API Key
   token: "[YOUR_API_KEY]",
   // in production, you might need to change this url to fit your deployment
   pdp: "http://localhost:7766",
   // if you want the SDK to emit logs, uncomment this:
   // log: {
   //   level: "debug",
   // },
   // The SDK returns false if you get a timeout / network error
   // if you want it to throw an error instead, and let you handle this, uncomment this:
   // throwOnError: true,
 });

I hope you don't face any problems in adding the API key now 😉

4️⃣ Check for permissions using the SDK
You can run a permission check with permit.check(), passing in 3 arguments:

1. user: a unique string id that identifies the user doing the action. This is typically the user key.
2. action: the action performed.
3. resource: the resource (object) the action is performed on.

const permitted = await permit.check("rohan@xyz.co", "modify", "document");
if (permitted) {
  console.log("Rohan is PERMITTED to modify a document");
} else {
  console.log("Rohan is NOT PERMITTED to modify a document");
}

user: Rohan, action: modify, Resource: Document

Usually instead of an email you'd use the unique identifier provided by your chosen authentication solution.

In cases where you are dealing with more than one tenant in your application, permit.check() can pass the tenant as part of the resource.

The tenant passed in needs to be either the tenant id or the tenant key. List of All Tenant API

Example:

const permitted = await permit.check(
  // the key of the user
  "rohan@xyz.co",
  // the action
  "modify",
  {
    type: "document",
    tenant: "permit_io",
  }
);

You can also check the permission against the ABAC Policy. An ABAC Policy is made up of User Sets and Resource Sets.

If we are running a permit.check() for an ABAC policy, we can attach just-in-time attributes to the user and the resource. These attributes are merged (and overridden) user and resource attributes that were persisted to the permitted API.

const permitted = await permit.check(
  // the user object
  {
    // the user key
    key: "check@permit.io",
    // just-in-time attributes on the user
    attributes: {
      location: "India",
      department: "Engineering",
    },
  },
  // the action the user is trying to do
  "action",
  // Resource
  {
    // the type of the resource (the resource key)
    type: "resource",
    // just-in-time attributes on the resource
    attributes: {
      hasApproval: "true",
    },
    // the tenant the resource belong to
    tenant: "tenant",
  }
);

5️⃣ Full Application Example:

const { Permit } = require("permitio");

const express = require("express");
const app = express();
const port = 4000;

// This line initializes the SDK and connects your Node.js app
// to the Permit.io PDP container you've set up in the previous step.
const permit = new Permit({
  // in production, you might need to change this url to fit your deployment
  pdp: "http://localhost:7766",
  // your secret API Key
  token: "[YOUR_API_KEY]",
});

// You can open http://localhost:4000 to invoke this http
// endpoint, and see the outcome of the permission check.
app.get("/", async (req, res) => {
  // Example user object
  // You would usually get the user from your authentication layer (e.g. Auth0, Cognito, etc) via a JWT token or a database.
  const user = {
    key: "[A_USER_ID]",
    firstName: "John",
    lastName: "Smith",
    email: "john@permit.io",
  };

  // check for permissions to a resource and action (in this example, create a document)
  const permitted = await permit.check(user.key, "create", "document");
  if (permitted) {
    res.status(200).send(`${user.firstName} ${user.lastName} is PERMITTED to create document!`);
  } else {
    res.status(403).send(`${user.firstName} ${user.lastName} is NOT PERMITTED to create document!`);
  }
});

app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`);
});

Navigate to the Audit log page to see your permissions request results.

If you want to run this tutorial in your comfortable language or want to test Permit.io in other languages, head over to this link: Select Your Language

 

Concludingggg... 🥹

Permit is a full-stack authorization-as-a-service solution that will enable you to apply secure, granular, and user-friendly permission management.

The Permit Slack Community is a great place to get help with planning your implementation, using Permit features, or any other related questions you might encounter

In the part II of this blog, I'll talking about OPAL- Open Policy Administration Layer (OPAL) which is an open-source project developed and maintained by the Permit.io team. It serves as an administration layer for Policy Engines, detecting changes to both policy and policy data in real time and pushing live updates to your agents.

Permit.io Official Website: https://www.permit.io/
Permit.io Official Docs: https://docs.permit.io/quickstart

Thanks for reading till here! You are awesome. Have a productive day. 💖

Comments

[Gabriel L. Manor]

Thanks for sharing this tutorial, @rohan_sharma! Authorization is indeed a crucial feature for any application, and Permit make it super easy to implement.

[Rohan Sharma]

+1... The product is super awesome!!!! Plus it's very easy to use. 🥹

[Rohan Sharma]

Feel free to share your thoughts!! Must visit: permit.io/

[Pheonix Coder 🐦‍🔥]

Great solution for authZ. Thanks @rohan_sharma for bringing it to us

[Rohan Sharma]

Thank Pheonix! Try it once you won't regret!

[Priya Yadav]

Wow...rohan amazing 🤩

[Rohan Sharma]

Glad you liked it!

[SuRaj KuMar]

Tussi very very Great ho......!!!!!!!!

[Rohan Sharma]

haha.. Thanks

[Niharika Goulikar]

Very informative!

[Rohan Sharma]

I'm glad you liked it!