Subject Permission List

POST /v1/tenants/{tenant_id}/permissions/subject-permission The Subject Permission List endpoint answers the question: “Which permissions can user:1 perform on repository:1?” Instead of checking individual permissions one at a time, this endpoint evaluates all permissions defined in your schema for the entity type and returns a map of each permission name to its check result (RESULT_ALLOWED or RESULT_DENIED).

Use this endpoint to build permission-aware UIs — for example, deciding which buttons to show or which actions to enable based on the current user’s access to a specific resource.

Path Parameters

tenant_id

string

required

The tenant identifier. Use t1 for single-tenant deployments. Must match ^([a-zA-Z0-9_\-@\.:+]{1,128}|\*)$.

Request Body

metadata

object

required

Show properties

schema_version

string

Schema version to use for evaluation. Leave empty to use the latest schema.

snap_token

string

Snap token for consistent reads. See Snap Tokens.

only_permission

boolean

When true, only returns entries defined as permission (not relation) in your schema. Defaults to false.

depth

integer

required

Maximum recursion depth for the permission evaluation graph. Must be >= 3. Recommended: 20.

entity

object

required

The entity to evaluate permissions against.

Show properties

type

string

required

Entity type as defined in your schema (e.g. repository).

string

required

Entity identifier (e.g. 1).

subject

object

required

The subject to evaluate permissions for.

Show properties

type

string

required

Subject entity type (e.g. user).

string

required

Subject identifier (e.g. 1).

relation

string

Optional subject relation (e.g. member). Leave empty for direct subject reference.

context

object

Optional contextual data for ABAC evaluation. See Contextual Tuples.

Show properties

tuples

array

Temporary relationship tuples that exist only for this request.

attributes

array

Temporary attributes that exist only for this request.

data

object

Arbitrary key-value data passed to attribute rules.

Response

results

map[string, CheckResult]

A map of permission names to their check result for the given subject on the given entity.Possible values for each entry:

RESULT_ALLOWED — the subject has this permission
RESULT_DENIED — the subject does not have this permission

Example

curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/permissions/subject-permission' \
--header 'Content-Type: application/json' \
--data-raw '{
  "metadata": {
    "snap_token": "",
    "schema_version": "",
    "only_permission": true,
    "depth": 20
  },
  "entity": {
    "type": "repository",
    "id": "1"
  },
  "subject": {
    "type": "user",
    "id": "1",
    "relation": ""
  }
}'

Response

{
  "results": {
    "push": "RESULT_ALLOWED",
    "read": "RESULT_ALLOWED",
    "delete": "RESULT_DENIED",
    "create_issue": "RESULT_ALLOWED"
  }
}

Use cases

UI permission gates — Determine which buttons, menu items, or actions to display for the current user on a given resource.
Audit views — Show an administrator all permissions a specific user has on an entity.
Batch pre-computation — Resolve all permissions for a resource upfront instead of checking each individually at render time.

only_permission: true filters out raw relation entries (e.g. owner, viewer) and returns only computed permission definitions. Set to false (the default) to include both.

Introduction

Permission Service

Schema Service

Data Service

Tenancy & Bundle

Watch Service

Subject Permission List

Path Parameters

Request Body

Response

Example

Response

Use cases

Build docs developers (and LLMs) love

Introduction

Permission Service

Schema Service

Data Service

Tenancy & Bundle

Watch Service

​Path Parameters

​Request Body

​Response

​Example

​Response

​Use cases

Build docs developers (and LLMs) love

Path Parameters

Request Body

Response

Example

Response

Use cases