Permit.io Launch Week - Day 2: Precise Decisions

Welcome to day two of Permit.io’s Launch Week! Today, we focus on decisions—specifically, how developers can implement more dynamic and efficient decision-making processes in their applications. With new features that improve data filtering, enhance policy evaluation, and scale decision-making capabilities, we’re excited to showcase how Permit.io is advancing authorization management.

We also have a special guest today—Ben Greenberg from Couchbase—who will help introduce an exciting integration we’ve built with Couchbase, one of the most widely used NoSQL databases.

You can watch the full live stream of these features here:

Let’s dive into the features we’re launching today:

Couchbase Data Filtering: Smarter Query Handling

We’re thrilled to introduce Couchbase Data Filtering, a middleware integration designed to streamline permissions directly at the database layer.

This feature allows developers to filter database queries based on user permissions, ensuring that only authorized queries can be executed.

Traditionally, permission checks are handled in the application layer, often leading to inefficiencies, especially when working with large datasets. Without filtering at the data level, you risk sending queries that retrieve unauthorized data or overcomplicating the code to handle these checks later.

That’s where the Couchbase integration comes in. This integration allows Permit.io to run a permission check on any Couchbase query before execution, filtering it according to user roles and policies. It ensures that only authorized data is accessible, even before it leaves the database. Whether it’s retrieving certain fields based on a user’s role or preventing a sensitive query from being executed, Couchbase Data Filtering gives you full control of the database layer.

Think of this example: a user may be able to query a database but should only see specific fields like name and email, not sensitive data like phone numbers or addresses. With a simple call to the Permit filter function, you can map Couchbase queries to Permit policies and get a permission decision before executing the query.

Partial Evaluation: Advanced Query Filtering

We’re also excited to announce Partial Evaluation, a feature that allows filtering SQL queries directly based on user permissions, with the added flexibility of filtering within the policy engine.

This feature enables Permit to modify queries in real-time, ensuring that database results are pre-filtered according to user permissions before the query is even executed.

In traditional systems, permission checks are typically performed after retrieving data, requiring extra logic in your application. This can lead to inefficiency and scattered code, making it harder to maintain.

Partial Evaluation allows you to embed permission checks directly into the query. Instead of manually filtering data after the fact, Permit’s Partial Evaluation function modifies the query based on user permissions before sending it to the database.

With SQLAlchemy, for instance, Permit can intercept and transform a query into a permission-aware version, reducing the amount of code developers need to write and maintain. This functionality is available in Permit starting from version 0.6.0.

This feature ensures that the right data is retrieved and evaluated at the database level, reducing the need for post-query logic and simplifying your application code.

Read the full docs of this feature here

RBAC for CASL: Extending Front-End Authorization

The next feature we’re introducing is an extension of RBAC for CASL, a well-known front-end authorization library, now integrated with Permit to support relationship-based access control (ReBAC).

This feature gives developers the ability to check permissions for user actions directly from the front end, enabling more dynamic and user-specific experiences.

Managing user permissions in the front end often requires custom logic for each action, such as enabling or disabling buttons based on user roles. Without an integrated solution, developers can spend significant time writing conditional rendering logic.

With this CASL extension, you can send queries to the Permit Policy Decision Point (PDP) directly from the front end to check what users are allowed to do with each item in real-time. If a user is, for example, browsing a list of documents, CASL can determine if the user is authorized to edit or delete each document and dynamically render the appropriate action buttons.

This makes front-end development faster and more efficient, allowing you to build secure, permission-based UI components.

await permit.loadLocalStateBulk([
  // RBAC example
  { action: 'view', resource: 'statement' },
  { action: 'view', resource: 'products' },
  { action: 'delete', resource: 'file' },

  // ABAC example
  {
    action: 'view',
    resource: 'files_for_poland_employees',
    userAttributes: {
      department: 'Engineering',
      salary: '100K',
    },
    resourceAttributes: { country: 'PL' },
  },

  // ReBAC example
  { action: 'create', resource: 'document:my_file.doc' },
]);

Full documentation on how to work with Permit and CASL is available here

Scaling OPA on the PDP with SQLite: Enhanced Decision Performance

Lastly, we’re introducing a major improvement in scaling policy decisions with Open Policy Agent (OPA) using SQLite.

This feature allows you to scale policy decision-making by enabling Permit’s PDP to handle significantly larger datasets, removing previous limitations on data size.

OPA, while a powerful policy engine, has a limitation on the amount of data it can handle (previously capped at 2GB). This creates bottlenecks for teams working with large-scale applications that need to process large datasets for permissions.

By integrating SQLite into the PDP, we are able to remove the 2GB limitation and enable in-memory, high-speed data storage for larger, scalable policy decisions. You can now handle much larger amounts of data, and these improvements ensure that decision-making can scale horizontally, supporting even the most demanding applications. With SQLite as the storage backend, you can share data across multiple PDPs, increasing both capacity and performance.

Today’s features emphasize smarter decision-making at all levels of your stack, from database queries to front-end UI elements, ensuring that you can enforce permissions efficiently and at scale.

• Couchbase Data Filtering simplifies database permissions at the query level.
• Partial Evaluation allows for more efficient, permission-aware SQL queries.
• RBAC CASL makes front-end permission checks dynamic and easier to implement.
• Scaling OPA with SQLite ensures that you can handle large datasets and scale policy decisions effortlessly.

Stay tuned for tomorrow’s updates as we continue Permit Launch Week with a focus on policy modeling!