> ## Documentation Index
> Fetch the complete documentation index at: https://proxy-docs.permify.co/llms.txt
> Use this file to discover all available pages before exploring further.
# Lookup Entity (Data Filtering)
Lookup Entity endpoint lets you ask questions in form of **“Which resources can user:X do action Y?”**. As a response of this you’ll get a entity results in a format of string array or as a streaming response depending on the endpoint you're using.
So, we provide 2 separate endpoints for data filtering check request,
* Lookup Entity
* [Lookup Entity Streaming](./lookup-entity-stream)
In this endpoint you'll get directly the IDs' of the entities that are authorized in an array.
### How Lookup Operations Evaluated
We explicitly designed reverse lookup to be more performant with changing its evaluation pattern. We do not query all the documents in bulk to get response, instead of this Permify first finds the necessary relations with given subject and the permission/action in the API call. Then query these relations with the subject id this way we reduce lots of additional queries.
To give an example,
```jsx theme={null}
entity user {}
entity organization {
relation admin @user
}
entity container {
relation parent @organization
relation container_admin @user
action admin = parent.admin or container_admin
}
entity document {
relation container @container
relation viewer @user
relation owner @user
action view = viewer or owner or container.admin
}
```
Lets say we called (reverse) lookup API to find the documents that user:1 can view. Permify first finds the relations that linked with view action, these are
* `document#viewer`
* `document#owner`
* `organization#admin`
* `container#``container_admin`
Then queries each of them with `user:1.`
## OpenAPI
````yaml post /v1/tenants/{tenant_id}/permissions/lookup-entity
openapi: 3.0.0
info:
title: Permify API
description: >-
Permify is an open source authorization service for creating fine-grained
and scalable authorization systems.
version: v1.6.10
contact:
name: API Support
url: https://github.com/Permify/permify/issues
email: hello@permify.co
license:
name: AGPL-3.0 license
url: https://github.com/Permify/permify/blob/master/LICENSE
servers: []
security: []
tags:
- name: Permission
- name: Watch
- name: Schema
- name: Data
- name: Bundle
- name: Tenancy
paths:
/v1/tenants/{tenant_id}/permissions/lookup-entity:
post:
tags:
- Permission
summary: lookup entity
operationId: permissions.lookupEntity
parameters:
- name: tenant_id
description: >-
Identifier of the tenant, if you are not using multi-tenancy (have
only one tenant) use pre-inserted tenant t1 for this
field. Required, and must match the pattern \“[a-zA-Z0-9-,]+\“, max
64 bytes.
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/LookupEntityBody'
required: true
responses:
'200':
description: A successful response.
content:
application/json:
schema:
$ref: '#/components/schemas/PermissionLookupEntityResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
$ref: '#/components/schemas/Status'
x-codeSamples:
- label: go
lang: go
source: >-
cr, err := client.Permission.LookupEntity(context.Background(),
&v1.PermissionLookupEntityRequest{
TenantId: "t1",
Metadata: &v1.PermissionLookupEntityRequestMetadata{
SnapToken: "",
SchemaVersion: "",
Depth: 20,
},
EntityType: "document",
Permission: "edit",
Subject: &v1.Subject{
Type: "user",
Id: "1",
}
PageSize: 20,
ContinuousToken: "",
})
- label: node
lang: javascript
source: |-
client.permission.lookupEntity({
tenantId: "t1",
metadata: {
snapToken: "",
schemaVersion: "",
depth: 20
},
entity_type: "document",
permission: "edit",
subject: {
type: "user",
id: "1"
},
page_size: 20,
continuous_token: ""
}).then((response) => {
console.log(response.entity_ids)
})
- label: cURL
lang: curl
source: >-
curl --location --request POST
'localhost:3476/v1/tenants/{tenant_id}/permissions/lookup-entity' \
--header 'Content-Type: application/json' \
--data-raw '{
"metadata":{
"snap_token": "",
"schema_version": "",
"depth": 20
},
"entity_type": "document",
"permission": "edit",
"subject": {
"type":"user",
"id":"1"
},
"page_size": 20,
"continuous_token": "",
}'
components:
schemas:
LookupEntityBody:
type: object
properties:
metadata:
$ref: '#/components/schemas/PermissionLookupEntityRequestMetadata'
entity_type:
type: string
description: >-
Type of the entity to lookup, required, must start with a letter and
can include alphanumeric and underscore, max 64 bytes.
permission:
type: string
description: >-
Name of the permission to check, required, must start with a letter
and can include alphanumeric and underscore, max 64 bytes.
subject:
$ref: '#/components/schemas/Subject'
context:
$ref: '#/components/schemas/Context'
scope:
type: object
additionalProperties:
$ref: '#/components/schemas/StringArrayValue'
description: >-
Scope: A map that associates entity types with lists of identifiers.
Each entry
helps filter requests by specifying which entities are relevant to
the operation.
page_size:
type: integer
format: int64
description: |-
page_size is the number of entities to be returned in the response.
The value should be between 1 and 100.
continuous_token:
type: string
description: |-
continuous_token is an optional parameter used for pagination.
It should be the value received in the previous response.
description: >-
PermissionLookupEntityRequest is the request message for the
LookupEntity method in the Permission service.
PermissionLookupEntityResponse:
type: object
properties:
entity_ids:
type: array
items:
type: string
description: List of identifiers for entities that match the lookup.
continuous_token:
type: string
description: >-
continuous_token is a string that can be used to paginate and
retrieve the next set of results.
description: >-
PermissionLookupEntityResponse is the response message for the
LookupEntity method in the Permission service.
Status:
type: object
properties:
code:
type: integer
format: int32
message:
type: string
details:
type: array
items:
$ref: '#/components/schemas/Any'
PermissionLookupEntityRequestMetadata:
type: object
properties:
schema_version:
type: string
description: Version of the schema.
snap_token:
type: string
description: >-
The snap token to avoid stale cache, see more details on [Snap
Tokens](../../operations/snap-tokens).
depth:
type: integer
format: int32
description: Query limit when if recursive database queries got in loop.
description: >-
PermissionLookupEntityRequestMetadata metadata for the
PermissionLookupEntityRequest.
Subject:
type: object
properties:
type:
type: string
id:
type: string
relation:
type: string
description: >-
Subject represents an entity subject with a type, an identifier, and a
relation.
Context:
type: object
properties:
tuples:
type: array
items:
$ref: '#/components/schemas/Tuple'
description: A repeated field of tuples involved in the operation.
attributes:
type: array
items:
$ref: '#/components/schemas/Attribute'
description: A repeated field of attributes associated with the operation.
data:
type: object
description: Additional data associated with the context.
description: |-
Context encapsulates the information related to a single operation,
including the tuples involved and the associated attributes.
StringArrayValue:
type: object
properties:
data:
type: array
items:
type: string
description: The array of strings.
description: Wrapper for an array of strings.
Any:
type: object
properties:
'@type':
type: string
description: >-
A URL/resource name that uniquely identifies the type of the
serialized
protocol buffer message. This string must contain at least
one "/" character. The last segment of the URL's path must represent
the fully qualified name of the type (as in
`path/google.protobuf.Duration`). The name should be in a canonical
form
(e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that
they
expect it to use in the context of Any. However, for URLs which use
the
scheme `http`, `https`, or no scheme, one can optionally set up a
type
server that maps type URLs to message definitions as follows:
* If no scheme is provided, `https` is assumed.
* An HTTP GET on the URL must yield a [google.protobuf.Type][]
value in binary format, or produce an error.
* Applications are allowed to cache lookup results based on the
URL, or have them precompiled into a binary to avoid any
lookup. Therefore, binary compatibility needs to be preserved
on changes to types. (Use versioned type names to manage
breaking changes.)
Note: this functionality is not currently available in the official
protobuf release, and it is not used for type URLs beginning with
type.googleapis.com. As of May 2023, there are no widely used type
server
implementations and no plans to implement one.
Schemes other than `http`, `https` (or the empty scheme) might be
used with implementation specific semantics.
additionalProperties: {}
description: >-
`Any` contains an arbitrary serialized protocol buffer message along
with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form
of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
...
}
Example 2: Pack and unpack a message in Java.
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
any.Unpack(foo)
...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
...
}
The pack methods provided by protobuf library will by default use
'type.googleapis.com/full.type.name' as the type URL and the unpack
methods only use the fully qualified type name after the last '/'
in the type URL, for example "foo.bar.com/x/y.z" will yield type
name "y.z".
JSON
====
The JSON representation of an `Any` value uses the regular
representation of the deserialized, embedded message, with an
additional field `@type` which contains the type URL. Example:
package google.profile;
message Person {
string first_name = 1;
string last_name = 2;
}
{
"@type": "type.googleapis.com/google.profile.Person",
"firstName": ,
"lastName":
}
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
`value` which holds the custom JSON in addition to the `@type`
field. Example (for message [google.protobuf.Duration][]):
{
"@type": "type.googleapis.com/google.protobuf.Duration",
"value": "1.212s"
}
Tuple:
type: object
properties:
entity:
$ref: '#/components/schemas/Entity'
relation:
type: string
subject:
$ref: '#/components/schemas/Subject'
description: Tuple is a structure that includes an entity, a relation, and a subject.
Attribute:
type: object
properties:
entity:
$ref: '#/components/schemas/Entity'
attribute:
type: string
title: Name of the attribute
value:
$ref: '#/components/schemas/Any'
description: >-
Attribute represents an attribute of an entity with a specific type and
value.
Entity:
type: object
properties:
type:
type: string
id:
type: string
description: Entity represents an entity with a type and an identifier.
````