Permissions Module
The permissions module (sso.permissions) provides utilities for working with ReBAC (Relationship-Based Access Control) permissions. Permissions use Zanzibar-style relation tuples and are fetched from the API.
Methods
sso.permissions.hasPermission()
Signature:
hasPermission(permission: string): Promise<boolean>
Description: Check if the authenticated user has a specific permission. Fetches from the user profile API, which uses cached permissions.
Parameters:
| Name | Type | Description |
|---|---|---|
| permission | string | Permission in the format "namespace:object_id#relation" |
Returns: Promise<boolean> - True if the permission is present.
Example:
```javascript
const hasAccess = await sso.permissions.hasPermission('organization:acme#owner');
if (hasAccess) {
  // Allow access
}
```
sso.permissions.listPermissions()
Signature:
listPermissions(): Promise<string[]>
Description: Get all permissions for the authenticated user.
Returns: Promise<string[]> - Array of permission strings.
Example:
```javascript
const permissions = await sso.permissions.listPermissions();
console.log(permissions);
// ["organization:acme#owner", "service:api#admin"]
```
sso.permissions.hasFeature()
Signature:
hasFeature(feature: string): Promise<boolean>
Description: Check if the user has access to a specific feature (based on their subscription/plan).
Parameters:
| Name | Type | Description |
|---|---|---|
| feature | string | Feature name to check |
Returns: Promise<boolean> - True if the feature is available.
Example:
```javascript
const canExport = await sso.permissions.hasFeature('advanced-export');
```
sso.permissions.getPlan()
Signature:
getPlan(): Promise<string | null>
Description: Get the current plan name for the user in the context of the current organization/service.
Returns: Promise<string | null> - Current plan name or null.
Example:
```javascript
const plan = await sso.permissions.getPlan();
console.log(plan); // "pro", "enterprise", etc.
```
sso.permissions.can()
Signature:
can(namespace: string, objectId: string, relation: string): Promise<boolean>
Description: Check if the user has a specific permission on a resource. Convenience wrapper around hasPermission.
Parameters:
| Name | Type | Description |
|---|---|---|
| namespace | string | The permission namespace |
| objectId | string | The object ID (slug) |
| relation | string | The relation to check |
Returns: Promise<boolean> - True if permission exists.
Example:
```javascript
const isOwner = await sso.permissions.can('organization', 'acme-corp', 'owner');
```
sso.permissions.isOrgMember()
Signature:
isOrgMember(orgId: string): Promise<boolean>
Description: Check if the user is a member of an organization.
Parameters:
| Name | Type | Description |
|---|---|---|
| orgId | string | Organization ID or slug |
Returns: Promise<boolean>
sso.permissions.isOrgAdmin()
Signature:
isOrgAdmin(orgId: string): Promise<boolean>
Description: Check if the user is an admin of an organization.
Parameters:
| Name | Type | Description |
|---|---|---|
| orgId | string | Organization ID or slug |
Returns: Promise<boolean>
sso.permissions.isOrgOwner()
Signature:
isOrgOwner(orgId: string): Promise<boolean>
Description: Check if the user is an owner of an organization.
Parameters:
| Name | Type | Description |
|---|---|---|
| orgId | string | Organization ID or slug |
Returns: Promise<boolean>
sso.permissions.hasServiceAccess()
Signature:
hasServiceAccess(serviceId: string): Promise<boolean>
Description: Check if the user has access to a service.
Parameters:
| Name | Type | Description |
|---|---|---|
| serviceId | string | Service ID or slug |
Returns: Promise<boolean>
sso.permissions.getPermissionsByNamespace()
Signature:
getPermissionsByNamespace(namespace: string): Promise<string[]>
Description: Filter user permissions by namespace.
Parameters:
| Name | Type | Description |
|---|---|---|
| namespace | string | Namespace to filter by |
Returns: Promise<string[]> - Array of matching permissions.
Example:
```javascript
const orgPermissions = await sso.permissions.getPermissionsByNamespace('organization');
```
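The "namespace:object_id#relation" format used by hasPermission() and can(), and the namespace filter of getPermissionsByNamespace(), as an added example that is not the SDK's own code: it builds and parses permission strings strictly, so a delimiter inside an object ID, or a namespace that only shares a prefix, cannot match the wrong tuple. The allowed character set and the helper names (buildPermission, parsePermission, filterByNamespace, canFromList) are assumptions, and the sample list is constructed.

```javascript
// Added example, not SDK code. The allowed character set is an assumption;
// the page does not define one for namespace, object ID or relation.
const PART = '[A-Za-z0-9_-]+';
const PART_RE = new RegExp(`^${PART}$`);
const TUPLE_RE = new RegExp(`^(${PART}):(${PART})#(${PART})$`);

// Build "namespace:object_id#relation", rejecting parts that carry delimiters.
function buildPermission(namespace, objectId, relation) {
  for (const [name, value] of Object.entries({ namespace, objectId, relation })) {
    if (typeof value !== 'string' || !PART_RE.test(value)) {
      throw new TypeError(`invalid ${name}: ${JSON.stringify(value)}`);
    }
  }
  return `${namespace}:${objectId}#${relation}`;
}

// Parse a permission string; anything malformed yields null.
function parsePermission(permission) {
  if (typeof permission !== 'string') return null;
  const m = TUPLE_RE.exec(permission);
  return m ? { namespace: m[1], objectId: m[2], relation: m[3] } : null;
}

// Exact namespace match: "organization" must not match "organization-billing".
function filterByNamespace(permissions, namespace) {
  return permissions.filter((p) => {
    const tuple = parsePermission(p);
    return tuple !== null && tuple.namespace === namespace;
  });
}

// Exact tuple match against a list shaped like listPermissions() output.
function canFromList(permissions, namespace, objectId, relation) {
  return permissions.includes(buildPermission(namespace, objectId, relation));
}

// Constructed sample data, not taken from a real account.
const SAMPLE = [
  'organization:acme#owner',
  'organization-billing:acme#viewer',
  'service:api#admin',
  'service:api#admin#owner', // malformed: two relation separators
];

console.log(filterByNamespace(SAMPLE, 'organization'));
console.log(canFromList(SAMPLE, 'service', 'api', 'admin'));
```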