Fine-Grained Authorization (Permit)

Database operations often require careful control over who can access or modify which data. While Prisma ORM excels at data modeling and database access, it doesn't include built-in authorization capabilities. This guide shows how to implement fine-grained authorization in your Prisma applications using the @permitio/permit-prisma extension.

Fine-grained authorization (FGA) provides detailed and precise control over what data users can access or modify at a granular level. Without proper authorization, your application might expose sensitive data or allow unauthorized modifications, creating security vulnerabilities.

This extension supports three access control models from Permit.io:

What it is: Users are assigned roles (Admin, Editor, Viewer) with predefined permissions to perform actions on resource types.

Example: An "Editor" role can update any document in the system.

Best for: Simple permission structures where access is determined by job function or user level.

What it is: Access decisions based on attributes of users, resources, or environment.

Examples:

Allow access if user.department == document.department

Allow updates if document.status == "DRAFT"

How it works with the extension: When enableAttributeSync is on, resource attributes are automatically synced to Permit.io for policy evaluation.

Best for: Dynamic rules that depend on context or data properties.

What it is: Permissions based on relationships between users and specific resource instances.

Example: A user is an "Owner" of document-123 but just a "Viewer" of document-456.

How it works with the extension:

Resource instances are synced to Permit.io (with enableResourceSync: true )

) Permission checks include the specific resource instance ID

Best for: Collaborative applications where users need different permissions on different instances of the same resource type.

RBAC : When you need simple, role-based access control

: When you need simple, role-based access control ABAC : When decisions depend on data properties or contextual information

: When decisions depend on data properties or contextual information ReBAC: When users need different permissions on different instances

Before implementing fine-grained authorization with Prisma, make sure you have:

A Prisma application with existing models and queries

Basic understanding of authorization concepts

Node.js and npm installed

Install the extension alongside Prisma Client:

npm install @permitio/permit-prisma @prisma/client



You'll also need to sign up for a Permit account to define your authorization policies.

Note:

Ensure that the Permit PDP container is running. It is recommended to run it using Docker for better performance, security, and availability. For instructions, refer to the Permit documentation: Deploy Permit to Production and PDP Overview .

First, extend your Prisma Client with the Permit extension:

import { PrismaClient } from "@prisma/client" ;

import { createPermitClientExtension } from "@permitio/permit-prisma" ;



const prisma = new PrismaClient ( ) . $ extends (

createPermitClientExtension ( {

permitConfig : {

token : process . env . PERMIT_API_KEY ,

pdp : "http://localhost:7766" ,

} ,

enableAutomaticChecks : true

} )

) ;



RBAC uses roles to determine access permissions. For example, "Admin" roles can perform all actions while "Viewer" roles can only read data.

Define resources and actions in Permit.io dashboard: Create resources matching your Prisma models (e.g., "document")

Define actions (e.g., "create", "read", "update", "delete")

Create roles with permission sets (e.g., "admin", "editor", "viewer") Set the active user in your code:



prisma . $permit . setUser ( "john@example.com" ) ;





const documents = await prisma . document . findMany ( ) ;



ABAC extends access control by considering user attributes, resource attributes, and context.

Configure the extension for ABAC:

const prisma = new PrismaClient ( ) . $ extends (

createPermitClientExtension ( {

permitConfig : { token : process . env . PERMIT_API_KEY , pdp : "http://localhost:7766" } ,

enableAutomaticChecks : true ,

} )

) ;



Set user with attributes:

prisma . $permit . setUser ( {

key : "doctor@hospital.com" ,

attributes : { department : "cardiology" }

} ) ;





const records = await prisma . medicalRecord . findMany ( {

where : { department : "cardiology" }

} ) ;



ReBAC models permissions based on relationships between users and specific resource instances.

Configure the extension for ReBAC:

const prisma = new PrismaClient ( ) . $ extends (

createPermitClientExtension ( {

permitConfig : { token : process . env . PERMIT_API_KEY , pdp : "http://localhost:7766" } ,

accessControlModel : "rebac" ,

enableAutomaticChecks : true ,

enableResourceSync : true ,

enableDataFiltering : true

} )

) ;



** Access instance-specific resources:**

prisma . $permit . setUser ( "owner@example.com" ) ;





const file = await prisma . file . findUnique ( {

where : { id : "file-123" }

} ) ;



For more control, you can perform explicit permission checks:



const canUpdate = await prisma . $permit . check (

"john@example.com" ,

"update" ,

"document"

) ;



if ( canUpdate ) {

await prisma . document . update ( {

where : { id : "doc-123" } ,

data : { title : "Updated Title" }

} ) ;

}





await prisma . $permit . enforceCheck (

"john@example.com" ,

"delete" ,

{ type : "document" , key : "doc-123" }

) ;



Here are some common scenarios where fine-grained authorization is valuable:

Multi-tenant applications : Isolate data between different customers

: Isolate data between different customers Healthcare applications : Ensure patient data is only accessible to authorized staff

: Ensure patient data is only accessible to authorized staff Collaborative platforms : Grant different permissions on shared resources

: Grant different permissions on shared resources Content management systems: Control who can publish, edit, or view content