Hello, my question might seem strange but I am try...
# talk-keto
v
Hello, my question might seem strange but I am trying to use the TS keto SDK. From what I figured out, I have to use the `PermissionApi` to generate a client. Then I have to use the `checkPermission` function to test the permission. What I don’t understand is why the `checkPermission` function asks for a relation? The payload seems to be the same as for creating a relationship. I checked the HTTP API and it asks for the same thing. But in my case I want to test if “userId” can do the action “edit”. I don’t want to check if “userId” is a member of “editors”. I want to check actions, not relations. It should be the OPL that is in charge of translating permissions to relation membership based on my OPL rules. What did I miss?
s
I'm trying to figure this out as well. Doesn't make much sense to have permit defined in the OPL, but having to query the permissions adding a relation parameter.
v
From what I figured out on my own, Keto uses relations in a graph to determine if a subject has permission on an object. If there exists a path between the two entities then the action is allowed, otherwise it is refused. The underlying API seems to only know about relations. The "permits" notion is only known by OPL which is a layer built upon the underlying API. But Keto has to work with or without using the OPL, which is why the API is low level and does not consider OPL features when querying it. This is why you need to check the permission by providing a "relation" field, which happens to be your "permits" action. I hope this makes it a bit clearer for you!
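
A simplified model of the behaviour described in the last reply, as an added example that is not part of the thread and is not Keto's implementation: a check takes the same four fields as a stored relationship, and a permit name such as `edit` is passed in the `relation` field and resolved from the stored relations. The sample tuples, the `permits` table, the OPL sketch in the comment, and the functions `check` and `canDo` are constructed for illustration.

```typescript
// Simplified model, NOT Keto's code: stored relation tuples plus OPL-style
// permits that are resolved from those tuples when a check is made.
type Tuple = { namespace: string; object: string; relation: string; subjectId: string };
type CheckQuery = Tuple; // a check carries the same four fields as a stored tuple

// Constructed sample data: relationships as they would be written to the store.
const tuples: Tuple[] = [
  { namespace: "Document", object: "doc1", relation: "editors", subjectId: "alice" },
  { namespace: "Document", object: "doc1", relation: "viewers", subjectId: "bob" },
];

// Constructed rules mirroring an OPL class such as:
//   class Document implements Namespace {
//     related: { editors: User[]; viewers: User[] }
//     permits = {
//       edit: (ctx: Context) => this.related.editors.includes(ctx.subject),
//       view: (ctx: Context) => this.related.viewers.includes(ctx.subject) || this.permits.edit(ctx),
//     }
//   }
// Each permit lists the relations (or other permits) that grant it.
const permits: Record<string, Record<string, string[]>> = {
  Document: { edit: ["editors"], view: ["viewers", "edit"] },
};

function check(q: CheckQuery, seen: Set<string> = new Set()): boolean {
  const key = `${q.namespace}:${q.object}#${q.relation}@${q.subjectId}`;
  if (seen.has(key)) return false; // guard against cyclic rules
  seen.add(key);
  // 1. A directly stored tuple answers the check.
  const direct = tuples.some(t =>
    t.namespace === q.namespace && t.object === q.object &&
    t.relation === q.relation && t.subjectId === q.subjectId);
  if (direct) return true;
  // 2. Otherwise, if "relation" names a permit, evaluate what grants it.
  const grantedBy = permits[q.namespace]?.[q.relation] ?? [];
  return grantedBy.some(r => check({ ...q, relation: r }, seen));
}

// "Can subject do action on object?" is a check whose relation is the action.
function canDo(subjectId: string, action: string, object: string): boolean {
  return check({ namespace: "Document", object, relation: action, subjectId });
}
```

With the SDK, the same question is a `checkPermission` call whose `relation` field is set to `edit` rather than `editors`.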