Based on the knowledge sources, there appears to be a confusion in terminology. In the Ory Permission Language (OPL), there is only one method for traversing relations, which is consistently referred to as

traverse

in the documentation examples, but sometimes described as

transitive

in the specification. Looking at the code examples in the documentation, the method used for traversing relations is consistently shown as `traverse`:

typescript this.related.parents.traverse((parent) => parent.permits.view(ctx))

However, in the OPL specification, this same concept is sometimes referred to as a `TransitiveCheck`:

TransitiveCheck = "this" "." "related" "." RelationName "." "transitive" "(" Var "=>" ( PermissionCall | IncludesCheck ) ")" .

This inconsistency between the documentation examples and the specification appears to be the source of confusion. In practice, the method you should use in your OPL code is

traverse

, as shown in all the practical examples. The functionality itself allows you to follow relationships transitively through your permission model. For example, if a document is in a folder, and a user has permission to view the folder, you can use

traverse

to check if the user can view the document through its parent folder relationship. There's also an open issue (#1626) that mentions inconsistencies when using

this.permits(ctx)

versus calling a transitive permission directly, which suggests there might be some implementation issues with how transitive permissions are handled in certain cases. [Ory Permission Language Specification](https://www.ory.sh/docs/keto/reference/ory-permission-language#statements)

I'll show you how to check if a specific user has the "read" permission on an article using Ory Permissions. Here are examples using different methods: ## Using REST API ### GET Method

GET /relation-tuples/check?namespace=Articles&object=Article:abcdefg12345&relation=read&subject_id=User:fdff2bff-7604-4a58-baf7-550ce7ae4419

### POST Method

POST /relation-tuples/check Content-Type: application/json  {   "namespace": "Articles",   "object": "Article:abcdefg12345",   "relation": "read",   "subject_id": "User:fdff2bff-7604-4a58-baf7-550ce7ae4419" }

## Using Python SDK

python import ory_client from ory_client.api import permission_api  # Configure client configuration = ory_client.Configuration(     host = "<https://playground.projects.oryapis.com>" )  # Create API client instance with ory_client.ApiClient(configuration) as api_client:     # Create permission API instance     api_instance = permission_api.PermissionApi(api_client)          try:         # Check permission         api_response = api_instance.check_permission(             namespace="Articles",              object="Article:abcdefg12345",              relation="read",              subject_id="User:fdff2bff-7604-4a58-baf7-550ce7ae4419"         )         print(api_response)     except ory_client.ApiException as e:         print("Exception when calling PermissionApi->check_permission: %s\n" % e)

## Using JavaScript/TypeScript SDK

javascript // Check a permission const isAllowed = await ory   .permission   .checkPermission({     namespace: "Articles",      object: "Article:abcdefg12345",      relation: "read",      subject_id: "User:fdff2bff-7604-4a58-baf7-550ce7ae4419"   })   .then(({data}) => data.allowed)

The response will indicate whether the user has the requested permission on the article. [Keto API Reference](https://www.ory.sh/docs/keto/reference/rest-api) [Ory Permissions Python SDK](https://www.ory.sh/docs/keto/sdk/python) [SDK V1 upgrade guide](https://www.ory.sh/docs/guides/upgrade/sdk-v1#permissions--access-control)

To check if a subject has a specific permission using the Ory Keto CLI, you can use the

keto check

command. Here's how to check if the subject

User:fdff2bff-7604-4a58-baf7-550ce7ae4419

has the

read

permission on object

Article:abcdefg12345

under the namespace `Articles`:

bash keto check User:fdff2bff-7604-4a58-baf7-550ce7ae4419 read Articles Article:abcdefg12345

The command follows this syntax:

keto check <subject> <relation> <namespace> <object> [flags]

If you want to specify additional options, you can use flags like: -

--max-depth

or `-d`: To set the maximum depth of the search tree - `--format`: To set the output format (e.g., json, yaml, table) - `--read-remote`: To specify a remote address for the read API endpoint For example, with additional options:

bash keto check User:fdff2bff-7604-4a58-baf7-550ce7ae4419 read Articles Article:abcdefg12345 --format json --max-depth 10

The command will return whether the permission check was successful or not. [Keto CLI Documentation](https://www.ory.sh/docs/keto/cli/keto-check#keto-check)

It looks like you're trying to use the

keto

command but it's not installed or not in your PATH. To use the Ory Keto CLI, you need to install it first. Here are the steps to install and use the Keto CLI: ## Install the Ory CLI The Keto CLI is part of the Ory CLI. You can install it using one of these methods: ### macOS (using Homebrew)

bash brew install ory/tap/cli

### Linux/macOS (using curl)

bash curl -sSf <https://raw.githubusercontent.com/ory/meta/master/install.sh> | sh -s -- cli

### Windows (using Scoop)

bash scoop bucket add ory <https://github.com/ory/scoop.git> scoop install ory-cli

### Using npm/yarn

bash npm install -g @ory/cli # or yarn global add @ory/cli

## Verify Installation After installation, verify that the Ory CLI is installed correctly:

bash ory --version

## Using Keto Commands Once the Ory CLI is installed, you can use Keto commands through the Ory CLI:

bash ory is allowed User:fdff2bff-7604-4a58-baf7-550ce7ae4419 read Articles Article:abcdefg12345

For self-hosted Keto instances, you can also use the standalone Keto CLI which can be downloaded from the [GitHub releases page](https://github.com/ory/keto/releases). [Ory CLI Installation](https://www.ory.sh/docs/guides/cli/installation) If you're using Ory Network, make sure to authenticate first:

bash ory auth ory use project <your-project-id>

Then you can run the permission check as shown above. Let me know if you need further assistance with the installation or using the Ory CLI!

@chilly-king-10285 When attempting to use

ory is allowed …

to check the above permission I keep getting this error on mcaos: Could not make request: rpc error: code = NotFound desc = The requested resource could not be found Error: rpc error: code = NotFound desc = The requested resource could not be found

Based on the error message you're receiving, it appears that the Ory CLI can't find the resource you're trying to check permissions for. This "NotFound" error typically occurs for a few specific reasons when using the Ory CLI for permission checks. The most common causes for this error are: 1. You might not be properly connected to your Ory Network project 2. The namespace "Articles" might not exist in your permission system 3. The relationship tuples for the specified resources haven't been created yet Here are some troubleshooting steps you can try: ## 1. Verify your Ory project connection Make sure you're authenticated and using the correct project:

bash # Authenticate with Ory Network ory auth  # List your projects ory list projects  # Use the correct project ory use project <your-project-id>

## 2. Check if the namespace exists You need to ensure the "Articles" namespace exists in your permission system. If you're using Ory Network, you can check this in the Ory Console under the Permissions section. ## 3. Create the necessary relationship tuples If the namespace exists but the specific relationship doesn't, you'll need to create it first:

bash # Create a relationship tuple ory create relation-tuples --namespace Articles --object Article:abcdefg12345 --relation read --subject-id User:fdff2bff-7604-4a58-baf7-550ce7ae4419

## 4. Verify the correct syntax Make sure you're using the correct syntax for the permission check:

bash ory is allowed --namespace Articles --object Article:abcdefg12345 --relation read --subject-id User:fdff2bff-7604-4a58-baf7-550ce7ae4419

## 5. Check API endpoint configuration If you're using a self-hosted Keto instance, ensure your CLI is configured to use the correct API endpoints:

bash # Set the read API endpoint ory keto set-read-remote <your-read-api-url>  # Set the write API endpoint ory keto set-write-remote <your-write-api-url>

The "NotFound" error specifically indicates that either the namespace, the object, or the relationship between them doesn't exist in your permission system. You'll need to create these resources before you can check permissions on them.

Based on your error message, it seems you need to configure the Ory CLI to use the correct endpoints for your Ory Keto instance. Here's how to do that: ## Configure Ory CLI for Keto Endpoints If you're using a self-hosted Keto instance, you need to tell the CLI where your read and write API endpoints are located:

bash # Set the read API endpoint (typically port 4466) ory keto set-read-remote <http://localhost:4466>  # Set the write API endpoint (typically port 4467) ory keto set-write-remote <http://localhost:4467>

Replace

localhost

with the appropriate hostname if your Keto instance is running on a different machine. ## Verify the Configuration After setting the endpoints, you can verify the configuration:

bash # Check the current read remote ory keto get-read-remote  # Check the current write remote ory keto get-write-remote

## Using the CLI with Configured Endpoints Once configured, you can run your permission check:

bash ory keto check User:fdff2bff-7604-4a58-baf7-550ce7ae4419 read Articles Article:abcdefg12345

## For Ory Network Users If you're using Ory Network instead of self-hosted Keto, you should authenticate and select your project instead:

bash # Authenticate with Ory Network ory auth  # List your projects ory list projects --workspace <workspace-id>  # Use the correct project ory use project <project-id>

Then you can use the permission check commands without needing to set remote endpoints. [Keto CLI Documentation](https://www.ory.sh/docs/keto/cli/keto) If you're still encountering issues, make sure your Keto server is running and accessible from your machine.

@chilly-king-10285 Error: unknown command “keto” for “ory”

I see you're encountering an error when trying to use the

ory keto

command. This error occurs because the Ory CLI doesn't have a direct

keto

subcommand. Let me explain the correct approach: ## Using Ory CLI with Keto When working with Ory Permissions (powered by Keto) through the Ory CLI, you need to use the appropriate permission-related commands directly:

bash # For permission checks ory is allowed --namespace Articles --object Article:abcdefg12345 --relation read --subject-id User:fdff2bff-7604-4a58-baf7-550ce7ae4419

## Using Standalone Keto CLI If you want to use the Keto-specific CLI commands (like

keto check

), you need to install the standalone Keto CLI, which is separate from the Ory CLI: ### Install Keto CLI You can install the standalone Keto CLI using one of these methods: #### Linux

bash bash <(curl <https://raw.githubusercontent.com/ory/meta/master/install.sh>) -d -b . keto sudo mv ./keto /usr/local/bin/

#### macOS

bash brew install ory/tap/keto

#### Windows

bash scoop bucket add ory <https://github.com/ory/scoop.git> scoop install keto

#### Docker

bash docker pull oryd/keto:<version-you-want> docker run --rm -it oryd/keto:<version-you-want> help

After installation, you can use the Keto CLI directly:

bash # Set the read API endpoint export KETO_READ_REMOTE="127.0.0.1:4466"  # Run the check command keto check User:fdff2bff-7604-4a58-baf7-550ce7ae4419 read Articles Article:abcdefg12345

[Keto Installation](https://www.ory.sh/docs/keto/install) [Keto CLI Documentation](https://www.ory.sh/docs/keto/cli/keto) Let me know if you need further assistance with installing or using the Keto CLI!