
Permit Elements Enables Low-Code User-Managed Access Control

has released Permit Elements, a low-code end-user authentication interface builder. Permit Elements allows developers to embed interfaces enabling their end-users to decide which roles have permission to perform actions. At the time of release, there are elements available for user management and audit logs. is built on top of the open-source tools Open Policy Agent (OPA) and Open Policy Administration Layer (OPAL). It provides SDKs and APIs to add decision and enforcement points within applications. The Backoffice provides a set of low-code tools that facilitate assigning roles and permissions to users.

[Figure: High-level architecture]

Permit Elements allows developers to embed interfaces within their application that allow end-users to have control in assigning users to roles. This is done by assigning roles to permission levels. There are five permission levels available including Workspace Owner, Manager, Viewer, Assignable Roles, and Hidden Roles. For example, a Viewer can only view the element but not make changes to it, whereas an Assignable Role is given permission controlled by the element, but is not able to view the element itself.

[Figure: Permit Elements user management interface]

To use the element, will need to be initialized in the backend of the application. A route will need to be created that permits the end-user to login_as themselves and gain access to the element. This route can be done using cookies, bearer token, or other headers. Finally, early within the application lifecycle, between confirming the user's identity and loading the embedded component, the route should be called to initialize Permit Elements:

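import permit, { LoginMethod } from '@permitio/permit-js';
permit.elements.login({
    loginUrl: '', // URL of the backend login route; the value is missing from the source
    tenant: 'your_tenant_key',
    loginMethod: LoginMethod.bearer
}).then((res: any) => { // optional: handle success
}).catch((err: any) => { // handle error
});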

Within the application code, the end-user-assigned roles and permissions can be validated using the SDK. The following example checks if the user has permission for the action create against the resource document:

// The first argument identifies the user; its value is missing from the source.
const permitted = await permit.check("", "create", "document");
if (permitted) {
  console.log("User is PERMITTED to create a document");
} else {
  console.log("User is NOT PERMITTED to create a document");
}
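The check above only logs its result. As an added example (not code from the article or from the SDK), the wrapper below shows a fail-closed enforcement point around any function with the same `check(user, action, resource)` shape, recording every decision for audit. The names `enforce`, `stubCheck`, `brokenCheck`, `sloppyCheck` and `hangingCheck` are hypothetical, and the sample grant is constructed.

```javascript
// Added example. `check` is any function shaped like check(user, action, resource);
// the stand-ins at the bottom are constructed and do not call a real service.

// Wrap a policy check so that every failure mode results in a denial.
async function enforce(check, user, action, resource, { timeoutMs = 500, audit = [] } = {}) {
  const record = { user, action, resource, allowed: false, reason: "denied by policy" };
  let timer;
  try {
    if (!user) throw new Error("missing user key"); // never ask about an anonymous caller
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error("decision point timeout")), timeoutMs);
    });
    const result = await Promise.race([check(user, action, resource), timeout]);
    // Only the boolean `true` grants access; truthy strings or objects do not.
    if (result === true) {
      record.allowed = true;
      record.reason = "permitted by policy";
    } else if (result !== false) {
      record.reason = "non-boolean decision";
    }
  } catch (err) {
    record.reason = `check failed: ${err.message}`; // the error path stays denied
  } finally {
    clearTimeout(timer);
  }
  audit.push(record); // every decision, including denials, is recorded
  return record;
}

// Constructed stand-ins for the decision point (assumptions, not the real SDK).
const grants = new Set(["alice:create:document"]);
const stubCheck = async (u, a, r) => grants.has(`${u}:${a}:${r}`);
const brokenCheck = async () => { throw new Error("PDP unreachable"); };
const sloppyCheck = async () => "yes";
const hangingCheck = () => new Promise(() => {});
```

An empty user key, an unreachable or slow decision point, and a non-boolean answer all end in `allowed: false` with a distinct `reason` in the audit record.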

The release also includes an audit log element. This provides access to the audit logs generated by, tracking all authentication and authorization events in the system. Both elements can be customized for look and feel and are embeddable as iframes. also provides anomaly detection and identity protection. Similar to Amazon GuardDuty, analyzes user patterns and reports anomalous behavior by sending alerts to either application managers or end-users. Or Weis, CEO of, described this feature as "built-in and seamless user behavior analytics, providing early detection to account takeovers or accounts otherwise turning malicious."

An opt-in identity protection feature is available that requires sharing identity information with Weis explains that this data is used by

together with its own internet scanning tools and partner solutions for identity protection. When an identity used in a Permit-protected product is found to have leaked, e.g. as part of a data breach or attack, alerts are sent to the application managers and/or the end-customers themselves.

Permit Elements is available to users. More details about the release can be found on the blog.
