Skip to main content

Configure Permission Service

Using the Ory CLI, you can quickly adjust the configuration of the Ory Cloud Permission Service and apply config from the Cloud environment to self-hosted Ory Keto instances.

tip

Ory Keto is the open-source project that powers the Ory Cloud Permission Service.

This feature is useful for fluently moving your local setup to the Cloud, or for working on the configuration and testing different settings in the safety of the local development environment.

To work with the Ory Cloud Permission Service, you must have an active Ory Cloud project. Use the CLI or the Ory Console to create one.

Export configuration from Ory Cloud

To get your project's Permission Service configuration, run this command:

info

You must be signed in to an Ory Cloud account to perform this action. Read this document to learn more.

## List all available projects
ory list projects

## Get config
ory get permission-config <project-id> --format yaml

The --format flag defines the format of the output file. You can choose one of yaml ,json, or json-pretty.

Getting the configuration in the YAML format produces output that is ready to use with self-hosted Ory Keto.

Export to file

For a convenient way to get the Permission Service configuration working in self-hosted Ory Keto, save the configuration to a YAML file.

Run this command:

ory get permission-config <project-id> --format yaml > permission-config.yaml

Import configuration to Ory Cloud

To start using the configuration from a self-hosted Ory Keto instance in the Ory Cloud Permission Service, import the configuration file with the CLI:

ory update permission-config <project-id> --file permission-config.yaml

Adjust specific keys

You can adjust specific keys in the configuration using the ory patch CLI command.

Running this sample command sets the /limit/max_read_depth key value to 3:

ory patch permission-config <project-id> \
--replace '/limit/max_read_depth=3'
note

Read this document to learn more about adjusting project configuration with the Ory CLI.

Manage relation tuples

You can manage relation tuples using Ory CLI. To run these operations, you must provide the ID of the Ory Cloud project in which you want to manage the tuples using the --project flag.

For convenience, you can export the ID of your project as an environment variable and use the variable with the --project flag instead of passing the project ID directly in the command:

info

Examples in this section use the environment variable. To try them out without making adjustments, export your project ID as an environment variable.

## List all available projects
ory list projects

## Export project ID as env. variable
export PROJECT=<ory-cloud-project-id>

Create

Read the Ory CLI reference to learn more about this command.

echo "groups:devs#member@tom" \
| ory parse relation-tuples --project=$PROJECT --format=json \
| ory create relation-tuples --project=$PROJECT
# NAMESPACE OBJECT RELATION NAME SUBJECT
# groups devs member tom

List

Read the Ory CLI reference to learn more about this command.

ory list relation-tuples --project=$PROJECT
# NAMESPACE OBJECT RELATION NAME SUBJECT
# groups devs member tom
#
# NEXT PAGE TOKEN
# IS LAST PAGE true

Delete

Read the Ory CLI reference to learn more about this command.

ory delete relation-tuples --project=$PROJECT --all
# WARNING: This operation is not reversible. Please use the `--force` flag to proceed.
# These tuples would be deleted:
#
# NAMESPACE OBJECT RELATION NAME SUBJECT
# groups devs member tom
#
# NEXT PAGE TOKEN
# IS LAST PAGE true

## Delete the tuple(s) after making sure this is what you want to do.
ory delete relation-tuples --project=$PROJECT --all --force