Skip to main content

How to use Prisma ORM with Permit.io

15 min

Introduction

Permit.io is an authorization-as-a-service platform that lets you implement fine-grained access control rules based on real-world relationships.

This guide explains how to connect Permit.io to a new Express + Prisma app, define a Relationship-Based Access Control (ReBAC) policy, and automatically filter Prisma queries so users only see the data they're allowed to access.

You'll build a small project-task API to demonstrate access inheritance in action - no manual WHERE clauses required.

You can find a complete example of this guide here.

Prerequisites

1. Set up your project

First of all, you'll create a new Express + Prisma project from scratch using TypeScript. You'll also install the tools needed to support ReBAC filtering with Permit.io.

1.1 Create the project folder

mkdir prisma-rebac-filtering
cd prisma-rebac-filtering
npm init -y

1.2 Install the required dependencies

Install application and development dependencies:

npm install express cors dotenv @prisma/client
npm install -D prisma typescript tsx

Then, initialize your Prisma setup:

npx prisma init

This creates a prisma/ directory with a default schema.prisma file and a .env file at the root.

1.3 Set up your TypeScript config

Create a tsconfig.json file:

{
  "compilerOptions": {
    "target": "ES2020",
    "module": "CommonJS",
    "moduleResolution": "node",
    "esModuleInterop": true,
    "forceConsistentCasingInFileNames": true,
    "strict": true,
    "skipLibCheck": true,
    "outDir": "dist"
  },
  "include": ["src", "scripts"]
}

1.4 Create your folder structure

Set up your project folders:

mkdir -p src/controllers src/middleware src/config scripts

You're now ready to define your Prisma data model.

2. The authorization model

Before we continue with the setup, it's important to define how access control will work in your application.

This guide uses Relationship-Based Access Control (ReBAC) to automatically restrict database queries based on a user's relationship to the data.

Let's see what this looks like:

ReBAC authorization model

Scenario overview

You're building a project management API that supports team-level access controls. Each project belongs to a team (like Marketing or Engineering), and users should only be able to access the projects—and their associated tasks—that they're assigned to.

This is a perfect use case for ReBAC, because:

  • Access depends on relationships between users and data (e.g., team membership)
  • You want task access to inherit from project access
  • You want to avoid manually checking permissions in every controller

Resources

These are the main data entities you'll protect:

  • Project: Represents a team-specific workspace that may contain business-critical data (timelines, budgets, client deliverables).
  • Task: Represents an item of work that belongs to a project

Relationships

  • Projects contain tasks (Project → Task)
  • Users are members of projects (User → Project)

Instance-level roles

Instance-level roles describe what users can do with specific resources:

RoleDescription
project#MemberUser can access a specific project
task#MemberUser can access tasks in that project

Role derivation

ReBAC lets you automatically derive roles based on relationships. In this case:

  • If a user is a project#Member, they automatically become a task#Member for all tasks within that project.
  • New tasks inherit project access—no need to update permissions manually.

Access policies

Once relationships and roles are defined, access policies determine what users can do:

RoleActionResource
project#MemberreadProject
task#MemberreadTask

This model ensures that:

  • Users can only access the projects and tasks they're assigned to
  • No cross-team visibility
  • Access automatically stays in sync with the business structure

Access control planning

3. Define your data model

To support permission-aware data filtering, you need to structure your database so that relationships are clearly defined. In this case, every Task belongs to a Project, and users gain access to tasks by being members of the parent project.

3.1 Update your Prisma schema

Open prisma/schema.prisma and replace the contents with the following:

prisma/schema.prisma
generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model Project {
  id        String   @id @default(uuid())
  name      String
  tasks     Task[]   // One-to-many relationship for permission inheritance
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
}

model Task {
  id          String   @id @default(uuid())
  name        String
  description String?
  projectId   String
  project     Project  @relation(fields: [projectId], references: [id])
  createdAt   DateTime @default(now())
  updatedAt   DateTime @updatedAt
}

3.2 Run your first migration

To create the database schema:

npx prisma migrate dev --name init

This will:

  • Apply your schema to the connected PostgreSQL database
  • Generate your Prisma Client
  • Create tables for Project and Task with a one-to-many relationship

3.3 Confirm the structure

You can open Prisma Studio to inspect your database:

npx prisma studio

This structure allows the @permitio/permit-prisma extension to filter records by user relationships at query time. Next, you'll seed test data to simulate distinct team ownership over projects and tasks.

4. Seed test data with project boundaries

To test your data filtering logic, you'll create two projects, each with its own set of tasks. This separation simulates team ownership and will allow you to validate that users only see the data of their assigned project.

4.1 Create the seed script

Create a new file at scripts/seed.ts and add the following:

import { PrismaClient } from '@prisma/client';

const prisma = new PrismaClient();

async function main() {
  console.log('🌱 Seeding test data...');

  // Clear existing records
  await prisma.task.deleteMany();
  await prisma.project.deleteMany();

  // Create Project Alpha for the Marketing team
  const projectAlpha = await prisma.project.create({
    data: {
      id: 'project_alpha',
      name: 'Marketing Campaign Q2',
    },
  });

  // Create Project Beta for the Engineering team
  const projectBeta = await prisma.project.create({
    data: {
      id: 'project_beta',
      name: 'API Development Sprint',
    },
  });

  // Add tasks to Project Alpha
  await prisma.task.createMany({
    data: [
      {
        id: 'task-alpha-1',
        name: 'Strategy Planning',
        description: 'Define campaign goals and KPIs',
        projectId: projectAlpha.id,
      },
      {
        id: 'task-alpha-2',
        name: 'Budget Review',
        description: 'Review marketing budget with finance',
        projectId: projectAlpha.id,
      },
    ],
  });

  // Add tasks to Project Beta
  await prisma.task.createMany({
    data: [
      {
        id: 'task-beta-1',
        name: 'Implement Auth API',
        description: 'Create endpoints for user login/signup',
        projectId: projectBeta.id,
      },
      {
        id: 'task-beta-2',
        name: 'Schema Migration',
        description: 'Update tables for new user roles',
        projectId: projectBeta.id,
      },
    ],
  });

  console.log('✅ Seeded 2 projects and 4 tasks with distinct ownership');
}

main()
  .catch((e) => {
    console.error('❌ Error seeding data:', e);
    process.exit(1);
  })
  .finally(async () => {
    await prisma.$disconnect();
  });

4.2 Run the seed script

npx tsx scripts/seed.ts

If successful, you'll see:

✅ Seeded 2 projects and 4 tasks with distinct ownership


At this point, if you run a query like `prisma.task.findMany()`, it will return all tasks. In the next steps, you'll connect Permit.io to filter these results automatically based on the user's access rights.

## 5. Install and configure ReBAC filtering

In this section, you'll install the `@permitio/permit-prisma` extension and configure it to automatically filter Prisma queries based on your access control policies.

### 5.1 Install the Permit extension

Install the `permit-prisma` package:

```terminal
npm install @permitio/permit-prisma

5.2 Configure the Permit client

Create a new file at src/config/permit-config.ts:

import dotenv from 'dotenv';
dotenv.config();

export const clientExtensionConfig = {
  permitConfig: {
    token: process.env.PERMIT_API_KEY!, // Your Permit.io API key
    pdp: process.env.PERMIT_PDP_URL || 'http://localhost:7766', // Local or cloud PDP
    debug: true,
  },
  enableAutomaticChecks: true,
  enableDataFiltering: true,     // Enables automatic query filtering
  enableResourceSync: true       // (Optional) Keeps Permit in sync with resource changes
};
API Key

You can find your API key and PDP URL in your Permit.io dashboard.

5.3 What this configuration does

When you later extend the Prisma Client with this config:

  • All Prisma queries will automatically check access rules
  • findMany() and similar methods will only return data the user is allowed to access
  • You no longer need to manually add WHERE clauses to enforce permissions

You're now ready to define your ReBAC policy using the Permit CLI.

6. Define your access control policy in Permit.io

Next, you'll use the Permit CLI to apply a ready-made ReBAC template that matches your project-task structure.

6.1 Install the Permit CLI

npm install -g @permitio/cli

6.2 Log in to your Permit account

Use the CLI to authenticate:

permit login

This opens a browser window where you can log in to your Permit.io account and link your CLI session to an environment.

6.3 Apply the ReBAC policy template

Permit provides a prebuilt policy structure for hierarchical data filtering.

Apply it using:

permit env template apply --template orm-data-filtering

This will create:

  • Resources: project, task
  • Relationships: project is the parent of task
  • Roles:
    • project#Member: User can access a specific project
    • task#Member: Derived from project membership
  • Access policies: Users with the appropriate roles can read each resource

6.4 View the policy in the Permit UI

Go to the Permit.io dashboard and navigate to your environment to explore:

  • Your resource graph
  • Role derivations
  • Relationship mappings
  • Policy rules for read access
info

These rules are used by the @permitio/permit-prisma extension to determine which records to return for each user—automatically.

With your policy in place, you're now ready to wire up user context and filtering logic in your Express middleware.

7. Add middleware to set user context

To filter Prisma queries per user, you need to:

  1. Identify the current user (simulated via an email header)
  2. Attach the filtered Prisma Client instance to the request
  3. Set the user in the Permit context (prisma.$permit.setUser())

7.1 Create the middleware file

Create a new file: src/middleware/auth.middleware.ts

import { Request, Response, NextFunction } from 'express';
import { PrismaClient } from '@prisma/client';
import createPermitClientExtension from '@permitio/permit-prisma';
import { clientExtensionConfig } from '../config/permit-config';

// Extend PrismaClient with Permit
const prisma = new PrismaClient().$extends(
  createPermitClientExtension(clientExtensionConfig)
);

// Extend Request type with Prisma and user context
export interface AuthRequest extends Request {
  user?: { email: string };
  prisma?: typeof prisma;
}

export const authenticate = (
  req: AuthRequest,
  res: Response,
  next: NextFunction
): void => {
  const userEmail = req.headers['x-user-email'] as string;

  if (!userEmail) {
    res.status(401).json({ error: 'Missing user email' });
    return;
  }

  // Register the user in Permit context
  prisma.$permit.setUser(userEmail);

  // Add user + Prisma client to request
  req.user = { email: userEmail };
  req.prisma = prisma;

  next();
};
Going to prod.

In a production app, you'd replace the x-user-email header with proper authentication logic (e.g. JWT or session validation).

7.2 What this middleware does

  • Reads the user's email from the request header
  • Sets the user identity in the Permit context (used for query filtering)
  • Adds the filtered Prisma client to the request object (req.prisma)
  • Makes the user and database client available to all downstream route handlers

You're now ready to build your API endpoints without writing a single line of access control logic.

8. Build your API endpoints

You'll now create two endpoints:

  • GET /api/projects: returns all projects the user has access to
  • GET /api/tasks: returns all tasks the user has access to (inherited from project membership)

Thanks to the Permit-Prisma integration, you won't need to add any manual filtering logic—it's handled automatically.

8.1 Get user-visible projects

Create a controller file: src/controllers/project.controller.ts

import { Response } from 'express';
import { AuthRequest } from '../middleware/auth.middleware';

export const getProjects = async (req: AuthRequest, res: Response) => {
  try {
    const prisma = req.prisma!;

    const projects = await prisma.project.findMany(); // Auto-filtered

    res.json({
      user: req.user?.email,
      count: projects.length,
      projects,
    });
  } catch (error: any) {
    console.error('Error fetching projects:', error);
    res.status(500).json({ error: error.message });
  }
};

Even though this is a raw findMany() query, only authorized records will be returned for the current user.

8.2 Get user-visible tasks

Create another controller: src/controllers/task.controller.ts

import { Response } from 'express';
import { AuthRequest } from '../middleware/auth.middleware';

export const getTasks = async (req: AuthRequest, res: Response) => {
  try {
    const prisma = req.prisma!;
    const projectId = req.query.projectId as string;

    const where = projectId ? { projectId } : undefined;

    const tasks = await prisma.task.findMany({ where }); // Still filtered

    res.json({
      user: req.user?.email,
      count: tasks.length,
      tasks,
    });
  } catch (error: any) {
    console.error('Error fetching tasks:', error);
    res.status(500).json({ error: error.message });
  }
};
projectId

Even if you provide a projectId manually, the query results are still filtered by permissions.

8.3 What this demonstrates

  • You can write normal Prisma queries
  • Users will only get records they're allowed to see
  • You don't need custom role-checking logic in every handler
  • Task access is automatically derived from project membership

You're now ready to wire it all together and launch the app.

9.1 Create your Express app

Create src/app.ts:

import express from 'express';
import cors from 'cors';
import { authenticate } from './middleware/auth.middleware';
import { getProjects } from './controllers/project.controller';
import { getTasks } from './controllers/task.controller';

const app = express();
const PORT = process.env.PORT || 3000;

app.use(cors());
app.use(express.json());

// Auth middleware applies ReBAC filtering per request
app.get('/api/projects', authenticate, getProjects);
app.get('/api/tasks', authenticate, getTasks);

app.listen(PORT, () => {
  console.log(`🚀 Server running at http://localhost:${PORT}`);
  console.log(`🔐 ReBAC filtering is now active`);
});

9.2 Run the server

Start the development server with:

npx tsx src/app.ts

If everything is set up correctly, the console will display:

🚀 Server running at http://localhost:3000
🔐 ReBAC filtering is now active

9.3 Test your API

You can simulate requests as different users by setting the x-user-email header. This mimics logged-in users with access to specific projects.

Example: John (Marketing team member)

curl -H "x-user-email: john@company.com" http://localhost:3000/api/projects

This should only return Project Alpha (and its tasks).

Example: Mary (Engineering team member)

curl -H "x-user-email: mary@company.com" http://localhost:3000/api/tasks

This should only return tasks from Project Beta.

tip

If you haven't yet assigned users to project memberships in the Permit.io UI, visit the Policy Editor and assign users to roles (project#Member).

Once you've confirmed these results, your Prisma API is now enforcing secure, relationship-based access control, all without adding manual filtering logic anywhere in your code.

You've now built a secure API that:

  • Filters query results based on user relationships
  • Uses ReBAC to avoid role explosion and brittle permission logic
  • Keeps Prisma queries clean, safe, and scalable

10. Next steps

Now that you've successfully implemented data filtering with Prisma and ReBAC, you can extend this foundation to support more complex authorization use cases and developer tooling.

Extend your model

  • Add a User model and create a many-to-many Membership relationship between users and projects.
  • Introduce instance-level roles like Editor or Owner with different permissions.
  • Support additional actions like create, update, and delete, using Permit.io's role policies.

Add authentication

Integrate your API with an auth provider (e.g., Clerk, Auth0) and replace the x-user-email header with a secure identity mechanism (like a JWT token).

Use Permit Elements

Permit.io provides UI components for:

  • Managing user access visually
  • Reviewing access logs
  • Approving access requests (MCP)

Explore Permit Elements to make access management easier for your end users or admins.

More resources


Stay connected with Prisma

Continue your Prisma journey by connecting with our active community. Stay informed, get involved, and collaborate with other developers:

We genuinely value your involvement and look forward to having you as part of our community!