Paragon · Capability

Paragon Managed Sync — Permissions

ReBAC-style permissions API over synced records. Check access, list users/objects, and expand relationships to enforce source-system permissions in RAG retrieval.

Paragon Managed Sync — Permissions is a Naftiko capability published by Paragon, one of 10 capabilities the APIs.io network indexes for this provider. It bundles 5 operations.

The capability includes 5 read-only operations. Lead operation: Check whether a subject has a given relation to an object. Can be deployed as a REST endpoint, MCP tool, or Agent Skill via Naftiko.

Tagged areas include Paragon, Managed Sync, Permissions, ReBAC, and RAG.

Run with Naftiko ParagonManaged SyncPermissionsReBACRAG

MCP Tools

paragon-permissions-check-access

Check whether a subject has a given relation to an object.

read-only idempotent
paragon-permissions-batch-check-access

Batch access checks in a single call.

read-only idempotent
paragon-permissions-list-users

List subjects with access to an object.

read-only idempotent
paragon-permissions-list-objects

List objects a subject has the requested relation to.

read-only idempotent
paragon-permissions-expand

Expand the relationship tree for a (subject, relation, object) tuple.

read-only idempotent

Capability Spec

managed-sync-permissions.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Paragon Managed Sync — Permissions
  description: ReBAC-style permissions API over synced records. Check access, list users/objects, and expand relationships to enforce source-system permissions in RAG retrieval.
  tags:
    - Paragon
    - Managed Sync
    - Permissions
    - ReBAC
    - RAG
  created: '2026-05-22'
  modified: '2026-05-22'
binds:
  - namespace: env
    keys:
      PARAGON_USER_TOKEN: PARAGON_USER_TOKEN
      PARAGON_PROJECT_ID: PARAGON_PROJECT_ID
capability:
  consumes:
    - type: http
      namespace: managed-sync-permissions
      baseUri: https://managed-sync.useparagon.com
      description: Paragon Managed Sync Permissions API consumer.
      resources:
        - name: projects-projectId-permissions-check-access
          path: /projects/{projectId}/permissions/check-access
          operations:
            - name: checkAccess
              method: POST
              description: Paragon Check Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true
        - name: projects-projectId-permissions-batch-check-access
          path: /projects/{projectId}/permissions/batch-check-access
          operations:
            - name: batchCheckAccess
              method: POST
              description: Paragon Batch Check Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true
        - name: projects-projectId-permissions-list-users
          path: /projects/{projectId}/permissions/list-users
          operations:
            - name: listUsers
              method: POST
              description: Paragon List Users With Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true
        - name: projects-projectId-permissions-list-objects
          path: /projects/{projectId}/permissions/list-objects
          operations:
            - name: listObjects
              method: POST
              description: Paragon List Objects With Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true
        - name: projects-projectId-permissions-expand
          path: /projects/{projectId}/permissions/expand
          operations:
            - name: expandRelationships
              method: POST
              description: Paragon Expand Permission Relationships
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true
      authentication:
        type: bearer
        token: '{{env.PARAGON_USER_TOKEN}}'
  exposes:
    - type: mcp
      namespace: managed-sync-permissions-mcp
      port: 9093
      transport: http
      description: MCP adapter for Managed Sync Permissions.
      tools:
        - name: paragon-permissions-check-access
          description: Check whether a subject has a given relation to an object.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.checkAccess
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: paragon-permissions-batch-check-access
          description: Batch access checks in a single call.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.batchCheckAccess
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: paragon-permissions-list-users
          description: List subjects with access to an object.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.listUsers
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: paragon-permissions-list-objects
          description: List objects a subject has the requested relation to.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.listObjects
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: paragon-permissions-expand
          description: Expand the relationship tree for a (subject, relation, object) tuple.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.expandRelationships
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.