Skip to main content
Evaluates permissions against the caller’s effective grants. Each positional argument is a permission string in {kind}.{verb} format. The command prints a table showing whether each permission is granted or denied, and exits non-zero if any check is denied. Use this to verify what the current identity is allowed to do before attempting an operation, or to debug authorization issues.

Synopsis

murmur check-permissions [flags] <kind.verb> [kind.verb ...]

Arguments

NameTypeRequiredDescription
kind.verbstringyesOne or more permissions to check, each in {kind}.{verb} format (e.g. agent.read, secret.edit).
--resourcestringnoCatalog resource ref in {kind}/{name} format, applied to all checks.

Output

A tab-aligned table with one row per permission checked:
ColumnDescription
PERMISSIONThe permission string that was evaluated.
GRANTEDyes if the caller has this permission, no if denied.
REASONExplanation of why the permission was granted or denied.
The command exits with a non-zero status if any permission is denied.

Examples

Check multiple permissions

murmur check-permissions agent.read agent.list agent.delete

PERMISSION      GRANTED  REASON
agent.read      yes      granted by role "developer"
agent.list      yes      granted by role "developer"
agent.delete    no       no matching grant

Check a permission against a specific resource

murmur check-permissions agent.edit --resource agent/my-task

PERMISSION    GRANTED  REASON
agent.edit    yes      granted by role "developer"

Errors

CodeMeaningWhat to do
INVALID_ARGUMENTA positional argument is not in {kind}.{verb} format, or --resource is not in {kind}/{name} format.Fix the argument format and retry.
UNAUTHENTICATEDIdentity token is missing or expired.Run murmur auth or check your murmur.local.yaml configuration.
non-zero exitOne or more permissions were denied.Review the output table to see which permissions were denied and why.