KesselInventoryService_Check
Performs an relationship check to determine whether a subject has a specific permission or relationship on a resource.
This API evaluates whether the provided subject is a member of the specified relation (e.g., “viewer”, “editor”, “admin”) on the target object. It answers the question: “Does subject X have relation Y on object Z?”
Common use cases include enforcing read access, conditional UI visibility, or authorization gating for downstream API calls.
Request Body required
Section titled “Request Body required ”object
Required parameters (from an authz perspective)
- resource type and id
- permission (cannot be derived from the type as a type may have multiple ‘read’ permissions. Ex: https://github.com/RedHatInsights/rbac-config/blob/master/configs/prod/schemas/src/notifications.ksl#L31)
- user (possibly derived from an identity token)
object
object
A reference to a Subject or, if a relation is provided, a Subject Set.
object
An optional relation which points to a set of Subjects instead of the single Subject.
e.g. “members” or “owners” of a group identified in subject.
object
object
Consistency requirement for the check operation. If not specified, standard server configuration defaults to minimizeLatency. Server deployments may override this default behavior (for example, to at_least_as_acknowledged).
object
The service selects the fastest snapshot available. Must be set true if used.
All data used in the API call must be at least as fresh as found in the ConsistencyToken. More recent data might be used if available or faster.
object
All data used in the API call must be at least as acknowledged,
meaning it includes data up to the latest write known to Inventory.
This aligns with ReportResource write visibility: when
write_visibility=IMMEDIATE, the write waits for acknowledgement, so a
subsequent read with at_least_as_acknowledged is guaranteed to be at
least as recent as that write.
Some deployments may use this behavior as the server-side default when
consistency is omitted.
Must be set true if used.
Responses
Section titled “ Responses ”OK
object
object
default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.