---
# Naftiko capability: wraps the Paragon Managed Sync Permissions HTTP API and
# re-exposes its five POST operations as MCP tools.
# NOTE(review): the source had its line breaks and indentation collapsed; the
# nesting below is reconstructed from key order. Confirm against the original.
naftiko: '1.0.0-alpha2'

info:
  label: Paragon Managed Sync — Permissions
  description: >-
    ReBAC-style permissions API over synced records. Check access, list
    users/objects, and expand relationships to enforce source-system
    permissions in RAG retrieval.
  tags:
    - Paragon
    - Managed Sync
    - Permissions
    - ReBAC
    - RAG
  created: '2026-05-22'
  modified: '2026-05-22'

# Values are taken from the environment, so no secret is stored in this file.
# NOTE(review): PARAGON_PROJECT_ID is bound here but never referenced below;
# every tool takes projectId from its caller instead. Confirm that is intended.
binds:
  - namespace: env
    keys:
      PARAGON_USER_TOKEN: PARAGON_USER_TOKEN
      PARAGON_PROJECT_ID: PARAGON_PROJECT_ID

capability:
  consumes:
    - type: http
      namespace: managed-sync-permissions
      baseUri: https://managed-sync.useparagon.com
      description: Paragon Managed Sync Permissions API consumer.
      # Each resource has one POST operation. The request body is declared only
      # as a generic object, so nothing in this file constrains its shape.
      resources:
        - name: projects-projectId-permissions-check-access
          path: /projects/{projectId}/permissions/check-access
          operations:
            - name: checkAccess
              method: POST
              description: Paragon Check Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true

        - name: projects-projectId-permissions-batch-check-access
          path: /projects/{projectId}/permissions/batch-check-access
          operations:
            - name: batchCheckAccess
              method: POST
              description: Paragon Batch Check Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true

        - name: projects-projectId-permissions-list-users
          path: /projects/{projectId}/permissions/list-users
          operations:
            - name: listUsers
              method: POST
              description: Paragon List Users With Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true

        - name: projects-projectId-permissions-list-objects
          path: /projects/{projectId}/permissions/list-objects
          operations:
            - name: listObjects
              method: POST
              description: Paragon List Objects With Access
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true

        - name: projects-projectId-permissions-expand
          path: /projects/{projectId}/permissions/expand
          operations:
            - name: expandRelationships
              method: POST
              description: Paragon Expand Permission Relationships
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: projectId
                  in: path
                  type: string
                  required: true
                - name: body
                  in: body
                  type: object
                  required: true

      # One bearer token authenticates every outbound call, so all MCP callers
      # act with the same upstream identity.
      # NOTE(review): confirm the token is scoped to the minimum needed for
      # permission lookups.
      authentication:
        type: bearer
        token: '{{env.PARAGON_USER_TOKEN}}'

  exposes:
    # NOTE(review): the adapter listens on port 9093 with transport http, and
    # this file declares no authentication for it. Confirm how access to the
    # listener is restricted (bind address, network policy, or an
    # authenticating proxy), since anyone who can reach it can query permission
    # data with the token above.
    - type: mcp
      namespace: managed-sync-permissions-mcp
      port: 9093
      transport: http
      description: MCP adapter for Managed Sync Permissions.
      # Every tool forwards projectId and body to the upstream call as given.
      # NOTE(review): presumably tools.projectId and tools.body are the
      # caller's tool arguments (verify). When these checks gate RAG
      # retrieval, the subject in the body should come from the authenticated
      # session and not from model- or user-supplied text.
      tools:
        - name: paragon-permissions-check-access
          description: Check whether a subject has a given relation to an object.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.checkAccess
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: paragon-permissions-batch-check-access
          description: Batch access checks in a single call.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.batchCheckAccess
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        # The list and expand tools return who can reach which object. That is
        # sensitive metadata even though the tools are marked readOnly.
        - name: paragon-permissions-list-users
          description: List subjects with access to an object.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.listUsers
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: paragon-permissions-list-objects
          description: List objects a subject has the requested relation to.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.listObjects
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: paragon-permissions-expand
          description: Expand the relationship tree for a (subject, relation, object) tuple.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: managed-sync-permissions.expandRelationships
          with:
            projectId: tools.projectId
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.