Permissions
Use auth.permissions for permission grants, revocations, search, and
operation status checks. Permission operations return references; poll those
references before treating the change as complete.
Grant permissions

    operation = auth.permissions.grant_person(
        subject_type="pesel",
        subject_value="90010112345",
        permissions=["invoice_read"],
        description="Read invoices",
        first_name="Jan",
        last_name="Kowalski",
    )

    from ksef2.domain.models import EntityPermission

    operation = auth.permissions.grant_entity(
        subject_value="1234567890",
        permissions=[EntityPermission(type="invoice_read", can_delegate=False)],
        description="Accounting office read access",
        entity_name="Accounting Sp. z o.o.",
    )

    operation = auth.permissions.grant_authorization(
        subject_type="nip",
        subject_value="1234567890",
        permission="self_invoicing",
        description="Self-invoicing agreement",
        entity_name="Partner Sp. z o.o.",
    )

Check operation status

    status = auth.permissions.get_operation_status(
        reference_number=operation.reference_number,
    )
    print(status.status.code, status.status.description)

Query and revoke

    from ksef2.domain.models import PersonalPermissionsQuery

    page = auth.permissions.query_personal(
        query=PersonalPermissionsQuery(permission_types=["invoice_read"]),
    )
    for permission in page.permissions:
        print(permission.id, permission.permission_state)

Use the returned permission id for revocation:

    auth.permissions.revoke_common(permission_id="permission-id")
    auth.permissions.revoke_authorization(permission_id="authorization-id")

Attachments

    status = auth.permissions.get_attachment_permission_status()
    print(status.is_attachment_allowed)

Recommended flow
- Grant the smallest permission set required by the target subject.
- Persist the operation reference returned by KSeF.
- Poll operation status before exposing the permission in your application.
- Query permissions to collect ids for audits or revocation.
- Revoke by permission id when access should end.
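
The polling step of this flow, as an added example (not code from the ksef2 project): a bounded, fail-closed wait that reports success only once the operation is confirmed. The names `wait_for_operation`, `OperationFailed` and `FakePermissions` are hypothetical, and the integer status codes (200 for applied, lower values for still processing, higher values for failure) are an assumption not stated on this page.

```python
import time
from types import SimpleNamespace

# Assumed status codes (not stated on this page): 200 = applied, < 200 = processing.
SUCCESS_CODE = 200


class OperationFailed(Exception):
    """The operation ended in a non-success state."""


def wait_for_operation(permissions, reference_number, *, timeout=60.0,
                       interval=1.0, max_interval=10.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Poll until the operation succeeds; fail closed on error or timeout."""
    deadline = clock() + timeout
    while True:
        result = permissions.get_operation_status(reference_number=reference_number)
        code = result.status.code
        if code == SUCCESS_CODE:
            return result
        if code > SUCCESS_CODE:
            raise OperationFailed(f"{reference_number}: {code} {result.status.description}")
        if clock() + interval > deadline:
            raise TimeoutError(f"{reference_number}: still pending after {timeout}s")
        sleep(interval)
        interval = min(interval * 2, max_interval)  # back off between polls


class FakePermissions:
    """Constructed stand-in for auth.permissions so the example runs offline."""

    def __init__(self, codes):
        self._codes = list(codes)
        self.calls = 0

    def get_operation_status(self, *, reference_number):
        self.calls += 1
        code = self._codes.pop(0) if len(self._codes) > 1 else self._codes[0]
        return SimpleNamespace(status=SimpleNamespace(code=code, description=f"code {code}"))


def demo():
    fake = FakePermissions([100, 100, 200])  # constructed status sequence
    done = wait_for_operation(fake, "REF-EXAMPLE", sleep=lambda s: None)
    return done.status.code, fake.calls
```

With the real client, pass `auth.permissions` and the persisted `operation.reference_number`, and record the grant as active in your application only after the call returns without raising.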