Paragon · Arazzo Workflow

Paragon Permissioned Synced Record Retrieval

Version 1.0.0

Pull a synced record, check the requester's access, and download its file content only if allowed.

1 workflow · 1 source API · 1 provider

Provider

paragon

Workflows

permissioned-record-retrieval
Resolve a synced record, enforce source-system permissions, then download content.
Pulls synced records, retrieves the chosen record, performs an access check for the requesting subject, and downloads the file content only when the check returns allowed.
4 steps · inputs: integration, object, projectId, recordId, relation, subject, syncType · outputs: allowed, content, permissions

1. pullSyncedRecords: Pull the first page of normalized records for the integration and sync type to establish the working set.
2. getSyncedRecord: Retrieve the full normalized record, including its captured source-system permissions, for the chosen record ID.
3. checkAccess: Run a ReBAC-style access check to confirm the requesting subject has the required relation to the object before any content is read.
4. downloadContent: Download the binary content of the file-type record now that access has been confirmed for the requesting subject.

Source API Descriptions

Arazzo Workflow Specification

paragon-permissioned-record-retrieval-workflow.yml
arazzo: 1.0.1
info:
  title: Paragon Permissioned Synced Record Retrieval
  summary: Pull a synced record, check the requester's access, and download its file content only if allowed.
  description: >-
    The permission-enforcing retrieval pattern for RAG over Managed Sync. The
    workflow pulls a page of synced records, fetches the full normalized record
    for a chosen ID, runs a ReBAC-style access check for the requesting subject,
    and branches: only when access is allowed does it download the file's binary
    content. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: managedSyncApi
  url: ../openapi/paragon-managed-sync-api-openapi.yml
  type: openapi
workflows:
- workflowId: permissioned-record-retrieval
  summary: Resolve a synced record, enforce source-system permissions, then download content.
  description: >-
    Pulls synced records, retrieves the chosen record, performs an access check
    for the requesting subject, and downloads the file content only when the
    check returns allowed.
  inputs:
    type: object
    required:
    - projectId
    - integration
    - syncType
    - recordId
    - subject
    - relation
    - object
    properties:
      projectId:
        type: string
        description: Your Paragon Project ID.
      integration:
        type: string
        description: Integration identifier (e.g. googleDrive).
      syncType:
        type: string
        description: The sync pipeline type (e.g. files).
      recordId:
        type: string
        description: The synced record ID to retrieve and download.
      subject:
        type: string
        description: The requesting actor (e.g. a user email address).
      relation:
        type: string
        description: The relation to check (e.g. viewer, editor, owner).
      object:
        type: string
        description: The object identifier to check access against (e.g. file:abc123).
  steps:
  - stepId: pullSyncedRecords
    description: >-
      Pull the first page of normalized records for the integration and sync
      type to establish the working set.
    operationId: pullSyncedRecords
    parameters:
    - name: projectId
      in: path
      value: $inputs.projectId
    - name: integration
      in: query
      value: $inputs.integration
    - name: syncType
      in: query
      value: $inputs.syncType
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      records: $response.body#/records
  - stepId: getSyncedRecord
    description: >-
      Retrieve the full normalized record, including its captured source-system
      permissions, for the chosen record ID.
    operationId: getSyncedRecord
    parameters:
    - name: projectId
      in: path
      value: $inputs.projectId
    - name: recordId
      in: path
      value: $inputs.recordId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      sourceId: $response.body#/sourceId
      permissions: $response.body#/permissions
  - stepId: checkAccess
    description: >-
      Run a ReBAC-style access check to confirm the requesting subject has the
      required relation to the object before any content is read.
    operationId: checkAccess
    parameters:
    - name: projectId
      in: path
      value: $inputs.projectId
    requestBody:
      contentType: application/json
      payload:
        subject: $inputs.subject
        relation: $inputs.relation
        object: $inputs.object
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      allowed: $response.body#/allowed
    onSuccess:
    - name: accessGranted
      type: goto
      stepId: downloadContent
      criteria:
      - context: $response.body
        condition: $.allowed == true
        type: jsonpath
  - stepId: downloadContent
    description: >-
      Download the binary content of the file-type record now that access has
      been confirmed for the requesting subject.
    operationId: downloadContent
    parameters:
    - name: projectId
      in: path
      value: $inputs.projectId
    - name: recordId
      in: path
      value: $inputs.recordId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      content: $response.body
  outputs:
    permissions: $steps.getSyncedRecord.outputs.permissions
    allowed: $steps.checkAccess.outputs.allowed
    content: $steps.downloadContent.outputs.content
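
The gate in this workflow is the `accessGranted` goto on `checkAccess`, and its target, `downloadContent`, is also the next sequential step, so it is worth confirming what a runner does when `onSuccess` is present but no action's criteria match: the Arazzo specification states the next-sequential-step default for an omitted `onSuccess`. The lint below is an added example, not code from Paragon or from this page; it flags that pattern and shows one explicit deny path. `WORKFLOW` is constructed from the steps above, and the `accessDenied` action name is hypothetical.

```python
# Added example, not Paragon's code. WORKFLOW is constructed from the steps
# on this page, reduced to the fields that decide control flow.
WORKFLOW = [
    {"stepId": "pullSyncedRecords"},
    {"stepId": "getSyncedRecord"},
    {"stepId": "checkAccess",
     "onSuccess": [{"name": "accessGranted", "type": "goto",
                    "stepId": "downloadContent",
                    "criteria": [{"context": "$response.body",
                                  "condition": "$.allowed == true",
                                  "type": "jsonpath"}]}]},
    {"stepId": "downloadContent"},
]


def fail_open_gates(steps):
    """Return stepIds of gate steps with no explicit path for a false condition.

    A gate is a step whose onSuccess holds a goto with criteria. It is
    flagged when the goto target is also the next sequential step and no
    later action without criteria ends the workflow.
    """
    findings = []
    for i, step in enumerate(steps[:-1]):
        actions = step.get("onSuccess", [])
        next_id = steps[i + 1]["stepId"]
        for pos, action in enumerate(actions):
            is_gate = action.get("type") == "goto" and action.get("criteria")
            if not is_gate or action.get("stepId") != next_id:
                continue
            has_deny_path = any(
                later.get("type") == "end" and not later.get("criteria")
                for later in actions[pos + 1:]
            )
            if not has_deny_path:
                findings.append(step["stepId"])
    return findings


def with_deny_path(steps, gate_id):
    """Return a copy where gate_id's onSuccess ends with an unconditional end.
    The action name accessDenied is hypothetical."""
    deny = {"name": "accessDenied", "type": "end"}
    return [
        {**s, "onSuccess": s["onSuccess"] + [deny]} if s["stepId"] == gate_id else s
        for s in steps
    ]


if __name__ == "__main__":
    print(fail_open_gates(WORKFLOW))
    print(fail_open_gates(with_deny_path(WORKFLOW, "checkAccess")))
```

The lint does not cover a second point to review in this flow: `checkAccess` evaluates `$inputs.object` while `downloadContent` fetches `$inputs.recordId`, and nothing in the steps shown ties the two inputs together.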