Introduction to Authorization and OpenFGA

Note: OpenFGA is an open source Fine-Grained Authorization solution based on Google's Zanzibar. We welcome community contribution to this project.

This section explains authorization, fine-grained authorization, RBAC, ABAC and ReBAC.

What Is OpenFGA?

OpenFGA is an open source solution to Fine-Grained Authorization that applies the concept of ReBAC. It was created by the Auth0 FGA team and was inspired by Zanzibar. It was designed for reliability and low latency at a high scale. It offers an HTTP API and has SDKs for programming languages including Node.js/JavaScript, GoLang and .NET. More SDKs and integrations such as Rego are planned for the future.

Authentication vs Authorization

Authentication (or AuthN) is the process of verifying a user's identity. Authorization (or AuthZ) means determining if a user can perform a certain action on a particular resource.

For example, when logging in to Twitter, the process by which Twitter verifies that the user's username and password are correct is Authentication. The process of checking if that user can view or reply to a certain Tweet is Authorization.

Read more about AuthN vs AuthZ.

What Is Fine-Grained Authorization (FGA)?

Fine-Grained Authorization is the ability to grant individual users access to specific objects or resources in a system. FGA at scale means being able to do so in a system that can have millions of objects, users and relations, and that has a high change rate: objects are regularly added and access permissions are constantly being updated. A good example of this is Google Drive, where access can be granted to either documents or folders, and to users either individually or as a group. Access regularly changes as new documents are created and shared with specific users, whether inside the same company or outside.

What Are Role-Based Access Control (RBAC) And Attribute-Based Access Control (ABAC)?

In Role-Based Access Control, permissions are assigned to users based on their role in a system (e.g. a user would need an editor role to edit posts).

In Attribute-Based Access Control, instead of permissions being granted based on roles, they are granted based on a set of attributes on a user or resource (e.g. if a user has both marketing and manager attributes they can publish and delete posts that have a marketing attribute, but not others).

If you are interested you can read more about RBAC and ABAC.

What Is Relationship Based Access Control (ReBAC)?

ReBAC allows expressing rules based on relations that users have with objects and that objects have with other objects. For example, a user can view a document if they can view its parent folder.

What Is Zanzibar?

Zanzibar is "Google's Consistent, Global Authorization System" for "determining whether online users are authorized to access digital objects" across its products (Google Drive, YouTube, Google Photos, etc.). It uses (object, relation, user) tuples to store relation data and traverses those relations to check if there is a relation between a user and an object.
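
The tuple storage and traversal described above, combined with the ReBAC rule that a user can view a document if they can view its parent folder, can be modelled as follows. This is an added example, not OpenFGA's or Zanzibar's own code or API; the tuples, the `INHERIT` rule table and the `check` function are assumptions made for illustration.

```javascript
// Constructed relation tuples in Zanzibar's (object, relation, user) shape.
// All object, relation and user names here are made up for the example.
const TUPLES = [
  ["folder:plans", "viewer", "group:eng#member"], // userset: every member of group:eng
  ["group:eng", "member", "user:anne"],
  ["document:roadmap", "parent", "folder:plans"],
  ["document:roadmap", "viewer", "user:bob"],     // direct grant
  ["folder:a", "parent", "folder:b"],             // deliberate cycle a -> b -> a
  ["folder:b", "parent", "folder:a"],
];

// Hypothetical rule table: a relation on an object type can also be inherited
// through another relation, e.g. viewer of a document via viewer of its parent.
const INHERIT = {
  "document#viewer": { via: "parent", relation: "viewer" },
  "folder#viewer": { via: "parent", relation: "viewer" },
};

function check(user, relation, object, tuples = TUPLES, seen = new Set()) {
  const key = `${object}#${relation}`;
  if (seen.has(key)) return false; // cycle guard: this node was already explored
  seen.add(key);

  for (const [obj, rel, subject] of tuples) {
    if (obj !== object || rel !== relation) continue;
    if (subject === user) return true;              // direct relation
    if (subject.includes("#")) {                    // userset: recurse into it
      const [setObj, setRel] = subject.split("#");
      if (check(user, setRel, setObj, tuples, seen)) return true;
    }
  }

  // Follow the inheritance rule for this object type, if one is defined.
  const rule = INHERIT[`${object.split(":")[0]}#${relation}`];
  if (rule) {
    for (const [obj, rel, parent] of tuples) {
      if (obj === object && rel === rule.via &&
          check(user, rule.relation, parent, tuples, seen)) return true;
    }
  }
  return false; // deny by default: no path from the object to the user
}
```

Here `user:anne` has no tuple on `document:roadmap` itself; access is found only by walking document, parent folder, group and member. The `seen` set keeps the cyclic `folder:a`/`folder:b` hierarchy from recursing forever and resolves it to a denial.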

Learn more about Zanzibar at the Zanzibar Academy.