
Introduction to Authorization and OpenFGA

OpenFGA relies on several understandings of authorization, including fine-grained authorization, role-based access control, attribute-based access control, and relationship-based access control.

What Is OpenFGA?

OpenFGA is an open source solution for Fine-Grained Authorization (FGA) that applies the concept of relationship-based access control (ReBAC). It was created by the Okta FGA team and inspired by Zanzibar. Designed for reliability and low latency at high scale, OpenFGA offers both HTTP and gRPC APIs, as well as SDKs for programming languages like Node.js/JavaScript, GoLang, .NET, Python, and Java, with additional SDKs and integrations (including Rego) planned for future releases.

Authentication vs Authorization

Authentication (or AuthN) ensures a user's identity. Authorization (or AuthZ) determines if a user can perform a certain action on a particular resource.

For example, when you log in to Google, Authentication verifies that your username and password are correct. Authorization checks whether you can access a given Google service. For more information about AuthN vs AuthZ, click here.

What Is Fine-Grained Authorization?

Fine-Grained Authorization (FGA) allows administrators to grant individual users access to specific objects or resources in a system. Well-designed FGA systems allow millions of objects, users and relations to change rapidly as objects are added and access permissions are updated. A notable example of fine-grained authorization is Google Drive: access can be granted either to documents or to folders, and either to individual users or to groups of users, and access rights change regularly as new documents are created and shared with specific users or groups.

What Are Role-Based Access Control And Attribute-Based Access Control?

In Role-Based Access Control (RBAC), permissions are assigned to users based on their role in a system. For example, a user needs the editor role to edit content. For more information about RBAC, click here.

In Attribute-Based Access Control (ABAC), permissions are granted based on a set of attributes that a user or resource possesses. For example, a user assigned both marketing and manager attributes is entitled to publish and delete posts that have a marketing attribute. For more information about ABAC, click here.

What Is Relationship-Based Access Control?

Relationship-Based Access Control (ReBAC) allows user access rules to be conditional on the relations a given user has with a given object and on that object's relationships to other objects. For example, a given user can view a given document if the user has access to the document's parent folder.

What Is Zanzibar?

Zanzibar is Google's global authorization system across Google's product suite. It uses object-relation-user tuples to store relation data, then checks those relations for a match between a user and an object. For more information about Zanzibar, click here.
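To make the ReBAC and Zanzibar sections above concrete, here is an added example (not OpenFGA's own code or API) that stores object-relation-user tuples and evaluates a check the way the text describes: a user can view a document directly, through group membership (a userset), or because they can view the document's parent folder. The model table, tuple data and names such as `user:anne` and `folder:reports` are constructed for illustration.

```python
from typing import List, Tuple

# Relationship tuples in Zanzibar's (object, relation, user) shape.
# The "user" field may be a plain user, a userset ("group:marketing#member"),
# or another object (a document's parent folder). Constructed sample data.
TUPLES: List[Tuple[str, str, str]] = [
    ("group:marketing", "member", "user:anne"),
    ("folder:reports", "viewer", "group:marketing#member"),
    ("document:q3-plan", "parent", "folder:reports"),
    ("document:memo", "viewer", "user:bob"),
]

# Hypothetical model: a document's (or folder's) viewer is either written
# directly, or inherited from the viewer relation of its parent folder.
INHERITED = {
    ("document", "viewer"): ("parent", "viewer"),
    ("folder", "viewer"): ("parent", "viewer"),
}


def check(user: str, relation: str, obj: str, tuples=TUPLES, depth: int = 0) -> bool:
    """Return True if `user` has `relation` on `obj`, directly, via a userset,
    or via the parent chain defined in INHERITED."""
    if depth > 16:  # bound recursion so cyclic parent tuples cannot loop forever
        return False
    for o, r, u in tuples:
        if o != obj or r != relation:
            continue
        if u == user:  # direct grant
            return True
        if "#" in u:   # userset: anyone holding <ur> on <uo> qualifies
            uo, ur = u.split("#", 1)
            if check(user, ur, uo, tuples, depth + 1):
                return True
    # Indirect grant through the object's parent, as the model defines it.
    rule = INHERITED.get((obj.split(":", 1)[0], relation))
    if rule:
        parent_rel, parent_relation = rule
        for o, r, u in tuples:
            if o == obj and r == parent_rel and check(user, parent_relation, u, tuples, depth + 1):
                return True
    return False


if __name__ == "__main__":
    print(check("user:anne", "viewer", "document:q3-plan"))  # True: via folder and group
    print(check("user:bob", "viewer", "document:q3-plan"))   # False: no path exists
```

Anne has no tuple on the document itself; the check succeeds only by walking document to parent folder to group membership, which is exactly the relationship chain ReBAC evaluates.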