
Authorization Concepts

Authentication and Authorization

Authentication establishes who a user is. Authorization decides whether that user may perform a particular action on a particular resource.

For example, when you log in to Google, authentication is the process of verifying that your username and password are correct. Authorization is the process of deciding whether you may use a given Google service or feature once your identity is known.

What is Fine-Grained Authorization?

Fine-Grained Authorization (FGA) means deciding access at the level of the individual resource and action — "Alice can edit document-42", not just "Alice is an editor". Well-designed FGA systems handle millions of objects and users with permissions that change rapidly, like Google Drive's per-document and per-folder sharing.

See Fine-Grained Authorization for the full explanation.

What is Role-Based Access Control?

In Role-Based Access Control (RBAC), permissions are assigned to users based on roles like editor or admin. RBAC fits flat, single-tenant access models but breaks down with hierarchy, sharing, or multi-tenancy.

See RBAC vs. ReBAC for when roles run out and how OpenFGA models RBAC cleanly.

What is Attribute-Based Access Control?

In Attribute-Based Access Control (ABAC), permissions are granted based on attributes of the user, resource, or request — for example, a user with marketing and manager attributes can publish marketing posts. ABAC implementations typically pull attributes from multiple sources at decision time.

See ABAC vs. ReBAC for how the two combine.

What is Policy-Based Access Control?

Policy-Based Access Control (PBAC) manages authorization policies centrally, external to application code. Most ABAC implementations are also PBAC. OpenFGA's model DSL is itself a policy: committed to Git, reviewed via PR, deployed like any other code — see Policy Engines vs. Relationship Engines.

What is Relationship-Based Access Control?

Relationship-Based Access Control (ReBAC) makes access rules conditional on relationships between users and objects, and between objects themselves — "a user can view a document if they have access to its parent folder". ReBAC is a superset of RBAC and natively covers ABAC scenarios when attributes are expressed as relationships. OpenFGA extends ReBAC with Conditions and Contextual Tuples for the remaining attribute-driven cases.

See What is ReBAC? for the full picture.

What is Zanzibar?

Zanzibar is Google's global authorization system, used by Drive, YouTube, Calendar, and Cloud. It stores object-relation-user tuples and answers checks and reverse queries against the resulting graph. OpenFGA implements the Zanzibar model on your existing databases.

See What is Zanzibar? for what the paper introduced and how OpenFGA maps to it.
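The ReBAC and Zanzibar sections above describe the same machinery: tuples form a graph, and a check walks that graph following the model's relation rules. The block below is an added example written for this page; it is not OpenFGA's code and does not use its DSL or SDK. It evaluates the "a user can view a document if they have access to its parent folder" rule with a hand-written rewrite table that stands in for an OpenFGA model (the comment shows the equivalent DSL), plus "editor implies viewer" (the RBAC case) and request-scoped tuples in the spirit of OpenFGA's contextual tuples. The model, the tuples, and every user and object identifier are constructed; `check` and `list_objects` are this example's own names for the Check and reverse-query (ListObjects) operations.

```python
"""Minimal Zanzibar-style relationship evaluator (added example, not OpenFGA code).

Tuples are (object, relation, user) triples, as in the Zanzibar paper.
"""

# Relation rewrite rules per object type: a constructed stand-in for an
# OpenFGA model such as
#
#   type user
#   type folder
#     relations
#       define editor: [user]
#       define viewer: [user] or editor
#   type document
#     relations
#       define parent: [folder]
#       define editor: [user]
#       define viewer: [user] or editor or viewer from parent
#
# ("this",)               direct tuples on this object
# ("computed", rel)       another relation on the same object (editor implies viewer)
# ("ttu", tupleset, rel)  tuple-to-userset: follow `tupleset` tuples to the related
#                         object and evaluate `rel` there ("viewer from parent")
MODEL = {
    "folder": {
        "editor": [("this",)],
        "viewer": [("this",), ("computed", "editor")],
    },
    "document": {
        "parent": [("this",)],
        "editor": [("this",)],
        "viewer": [("this",), ("computed", "editor"), ("ttu", "parent", "viewer")],
    },
}


def object_type(obj: str) -> str:
    return obj.split(":", 1)[0]


def users_for(tuples, obj, relation):
    """Users (or objects) directly related to `obj` by `relation`."""
    return {u for (o, r, u) in tuples if o == obj and r == relation}


def check(tuples, obj, relation, user, contextual=frozenset(), _path=frozenset()):
    """Check: does `user` have `relation` on `obj`?

    `tuples` is the stored graph. `contextual` holds request-scoped tuples that are
    evaluated as if stored but never written (the idea behind OpenFGA's contextual
    tuples). `_path` records the (obj, relation, user) keys on the current walk so a
    cyclic model cannot recurse forever.
    """
    key = (obj, relation, user)
    if key in _path:
        return False
    path = _path | {key}
    graph = set(tuples) | set(contextual)
    for rule in MODEL[object_type(obj)][relation]:
        if rule[0] == "this":
            if key in graph:
                return True
        elif rule[0] == "computed":
            if check(tuples, obj, rule[1], user, contextual, path):
                return True
        elif rule[0] == "ttu":
            tupleset, target = rule[1], rule[2]
            for related in users_for(graph, obj, tupleset):
                if check(tuples, related, target, user, contextual, path):
                    return True
    return False


def list_objects(tuples, obj_type, relation, user, contextual=frozenset()):
    """Reverse query (ListObjects): objects of `obj_type` on which `user` has `relation`.

    Brute force over every object seen in the graph; Zanzibar and OpenFGA use
    indexes and a smarter walk, but the semantics are the same.
    """
    graph = set(tuples) | set(contextual)
    candidates = {o for (o, _, _) in graph if object_type(o) == obj_type}
    return {o for o in candidates if check(tuples, o, relation, user, contextual)}


# Constructed sample data: one folder, two documents, a handful of users.
TUPLES = {
    ("folder:marketing", "editor", "user:alice"),
    ("folder:marketing", "viewer", "user:bob"),
    ("document:42", "parent", "folder:marketing"),
    ("document:42", "editor", "user:carol"),
    ("document:7", "viewer", "user:dave"),
}

if __name__ == "__main__":
    # alice: folder editor -> folder viewer (computed) -> document viewer (via parent)
    print(check(TUPLES, "document:42", "viewer", "user:alice"))  # True
    print(check(TUPLES, "document:42", "editor", "user:bob"))    # False
    # erin has nothing stored; a contextual tuple grants access for this request only
    ctx = {("folder:marketing", "viewer", "user:erin")}
    print(check(TUPLES, "document:42", "viewer", "user:erin", contextual=ctx))  # True
    print(check(TUPLES, "document:42", "viewer", "user:erin"))  # False
    print(list_objects(TUPLES, "document", "viewer", "user:alice"))  # {'document:42'}
```

Two points worth noticing when reading the walk: the `ttu` rule is what makes the folder-to-document inheritance a property of the model rather than of the application code, so moving `document:42` to another folder is a single tuple change and no permission is copied; and the contextual tuple for `user:erin` never touches the store, which is how attribute-like facts known only at request time can participate in a relationship check.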

OpenFGA Concepts

Learn about the OpenFGA Concepts

Modeling: Getting Started

Learn about how to get started with modeling your permission system in OpenFGA.