Skip to main content

Perform a List Users call

Warning

ListUsers is currently in an experimental release. Read the announcement for more information.

This section will illustrate how to perform a list users request to determine all the users of a given type that have a specified relationship with a given object.

Before You Start

  1. Deploy an instance of the OpenFGA server, and have ready the values for your setup: FGA_STORE_ID, FGA_API_URL and, if needed, FGA_API_TOKEN.
  2. You have installed the SDK.
  3. You have configured the authorization model and updated the relationship tuples.
  4. You have loaded FGA_STORE_ID and FGA_API_URL as environment variables.

Step By Step

Assume that you want to list all users of type user that have a reader relationship with document:planning:

01. Configure the OpenFGA API Client

Before calling the ListUsers API, you will need to configure the API client.

// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
  apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
  storeId: process.env.FGA_STORE_ID,
  authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

02. Calling List Users API

To return all users of type user that have have the reader relationship with document:planning:

const response = await fgaClient.listUsers({
  object: {
    type: "document",
    id: "planning"
  },
  user_filters: [{
    type: "user",
  }],
  relation: "reader",
}, {
  authorization_model_id: "01HVMMBCMGZNT3SED4Z17ECXCA",
});
// response.users = [{"object":{"type":"user","id":"anne"}},{"object":{"type":"user","id":"beth"}}]
// response.excluded_users = []

The result user:anne and user:beth are the user objects that have the reader relationship with document:planning.

Warning

The performance characteristics of the ListUsers endpoint vary drastically depending on the model complexity, number of tuples, and the relations it needs to evaluate. Relations with 'and' or 'but not' are particularly expensive to evaluate.

Usersets

In the above example, only specific subjects of the user type were returned. However, groups of users, known as usersets, can also be returned from the List Users API. This is done by specifying a relation field in the user_filters request object. Usersets will only expand to the underlying subjects if that type is specified as the user filter object.

Below is an example where usersets can be returned:

model
  schema 1.1

type user

type group
  relations
    define member: [ user ]

type document
  relations
    define viewer: [ group#member ]

With the tuples:

userrelationobject
group:engineering#memberviewerdocument:1
group:product#memberviewerdocument:1
user:willmembergroup:engineering#member

Then calling the List Users API for document:1 with relation viewer of type group#member will yield the below response. Note that the user:will is not returned, despite being a member of group:engineering#member because the user_filters does not target the user type.

const response = await fgaClient.listUsers({
  object: {
    type: "document",
    id: "1"
  },
  user_filters: [{
    type: "group#member",
  }],
  relation: "viewer",
}, {
  authorization_model_id: "01HXHK5D1Z6SCG1SV7M3BVZVCV",
});
// response.users = [{"userset":{"id":"engineering","relation":"member","type":"group"}},{"userset":{"id":"product","relation":"member","type":"group"}}]
// response.excluded_users = []

Type-bound Public Access

The list users API supports tuples expressing public access via the wildcard syntax (e.g. user:*). Wildcard tuples that satisfy the query criteria will be returned with the wildcard root object property that will specify the type. The API will not expand wildcard results further to any ID'd subjects. Further, specific users that have been granted accesss will be returned in addition to any public acccess for that user's type.

Example response with type-bound public access:

{
  "users": [
    {
      "wildcard": {
        "type":"user"
      }
    },
    {
      "object": {
        "type":"user",
        "id":"anne"
      }
    }
  ],
  "excluded_users":[]
}

Excluded Users

In certain cases, it is important to communicate that certain users are excluded from returned usersets and do not have a relation to the target obect. Most notably, this occurs in models with type-bound public access via wildcard syntax (e.g. user:*) and negation via the but not syntax.

Below is an example where excluded users are returned:

model
  schema 1.1

type user

type document
  relations
    define viewer: [user:*] but not blocked
    define blocked: [user]

With the tuples:

userrelationobject
user:*viewerdocument:1
user:anneblockeddocument:1

Calling the List Users API for document:1 with relation viewer of type user will yield the response below. It indicates that any object of type user (including those not already in OpenFGA as parts of tuples) has access to the system, except for a user with id anne.

const response = await fgaClient.listUsers({
  object: {
    type: "document",
    id: "1"
  },
  user_filters: [{
    type: "user",
  }],
  relation: "viewer",
}, {
  authorization_model_id: "01HXHKQX73VA6MJ3SRSY0D05VW",
});
// response.users = [{"wildcard":{"type":"user"}}]
// response.excluded_users = [{"object":{"type":"user","id":"anne"}}]
Take a look at the following section for more on how to perform list users in your system
OpenFGA List Users API

Read the List Users API documentation and see how it works.