Best Practices of Managing Tuples and Invoking APIs
The following list outlines some guidelines and best practices for using OpenFGA:
- Do not store Personally Identifiable Information in tuples
- Always specify authorization model ID whenever possible
- If using ListObjects, avoid having intersection or exclusion in the authorization model
Do Not Store Personally Identifiable Information in Tuples
You can use any string for user and object identifiers; however, you should not input or assign identifiers that include Personal Data or any other sensitive data, such as data that may be restricted under regulatory requirements.
The documentation and samples use first names and simple IDs to illustrate easy-to-follow examples.
Always Specify Authorization Model ID Whenever Possible
It is strongly recommended that the authorization model ID be specified in your Relationship Queries (such as Check and ListObjects) and Relationship Commands (such as Write).
Specifying the authorization model ID in API calls has the following advantages:
- Better performance, as OpenFGA will not need to perform a database query to get the latest authorization model ID.
- Consistent behavior in your production system until you are ready to switch to the new model.
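The following added example (not part of the OpenFGA documentation or SDKs) builds the HTTP requests for Check, ListObjects and Write so that every one carries a pinned `authorization_model_id`, and rejects identifiers that look like e-mail addresses before they reach a tuple. The class and helper names, the `http://localhost:8080` address, the sample IDs and the e-mail heuristic are assumptions made for illustration.

```python
import json
import re
import urllib.request

# Store and model IDs are ULIDs: 26 Crockford base32 characters.
ULID = re.compile(r"^[0-9A-HJKMNP-TV-Z]{26}$")
# Heuristic only (assumption): catches e-mail addresses used as identifiers.
EMAIL = re.compile(r"[^@\s:]+@[^@\s]+\.[^@\s]+")

def _opaque(ident):
    if EMAIL.search(ident):
        raise ValueError(f"identifier looks like personal data: {ident!r}")
    return ident

def _key(user, relation, obj):
    return {"user": _opaque(user), "relation": relation, "object": _opaque(obj)}

class PinnedFgaRequests:
    """Hypothetical helper: every request body carries the pinned model ID."""

    def __init__(self, api_url, store_id, model_id):
        if not ULID.match(model_id or ""):
            raise ValueError("authorization_model_id must be set explicitly")
        self.base = f"{api_url.rstrip('/')}/stores/{store_id}"
        self.model_id = model_id

    def _post(self, path, body):
        body["authorization_model_id"] = self.model_id
        return urllib.request.Request(
            f"{self.base}/{path}", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")

    def check(self, user, relation, obj):
        return self._post("check", {"tuple_key": _key(user, relation, obj)})

    def list_objects(self, user, relation, object_type):
        return self._post("list-objects", {
            "user": _opaque(user), "relation": relation, "type": object_type})

    def write(self, tuples):
        keys = [_key(*t) for t in tuples]
        return self._post("write", {"writes": {"tuple_keys": keys}})

# Constructed sample values, not real store or model IDs.
STORE_ID = "01J" + "0" * 22 + "A"
MODEL_ID = "01J" + "0" * 22 + "B"
fga = PinnedFgaRequests("http://localhost:8080", STORE_ID, MODEL_ID)
req = fga.check("user:6b0f8a1e", "reader", "document:roadmap")
# urllib.request.urlopen(req) would send it to a running OpenFGA server.
```

Keeping the model ID in deployment configuration, and changing it only when the new model has been tested, gives the consistent behavior described above.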
If Using ListObjects, Avoid Having Intersection or Exclusion in the Authorization Model
If you are planning to use ListObjects, avoid using intersection or exclusion in the authorization model, as ListObjects is not optimized for them yet.