Skip to main content

Managing Group Access

In this guide you will learn how to grant a group of users access to a particular object.

When to use

Adding a relationship tuple specifying that a group has a relation to an object is helpful in cases where you want to encompass a set of users with the same relation to an object. For example:

  • Grant a group of engineers viewer access to roadmap.doc
  • Create a block_list of members who can't access a document
  • Sharing a document with a team
  • Granting viewer access to a photo to followers only
  • Making a file viewable for all users within an organization
  • Restricting access from or to users in a certain locale

Before You Start

In order to understand this guide correctly you must be familiar with some OpenFGA Concepts and know how to develop the things that we will list below.

Assume that you have the following authorization model.
You have two types:

  • company that can have a employee relation
  • document that can have a reader relation.
model
schema 1.1

type user

type company
relations
define employee: [user]

type document
relations
define reader: [company#employee]

In addition, you will need to know the following:

Modeling User Groups

You need to know how to add users to groups and grant groups access to an object. Learn more →

OpenFGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in OpenFGA

Step By Step

01. Adding Company To The Document

If we want to have every employee of a type company have a reader relationship with a particular object of type document (in this case document:planning), we need to add a tuple like so:

[// Every employee in the company can read document:planning
{
"_description": "Every employee in the company can read document:planning",
"user": "company:xyz#employee",
"relation": "reader",
"object": "document:planning"
}]

02. Adding Employee To The Company

If we also write a tuple that says that Anne is a employee of company:xyz, like so:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

await fgaClient.write({
writes: [
{"user":"user:anne","relation":"employee","object":"company:xyz"}
],
}, {
authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw"
});

03. Checking An Individual Member's Access To An Object

Then a call to the Check API to see whether Anne can read document:planning will return true:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:anne',
relation: 'reader',
object: 'document:planning',
}, {
authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
});

// allowed = true

The same check for a different user Becky, however, will return false, because Becky does not have an employee relationship with company:xyz:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:becky',
relation: 'reader',
object: 'document:planning',
}, {
authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
});

// allowed = false
Modeling User Groups

Learn about how to model users and groups.

Managing Group Membership

Learn about managing group membership.