Skip to main content

Managing Group Membership

In this guide you will learn how to update a user's membership to a group by adding and removing them from it.

When to use

Suppose:

  • An employee is hired at a company and thus gains access to all of the company's resources.
  • An employee quits and thus loses access to all of the company's resources.
  • A user joins a GitHub organization and gains access to the organizations private repositories.
  • A student graduates from school and loses access to the school's facilities.

These are cases where using group membership can be helpful as you do not need to iterate over all of the group's resources to add or revoke access to particular objects. You can add a relationship tuple indicating that a user belongs to a group, or delete a tuple to indicate that a user is no longer part of the group.

Before You Start

In order to understand this guide correctly you must be familiar with some OpenFGA Concepts and know how to develop the things that we will list below.

Assume that you have the following authorization model.
You have two types:

  • org that can have a member relation
  • document that can have a reader relation.
model
  schema 1.1
type user
type org
  relations
    define member: [user]
type document
  relations
    define reader: [org#member]

Let us also assume that we have an org called "contoso" and a document called planning, and every member of that org can read the document. That is represented by having the following relationship tuple in the store:

[
  // Members of the contoso org can read the planning document
  {
    "user": "org:contoso#member",
    "relation": "reader",
    "object": "document:planning",
  },
]

With the above authorization model and relationship tuples, OpenFGA will respond with {"allowed":false} when check is called to see if Anne can read document:planning.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
  apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
  apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
  storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

// Run a check
const { allowed } = await fgaClient.check({
  authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
  tuple_key: {
    user: 'anne',
    relation: 'reader',
    object: 'document:planning',
  },
});

// allowed = false

Now let's make Anne a member of org:contoso by adding another tuple:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
  apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
  apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
  storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

await fgaClient.write({
  writes: {
    tuple_keys: [
      // Anne is a member of the contoso org
      { user: 'user:anne', relation: 'member', object: 'org:contoso'}
    ]
  },
  authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw" 
});

The OpenFGA service will now correctly respond with {"allowed":true} when check is called to see if Anne can read document:planning, but it will still respond with {"allowed":false} if we ask the same question for another user called Becky, who is not a member of the group org:contoso.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
  apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
  apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
  storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

// Run a check
const { allowed } = await fgaClient.check({
  authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
  tuple_key: {
    user: 'user:anne',
    relation: 'reader',
    object: 'document:planning',
  },
});

// allowed = true
Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
  apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
  apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
  storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

// Run a check
const { allowed } = await fgaClient.check({
  authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
  tuple_key: {
    user: 'user:becky',
    relation: 'reader',
    object: 'document:planning',
  },
});

// allowed = false

Modeling User Groups

You need to know how to add users to groups and grant groups access to an object. Learn more →

Managing Group Access

You need to know how to manage group access to an object. Learn more →

OpenFGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in OpenFGA

Step By Step

01. Revoking Group Membership

Imagine that every member of org:contoso has a reader relationship to 1000 documents. Now imagine that anne is no longer a member of org:contoso, so we want to revoke her access to all those documents, including document:planning. To accomplish this, we can simply delete the tuple in OpenFGA that specifies that Anne is a member of org:contoso.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
  apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
  apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
  storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

await fgaClient.write({
  deletes: {
   tuple_keys : [
      { user: 'user:anne', relation: 'member', object: 'org:contoso'}
    ]
  },
  authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw" 
});

02. Validating revoked member no longer has access

Once the above relationship tuple is deleted, we can check if Anne can read document:planning. OpenFGA will return { "allowed": false }.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
  apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
  apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
  storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

// Run a check
const { allowed } = await fgaClient.check({
  authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
  tuple_key: {
    user: 'user:anne',
    relation: 'reader',
    object: 'document:planning',
  },
});

// allowed = false
Check the following sections for more on how to model group.
Modeling User Groups

Learn about how to model users and groups.

Managing Group Access

Learn about managing group access.