What is Fine-Grained Authorization?

Fine-grained authorization (FGA) means deciding access at the level of the individual resource and action, rather than at the role or coarse-scope level. "Alice can edit document-42" is fine-grained; "Alice is an editor" is not.

What "fine-grained" actually buys you

  • Per-resource sharing. A user can be granted access to one document without inheriting access to everything in the workspace.
  • Hierarchical inheritance. Access to a folder grants access to its documents — but only that folder, not every folder.
  • Reverse queries. "List every document this user can read" — the query a UI needs to render correctly.
  • Cross-tenant collaboration. Granting a single resource to an external user without making them a tenant member.

Coarse-grained models can simulate these with enough effort, but the authorization layer ends up duplicating a graph database in roles tables. Fine-grained engines store the graph directly.

How OpenFGA implements FGA

  • A typed model defines resource types and the relations between them.
  • Tuples record specific relationships between specific principals and specific resources.
  • The check API answers per-action questions in milliseconds.
  • Conditions cover attribute-driven cases inside the same model.
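
The following is an added example, not OpenFGA's own code or its DSL: a toy relationship-based evaluator in Python that mirrors the four building blocks just listed and the four behaviours from "What fine-grained actually buys you". It has a typed model whose `viewer` relation on a document is the union of a direct grant, the computed `editor` relation, and `viewer` inherited from the `parent` folder; a tuple store; a `check` call; a tuple-attached condition; and a naive reverse query. Every identifier (`user:alice`, `folder:eng`, `document:42`, the `grant_not_expired` condition) is constructed for the example.

```python
"""Toy ReBAC engine (added example; assumed names, not OpenFGA's API or DSL)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Context = Dict[str, object]


@dataclass
class RelTuple:
    """One stored relationship: <user> has <relation> on <obj>."""
    user: str                              # "user:alice" or a linked object such as "folder:eng"
    relation: str                          # "viewer", "editor", "parent", ...
    obj: str                               # "document:42", "folder:eng", ...
    condition: Optional[str] = None        # key into CONDITIONS, or None for an unconditional tuple
    params: Dict[str, object] = field(default_factory=dict)  # tuple-side condition inputs


# Typed model. Each relation is a union of rules:
#   ("direct",)            tuples may assign the relation directly
#   ("computed", R)        anyone holding relation R on the same object
#   ("from", R, VIA)       anyone holding relation R on an object linked through relation VIA
MODEL: Dict[str, Dict[str, List[Tuple[str, ...]]]] = {
    "folder": {"viewer": [("direct",)]},
    "document": {
        "parent": [("direct",)],
        "editor": [("direct",)],
        "viewer": [("direct",), ("computed", "editor"), ("from", "viewer", "parent")],
    },
}

# Conditions combine tuple-side params with request-side context. Missing "now" denies (fail closed).
CONDITIONS: Dict[str, Callable[[Context], bool]] = {
    "grant_not_expired": lambda ctx: "now" in ctx and ctx["now"] < ctx["expires_at"],
}

# Constructed sample data: two tenants' folders, one external collaborator (carol) with a
# single time-limited grant on document:99 and no folder membership anywhere.
TUPLES: List[RelTuple] = [
    RelTuple("user:bob", "viewer", "folder:eng"),
    RelTuple("folder:eng", "parent", "document:42"),
    RelTuple("folder:eng", "parent", "document:7"),
    RelTuple("user:alice", "editor", "document:42"),
    RelTuple("user:dave", "viewer", "folder:ops"),
    RelTuple("folder:ops", "parent", "document:99"),
    RelTuple("user:carol", "viewer", "document:99",
             condition="grant_not_expired", params={"expires_at": 1_700_000_000}),
]


def _tuple_allows(t: RelTuple, context: Context) -> bool:
    """Evaluate the tuple's condition (if any) against tuple params plus request context."""
    if t.condition is None:
        return True
    return CONDITIONS[t.condition]({**t.params, **context})


def check(user: str, relation: str, obj: str, context: Optional[Context] = None,
          _path: FrozenSet[Tuple[str, str, str]] = frozenset()) -> bool:
    """Per-resource, per-action decision: does `user` hold `relation` on `obj`?"""
    context = context or {}
    key = (user, relation, obj)
    if key in _path:                       # cycle guard for self-referential models
        return False
    path = _path | {key}
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL.get(obj_type, {}).get(relation, []):
        if rule[0] == "direct":
            # user match is tested before the condition, so conditions never run for other users
            if any(t.user == user and t.relation == relation and t.obj == obj
                   and _tuple_allows(t, context) for t in TUPLES):
                return True
        elif rule[0] == "computed":
            if check(user, rule[1], obj, context, path):
                return True
        elif rule[0] == "from":
            inherited, via = rule[1], rule[2]
            # follow every VIA link out of obj (e.g. its parent folder) and re-check there
            for t in TUPLES:
                if t.relation == via and t.obj == obj and check(user, inherited, t.user, context, path):
                    return True
    return False


def list_objects(user: str, relation: str, obj_type: str, context: Optional[Context] = None) -> Set[str]:
    """Reverse query: every object of `obj_type` on which `user` holds `relation`.
    Brute-force over known objects; a real engine walks the graph, but the answer is the point."""
    candidates = {t.obj for t in TUPLES if t.obj.startswith(obj_type + ":")}
    return {o for o in candidates if check(user, relation, o, context)}


if __name__ == "__main__":
    print(check("user:bob", "viewer", "document:42"))                            # True, via folder:eng
    print(list_objects("user:carol", "viewer", "document", {"now": 1_699_999_999}))  # only document:99
```

Two things worth noticing when running it: bob never appears on any document tuple yet sees both documents under `folder:eng` and nothing under `folder:ops`, which is the hierarchical-inheritance case; and carol's reverse query returns exactly one document, the cross-tenant case, and returns nothing once `now` passes the tuple's `expires_at`.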

Where FGA matters most

  • Document management and collaboration (Google Drive, Notion, Figma patterns).
  • Multi-tenant SaaS with external sharing.
  • AI agents and RAG, where each user must only see their slice of the corpus — covered in AI agent authorization.

Choosing the right model

A short decision path:

  • Flat access, a handful of roles, single tenant — RBAC is enough.
  • Decisions driven mostly by request attributes (region, department, time-of-day) — start with ABAC or a policy engine.
  • Hierarchy, sharing, multi-tenancy, or reverse queries — you want a relationship engine. OpenFGA handles attribute checks too via conditions, so you usually don't need a second engine.
  • Mixed infrastructure + application policy — a policy engine at the admission layer plus OpenFGA for the application is the common pairing.