Skip to main content

This section has guides, concepts and examples that help you define an authorization model.

When to use

The content in this section is useful:

  • If you are starting with OpenFGA and want to learn how to represent your organization's/system's authorization needs.
  • If you are working on iterating on an authorization model you previously defined.


Getting Started

How to create an authorization model for your system starting from the requirements.

Direct Access

Learn the basics of modeling authorization and granting access to users.

User Groups

Learn to model user group membership, and to grant access to all members of a group.

Roles and Permissions

Learn to model roles for users at the object level and model permissions for those roles.

Parent-Child objects

Learn to model access based on parent-child relationships, e.g.: folders and documents.

Block Lists

Learn to model denying access if users are part of list of blocked users.

Public Access

Learn to model giving everyone specific access to an object, e.g.: everyone can read.

Multiple Restrictions

Learn to model requiring multiple privileges before granting access.

Custom Roles

Learn to model custom roles that are created by users.


Learn to model requiring dynamic attributes.

Contextual and Time-Based Authorization

Learn to model and authorize when IP Address, time, and other dynamic and contextual restrictions are involved.

Authorization Through Organization Context

Learn to model and authorize when a user belongs to multiple organizations.

Building Blocks

Learn the underlying concepts/building blocks that can be used to build any model.

Advanced Use-Cases

Explore advanced use cases and patterns for authorization modeling with OpenFGA.


Learn to migrate relations and models in a production environment.