Skip to main content

Direct Relationships

In this guide you'll learn how to model relationships that may or may not be assigned directly to individual users.

When to use

Disabling direct relationships for a certain relation on an objects are useful especially in cases where you are trying to model some permissions that are not usually granted individually to a user.

This is useful when:

  • For security reason, not permitting permissions assigned directly to individuals without associating roles

Before you start

To better understand this guide, you should be familiar with some OpenFGA Concepts and know how to develop the things listed below.

You will need to know the following:

  • Direct Access
  • OpenFGA Concepts

Direct access

You need to know how to create an authorization model and create a relationship tuple to grant a user access to an object. Learn more →

OpenFGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in OpenFGA
  • Direct Relationship Type Restrictions: used in the context of the relation definition can be used to allow direct relationships to the objects of this type

What are direct relationships?

Direct relationships are relationships where a user has a relationship to an object that is not dependent on any other relationship they have with that object.

When checking for a relationship, a direct relationship exists if a relationship tuple is present in the system with the exact same object and relation that were in the query and where the user is one of:

  • the same user ID as that in the query
  • type bound public access (<type>:*)
  • a set of users that contains the user ID present in the query

Enable or disable direct relationships

Direct relationships can be enabled for a specific relation on an object type by adding direct relationship type restrictions from that relation's definition. Likewise, they can be disabled by removing the direct relationship type restrictions.

model
  schema 1.1

type user

type document
  relations
    define viewer: [user, user:*, team#member] or editor
    define editor: [user, team#member]

type team
  relations
    define member: [user]
info

The authorization model describes two object types: document and team.

The document type definition has two relations, editor and viewer. Both relations allow a direct relationship; viewer also allows an indirect relationship through editor.

In the team type definition, there is a single member relation that only allows direct relationships.

How it affects your system

To illustrate the effect enabling or disabling direct relationships on a specific relation has, we'll investigate several situations.

1. With direct relationships enabled

Let us start with the authorization model we had above:

model
  schema 1.1

type user

type document
  relations
    define viewer: [user, user:*, team#member] or editor
    define editor: [user, team#member]

type team
  relations
    define member: [user]

Now choose the type of relation to see how it affects your system:

Assume you have a tuple that states that Anne is a viewer of document:planning

[{
  "user": "user:anne",
  "relation": "viewer",
  "object": "document:planning"
}]

Now if we do a check request to see if Anne can view the planning document, we will get a response of {"allowed": true}.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
  apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
  storeId: process.env.FGA_STORE_ID,
  authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
    user: 'user:anne',
    relation: 'viewer',
    object: 'document:planning',
  }, {
  authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true

This is because:

  • There is a relationship tuple specifying that Anne has a viewer relationship with document:planning.
  • Direct relationships are allowed in the viewer relation definition in the document type definition.

2. With direct relationships disabled

In this section, we will investigate the effect of disabling direct relationships on the document's viewer relation.

model
  schema 1.1

type user

type document
  relations
    define viewer: editor
    define editor: [user, team#member]

type team
  relations
    define member: [user]
info

Notice that in this updated authorization model, the direct relationship keyword has been removed from the document's viewer relation definition.

Now choose the type of relation to see how it affects your system:

Assume you have a tuple that states that Fred is a viewer of document:planning

[{
  "user": "user:fred",
  "relation": "viewer",
  "object": "document:planning"
}]

Now if we do a check request to see if Fred can view the planning document, we will get a response of {"allowed": false}.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
  apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
  storeId: process.env.FGA_STORE_ID,
  authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
    user: 'user:fred',
    relation: 'viewer',
    object: 'document:planning',
  }, {
  authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = false

This is because:

  • Even though there is a relationship tuple specifying that Fred has a viewer relationship with document:planning.
  • Direct relationships are NOT allowed in the viewer relation definition in the document type definition.
Check the following sections for more one how direct relationships can be used. Also, take a look at the access relation in the feature type in Modeling Entitlements for another use-case.
Modeling Roles and Permissions

Learn how to remove the direct relationship to indicate nonassignable permissions.

Modeling for IoT

See how Roles and Permissions can be used in an IoT use-case.

Modeling Entitlements

Take a look at the access relation in the feature type for an example of removing the direct relationship