Skip to main content

Public Access

note
OpenFGA is an open source Fine-Grained Authorization solution based on Google's Zanzibar. We welcome community contribution to this project.

In this guide you will learn how to grant public access to an object, such as a certain document, using OpenFGA.

When to use

Public access allows your application to grant every user in the system access to an object. You would add a relationship tuple with a user as * when:

  • sharing a document publicly to indicate that everyone can view it
  • a public poll is created to indicate that anyone can vote on it
  • a blog post is published and anyone should be able to read it
  • a video is made public for anyone to watch

Before You Start

In order to understand this guide correctly you must be familiar with some OpenFGA Concepts and know how to develop the things that we will list below.

Assume that you have the following authorization model.
You have a type called document that can have a view relation.

type document
relations
define view as self

In addition, you will need to know the following:

Direct Access

You need to know how to create an authorization model and create a relationship tuple to grant a user access to an object. Learn more →

OpenFGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in OpenFGA
  • With Everyone: a * can be used in relationship tuples to represent every user
caution

Make sure to use unique ids for each object and user within your application domain when creating relationship tuples for OpenFGA. We are using first names and simple ids to just illustrate an easy-to-follow example.

Step By Step

In previous guides, we have shown how to indicate that objects are related to users or objects. In some cases, you might want to indicate that everyone is related to an object (for example when sharing a document publicly).

01. Create A Relationship Tuple

To do this we need to create a relationship tuple using the `*` syntax. The * syntax is used to indicate that all users and objects have a relation) to a specific object.

Let us create a relationship tuple that states: anyone can view document:company-psa.doc

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

await fgaClient.write({
writes: {
tuple_keys: [
// * denotes that the user is every user and object
{ user: '*', relation: 'view', object: 'document:company-psa.doc'}
]
}
});

02. Check That The Relationship Exists

Once the above relationship tuple is added, we can check if bob cab view document:company-psa.doc. OpenFGA will return { "allowed": true } even though no relationship tuple linking bob to the document was added. That is because the relationship tuple with * as the user made it so everyone can view the document, making it public.

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'bob',
relation: 'view',
object: 'document:company-psa.doc',
},});

// allowed = true
Wildcard syntax usage

Please note that * is a special OpenFGA syntax meaning everyone when used as a user within a relationship tuple. It is not a wildcard or regex expression.

You cannot use it with a type to mean all objects in that type. workspace:* does not mean all types; it means a single object with the type workspace and the object_id the string *.

Modeling: Getting Started

Learn about how to get started with modeling.

Configuration Language

Learn about OpenFGA Configuration Language.

Modeling Blocklists

Learn about model block lists.