
Introduction to Authorization and Auth0 Fine Grained Authorization (FGA)

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

This section explains authorization, fine-grained authorization, RBAC, ABAC, ReBAC.

What is Auth0 Fine Grained Authorization (FGA)?

Auth0 Fine Grained Authorization (FGA) is Auth0's SaaS for fine-grained authorization at scale, based on Google's Zanzibar. It is currently under development. It is designed to make it easy for application builders to add fine-grained authorization to their apps. It offers an HTTP API and has SDKs for programming languages such as Node.js/JavaScript and Go. More languages, and also policy languages like Rego, are planned for the future. It is optimized for reliability and low latency at high scale. For latency and compliance reasons we'll have environments per jurisdiction (e.g. US, EU, AU) and also global clusters for applications that have a global user base.

The Auth0 FGA Playground

Get started on the Auth0 Playground

Authentication vs Authorization

Authentication (or AuthN) is the process that verifies a user's identity. Authorization (or AuthZ) is the process of determining whether a user can perform a certain action on a particular resource.

For example, when logging in to Twitter, the process in which Twitter verifies that the user's username and password are correct is Authentication. The process of checking whether that user can view or reply to a certain Tweet is Authorization.

Read more about AuthN vs AuthZ.

What Is Fine-Grained Authorization (FGA)?

Fine-Grained Authorization is being able to grant individual users access to specific objects or resources in a system. FGA at scale means being able to do so in a system that can have millions of objects, users and relations, and that has a high change rate: objects are regularly added and access permissions are constantly being updated. A good example of this is Google Drive, where access can be granted either to documents or to folders, and either to individual users or to groups. Access changes regularly as new documents are created and shared with specific users, whether inside the same company or outside it.

What Are Role-Based Access Control (RBAC) And Attribute-Based Access Control (ABAC)?

In Role-Based Access Control, permissions are assigned to users based on their role in a system (e.g. a user would need an editor role to edit posts).

In Attribute-Based Access Control, instead of permissions being granted based on roles, they are granted based on a set of attributes on a user or resource (e.g. if a user has both marketing and manager attributes they can publish and delete posts that have a marketing attribute, but not others).

If you are interested you can read more about RBAC and ABAC.

What Is Relationship Based Access Control (ReBAC)?

ReBAC allows expressing rules based on relations that users have with objects and that objects have with other objects. For example, a user can view a document if they can view its parent folder.

What Is Zanzibar?

Zanzibar is "Google's Consistent, Global Authorization System" for "determining whether online users are authorized to access digital objects" across its products (Google Drive, YouTube, Google Photos, etc.). It uses (object, relation, user) tuples to store relation data and traverses those relations to check whether there is a relation between a user and an object.
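As an added illustration (not code from Auth0 FGA's SDK or from Google), the following self-contained JavaScript models a tiny Zanzibar-style store: (object, relation, user) tuples, where the user may itself be a userset such as `group:eng#member`, plus one model rule that makes a document's viewers include the viewers of its parent folder, the ReBAC rule from the previous section. The tuple data, the `model` format and all identifiers are constructed for the example.

```javascript
// Constructed, minimal Zanzibar-style relation store (not the Auth0 FGA SDK).
// A tuple is (object, relation, user). "user" is either a plain user id such as
// "user:anne" or a userset "folder:root#viewer", meaning everyone who holds
// that relation on that object.
const tuples = [
  { object: "folder:root", relation: "viewer", user: "user:anne" },
  { object: "folder:root", relation: "viewer", user: "group:eng#member" },
  { object: "group:eng", relation: "member", user: "user:bob" },
  { object: "document:plan", relation: "parent", user: "folder:root" },
  { object: "document:plan", relation: "viewer", user: "user:carl" },
];

// Constructed authorization model: "viewer on a document also includes
// viewer on whatever object the document's parent relation points to".
const model = {
  document: { viewer: [{ viaRelation: "parent", relation: "viewer" }] },
};

// check(): does `user` have `relation` on `object`? Walks direct tuples,
// expands usersets, then follows model rules. `seen` stops cycles and
// repeated work on the same (object, relation) node.
function check(object, relation, user, seen = new Set()) {
  const key = `${object}#${relation}`;
  if (seen.has(key)) return false;
  seen.add(key);
  for (const t of tuples) {
    if (t.object !== object || t.relation !== relation) continue;
    if (t.user === user) return true; // direct tuple
    const m = t.user.match(/^(.+)#(.+)$/); // userset: recurse into it
    if (m && check(m[1], m[2], user, seen)) return true;
  }
  const type = object.split(":")[0];
  for (const rule of model[type]?.[relation] ?? []) {
    // e.g. document:plan#parent -> folder:root, then ask for viewer there
    for (const t of tuples) {
      if (t.object !== object || t.relation !== rule.viaRelation) continue;
      if (check(t.user, rule.relation, user, seen)) return true;
    }
  }
  return false;
}
```

`check("document:plan", "viewer", "user:bob")` is true only because of the chain document → parent folder → group userset → member; removing any one tuple breaks it, which is the traversal the paragraph above describes.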

Learn more about Zanzibar at the Zanzibar Academy.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.