
Introduction to Authorization and Okta Fine Grained Authorization (FGA)

Okta FGA builds on several authorization concepts: fine-grained authorization, role-based access control, attribute-based access control, and relationship-based access control.

What is Fine Grained Authorization (FGA)?

Fine Grained Authorization (FGA) is Okta's fine-grained authorization SaaS, based on Google's Zanzibar and designed to operate at scale. It is built to make it easy for application builders to add fine-grained authorization to their apps. It offers an HTTP API and has SDKs for programming languages such as Node.js/JavaScript and Go. More languages, and also policy languages like Rego, are planned for the future. It is optimized for reliability and low latency at high scale. For latency and compliance reasons we'll have environments per jurisdiction (e.g. US, EU, AU) and also global clusters for applications that have a global user base.

The Okta FGA Playground

Get started on the Okta FGA Playground

Authentication vs Authorization

Authentication (or AuthN) ensures a user's identity. Authorization (or AuthZ) determines if a user can perform a certain action on a particular resource.

For example, when you log in to Google, authentication verifies that your username and password are correct, and authorization checks whether you can access a given Google service. For more information, see the AuthN vs AuthZ documentation.

What Is Fine-Grained Authorization?

Fine-Grained Authorization (FGA) allows administrators to grant individual users access to specific objects or resources in a system. Well-designed FGA systems allow millions of objects, users and relations to change rapidly as objects are added and access permissions are updated. A notable example of fine-grained authorization is Google Drive: access can be granted either to documents or to folders, and either to individual users or to groups of users, and access rights change constantly as new documents are created and shared with specific users or groups.

What Are Role-Based Access Control And Attribute-Based Access Control?

In Role-Based Access Control (RBAC), permissions are assigned to users based on their role in a system. For example, a user needs the editor role to edit content. For more information, see the RBAC documentation.

In Attribute-Based Access Control (ABAC), permissions are granted based on a set of attributes that a user or resource possesses. For example, a user assigned both the marketing and manager attributes is entitled to publish and delete posts that carry a marketing attribute. For more information, see the ABAC documentation.

What Is Relationship-Based Access Control?

Relationship-Based Access Control (ReBAC) allows access rules to be conditional on the relations a given user has with a given object, and on that object's relationships with other objects. For example, a given user can view a given document if the user has access to the document's parent folder.

What Is Zanzibar?

Zanzibar is Google's global authorization system, used across Google's product suite. It stores relation data as object-relation-user tuples, then evaluates those tuples to decide whether a given user holds a given relation to a given object. For more information, see the Zanzibar paper.
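To make the tuple model and the ReBAC parent-folder rule above concrete, here is a small in-memory Zanzibar-style check, added as an illustration: it is not the Okta FGA SDK or its API, and the tuples, object types, `INHERIT_FROM_PARENT` table and `check` function are all constructed for this example.

```javascript
// Constructed sample tuples in object#relation@user form, e.g.
// "doc:readme#viewer@user:anne". A user field may also name a userset,
// such as "team:eng#member" (every member of team eng).
const TUPLES = [
  { object: "doc:readme",  relation: "viewer", user: "user:anne" },       // direct grant
  { object: "doc:readme",  relation: "parent", user: "folder:src" },      // doc lives in folder
  { object: "folder:src",  relation: "viewer", user: "user:bob" },        // folder-level grant
  { object: "team:eng",    relation: "member", user: "user:carol" },      // group membership
  { object: "folder:src",  relation: "viewer", user: "team:eng#member" }, // grant to a userset
];

// Which relations an object type inherits through its "parent" tuple:
// a doc's viewer is also anyone who is a viewer of the doc's parent folder.
const INHERIT_FROM_PARENT = { doc: { viewer: "viewer" } };

// Resolve "does `user` hold `relation` on `object`?" by walking direct
// tuples, userset references and parent inheritance. The depth bound keeps
// a malformed store (cyclic parents or self-referencing usersets) from
// recursing forever; an over-deep chain is denied rather than allowed.
function check(object, relation, user, tuples = TUPLES, depth = 0) {
  if (depth > 10) return false;
  for (const t of tuples) {
    if (t.object !== object || t.relation !== relation) continue;
    if (t.user === user) return true;                  // direct tuple match
    const m = /^(.+)#(.+)$/.exec(t.user);              // userset, e.g. team:eng#member
    if (m && check(m[1], m[2], user, tuples, depth + 1)) return true;
  }
  const type = object.split(":")[0];
  const parentRelation = (INHERIT_FROM_PARENT[type] || {})[relation];
  if (!parentRelation) return false;
  return tuples
    .filter(t => t.object === object && t.relation === "parent")
    .some(p => check(p.user, parentRelation, user, tuples, depth + 1));
}

// anne: direct; bob: via folder viewer; carol: via folder -> team#member; dave: denied
for (const u of ["user:anne", "user:bob", "user:carol", "user:dave"]) {
  console.log(`${u} can view doc:readme: ${check("doc:readme", "viewer", u)}`);
}
```

Note that the same lookup denies anne on the folder itself: a grant on a document does not flow upward to its parent, only downward from folder to document.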

Have Feedback?

You can use any of our support channels for any questions or suggestions you may have.