Introduction to the Okta Fine Grained Authorization (FGA) Dashboard
Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Okta FGA during the Developer Community Preview can be found here.
What is Okta FGA Dashboard?
The Okta FGA Dashboard is a tool that helps you manage your Okta FGA setup.
It allows you to create, visualize and test your authorization models. It also allows you to create credentials in order to be able to directly call the Okta FGA API.
Getting started
Log into the Okta FGA Dashboard. You will be asked to set up your account if this is the first time you have logged in. Enter an account name and store name in the provided text box and click Get Started.
You will be then presented with the Getting Started page which will guide you in the steps for setting up your store. The first step will be Define your Authorization Model. Click Navigate to Model Explorer to get started.
You may switch to other steps in the process by accessing the Store Management sidebar.
Saving your model
In the Model Explorer page, you may make changes to the authorization model in the editor panel located on the left part of the page. Note that only the DSL syntax is supported.
After the changes are made, click SAVE. The SAVE button will be disabled if no changes have been made since the last save.
After the authorization model is saved, the Previewer will be updated with a visualization of the new authorization model.
After the authorization model is saved, the SAVE button is no longer active.
Syntax errors will be highlighted in red. Hovering the mouse over the error will provide additional details.
Adding relationship tuples
In the Tuple Management page, you may add relationship tuples in the Tuple Editor panel located on the left part of the page.
Click Add Tuple+ to add new relationship tuples.
For the USER text box, type in the user identifier. Make sure the user identifier is in the correct format.
For the OBJECT line, the drop down list allows you to choose the type and the text box allows you type in the object name.
For the RELATION there will be a drop down selector allowing you to choose from the type's possible relations.
Click the check mark button to save. The X button will cancel the changes.
The added relationship tuples will be shown in the tuples editor panel.
Relationship tuples may be removed by clicking the trash can button.
Running queries
In the Tuple Management page, you may also run relationship tuple queries to view how the relationship is established between a user and an object. This is available in the Query Tool panel in the right part of the screen.
There is a textbox below the header Query Tool where you can type the query.
The query is in the form "is x related to y as z?". This form of query will provide visualization on why the relationship exists between user and object. The query field supports queries in the form of:
- "Is x related to y as z?"
- "Who is related to y as z?"
Is x related to y as z?
The first type of query is of the form: "Is x related to y as z?". This form of query will provide visualization on why the relationship exists between user and object.
In the query box, type "Is adam related to team:awesome as member?" and type Enter.
Successful queries will show visualization on how the relationship is established in the Query Tool panel. In addition, there is a green YES box in the panel.
Unsuccessful queries will be denoted with a red NO box in the Query Tool panel.
Who is related to y as z?
The second type of query is of the form: "Who is related to y as z?". This form of query will provide visualization on who has a particular relationship with an object.
In the query box, type "Who is related to team:awesome as member?" and type Enter.
A successful query will show visualization on all the users that have the relationship in the TUPLE QUERIES panel. As it can be seen, only adam and ben has member relationship with team:awesome.
Developer mode
The Developer Mode page provides a single page view with panels that allow managing the authorization model, relationship tuples, and assertions. You may toggle between the authorization model editor and the authorization model previewer by clicking the Preview button in the Editor panel. New relationship tuples may be added and relationship tuples may be removed in the Tuples Editor.
Adding assertions
In the developer mode page, you may run assertions to test authorization models and relationship tuples. To add new assertions, click Add Assertion button in the Assertions Editor panel located on the right side of the screen.
This will bring up the text for User, Relation and Object. Type in the values desired. Toggle the ASSERTION selection on (green) to indicate that you expect the relationship to exist. Toggle the ASSERTION selection off (light gray) to indicate that you expect the relationship not to exist.
Click check mark button to add the assertion. Click X button to cancel.
To test all assertions, click the Run All button.
You may also only test a subset of the assertions by selecting the desired assertions to test and clicking Run Selected.
The result of the last assertions test will be shown at the bottom of the panel.
Settings
The Settings page allows you to update the store settings, including store name and store ID. The store name is used for user-facing identification in the dashboard. You may also generate API credentials (ID and secret pairs) by accessing the Create Credentials button.
Create API credentials
The Create API Credentials page allow you to generate API credentials (ID and secret pairs) that may be used by the Okta FGA API and SDKs. To generate the API credentials:
You need to create credentials before you are able to call the the Okta FGA API.
Click the Create Credentials button
Enter the Credentials Name and click Submit.
The client secret will be available in the pop up window. Copy the secret value and store it in a secure location. If the secret is lost or compromised, you must rotate this secret to generate a new one. Click Confirm to close the pop up window.
You will not be able to retrieve the secret again without rotating it, and expiring the previous value.
To update the secret to a new value, click Rotate Secret in the Settings page.
To remove the secret, click Delete Credentials in the Settings page.
Manage collaborators
The FGA dashboard allows you to share access and collaborate on models, tuples, and assertions with others via an invite system accessible by clicking on Manage Collaborators in the top bar of the dashboard interface.
During this first phase of the Developer Community Preview, every collaborator has admin rights. We will add additional roles and fine-grained permissions in a future release.
How to invite collaborators
To invite collaborators, navigate to the Manage Collaborators view and click the Invite Collaborator button. In the modal that opens, you can enter the invitee’s email in the text box and then click Invite. The invitee will then receive an email inviting them to join the project. Once they accept the invitation, they will have admin access to all the account’s FGA dashboard resources.
After inviting, you may also use the Copy action button to copy the invitation link to the clipboard. This makes it easy to share access through a messaging platform like Slack or Teams. To use the invite link, the new collaborator must sign in using the same email you added, otherwise the invitation will be invalidated.
Invitations are one-time only. If an invitation is canceled, expires, or is invalidated in any other way, a new invitation will have to be sent.
The UI will show you the existing invites and collaborators based on status.
How to cancel an invitation
Anyone with access to the Manage Collaborators view has the ability to cancel a pending invitation. To do this, click the button with a red trash can icon beside the user whose invitation you’d like to cancel. The invitation will become invalid and can no longer be used.
If the invitation has already been accepted, you will instead need to revoke the invitee’s access instead of cancelling the invitation to prevent the invitee from accessing the account’s dashboard resources.
How to accept an invitation
You can receive an invite through an email or through a link shared directly with you.
After you receive an invite with a link, you can go to that link and will be asked to sign in. Make sure to sign in with the same email address that the invitation was sent to, otherwise the invitation will be canceled and you will have to request a new invite.
How to remove a collaborator
If the collaborator has an active dashboard session when removed, it might take some time for the change to propagate. They may still have access for a few minutes.
Removing a collaborator revokes their access to the dashboard, but if a user has had API access shared with them, or has generated/rotated client secrets while they had access to the dashboard, they might still have access to the model and tuples of your store via the API. If necessary, rotate the secrets in the Store Settings view for each store in your account.
Switching between customer accounts
When you have more than one customer account, you may switch between these accounts by clicking the name of the current account in the top bar of the Dashboard interface. The ‘Switch Account’ button will display the customer accounts you have access to.
Create new store
The FGA dashboard allows you to create more than one store by clicking the STORES selector at the left side of the dashboard interface.
Any user with access to the Customer Account you are in will have access to the newly created store.
- Select Create new store in the store selector drop down menu.
- Enter the desired store name in the Create New Store page and click Finish.
Switching between stores
When you have more than one stores, you may switch between these stores by clicking the store selector, and selecting the store you would like to switch to.
Note: There is a known issue where the Dashboard only allows selecting between the first 6 stores created, we are working on a fix.
Limitations
For the developer community preview, Okta FGA is not considered production-ready and does not come with any SLAs. As such, its availability and uptime are not guaranteed.
In addition, the Okta FGA has limits on the frequency of API calls, store and authorization models. Details can be found here.
These limits are intentionally set low, as this is a preview product. If you're interested in using the APIs in a product, please reach out to us on our Discord community.
At a high level:
- Each authorization model can have at most 80 types.
- Each store can create/update authorization model at most 10 times per minute.
- Each store can read a particular authorization model at most 30 times per minute.
- Each store has a limit of 300 check requests per second.
- Each store has a limit of 25 read requests per second.
- Each store has a limit of 30 expand requests per minute.
- Each store has a limit of 20 write request per second and each write request can accept adding or deleting at most 40 relationship tuples.
- Each store has a limit of 5 read changes requests per second.
- Each store has a limit of 10 list objects requests per minute. (Note: each request will return whatever is found in 3 seconds or a max of 1000 objects, whichever limit is reached first)
- Each store has a limit of 50000 relationship tuples.