
Introduction to the Okta Fine Grained Authorization (FGA) Dashboard

What is Okta FGA Dashboard?

The Okta FGA Dashboard is a tool that helps you manage your Okta FGA setup.

It allows you to create, visualize and test your authorization models. It also allows you to create credentials in order to be able to directly call the Okta FGA API.

The Okta FGA Dashboard

Get started with Okta Fine Grained Authorization on the Okta FGA Dashboard

Getting started

  1. Log into the Okta FGA Dashboard. You will be asked to set up your account if this is the first time you have logged in. Enter an account name and store name in the provided text box and click Get Started.

    Image showing the Okta FGA Dashboard signup screen

  2. You will then be presented with the Getting Started page, which guides you through the steps for setting up your store. The first step is Define your Authorization Model. Click Navigate to Model Explorer to get started.

    Image showing the dashboard getting started page

  3. You may switch to other steps in the process by accessing the Store Management sidebar.

Saving your model

  1. In the Model Explorer page, you may make changes to the authorization model in the editor panel located on the left part of the page. Note that only the DSL syntax is supported.

    Image showing the model explorer

  2. After the changes are made, click SAVE. The SAVE button will be disabled if no changes have been made since the last save.

    Image showing the model explorer save button active

  3. After the authorization model is saved, the Previewer will be updated with a visualization of the new authorization model. You will also be given a new Model ID that corresponds to the latest model.

    Image showing the model explorer previewer

  4. After the authorization model is saved, the SAVE button is no longer active.

    Image showing the model explorer save button after save

info

Syntax errors will be highlighted in red. Hovering the mouse over the error will provide additional details.

Image showing the model explorer with invalid syntax

Adding relationship tuples

  1. In the Tuple Management page, you may add relationship tuples in the Tuple Editor panel located on the left part of the page.

    Image showing the tuples editor

  2. Click Add Tuple+ to add new relationship tuples.

    Image showing the tuples editor add tuples button

  3. This will bring up the input for User, Object and Relation.

  • For the USER text box, type in the user identifier. Make sure the user identifier is in the correct format.

  • For the OBJECT line, the drop down list allows you to choose the type and the text box allows you to type in the object name.

  • For the RELATION there will be a drop down selector allowing you to choose from the type's possible relations.

    Image showing the relationship tuples input box

  4. Click the check mark button to save. The X button will cancel the changes.

    Image showing the relationship tuples being added

  5. The added relationship tuples will be shown in the tuples editor panel.

    Image showing after the relationship tuples are added

  6. Relationship tuples may be removed by clicking the trash can button.

    Image showing location of trash can button

Running queries

  1. In the Tuple Management page, you may also run relationship tuple queries to view how the relationship is established between a user and an object. This is available in the Query Tool panel in the right part of the screen.

    Image showing the query window

  2. There is a textbox below the header Query Tool where you can type the query.

    Image showing location of query tool text box

  3. The query field supports queries in the form of:

    • "Is x related to y as z?"
    • "Who is related to y as z?"

The first type of query is of the form: "Is x related to y as z?". This form of query will provide visualization on why the relationship exists between user and object.

  1. In the query box, type "Is adam related to team:awesome as member?" and press Enter.

    Image showing query box question

  2. Successful queries show a visualization of how the relationship is established in the Query Tool panel. In addition, there is a green YES box in the panel.

    Image showing successful query

  3. Unsuccessful queries will be denoted with a red NO box in the Query Tool panel.

    Image showing unsuccessful query

The second type of query is of the form: "Who is related to y as z?". This form of query will provide visualization on who has a particular relationship with an object.

  1. In the query box, type "Who is related to team:awesome as member?" and press Enter.

    Image showing query box with question who

  2. A successful query will show a visualization of all the users that have the relationship in the TUPLE QUERIES panel. As can be seen, only adam and ben have the member relationship with team:awesome.

    Image showing query box with question who with answer

Developer mode

The Developer Mode page provides a single page view with panels that allow managing the authorization model, relationship tuples, and assertions. You may toggle between the authorization model editor and the authorization model previewer by clicking the Preview button in the Editor panel. New relationship tuples may be added and relationship tuples may be removed in the Tuples Editor.

Image showing developer mode

Adding assertions

  1. In the developer mode page, you may run assertions to test authorization models and relationship tuples. To add new assertions, click the Add Assertion button in the Assertions Editor panel located on the right side of the screen.

    Image showing the add assertion button

  2. This will bring up the text for User, Relation and Object. Type in the values desired. Toggle the ASSERTION selection on (green) to indicate that you expect the relationship to exist. Toggle the ASSERTION selection off (light gray) to indicate that you expect the relationship not to exist.

    Image showing the add assertion popup

  3. Click the check mark button to add the assertion. Click the X button to cancel.

  4. To test all assertions, click the Run All button.

    Image showing run all and results

  5. You may also only test a subset of the assertions by selecting the desired assertions to test and clicking Run Selected.

  6. The result of the last assertions test will be shown at the bottom of the panel.
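The two query forms and the assertion workflow described above can be mirrored locally, as an added example that is not Okta's code and does not call the Okta FGA API. It is simplified: it resolves only direct tuples and userset tuples, whereas the service evaluates the full authorization model. The `object#relation` userset notation, `doc:roadmap`, `carl` and all function names are assumptions.

```python
import re

# Constructed sample tuples (user, relation, object), using the page's names.
# "team:awesome#member" is a userset (assumed notation): all members of the team.
TUPLES = [
    ("adam", "member", "team:awesome"),
    ("ben", "member", "team:awesome"),
    ("team:awesome#member", "viewer", "doc:roadmap"),
]
QUERY = re.compile(r"^(?:is\s+(?P<user>\S+)|who\s+is)\s+related\s+to\s+"
                   r"(?P<obj>\S+)\s+as\s+(?P<rel>\w+)\?$", re.I)

def explain(user, relation, obj, seen=None):
    """Return the chain of tuples that grants the relation, or None if denied."""
    seen = seen if seen is not None else set()
    if (relation, obj) in seen:  # stop on cyclic usersets
        return None
    seen.add((relation, obj))
    for t_user, t_rel, t_obj in TUPLES:
        if (t_rel, t_obj) != (relation, obj):
            continue
        if t_user == user:
            return [(t_user, t_rel, t_obj)]
        if "#" in t_user:  # resolve the userset, then append the tuple that uses it
            via_obj, via_rel = t_user.split("#", 1)
            path = explain(user, via_rel, via_obj, seen)
            if path is not None:
                return path + [(t_user, t_rel, t_obj)]
    return None

def who(relation, obj):
    # "Who is related to obj as relation?" over the concrete (non-userset) users.
    users = {u for u, _, _ in TUPLES if "#" not in u}
    return sorted(u for u in users if explain(u, relation, obj))

def run_query(text):
    """Parse one of the two dashboard query forms and evaluate it."""
    m = QUERY.match(text.strip())
    if not m:
        raise ValueError("unsupported query form: " + text)
    if m["user"]:
        return explain(m["user"], m["rel"], m["obj"]) is not None
    return who(m["rel"], m["obj"])

# Constructed assertions (user, relation, object, expected). The False entry is a
# negative assertion: it fails if a later tuple change over-grants access.
ASSERTIONS = [("adam", "viewer", "doc:roadmap", True),
              ("carl", "viewer", "doc:roadmap", False)]

def run_assertions(assertions):
    """Return the assertions whose actual result differs from the expectation."""
    return [a for a in assertions if (explain(*a[:3]) is not None) != a[3]]
```

The list returned by `explain` plays the role of the dashboard's visualization of why a relationship exists; an empty list from `run_assertions` corresponds to all assertions passing.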

Settings

The Settings page allows you to update the store settings, such as the store name. The store name is used for user-facing identification in the dashboard. You may also generate API credentials (ID and secret pairs) by accessing the Create Credentials button.

Image showing Okta FGA settings page

Create API credentials

The Create API Credentials page allows you to generate API credentials (ID and secret pairs) that may be used by the Okta FGA API and SDKs. To generate the API credentials:

note

You need to create credentials before you are able to call the Okta FGA API.

  1. Click the Create Credentials button

    Image showing Okta FGA settings page click create credential

  2. Enter the Credentials Name and click Submit.

    Image showing Okta FGA credential name page

  3. The client secret will be available in the pop up window. Copy the secret value and store it in a secure location. If the secret is lost or compromised, you must rotate this secret to generate a new one. Click Confirm to close the pop up window.

    Image showing Okta FGA credential secret popup

caution

You will not be able to retrieve the secret again without rotating it, which expires the previous value.

  4. To update the secret to a new value, click Rotate Secret in the Settings page.

    Image showing rotating secret

  5. To remove the secret, click Delete Credentials in the Settings page.

    Image showing delete secret

Deleting a Store

The Settings page allows you to delete your current store. To delete a store:

  1. Click the Delete Store button

    Image showing Okta FGA settings page click delete store

  2. A pop-up appears warning you that this will permanently delete the store model, tuples, and API keys.

    Image showing Okta FGA delete store popup

  3. Enter the Store Name and click Submit.

    Image showing Okta FGA credential name page

Manage account

To view details about your account, click Manage Account on the top bar of the dashboard. This is where you can find your Account ID and subscription tier, as well as the text box where you can also edit your Account Name; click Save Changes when you're done. If you would like to change your subscription, use the linked Contact Us form.

See the available subscription plans.

Image showing the manage account page

Manage collaborators

The FGA dashboard allows you to share access and collaborate on models, tuples, and assertions with others via an invite system accessible by scrolling to the Invite and Manage Collaborators section.

Currently, every collaborator has admin rights. We will be adding additional roles and fine-grained permissions in a future release.

How to invite collaborators

Image showing how to invite collaborators

To invite collaborators, navigate to the Manage Collaborators view and click the Invite Collaborator button. In the modal that opens, you can enter the invitee’s email in the text box and then click Invite. The invitee will then receive an email inviting them to join the project. Once they accept the invitation, they will have admin access to all the account’s FGA dashboard resources.

note

After inviting, you may also use the Copy action button to copy the invitation link to the clipboard. This makes it easy to share access through a messaging platform like Slack or Teams. To use the invite link, the new collaborator must sign in using the same email you added, otherwise the invitation will be invalidated.

note

Invitations are one-time only. If an invitation is canceled, expires, or is invalidated in any other way, a new invitation will have to be sent.

The UI will show you the existing invites and collaborators based on status.

  • Expired
  • Pending
  • Accepted and Joined

How to cancel an invitation

Image showing cancel an invitation

Anyone with access to the Manage Collaborators view has the ability to cancel a pending invitation. To do this, click the button with a red trash can icon beside the user whose invitation you’d like to cancel. The invitation will become invalid and can no longer be used.

note

If the invitation has already been accepted, you will need to revoke the invitee’s access instead of cancelling the invitation to prevent the invitee from accessing the account’s dashboard resources.

How to accept an invitation

You can receive an invite through an email or through a link shared directly with you.

Image showing email invitation

After you receive an invite with a link, you can go to that link and will be asked to sign in. Make sure to sign in with the same email address that the invitation was sent to, otherwise the invitation will be canceled and you will have to request a new invite.

How to remove a collaborator

Image showing how to remove a collaborator

caution

If the collaborator has an active dashboard session when removed, it might take some time for the change to propagate. They may still have access for a few minutes.

caution

Removing a collaborator revokes their access to the dashboard, but if a user has had API access shared with them, or has generated/rotated client secrets while they had access to the dashboard, they might still have access to the model and tuples of your store via the API. If necessary, rotate the secrets in the Store Settings view for each store in your account.

Switching between customer accounts

Image showing switching account

When you have more than one customer account, you may switch between these accounts by clicking the name of the current account in the top bar of the Dashboard interface. The ‘Switch Account’ button will display the customer accounts you have access to.

Create new store

The FGA dashboard allows you to create more than one store by clicking the STORES selector at the left side of the dashboard interface.

Any user with access to the Customer Account you are in will have access to the newly created store.

Image showing store selector

  1. Select Create new store in the store selector drop down menu.

Image showing create new store in the store selector

  2. Enter the desired store name in the Create New Store page and click Finish.

Image showing create new store page

Switching between stores

Image showing store selector with more than one store

When you have more than one store, you may switch between these stores by clicking the store selector and selecting the store you would like to switch to.

Note: There is a known issue where the Dashboard only allows selecting between the first 6 stores created; we are working on a fix.

How to get your API keys

Get your API keys from the dashboard and integrate with the SDK.
