Skip to main content

Introduction to the Auth0 Fine Grained Authorization (FGA) Dashboard

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

What is Auth0 FGA Dashboard?

The Auth0 FGA Dashboard is a tool that helps you manage your Auth0 Fine Grained Authorization (FGA) setup.

It allows you to create, visualize and test your authorization models. It also allows you to create credentials in order to be able to directly call the Auth0 FGA API.

The Auth0 FGA Dashboard

Get started with Auth0 Fine Grained Authorization on the Auth0 FGA Dashboard

Getting started

  1. Log into the Auth0 FGA Dashboard. You will be asked to set up your account if this is the first time you have logged in. Enter an account name and store name in the provided text box and click Get Started.

    Image showing the Auth0 FGA Dashboard signup screen

  2. You will be then presented with the Getting Started page which will guide you in the steps for setting up your store. The first step will be Define your Authorization Model. Click Navigate to Model Explorer to get started.

    Image showing the dashboard getting started page

  3. You may switch to other steps in the process by accessing the Store Management sidebar.

Saving your model

  1. In the Model Explorer page, you may make changes to the authorization model in the editor panel located on the left part of the page. Note that only the DSL syntax is supported.

    Image showing the model explorer

  2. After the changes are made, click SAVE. The SAVE button will be disabled if no changes have been made since the last save.

    Image showing the model explorer save button active

  3. After the authorization model is saved, the Previewer will be updated with a visualization of the new authorization model.

    Image showing the model explorer previewer

  4. After the authorization model is saved, the SAVE button is no longer active.

    Image showing the model explorer save button after save

info

Syntax errors will be highlighted in red. Hovering the mouse over the error will provide additional details.

Image showing the model explorer with invalid syntax

Adding relationship tuples

  1. In the Tuple Management page, you may add relationship tuples in the Tuple Editor panel located on the left part of the page.

    Image showing the tuples editor

  2. Click Add Tuple+ to add new relationship tuples.

    Image showing the tuples editor add tuples button

  3. This will bring up the input for User, Object and Relation.

  • For the USER text box, type in the user identifier. Make sure the user identifier is in the correct format.

  • For the OBJECT line, the drop down list allows you to choose the type and the text box allows you type in the object name.

  • For the RELATION there will be a drop down selector allowing you to choose from the type's possible relations.

    Image showing the relationship tuples input box

  1. Click the check mark button to save. The X button will cancel the changes.

    Image showing the relationship tuples being added

  2. The added relationship tuples will be shown in the tuples editor panel.

    Image showing after the relationship tuples are added

  3. Relationship tuples may be removed by clicking the trash can button.

    Image showing location of trash can button

Running queries

  1. In the Tuple Management page, you may also run relationship tuple queries to view how the relationship is established between a user and an object. This is available in the Query Tool panel in the right part of the screen.

    Image showings the query window

  2. There is a textbox below the header Query Tool where you can type the query.

    Image showing location of query tool text box

  3. The query is in the form "is x related to y as z?". This form of query will provide visualization on why the relationship exists between user and object. The query field supports queries in the form of:

    • "Is x related to y as z?"
    • "Who is related to y as z?"

The first type of query is of the form: "Is x related to y as z?". This form of query will provide visualization on why the relationship exists between user and object.

  1. In the query box, type "Is adam related to team:awesome as member?" and type Enter.

    Image showing query box question

  2. Successful queries will show visualization on how the relationship is established in the Query Tool panel. In addition, there is a green YES box in the panel.

    Image showing successful query

  3. Unsuccessful queries will be denoted with a red NO box in the Query Tool panel.

    Image showing unsuccessful query

The second type of query is of the form: "Who is related to y as z?". This form of query will provide visualization on who has a particular relationship with an object.

  1. In the query box, type "Who is related to team:awesome as member?" and type Enter.

    Image showing query box with question who

  2. A successful query will show visualization on all the users that have the relationship in the TUPLE QUERIES panel. As it can be seen, only adam and ben has member relationship with team:awesome.

    Image showing query box with question who with answer

Developer mode

The Developer Mode page provides a single page view with panels that allow managing the authorization model, relationship tuples, and assertions. You may toggle between the authorization model editor and the authorization model previewer by clicking the Preview button in the Editor panel. New relationship tuples may be added and relationship tuples may be removed in the Tuples Editor.

Image showing developer mode

Adding assertions

  1. In the developer mode page, you may run assertions to test authorization models and relationship tuples. To add new assertions, click Add Assertion button in the Assertions Editor panel located on the right side of the screen.

    Image showing the add assertion button

  2. This will bring up the text for User, Relation and Object. Type in the values desired. Toggle the ASSERTION selection on (green) to indicate that you expect the relationship to exist. Toggle the ASSERTION selection off (light gray) to indicate that you expect the relationship not to exist.

    Image showing the add assertion popup

  3. Click check mark button to add the assertion. Click X button to cancel.

  4. To test all assertions, click the Run All button.

    Image showing run all and results

  5. You may also only test a subset of the assertions by selecting the desired assertions to test and clicking Run Selected.

  6. The result of the last assertions test will be shown at the bottom of the panel.

Settings

The Settings page allows you to update the store settings, including store name and store ID. The store name is used for user-facing identification in the dashboard. You may also generate API credentials (ID and secret pairs) by accessing the Create Credentials button.

Image showing Auth0 FGA settings page

Create API credentials

The Create API Credentials page allow you to generate API credentials (ID and secret pairs) that may be used by the Auth0 FGA API and SDKs. To generate the API credentials:

note

You need to create credentials before you are able to call the the Auth0 FGA API.

  1. Click the Create Credentials button

    Image showing Auth0 FGA settings page click create credential

  2. Enter the Credentials Name and click Submit.

    Image showing Auth0 FGA credential name page

  3. The client secret will be available in the pop up window. Copy the secret value and store it in a secure location. If the secret is lost or compromised, you must rotate this secret to generate a new one. Click Confirm to close the pop up window.

    Image showing Auth0 FGA credential secret popup

caution

You will not be able to retrieve the secret again without rotating it, and expiring the previous value.

  1. To update the secret to a new value, click Rotate Secret in the Settings page.

    Image showing rotating secret

  2. To remove the secret, click Delete Credentials in the Settings page.

    Image showing delete secret

Manage collaborators

The FGA dashboard allows you to share access and collaborate on models, tuples, and assertions with others via an invite system accessible by clicking on Manage Collaborators in the top bar of the dashboard interface.

During this first phase of the Developer Community Preview, every collaborator has admin rights. We will add additional roles and fine-grained permissions in a future release.

How to invite collaborators

Image showing how to invite collaborators

To invite collaborators, navigate to the Manage Collaborators view and click the Invite Collaborator button. In the modal that opens, you can enter the invitee’s email in the text box and then click Invite. The invitee will then receive an email inviting them to join the project. Once they accept the invitation, they will have admin access to all the account’s FGA dashboard resources.

note

After inviting, you may also use the Copy action button to copy the invitation link to the clipboard. This makes it easy to share access through a messaging platform like Slack or Teams. To use the invite link, the new collaborator must sign in using the same email you added, otherwise the invitation will be invalidated.

note

Invitations are one-time only. If an invitation is canceled, expires, or is invalidated in any other way, a new invitation will have to be sent.

The UI will show you the existing invites and collaborators based on status.

  • Expired Expired
  • Pending Pending
  • Accepted and Joined Accepted and Joined

How to cancel an invitation

Image showing cancel an invitation

Anyone with access to the Manage Collaborators view has the ability to cancel a pending invitation. To do this, click the button with a red trash can icon beside the user whose invitation you’d like to cancel. The invitation will become invalid and can no longer be used.

note

If the invitation has already been accepted, you will instead need to revoke the invitee’s access instead of cancelling the invitation to prevent the invitee from accessing the account’s dashboard resources.

How to accept an invitation

You can receive an invite through an email or through a link shared directly with you.

Image showing email invitation

After you receive an invite with a link, you can go to that link and will be asked to sign in. Make sure to sign in with the same email address that the invitation was sent to, otherwise the invitation will be canceled and you will have to request a new invite.

How to remove a collaborator

Image showing how to remove a collaborator

note

Removing a collaborator revokes their access to the dashboard, but if a user has had API access shared with them, or has generated/rotated client secrets while they had access to the dashboard, they might still have access to your model and tuples via the API. If necessary, rotate the secrets in the Store Settings view.

Switching between customer accounts

Image showing switching account

When you have more than one customer account, you may switch between these accounts by clicking the name of the current account in the top bar of the Dashboard interface. The ‘Switch Account’ button will display the customer accounts you have access to.

Limitations

For the developer community preview, Auth0 FGA is not considered production-ready and does not come with any SLAs. As such, its availability and uptime are not guaranteed.

In addition, the Auth0 FGA has limits on the frequency of API calls, store and authorization models. Details can be found here.

These limits are intentionally set low, as this is a preview product. If you're interested in using the APIs in a product, please reach out to us on our Discord community.

At a high level:

How to get your API keys

Getting your API keys from dashboard and integrate with SDK.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.