Introduction to the Okta Fine Grained Authorization (FGA) Playground

What is Okta FGA Playground?

The Okta FGA Playground is a learning tool meant to help you learn and play with Okta Fine Grained Authorization (FGA). It allows you to easily create, visualize, share and test your authorization models.

Warning

Currently on the Playground, store security is through obscurity; to access a store you need to know its UUID, but there are no other checks. Please use identifiers and do not store any PII or data that cannot be public.
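One way to follow this advice before typing tuples into a store, as an added example that is not Okta's code: replace email-like user values with stable opaque identifiers derived from a key that stays on your machine. The function names, the key handling and the sample tuples are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample tuples (user, relation, object); not from a real system.
SAMPLE_TUPLES = [
    ("adam.smith@example.com", "reader", "resource:page1"),
    ("adam.smith@example.com", "writer", "resource:page2"),
    ("u-7f3a", "reader", "resource:page1"),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_pii(value: str) -> bool:
    """Heuristic: flags email-like values only; extend it for names or phone numbers."""
    return bool(EMAIL_RE.match(value))


def opaque_id(value: str, key: bytes) -> str:
    """Stable pseudonym: the same input and key always give the same identifier."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "u-" + digest[:16]


def sanitize(tuples, key: bytes):
    """Return tuples with PII-looking users replaced, plus a mapping to keep locally."""
    mapping = {}
    cleaned = []
    for user, relation, obj in tuples:
        if looks_like_pii(user):
            mapping.setdefault(user, opaque_id(user, key))
            user = mapping[user]
        cleaned.append((user, relation, obj))
    return cleaned, mapping
```

Only the user field is checked here; object identifiers can carry PII as well and deserve the same review.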

The Okta FGA Playground

Get started with Okta Fine Grained Authorization on the Okta FGA Playground

Tour of Okta FGA Playground

If this is the first time you visit the Okta FGA Playground, it will ask you to go through a tour to explain how you can use it. We suggest taking a moment to complete the tour there before coming back to this post.

  1. In your browser, open https://play.fga.dev in a new tab.

  2. You should see this page if this is the first time you click on that link: Image showing the Okta FGA Playground asking to complete the intro

    The Okta FGA Playground asking to complete the tutorial. Press NEXT to see the intro or SKIP to skip it

  3. If you skip or complete the intro, you will be asked if you would like to go through the tour: Image showing the Okta FGA Playground asking to complete the tour

    The Okta FGA Playground asking to complete the tour. Press TAKE A TOUR to start the tour or GET STARTED to skip directly to the playground

  4. You should see this page if you have completed the tour: Image showing the Okta FGA Playground

    The Okta FGA Playground once the tour is completed

Default Stores vs. User Stores

The Okta FGA Playground has both default stores and user stores.

Default stores have authorization models, relationship tuples and assertions that are pre-populated by Okta and are not modifiable. They are samples to allow you to better understand advanced use cases.

User stores are user-defined configurations. Their authorization models, relationship tuples and assertions may be modified and saved.

Creating a new store

  1. Click the NEW STORE button on the top right hand corner of the screen. Image showing the Okta FGA Playground New Store button

  2. Type the store name in the text box. Note that the store name may only contain letters, numbers and '-'. Image showing the Okta FGA Playground new store prompt

  3. Click the CREATE button. Image showing the Okta FGA Playground new store create button

Saving your model

  1. On your User Stores, you may make changes to the authorization model in the types panel located on the upper left part of the screen. Note that only the DSL syntax is supported. Image showing the Okta FGA Playground types panel

  2. After the changes are made, click SAVE. Image showing the Okta FGA Playground types save button

  3. After the authorization model is saved, the Types Previewer will be updated with the new authorization model preview. Image showing the Okta FGA Playground type preview

  4. After the authorization model is saved, the SAVE button is no longer active. Image showing the Okta FGA Playground type save button after save

    info

    The Playground will only save if there are no syntax errors. Syntax errors will be highlighted in red. Hovering the mouse over the error will provide additional details. Image showing the Okta FGA Playground with invalid syntax

Adding relationship tuples

  1. On your User Stores, you may add relationship tuples in the relationship tuples panel located on the lower left part of the screen. Image showing the Okta FGA Playground relationship tuples panel

  2. Click ADD TUPLE to add new relationship tuples. Image showing the Okta FGA Playground add tuples button

  3. This will bring up the text boxes for User, Relation and Object. Type in the values desired. Image showing the Okta FGA Playground add tuples screen

  4. Click the SAVE button. Image showing the Okta FGA Playground add tuples save button

  5. The added relationship tuples will be shown in the relationship tuples panel. Image showing the Okta FGA Playground relationship tuples added

  6. Relationship tuples may be removed by clicking the garbage bin button. Image showing the Okta FGA Playground relationship tuples removal button

    info

    Relationship tuples may not be added if the corresponding authorization model has not yet been saved/updated. An active SAVE button in the types panel indicates that the model still has unsaved changes.

Adding assertions

  1. On your User Stores, you may run assertions to test authorization models and relationship tuples. To add new assertions, click the Assertions tab in the relationship tuples panel located on the lower left part of the screen. Image showing the Okta FGA Playground assertions tab

  2. After the Assertions tab is selected, click ADD ASSERTION to add new assertions. Image showing the Okta FGA Playground add assertion button

  3. This will bring up the text boxes for User, Relation and Object. Type in the values desired. Set Allowed to TRUE if you want to assert that the relationship exists, or to FALSE if you want to assert that the relationship does not exist. Image showing the Okta FGA Playground assertion true relationship

  4. Click the SAVE button to add the assertion. Image showing the Okta FGA Playground assertion being saved

  5. To assert that a relationship does not exist, set Allowed to FALSE. Image showing the Okta FGA Playground assertion false relationship

  6. To run all tests, click the Run all tests button. Image showing the Okta FGA Playground assertion run all tests button

  7. The assertion test results are indicated in the assertion panels. The blue experiment box shows the number of tests. The green check box indicates the number of passing assertions. The red slash box indicates the number of failed assertions. Image showing the Okta FGA Playground assertion results

Running queries

  1. You may also run relationship tuple queries to view how the relationship is established between a user and an object. To do this, click the TUPLE QUERIES tab in the previewer panel at the lower right half of the screen. Image showing the Okta FGA Playground queries tab

  2. After the TUPLE QUERIES tab is clicked, you will be shown the TUPLE QUERIES panel, where you can type the query in the text box. Image showing the Okta FGA Playground query text box

There are two types of queries that can be asked:

The first type of query is of the form: "Is x related to y as z?". This form of query visualizes why the relationship exists between the user and the object.

  1. In the query box, type "Is adam related to resource:page1 as reader?" and press Enter. Image showing the Okta FGA Playground is related query

  2. A successful query will show a visualization of how the relationship is established in the TUPLE QUERIES panel. Image showing the Okta FGA Playground successful how query

  3. An unsuccessful query will be denoted with a red box in the TUPLE QUERIES panel. Image showing the Okta FGA Playground unsuccessful query

The second type of query is of the form: "Who is related to y as z?". This form of query visualizes who has a particular relationship with an object.

  1. In the query box, type "who is related to resource:page1 as reader?" and press Enter. Image showing the Okta FGA Playground who is related query

  2. A successful query will show a visualization of all the users that have the relationship in the TUPLE QUERIES panel. As shown, only adam has the reader relationship with resource:page1. Image showing the Okta FGA Playground successful who query
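The two query forms and the assertion counts described above, as an added example that is not part of the Okta FGA documentation or engine: a toy evaluator over constructed tuples. The model (a writer is also a reader), the user beth and resource:page2 are assumptions added for illustration; adam and resource:page1 come from the queries above.

```python
# Constructed model: for each relation, the other relations on the same object that
# imply it. Here a writer is also a reader. Toy evaluator, not the Okta FGA engine.
MODEL = {"resource": {"reader": ["writer"], "writer": []}}

# Constructed relationship tuples (user, relation, object).
TUPLES = {
    ("adam", "reader", "resource:page1"),
    ("beth", "writer", "resource:page2"),
}


def check(user, relation, obj, seen=None):
    """'Is user related to obj as relation?' Returns the explaining path, or None."""
    seen = seen or set()
    if (relation, obj) in seen:  # guard against cyclic model definitions
        return None
    seen.add((relation, obj))
    if (user, relation, obj) in TUPLES:
        return [f"{user} is {relation} of {obj} (direct tuple)"]
    obj_type = obj.split(":", 1)[0]
    for implied_by in MODEL.get(obj_type, {}).get(relation, []):
        path = check(user, implied_by, obj, seen)
        if path:
            return path + [f"{implied_by} implies {relation} on {obj}"]
    return None


def who_is_related(relation, obj):
    """'Who is related to obj as relation?' Checks every user seen in the tuples."""
    users = {u for (u, _, _) in TUPLES}
    return sorted(u for u in users if check(u, relation, obj))


def run_assertions(assertions):
    """Each assertion is (user, relation, obj, allowed). Returns (total, passed, failed)."""
    passed = sum((check(u, r, o) is not None) == allowed for u, r, o, allowed in assertions)
    return len(assertions), passed, len(assertions) - passed


ASSERTIONS = [
    ("adam", "reader", "resource:page1", True),
    ("adam", "reader", "resource:page2", False),
    ("beth", "reader", "resource:page2", True),  # holds via writer
    ("beth", "writer", "resource:page1", True),  # deliberately wrong: counted as failed
]
```

An assertion with Allowed set to FALSE passes when the check finds no path, which is why the second assertion counts as passing.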

Getting store ID

The store ID is a value that uniquely identifies the store. To obtain the store ID:

  1. Click on the three dots button on the top-right of the screen. Image showing button to press

  2. Select Copy Store ID on the top-right of the screen. Image showing pasted text

  3. The store ID is in the clipboard.

Sharing the store

You can also share the store with others by sending them the playground's store URL. To share the store:

  1. Click on the three dots button on the top-right of the screen. Image showing button to press

  2. Select Share on the top-right of the screen. Image showing button to share

  3. The playground's store URL is in the clipboard.

  4. To load the playground's shared store, paste the URL in the address bar and press enter. You will be asked to Create store. Enter a name that you wish to uniquely identify this store. Image showing store URL being entered

Entitlements

Modeling Entitlements for a System in Okta FGA.

IoT

Modeling Fine Grained Authorization for an IoT Security Camera System with Okta FGA.

Slack

Modeling Authorization for Slack with Okta FGA.
