Skip to main content

Modeling Google Drive permissions with Auth0 FGA

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

This tutorial explains how to represent Google Drive permissions model with Auth0 FGA.

What you will learn
  • Indicate relationships between a group of users and an object. See Modeling User Groups for more.
    Used here to indicate that all users within a domain can access a document (sharing a document within an organization).
  • Model concentric relationship to have a certain relation on an object imply another relation on the same object. See Modeling Concepts: Concentric Relationships for more.
    Used here is to indicate that writers are also commenters and viewers.
  • Using the union operator condition to indicate that a user might have a certain relation with an object if they match any of the criteria indicated.
    Used here to indicate that a user can be a viewer on a document, or can have the viewer relationship implied through commenter.
  • Using the `*` syntax in a relationship tuple's user field to indicate that everyone has a certain relation with an object. See Modeling Public Access for more.
    Used here to share documents publicly.
  • Model parent-child objects to indicate that a user having a relationship with a certain object implies having a relationship with another object in Auth0 FGA.
    Used here is to indicate that a writer on a folder is a writer on all documents inside that folder.

Google Drive

Explore the Google Drive sample on the Auth0 FGA Playground

Before You Start

In order to understand this guide correctly you must be familiar with some Auth0 Fine Grained Authorization (FGA) concepts and know how to develop the things that we will list below.

Auth0 FGA Concepts

It would be helpful to have an understanding of some concepts of Auth0 FGA before you start.

Modeling Concentric Relationships

You need to know how to update the authorization model to allow having nested relations such as all writers are readers. Learn more →

Modeling Object-to-Object Relationships

You need to know how to create relationships between objects and how that might affect a user's relationships to those objects. Learn more →

Used here to indicate that users who have access to view a folder have access to view all documents inside it.

Modeling Public Access

You need to know how to add a relationship tuple to indicate that a resource is publicly available. Learn more →

Concepts & Configuration Language

What You Will You Be Modeling

Google Drive is a system to store, share, and collaborate on files and folders. Source

In this tutorial, you will build a subset of the Google Drive permission model (detailed below) in Auth0 Fine Grained Authorization (FGA), using some scenarios to validate the model.

Note: For brevity, this tutorial will not model all of Google Drive's permissions. Instead, it will focus on modeling for the scenarios outlined below

Requirements

Google Drive's permission model is represented in their documentation.

In this tutorial, you will be focusing on a subset of these permissions.

Requirements:

  • Users can be owners, editors, commenters and viewers of documents
  • Documents can be shared with all users in a domain
  • Folders can contain documents and users with a certain permission on a folder have that same permission to a document in that folder
  • Documents and folders can be shared publicly

Defined Scenarios

There will be the following users:

  • Anne, who is in the xyz domain
  • Beth, who is in the xyz domain
  • Charles, who is in the xyz domain
  • Diane, who is NOT in the xyz domain
  • Erik, who is NOT in the xyz domain

There will be:

  • a 2021-budget document, owned by Anne, shared for commenting with Beth and viewable by all members of the xyz domain.
  • a 2021-planning folder, viewable by Diane and contains the 2021-budget document
  • a 2021-public-roadmap document, owned by Anne, available for members xyz domain to comment on and is publicly viewable

Modeling Google Drive's Permissions

01. Individual permissions

To keep thing simple and focus on Auth0 Fine Grained Authorization (FGA) features rather than Google Drive complexity we will model only four roles (Viewer, Commenter, Writer, Owner).

At the end of this section we want to have the following permissions represented:

Image showing permissions

To represent permissions in Auth0 FGA we use relations. For document permissions we need to create the following authorization model:

type document
relations
define owner as self
define writer as self
define commenter as self
define viewer as self

The Auth0 Fine Grained Authorization (FGA) service determines if a user has access to an object by checking if the user has a relation to that object. Let us examine one of those relations in detail:

type document
relations
define viewer as self
info

The snippet above indicates that objects of type document have users related to them as "viewer" if those users belong to the userset of all users related to the document as "viewer".

This means that a user can be directly related as a viewer to an object of type "document"

If we want to say beth is a commenter of document:2021-budget we create this relationship tuple:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
writes: {
tuple_keys: [
{ user: 'beth', relation: 'commenter', object: 'document:2021-budget'}
]
}
});

We can now ask Auth0 FGA "is beth a commenter of repository document:2021-budget?"

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'beth',
relation: 'commenter',
object: 'document:2021-budget',
},});

// allowed = true

We could also say that anne is an owner of the same document:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
writes: {
tuple_keys: [
{ user: 'anne', relation: 'owner', object: 'document:2021-budget'}
]
}
});

And ask some questions to Auth0 FGA:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'owner',
object: 'document:2021-budget',
},});

// allowed = true
Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'writer',
object: 'document:2021-budget',
},});

// allowed = false

The first reply makes sense but the second one does not. Intuitively, if anne was an owner, she was also be a writer. In fact, Google Drive explains this in their documentation

Image showing roles

To make Auth0 FGA aware of this "concentric" permission model we need to update our definitions:

type document
relations
define owner as self
define writer as self or owner
define commenter as self or writer
define viewer as self or commenter
info

Let's examine one of those relations in detail:

objects of type document have users related to them as "viewer": if they belong to any of (the union of) the following:

  • the userset of all users related to the document as "viewer"
  • the userset of all users related to the document as "commenter"

With this update our model now supports nested definitions and now:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'owner',
object: 'document:2021-budget',
},});

// allowed = true
Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'writer',
object: 'document:2021-budget',
},});

// allowed = true

02. Organization permissions

Google Drive allows you to share a file with everyone in your organization as a viewer, commenter or writer/editor.

At the end of this section we want to end up with the following permissions represented:

Image showing permissions

To add support for domains and members all we need to do is add this object to the Auth0 FGA authorization model:

type domain
relations
define member as self
info

Objects of type "domain" have users related to them as "member" if they belong to the userset of all users related to the domain as "member".

In other words, users can be direct members of a domain.

Let's now create a domain, add members to it and make all members viewers of document:2021-budget.

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
writes: {
tuple_keys: [
// make anne, beth, charles a member of the xyz domain
{ user: 'anne', relation: 'member', object: 'domain:xyz'},
{ user: 'beth', relation: 'member', object: 'domain:xyz'},
{ user: 'charles', relation: 'member', object: 'domain:xyz'},
// make members of xyz domain viewers of document:2021-budget
{ user: 'domain:xyz#member', relation: 'viewer', object: 'document:2021-budget'}
]
}
});

The last relationship tuple introduces a new Auth0 FGA concept. A userset. When the value of a user is formatted like this objectType:objectId#relation, Auth0 Fine Grained Authorization (FGA) will automatically expand the userset into all its individual user identifiers:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'charles',
relation: 'viewer',
object: 'document:2021-budget',
},});

// allowed = true

03. Folder permission propagation

Permission propagation happens between folders and files: if you are a viewer in a folder, you can view its documents. This applies even when you are not explicitly a viewer in a document. Image

At the end of this section we want to end up with the following permissions represented. Note that a folder is an object in the document type, as we do not need a separate type:

Image showing permissions

We need to add the notion that a document can be the parent of another document. We know how to do that:

type document
relations
define parent as self
define owner as self
define writer as self or owner
define commenter as self or writer
define viewer as self or commenter
info

Notice the newly added "parent" relation in the configuration above.

We can indicate this relation by adding the following relationship tuples

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
writes: {
tuple_keys: [
// Diane is a viewer of document:2021-planning
{ user: 'diane', relation: 'viewer', object: 'document:2021-planning'},
// document:2021-planning is a parent of document:2021-budget
{ user: 'document:2021-planning', relation: 'parent', object: 'document:2021-budget'}
]
}
});

What we still lack is the ability to propagate permissions from parent to children. We want to say that a user is a viewer of a document if either:

  • [done] they have a viewer relationship (directly or through domain membership)
  • [pending] they have a viewer relationship with the parent document

We need a way to consider the parent viewers, not just direct viewers of the document when getting a check for:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'diane',
relation: 'viewer',
object: 'document:2021-budget',
},});

// allowed = undefined

More details on this technique can be found in the section Modeling Parent-Child Objects.

We express it like this:

    define viewer as self or commenter or viewer from parent
info

The users with a viewer relationship to a certain object of type "document" are any of:

  • the "viewers": the set of users who are directly related to the document as a "viewer"
  • the "commenters": the set of users who are related to the object as "commenter"
  • the "viewers of the parents": from the objects who are related to the doc as parent, return the sets of users who are related to those objects as "viewer"

What the added section is doing is:

  1. read all relationship tuples related to document:2021-budget as parent which returns:

    [{ "object": "document:2021-budget", "relation": "parent", "user": "document:2021-planning" }]

  2. for each relationship tuple read, return all usersets that match the following, returning tuples of shape:

    { "object": "document:2021-planning", "viewer", "user": ??? }

    including: { "object": "document:2021-planning", "viewer", "user": "diane:" }

The updated authorization model looks like this:

type document
relations
define owner as self or owner from parent
define writer as self or owner or writer from parent
define commenter as self or writer or commenter from parent
define viewer as self or commenter or viewer from parent
define parent as self
type domain
relations
define member as self

04. Sharing files and folders publicly

Google Drive has a feature which allows sharing a file or folder publicly, and specifying the permissions a public user might have (writer/commenter/viewer).

Assume that Anne has created a new document: 2021-public-roadmap, has shared it with commenter permissions to the xyz.com, and has shared it as view only with the public at large.

Image showing requirements

Here's where another Auth0 Fine Grained Authorization (FGA) feature, `*` (as in everyone), would come in handy.

To mark Anne as the owner, the domain members as commenters and the public as viewers, we need to add the following relationship tuples:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
writes: {
tuple_keys: [
// Anne is the owner of document:2021-public-roadmap
{ user: 'anne', relation: 'owner', object: 'document:2021-public-roadmap'},
// Members of the domain:xyz can comment on document:2021-public-roadmap
{ user: 'domain:xyz#member', relation: 'commenter', object: 'document:2021-public-roadmap'},
// The public can view document:2021-public-roadmap
{ user: '*', relation: 'viewer', object: 'document:2021-public-roadmap'}
]
}
});

Anne is an owner of the document

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'owner',
object: 'document:2021-public-roadmap',
},});

// allowed = true

Beth is a member of the xyz.com domain, and so can comment but cannot write

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'beth',
relation: 'writer',
object: 'document:2021-public-roadmap',
},});

// allowed = false
Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'beth',
relation: 'commenter',
object: 'document:2021-public-roadmap',
},});

// allowed = true

Erik is NOT a member of the xyz.com domain, and so can only view the document

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'erik',
relation: 'writer',
object: 'document:2021-public-roadmap',
},});

// allowed = false
Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'erik',
relation: 'viewer',
object: 'document:2021-public-roadmap',
},});

// allowed = false

Google Drive

Explore the Google Drive sample on the Auth0 FGA Playground

Search with permissions

Give your users search results with objects that they have access to

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.