Skip to main content

Modeling with Multiple Restrictions

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

In this guide we are going to model requiring multiple authorizations before allowing users to perform actions on particular objects using Auth0 FGA. For example, users are allowed to delete a document if both of these conditions are met:

  • they are a member of the organization that owns the document
  • they have writer permissions on the document

In this way, we prevent other users from deleting such document.

When to use

This is useful when:

  • Limiting certain actions (such as deleting or reading sensitive document) to privileged users.
  • Adding restrictions and requiring multiple authorization paths before granting access.

Before you start

In order to understand this guide correctly you must be familiar with some Auth0 FGA Concepts and know how to develop the things that we will list below.

You will start with the authorization model below, it represents a document type that can have users related as writer and organizations related as owner. Document's can_write relation is based on whether user is a writer to the document. The organization type can have users related as member.

Let us also assume that we have:

  • A document called "planning" owned by the ABC organization.
  • Becky is a member of the ABC organization.
  • Carl is a member of the XYZ organization.
  • Becky and Carl both have writer access to the "planning" document.
type document
relations
define owner as self
define writer as self
define can_write as writer
type organization
relations
define member as self

The current state of the system is represented by the following relationship tuples being in the system already:

[
// organization ABC is the owner of planning document
{
"user": "organization:ABC",
"relation": "owner",
"object": "document:planning",
},
// Becky is a writer to the planning document
{
"user": "becky",
"relation": "writer",
"object": "document:planning",
},
// Carl is a writer to the planning document
{
"user": "carl",
"relation": "writer",
"object": "document:planning",
},
// Becky is a member of the organization ABC
{
"user": "becky",
"relation": "member",
"object": "organization:ABC",
},
// Carl is a member of the organization XYZ
{
"user": "carl",
"relation": "member",
"object": "organization:XYZ",
},
]
info

Note that we assign the organization, not the organization's members, as owner to the planning document.


In addition, you will need to know the following:

Modeling Parent-Child Objects

You need to know how to model access based on parent-child relationships, e.g.: folders and documents. Learn more →

Modeling Roles and Permissions

You need to know how to model roles for users at the object level and model permissions for those roles. Learn more →

Auth0 FGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between objects of this type and other users in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in Auth0 FGA
  • Intersection Operator: the intersection operator can be used to indicate a relationship exists if the user is in all the sets of users

Step by Step

With the above authorization model and relationship tuples, Auth0 Fine Grained Authorization (FGA) will correctly respond with {"allowed":true} when checkis called to see if Carl and Becky can write this document.

We can verify that by issuing two check requests:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'becky',
relation: 'can_write',
object: 'document:planning',
},});

// allowed = true
Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'carl',
relation: 'can_write',
object: 'document:planning',
},});

// allowed = true

What we would like to do is offer a way so that a document can be written by Becky and Carl, but only writers who are also members of the organization that owns the document can remove it.

To do this, we need to:

  1. Add can_delete relation to only allow writers that are members of the ownership organization
  2. Verify that our solutions work

01. Add can_delete relation to only allow writers that are members of the ownership organization

The first step is to add the relation definition for can_delete so that it requires users to be both writer and member of the owner. This is accomplished via the keyword and.

type document
relations
define owner as self
define writer as self
define can_write as writer
define can_delete as writer and member from owner
type organization
relations
define member as self

02. Verify that our solutions work

To verify that our solutions work, we need to check that Becky can delete the planning document because she is a writer AND she is a member of organization:ABC that owns the planning document.

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'becky',
relation: 'can_delete',
object: 'document:planning',
},});

// allowed = true

However, Carl cannot delete the planning document because although he is a writer, Carl is not a member of organization:ABC that owns the planning document.

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'carl',
relation: 'can_delete',
object: 'document:planning',
},});

// allowed = false
Modeling: User Groups

Learn about how to add group members.

Modeling: Blocklists

Learn about how to set block lists.

Modeling: Public Access

Learn about model public access.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.