Skip to main content

Concentric Relationships

note
Fine Grained Authorization (FGA) is the early-stage product we are building at Okta to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Okta FGA during the Developer Community Preview can be found here.

In this short guide, you'll learn how to represent a concentric relationships.

For example, if you want to have all editors of a document also be viewers of said document.

When to use

Concentric relations make the most sense when your domain logic has nested relations, where one having relation implies having another relation.

For example:

  • all editors are viewers
  • all managers are members
  • all device_managers are device_renamers

This allows you to only create a single relationship tuple rather than creating n relationship tuples for each relation.

Before You Start

To better understand this guide, you should be familiar with some Okta FGA Concepts and know how to develop the things listed below.

You will start with the authorization model below, it represents a document type that can have users related as editor and viewer.

Let us also assume that we have a document called "meeting_notes.doc" and bob is assigned as editor to this document.

model
  schema 1.1

type user

type document
  relations
    define viewer: [user]
    define editor: [user]

The current state of the system is represented by the following relationship tuples being in the system already:

[
  {
    "user": "user:bob",
    "relation": "editor",
    "object": "document:meeting_notes.doc",
  },
]

In addition, you will need to know the following:

Modeling User Groups

You need to know how to add users to groups and grant groups access to resources. Learn more →

Okta FGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in Okta FGA

The Playground

Try this guide out on the Okta FGA Playground

Step By Step

With the current type definition, there isn't a way to indicate that all editors of a certain document are also automatically viewers of that document. So for a certain user, in order to indicate that they can both edit and view a certain document, two relationship tuples need to be created (one for editor, and another for viewer).

01. Modify Our Model To Imply Editor As Viewer

Instead of creating two relationship tuples, we can leverage concentric relationships by defining editors are viewers.

Our authorization model becomes the following:

model
  schema 1.1

type user

type document
  relations
    define viewer: [user] or editor
    define editor: [user]
info

viewer of a document are any of:

  1. users that are directly assigned as viewer
  2. users that have editor of the document

With this authorization model change, having an editor relationship with a certain document implies having a viewer relationship with that same document.

02. Check That Editors Are Viewers

Since we had a relationship tuple that indicates that bob is an editor of document:meeting_notes.doc, this means bob is now implicitly a viewer of document:meeting_notes.doc. If we now check: is bob a viewer of document:meeting_notes.doc? we would get the following:

Initialize the SDK
// Checkout the "How to Setup the SDK Client" page for more details.
const { CredentialsMethod, OpenFgaClient } = require('@openfga/sdk'); // OR import { CredentialsMethod, OpenFgaClient } from '@openfga/sdk';

// Ensure the environment variables are set
// FGA_API_SCHEME = 'https'
// FGA_API_HOST = 'api.us1.fga.dev' for Dev Preview and Early Access / 'api.playground.fga.dev' for the FGA Playground
// FGA_STORE_ID = 'YOUR_STORE_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_MODEL_ID = 'YOUR_MODEL_ID' - optional, can be overridden per request, helps reduce latency
// FGA_API_TOKEN_ISSUER = 'fga.us.auth0.com' for Dev Preview and Early Access / not needed for the FGA Playground
// FGA_API_AUDIENCE = 'https://api.us1.fga.dev/' for Dev Preview and Early Access / not needed for the FGA Playground
// FGA_CLIENT_ID = 'YOUR_CLIENT_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page / not needed for the FGA Playground
// FGA_CLIENT_SECRET = 'YOUR_CLIENT_SECRET' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page / not needed for the FGA Playground

const fgaClient = new OpenFgaClient({
    apiScheme: process.env.FGA_API_SCHEME,
    apiHost: process.env.FGA_API_HOST,
    storeId: process.env.FGA_STORE_ID,
    authorizationModelId: process.env.FGA_MODEL_ID,
    credentials: { // Credentials are not needed if connecting to the Playground API
      method: CredentialsMethod.ClientCredentials,
      config: {
        apiTokenIssuer: process.env.FGA_API_TOKEN_ISSUER,
        apiAudience: process.env.FGA_API_AUDIENCE,
        clientId: process.env.FGA_CLIENT_ID,
        clientSecret: process.env.FGA_CLIENT_SECRET,
      },
    },
});

// Run a check
const { allowed } = await fgaClient.check({
    user: 'user:bob',
    relation: 'viewer',
    object: 'document:meeting_notes.doc',
}, {
  authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
});

// allowed = true
Note

When creating relationship tuples for Okta FGA make sure to use unique ids for each object and user within your application domain. We're using first names and simple ids to just illustrate an easy-to-follow example.

Check the following sections for more on how concentric relationships can be used.
Modeling Google Drive

See how to indicate that editors are commenters and viewers in Google Drive.

Modeling GitHub

See how to indicate that repository admins are writers and readers in GitHub.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.