Skip to main content

Usersets

What Is A Userset?

A userset represents a set or collection of users.

Usersets can be used to indicate that a group of users in the system have a certain relation with an object. This can be used to assign permissions to groups of users rather than specific ones, allowing us to represent the permissions in our system using less tuples and granting us flexibility in granting or denying access in bulk.

In Okta FGA, usersets are represented via this notation: object#relation, where object is made up of a type and an object identifier. For example:

  • company:xyz#employee represents all users that are related to company:xyz as employee
  • tweet:12345#viewer represents all users that are related to tweet:12345 as viewer

How Do Check Requests Work With Usersets?

Imagine the following authorization model:

model
schema 1.1

type user

type org
relations
define member: [user]

type document
relations
define reader: [user, org#member]

Now let us assume that the store has the following tuples:

[// Userset "Members of the xyz org" can read the budget document
{
"_description": "Userset \"Members of the xyz org\" can read the budget document",
"user": "org:xyz#member",
"relation": "reader",
"object": "document:budget"
}// Anne is part of the userset "Members of the xyz org"
{
"_description": "Anne is part of the userset \"Members of the xyz org\"",
"user": "user:anne",
"relation": "member",
"object": "org:xyz"
}]

If we call the check API to see if user anne has a reader relationship with document:budget, Okta FGA will check whether anne is part of the userset that does have a reader relationship. Because she is part of that userset, the request will return true:

Initialize the SDK
// Checkout the "How to Setup the SDK Client" page for more details.
const { CredentialsMethod, OpenFgaClient } = require('@openfga/sdk'); // OR import { CredentialsMethod, OpenFgaClient } from '@openfga/sdk';

// Ensure the environment variables are set
// FGA_API_URL = 'https://api.us1.fga.dev' // 'https://api.eu1.fga.dev' for EU and 'https://api.au1.fga.dev' for AU
// FGA_STORE_ID = 'YOUR_STORE_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_MODEL_ID = 'YOUR_MODEL_ID' - optional, can be overridden per request, helps reduce latency
// FGA_API_TOKEN_ISSUER = 'fga.us.auth0.com'
// FGA_API_AUDIENCE = 'https://api.us1.fga.dev/' // 'https://api.eu1.fga.dev/' for EU and 'https://api.au1.fga.dev/' for AU
// FGA_CLIENT_ID = 'YOUR_CLIENT_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_CLIENT_SECRET = 'YOUR_CLIENT_SECRET' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page

const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL,
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID,
credentials: { // Credentials are not needed if connecting to the Playground API
method: CredentialsMethod.ClientCredentials,
config: {
apiTokenIssuer: process.env.FGA_API_TOKEN_ISSUER,
apiAudience: process.env.FGA_API_AUDIENCE,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
},
},
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:anne',
relation: 'reader',
object: 'document:budget',
}, {
authorization_model_id: '1uHxCSuTP0VKPYSnkq1pbb1jeZw',
});

// allowed = true

How Do Expand Requests Work With Usersets?

Imagine the following authorization model:

model
schema 1.1

type user

type document
relations
define writer: [user, org#member]
define reader: [user, org#member] or writer

If we wanted to see which users and usersets have a reader relationship with document:budget, we can call the Expand API. The response will contain a userset tree where the leaf nodes are specific user IDs and usersets. For example:

{
"tree": {
"root": {
"type": "document:budget#reader",
"union": {
"nodes": [
{
"type": "document:budget#reader",
"leaf": {
"users": {
"users": ["user:bob"]
}
}
},
{
"type": "document:budget#reader",
"leaf": {
"computed": {
"userset": "document:budget#writer"
}
}
}
]
}
}
}
}

As you can see from the response above, with usersets we can express unions of user groups. We can also express intersections and exclusions.

Internals

Using the type definitions in the authorization model, some of the situations we can represent are:

  • that a user is not in a set of users having a certain relation to an object, even if a relationship tuple exists in the system. See Disabling Direct Relationships
  • that a user has a certain relationship with an object if they are in the union, intersection or exclusion of usersets.
  • that a user being in a set of users having a certain relation to an object can result in them having another relation to the object. See Concentric Relationships
  • that the user being in a set of users having a certain relation to an object and that object is in a set of users having a certain relation to another object, can imply that the original user has a certain relationship to the final object. See Object-to-Object Relationships

When executing the Check API of the form check(user, relation, object), Okta FGA will perform the following steps:

  1. In the authorization model, look up type and its relation. Start building a tree where the root node will be the definition of that relation, which can be a union, exclusion, or intersection of usersets, or it can be direct users.
  2. Expand all the usersets involved into new nodes in the tree. This means recursively finding all the users that are members of the usersets. If there are direct relationships with users, create leaf nodes.
  3. Check whether user is a leaf node in the tree. If the API finds one match, it will return immediately and will not expand the remaining nodes.

Image showing the path  traverses to find if a user is in the userset related to an object

Managing Group Membership

How to add users to a userset

Managing Group Access

How to add permissions to a userset

Have Feedback?

You can use any of our support channels for any questions or suggestions you may have.