Skip to main content

Managing User Access

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

In this guide you will learn how to give a user access to a particular object.

When to use

Granting access with a relationship tupleis a core part of Auth0 FGA. Without any relationship tuples, any check will fail. You should use:

  • authorization model to represent what relations are possible between the users and objects in your system
  • relationship tuples to represent the facts about the relationships between users and objects in your system.

Before you start

In order to understand this guide correctly you must be familiar with some Auth0 FGA Concepts and know how to develop the things that we will list below.

Assume that you have the following authorization model.
You have a type called tweet that can have a reader.

type tweet
relations
define reader as self

In addition, you will need to know the following:

Modeling Basics

You need to know how to create an authorization model and create a relationship tuple to grant a user access to an object. Learn more →

Auth0 FGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between objects of this type and other users in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in Auth0 FGA

Step by Step

01. Adding direct relationship

For our application, we will give user Anne the reader relationship to a particular tweet. To do so we add a tuple as follows:

[
// Anne can read tweet:1
{
"user": "anne",
"relation": "reader",
"object": "tweet:1",
},
]

With the above, we have added a direct relationship between Anne and tweet:1. When we call the Check API to see if Anne has a reader relationship, Auth0 FGA will say yes.

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'reader',
object: 'tweet:1',
},});

// allowed = true

02. Removing direct relationship

Now let's change this so that Anne no longer has a reader relationship to tweet:1 by deleting the tuple:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
deletes: {
tuple_keys : [
{ user: 'anne', relation: 'reader', object: 'tweet:1'}
]
}
});

With this, we have removed the direct relationship between Anne and tweet:1. And because our type definition for reader does not include any other relations, a call to the Check API will now return a negative response.

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
environment: process.env.FGA_ENVIRONMENT,
storeId: process.env.FGA_STORE_ID,
clientId: process.env.FGA_CLIENT_ID,
clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'reader',
object: 'tweet:1',
},});

// allowed = false
Modeling Basics

Learn about how to model granting user access to an object.

Modeling Public Access

Learn about how to model granting public access.

How to update relationship tuples

Learn about how to update relationship tuples in SDK.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.