Auth0 Fine Grained Authorization: Developer Community Preview Release

Hey @dlehammer! Welcome to the community!

Is the below a good summary of your question?

  • You have a certain resource (let’s say Project X)
  • Project X can have multiple attributes on it. Let’s say “name” is visible and “estimated_cost” is confidential
  • Alice, an admin on Project X should be able to access both the “name” and “estimated_cost” attributes
  • Bob, a support engineer on Project X should only be able to access the “name” attribute.

If that is the case, one way to model it using Auth0 FGA could be:

# You have projects
type project
  relations
    # projects can have admins
    define admin as self
    # projects can have support engineers
    define support_engineer as self
    # only admins can edit projects
    define editor as admin
    # admins and support engineers can view projects
    define viewer as support_engineer or admin

# You have attribute visibility (e.g. normal/confidential)
type attribute_visibility
  relations
    # attribute visibilities belong to a project
    define project as self
    # attribute visibilities have editors
    define editor as self
	# attribute visibilities have viewers
    define viewer as self or editor

# You have attributes
type attribute
  relations
    # attributes have a visibility
    define visibility as self
    # attributes have a project
    define project as self
    # attributes have an editor
    define editor as editor from project and editor from visibility
    # attributes have a viewer
    define viewer as viewer from project and viewer from visibility
    define can_edit as editor
    define can_view as viewer
[
// Project X has two attribute visibilities, normal and confidential
{
	"user": "project:X",
	"relation": "project",
	"object": "attribute_visibility:normal"
},
{
	"user": "project:X",
	"relation": "project",
	"object": "attribute_visibility:confidential"
},
// Project X admins can edit and view confidential attributes
{
	"user": "project:X#admin",
	"relation": "editor",
	"object": "attribute_visibility:confidential"
},
// Project X admins can edit and view normal attributes
{
	"user": "project:X#admin",
	"relation": "editor",
	"object": "attribute_visibility:normal"
},
// Project X support engineers can view normal attributes
{
	"user": "project:X#support_engineer",
	"relation": "viewer",
	"object": "attribute_visibility:normal"
},
// Alice is an admin on Project X
{
	"user": "alice",
	"relation": "admin",
	"object": "project:X"
},
// Bob is a support engineer on Project X
{
	"user": "bob",
	"relation": "support_engineer",
	"object": "project:X"
},
// Project X has a name attribute
{
	"user": "project:X",
	"relation": "project",
	"object": "attribute:project-x-name"
},
// Project X has an estimated budget attribute
{
	"user": "project:X",
	"relation": "project",
	"object": "attribute:project-x-estimated-budget"
},
// estimated budget's visibility is confidential
{
	"user": "attribute_visibility:confidential",
	"relation": "visibility",
	"object": "attribute:project-x-estimated-budget"
},
// name's visibility is normal
{
	"user": "attribute_visibility:normal",
	"relation": "visibility",
	"object": "attribute:project-x-name"
},
]

We can check that:

User Action Resource Allowed?
Alice View Project X’s name Yes
Alice View Project X’s estimated budget Yes
Bob View Project X’s name Yes
Bob View Project X’s estimated budget No

You can see an interactive version of the model described above on the Auth0 FGA Playground: Auth0 Fine Grained Authorization

Let us know if this helps!


Take a look at the Auth0 FGA documentation: https://docs.fga.dev
Join the Auth0 Lab Discord community: The Auth0 Lab

1 Like