Overview
A timing inconsistency is observed in the Fine-Grained Authorization (FGA) store when adding or removing users with specific relations to objects. Specifically, when attempting to update user access (for example, assigning or removing a user with an “editor” relation to a particular object), changes are not consistently reflected in real-time. After a tuple deletion (such as removing a user’s access), the user may still appear as having access for several seconds, causing potential discrepancies in access control visibility. This delay may last up to 10 seconds before the current state is accurately reflected.
Applies To
- Fine-Grained Authorization (FGA) Store
- OpenFGA Python Client
- Access control updates for user roles and object relations
Solution
To resolve the timing delay and ensure consistent real-time visibility of tuple updates, add a HIGHER_CONSISTENCY option to the list users request. This configuration ensures that updates, such as user access assignments or removals, are processed with higher priority and reflected in a more timely manner.
Refer to the following documentation for more details: OpenFGA Consistency Modes.