Frequently Asked Questions on Okta Fine Grained Authorization


This article provides answers to frequently asked questions on Okta Fine Grained Authorization.

Frequently Asked Questions

Q: What is Okta Fine Grained Authorization?

FGA is authorization-as-a-service that empowers developers with centralized and flexible fine-grained authorization that provides greater scalability, availability, and auditability than traditional access control methods.

It is inspired by the Google Zanzibar paper, which describes the system Google uses to solve authorization across all their products, such as Google Drive, YouTube, Google Cloud, and others. It uses a Relationship-Based Access Control (ReBAC) approach instead of traditional pure RBAC/ABAC models, and it enables any level of granularity when defining access control policies.

Okta FGA works 100% independently of Auth0 or Okta as identity providers but will eventually have easy integrations available for both platforms.

Q: Does Okta FGA require using Auth0 or Okta as their identity providers?

No. Okta FGA can be used with any identity provider. Okta FGA only needs to be provided with a user ID string to identify a user.

Q: Are there free or self-service plans for Okta FGA

Not at the moment. A trial can be created to evaluate the product for free. The trial has low rate limits and does not have production terms of service. The trial does not have a time limit, but it is something that can be eventually added.

For Okta customers interested in using Okta FGA for production. Otherwise, please Contact Us.

Q: How is Okta FGA priced?

Okta FGA is priced based on Monthly Active Users. Okta counts users based on the user_id parameter specified in the check and list-objects API endpoints.

To learn more about pricing for Okta customers, please reach out to your account executive. Otherwise, please Contact Us.

Q: What is the SLA for FGA?

Okta FGA has a 99.99% SLA.

Q: What is OpenFGA?

OpenFGA ( is an open-source version of Okta FGA. Okta FGA uses OpenFGA internally. Okta originally developed OpenFGA and donated it to the Cloud Native Computing Foundation. Okta is the main contributor to the project.

Q: What are the differences between OpenFGA and Okta FGA?

From a feature perspective, the primary difference is that there is a dashboard for Okta FGA.

Okta FGA is a hosted version of OpenFGA. Okta takes care of the following:

  • Deploying it in a highly available and low latency environment. Okta FGA is deployed in two separate AWS regions, routing out traffic from a region that is degraded or unavailable.
  • Keep the cloud infrastructure secure and compliant
  • Run Database migrations and backups
  • Provide 24x7 customer support, on-call support
  • Monitoring uptime and latency and being responsible for resolving any production issues with the product.
  • Have recovery processes in place
  • Provide 99.99 SLA and SOC2 Type I compliance
  • Complying with each country’s data residency laws, including Okta’s own services and the ones from our subprocessors.

Q: What SDKs does Okta FGA have?

Okta FGA has SDKs for Go, Javascript, .NET, Python, Java

Q: What information is available about creating Okta FGA Authorization Models?

There is a lot of content that covers modeling in the product documentation:

The OpenFGA Sample Stores repository has an always-growing set of examples for different use cases.

Reach out to the Okta FGA space in the Auth0 Community and ask for help!

Q: What are some common use cases for FGA?

Okta FGA can be used for any authorization scenario; examples for some industries are below:

  • HR / ATS / Job Posting (e.g., Greenhouse, iCIMs) - Managing which permissions users have over different job postings or the candidates that apply to them.
  • Healthcare - Manage which physicians or other staff have access to patient data. Giving patients the ability to delegate access to their clinical records.
  • Finance - Managing who has access to a bank account and giving customers the ability to delegate access to other people.
  • Cloud Infrastructure (e.g., HPE Greenlake, DigitalOcean) - Managing which applications and/or users can access different cloud resources.
  • Collaboration (e.g., Miro, Slack) - Enabling users the ability to share content with other users and control the level of access.
  • Training (e.g., Udemy, WorkRamp) - Controlling which users get access to what content.
  • Project Management (e.g., Asana, SmartSheet) - Enable users to collaborate on different projects and assign specific levels of access to each project.

Related References

1 Like