Technology · Ebook

OpenFGA: Fine-Grained Authorization

by Shriira Press

OpenFGA is the CNCF fine-grained authorization system, inspired by Google's Zanzibar — you model authorization as relationships (an authorization model plus relationship tuples) and OpenFGA answers access checks ('can user X do Y on Z?') centrally, fast, and flexibly. This free book teaches it from the ground up: the authorization problem and what OpenFGA is, authorization concepts (RBAC, ABAC, ReBAC, and Zanzibar), OpenFGA's architecture (the service, stores, and check engine), the authorization model (types, relations, rules, and the DSL), relationship tuples (the access data and usersets), checks and queries (Check, ListObjects, ListUsers, Expand), modeling authorization (roles, ownership, groups, hierarchies, sharing), advanced modeling (conditions, contextual tuples, public access), integrating OpenFGA (syncing tuples, performance, operations), and using it in practice. Ten focused chapters with clear diagrams that make relationship-based access control concrete — model access as a graph of relationships, check by traversing it, and handle complex real-world authorization (ownership, sharing, teams, hierarchies) that simple roles can't, auditable and at scale.

Contents

1. 1Preface
2. 2Chapter 1 — What OpenFGA Is
3. 3Chapter 2 — Authorization Concepts
4. 4Chapter 3 — OpenFGA Architecture
5. 5Chapter 4 — The Authorization Model
6. 6Chapter 5 — Relationship Tuples
7. 7Chapter 6 — Checks and Queries
8. 8Chapter 7 — Modeling Authorization
9. 9Chapter 8 — Advanced Modeling
10. 10Chapter 9 — Integrating OpenFGA
11. 11Chapter 10 — OpenFGA in Practice