OpenFGA: Fine-Grained Authorization
Shriira Press
Answer 'can this user do this?' the right way. Model authorization as relationships and check access centrally, fast, and flexibly — Zanzibar-style fine-grained authorization for everyone.
Welcome to OpenFGA: Fine-Grained Authorization.
OpenFGA is the CNCF fine-grained authorization system, inspired by Google's Zanzibar — you model authorization as relationships (an authorization model plus relationship tuples) and OpenFGA answers access checks ('can user X do Y on Z?') centrally, fast, and flexibly. This free book teaches it from the ground up: the authorization problem and what OpenFGA is, authorization concepts (RBAC, ABAC, ReBAC, and Zanzibar), OpenFGA's architecture (the service, stores, and check engine), the authorization model (types, relations, rules, and the DSL), relationship tuples (the access data and usersets), checks and queries (Check, ListObjects, ListUsers, Expand), modeling authorization (roles, ownership, groups, hierarchies, sharing), advanced modeling (conditions, contextual tuples, public access), integrating OpenFGA (syncing tuples, performance, operations), and using it in practice. Ten focused chapters with clear diagrams that make relationship-based access control concrete — model access as a graph of relationships, check by traversing it, and handle complex real-world authorization (ownership, sharing, teams, hierarchies) that simple roles can't, auditable and at scale.
This title is part of the ShriIra library and is free to read in full, right here — our small contribution to making world-class knowledge easy to reach.
A note on reading it: open the Contents menu at the top of the reader to jump between chapters, use the Aa menu to set a comfortable text size, theme (light, sepia, or night), and single- or two-page layout. Your place is saved automatically, so you can always pick up where you left off.
We hope it serves you well.
— Shriira Press