Fine-Grained Authorization is now generally available

WorkOS FGA is a flexible, granular authorization service built for product and engineering teams that want to implement fine-grained permissions in their applications quickly. Use FGA to centralize your authorization logic, implement complex authorization schemes like Google Docs-style sharing, and define precise, per-resource access control that goes beyond RBAC.


What is Fine-Grained Authorization?

If you’re building B2B applications, you’re probably familiar with role-based access control (RBAC). RBAC is the most common permissions model used in SaaS applications. With RBAC, users are assigned roles like ‘Admin’, ‘Manager’, or ‘Employee’, each granting specific permissions like ‘create-reports’, or ‘view-documents’. RBAC is a form of ‘coarse-grained’ authorization in which permissions like ‘edit-reports’ apply to all resources of that type (e.g. all reports), but there is no ability to specify exactly which resources (reports) a user can edit.

Modern applications are becoming more collaborative, and enterprise security requirements are getting stricter. As a result, today's applications need more granular and flexible permissions. For example, GitHub goes beyond RBAC and lets users create their own custom teams with custom repository permissions. Other enterprise applications like Dropbox, Figma, and Notion grant permissions on a per-resource basis (per video, document, folder, etc.).

This per-resource access control is known as fine-grained authorization. Unlike coarse-grained access control schemes like RBAC, FGA enables applications to grant users permissions to specific resources in an application. As an example, a coarse-grained permission to ‘edit-reports’ (applies to all reports) can be re-written as finer-grained rules such as ‘admin:aditya can edit report:metrics’ (applies to a specific report).

FGA is a powerful paradigm that supports a host of collaborative permissions use cases, from Google Docs- or Notion-style document sharing, to custom teams, projects, or workspaces, to permission-aware Retrieval-Augmented Generation (RAG) applications where the retriever only returns documents the requesting user is allowed to see.

FGA, ReBAC and the Google Zanzibar model

Building FGA from scratch can be a significant challenge. Moving from RBAC to FGA replaces a handful of role checks with a per-resource permission graph that has to be stored, kept consistent across services, and queried on the hot path of every request, which substantially increases application complexity.

In 2019, Google published its Zanzibar paper, which details the technical challenges their team faced during a multi-year effort to build a centralized, fine-grained authorization service. This service powers permissions for products like Google Drive, Calendar, and YouTube; the paper reports that it stores trillions of access control tuples and serves millions of authorization requests per second.

Zanzibar is essentially a highly scalable authorization graph in which each authorization rule is a three-part relationship tuple: an object, a relation, and a subject, where the subject is either a single user or a "userset" such as the members of a team. At scale, thousands or even millions of these tuples connect together to form an authorization graph. A permission check asks whether there is a path in that graph from the object and relation being checked to the user, following direct tuples, relations that imply other relations (an editor is also a viewer), and relations inherited through the hierarchy (a document's viewers include its folder's viewers).

Implementing FGA in this way is known as relationship based access control (ReBAC). ReBAC and Zanzibar have quickly become the standard for implementing application-level, fine-grained authorization because they can easily represent common authorization concepts like organization hierarchies and nested inheritance rules.

WorkOS FGA is a fully managed fine-grained authorization service based on Google Zanzibar. Users can define a ReBAC-like authorization model using an intuitive schema language, create tuples (known as warrants in FGA), and check permissions from their applications using the FGA APIs.
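To make the graph-walk described above concrete, here is a small in-memory ReBAC checker. It is an added example for this post, not WorkOS FGA's SDK or its schema language: the `SCHEMA` dictionary, the `RelationGraph` class, the rule names `implied_by` and `via_parent`, and the sample objects and users (`document:metrics`, `folder:reports`, `team:eng`, `user:aditya`, `user:bo`) are all assumptions constructed for illustration. It shows the three ways a check can succeed in a Zanzibar-style model: a direct tuple, a relation implied by another relation on the same object, and a relation inherited from a parent object, with userset subjects like `team:eng#member` expanded along the way.

```python
"""Toy Zanzibar-style relationship graph with path-based permission checks.

Added example, not WorkOS FGA's SDK. Tuples are (object, relation, subject).
A subject is a user ("user:aditya") or a userset ("team:eng#member") that is
expanded recursively during a check.
"""
from collections import defaultdict

# Hypothetical schema (assumed syntax, not WorkOS's schema language):
#   implied_by: holders of the listed relations on the SAME object also hold
#               this relation (an editor is also a viewer).
#   via_parent: holders of the named relation on the object reached through
#               the "parent" relation also hold this relation (folder -> doc).
SCHEMA = {
    "document": {
        "owner":  {},
        "editor": {"implied_by": ["owner"], "via_parent": "editor"},
        "viewer": {"implied_by": ["editor"], "via_parent": "viewer"},
        "parent": {},
    },
    "folder": {
        "editor": {"via_parent": "editor"},
        "viewer": {"implied_by": ["editor"], "via_parent": "viewer"},
        "parent": {},
    },
    "team": {"member": {}},
}


class RelationGraph:
    """In-memory store of relationship tuples plus a reachability check."""

    def __init__(self):
        # (object, relation) -> set of subjects
        self.tuples = defaultdict(set)

    def write(self, obj, relation, subject):
        self.tuples[(obj, relation)].add(subject)

    def delete(self, obj, relation, subject):
        self.tuples[(obj, relation)].discard(subject)

    def check(self, obj, relation, user, _seen=None):
        """True if a path exists from obj#relation to user in the graph."""
        seen = _seen if _seen is not None else set()
        key = (obj, relation)
        if key in seen:          # cycle guard (also avoids re-walking a node)
            return False
        seen.add(key)

        obj_type = obj.split(":", 1)[0]
        rel_cfg = SCHEMA.get(obj_type, {}).get(relation)
        if rel_cfg is None:      # unknown type or relation: deny
            return False

        # 1. Direct tuples, expanding userset subjects such as "team:eng#member".
        for subject in self.tuples.get(key, ()):
            if subject == user:
                return True
            if "#" in subject:
                s_obj, s_rel = subject.split("#", 1)
                if self.check(s_obj, s_rel, user, seen):
                    return True

        # 2. Relations on the same object that imply this one.
        for implied in rel_cfg.get("implied_by", []):
            if self.check(obj, implied, user, seen):
                return True

        # 3. Inheritance from the parent object (tuple-to-userset rewrite).
        parent_rel = rel_cfg.get("via_parent")
        if parent_rel:
            for parent in self.tuples.get((obj, "parent"), ()):
                if self.check(parent, parent_rel, user, seen):
                    return True
        return False


def build_example():
    """Constructed sample graph: one doc in one folder shared with a team."""
    g = RelationGraph()
    g.write("document:metrics", "editor", "user:aditya")      # direct grant
    g.write("document:metrics", "parent", "folder:reports")   # hierarchy edge
    g.write("folder:reports", "viewer", "team:eng#member")    # userset grant
    g.write("team:eng", "member", "user:bo")                  # team membership
    return g


if __name__ == "__main__":
    g = build_example()
    print(g.check("document:metrics", "viewer", "user:aditya"))  # editor => viewer
    print(g.check("document:metrics", "viewer", "user:bo"))      # via folder + team
    print(g.check("document:metrics", "editor", "user:bo"))      # no path
```

The `seen` set is the detail worth copying: without it, a cyclic hierarchy (a folder whose parent is itself, whether by bug or by malicious write) turns every check into an infinite recursion, which is a denial-of-service against the authorization service rather than a mere correctness issue. Deleting a single tuple, such as Bo's team membership, immediately removes every permission that was reachable only through it.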

Should you go fine-grained?

WorkOS FGA offers a plug-and-play Zanzibar-like service, delivering the same scalability, consistency, and performance — without any infrastructure to deploy and maintain.

We’ve built WorkOS FGA to help teams of all sizes solve a range of use cases: a seed-stage startup building a Google Docs-like collaborative application, an AI startup adding fine-grained permissions to a RAG application, or a platform team at a large enterprise adopting FGA as part of its transition from a monolith to microservices.

Getting started with WorkOS FGA

FGA works with your existing WorkOS account and environments. Check out the developer docs and dashboard to get started.

When you’re ready to ship an authorization model to production, use one of the FGA SDKs to create/delete warrants and check/query user permissions directly from your application.

What’s next

FGA is built using the same battle-hardened technology that powered Warrant in production over the past few years. Since releasing early access over the summer, FGA is already being used by multiple companies and applications, serving millions of authorization operations per day.

Today, we’re excited to officially launch the service into general availability and welcome even more companies to build using the platform. The team is already hard at work on new features and improvements, so stay tuned for more to come!

If you want to learn more or have any questions, please get in touch. Happy building!
