Scaling up: Why Fine-Grained Authorization is key as your product moves upmarket

When your goal is selling to enterprises, sooner or later, you will have to leave RBAC for a fine-grained authorization model. Read more about why that is and how you can make the move.


Access control is one of the things you will have to tackle from the very beginning. If your goal is to sell to larger enterprises, you had better plan your authorization strategy accordingly.

In this article, we will discuss the first authorization step, which is more often than not role-based access control (RBAC), when it stops being enough, what the next move is, and how WorkOS can help you address your authorization needs and be enterprise ready from day one.

When RBAC is not enough

Role-based access control (RBAC) has been around since the 90s and is still relevant for good reason. It simplifies access control by defining and assigning roles and permissions to users. If you are an admin, you can edit and delete resources; if you are a member, you can only view and create new ones. This is an oversimplification to get the point across: based on the role you have assigned, and on the permissions that this role includes, you can or cannot do stuff.

RBAC is the starting point for most products, but they quickly outgrow it. As your product grows, the inherent problems of RBAC become more prominent, to the point where they become impossible to overcome.

Let’s see some of these problems.

Role explosion

At some point, you will have too many customers, and they will have conflicting role requirements. You may start with an admin and viewer role, but company X will ask you to add a creator role, company Y will need a manager role, and company Z will need to further break down roles and permissions per resource, and just like that you are facing a dilemma with two options, both of which are bad:

  • Implement overrides in your code for each org, or
  • Have custom roles per org.

Most people choose the second option as the lesser of two evils and end up with role explosion. Sooner or later, your roles table will grow out of proportion and slow down all of your authorization checks. Role explosion is difficult to manage, costly, and dangerous from a security perspective.

Maintenance complexity

A direct result of role explosion is the increasing complexity of maintenance. Keeping roles up-to-date, as they keep increasing day by day, is a herculean task that requires constant vigilance and ongoing effort. As a user accumulates roles, it's easy to forget to change some of them when they change responsibilities, introducing security holes in your app.

Lack of flexibility

RBAC models are static; once defined, they don't easily adapt to changing circumstances or nuanced access decisions. To address this inflexibility, manual intervention is often required, with all the problems that come with it. Granting access can take a long time, and delayed removal of access can leave security vulnerabilities open. This rigidity makes it difficult to adapt quickly to evolving business needs. RBAC also cannot address access needs that depend on context (e.g., location, time of day, etc.).

Impact on user and developer experience

User experience usually suffers with RBAC. Users often find themselves missing the roles required to do their job, don’t know exactly which role they need to ask for, and even when they figure it out they often have to wait a long time until it’s granted. Developer and admin experience also takes a hit, since all this maintenance and complexity hinder everyone’s productivity and confidence in the system.

Moving from RBAC to FGA

Once a company grows so much that its RBAC implementation becomes a bottleneck for growth, it decides to move to a fine-grained authorization (FGA) model.

FGA enables admins to control access to resources at a granular level. Instead of a broad all-or-nothing approach that applies permissions at a high level (e.g., granting access to an entire app or database), FGA enables precise control over specific files, database records, or individual actions (like view, edit, or delete).

FGA uses policies and rules that consider the context of each access request, such as the user's role, location, time of access, and the sensitivity of the data being accessed, and then grants or denies access based on these policies.
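As an added example (not WorkOS, Zanzibar, or any vendor's code), the toy Python checker below contrasts the per-org role table of RBAC with a relationship-based FGA model: permissions attach to individual resources, a document inherits relations from its parent folder, group membership is resolved through a userset, and one grant carries a time-of-day condition. All object, user, and group names (folder:finance, doc:q3-report, user:alice, group:auditors) are constructed for the example, and the rule shapes only loosely mirror the Zanzibar paper's rewrite rules.

```python
"""Added example, not WorkOS or Zanzibar code: a toy relationship-based FGA checker.

Names such as folder:finance, doc:q3-report and user:alice are constructed for the
example. The model's rule shapes loosely mirror the Zanzibar paper's "computed userset"
and "tuple to userset" rewrites, plus a context condition evaluated at check time.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# --- The RBAC starting point: a role table per org. Each customer's special request
# (a "creator" role here, a "manager" role there) adds rows; this is role explosion.
RBAC_ROLES = {
    "acme":   {"admin": {"view", "create", "edit", "delete"}, "member": {"view", "create"}},
    "globex": {"admin": {"view", "create", "edit", "delete"}, "creator": {"view", "create"},
               "manager": {"view", "edit"}},
}


def rbac_allowed(org: str, role: str, action: str) -> bool:
    """Coarse check: the role decides, regardless of which resource is touched."""
    return action in RBAC_ROLES.get(org, {}).get(role, set())


# --- The FGA side: relationship tuples plus rules that derive relations from each other.
@dataclass(frozen=True)
class Tuple:
    obj: str                        # "type:id"
    relation: str                   # "viewer", "editor", "owner", "member", "parent"
    subject: str                    # "user:alice" or a userset such as "group:auditors#member"
    condition: Optional[str] = None  # name of a context condition that must hold


TUPLES = [
    Tuple("folder:finance", "owner", "user:alice"),
    Tuple("folder:finance", "viewer", "group:auditors#member"),   # every auditor can view
    Tuple("group:auditors", "member", "user:bob"),
    Tuple("doc:q3-report", "parent", "folder:finance"),           # the doc lives in the folder
    Tuple("doc:q3-report", "editor", "user:carol"),
    Tuple("doc:q3-report", "viewer", "user:dave", condition="business_hours"),  # contractor
]

# Per object type, each relation lists the ways it can be satisfied:
#   ("direct",)                a stored tuple on this object
#   ("implied", r)             holding relation r on the same object implies this relation
#   ("from_parent", link, r)   holding r on the object reached through the `link` tuple
MODEL = {
    "group":  {"member": [("direct",)]},
    "folder": {
        "owner":  [("direct",)],
        "editor": [("direct",), ("implied", "owner")],
        "viewer": [("direct",), ("implied", "editor")],
    },
    "doc": {
        "parent": [("direct",)],
        "owner":  [("direct",), ("from_parent", "parent", "owner")],
        "editor": [("direct",), ("implied", "owner"), ("from_parent", "parent", "editor")],
        "viewer": [("direct",), ("implied", "editor"), ("from_parent", "parent", "viewer")],
    },
}

# Context conditions: the caller passes what it knows about the request (here, the clock).
CONDITIONS = {"business_hours": lambda ctx: 9 <= ctx["now"].hour < 17}

# Constructed request contexts used by the demo below.
DAY = {"now": datetime(2024, 6, 3, 10, 0)}
NIGHT = {"now": datetime(2024, 6, 3, 23, 0)}


def check(obj: str, relation: str, user: str, ctx: dict,
          _seen: frozenset = frozenset()) -> bool:
    """Does `user` hold `relation` on `obj`, directly or through the model's rules?"""
    key = (obj, relation)
    if key in _seen:                  # guard against cyclic definitions (a group inside itself)
        return False
    seen = _seen | {key}
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL.get(obj_type, {}).get(relation, []):
        if rule[0] == "direct":
            for t in TUPLES:
                if t.obj != obj or t.relation != relation:
                    continue
                if t.condition and not CONDITIONS[t.condition](ctx):
                    continue          # the tuple exists but its condition fails right now
                if t.subject == user:
                    return True
                if "#" in t.subject:  # userset: recurse into the referenced object/relation
                    sub_obj, sub_rel = t.subject.split("#", 1)
                    if check(sub_obj, sub_rel, user, ctx, seen):
                        return True
        elif rule[0] == "implied":
            if check(obj, rule[1], user, ctx, seen):
                return True
        elif rule[0] == "from_parent":
            _, link, parent_rel = rule
            for t in TUPLES:
                if t.obj == obj and t.relation == link and check(t.subject, parent_rel, user, ctx, seen):
                    return True
    return False


# Actions map to the relation that permits them; no role table is consulted.
ACTION_TO_RELATION = {"view": "viewer", "edit": "editor", "delete": "owner"}


def fga_allowed(user: str, action: str, obj: str, ctx: dict) -> bool:
    return check(obj, ACTION_TO_RELATION[action], user, ctx)


if __name__ == "__main__":
    print(rbac_allowed("globex", "creator", "edit"))                 # False
    print(fga_allowed("user:bob", "view", "doc:q3-report", DAY))     # True: auditor -> folder viewer -> doc viewer
    print(fga_allowed("user:alice", "delete", "doc:q3-report", DAY)) # True: folder owner owns the doc
    print(fga_allowed("user:dave", "view", "doc:q3-report", NIGHT))  # False: outside business hours
```

Note that carol's editor grant on the document does not leak upward to the folder, and dave's grant flips with the clock without anyone editing a role. A production system stores the tuples in a database, bounds recursion depth, and caches results; this walk is linear in the number of tuples and is only meant to show how the rewrite rules compose.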

Some of the features that make FGA indispensable when moving upmarket are:

  • Diverse user needs: When your product moves from serving small businesses to catering to larger enterprises, the diversity of your users increases significantly. Larger organizations typically have more complex structures, with varying levels of authority, specialized roles, and workflows. Each department, team, or individual may need access to different sets of data or features. FGA allows you to define access at a much more granular level—such as by data field, action, or feature—based on the specific needs of each user or group.
  • Improved security and compliance: As you move upmarket, security and compliance become more critical than ever. Large enterprises often operate in regulated industries (e.g., healthcare, finance, or government), where access to certain data must be restricted in accordance with laws such as HIPAA, GDPR, or PCI-DSS. FGA gives you the ability to enforce the precise level of access required by compliance standards, reducing the risk of a data breach or compliance violation.
  • Access control at scale: FGA allows you to scale access management by allowing for a combination of roles, user attributes, and context-specific permissions. Instead of creating dozens of roles with overlapping privileges, fine-grained authorization enables you to manage access in more dynamic and efficient ways. You can assign permissions at a finer level, such as on specific documents, customer data, or even specific actions within the product (e.g., view, edit, delete). This flexibility becomes essential when managing large, diverse teams.
  • Customizable access for external users: FGA allows you to define access levels not only for employees but also for external users, ensuring they can only access what’s necessary to their role. This can be critical in B2B scenarios, where external stakeholders may have limited access to your product's features, data, or functionality. Rather than granting blanket access to a partner or client, fine-grained controls allow you to tailor the experience based on the specific relationship and use case. This means you can protect sensitive company data while still delivering a seamless and productive experience for your partners and clients.
  • Stay on top of the competition: As your product moves upmarket, you’re likely competing with other enterprise-level solutions that already have robust security and access controls in place. FGA can become a key differentiator in this competitive landscape. It demonstrates to prospective clients that your product can scale with their organization’s growth, offering the security and flexibility required to manage complex permissions. A sophisticated, fine-tuned authorization system instills trust in larger customers, particularly those in industries where data privacy and security are paramount.

However, building an FGA solution can be a costly project. RBAC is pretty straightforward and most teams will implement it on their own, but FGA is less common. Companies like Google can afford to do it, and they did, with Zanzibar, an authorization system that supports millions of authorization requests per second for products like YouTube and Google Drive. Google published a paper, and since then several open- and closed-source implementations have appeared on the market.

There are open source solutions you can use, like SpiceDB or OpenFGA, but they only solve part of the problem, since you would still have to figure out (and maintain) the scaling. You need to provide and manage a database, maintain performance, and keep the high uptime and availability that a centralized system needs.

Move upmarket fast with WorkOS FGA

With WorkOS FGA you get fast, large-scale authorization checks and a system flexible enough to handle even the most complex use cases. You can define your authorization model once and enforce it across micro-services, applications, cloud environments, and more. You can define and manage your resources, hierarchies, access policies, and inheritance rules from the FGA dashboard or programmatically with the FGA API or the WorkOS CLI.

WorkOS FGA is a best-in-class service that can help you build your most complex access control scenarios. This way you can worry less about authorization and more about building your core product.

For more details on how to migrate your RBAC model to WorkOS FGA, check our From RBAC to Fine-Grained Authorization guide.
