Managed Service Provider

Model a managed service provider (MSP) that provides services to clients and manages projects, tasks, and assets.

Explore the example from this guide in the FGA Playground, where you can interact with the schema, warrants, and access checks in real time.

In a managed service provider (MSP) scenario, a client organization grants access to an external provider to perform services or manage resources on its behalf, while retaining control over access by assigning roles to the provider and its personnel.

When to Use It?

This model is ideal when you need to grant limited access to external service providers without compromising internal access controls. It’s particularly useful in scenarios where external teams (like IT consultants, marketing agencies, or law firms) are brought in to manage specific projects or assets.

  • IT services: Clients delegate infrastructure or helpdesk support to an MSP.
  • Marketing agencies: Agencies manage campaigns and related assets for clients.
  • Law firms: External legal teams manage cases and documents for clients.
  • Project management: Providers handle maintenance tasks and asset management for clients.
  • Warehousing: Providers manage inventory and logistics for clients.

Schema

schema.txt
version 0.3

type user

// A client is a customer of the provider
type client
    relation admin [user]

// A provider is a service provider managed by the client
type provider
    relation admin [user]
    relation technician [user]

    inherit technician if
        relation admin

// A project is a project managed by the client and assigned a provider
type project
    relation client [client]
    relation provider [provider]
    relation editor [user]
    relation viewer [user]

    inherit editor if
        any_of
            relation admin on client [client]
            relation admin on provider [provider]
            relation technician on provider [provider]

    inherit viewer if
        any_of
            relation editor

type task
    relation assignee [user]
    relation project [project]
    relation edit []
    relation view []

    inherit edit if
        any_of
            relation assignee
            relation editor on project [project]

    inherit view if
        any_of
            relation edit
            relation viewer on project [project]

type asset
    relation manager [user]
    relation project [project]
    relation edit []
    relation view []

    inherit edit if
        any_of
            relation manager
            relation editor on project [project]

    inherit view if
        any_of
            relation edit
            relation viewer on project [project]

Example

1. Apply the schema

Create a file called schema.txt containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.

Note: make sure to select the correct environment with the CLI.

workos fga schema apply schema.txt

2. Create warrants

Create warrants that associate users, clients, providers, and projects. The example schema defines the following relationships:

  • clients and providers with projects
  • tasks and assets as children of projects
  • users with clients or providers (using one of the defined roles: admin or technician)

Let’s create a few warrants between client client-1, provider provider-1, project project-1, and users:

Create warrants
curl "https://api.workos.com/fga/v1/warrants" \
  -X POST \
  -H "Authorization: Bearer sk_example_123456789" \
  --data-raw \
  '[
    {
      "op": "create",
      "resource_type": "client",
      "resource_id": "client-1",
      "relation": "admin",
      "subject": {
        "resource_type": "user",
        "resource_id": "user_2oDscjroNWtzxzYEnEzT9P7VYEe"
      }
    },
    {
      "op": "create",
      "resource_type": "provider",
      "resource_id": "provider-1",
      "relation": "technician",
      "subject": {
        "resource_type": "user",
        "resource_id": "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd"
      }
    },
    {
      "op": "create",
      "resource_type": "project",
      "resource_id": "project-1",
      "relation": "client",
      "subject": {
        "resource_type": "client",
        "resource_id": "client-1"
      }
    },
    {
      "op": "create",
      "resource_type": "project",
      "resource_id": "project-1",
      "relation": "provider",
      "subject": {
        "resource_type": "provider",
        "resource_id": "provider-1"
      }
    },
    {
      "op": "create",
      "resource_type": "task",
      "resource_id": "task-1",
      "relation": "project",
      "subject": {
        "resource_type": "project",
        "resource_id": "project-1"
      }
    },
    {
      "op": "create",
      "resource_type": "asset",
      "resource_id": "asset-1",
      "relation": "project",
      "subject": {
        "resource_type": "project",
        "resource_id": "project-1"
      }
    }
  ]'

3. Check access

With our environment set up, we can check whether the user can view an asset.

Check if a user has permission to view an asset
curl "https://api.workos.com/fga/v1/check" \
  -X POST \
  -H "Authorization: Bearer sk_example_123456789" \
  --data-raw \
  '{
    "checks": [
      {
        "resource_type": "asset",
        "resource_id": "asset-1",
        "relation": "view",
        "subject": {
          "resource_type": "user",
          "resource_id": "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd"
        }
      }
    ]
  }'
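
How the check in step 3 resolves against the schema and the step 2 warrants, as an added Python example that is not WorkOS code: a simplified local evaluator that returns the chain of relations granting access, and shows that deleting the single project-to-provider warrant revokes the technician while the client admin keeps access. The names RULES, check and offboard_provider are hypothetical, and the rule table is transcribed by hand from schema.txt.

```python
# Added example: a local model of the guide's schema, not the WorkOS FGA engine.
# (type, relation) -> [(inherited relation, linking relation or None for "same resource")]
RULES = {
    ("provider", "technician"): [("admin", None)],
    ("project", "editor"): [("admin", "client"), ("admin", "provider"),
                            ("technician", "provider")],
    ("project", "viewer"): [("editor", None)],
    ("task", "edit"): [("assignee", None), ("editor", "project")],
    ("task", "view"): [("edit", None), ("viewer", "project")],
    ("asset", "edit"): [("manager", None), ("editor", "project")],
    ("asset", "view"): [("edit", None), ("viewer", "project")],
}

# The six warrants from step 2: (type, id, relation, subject type, subject id).
CLIENT_ADMIN = "user_2oDscjroNWtzxzYEnEzT9P7VYEe"
TECHNICIAN = "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd"
WARRANTS = frozenset({
    ("client", "client-1", "admin", "user", CLIENT_ADMIN),
    ("provider", "provider-1", "technician", "user", TECHNICIAN),
    ("project", "project-1", "client", "client", "client-1"),
    ("project", "project-1", "provider", "provider", "provider-1"),
    ("task", "task-1", "project", "project", "project-1"),
    ("asset", "asset-1", "project", "project", "project-1"),
})

def check(warrants, rtype, rid, relation, user, path=()):
    """Return the chain of relations that grants access, or None if denied."""
    path = path + (f"{relation} on {rtype}:{rid}",)
    if (rtype, rid, relation, "user", user) in warrants:
        return path  # direct warrant
    for inherited, via in RULES.get((rtype, relation), []):
        # Resolve the resource the inherited relation is evaluated on.
        parents = [(rtype, rid)] if via is None else [
            (st, sid) for (t, i, r, st, sid) in warrants if (t, i, r) == (rtype, rid, via)]
        for ptype, pid in parents:
            found = check(warrants, ptype, pid, inherited, user, path)
            if found:
                return found
    return None

def offboard_provider(warrants, project_id, provider_id):
    """Drop the project -> provider link; access inherited through it disappears."""
    return warrants - {("project", project_id, "provider", "provider", provider_id)}

if __name__ == "__main__":
    print(check(WARRANTS, "asset", "asset-1", "view", TECHNICIAN))
    revoked = offboard_provider(WARRANTS, "project-1", "provider-1")
    print(check(revoked, "asset", "asset-1", "view", TECHNICIAN))    # denied
    print(check(revoked, "asset", "asset-1", "view", CLIENT_ADMIN))  # still allowed
```

The returned chain is a useful review artifact: every provider-side grant on a task or asset should pass through the project's provider relation, so that one warrant is the revocation point when an engagement ends.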
© WorkOS, Inc.