Model a managed service provider (MSP) that provides services to clients and manages projects, tasks, and assets.
Explore the example from this guide in the FGA Playground, where you can interact with the schema, warrants, and access checks in real time.
In a managed service provider (MSP) scenario, a client organization grants access to an external provider to perform services or manage resources on its behalf, while retaining control over access by assigning roles to the provider and its personnel.
This model is ideal when you need to grant limited access to external service providers without compromising internal access controls. It’s particularly useful in scenarios where external teams (like IT consultants, marketing agencies, or law firms) are brought in to manage specific projects or assets.
```
version 0.3

type user

// A client is a customer of the provider
type client
    relation admin [user]

// A provider is a service provider managed by the client
type provider
    relation admin [user]
    relation technician [user]

    inherit technician if
        relation admin

// A project is a project managed by the client and assigned a provider
type project
    relation client [client]
    relation provider [provider]
    relation editor [user]
    relation viewer [user]

    inherit editor if
        any_of
            relation admin on client [client]
            relation admin on provider [provider]
            relation technician on provider [provider]

    inherit viewer if
        any_of
            relation editor

type task
    relation assignee [user]
    relation project [project]
    relation edit []
    relation view []

    inherit edit if
        any_of
            relation assignee
            relation editor on project [project]

    inherit view if
        any_of
            relation edit
            relation viewer on project [project]

type asset
    relation manager [user]
    relation project [project]
    relation edit []
    relation view []

    inherit edit if
        any_of
            relation manager
            relation editor on project [project]

    inherit view if
        any_of
            relation edit
            relation viewer on project [project]
```
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.

Note: make sure to select the correct environment with the CLI.

```
workos fga schema apply schema.txt
```
Create warrants that associate users, clients, providers, and projects. The example schema defines the following relationships: a client has an `admin`, a provider has an `admin` or `technician`, and a project references a client and a provider while tasks and assets reference a project. Let's create a few warrants between client `client-1`, provider `provider-1`, project `project-1`, and users:
```bash
curl "https://api.workos.com/fga/v1/warrants" \
  -X POST \
  -H "Authorization: Bearer sk_example_123456789" \
  --data-raw \
  '[
    {
      "op": "create",
      "resource_type": "client",
      "resource_id": "client-1",
      "relation": "admin",
      "subject": {
        "resource_type": "user",
        "resource_id": "user_2oDscjroNWtzxzYEnEzT9P7VYEe"
      }
    },
    {
      "op": "create",
      "resource_type": "provider",
      "resource_id": "provider-1",
      "relation": "technician",
      "subject": {
        "resource_type": "user",
        "resource_id": "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd"
      }
    },
    {
      "op": "create",
      "resource_type": "project",
      "resource_id": "project-1",
      "relation": "client",
      "subject": {
        "resource_type": "client",
        "resource_id": "client-1"
      }
    },
    {
      "op": "create",
      "resource_type": "project",
      "resource_id": "project-1",
      "relation": "provider",
      "subject": {
        "resource_type": "provider",
        "resource_id": "provider-1"
      }
    },
    {
      "op": "create",
      "resource_type": "task",
      "resource_id": "task-1",
      "relation": "project",
      "subject": {
        "resource_type": "project",
        "resource_id": "project-1"
      }
    },
    {
      "op": "create",
      "resource_type": "asset",
      "resource_id": "asset-1",
      "relation": "project",
      "subject": {
        "resource_type": "project",
        "resource_id": "project-1"
      }
    }
  ]'
```
With our environment set up, we can check whether the technician user can view an asset. The technician has no direct warrant on `asset-1`; the check succeeds because `technician` on `provider-1` inherits `editor` on `project-1`, which inherits `viewer`, which in turn grants `view` on the asset.

```bash
curl "https://api.workos.com/fga/v1/check" \
  -X POST \
  -H "Authorization: Bearer sk_example_123456789" \
  --data-raw \
  '{
    "checks": [
      {
        "resource_type": "asset",
        "resource_id": "asset-1",
        "relation": "view",
        "subject": {
          "resource_type": "user",
          "resource_id": "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd"
        }
      }
    ]
  }'
```
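To make the inheritance chain behind that check concrete, here is an added Python example (not code from this page or from WorkOS) that evaluates the schema's `inherit` rules over the same warrants in memory; the `INHERIT` table is a hand-translation of the schema above, and the unrelated user id used for the negative case is a constructed value.

```python
from typing import NamedTuple

class Warrant(NamedTuple):
    resource_type: str
    resource_id: str
    relation: str
    subject_type: str
    subject_id: str

# The warrants created by the curl request above.
WARRANTS = {
    Warrant("client", "client-1", "admin", "user", "user_2oDscjroNWtzxzYEnEzT9P7VYEe"),
    Warrant("provider", "provider-1", "technician", "user", "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd"),
    Warrant("project", "project-1", "client", "client", "client-1"),
    Warrant("project", "project-1", "provider", "provider", "provider-1"),
    Warrant("task", "task-1", "project", "project", "project-1"),
    Warrant("asset", "asset-1", "project", "project", "project-1"),
}

# "inherit <relation> if any_of ..." clauses, translated from the schema.
# ("rel", r): subject holds r on the same resource.
# ("rel_on", r, via): subject holds r on the resource linked through relation via.
INHERIT = {
    ("provider", "technician"): [("rel", "admin")],
    ("project", "editor"): [("rel_on", "admin", "client"),
                            ("rel_on", "admin", "provider"),
                            ("rel_on", "technician", "provider")],
    ("project", "viewer"): [("rel", "editor")],
    ("task", "edit"): [("rel", "assignee"), ("rel_on", "editor", "project")],
    ("task", "view"): [("rel", "edit"), ("rel_on", "viewer", "project")],
    ("asset", "edit"): [("rel", "manager"), ("rel_on", "editor", "project")],
    ("asset", "view"): [("rel", "edit"), ("rel_on", "viewer", "project")],
}

def check(resource_type, resource_id, relation, subject_type, subject_id):
    """True if the subject holds `relation` on the resource, directly or via inherit rules."""
    if Warrant(resource_type, resource_id, relation, subject_type, subject_id) in WARRANTS:
        return True
    for rule in INHERIT.get((resource_type, relation), []):
        if rule[0] == "rel":
            if check(resource_type, resource_id, rule[1], subject_type, subject_id):
                return True
        else:  # follow the link (e.g. asset -> project) and re-check there
            _, target_relation, via = rule
            for w in WARRANTS:
                if (w.resource_type, w.resource_id, w.relation) == (resource_type, resource_id, via):
                    if check(w.subject_type, w.subject_id, target_relation, subject_type, subject_id):
                        return True
    return False
```

Running `check("asset", "asset-1", "view", "user", "user_3kLwpXyzQTuvbNApRmC5X4ZhAmd")` returns `True` by exactly the technician → editor → viewer → view path, while a user with no warrants gets `False`.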