Model public document access using FGA policies.
This guide is also available as an example in the FGA Playground, where you can interact with the schema, warrants, and queries in real time.
Public access allows users to view resources without requiring a direct relationship or explicit grant. This is useful for cases where content is meant to be openly accessible but still requires a basic set of conditions, such as being published or flagged as public.

    version 0.3

    type user

    type document
        relation viewer [user]

        inherit viewer if
            policy is_public_document

    policy is_public_document(document_attributes map) {
        document_attributes.public == true &&
        document_attributes.status == "published"
    }

Note: Public access can also be modeled with wildcard warrants. This example focuses on using policies for more control over access conditions.
Create a file called schema.txt containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
Note: Make sure to select the correct environment with the CLI.

    workos fga schema apply schema.txt

With our environment set up, we can check the user's permission to view a document. The policy is evaluated against the document_attributes passed in the check's context.

    curl "https://api.workos.com/fga/v1/check" \
      -X POST \
      -H "Authorization: Bearer sk_example_123456789" \
      --data-raw \
      '{
        "checks": [
          {
            "resource_type": "document",
            "resource_id": "doc-1",
            "relation": "viewer",
            "subject": {
              "resource_type": "user",
              "resource_id": "user_2oDscjroNWtzxzYEnEzT9P7VYEe"
            },
            "context": {
              "document_attributes": {
                "id": "doc-1",
                "public": true,
                "status": "published"
              }
            }
          }
        ]
      }'
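
Because the policy decides on whatever document_attributes the check request carries, the backend should fill that context from its own document record and never from values the requester sends. The sketch below is an added example, not WorkOS code: the DOCUMENTS store, build_check_body, the client_attributes parameter, and the local is_public_document mirror are all assumptions made for illustration, and nothing is sent over the network.

```python
import json

# Constructed sample rows standing in for the application's document store.
DOCUMENTS = {
    "doc-1": {"public": True, "status": "published"},
    "doc-2": {"public": True, "status": "draft"},
    "doc-3": {"public": False, "status": "published"},
}


def is_public_document(document_attributes):
    """Local mirror of the schema's is_public_document policy (for tests only)."""
    return (
        document_attributes.get("public") is True
        and document_attributes.get("status") == "published"
    )


def build_check_body(user_id, doc_id, client_attributes=None):
    """Build the /fga/v1/check body with context taken from the stored record.

    client_attributes models attributes sent by the requester; it is
    deliberately ignored so a caller cannot assert public/published itself.
    """
    record = DOCUMENTS[doc_id]  # unknown id raises KeyError: no check is sent
    return {
        "checks": [
            {
                "resource_type": "document",
                "resource_id": doc_id,
                "relation": "viewer",
                "subject": {"resource_type": "user", "resource_id": user_id},
                "context": {
                    "document_attributes": {
                        "id": doc_id,
                        "public": record["public"],
                        "status": record["status"],
                    }
                },
            }
        ]
    }


if __name__ == "__main__":
    forged = {"public": True, "status": "published"}  # constructed client input
    for doc_id in DOCUMENTS:
        body = build_check_body("user_example", doc_id, forged)
        attrs = body["checks"][0]["context"]["document_attributes"]
        print(doc_id, is_public_document(attrs), json.dumps(attrs))
```

Only doc-1 satisfies both conditions; the draft and the non-public document stay denied even when the requester claims otherwise.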