Model public document access using FGA policies.
Explore the example from this guide in the FGA Playground, where you can interact with the schema, warrants, and access checks in real time.
Public access allows users to view resources without requiring a direct relationship or explicit grant. This is useful for cases where content is meant to be openly accessible but still requires a basic set of conditions, such as being published or flagged as public.
    version 0.3

    type user

    type document
        relation viewer [user]

        inherit viewer if
            policy is_public_document

    policy is_public_document(document_attributes map) {
        document_attributes.public == true &&
        document_attributes.status == "published"
    }
Note: Public access can also be modeled with wildcard warrants. This example focuses on using policies for more control over access conditions.
Create a file called schema.txt containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
Note: Make sure to select the correct environment with the CLI.

    workos fga schema apply schema.txt
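With our environment set up, we can check the user’s permission to view a document. The document's attributes are passed in the request's context, and the is_public_document policy is evaluated against them.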
    curl "https://api.workos.com/fga/v1/check" \
      -X POST \
      -H "Authorization: Bearer sk_example_123456789" \
      --data-raw \
      '{
        "checks": [
          {
            "resource_type": "document",
            "resource_id": "doc-1",
            "relation": "viewer",
            "subject": {
              "resource_type": "user",
              "resource_id": "user_2oDscjroNWtzxzYEnEzT9P7VYEe"
            },
            "context": {
              "document_attributes": {
                "id": "doc-1",
                "public": true,
                "status": "published"
              }
            }
          }
        ]
      }'
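An added example, not part of the WorkOS guide or SDK: because the policy is evaluated against the context sent with the check, this sketch builds that context from server-side document records rather than from client input, and mirrors the policy locally so edge cases can be unit-tested. `DOCUMENTS`, `build_viewer_check`, `expected_public_access` and the Python `is_public_document` are hypothetical names, the sample records are constructed, and the strict boolean handling in the mirror is an assumption about how the application wants mistyped flags treated.

```python
import json

# Constructed sample records standing in for the application's trusted document store.
DOCUMENTS = {
    "doc-1": {"public": True, "status": "published"},
    "doc-2": {"public": True, "status": "draft"},
    "doc-3": {"public": False, "status": "published"},
    "doc-4": {"public": "true", "status": "published"},  # mistyped flag (string)
}


def is_public_document(document_attributes):
    """Local mirror of the schema policy, for tests only (assumed strict typing)."""
    return (
        document_attributes.get("public") is True
        and document_attributes.get("status") == "published"
    )


def build_viewer_check(doc_id, user_id, store=DOCUMENTS):
    """Build the check request body with context read from the trusted store."""
    record = store.get(doc_id)
    if record is None:
        raise KeyError(f"unknown document: {doc_id}")
    attrs = {
        "id": doc_id,
        # Only a real boolean True counts; a string such as "true" becomes False.
        "public": record.get("public") is True,
        "status": str(record.get("status", "")),
    }
    check = {
        "resource_type": "document",
        "resource_id": doc_id,
        "relation": "viewer",
        "subject": {"resource_type": "user", "resource_id": user_id},
        "context": {"document_attributes": attrs},
    }
    return {"checks": [check]}


def expected_public_access(doc_id, user_id="user_2oDscjroNWtzxzYEnEzT9P7VYEe"):
    """Outcome the policy mirror predicts for the context that would be sent."""
    body = build_viewer_check(doc_id, user_id)
    return is_public_document(body["checks"][0]["context"]["document_attributes"])


if __name__ == "__main__":
    print(json.dumps(build_viewer_check("doc-1", "user_2oDscjroNWtzxzYEnEzT9P7VYEe"), indent=2))
```

The returned dictionary serializes to the same JSON body as the curl request above when called with "doc-1".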