User Groups

Learn how to make user group abstractions to manage permissions at scale.

User groups in Fine-Grained Authorization (FGA) allow you to manage permissions at scale by grouping users and granting access to those groups. This is particularly useful in large organizations where managing individual user permissions can become cumbersome.

When to use?

You should consider using user groups in the following scenarios:

Large Organizations: When you have a large number of users and resources, managing permissions individually can be inefficient.

Dynamic User Base: If your user base changes frequently (e.g., employees joining or leaving), management groups can simplify the process of updating permissions.

Hierarchical Structures: When your organization has a hierarchical structure (e.g., departments, teams), management groups can help you define permissions at different levels of the hierarchy without duplicating effort.

Example Applications

Management groups can be applied in various scenarios, including:

Enterprise Applications: In large enterprises, you can create groups for different departments (e.g., Sales, Engineering) and assign permissions to these groups rather than individual users.

Multi-Tenant SaaS Applications: For SaaS applications serving multiple organizations, you can create groups for each tenant and manage permissions for users within those tenants.

Example Schema

 version 0.3

type user

type organization
  relation admin [user]
  relation document_viewer [user]
  relation document_manager [user]

  inherit document_manager if
    relation admin // admins are also document managers

  inherit document_viewer if
    relation document_manager // document managers are also viewers

type document
  // A document has a parent organization
  relation parent [organization]
  relation edit [user]
  relation view [user]

  // Allow users to edit the document if they
  //  are in the document manager group on the organization that owns it
  inherit edit if
    relation document_manager on parent [organization]

  // Allow users to view the document if they
  //  are in the document viewer group on the organization that owns it
  inherit view if
    relation document_viewer on parent [organization]