Resources

Resources are FGA's references to your application's access-controlled resources.

FGA stores a set of warrants representing relationships between resources in an application. These resources are typically application-specific objects persisted in the application’s datastore (e.g. MySQL, PostgreSQL, MongoDB, etc). In FGA, they are referred to as resources.

Overview

report:balance-sheet (Resource Type: report, Resource ID: balance-sheet)

Resources consist of three attributes:

  • Resource Type – Specifies what type of entity a particular resource is (e.g. a user, a tenant, a report, etc).
  • Resource ID – Specifies a unique identifier for the resource (typically the same unique identifier used in your application to identify the resource).
  • Meta (optional) – A JSON object containing additional data related to the resource that it would be helpful for FGA to know about (e.g. a user’s email address, a tenant’s display name, a description of the privileges a role grants, etc).

Resources make it easier to manage the warrants associated with each resource, providing a way for applications to persist authorization-specific data outside of (or often, in lieu of) their primary datastore.

Creating and Managing Resources

FGA automatically creates the resources that are referenced by warrants when they are created. This means developers using FGA don’t need to worry about manually creating resources.

For example, given the following warrant:

report:balance-sheet#editor@user:john-doe

{
  "resource_type": "report",
  "resource_id": "balance-sheet",
  "relation": "editor",
  "subject": {
    "resource_type": "user",
    "resource_id": "john-doe"
  }
}

FGA will automatically create two resources upon creation of the warrant:

report:balance-sheet

{
  "resource_type": "report",
  "resource_id": "balance-sheet"
}

user:john-doe

{
  "resource_type": "user",
  "resource_id": "john-doe"
}

Resources can be managed from the FGA Dashboard and/or via API. Refer to the Resources API Reference to learn more about managing resources via API.

When a resource is deleted, any warrants associated with the resource will automatically be deleted. This makes it easier for applications to remove all warrants associated with a resource when the resource is deleted from the application itself.

Metadata

Resources can be augmented with additional authorization-specific metadata (e.g. the display name for a role or permission, the description of a particular feature, etc). Metadata is especially useful when implementing permission-specific user interfaces. For example, when building a customer-facing page for managing team-level roles and permissions, metadata can provide user-friendly names and descriptions of what actions/resources each role or permission will grant to a user.

user:john-doe w/ metadata

{
  "resource_type": "user",
  "resource_id": "john-doe",
  "meta": {
    "email": "john-doe@acme-corp.com",
    "isActivated": true
  }
}

role:accountant w/ metadata

{
  "resource_type": "role",
  "resource_id": "accountant",
  "meta": {
    "name": "Accountant",
    "description": "Allows a user to view the financial reporting pages and edit charges."
  }
}

There is a 50kb limit on the size of the metadata object.
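
A local model of the behaviour described on this page, as an added example that is not WorkOS code and calls no WorkOS API: it parses the warrant string form shown above, lists the resources a batch of warrants would auto-create (so a mistyped ID is caught before it becomes a stray resource), and models the cascade when a resource is deleted. The function names, the sample data, the reading of "50kb" as 50 KiB of serialized JSON, and the choice to cascade on both sides of a warrant are assumptions.

```python
import json
import re

# Warrant string form shown on this page: type:id#relation@type:id
WARRANT_RE = re.compile(
    r"^(?P<rt>[^:#@\s]+):(?P<rid>[^#@\s]+)#(?P<rel>[^@\s]+)"
    r"@(?P<st>[^:#@\s]+):(?P<sid>[^#@\s]+)$"
)
META_LIMIT_BYTES = 50 * 1024  # assumption: "50kb" read as 50 KiB of serialized JSON

def parse_warrant(text):
    """Convert the string form into the JSON shape shown on the page."""
    m = WARRANT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a type:id#relation@type:id warrant: {text!r}")
    return {
        "resource_type": m["rt"], "resource_id": m["rid"], "relation": m["rel"],
        "subject": {"resource_type": m["st"], "resource_id": m["sid"]},
    }

def implied_resources(warrants):
    """(type, id) pairs that creating these warrants would bring into existence."""
    found = set()
    for w in warrants:
        found.add((w["resource_type"], w["resource_id"]))
        found.add((w["subject"]["resource_type"], w["subject"]["resource_id"]))
    return found

def delete_resource(warrants, rtype, rid):
    """Model of the cascade: drop every warrant naming the resource on either
    side (assumption about what "associated" covers)."""
    key = (rtype, rid)
    return [w for w in warrants if key not in implied_resources([w])]

def meta_fits(meta):
    """Check a meta object against the size limit before sending it."""
    return len(json.dumps(meta).encode("utf-8")) <= META_LIMIT_BYTES

# Constructed sample data; the second subject id is a deliberate typo.
SAMPLE = [parse_warrant(s) for s in (
    "report:balance-sheet#editor@user:john-doe",
    "report:balance-sheet#viewer@user:jon-doe",
    "report:payroll#viewer@user:john-doe",
)]
KNOWN_USERS = {"john-doe"}  # ids present in the application's own datastore
# User resources that would be auto-created without a matching application record.
STRAY = {r for r in implied_resources(SAMPLE)
         if r[0] == "user" and r[1] not in KNOWN_USERS}
```
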

© WorkOS, Inc.