Modular Authorization Models

[aaguiarz]

The authorization policies for a specific application need to be maintained by the application team. In organizations with multiple teams, it would be optimal to let each team maintain their own authorization model.

OpenFGA currently supports a single model per store, and we don't plan to change that, but we want to provide a way to enable each team maintain their models.

A possible solution would be to split the OpenFGA in multiple 'modules':

base.fga

module base

type user

type role
  relations
    define member : [user]

document_management.fga

module document_management
include "base.fga"

type folder
    define viewer : [user, group#member]

The files would need to be combined before saving them to the OpenFGA store, e.g.

fga model compose base.fga document_management.fga --target model.fga
fga model write --file model.fga

RFC

Engineering tickets:

• https://github.com/openfga/api/issues/137
• https://github.com/openfga/language/issues/148
• https://github.com/openfga/vscode-ext/issues/165
• https://github.com/openfga/cli/issues/262
• https://github.com/openfga/openfga/issues/1402

[aaguiarz]

Draft RFC here https://github.com/openfga/rfcs/pull/14