The authorization policies for a specific application need to be maintained by the application team. In organizations with multiple teams, it would be optimal to let each team maintain their own authorization model.
OpenFGA currently supports a single model per store, and we don't plan to change that, but we want to provide a way to enable each team maintain their models.
A possible solution would be to split the OpenFGA in multiple 'modules':
base.fga
module base
type user
type role
relations
define member : [user]
document_management.fga
module document_management
include "base.fga"
type folder
define viewer : [user, group#member]
The files would need to be combined before saving them to the OpenFGA store, e.g.
fga model compose base.fga document_management.fga --target model.fga
fga model write --file model.fga
The authorization policies for a specific application need to be maintained by the application team. In organizations with multiple teams, it would be optimal to let each team maintain their own authorization model.
OpenFGA currently supports a single model per store, and we don't plan to change that, but we want to provide a way to enable each team maintain their models.
A possible solution would be to split the OpenFGA in multiple 'modules':
base.fga
document_management.fga
The files would need to be combined before saving them to the OpenFGA store, e.g.
RFC
Engineering tickets: