The Developer’s Guide to Fine-Grained Authorization

Fine-Grained Authorization (FGA) is a more granular and scalable authorization scheme than traditional Role-Based Access Control (RBAC). Unlike RBAC, which defines permissions at the app section level, FGA allows for precise control over individual resources. This makes it ideal for apps with user-generated content that require handling millions of authorization requests per second. Implementing FGA can be complex and requires a data model that efficiently represents relationships between users and resources. It also involves building resolver logic to handle cases where permissions aren't explicitly coded into an authorization check but are implied by other existing roles or hierarchies. Centralized vs. decentralized FGA architectures depend on the existing architecture of a company, with centralized implementations being more common for FGA systems. Several open and closed source options have emerged to help teams outsource FGA implementation, such as WorkOS FGA, SpiceDB, and OpenFGA.