Skip to content

What is Relationship Based Access Control?

Relationship Based Access Control – more commonly known as ReBAC – is a popularized access control method that provides for restriction based on relationships. Typically implemented at a level closest to the protected object (i.e. the protected API route or particular Application UX), a ReBAC model can be used to define the permissions required to enable authorized access at a fine granularity.

Hi, I’m Peter Fernandez, an Innovator, Architect, Consultant, Engineer, and Principal Developer Advocate at Auth0 by Okta, and I’m here to tell you more about Relationship Based Access Control provided by Auth0.

What are Relationships?

A relationship is a connection between a subject – typically a user – and the object being protected (such as a protected API route or a particular Application UX). Multiple, interconnected relationships can be built, allowing a fine definition of access control granularity to be modelled.

How do Relationships compare?

At the other end of the scale are models that don’t typically allow for such fine granularity. RBAC, for example, though initially often easier to build and deploy, typically offers far precision over exactly what is access controlled, and how.

How do Relationships relate?

ReBAC will typically allow for the modelling of other paradigms – such as RBAC and/or ABAC – and offers granularity of access that scales to allow a system to control exactly how many authorization checks need to be performed, when, and how. Irrespective of whether that resource is some Application UX, or some resource accessed via an API.

Build it yourself?

You could build support in-house, yourself. That’s true. Click on the image to read more about doing just that, and watch the recording of my related webinar here. If your team has the resources, time, capacity, knowledge, and expertise in developing SSO; deploying Attack Protection; leveraging OIDC and/or SAML for Authentication, Social and/or Enterprise Federation; implementing Passwordless and/or MFA, and/or (optionally) OAuth 2.0 for API Authorization – then it’s definitely an option. But what if there was a better way?

Meet Auth0’s FGA

FGA is Auth0’s ReBAC – i.e. Relationship Based Access Control – SaaS system that’s based on Google Zanzibar. Available for self-hosting via OpenFGA – or currently available as a hosted Developer Preview – Auth0 makes it easy to enable collaborative relationships, going far beyond the typical Role-Based Access Control (a.k.a. RBAC) model. The more we’ve spoken to developers just like you, the more we’ve learned just how many use cases it can solve.

ReBAC built to scale

Auth0 FGA makes fine-grained authorization fast, scalable, and easy to use. It also supports building customized control, empowering new perspectives on how to manage access. A developer-friendly, API-first solution, FGA offers a way to enable highly secure collaborative and granular access control at any level, anywhere in your application(s). Leveraging Authorization powered by Auth0, build granular access control using an easy-to-read modelling language and friendly APIs.

Customizable…

 Build customized models to handle complex scenarios and emulate the likes of RBAC, ABAC or any other system of access control with Auth0 FGA. Click on the image to check out the handy modelling guides provided right out of the box.

…Access Control…

With Auth0 FGA, take access control to a whole new level! Build complex hierarchies and leverage object-level atomicity using a powerful SaaS-based API. Click on the image to learn more.

…secured by Auth0

Configure the Auth0 FGA API to leverage OAuth 2.0 utilizing Authorization provided by Auth0 and take full advantage of all the features offered by the Auth0 platform as standard.

Integrate with ease

With the Auth0 FGA SDK, you can start building an initial integration in a matter of hours. Click on the image to visit the website and discover how to integrate with ease.

Authorization built to scale

User collaboration and granular access control are enabled in your applications and resource servers using the developer-friendly SDKs and APIs provided by Auth0’s FGA. With full-featured auditing capabilities included as standard, FGA provides the fundamental building blocks for implementing authorization at scale. Visit openfga.dev and try it out for yourself, or sign up for the Developer Preview at auth0.com/fine-grained-authorization!

Read more about it on the Auth0 Blog

Take a look at the Auth0 Blog, and learn how integrating a fine-grained model can help you streamline implementation when it comes to Authorization.

Stay informed

Helpful Identity & Access Management articles that are timely and relevant, whatever your level of experience. Whether you prefer to learn by reading, listening, watching videos, cloning repos, copying code, or attending a workshop or conference: content is everywhere and made for developers like you. Click on the image to subscribe to the newsletter today!

Begin the journey…

Sign up here, and create a free Auth0 Tenant to begin your journey. Play with prototyping an integration of your existing code – or develop something new; experience the Okta Customer Identity Cloud, powered by Auth0, in a way that best suits you.

…or try a Demo.

If you’re looking for some inspiration, why not take a look at some of the pre-build demos at demo.okta.com – where you can test-drive sample integrations for both the Okta Customer Identity Cloud and the Okta Workforce Identity Cloud too!