Ever felt like you’re juggling flaming torches when dealing with user permissions in your SaaS app? Don’t worry, you’re not alone. Traditional Role-Based Access Control (RBAC) might have been fine when your biggest concern was “Admin vs. Viewer,” but most applications live in a totally different universe. Think Slack, Notion, or GitHub, where access isn’t about having a certain title but about belonging to specific teams, organizations, or projects (sometimes all at once).
That’s where OpenFGA enters the scene with a concept called Relationship-Based Access Control (ReBAC), the approach behind Google’s Zanzibar paper that OpenFGA is modeled on. Say goodbye to a million static roles and hello to a system that actually understands how humans (and their projects) really work.
Why RBAC Feels Like Ancient History
Let’s be real: RBAC lumps permissions into neat little buckets (Admin, Editor, Viewer). That sounds great until you realize you need 14 variations of “Editor” just to handle all the unique scenarios in your multi-tenant SaaS product. Organizations have complicated hierarchies. Projects sometimes have external contributors who need limited access. And that’s just Monday.
Pretty soon, you’re drowning in roles: JuniorEditor, SeniorEditor, Project123Editor, TemporaryExternalEditorButOnlySometimes. Every time someone changes teams or gets hired as a contractor, you’re stuck dragging roles around like a reluctant donkey. Worse, role explosion quietly turns into over-provisioning: when no existing role fits, the path of least resistance is to hand out a broader one than the job needs. Yikes!
Meet ReBAC: Because It’s All About Relationships
Rather than forcing people into a static label, Relationship-Based Access Control says, “Hey, let’s base access on who’s related to what.” Is Bob the owner of Project Alpha? Great, give him full rein. Is Alice a viewer of that project’s design doc? Sure, let her see it but not edit it. Once Bob leaves the project, you just remove that single relationship; no need to break out the chainsaw on your entire role structure.
Key Idea: Relationships > Roles
Owner of a project
Member of an organization
Viewer of a specific document
Collaborator on a task
In ReBAC, these relationships are front and center. It’s like a spiderweb of connections: when one strand changes, you just tweak that strand.
OpenFGA: Putting Fine-Grained Authorization to Work
OpenFGA is an open-source authorization engine (a CNCF project) that brings ReBAC to life. You describe your object types and their relations in an authorization model, write relationship tuples of the form (user, relation, object), and ask a single question at request time: “does this user have this relation on this object?” It’s built to handle scale, performance, and an ever-growing list of complicated relationships without making you tear your hair out.
Example Time: A Multi-Tenant Collaboration Platform
Organizations & Teams
user:alice -> member -> organization:acme
team:design -> belongs_to -> organization:acme
user:bob -> member -> team:design
Translation: Alice is in Acme Org, Bob’s in the Design Team. Instant clarity. No “AcmeDesignTeamAdminJunior” roles needed. (The arrows are shorthand for an OpenFGA tuple, which is literally user, relation, object: the first line is user=user:alice, relation=member, object=organization:acme.)
Projects
user:alice -> owner -> project:website-redesign
team:design#member -> owner -> project:logo-revamp
user:bob -> collaborator -> project:website-redesign
Now, if Alice wants Bob’s help on the website redesign, she just sets him up as a collaborator. Easy, right? Note the second tuple: to grant a whole team, the subject is the userset team:design#member (“everyone who is a member of team:design”), not the bare team object. That userset is what lets Bob inherit ownership through his team membership, and lose it the moment that membership goes away.
Documents
user:alice -> viewer -> document:wireframes
user:bob -> editor -> document:wireframes
If Bob moves to a different project, just delete that one tuple. No fuss, no re-labeling.
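To see how these tuples actually compose, here is an added example: my own Python, not OpenFGA’s code and not the OpenFGA SDK. It is a minimal in-memory resolver that answers Check-style questions over the tuples above using the three building blocks an OpenFGA model gives you: direct assignment, computed relations (“or”), and tuple-to-userset (“X from Y”). The trailing comments show a hypothetical OpenFGA DSL model I wrote for this scenario; it adds can_view/can_edit permissions and a document -> project link that the post doesn’t spell out, and the bracketed type restrictions in those comments are not enforced by the resolver. The organization link is written the OpenFGA way, with the parent organization on the user side of the tuple. The demo runs the post’s checks and then deletes single tuples to show that revocation really is “remove one strand.”

```python
# Added example (not OpenFGA's code): a minimal in-memory resolver that answers
# "does user X have relation Y on object Z?" over OpenFGA-style tuples. Trailing
# comments give the equivalent line of a hypothetical OpenFGA DSL model (schema 1.1);
# the bracketed type restrictions in those comments are NOT enforced here.
# Each relation is a list of alternatives joined by "or":
#   ("this",)            tuples written directly on this relation
#   ("computed", REL)    the same object's relation REL
#   ("from", REL, VIA)   tuple-to-userset: REL on each object linked through VIA
MODEL = {
    "organization": {                                  # type organization
        "member": [("this",)],                         #   define member: [user]
    },
    "team": {                                          # type team
        "organization": [("this",)],                   #   define organization: [organization]
        "member": [("this",)],                         #   define member: [user]
    },
    "project": {                                       # type project
        "owner": [("this",)],                          #   define owner: [user, team#member]
        "collaborator": [("this",)],                   #   define collaborator: [user]
        "can_view": [("computed", "owner"), ("computed", "collaborator")],  # owner or collaborator
        "can_edit": [("computed", "owner"), ("computed", "collaborator")],  # owner or collaborator
    },
    "document": {                                      # type document
        "project": [("this",)],                        #   define project: [project]
        "viewer": [("this",)],                         #   define viewer: [user]
        "editor": [("this",)],                         #   define editor: [user]
        "can_view": [("computed", "viewer"), ("computed", "editor"),
                     ("from", "can_view", "project")],  # viewer or editor or can_view from project
        "can_edit": [("computed", "editor")],          #   define can_edit: editor
    },
}


def check(tuples, user, relation, obj, _seen=None):
    """True if `user` has `relation` on `obj`. `tuples` is a set of (user, relation, object);
    the user side may be a userset such as team:design#member. Unmodeled relations raise."""
    obj_type = obj.split(":", 1)[0]
    alternatives = MODEL.get(obj_type, {}).get(relation)
    if alternatives is None:  # fail closed and loudly rather than silently denying
        raise ValueError(f"relation {relation!r} is not defined on type {obj_type!r}")
    seen = set() if _seen is None else _seen
    if (user, relation, obj) in seen:  # cycle guard: never re-expand a key already on this path
        return False
    seen.add((user, relation, obj))
    for alt in alternatives:
        if alt[0] == "this":
            for u, r, o in tuples:
                if r != relation or o != obj:
                    continue
                if u == user:
                    return True
                if "#" in u:  # userset subject: the user qualifies via that relation on that object
                    uset_obj, uset_rel = u.split("#", 1)
                    if check(tuples, user, uset_rel, uset_obj, seen):
                        return True
        elif alt[0] == "computed":
            if check(tuples, user, alt[1], obj, seen):
                return True
        else:  # "from": hop to each object linked through VIA, then evaluate REL there
            _, target_rel, via = alt
            for u, r, o in tuples:
                if r == via and o == obj and "#" not in u and check(tuples, user, target_rel, u, seen):
                    return True
    return False


def sample_tuples():
    """Constructed tuples for the post's scenario; the document->project link is an added assumption."""
    return {
        ("user:alice", "member", "organization:acme"),
        ("organization:acme", "organization", "team:design"),  # parent link: organization on the user side
        ("user:bob", "member", "team:design"),
        ("user:alice", "owner", "project:website-redesign"),
        ("team:design#member", "owner", "project:logo-revamp"),  # whole team via a userset, not a bare team
        ("user:bob", "collaborator", "project:website-redesign"),
        ("user:alice", "viewer", "document:wireframes"),
        ("user:bob", "editor", "document:wireframes"),
        ("project:website-redesign", "project", "document:wireframes"),  # assumed link, not in the post
    }


def demo():
    """Runs the post's checks, then shows that revocation is a single tuple delete."""
    t = sample_tuples()
    r = {
        "bob edits wireframes": check(t, "user:bob", "can_edit", "document:wireframes"),
        "alice edits wireframes": check(t, "user:alice", "can_edit", "document:wireframes"),
        "alice views wireframes": check(t, "user:alice", "can_view", "document:wireframes"),
        "bob views logo-revamp via team": check(t, "user:bob", "can_view", "project:logo-revamp"),
        "alice views logo-revamp": check(t, "user:alice", "can_view", "project:logo-revamp"),
    }
    t.discard(("user:bob", "member", "team:design"))  # Bob leaves the team: team-granted access is gone
    r["bob views logo-revamp after leaving team"] = check(t, "user:bob", "can_view", "project:logo-revamp")
    t.discard(("user:bob", "editor", "document:wireframes"))  # view still flows from the project; edit does not
    r["bob views wireframes via project"] = check(t, "user:bob", "can_view", "document:wireframes")
    r["bob edits wireframes after editor removed"] = check(t, "user:bob", "can_edit", "document:wireframes")
    return r
```

Two things worth noticing in the results. Alice is a member of organization:acme, yet she cannot view project:logo-revamp, because nothing in the model says org membership implies project access; access only flows along relations you explicitly define. And after Bob’s editor tuple is gone he can still view the wireframes through his collaborator relation on the project, but not edit them, because can_edit on a document is defined as editor only. A real OpenFGA deployment answers these same questions through its Check API against the stored model and tuples instead of this toy resolver.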
Why ReBAC (and OpenFGA) Win in the Real World
- Granular control minus the headaches
Each resource is guarded by relationships. Want to keep tight control? Just specify the exact relationship needed.
- Dynamic updates
If Bob leaves Team Design, you just delete the tuple user:bob -> member -> team:design. Instantly, everything Bob had through that team is gone, and the next check reflects it. No rummaging through role definitions.
- Cleaner maintenance
Fewer roles mean fewer migraines. Your business logic evolves, and your relationships update accordingly. No dusty policy docs to maintain.
- Better Security
By granting specific relationships on specific objects, you’re less likely to hand out blanket permissions, so a compromised or over-eager account reaches less. The flip side is that the authorization model itself is now security-critical code: a single misplaced “or” in a relation definition grants access across every object of that type. Version it, review it, and test it (OpenFGA supports assertion-style tests against a model) like any other code.
Bringing It All Together
If you’ve ever banged your head against a desk over RBAC, you know it can turn messy fast. Especially in multi-tenant apps, where “Admin” can mean 20 different things. By switching to a relationship-based approach with OpenFGA, you align your access model to how real humans actually operate. That means no more monstrous role spreadsheets, no more “this is how it’s always been,” and definitely more time to build your product.
Parting Thoughts
It’s 2025 y’all, time to retire that ancient, one-size-fits-all approach. OpenFGA gives you the flexibility to handle complex user relationships with elegance. Whether you’re cooking up the next Slack, managing external contractors, or just tired of editing roles for your friends named Bob, ReBAC can save you from permissions purgatory.
And if you want to learn more about exactly how to make this happen, come check out my talk on OpenFGA at NDC Security in Oslo on Thursday, 23 Jan. I’ll be talking about how to model ReBAC for real-world projects. Your future self (and your users) will send you a virtual fist bump.