SqlOS

Fine-Grained Auth

IHasResourceId

Connect your EF Core entities to the FGA resource tree.

IHasResourceId is the interface that connects your domain entities to the FGA resource tree. Any entity that needs authorization filtering must implement it.

Interface

CSHARP
public interface IHasResourceId
{
    string ResourceId { get; }
}

Implementation

Add ResourceId to your entity and implement the interface:

CSHARP
public class Chain : IHasResourceId
{
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public string ResourceId { get; set; } = "";
    public string Name { get; set; } = "";
    public string? Description { get; set; }
    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
}

Assigning the ResourceId

When creating an entity, create the FGA resource first and assign the ID:

CSHARP
var resourceId = context.CreateResource("org::acme", request.Name, "chain");
 
var chain = new Chain
{
    ResourceId = resourceId,
    Name = request.Name
};
 
context.Chains.Add(chain);
await context.SaveChangesAsync(ct);

How it's used

When you call GetAuthorizationFilterAsync<T>, the filter joins your entity's ResourceId against the set of accessible resources for the subject:

CSHARP
var filter = await authService
    .GetAuthorizationFilterAsync<Chain>(subjectId, "CHAIN_VIEW");
 
// The filter expression uses chain.ResourceId to check access
var chains = await dbContext.Chains.Where(filter).ToListAsync();

This translates to a SQL Server table-valued function join, so authorization happens at the database level.
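The filter semantics described above, modeled in memory as an added example (not SqlOS code): rows are kept only when their ResourceId is in the subject's accessible set. `FilterModel.BuildFilter` and the `res-chain-*` ids are hypothetical, and the sample rows are constructed; SqlOS resolves the accessible set in SQL Server rather than from a `HashSet`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

public interface IHasResourceId { string ResourceId { get; } }

public class Chain : IHasResourceId
{
    public string ResourceId { get; set; } = "";
    public string Name { get; set; } = "";
}

public static class FilterModel
{
    // Hypothetical stand-in for the authorization filter: keep only rows whose
    // ResourceId is in the subject's accessible set. This models the semantics
    // in memory; it is not how SqlOS resolves the set.
    public static Expression<Func<T, bool>> BuildFilter<T>(HashSet<string> accessible)
        where T : IHasResourceId
        => entity => accessible.Contains(entity.ResourceId);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: resources the subject may view.
        var accessible = new HashSet<string> { "res-chain-1", "res-chain-3" };

        // Constructed sample rows, including one saved without a ResourceId.
        var chains = new List<Chain>
        {
            new Chain { ResourceId = "res-chain-1", Name = "granted" },
            new Chain { ResourceId = "res-chain-2", Name = "not granted" },
            new Chain { Name = "unassigned" }, // ResourceId stays ""
        };

        var filter = FilterModel.BuildFilter<Chain>(accessible);
        var visible = chains.AsQueryable().Where(filter).ToList();

        // Rows outside the accessible set, and the row with the default empty
        // ResourceId, are dropped: in this model a missing link fails closed.
        foreach (var chain in visible)
            Console.WriteLine($"{chain.Name} ({chain.ResourceId})");
    }
}
```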