FGA Overview

FGA models resources as a tree. You grant roles on a node. Child nodes inherit access. EF sends filters to SQL Server. You do not load everything and filter in memory.

How it works#

Define resources (projects, chains, stores), roles (admin, viewer), and permissions (VIEW, EDIT). Grant a role to a user on a resource. Every descendant of that resource inherits the grant.

Resource hierarchy

▾Acme Corp (Organization)

▾Walmart (Chain)

•Store #001 (Location)inherits LOCATION_VIEW

•Store #002 (Location)inherits LOCATION_VIEW

▾Target (Chain)

•chain grantinherits CHAIN_VIEW + CHAIN_EDIT

▾Globex (Organization)

•Costco (Chain)no access for jane

Resources

Organizations, projects, chains, stores, or any hierarchy you define.

Roles and permissions

Attach reusable permission bundles to a resource and inherit them downward.

Query filters

Push auth checks into SQL Server instead of loading data and trimming it in memory.

Query-time filtering#

The core feature. Instead of loading all records and filtering in memory, FGA pushes authorization into the SQL query:

CSHARP

var filter = await authService
    .GetAuthorizationFilterAsync<Chain>(subjectId, "CHAIN_VIEW");
 
var chains = await dbContext.Chains
    .Where(filter)
    .OrderBy(c => c.Name)
    .ToListAsync();

Users only see rows they may access. Under the hood that becomes a SQL Server TVF call.

Company Admin sees 5 chains:

Admin view

Store Clerk sees 0 chains (only their store):

Clerk view

Setup#

CSHARP

builder.AddSqlOS<AppDbContext>();
 
var app = builder.Build();
app.MapSqlOS();

Dashboard#

/sqlos/admin/fga/ — browse resources, grants, roles, permissions, and run the access tester.

FGA Resources

FGA stays close to your data

The value proposition is not just expressive permissions. It is that the same authorization model can drive list filtering, detail checks, dashboard inspection, and SQL-native enforcement from one runtime.

Key concepts#

Concept	Description
Resource	A node in the hierarchy (org, project, store)
Subject	Who is being authorized (user, agent, service account)
Role	A named set of permissions (viewer, editor, admin)
Permission	A capability key (CHAIN_VIEW, INVENTORY_EDIT)
Grant	Links subject + role + resource; inherits downward

Deep dives#

How it works#

Define resources (projects, chains, stores), roles (admin, viewer), and permissions (VIEW, EDIT). Grant a role to a user on a resource. Every descendant of that resource inherits the grant.

Resource hierarchy

▾Acme Corp (Organization)

▾Walmart (Chain)

•Store #001 (Location)inherits LOCATION_VIEW

•Store #002 (Location)inherits LOCATION_VIEW

▾Target (Chain)

•chain grantinherits CHAIN_VIEW + CHAIN_EDIT

▾Globex (Organization)

•Costco (Chain)no access for jane

Resources

Organizations, projects, chains, stores, or any hierarchy you define.

Roles and permissions

Attach reusable permission bundles to a resource and inherit them downward.

Query filters

Push auth checks into SQL Server instead of loading data and trimming it in memory.

Query-time filtering#

The core feature. Instead of loading all records and filtering in memory, FGA pushes authorization into the SQL query:

CSHARP

var filter = await authService
    .GetAuthorizationFilterAsync<Chain>(subjectId, "CHAIN_VIEW");
 
var chains = await dbContext.Chains
    .Where(filter)
    .OrderBy(c => c.Name)
    .ToListAsync();

Users only see rows they may access. Under the hood that becomes a SQL Server TVF call.

Company Admin sees 5 chains:

Store Clerk sees 0 chains (only their store):

Dashboard#

/sqlos/admin/fga/ — browse resources, grants, roles, permissions, and run the access tester.

FGA stays close to your data

Concept

Description

Resource

A node in the hierarchy (org, project, store)

Subject

Who is being authorized (user, agent, service account)

Role

A named set of permissions (viewer, editor, admin)

Permission

A capability key (CHAIN_VIEW, INVENTORY_EDIT)

Grant

Links subject + role + resource; inherits downward

Model access as a tree and push the filtering work into SQL

How it works#

Resources

Roles and permissions

Query filters

Query-time filtering#

Setup#

Dashboard#

Key concepts#

Deep dives#

Model access as a tree and push the filtering work into SQL

How it works#

Resources

Roles and permissions

Query filters

Query-time filtering#

Setup#

Dashboard#

Key concepts#

Deep dives#