SqlOS

Fine-Grained Auth

Resource Hierarchy

Model your app's data as a tree for inherited permissions.

4 sections

Resources are a tree. One parent per node (root has none). For access checks, FGA walks up from the target node to root and looks for grants.

Tree structure#

Model your app's hierarchy as nested resources:

PLAINTEXT
root
├── org::acme (Organization)
│   ├── chain-1 (Chain)
│   │   ├── location-1 (Location)
│   │   │   ├── item-1 (Inventory)
│   │   │   └── item-2 (Inventory)
│   │   └── location-2 (Location)
│   └── chain-2 (Chain)
└── org::globex (Organization)
    └── chain-3 (Chain)

Create a resource#

Use CreateResource to add a node to the tree:

CSHARP
var resourceId = context.CreateResource(
    parentId: "org::acme",
    name: "New Chain",
    resourceTypeId: "chain"
);

With a custom ID:

CSHARP
var resourceId = context.CreateResource(
    parentId: "root",
    name: "Acme Corp",
    resourceTypeId: "organization",
    id: $"org::{org.Id}"
);

CreateResource adds the resource to the EF Core change tracker. Call SaveChangesAsync to persist.

How inheritance works#

When checking CHAIN_VIEW on chain-1:

  1. Check grants directly on chain-1
  2. Check grants on org::acme (parent)
  3. Check grants on root (grandparent)
  4. If any ancestor has a grant with a role that includes CHAIN_VIEW, access is allowed

This means a single grant at the organization level gives access to everything underneath, without creating per-resource grants.

Browse in the dashboard#

Path: Fine-Grained Auth > Resources

Resource hierarchy

The Resources page shows the full tree with resource types, child counts, and grant counts.