Filter EF queries with FGA

You'll learn how to build an FGA filter and apply it in EF Core queries for list and detail endpoints.

Prerequisites

FGA model seeded and resources created for your data
ISqlOSFgaAuthService available in your API

Goal#

List endpoints return only rows the current subject may read — in one SQL round-trip.

Steps#

Inject ISqlOSFgaAuthService in your endpoint or service.
Build a filter for the entity type:

CSHARP

var filter = await fgaAuth.GetAuthorizationFilterAsync<Project>(
    subjectId: userId,
    permissionKey: "project.read");
 
var projects = await db.Projects
    .Where(filter)
    .Where(p => p.IsActive)
    .OrderBy(p => p.Name)
    .Take(20)
    .ToListAsync();

Point checks for single-resource actions use CheckAccessAsync (see Checking a permission).
Verify with the access tester in /sqlos/admin/fga/.

Expected outcome#

LINQ translates to SQL with the FGA TVF in the plan
Pagination and sorting stay in the database
No N+1 calls to an external policy engine

Next steps#

List filtering — pagination and PagedSpec
Syncing auth to FGA
SDK reference

Filter EF queries with FGA

Authorization as a WHERE clause

Goal#

Steps#

Expected outcome#

Next steps#

Authorization as a WHERE clause

Goal#

Steps#

Expected outcome#

Next steps#