Documentation

IHasResourceId

← All docs

IHasResourceId

Connect your EF Core entities to the FGA resource tree.

IHasResourceId is the interface that connects your domain entities to the FGA resource tree. Any entity that needs authorization filtering must implement it.

Interface

public interface IHasResourceId
{
    string ResourceId { get; }
}

Implementation

Add ResourceId to your entity and implement the interface:

public class Chain : IHasResourceId
{
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public string ResourceId { get; set; } = "";
    public string Name { get; set; } = "";
    public string? Description { get; set; }
    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
}

Assigning the ResourceId

When creating an entity, create the FGA resource first and assign the ID:

var resourceId = context.CreateResource("org::acme", request.Name, "chain");

var chain = new Chain
{
    ResourceId = resourceId,
    Name = request.Name
};

context.Chains.Add(chain);
await context.SaveChangesAsync(ct);

How it's used

When you call GetAuthorizationFilterAsync<T>, the filter joins your entity's ResourceId against the set of accessible resources for the subject:

var filter = await authService
    .GetAuthorizationFilterAsync<Chain>(subjectId, "CHAIN_VIEW");

// The filter expression uses chain.ResourceId to check access
var chains = await dbContext.Chains.Where(filter).ToListAsync();

This translates to a SQL Server table-valued function join, so authorization happens at the database level.