Permissions

Permission keys scoped to resource types.

A permission is a capability key scoped to a resource type. Permissions define what actions can be performed on which kinds of resources.

Define permissions in startup

options.UseFGA(fga =>
{
    fga.SeedResourceType("chain", "Chain");
    fga.SeedResourceType("location", "Location");
    fga.SeedResourceType("inventory", "Inventory Item");

    fga.SeedPermission("CHAIN_VIEW", "View Chain", "chain");
    fga.SeedPermission("CHAIN_EDIT", "Edit Chain", "chain");
    fga.SeedPermission("LOCATION_VIEW", "View Location", "location");
    fga.SeedPermission("LOCATION_EDIT", "Edit Location", "location");
    fga.SeedPermission("INVENTORY_VIEW", "View Inventory", "inventory");
    fga.SeedPermission("INVENTORY_EDIT", "Edit Inventory", "inventory");
});

Naming convention

Use RESOURCETYPE_ACTION in uppercase:

Key             Resource type   Action
CHAIN_VIEW      chain           Read access
CHAIN_EDIT      chain           Write access
LOCATION_VIEW   location        Read access
INVENTORY_EDIT  inventory       Write access
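
The convention ties each key's prefix to the resource type it is scoped to, so a seed such as CHAIN_EDIT registered against location is worth catching before deployment. The following is an added example, not part of the library's own code: PermissionSeed and PermissionKeyAudit are hypothetical names, and the check assumes the uppercased resource type id is the key prefix, as in the table above.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Constructed sample: the resource types from this page plus three deliberately bad seeds.
var resourceTypes = new[] { "chain", "location", "inventory" };
var seeds = new[]
{
    new PermissionSeed("CHAIN_VIEW", "chain"),
    new PermissionSeed("CHAIN_EDIT", "location"),      // key prefix and scope disagree
    new PermissionSeed("inventory_edit", "inventory"), // not uppercase
    new PermissionSeed("LOCATION_VIEW", "locations"),  // scope is not a seeded resource type
};

foreach (var problem in PermissionKeyAudit.Validate(resourceTypes, seeds))
    Console.WriteLine(problem);

// Hypothetical stand-in holding the Key and ResourceTypeId fields of the page's model.
public record PermissionSeed(string Key, string ResourceTypeId);

public static class PermissionKeyAudit
{
    // Uppercase segments joined by underscores, at least two segments, no trailing newline.
    private static readonly Regex Shape = new(@"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)+\z");

    public static List<string> Validate(
        IEnumerable<string> resourceTypeIds, IEnumerable<PermissionSeed> seeds)
    {
        var known = new HashSet<string>(resourceTypeIds);
        var seenKeys = new HashSet<string>();
        var problems = new List<string>();

        foreach (var s in seeds)
        {
            if (!known.Contains(s.ResourceTypeId))
                problems.Add($"{s.Key}: resource type '{s.ResourceTypeId}' is not seeded");
            if (!Shape.IsMatch(s.Key))
                problems.Add($"{s.Key}: not in uppercase RESOURCETYPE_ACTION form");
            else if (!s.Key.StartsWith(s.ResourceTypeId.ToUpperInvariant() + "_", StringComparison.Ordinal))
                problems.Add($"{s.Key}: prefix does not match resource type '{s.ResourceTypeId}'");
            if (!seenKeys.Add(s.Key))
                problems.Add($"{s.Key}: duplicate key");
        }
        return problems;
    }
}
```

Running the same check over the real seed list in a unit test or at startup makes a mis-scoped or misspelled key fail early instead of silently granting or denying access at a call site.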

Usage in code

Permission keys are strings passed to authorization checks:

// List filtering
var filter = await authService
    .GetAuthorizationFilterAsync<Chain>(subjectId, "CHAIN_VIEW");

// Point check
var access = await authService
    .CheckAccessAsync(subjectId, "CHAIN_EDIT", resourceId);

// Capability check
var canEdit = await authService
    .HasCapabilityAsync(subjectId, "CHAIN_EDIT");

Permission model

public class SqlOSFgaPermission
{
    public string Id { get; set; }
    public string Key { get; set; }            // "CHAIN_VIEW"
    public string DisplayName { get; set; }    // "View Chain"
    public string ResourceTypeId { get; set; } // "chain"
}