# Ask HN: Does OpenFGA Support Multi-Level Indirect Relationship Evaluation?

I've been evaluating OpenFGA for relationship-based access control (ReBAC) and I believe I've identified a significant limitation: *OpenFGA does not support multi-level indirect relationship evaluation beyond one level of indirection*.

## Example Scenario: Management Chain Authorization

Imagine a scenario where permissions should propagate up a management chain:

1. *Object A* is *owned* by *User B*.
2. *User B* is *managed* by *User C*.
3. *User C* is *managed* by *User D*.

### What OpenFGA Can Handle

If I define an authorization rule like:

```
allow manager from owner
```

Then *User C* inherits access to *Object A* because:

> "User C manages User B, who owns Object A."

### What OpenFGA Cannot Handle

OpenFGA does not allow further relationship chaining:

> "User D should be able to view Object A, because User D manages User C, who manages User B, who owns Object A."

This limitation exists because OpenFGA does not allow the `from` clause (also called a tupleset) to reference another relation. The documentation explicitly states that OpenFGA will *throw an error* if an authorization model attempts this kind of multi-level evaluation:

- ["Referencing Relations on Related Objects"](https://openfga.dev/docs/configuration-language#referencing-relations-on-related-objects)
- ["Modeling Parent-Child Relationships"](https://openfga.dev/docs/modeling/parent-child#05-check-if-bob-is-an-editor-of-documentmeeting_notesdoc)

## My Questions for HN:

1. *Have I correctly understood this limitation of OpenFGA?*
2. *Are there any authorization frameworks/tools that do support recursive evaluation of indirect relationships?*

Would love to hear if anyone has encountered and solved this issue, or if OpenFGA's approach is just a fundamental design tradeoff in this space. Thanks!
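As an added example (not from the post or the OpenFGA project), the scenario above written as an OpenFGA store test file that can be run with the CLI's `fga model test --tests <file>`; the type names `user` and `object`, the `viewer` relation and the test names are assumptions, and the tuples are constructed to match the post's three statements.

```yaml
name: management-chain
model: |
  model
    schema 1.1

  type user
    relations
      # Direct assignment only. The post's point is that this tupleset
      # relation cannot itself be defined as "manager from manager".
      define manager: [user]

  type object
    relations
      define owner: [user]
      # One hop of indirection: viewers are the owners plus the managers
      # of those owners (the "manager from owner" rule in the post).
      define viewer: owner or manager from owner

# Constructed sample tuples for the post's scenario.
tuples:
  - user: user:B
    relation: owner
    object: object:A
  - user: user:C
    relation: manager
    object: user:B
  - user: user:D
    relation: manager
    object: user:C

tests:
  # User C manages the owner of object:A, so one hop resolves.
  - name: one level of indirection resolves
    check:
      - user: user:C
        object: object:A
        assertions:
          viewer: true
  # User D only manages C, not the owner, so the second hop is not walked.
  - name: second level of indirection does not resolve
    check:
      - user: user:D
        object: object:A
        assertions:
          viewer: false
```

Both assertions pass with the model as written; the `viewer: false` case is the gap the post describes, since the `manager` relation on `user` is resolved directly and is not itself expanded through another `from` clause.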