OpenFGA is a fine-grained authorization server and policy decision point that implements relationship-based access control. It serves as a centralized authorization service for evaluating access requests and managing relationship tuples across distributed microservices and multi-tenant environments.
The engine combines relationship graphs with attribute-based access control, using the Common Expression Language to evaluate dynamic runtime attributes and conditional access rules. It handles complex hierarchies and nested permissions by traversing chains of associations and parent-child links to determine if a principal is authorized to perform a specific action.
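The traversal described above, sketched as an added example; it is not OpenFGA code or its API. The tuples, the `MODEL` dictionary and the `business_hours` condition are constructed for illustration, and a Python callable stands in for a CEL expression.

```python
# Constructed tuples: (object, relation, subject, condition name or None).
TUPLES = [
    ("document:q3", "parent", "folder:finance", None),
    ("folder:finance", "parent", "folder:root", None),
    ("folder:root", "parent", "folder:finance", None),   # deliberate cycle
    ("folder:finance", "viewer", "user:anne", None),
    ("folder:root", "viewer", "user:bob", "business_hours"),
    ("document:q3", "viewer", "user:carl", None),
]

# Hypothetical model: a relation is held directly or inherited through a
# link relation on the object (a "viewer from parent" style rule).
MODEL = {
    "document": {"viewer": {"inherit": ("parent", "viewer")}},
    "folder": {"viewer": {"inherit": ("parent", "viewer")}},
}

# Python callables stand in for CEL expressions over request-time context.
CONDITIONS = {"business_hours": lambda ctx: 9 <= ctx.get("hour", -1) < 17}

def check(user, relation, obj, context=None, _seen=None):
    """Return True if `user` holds `relation` on `obj`, following parent links."""
    context = context or {}
    seen = _seen if _seen is not None else set()
    if (obj, relation) in seen:       # cycle guard: never revisit a node
        return False
    seen.add((obj, relation))
    # 1. Direct tuples; a conditional tuple fails closed when context is missing.
    for o, r, s, cond in TUPLES:
        if (o, r, s) == (obj, relation, user):
            if cond is None or CONDITIONS[cond](context):
                return True
    # 2. Inherited access: follow each link tuple and re-check on the parent.
    rule = MODEL.get(obj.split(":", 1)[0], {}).get(relation, {})
    if "inherit" in rule:
        link, parent_rel = rule["inherit"]
        for o, r, s, _ in TUPLES:
            if o == obj and r == link and check(user, parent_rel, s, context, seen):
                return True
    return False
```

The conditional grant on `folder:root` only applies when the caller supplies an `hour` inside the window, so the same check can allow or deny depending on request context.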
The system supports a wide range of operational capabilities, including authorization as code via versioned schema models, batch permission processing, and multi-backend persistence with support for PostgreSQL, MySQL, and SQLite. It provides tools for model visualization, automated deployment through continuous integration pipelines, and comprehensive observability via OpenTelemetry.
The server can be installed and configured across Docker and Kubernetes environments using Helm charts.