# openfga/openfga **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/openfga-openfga).** 4,793 stars · 351 forks · Go · apache-2.0 ## Links - GitHub: https://github.com/openfga/openfga - Homepage: https://openfga.dev - awesome-repositories: https://awesome-repositories.com/repository/openfga-openfga.md ## Topics `abac` `authorization` `entitlements` `fga` `fine-grained-access-control` `fine-grained-authorization` `go` `golang` `hacktoberfest` `openfga` `pbac` `permissions` `rbac` `rebac` `security` `zanzibar` ## Description OpenFGA is a fine-grained authorization server and policy decision point that implements relationship-based access control. It serves as a centralized authorization service for evaluating access requests and managing relationship tuples across distributed microservices and multi-tenant environments. The engine combines relationship graphs with attribute-based access control, using the Common Expression Language to evaluate dynamic runtime attributes and conditional access rules. It handles complex hierarchies and nested permissions by traversing chains of associations and parent-child links to determine if a principal is authorized to perform a specific action. The system supports a wide range of operational capabilities, including authorization as code via versioned schema models, batch permission processing, and multi-backend persistence with support for PostgreSQL, MySQL, and SQLite. It provides tools for model visualization, automated deployment through continuous integration pipelines, and comprehensive observability via OpenTelemetry. The server can be installed and configured across Docker and Kubernetes environments using Helm charts. ## Tags ### Security & Cryptography - [Relationship-Based Access Controls](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/data-resource-permissions/relationship-based-access-controls.md) — Implements a security model that manages permissions by defining relationships between subjects and objects. - [Authorization Services](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/authorization-and-user-administration/access-control-authorization/authorization-services.md) — Provides a centralized service that acts as a single source of truth for permission decisions across microservices. - [Fine-Grained Permission Checking](https://awesome-repositories.com/f/security-cryptography/permission-based-access-control/team-action-permission-checks/fine-grained-permission-checking.md) — Evaluates access requests via high-performance APIs to determine if a user is authorized to perform a specific action. ([source](https://cdn.jsdelivr.net/gh/openfga/openfga@main/README.md)) - [Relationship-Based Models](https://awesome-repositories.com/f/security-cryptography/access-control-models/relationship-based-models.md) — Specifies authorization logic using a domain-specific language to define relationships, roles, and attribute-based conditions. ([source](https://openfga.dev/docs/modeling)) - [Group-Based Access Controls](https://awesome-repositories.com/f/security-cryptography/access-restrictions/group-based-access-controls.md) — Grants relations or permissions to a set of users by linking group objects to specific resources. ([source](https://openfga.dev/docs/modeling/user-groups)) - [Attribute-Based Access Control](https://awesome-repositories.com/f/security-cryptography/attribute-based-access-control.md) — Implements a framework that evaluates authorization requests using dynamic runtime attributes and contextual data. - [Authorization Logic](https://awesome-repositories.com/f/security-cryptography/authorization-logic.md) — Provides a centralized source of truth for authorization logic and relationship data used across all services. ([source](https://openfga.dev/docs/use-cases/microservices-authorization)) - [Authorization Model Management](https://awesome-repositories.com/f/security-cryptography/authorization-model-management.md) — Provides tools to write, retrieve, and version the logic that defines how access is granted. ([source](https://openfga.dev/docs/getting-started/cli)) - [Authorization Query Engines](https://awesome-repositories.com/f/security-cryptography/authorization-query-engines.md) — Evaluates access requests via network calls or embedded libraries to deliver real-time permission decisions. ([source](https://openfga.dev/docs/fga)) - [Request-Time Attribute Processing](https://awesome-repositories.com/f/security-cryptography/domain-access-restrictions/request-access-restrictions/request-time-attribute-processing.md) — Processes dynamic data provided at request time, like IP addresses, to evaluate conditional access rules. ([source](https://openfga.dev/docs/best-practices/modeling-abac)) - [Hybrid Relationship-Attribute Access Systems](https://awesome-repositories.com/f/security-cryptography/hybrid-relationship-attribute-access-systems.md) — Combines relationship graphs with dynamic runtime attributes using Common Expression Language for conditional access. - [Tuple Lifecycle Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/data-resource-permissions/relationship-based-access-controls/tuple-lifecycle-management.md) — Manages the creation and removal of associations between users and objects with support for atomic updates. ([source](https://openfga.dev/docs/getting-started)) - [Graph-Based Authorization Checks](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/authorization-and-user-administration/access-control-authorization/graph-based-authorization-checks.md) — Evaluates access requests by analyzing a graph of relationship tuples and hierarchical parent-child links. ([source](https://openfga.dev/docs/authorization-concepts)) - [Agent Identities](https://awesome-repositories.com/f/security-cryptography/identity-and-access-management/agent-identities.md) — Assigns unique identities and granular, task-specific permissions to autonomous AI agents as first-class principals. ([source](https://openfga.dev/docs/use-cases/ai-agent-authorization)) - [Relationship-Based Permission Checks](https://awesome-repositories.com/f/security-cryptography/just-in-time-access/low-latency-permission-evaluators/relationship-based-permission-checks.md) — Evaluates access requests by analyzing relationship tuples to deliver real-time permission decisions with high performance. ([source](https://openfga.dev/docs/adopters/vitrolife)) - [Multi-Tenant Isolation Layers](https://awesome-repositories.com/f/security-cryptography/multi-tenant-isolation-layers.md) — Ensures strict data and permission separation across multiple tenants within a single authorization store. ([source](https://openfga.dev/docs/use-cases)) - [Non-Human Principal Modeling](https://awesome-repositories.com/f/security-cryptography/non-human-principal-modeling.md) — Treats automated agents as first-class identities within a permission hierarchy to manage their access. ([source](https://openfga.dev/docs/modeling/agents)) - [Contextual Permission Verification](https://awesome-repositories.com/f/security-cryptography/permission-based-access-control/contextual-permission-verification.md) — Evaluates access requests using temporary, non-persistent relationship tuples provided at runtime. ([source](https://openfga.dev/docs/modeling/contextual-time-based-authorization)) - [Permission Management](https://awesome-repositories.com/f/security-cryptography/permission-management.md) — Manages billions of relationship tuples with millisecond latency for thousands of requests per second. ([source](https://openfga.dev/docs/adopters/read-ai)) - [Policy Decision Points](https://awesome-repositories.com/f/security-cryptography/policy-decision-points.md) — Serves as a policy decision point that evaluates authorization logic to return real-time permission decisions. - [Request-Time Context Evaluation](https://awesome-repositories.com/f/security-cryptography/security/policies/access-control/authorization-context-rule-definition/evaluation-contexts/request-time-context-evaluation.md) — Evaluates authorization requests using temporary, non-persistent attributes provided during the session. ([source](https://openfga.dev/docs/modeling/organization-context-authorization)) - [Scoped Permission Assignments](https://awesome-repositories.com/f/security-cryptography/access-assignment-analyzers/scoped-permission-assignments.md) — Grants access to principals at varying levels of granularity, ranging from organization-wide inheritance to direct object assignments. ([source](https://openfga.dev/docs/modeling/agents/agents-as-principals)) - [Authorization Type Definitions](https://awesome-repositories.com/f/security-cryptography/authorization-type-definitions.md) — Creates distinct types for application resources to ensure precision in permission queries and compliance auditing. ([source](https://openfga.dev/docs/best-practices/modeling-design-principles)) - [Batch Authorization Evaluators](https://awesome-repositories.com/f/security-cryptography/batch-authorization-evaluators.md) — Evaluates multiple authorization requests in a single batch call with configurable short-circuiting to reduce latency. ([source](https://openfga.dev/docs/interacting/authzen)) - [Conditional Access Restrictions](https://awesome-repositories.com/f/security-cryptography/domain-access-restrictions/request-access-restrictions/resource-access-restrictions/action-based-access-restrictions/conditional-access-restrictions.md) — Restricts actions based on runtime parameters or object states to ensure dynamic access control. ([source](https://openfga.dev/docs/concepts)) - [Usage-Based Access Restrictions](https://awesome-repositories.com/f/security-cryptography/domain-access-restrictions/request-access-restrictions/usage-based-access-restrictions.md) — Restricts permissions based on quantitative metrics and request context, such as time-based expiration or call counts. ([source](https://openfga.dev/docs/modeling/agents/task-based-authorization)) - [External Resource Sharing](https://awesome-repositories.com/f/security-cryptography/external-resource-sharing.md) — Grants specific users from different organizations access to individual resources across tenant boundaries. ([source](https://openfga.dev/docs/use-cases/multi-tenant-saas)) - [Role Inheritance Resolution](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/compliance-governance/audit-and-compliance/policy-enforcement-frameworks/strategy-assignment-priority-hierarchies/role-hierarchy-priority-rules/role-inheritance-resolution.md) — Implements concentric relation models where high-level roles inherit all permissions from lower-level roles via graph traversal. ([source](https://openfga.dev/docs/modeling/advanced/iot)) - [Accessible Resource Querying](https://awesome-repositories.com/f/security-cryptography/granular-access-controls/resource-level-access-controls/accessible-resource-querying.md) — Implements reverse lookups to identify all objects a principal is authorized to access. ([source](https://openfga.dev/docs/use-cases/ai-agent-authorization)) - [Ownership-Based Access Controls](https://awesome-repositories.com/f/security-cryptography/granular-access-controls/resource-level-access-controls/ownership-based-access-controls.md) — Establishes ownership relations between parent and child objects to restrict and determine resource access. ([source](https://openfga.dev/docs/modeling/advanced/github)) - [Granular Permission Systems](https://awesome-repositories.com/f/security-cryptography/granular-permission-systems.md) — Creates distinct relations to differentiate between general and privileged access based on data sensitivity. ([source](https://openfga.dev/docs/industries/healthcare)) - [Permission Inheritance](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/access-control-models/permission-based-security/permission-inheritance.md) — Implements mechanisms that propagate security settings and permissions from parent resources to their children. ([source](https://openfga.dev/docs/modeling/parent-child)) - [Relationship Expansion](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/data-resource-permissions/relationship-based-access-controls/relationship-expansion.md) — Retrieves a full tree of users and usersets that hold a specific relationship to an object. ([source](https://openfga.dev/docs/modeling/building-blocks/usersets)) - [Runtime Relationship Injection](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/data-resource-permissions/relationship-based-access-controls/runtime-relationship-injection.md) — Allows temporary relationship data to be processed during a single request without persisting it to the store. ([source](https://openfga.dev/docs/interacting/contextual-tuples)) - [Permitted Action Discoveries](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/policy-enforcement-engines/action-resolution-policies/permitted-action-discoveries.md) — Provides an API to discover all actions a user can perform on a resource to dynamically update UI elements. ([source](https://openfga.dev/docs/interacting/authzen)) - [Model Versioning](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/authorization-and-user-administration/access-control-authorization/authorization-services/model-versioning.md) — Supports immutable versioning of authorization models to maintain consistency and enable safe transitions between policy iterations. ([source](https://openfga.dev/docs/getting-started/immutable-models)) - [Custom Role Definitions](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/user-management/user-role-management/custom-role-definitions.md) — Allows the creation of user-specified roles and permissions defined at the individual object level. ([source](https://openfga.dev/docs/modeling)) - [Runtime Role Creation](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/user-management/user-role-management/custom-role-definitions/runtime-role-creation.md) — Enables the creation of arbitrary sets of roles and their association with permissions at runtime. ([source](https://openfga.dev/docs/modeling/custom-roles)) - [Just-in-Time Access](https://awesome-repositories.com/f/security-cryptography/just-in-time-access.md) — Restricts permission to resources for specific time windows by evaluating the current time during the access check. ([source](https://openfga.dev/docs/modeling/agents/mcp-authorization)) - [Permission Delegation](https://awesome-repositories.com/f/security-cryptography/permission-based-access-control/permission-delegation.md) — Grants autonomous agents bounded access to resources through explicit relationships for specific tasks. ([source](https://openfga.dev/docs/use-cases/ai-agent-authorization)) - [Transitive Permission Rule Definitions](https://awesome-repositories.com/f/security-cryptography/permission-based-access-control/transitive-permission-rule-definitions.md) — Defines hierarchical relationship rules where permissions on a parent object automatically grant access to its children. ([source](https://openfga.dev/docs/adopters/openlane)) - [Bulk Tuple Writes](https://awesome-repositories.com/f/security-cryptography/permission-systems/permission-request-workflows/bulk-permission-checkers/bulk-tuple-writes.md) — Modifies access for large sets of resources simultaneously via high-performance batch writes. ([source](https://openfga.dev/docs/industries/crm)) - [Model Version Pinning](https://awesome-repositories.com/f/security-cryptography/request-authorization-enforcers/model-version-pinning.md) — Locks API requests to a specific model version to ensure consistent authorization behavior and performance. ([source](https://openfga.dev/docs/getting-started/tuples-api-best-practices)) - [OpenFGA Authorization Integration](https://awesome-repositories.com/f/security-cryptography/request-authorization-enforcers/openfga-authorization-integration.md) — Connects applications via language-specific libraries to verify permissions and manage relationships using an external server. ([source](https://openfga.dev/)) - [Accessible Resource Filtering](https://awesome-repositories.com/f/security-cryptography/resource-access-control/accessible-resource-filtering.md) — Provides the ability to return a list of objects a user is permitted to interact with to filter client views. ([source](https://openfga.dev/docs/use-cases/mcp-server-authorization)) - [Role-Based Access Control](https://awesome-repositories.com/f/security-cryptography/role-based-access-control.md) — Assigns permissions to users through the definition and assignment of static or custom roles. ([source](https://openfga.dev/docs/best-practices/modeling-roles)) - [Union Conditions](https://awesome-repositories.com/f/security-cryptography/role-based-access-control/conditional-access-rules/union-conditions.md) — Implements authorization logic that grants access if any one of several relationship criteria is satisfied. ([source](https://openfga.dev/docs/modeling/advanced/slack)) - [Authorized Subject Listing](https://awesome-repositories.com/f/security-cryptography/security/policies/host-resource-access/file-system-access-controls/path-access-restrictions/path-access-restrictions/subject-access-restrictions/permission-listings/authorized-subject-listing.md) — Retrieves all users or identities that hold a specific permission to act upon a given resource. ([source](https://openfga.dev/docs/interacting/authzen)) - [Access Logic Validations](https://awesome-repositories.com/f/security-cryptography/sensitive-data-access-controls/logical-access-rules/access-logic-validations.md) — Runs predefined test cases against models and tuples to validate that authorization rules behave as expected. ([source](https://openfga.dev/docs/modeling/store-file-format)) - [Access Exclusion Lists](https://awesome-repositories.com/f/security-cryptography/user-access-management/access-exclusion-lists.md) — Prevents specific users or groups from accessing resources by applying an explicit exclusion operator. ([source](https://openfga.dev/docs/modeling/blocklists)) ### Software Engineering & Architecture - [Fine-Grained Access Control](https://awesome-repositories.com/f/software-engineering-architecture/hierarchical-object-access-control/object-level-authorizations/fine-grained-access-control.md) — Implements precise, object-level authorization mechanisms using relationship tuples and conditional logic. ([source](https://openfga.dev/docs/fga)) - [Graph Traversal Engines](https://awesome-repositories.com/f/software-engineering-architecture/recursive-validation-engines/recursive-tree-traversers/dependency-tree-traversers/path-based-tree-traversers/graph-traversal-engines.md) — Resolves indirect permissions by traversing chains of associations and hierarchical parent-child links. - [Authorization Tuple Injection](https://awesome-repositories.com/f/software-engineering-architecture/contextual-data-injection/authorization-tuple-injection.md) — Processes temporary relationship data at request time to support dynamic and situational access rules. - [Authorization Model Testing](https://awesome-repositories.com/f/software-engineering-architecture/core-business-logic/logic-verification-utilities/infrastructure-logic-verification/model-based-verification/authorization-model-testing.md) — Validates authorization logic by running predefined tests against a model to ensure expected results. ([source](https://openfga.dev/docs/modeling/testing)) - [Expression Languages](https://awesome-repositories.com/f/software-engineering-architecture/expression-languages.md) — Evaluates dynamic attribute-based conditions during authorization checks using a standardized expression language. - [Multi-Object Permission Verification](https://awesome-repositories.com/f/software-engineering-architecture/hierarchical-object-access-control/multi-object-permission-verification.md) — Checks authorization for a large set of objects in a single request to reduce latency. ([source](https://openfga.dev/docs/getting-started/perform-check)) - [Authorization Schemas](https://awesome-repositories.com/f/software-engineering-architecture/schema-driven-generators/authorization-schemas.md) — Uses language definitions to map relationships to permissions, eliminating the need for manual tuning of access rules. ([source](https://openfga.dev/docs/adopters/grafana)) - [Transactional Outbox Patterns](https://awesome-repositories.com/f/software-engineering-architecture/transactional-outbox-patterns.md) — Ensures data consistency by coupling database writes with authorization changes using a transactional outbox pattern. ### Artificial Intelligence & ML - [Agent Access Controls](https://awesome-repositories.com/f/artificial-intelligence-ml/agent-access-controls.md) — Defines and enforces precise access limits and operational scopes for autonomous AI agents. ([source](https://openfga.dev/docs/modeling/agents)) - [Authorization Model Pipelines](https://awesome-repositories.com/f/artificial-intelligence-ml/model-deployment-pipelines/authorization-model-pipelines.md) — Enables automated testing and deployment of authorization models through CI pipelines. ([source](https://openfga.dev/docs/fga)) ### Data & Databases - [Model Specifications](https://awesome-repositories.com/f/data-databases/entity-relationship-definitions/authorization-relations/model-specifications.md) — Provides a domain-specific language for defining the object types and relationships that govern all access control logic. ([source](https://openfga.dev/docs/configuration-language)) - [Relationship Data Storage](https://awesome-repositories.com/f/data-databases/relationship-data-storage.md) — Provides a specialized persistence layer for storing subject-object relationship tuples used in access control decisions. ([source](https://openfga.dev/docs/concepts)) - [Concurrent Update Resolution](https://awesome-repositories.com/f/data-databases/concurrent-update-resolution.md) — Resolves conflicts during simultaneous writes to the authorization store to maintain data consistency. ([source](https://openfga.dev/docs/adopters/headspace)) - [Atomic Transaction Coordinators](https://awesome-repositories.com/f/data-databases/concurrent-write-optimizations/atomic-transaction-coordinators.md) — Ensures data consistency by coupling database writes and authorization changes using a transactional outbox pattern. ([source](https://openfga.dev/docs/adopters/vitrolife)) - [Authorization Result Caches](https://awesome-repositories.com/f/data-databases/data-engineering-infrastructure/caching-performance/caching-strategies/query-result-caching/method-result-caches/authorization-result-caches.md) — Caches authorization decisions in memory to minimize latency for repetitive access checks. ([source](https://openfga.dev/docs/best-practices/running-in-production)) - [Public Access Controls](https://awesome-repositories.com/f/data-databases/data-feeds/public-access-controls.md) — Grants permissions to all users of a specific type to enable open access to objects. ([source](https://openfga.dev/docs/modeling/advanced/gdrive)) - [Authorized ID Retrieval](https://awesome-repositories.com/f/data-databases/data-retrieval/authorization-data-retrievals/authorized-id-retrieval.md) — Fetches a list of resource identifiers a user has permission to access to facilitate efficient database filtering. ([source](https://openfga.dev/docs/modeling/agents/rag-authorization)) - [Authorization Schema Managers](https://awesome-repositories.com/f/data-databases/data-schema-management/schema-versioning/authorization-schema-managers.md) — Maintains immutable iterations of authorization logic to enable safe transitions and consistent behavior. - [Authorization Relations](https://awesome-repositories.com/f/data-databases/entity-relationship-definitions/authorization-relations.md) — Defines authorization relations where possessing one specific relationship automatically grants another within a hierarchy. ([source](https://openfga.dev/docs/modeling/building-blocks/concentric-relationships)) - [Multi-Tenant Data Management](https://awesome-repositories.com/f/data-databases/multi-tenant-data-management.md) — Ensures strict tenant separation by isolating data and permissions across different organizations. - [Pluggable Database Backends](https://awesome-repositories.com/f/data-databases/persistent-storage-backends/pluggable-database-backends.md) — Supports diverse data stores including PostgreSQL, MySQL, and SQLite for relationship tuple storage. - [Authorization Store Backends](https://awesome-repositories.com/f/data-databases/persistent-storage-backends/relational-storage-backends/authorization-store-backends.md) — Supports persisting authorization tuples and models across PostgreSQL, MySQL, and in-memory storage. ([source](https://cdn.jsdelivr.net/gh/openfga/openfga@main/README.md)) - [Read Replicas](https://awesome-repositories.com/f/data-databases/read-replicas.md) — Scales read throughput by distributing authorization queries across PostgreSQL replicas. ([source](https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga)) - [Relationship Change Retrievals](https://awesome-repositories.com/f/data-databases/relationship-data-storage/relationship-change-retrievals.md) — Provides paginated lists of relationship changes to allow external systems to synchronize their local authorization state. ([source](https://openfga.dev/docs/interacting/read-tuple-changes)) - [Authorization-Based Search Filtering](https://awesome-repositories.com/f/data-databases/search-result-filtering/authorization-based-search-filtering.md) — Filters database search results by verifying user permissions for each record using high-performance batch requests. ([source](https://openfga.dev/docs/interacting/search-with-permissions)) - [Local Permission Index Syncing](https://awesome-repositories.com/f/data-databases/secondary-indexes/local-indexes/local-permission-index-syncing.md) — Consumes a stream of authorization changes to maintain a local cache for high-performance permission intersections. ([source](https://openfga.dev/docs/interacting/search-with-permissions)) ### Development Tools & Productivity - [ReBAC Engines](https://awesome-repositories.com/f/development-tools-productivity/authorization-rule-engines/rebac-engines.md) — Implements a Relationship-Based Access Control (ReBAC) engine to manage complex hierarchies and nested permissions. - [Relationship](https://awesome-repositories.com/f/development-tools-productivity/change-tracking/relationship.md) — Maintains a queryable history of relationship updates to provide a full audit trail of permission changes. ([source](https://openfga.dev/docs/industries/healthcare)) - [CLI Administration Tools](https://awesome-repositories.com/f/development-tools-productivity/cli-administration-tools.md) — Provides a command line tool to manage stores, import/export models, and handle data migration. ([source](https://openfga.dev/docs/fga)) ### Networking & Communication - [Permission Inheritance Management](https://awesome-repositories.com/f/networking-communication/communication-protocols-architectures/communication-paradigms/group-membership-management/permission-inheritance-management.md) — Assigns permissions to user groups and handles the inheritance of those permissions through membership. ([source](https://openfga.dev/docs/modeling)) - [Immediate Permission Revocation](https://awesome-repositories.com/f/networking-communication/communication-protocols-architectures/communication-paradigms/group-membership-management/immediate-permission-revocation.md) — Removes relationship tuples to instantly strip a user of all inherited group permissions. ([source](https://openfga.dev/docs/interacting/managing-group-membership)) - [Nested Group Memberships](https://awesome-repositories.com/f/networking-communication/communication-protocols-architectures/communication-paradigms/group-membership-management/nested-group-memberships.md) — Supports inherited access by allowing groups to be members of other groups. ([source](https://openfga.dev/docs/modeling/advanced/github)) ### DevOps & Infrastructure - [Policy-as-Code Definitions](https://awesome-repositories.com/f/devops-infrastructure/infrastructure-as-code/policy-as-code-definitions.md) — Implements authorization logic as version-controlled code to enable automated testing and safe deployments via CI/CD pipelines. ([source](https://openfga.dev/docs/adopters/headspace)) - [Gradual Rollouts](https://awesome-repositories.com/f/devops-infrastructure/release-lifecycle-management/feature-orchestration/gradual-rollouts.md) — Supports gradual rollouts of new authorization logic via shadow checks and traffic shifts to validate changes. ([source](https://openfga.dev/docs/getting-started/immutable-models)) ### System Administration & Monitoring - [Access Control Synchronizers](https://awesome-repositories.com/f/system-administration-monitoring/access-control-synchronizers.md) — Reconciles authorization states between two systems using full or differential synchronization of relationship tuples. ([source](https://openfga.dev/docs/adopters/vitrolife)) - [Permission Auditing Tools](https://awesome-repositories.com/f/system-administration-monitoring/permission-managers/permission-display-sequences/permission-auditing-tools.md) — Identifies which users hold specific permissions at a given time to ensure security compliance. ([source](https://openfga.dev/docs/industries/banking)) - [Relationship-Based Grouping](https://awesome-repositories.com/f/system-administration-monitoring/user-group-management/relationship-based-grouping.md) — Groups users into sets based on their relationship to an object to manage access in bulk. ([source](https://openfga.dev/docs/modeling/building-blocks/usersets)) ### Part of an Awesome List - [Security And Privacy](https://awesome-repositories.com/f/awesome-lists/security/security-and-privacy.md) — High-performance authorization engine. - [Security & Privacy](https://awesome-repositories.com/f/awesome-lists/security/security-privacy.md) — Fine-grained authorization engine based on Zanzibar.