Authorization

Fine-grained access control using OpenFGA.

Overview

Authorization decisions are handled by OpenFGA, enabling relationship-based access control (ReBAC) across services.

OpenFGA runs internally on the ravenhelm_net Docker network and stores data in PostgreSQL.

Components

  • OpenFGA API: internal HTTP and gRPC endpoints
  • PostgreSQL: openfga database
  • Policy models: defined per service/domain

Typical Flow

Request → Service → OpenFGA → Allow/Deny
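
The service side of this flow, as an added example (not code from this deployment): it sends one question to OpenFGA's Check endpoint and treats anything other than an explicit allow as a deny. The hostname, store ID, model ID and bearer-token authentication are assumptions; the `transport` parameter is a hypothetical hook so the logic can be exercised without a running OpenFGA.

```python
import json
import urllib.request

# Assumed values for illustration; none of these come from this page.
OPENFGA_URL = "http://openfga:8080"   # hypothetical internal hostname on the Docker network
STORE_ID = "STORE_ID_PLACEHOLDER"
MODEL_ID = "MODEL_ID_PLACEHOLDER"     # pin the model version the service was tested against


def http_transport(url, body, token, timeout=2.0):
    """POST JSON to OpenFGA and return the decoded response body."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},  # service account credential
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def build_check(user, relation, obj):
    """Build the Check request body for one (user, relation, object) question."""
    return {
        "authorization_model_id": MODEL_ID,
        "tuple_key": {"user": user, "relation": relation, "object": obj},
    }


def is_allowed(user, relation, obj, token, transport=http_transport):
    """Return True only on an explicit allow; every failure mode is a deny."""
    url = f"{OPENFGA_URL}/stores/{STORE_ID}/check"
    try:
        reply = transport(url, build_check(user, relation, obj), token)
    except Exception:
        return False  # timeout, connection refused, 4xx/5xx, malformed JSON
    # Require the literal boolean True; "true", 1 or a missing key all deny.
    return isinstance(reply, dict) and reply.get("allowed") is True
```

Failing closed means an OpenFGA outage denies requests rather than bypassing authorization, so the timeout should be chosen with that availability trade-off in mind.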

Operational Notes

  • Keep OpenFGA internal-only (no Traefik exposure).
  • Use service accounts for policy evaluation.
  • Version policy models in a repository and apply via migration steps.