Permission System
OpenFGA-based permission system for fine-grained authorization.
Authorization Model
TODO: Document OpenFGA authorization model:
- Object types (user, organization, application, resource)
- Relations (owner, admin, member, viewer, can_read, can_write)
- Permission inheritance
Permission Declaration
Applications declare permissions in their manifest:
- `requiredPermissions` - Permissions the app needs
- `exposedPermissions` - Permissions the app provides
TODO: Add manifest example
Permission Checks
TODO: Document how to check permissions:
- In Node.js SDK
- In Frontend SDK
- In GraphQL resolvers
- Via OpenFGA API
Permission Scopes
TODO: Document permission scopes:
- Platform-level
- Organization-level
- Application-level
- Resource-level
Dangerous Permissions
TODO: Document dangerous permissions that require explicit consent:
- System configuration
- User data access
- Payment processing
- External API access
Tuple Management
TODO: Document OpenFGA tuple management:
- Creating tuples
- Updating tuples
- Deleting tuples
- Querying tuples
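The following is an added example, not code from this project or from OpenFGA: an in-memory approximation of how OpenFGA resolves a permission check against an authorization model, exercising the object types and relations listed under Authorization Model, the four tuple operations of this section and the permission-inheritance path between them. The concrete relation definitions (which relations are directly assignable, which are computed from others, and that an application inherits from its organization) are assumptions. The evaluator supports direct tuples, computed relations (`admin: [user] or owner`) and tuple-to-userset relations (`admin from organization`); usersets used as the user side of a tuple (e.g. `organization:acme#member`) are not modelled.

```javascript
// Added example (not the project's or OpenFGA's code). The model below is an
// assumption; its OpenFGA DSL equivalent is:
//   type user
//   type organization
//     relations
//       define owner: [user]
//       define admin: [user] or owner
//       define member: [user] or admin
//   type application
//     relations
//       define organization: [organization]
//       define owner: [user]
//       define admin: [user] or owner or admin from organization
//       define viewer: [user] or admin or member from organization
//       define can_write: admin
//       define can_read: viewer
const model = {
  organization: {
    owner: [{ direct: 'user' }],
    admin: [{ direct: 'user' }, { computed: 'owner' }],
    member: [{ direct: 'user' }, { computed: 'admin' }],
  },
  application: {
    organization: [{ direct: 'organization' }],
    owner: [{ direct: 'user' }],
    admin: [{ direct: 'user' }, { computed: 'owner' }, { from: 'organization', computed: 'admin' }],
    viewer: [{ direct: 'user' }, { computed: 'admin' }, { from: 'organization', computed: 'member' }],
    can_write: [{ computed: 'admin' }],
    can_read: [{ computed: 'viewer' }],
  },
};

const typeOf = (id) => id.split(':')[0];
function rewritesFor(object, relation) {
  const rw = model[typeOf(object)]?.[relation];
  if (!rw) throw new Error(`unknown relation ${typeOf(object)}#${relation}`);
  return rw;
}

function createStore() { return { tuples: [] }; }

// Create: refuse tuples the model does not allow to be assigned directly,
// e.g. user:x#can_write@application:y (can_write has no direct type).
function writeTuple(store, user, relation, object) {
  if (!rewritesFor(object, relation).some((r) => r.direct === typeOf(user))) {
    throw new Error(`${typeOf(user)} cannot be assigned ${typeOf(object)}#${relation} directly`);
  }
  if (readTuples(store, { user, relation, object }).length === 0) store.tuples.push({ user, relation, object });
  return store;
}

// Delete: idempotent removal of one exact tuple.
function deleteTuple(store, user, relation, object) {
  store.tuples = store.tuples.filter((t) => !(t.user === user && t.relation === relation && t.object === object));
  return store;
}

// Query: every filter field is optional; {} returns everything.
function readTuples(store, filter = {}) {
  return store.tuples.filter((t) => Object.entries(filter).every(([k, v]) => t[k] === v));
}

// Check: does `user` have `relation` on `object` under the model and store?
function check(store, user, relation, object, path = new Set()) {
  const key = `${user}#${relation}@${object}`;
  if (path.has(key)) return false; // cycle guard for self-referential models
  path.add(key);
  try {
    return rewritesFor(object, relation).some((r) => {
      if (r.direct) return readTuples(store, { user, relation, object }).length > 0;
      if (r.from) {
        // tuple-to-userset: walk object#from to each parent object and evaluate
        // the computed relation there; this is how permissions are inherited.
        return readTuples(store, { relation: r.from, object })
          .some((t) => check(store, user, r.computed, t.user, path));
      }
      return check(store, user, r.computed, object, path); // computed userset
    });
  } finally {
    path.delete(key);
  }
}

// Constructed sample data: alice owns the org, bob is a plain member, carol is
// a viewer granted directly on one application that belongs to that org.
function demo() {
  const store = createStore();
  writeTuple(store, 'user:alice', 'owner', 'organization:acme');
  writeTuple(store, 'user:bob', 'member', 'organization:acme');
  writeTuple(store, 'organization:acme', 'organization', 'application:billing');
  writeTuple(store, 'user:carol', 'viewer', 'application:billing');
  const can = (u, r) => check(store, u, r, 'application:billing');
  const before = { aliceWrite: can('user:alice', 'can_write'), bobRead: can('user:bob', 'can_read'),
    bobWrite: can('user:bob', 'can_write'), carolRead: can('user:carol', 'can_read') };
  deleteTuple(store, 'user:bob', 'member', 'organization:acme'); // revoke org membership
  return { ...before, bobReadAfter: can('user:bob', 'can_read'),
    billingTuples: readTuples(store, { object: 'application:billing' }).length };
}
```

Running `demo()` shows inheritance at work: alice can write `application:billing` without any tuple on the application itself, because she owns the organization the application belongs to; bob can read it only while his organization membership tuple exists, and loses access the moment that tuple is deleted. Validating writes against the model (as `writeTuple` does) is the check a real deployment should make before any tuple reaches the store, so that a permission like `can_write` cannot be granted by a stray direct tuple.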
Best Practices
TODO: Document best practices:
- Follow principle of least privilege
- Use role-based permissions
- Audit permission changes
- Document all permissions
- Test permission checks