Check permissions of multiple stores in one request

[HeneryHawk]

Hi,
Thank you very much for OpenFGA and this great tool.

We operate several multi-tenant SaaS apps and would like to offer OpenFGA as a platform service to all applications for implementing authorization. We thought that each application should have its own store where the permissions for that application are managed in order to logically separate the application data. There should also be a platform store where basic permissions are maintained, including the assignment of a super admin permission.
At runtime, we would then like to check whether a user has a permission or is a super admin.
Is this possible, since these two pieces of information are stored in different stores (application store & platform store)?

We have implemented our own SDK that abstracts OpenFGA and actually always performs bulk checks. A bulk check because the actual application permission is checked and the super admin permission, and if one of the two checks is successful, access is granted.

The fallback would be to move all permissions to the same store and not separate the applications.

                +-----------------+
                |  Platform Store |                          <- Holds the super admin permission
                +--------+--------+
                         |
            +------------+------------+
            |                         |
    +-------v-------+         +-------v-------+
    |  App A Store  |         |  App B Store  |              <- Holds the application permissions
    +---------------+         +---------------+

Thanks for the support

[dyeam0]

Hello @HeneryHawk, conceptually the authorization model in OpenFGA is store-centric. Therefore, a single check request cannot be spanned across multiple stores. This is inherent to the current design.

Although, what you can do, is design a model that has separate applications defined across "modules". Take a look at the Modular Models feature. From what you described as your requirements, Modular Models should be able to meet your use case.

[HeneryHawk]

Hi @dyeam0,
thanks for your reply.
My idea was that every product has its own store to separate the authorization data of the products. I also looked into modular models and this would also solve the issue. But I would prefer separate stores. This way a product can update their schema without interfering there products schema / authorization data. This feels a little bit clearer to me.

Regards

[dyeam0]

Hi @HeneryHawk, totally understand that. We have heard from others who have also wanted to use separate stores per product to partition authorization data.

For your requirement that each product can update its schema without interfering with others, that is still possible when using Modular Models in a single store. This is one of the reasons Modular Models was built, to support multiple applications or domains in a single store while keeping their definitions well isolated. Each product can live in its own module, and you can use source control “code owners” features (for example, GitHub Code Owners or GitLab Code Owners) to define which team owns and reviews changes to each module. This lets you keep clear ownership and review boundaries even though the data lives in one store.

The idea of checks that span across multiple stores has come up before. For transparency, this would require significant design work, so it is not something that is on the current roadmap.