Fine-Grained Authorization (FGA)
Fine-grained authorization decides access at the level of individual resources and relationships, answering questions like whether this specific user can edit this specific document, rather than relying on broad roles alone.
Also: FGA, relationship-based access control, ReBAC
Fine-grained authorization moves access decisions from coarse roles to specific resources and relationships. Instead of granting a whole role broad permissions, it can express rules such as a user being an editor of one document, a viewer of another, and a member of a particular team, then answer permission checks against those facts.
Two common models underpin it. Attribute-based access control (ABAC) decides using attributes of the user, the resource, and the request context. Relationship-based access control (ReBAC), popularized by Google's Zanzibar design, decides by evaluating a graph of relationships between subjects and objects, following edges such as team membership until it either reaches the requesting user or exhausts the graph.
For CIAM and the applications behind it, fine-grained authorization matters as products add sharing, collaboration, and tenant isolation, where a simple admin-or-user split is no longer enough to express who can do what.
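The following is an added example, not code from this page or from any product it describes: a minimal Zanzibar-style relationship graph and a permission check that walks it. The tuple format, the rule that an editor is also a viewer, and the sample users, teams and documents are all constructed assumptions.

```python
# Added example: Zanzibar-style relationship tuples and a graph-walking check.
# Assumed schema (not from the page): "viewer" on a document is satisfied by a
# direct viewer tuple, by an editor tuple (editor implies viewer), or by
# membership in a team that is itself a viewer of the document.
from collections import defaultdict

# Tuples are (object, relation, subject). A subject is either a user id or a
# userset "object#relation" (e.g. "team:security#member"). Constructed sample data.
TUPLES = [
    ("doc:readme", "editor", "user:alice"),
    ("doc:readme", "viewer", "team:security#member"),
    ("team:security", "member", "user:bob"),
    ("doc:plan", "viewer", "user:carol"),
]

# Computed usersets: holding the key relation also grants each listed relation.
IMPLIED = {"editor": {"viewer"}}

def build_index(tuples):
    """Index tuples by (object, relation) so lookups do not rescan the list."""
    idx = defaultdict(set)
    for obj, rel, subj in tuples:
        idx[(obj, rel)].add(subj)
    return idx

def check(user, relation, obj, index=None, _seen=None):
    """Return True if `user` holds `relation` on `obj`, following usersets."""
    index = index if index is not None else build_index(TUPLES)
    _seen = _seen if _seen is not None else set()
    if (user, relation, obj) in _seen:      # guard against cyclic usersets
        return False
    _seen.add((user, relation, obj))
    # Every relation on obj whose holders also receive `relation`.
    relations = {relation} | {r for r, grants in IMPLIED.items() if relation in grants}
    for rel in relations:
        for subj in index.get((obj, rel), ()):
            if subj == user:
                return True
            if "#" in subj:                     # userset: recurse into its members
                sub_obj, sub_rel = subj.split("#", 1)
                if check(user, sub_rel, sub_obj, index, _seen):
                    return True
    return False
```

The check answers "can this user do this to this object" from the stored facts alone, so adding a sharing edge or a team membership changes the answer without touching any role definition.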
Sources
- NIST SP 800-162, Guide to Attribute Based Access Control: https://csrc.nist.gov/pubs/sp/800/162/upd2/final
Standards
- NIST SP 800-162