Global Roles

[AdamJSoftware]

In my authorization system I have the ability to assign roles to users. This is nice as roles are stored in one default location. Looking at openfga. It seems that its very focused on "user" permissions. And if I want to remodel roles. I would have to create a separate type in the store. I feel like this can lead to some headaches as now we will have to re-enter the roles into the store and make sure they are synchronized with the authorization server. This leads me to the following questions

1. Is this an anti-pattern? Should the authorization server not handle roles?
2. If this is the case, and I create a type role in my store. How can I then use my roles across multiple stores as from reading the documentation it seems that stores cannot share context? If I have a separation of concerns architecture where multiple different features are separated into different stores. It would seem like a headache to try and sync the roles between the different stores. A global/parent store in which all other stores can inherit from would seem like a good idea.

[aaguiarz]

Hi @AdamJSoftware

One approach you can take is using Contextual Tuples and send the roles that way https://openfga.dev/docs/modeling/token-claims-contextual-tuples.

What Authorization service are you using? We plan to provide ways to synchronize data from some AuthZ services to OpenFGA.

In general, we recommend that you have a single store if the users and the domain are the same. This avoids having to do multiple checks to multiple stores for some authorization decisions.