Is it possible to check a permission as at a given time?

[velmohan]

I am trying to use OpenFGA in a application where auditing is a secondary requirement. For example, we might have to answer questions like, did user:A have access to document:X at 12pm on 1/5/2023? If so, how did he get the access?

[rhamzeh]

Hey @velmohan - it's not something supported by the engine at run-time. As in you will not be able to ask the running server that and get the answer you expect.

Whether we do introduce it in the future is an open question - we certainly have all the data needed to do so.

But what you are asking is still possible, if you are willing to do some work.

Before I get into that I will briefly explain the different components of OpenFGA:

• (A) Authorization Model
• (B) Relationship Tuples

For (A), you are able to query at runtime whether someone has access based on any model in your store. Each model is immutable, so it cannot be modified once created.
The intention behind immutable models isn't specifically for checking access at a previous point in time, but rather to enable functionality such as:

• Testing upcoming model deployments: You can run queries on a new model and compare the results with your current production model to ensure you did not introduce any problems
• Gradual model roll-outs: Because each check can target a model, we recommend distributing the model id to target in your configuration engine. If your configuration engine supports it, you would be able to gradually roll-out your model to a certain percentage of users and monitor for any issues before expanding the roll-out.
• It allows you to do "secondary shallow checks", which means as you are preparing to roll out a new model, you can check in production against the current and upcoming models and alert if there are any discrepancies in the authorization decisions.

For (B), the tuples are not immutable, so as you delete tuples, they will be deleted from the store. We also store a historical append-only changelog table of all the tuple modifications. At runtime you can only evaluate access (Check) based on the relationship tuples and not on the changelog.

What does all this mean to you?

If you wish to check for access at a certain point in time, you need to:

• Create a new store
• Write your chosen authorization model
• Read the changelog (GET /changes endpoint) from the first store and replay it into the second store up to the desired time period.
• Call Check to see if a user has had access at that point int time and recursively call Expand if you want to understand why

[velmohan]

Thanks for the detailed response @rhamzeh. That makes perfect sense. I did think of using the "changes" endpoint but I was not sure how to get back to the older authz model. Many thanks again.