{"id":31007740,"url":"https://github.com/permitio/fga-tradeoffs","last_synced_at":"2026-02-13T00:49:10.768Z","repository":{"id":251114188,"uuid":"836428972","full_name":"permitio/fga-tradeoffs","owner":"permitio","description":"A demonstration of fine-grained authorization modeling in 3 different ways ","archived":false,"fork":false,"pushed_at":"2025-01-09T11:08:56.000Z","size":42,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-09-05T22:02:27.250Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/permitio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-31T20:38:23.000Z","updated_at":"2025-01-09T11:08:11.000Z","dependencies_parsed_at":"2025-01-10T08:01:44.506Z","dependency_job_id":null,"html_url":"https://github.com/permitio/fga-tradeoffs","commit_stats":null,"previous_names":["permitio/fga-tradeoffs"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/permitio/fga-tradeoffs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/permitio%2Ffga-tradeoffs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/permitio%2Ffga-tradeoffs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/permitio%2Ffga-tradeoffs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/permitio%2Ffga-tradeoffs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/owners/permitio","download_url":"https://codeload.github.com/permitio/fga-tradeoffs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/permitio%2Ffga-tradeoffs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274915617,"owners_count":25373194,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-13T02:00:10.085Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-13T03:48:27.408Z","updated_at":"2026-02-13T00:49:10.726Z","avatar_url":"https://github.com/permitio.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fine Grained Authorization Trade-offs\n\nThis repository contains three possible trade-offs when considering fine-grained authorization that contains both conditions and relationships.\n\nThe three possible trade-offs that are demonstrated are:\n\n- Coupling policy and enforcement\n- Complex Access Control Rules\n- Data manipulation\n\nFor more information on each and to learn more, refer to the following [blog post](https://www.permit.io/blog/possible-tradoffs-of-fine-grained-authorization)\n\n## Project Structure\n\n#### Data\nThe data that we are using to demonstrate the trade-offs are a set of visits with relationships with diagnoses and practitioners.\nAn allowed visit is a visit that is not 
concealed, its related diagnoses are not concealed, and its practitioner is advertised.\n\nAll the mock data is stored in the `data/data.json` file.\n```js\n// Visit\n{\n    \"appointment_id\": \"123\",\n    \"practitioner_id\": \"123456\",\n    \"diagnosis\": [\"y4500\"],\n    \"concealed\": false\n}\n\n// Diagnosis\n{\n    \"id\": \"y4500\",\n    \"concealment\": false\n}\n\n// Practitioner\n{\n    \"practitioner_id\": \"123456\",\n    \"is_advertised\": true\n}\n```\n\n#### Tests\nThe project's main test file is the `index.js` file, which contains four types of policy checks that require both conditions and relationships to be checked.\n\nAll the tests filter the visits array and should return the following result:\n```javascript\n[true, false, false, false, true, true]\n```\n\nThe tests are:\n1. Simple policy configuration with the trade-off of using complex enforcement code\n2. Graph-based policy configuration with the trade-off of data manipulation and extra conditional edges and special nodes\n3. Policy configuration with the trade-off of complex access control rules in the Rego language\n\n##### Bonus test:\n\u003e Demonstration of a simple solution by Permit.io that solves the problem with a simple policy configuration and enforcement code\n\nEach test starts by cleaning the data and some policies from the Permit.io environment. Then, it applies the relevant policy data and runs the test.\n\n#### Policy Configuration\nBesides the tests and the data, the project contains a `main.tf` file that applies the policy configuration to the Permit.io environment.\n\n#### Policies\nThe `policy` folder contains policy configuration in the Rego language used in the third test.\n\n### `lib` folder\nThe `lib` folder contains all the code used to sync data to Permit.io and perform the policy checks.\n\n## Running the code\n\nThe code is written in JavaScript and uses Permit.io as the authorization service. Running the project requires the following steps:\n\n\u003e Prerequisites: Node.js, npm, terraform, and docker installed\n\n1. Clone the repository\n2. Run `npm install` to install the dependencies\n3. Get your Permit.io API key from [here](https://app.permit.io/). (open a free account if you don't have one)\n4. Copy the `.env.template` file to an `.env` file and set your Permit.io API key as both `PERMIT_API_KEY` and `TF_VAR_PERMIT_API_KEY` (the `TF_VAR_` prefix is how Terraform reads it as an input variable). Keep `.env` out of version control: this key is what `terraform apply` uses to modify your Permit.io environment.\n5. Apply the policy configuration to a clean environment in your Permit.io account by running:\n   ```bash\n   terraform init\n   terraform plan\n   terraform apply\n   ```\n   After this step, your Permit policy editor should look like the following:\n   ![image](https://github.com/user-attachments/assets/b9387368-0fb1-4ffa-9722-2b947ea5c1b8)\n\n6. Run the Permit.io PDP docker container (the command expands `$PERMIT_API_KEY` from your shell, so export it or load `.env` into the shell first):\n   ```bash\n   docker run -p 7766:7000 -p 8181:8181 --rm --env PDP_API_KEY=$PERMIT_API_KEY --env PDP_DEBUG=true permitio/pdp-v2:latest\n   ```\n7. Run the tests with the `node index` command.\n\nThe expected output is:\n```\nFlat filter result:  [true,false,false,false,true,true]\nGraph filter result:  [true,false,false,false,true,true]\nCustom rego check result:  [true,false,false,false,true,true]\nSingle check result:  [true,false,false,false,true,true]\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpermitio%2Ffga-tradeoffs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpermitio%2Ffga-tradeoffs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpermitio%2Ffga-tradeoffs/lists"}
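The README above states the allow rule (visit not concealed, none of its diagnoses concealed, practitioner advertised) and the expected `[true,false,false,false,true,true]` result, but only shows one record of each type. The following is an added example, not code from the `permitio/fga-tradeoffs` repository and not its `index.js` or `lib` code: a stand-alone, offline version of the first trade-off ("simple policy, complex enforcement code"), where the enforcement code has to join the three record types itself. The six visits, two practitioners and three diagnoses are constructed here to exercise each deny reason and are not the contents of `data/data.json`; the function names `buildIndex`, `isVisitAllowed` and `flatFilter` are this example's own. Unknown diagnosis or practitioner ids are treated as deny, which is the fail-closed default you want when relationship data may be stale or only partially synced.

```javascript
// Added example (not the repository's own code). Constructed sample data:
// the record shapes match the README, the values do not come from data.json.
const diagnoses = [
  { id: "y4500", concealment: false },
  { id: "y4501", concealment: true },
  { id: "y4502", concealment: false },
];

const practitioners = [
  { practitioner_id: "123456", is_advertised: true },
  { practitioner_id: "654321", is_advertised: false },
];

// Six visits chosen so the filter yields [true, false, false, false, true, true].
const visits = [
  { appointment_id: "1", practitioner_id: "123456", diagnosis: ["y4500"], concealed: false },          // allowed
  { appointment_id: "2", practitioner_id: "123456", diagnosis: ["y4500"], concealed: true },           // visit itself concealed
  { appointment_id: "3", practitioner_id: "123456", diagnosis: ["y4500", "y4501"], concealed: false }, // one diagnosis concealed
  { appointment_id: "4", practitioner_id: "654321", diagnosis: ["y4500"], concealed: false },          // practitioner not advertised
  { appointment_id: "5", practitioner_id: "123456", diagnosis: ["y4500", "y4502"], concealed: false }, // allowed
  { appointment_id: "6", practitioner_id: "123456", diagnosis: [], concealed: false },                 // no diagnoses: vacuously allowed
];

// Index related records by id once, so the filter is a linear pass over the
// visits instead of a nested scan per visit (hypothetical helper name).
function buildIndex(rows, key) {
  return new Map(rows.map((row) => [row[key], row]));
}

// The whole policy lives in enforcement code: every condition must hold.
// A diagnosis or practitioner id that is missing from the index is a deny,
// so partially synced relationship data can never widen access.
function isVisitAllowed(visit, diagnosisIndex, practitionerIndex) {
  if (visit.concealed) return false;

  for (const id of visit.diagnosis) {
    const d = diagnosisIndex.get(id);
    if (!d || d.concealment) return false;
  }

  const p = practitionerIndex.get(visit.practitioner_id);
  return Boolean(p && p.is_advertised);
}

// Same shape as the README's tests: one boolean per visit, in input order.
function flatFilter(visitRows, diagnosisRows, practitionerRows) {
  const diagnosisIndex = buildIndex(diagnosisRows, "id");
  const practitionerIndex = buildIndex(practitionerRows, "practitioner_id");
  return visitRows.map((v) => isVisitAllowed(v, diagnosisIndex, practitionerIndex));
}

console.log("Flat filter result: ", JSON.stringify(flatFilter(visits, diagnoses, practitioners)));
```

Visit 6 shows the one policy decision the README's wording leaves open: a visit with no diagnoses has no concealed diagnosis, so it is allowed here; if your data model treats a missing relationship as suspicious, that is the branch to change, and the graph-based and Rego variants in the repository have to encode the same choice as an extra edge or rule rather than an `if`.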