Who Needs Roles Anymore? Introducing OpenFGA, the Future of SaaS

Kiah Imani


Ever felt like you’re performing a circus act when dealing with user permissions in your SaaS app? Don’t worry, you’re not alone. Traditional Role-Based Access Control (RBAC) might have been fine when your biggest concern was “Admin vs. Viewer,” but most applications are a lot more complex than that. Think Slack, Notion, or GitHub, where access isn’t just about having a certain title, but about belonging to specific teams, organizations, or projects (sometimes all at once).
That’s where OpenFGA takes the stage with a pretty dope concept called Relationship-Based Access Control (ReBAC). Say goodbye to a million static roles and hello to a system that actually understands how humans (and their projects) really work.

Why RBAC Feels Like Ancient History

Let’s be for real: RBAC basically lumps permissions into neat little buckets (Admin, Editor, Viewer). Which sounds great until you realize you need 14 variations of “Editor” just to handle all the unique scenarios in your multi-tenant SaaS app. Orgs have complicated hierarchies. Projects sometimes have external contributors who need limited access. And that’s just Monday.
Pretty soon, you’re drowning in roles: JuniorEditor, SeniorEditor, Project123Editor, TemporaryExternalEditorButOnlySometimes. Every time someone changes teams or gets hired as a contractor, you’re stuck juggling roles again. Yikes!

Meet ReBAC: Because It’s All About Relationships

Rather than forcing people into a static label, Relationship-Based Access Control says, “Hey, let’s base access on who’s related to what.” Is Bob the owner of Project Alpha? Great, give him full rein. Is Alice a viewer of that project’s design doc? Sure, let her see it but not edit it. Once Bob leaves the project, you just remove that single relationship; no need to break out the chainsaw on your entire role structure.

Key Idea: Relationships > Roles

- Owner of a project
- Member of an organization
- Viewer of a specific document
- Collaborator on a task

In ReBAC, these relationships are front and center. It’s like creating a spiderweb of connections: when one strand changes, you just tweak that strand.

OpenFGA: Putting Fine-Grained Authorization to Work

OpenFGA is an open-source tool that brings ReBAC to life. It’s built to handle scale, performance, and an ever-growing list of complicated relationships without making you tear your hair out.
Example Time: A Multi-Tenant Collaboration Platform

Organizations & Teams

user:alice -> member -> organization:acme
team:design -> belongs_to -> organization:acme
user:bob -> member -> team:design

Translation: Alice is in Acme Org, Bob’s in the Design Team. Instant clarity. No “AcmeDesignTeamAdminJunior” roles needed.

Projects

user:alice -> owner -> project:website-redesign
team:design -> owner -> project:logo-revamp
user:bob -> collaborator -> project:website-redesign

Now, if Alice wants Bob’s help on the website redesign, she just sets him up as a collaborator. Easy, right?

Documents

user:alice -> viewer -> document:wireframes
user:bob -> editor -> document:wireframes

If Bob moves to a different project, just remove that relationship. No fuss, no re-labeling.

Why ReBAC (and OpenFGA) Win in the Real World

- Granular control minus the headaches
Each resource is guarded by relationships. Want to keep tight control? Just specify the exact relationship needed.

- Dynamic updates
If Bob leaves Team Design, you just remove “member -> team:design.” Instantly, Bob’s out. No rummaging through role definitions.

- Cleaner maintenance
Fewer roles mean fewer migraines. Your business logic evolves, and your relationships update accordingly. No dusty policy docs to maintain.

- Better Security
By focusing on specific relationships, you’re less likely to give out blanket permissions. Fine-grained is safer.
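Here is an added example (my own code, not from the post or the OpenFGA project) that turns the tuples from the collaboration-platform example and the “Bob leaves Team Design” point above into something you can run: a tiny in-memory resolver that walks the relationships the way an OpenFGA check would, so you can watch Bob inherit edit rights on logo-revamp through the design team and lose them the instant that one membership tuple is removed. The model dict, the `can_edit`/`can_view` relations and the `team:design#member` userset spelling are assumptions made for this example; a real deployment asks OpenFGA’s Check API instead.

```python
# Hypothetical authorization model for the article's example, in the shape an
# OpenFGA DSL file would express. A relation maps to None when tuples assign it
# directly, or to the relations whose union defines it (e.g. can_edit is
# "owner or collaborator"; owner accepts both a user and a team#member userset).
MODEL = {
    "organization": {"member": None},
    "team": {"member": None, "belongs_to": None},
    "project": {"owner": None, "collaborator": None,
                "can_edit": ("owner", "collaborator")},
    "document": {"viewer": None, "editor": None,
                 "can_view": ("viewer", "editor")},
}

# The post's tuples, constructed here as (object, relation, subject). A subject is
# a single user or a userset such as "team:design#member" (every design member).
TUPLES = [
    ("organization:acme", "member", "user:alice"),
    ("team:design", "belongs_to", "organization:acme"),
    ("team:design", "member", "user:bob"),
    ("project:website-redesign", "owner", "user:alice"),
    ("project:logo-revamp", "owner", "team:design#member"),
    ("project:website-redesign", "collaborator", "user:bob"),
    ("document:wireframes", "viewer", "user:alice"),
    ("document:wireframes", "editor", "user:bob"),
]

def check(tuples, user, relation, obj, _seen=frozenset()):
    """Does `user` hold `relation` on `obj`? Follows unions and usersets."""
    if (obj, relation) in _seen:  # guard against cyclic userset references
        return False
    _seen = _seen | {(obj, relation)}
    union = MODEL[obj.split(":")[0]].get(relation)
    if union:  # computed relation: satisfied by any relation in the union
        return any(check(tuples, user, r, obj, _seen) for r in union)
    for o, r, subject in tuples:
        if o != obj or r != relation:
            continue
        if subject == user:  # direct assignment
            return True
        if "#" in subject:  # userset: expand it on the referenced object
            sub_obj, sub_rel = subject.split("#", 1)
            if check(tuples, user, sub_rel, sub_obj, _seen):
                return True
    return False

def revoke(tuples, removed):
    """Dropping one tuple is the whole 'Bob leaves the team' operation."""
    return [t for t in tuples if t != removed]
```

Note that Bob never appears on a project:logo-revamp tuple at all; his access exists only through the single team membership, which is why deleting that one row is enough to cut him off.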

Bringing It All Together

If you’ve ever banged your head against a desk over RBAC, you know it can turn messy fast. Especially in multi-tenant apps, where “Admin” can mean 20 different things. By switching to a relationship-based approach with OpenFGA, you align your access model to how real humans actually operate. That means no more monstrous role spreadsheets, no more “this is how it’s always been,” and definitely more time to build your product.

Parting Thoughts

It’s 2025, y’all: time to retire that ancient, one-size-fits-all approach. OpenFGA gives you the flexibility to handle complex user relationships with elegance. Whether you’re cooking up the next Slack, managing external contractors, or just tired of editing roles for your friends named Bob, ReBAC can save you from permissions purgatory.

And if you want to learn more about exactly how to make this happen, come check out my talk on OpenFGA at NDC Security in Oslo on Thursday, 23 Jan. I’ll be talking about how to model ReBAC for real-world projects. Your future self (and your users) will send you a virtual fist bump.