"Zanzibar-Style Authorization with OpenFGA: Modeling, Evaluation, and Scale"
Modern products rarely fail authorization because the rules are unclear; they fail because the rules don't scale, don't evolve safely, or can't be explained when incidents hit. This book targets experienced engineers and architects who need to move beyond RBAC/ACL shortcuts and build relationship-based authorization that stays correct under real-world complexity. If you're designing multi-tenant platforms, hierarchical resources, or delegation-heavy collaboration systems, this is a practical, production-minded guide to doing it with OpenFGA.
You'll learn the Zanzibar mental model-authorization as a typed relationship graph plus userset rewrites-and then translate it into OpenFGA's concrete primitives: stores, tuples, models, and evaluation APIs. The book develops advanced modeling skills (types, relations, unions/intersections/differences, and tuple-to-userset indirection), then drills into evaluation semantics: how Check actually decides, how Expand supports explainability, and how contextual tuples enable request-scoped policy inputs. It also tackles search-with-permissions and ListObjects at scale, focusing on latency, correctness, and fanout control.
Throughout, the emphasis is on safe evolution and operations: schema 1.1 type restrictions, immutable model rollouts with model ID pinning, migration playbooks, datastore tradeoffs, and guardrails for change management and incident response. Readers should already be comfortable with distributed systems and API-driven architecture; the reward is