## Relationship-Based Access Control in Frontegg The ReBAC (Relationship-Based Access Control) feature in Frontegg is a flexible authorization system that allows you to define and manage access control based on the relationships between entities — such as users, files, and folders — and the actions that can be performed based on those relationships. ### What is ReBAC in Frontegg? ReBAC in Frontegg enables fine-grained authorization decisions by modeling entities, their relationships, and the actions they can perform. This model reflects real-world associations more naturally, especially in complex systems where permissions depend on who the user is related to, what resource they want to access, and how they’re connected. Frontegg’s ReBAC lets you go beyond static roles by defining access permissions based on the relationship between a user and a specific resource. #### Use cases Ownership and role-based permissions grant elevated privileges (like `edit` or `delete`) to users with designated roles (e.g., `owner`, `admin`) over specific resources they control. ### How to use #### Define your access model To begin, navigate to [ENVIRONMENT] → Configurations → Entitlements → ReBAC in the Frontegg Portal. For example, let’s say your app has documents, and users can be `editors` or `viewers` of specific documents. In this case, you'll need to create the `user` and `document` entity types, define the relations (`viewer`, `editor`), and map actions (`read`, `write`) to those relations. * **An entity type**: `document` * **Relations**: `viewer`, `editor` * **Actions**: `read`, `write` mapped to those relations Follow the steps below to configure your model. ##### Create the user entity 1. Go to the **Entity** tab. 2. Click **Create Entity**. 3. Set the **Key** to `user` and optionally add a description. 4. Click **Create**. This entity type will be used as the subject in your relationships. To edit an entity later, click the three dots next to the entity and select **Edit Entity** to update attributes or change the configuration. ##### Create the document entity 1. Go to the **Entity** tab. 2. Click **Create Entity**. 3. Set the **Key** to `document` and optionally add a description. 4. Click **Create**. ##### Create a relation 1. Go to the **Entity** tab. 2. Click the three dots in the same row as the entity you want to edit, and select **Edit entity**. 3. Go to the **Relations** tab. 4. Click **Create Relation**. 5. Enter the **Relation Key** (e.g., `viewer`, `editor`). 6. Select `user` as the **Subject Entity** from the dropdown. 7. Click **Create**. You can delete or edit relations later from the same tab. ##### Create an action 1. Go to the **Entity** tab. 2. Click the three dots in the same row as the `document` entity, and select **Edit entity**. 3. Go to the **Actions** tab. 4. Click **Create Action**. 5. Enter the **Action Key** (e.g., `read`, `write`). 6. Select the **Relations** that grant this action from the dropdown. 7. Click **Create**. You can edit or delete actions later if needed. #### Assign relationships between entities Now that your model is defined, you assign direct relations between your entities using API calls. To do this: 1. Go to the **Associations** tab. 2. Click **Create Association**. 3. Select the **Target Entity** (e.g., `document`). 4. Enter the **Target ID** (e.g., `doc_456`). 5. Select the **Relation** (e.g., `editor`). 6. Select the **Subject Entity** (e.g., `user`). 7. Enter the **Subject ID** (e.g., `user_123`). 8. Click **Create** to establish the relationship. Alternatively, you can assign relationships by calling the `POST /resources/relations/v1/assign` endpoint with the following payload: br ```json { "assignments": [ { "subjectEntityTypeKey": "user", // The type of the subject (e.g., user, group) "subjectKey": "anthony@email-of.his", // The unique identifier of the subject "relationKey": "reader", // The name of the relation to assign "targetEntityTypeKey": "document", // The type of the target resource "targetKey": "document-1.doc" // The unique identifier of the target } ] } ``` br This API call creates a direct relationship between the specified subject and target. If the relation already exists, it will not be duplicated. To remove a relation, use the `POST /resources/relations/v1/unassign` endpoint with the same payload structure. #### Enforce access in your app After setting up your entities, relations, actions, and assigning the appropriate relationships, the next step is to enforce access control inside your application. This is typically done during request handling or in middleware layers by checking whether a user is allowed to perform a given action on a resource. ##### Using the SDK You use the `@frontegg/e10s-client` SDK to send an authorization check to the **Entitlements Agent**, which makes the final decision based on the ReBAC configuration. To use the SDK, you must have the Entitlements Agent properly set up and running in your environment. First, install the SDK: br ```bash npm install @frontegg/e10s-client ``` br Next, initialize the client: br ```typescript import { EntitlementsClientFactory, RequestContextType } from '@frontegg/e10s-client'; const e10sClient = EntitlementsClientFactory.create({ pdpHost: 'http://localhost:8181' // URL to your deployed Entitlements Agent }); ``` br Then, at the point in your application where access needs to be checked: br ```ts const entitlementsCheck = await e10sClient.isEntitledTo( { entityType: 'user', key: 'user_123' }, { type: RequestContextType.Entity, entityType: 'document', key: 'doc_456', action: 'read', }, ); ``` br And handle the result: br ```ts if (!entitlementsCheck.result) { return res.status(403).json({ message: 'Access denied', reason: result.justification }); } ``` ##### Using the API If you're not using the SDK, you can make a direct HTTP call to the Entitlements Agent's check API by sending a POST request to: ```bash http://[your-server]/v1/data/e10s/fga/is_entitled_to_target ``` br With the following payload: br ```json { "input":{ "subjectContext":{ "entityType": "alien", "key": "user-1" }, "requestContext":{ "entityType": "file", "key": "file-1", "action":"read" } } } ```