Relationship-Based Access Control in Frontegg

The ReBAC (Relationship-Based Access Control) feature in Frontegg is a flexible authorization system that allows you to define and manage access control based on the relationships between entities — such as users, files, and folders — and the actions that can be performed based on those relationships.

What is ReBAC in Frontegg?

ReBAC in Frontegg enables fine-grained authorization decisions by modeling entities, their relationships, and the actions they can perform. This model reflects real-world associations more naturally, especially in complex systems where permissions depend on who the user is related to, what resource they want to access, and how they’re connected.

Frontegg’s ReBAC lets you go beyond static roles by defining access permissions based on the relationship between a user and a specific resource.

Use cases

Ownership and role-based permissions grant elevated privileges (like edit or delete) to users with designated roles (e.g., owner, admin) over specific resources they control.

How to use

Define your access model

To begin, navigate to [ENVIRONMENT] → Configurations → Entitlements → ReBAC in the Frontegg Portal.

For example, let’s say your app has documents, and users can be editors or viewers of specific documents. In this case, you'll need to create the user and document entity types, define the relations (viewer, editor), and map actions (read, write) to those relations.

• An entity type: document
• Relations: viewer, editor
• Actions: read, write mapped to those relations

Follow the steps below to configure your model.

Create the user entity

1. Go to the Entity tab.
2. Click Create Entity.
3. Set the Key to user and optionally add a description.
4. Click Create.

This entity type will be used as the subject in your relationships.

To edit an entity later, click the three dots next to the entity and select Edit Entity to update attributes or change the configuration.

Create the document entity

1. Go to the Entity tab.
2. Click Create Entity.
3. Set the Key to document and optionally add a description.
4. Click Create.

Create a relation

1. Go to the Entity tab.
2. Click the three dots in the same row as the entity you want to edit, and select Edit entity.
3. Go to the Relations tab.
4. Click Create Relation.
5. Enter the Relation Key (e.g., viewer, editor).
6. Select user as the Subject Entity from the dropdown.
7. Click Create.

You can delete or edit relations later from the same tab.

Create an action

1. Go to the Entity tab.
2. Click the three dots in the same row as the document entity, and select Edit entity.
3. Go to the Actions tab.
4. Click Create Action.
5. Enter the Action Key (e.g., read, write).
6. Select the Relations that grant this action from the dropdown.
7. Click Create.

You can edit or delete actions later if needed.

Assign relationships between entities

Now that your model is defined, you assign direct relations between your entities using API calls. To do this:

1. Go to the Associations tab.
2. Click Create Association.
3. Select the Target Entity (e.g., document).
4. Enter the Target ID (e.g., doc_456).
5. Select the Relation (e.g., editor).
6. Select the Subject Entity (e.g., user).
7. Enter the Subject ID (e.g., user_123).
8. Click Create to establish the relationship.

Alternatively, you can assign relationships by calling the POST /resources/relations/v1/assign endpoint with the following payload:

{
  "assignments": [
    {
      "subjectEntityTypeKey": "user",             // The type of the subject (e.g., user, group)
      "subjectKey": "anthony@email-of.his",       // The unique identifier of the subject
      "relationKey": "reader",                    // The name of the relation to assign
      "targetEntityTypeKey": "document",          // The type of the target resource
      "targetKey": "document-1.doc"               // The unique identifier of the target
    }
  ]
}

This API call creates a direct relationship between the specified subject and target. If the relation already exists, it will not be duplicated.

To remove a relation, use the POST /resources/relations/v1/unassign endpoint with the same payload structure.

Enforce access in your app

After setting up your entities, relations, actions, and assigning the appropriate relationships, the next step is to enforce access control inside your application. This is typically done during request handling or in middleware layers by checking whether a user is allowed to perform a given action on a resource.

Using the SDK

You use the @frontegg/e10s-client SDK to send an authorization check to the Entitlements Agent, which makes the final decision based on the ReBAC configuration. To use the SDK, you must have the Entitlements Agent properly set up and running in your environment.

First, install the SDK:

npm install @frontegg/e10s-client

Next, initialize the client:

import { EntitlementsClientFactory, RequestContextType } from '@frontegg/e10s-client';

const e10sClient = EntitlementsClientFactory.create({
  pdpHost: 'http://localhost:8181' // URL to your deployed Entitlements Agent
});

Then, at the point in your application where access needs to be checked:

const entitlementsCheck = await e10sClient.isEntitledTo(
	{ entityType: 'user', key: 'user_123' },
	{
		type: RequestContextType.Entity,
		entityType: 'document',
		key: 'doc_456',
		action: 'read',
	},
);

And handle the result:

if (!entitlementsCheck.result) {
  return res.status(403).json({
    message: 'Access denied',
    reason: result.justification
  });
}

Using the API

If you're not using the SDK, you can make a direct HTTP call to the Entitlements Agent's check API by sending a POST request to:

http://localhost:8181/v1/data/e10s/fga/is_entitled_to_target

With the following payload:

{
    "input":{
        "subjectContext":{
            "entityType": "alien",
	        "key": "user-1"
        },
        "requestContext":{
            "entityType": "file",
	        "key": "file-1",
            "action":"read" 
        }
    }
}