Case study

RBAC to Fine-Grained Authorization

Replaced a flat JWT-based role model with Fine-Grained Authorization (FGA) to support workspace-scoped permissions, coordinating adoption across the cloud portal and product teams.

  • OpenFGA
  • TypeScript
  • Node.js
  • Auth0
  • React
  • REST APIs
  • JWT

Context

The existing authorization model embedded a user's role directly in the JWT. This worked for single-workspace accounts, but broke down as larger customers needed distinct permission sets across multiple independent workspaces.

Because role claims lived in the token, the system had no way to express workspace-level grants without issuing separate tokens per workspace—which was untenable at scale.

The migration had to be adopted by both the cloud portal and the product, requiring cross-team coordination so that enforcement was consistent at every layer: API, background jobs, and frontend route guards.

Approach

  1. Replaced JWT role claims with Fine-Grained Authorization (FGA), modeling workspace-scoped permissions as relationship tuples. This moved policy evaluation out of the token and into a dedicated service that could be queried at runtime.
  2. Worked across the cloud portal and product teams to replace inline role checks with FGA evaluation calls. Provided shared middleware and helper utilities so each team could adopt FGA incrementally without a flag-day cutover.
  3. Built migration tooling to translate existing JWT roles into FGA tuples, ran parity checks against the old model, and maintained a compatibility shim during the transition window to keep both enforcement paths live.
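The three steps above, as an added TypeScript example that is not the project's own code: a legacy role claim is translated into one relationship tuple per workspace, and a compatibility shim evaluates both enforcement paths and reports parity. The relation names, the implied-relation hierarchy and the in-memory `TupleStore` (standing in for the FGA service) are assumptions.

```typescript
// Added example (not the project's code). Relation names, the hierarchy and the
// in-memory TupleStore are assumptions standing in for the real FGA service.
type Relation = "viewer" | "editor" | "admin";

// Legacy model: one role claim per account, with no workspace scope.
interface LegacyClaims { sub: string; role: Relation; }

// FGA model: relationship tuples "user has relation on object".
interface Tuple { user: string; relation: Relation; object: string; }

// Assumed hierarchy: admin implies editor, editor implies viewer.
const IMPLIED: Record<Relation, Relation[]> = {
  viewer: ["viewer"],
  editor: ["editor", "viewer"],
  admin: ["admin", "editor", "viewer"],
};

// Stand-in for the FGA service: tuples are written once and expanded at query time.
class TupleStore {
  private tuples: Tuple[] = [];
  write(t: Tuple): void { this.tuples.push(t); }
  check(user: string, relation: Relation, object: string): boolean {
    return this.tuples.some(
      (t) => t.user === user && t.object === object && IMPLIED[t.relation].includes(relation),
    );
  }
}

// Migration: a legacy role becomes one tuple per workspace the account is a member of.
function migrateClaims(claims: LegacyClaims, workspaces: string[], store: TupleStore): Tuple[] {
  const tuples: Tuple[] = workspaces.map((ws) => ({
    user: `user:${claims.sub}`, relation: claims.role, object: `workspace:${ws}`,
  }));
  tuples.forEach((t) => store.write(t));
  return tuples;
}

// Legacy enforcement: decided from the token alone, whatever workspace is requested.
function legacyAllows(claims: LegacyClaims, relation: Relation): boolean {
  return IMPLIED[claims.role].includes(relation);
}

// Compatibility shim: the legacy answer stays authoritative during the transition window,
// but the FGA answer is computed too and any disagreement surfaces as a parity failure.
function shimCheck(claims: LegacyClaims, store: TupleStore, relation: Relation, ws: string) {
  const legacy = legacyAllows(claims, relation);
  const fga = store.check(`user:${claims.sub}`, relation, `workspace:${ws}`);
  if (legacy !== fga) console.warn(`parity mismatch: ${claims.sub} ${relation} ${ws} legacy=${legacy} fga=${fga}`);
  return { allowed: legacy, fga, parity: legacy === fga };
}
```

A parity failure after migration is exactly the case the old model could not express: a grant that differs per workspace.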

Outcomes

  • Enabled large tenants to manage independent permission sets across dozens of workspaces.
  • Replaced opaque JWT role strings with an auditable, queryable permission graph—making policy review straightforward for security and compliance.
  • Cross-team adoption succeeded without a forced cutover: each team migrated incrementally using the shared tooling and shim layer.