Check out v4 of the Fauna CLI

v4 of the Fauna CLI is now in beta.

The new version introduces enhancements to the developer experience, including an improved authentication workflow. To get started, check out the CLI v4 quick start.

Authorization

This guide provides a high-level overview of authorization in Fauna.

Roles

Fauna uses secrets for authorization. You create a secret through authentication.

Each secret can have one or more roles. The roles determine the secret’s privileges, which control data access.

Fauna ships with built-in roles. You can also create user-defined roles. User-defined roles let you grant privileges to specific resources, such as collections or user-defined functions (UDFs).

See Roles

Attribute-based access control (ABAC)

Fauna supports both role-based access control (RBAC) and attribute-based access control (ABAC).

In an ABAC model, you conditionally grant a user or system access to data based on attributes. For example, you can adjust access based on:

  • The user’s current location, status, or recent activity

  • An accessed document’s current status or field values

  • Date or time of day

Unlike many systems, Fauna checks privileges and dynamically grants access at query time for every query.

See Attribute-based access control (ABAC)

User-defined functions

A role can grant the privilege to call a server-side user-defined function (UDF).

When you define a UDF, you can specify an optional role. If provided, the UDF runs using the role’s privileges, regardless of the secret used to call it. This lets you grant access to sensitive data in a controlled, prescribed way — without granting broader privileges.

You can customize the format of data returned by a UDF. This lets you mask, transform, or remove specific fields as needed.

See User-defined functions (UDFs)

Is this article helpful? 

Tell Fauna how the article can be improved:
Visit Fauna's forums or email docs@fauna.com

Thank you for your feedback!