This guide provides a high-level overview of authorization in Fauna.


Fauna uses secrets for authorization. You create a secret through authentication.

Each secret can have one or more roles. The roles determine the secret’s privileges, which control data access.

Fauna ships with built-in roles. You can also create user-defined roles. User-defined roles let you grant privileges to specific resources, such as collections or user-defined functions (UDFs).

See Roles

Attribute-based access control (ABAC)

Fauna supports both role-based access control (RBAC) and attribute-based access control (ABAC).

In an ABAC model, you conditionally grant a user or system access to data based on attributes. For example, you can adjust access based on:

  • The user’s current location, status, or recent activity

  • An accessed document’s current status or field values

  • Date or time of day

Unlike many systems, Fauna checks privileges and dynamically grants access at query time for every query.

See Attribute-based access control (ABAC)

User-defined functions

A role can grant the privilege to call a server-side user-defined function (UDF).

When you define a UDF, you can specify an optional role. If provided, the UDF runs using the role’s privileges, regardless of the secret used to call it. This lets you grant access to sensitive data in a controlled, prescribed way — without granting broader privileges.

You can customize the format of data returned by a UDF. This lets you mask, transform, or remove specific fields as needed.

See User-defined functions

Is this article helpful? 

Tell Fauna how the article can be improved:
Visit Fauna's forums or email

Thank you for your feedback!