Fine-Grained Authorization
Authorization has three layers: relations, attributes, and role mapping. Relations are stored in the database, and roles are treated as binary relations. Attributes, also called permissions, should not be stored in the database, because the policy mapping roles to permissions can change easily. Instead, the policy code that maps permissions to actions lives at the code level and performs its checks by composing relations between subjects (users or groups) and resources.
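A minimal sketch of this layering, as an added example that is not part of the original page: relation tuples stand in for the database, the role-to-permission policy is a dictionary in code, and a check composes group membership with resource containment. The tuple format, the `member` and `parent` relation names, the role names and all sample data are assumptions constructed for illustration.

```python
# Constructed sample tuples (subject, relation, object), standing in for the database.
# Roles such as "editor" are stored as ordinary binary relations.
TUPLES = {
    ("user:alice", "member", "group:eng"),
    ("group:eng", "editor", "folder:specs"),
    ("folder:specs", "parent", "doc:design"),
    ("user:bob", "viewer", "doc:design"),
}

# Policy lives in code, not in the database: role -> permissions (assumed names).
ROLE_PERMISSIONS = {
    "owner": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}


def _closure(start, step):
    """Transitive closure from `start`; `seen` guards against cyclic tuples."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(step(node))
    return seen


def roles(user, resource):
    """Compose relations: user -> groups ('member'), resource -> containers ('parent')."""
    subjects = _closure(user, lambda s: [o for (x, r, o) in TUPLES if x == s and r == "member"])
    objects = _closure(resource, lambda o: [x for (x, r, y) in TUPLES if y == o and r == "parent"])
    return {r for (s, r, o) in TUPLES
            if s in subjects and o in objects and r in ROLE_PERMISSIONS}


def check(user, permission, resource):
    """Deny by default: allow only if a composed role grants the permission."""
    return any(permission in ROLE_PERMISSIONS[r] for r in roles(user, resource))
```

Changing what a role may do is an edit to `ROLE_PERMISSIONS` only; the stored tuples stay as they are.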
FGAs
FGA Notion