# Identity is easy. Business authorization is the real design problem.
This PoC separates local OIDC login, OpenFGA relationship checks, and Cerbos business policies. It is small on purpose so the trade-offs stay visible.
## Demo users
All three realm users share the same password so you can switch personas quickly.
| User | Purpose | Password |
|---|---|---|
| bob | underwriter with assigned and out-of-scope policy examples | Password123! |
| alice | agent with agency-based relationship inheritance | Password123! |
| brenda | billing specialist with object-level billing ownership | Password123! |
## What each component proves
Use the Policy Workspace for relationship stories, the Billing Desk for clear coarse-role separation, the Org Viewer for business data, and the Decision Viewer for the combined allow or deny trace.
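The three personas above exercise the same two-layer decision: the OIDC token establishes who the caller is and which coarse role they carry, an OpenFGA-style relationship check answers whether they hold the right relation on the specific object, and a Cerbos-style business policy says which role plus relation an action requires. The following is an added, self-contained model of that combined allow or deny trace; it is not the PoC's code and does not call the real OpenFGA or Cerbos APIs. The tuples, claims, policy table and object identifiers (`policy:P-100` and so on) are constructed to mirror the demo personas.

```python
"""Two-layer authorization decision with a trace (added example, not the PoC's own code).

Layer 1 (identity + coarse role): role claims as an OIDC token would carry them.
Layer 2 (relationship): OpenFGA-style tuples (subject, relation, object), including one
userset tuple so that agency members inherit a relation on a policy object.
Layer 3 (business policy): a Cerbos-style rule table mapping (resource kind, action) to
the role and relation that the action requires. Allow only when every layer agrees.
"""
from dataclasses import dataclass, field

# Constructed relationship tuples modelled on the demo personas (assumption).
TUPLES = {
    ("user:bob", "underwriter", "policy:P-100"),          # bob is assigned P-100 only
    ("user:alice", "member", "agency:A-1"),               # alice belongs to agency A-1
    ("agency:A-1#member", "viewer", "policy:P-200"),      # every A-1 member may view P-200
    ("user:brenda", "billing_owner", "policy:P-300"),     # brenda owns billing on P-300
}

# Relations that imply a weaker one (holding 'underwriter' also grants 'viewer').
IMPLIED = {"viewer": {"underwriter", "billing_owner"}}

# Constructed role claims as they would arrive in the OIDC token (assumption).
CLAIMS = {
    "user:bob": {"roles": ["underwriter"]},
    "user:alice": {"roles": ["agent"]},
    "user:brenda": {"roles": ["billing"]},
}

# Business policy: (resource kind, action) -> (required role or None, required relation).
POLICY = {
    ("policy", "approve"): ("underwriter", "underwriter"),
    ("policy", "view"): (None, "viewer"),
    ("policy", "adjust_billing"): ("billing", "billing_owner"),
}


@dataclass
class Decision:
    allowed: bool
    trace: list = field(default_factory=list)


def check_relation(user, relation, obj, tuples=TUPLES, trace=None):
    """True if `user` holds `relation` on `obj` directly, via an implied stronger
    relation, or via a userset tuple (group#rel). Each step is appended to `trace`."""
    trace = trace if trace is not None else []
    if (user, relation, obj) in tuples:
        trace.append(f"relationship: direct tuple {user} {relation} {obj}")
        return True
    for stronger in IMPLIED.get(relation, ()):
        if (user, stronger, obj) in tuples:
            trace.append(f"relationship: {relation} implied by {stronger} on {obj}")
            return True
    # Userset rewrite: (group#rel, relation, obj) grants `relation` on obj to anyone
    # holding `rel` on group, so recurse one level into the group membership.
    for subject, rel, o in tuples:
        if o == obj and rel == relation and "#" in subject:
            group, group_rel = subject.split("#", 1)
            if check_relation(user, group_rel, group, tuples, trace):
                trace.append(f"relationship: {relation} on {obj} inherited via {subject}")
                return True
    trace.append(f"relationship: no path for {user} {relation} {obj}")
    return False


def authorize(user, action, obj):
    """Combine role claim, business policy and relationship check into one traced decision."""
    trace = []
    kind = obj.split(":", 1)[0]
    rule = POLICY.get((kind, action))
    if rule is None:
        trace.append(f"policy: no rule for {action} on {kind}, default deny")
        return Decision(False, trace)
    required_role, required_relation = rule
    roles = CLAIMS.get(user, {}).get("roles", [])
    if required_role and required_role not in roles:
        trace.append(f"policy: {action} requires role {required_role}, token has {roles}")
        return Decision(False, trace)
    trace.append(f"policy: role requirement for {action} satisfied by {roles}")
    if not check_relation(user, required_relation, obj, trace=trace):
        trace.append("decision: deny (relationship layer)")
        return Decision(False, trace)
    trace.append("decision: allow")
    return Decision(True, trace)


if __name__ == "__main__":
    for who, act, target in [("user:bob", "approve", "policy:P-100"),
                             ("user:bob", "approve", "policy:P-200"),
                             ("user:alice", "view", "policy:P-200"),
                             ("user:alice", "approve", "policy:P-200"),
                             ("user:brenda", "adjust_billing", "policy:P-100")]:
        d = authorize(who, act, target)
        print(f"{who} {act} {target}: {'ALLOW' if d.allowed else 'DENY'}")
        for step in d.trace:
            print("   ", step)
```

Run it and the trace shows why each persona is denied at a different layer: bob fails on P-200 in the relationship layer even though his role is right, alice fails to approve in the policy layer before any relationship is consulted, and brenda's billing role alone does not reach P-100 without object-level ownership. That ordering, cheap role check first, graph walk second, is the same split the Decision Viewer makes visible.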
## UI surfaces
The Decision Viewer now doubles as a relationship explorer and policy explorer. OpenFGA's built-in Playground remains local-only at http://127.0.0.1:13003/playground because the upstream iframe only works on localhost. Cerbos Hub is the recommended browser UI for policy lifecycle once you sign in and upload the prepared ZIP.