success story

Enabling access control and enhanced user experience

Building a Centralized Access Management system for a global giant

challenge

The client operates multiple business units, utilizing a combination of legacy and modern systems. Integrating OpenFGA's relationship-based authorization model across these varied platforms demanded significant engineering coordination.
Maintaining consistent authorization data across distributed systems proved challenging—especially where applications had to perform dual writes to both business databases and OpenFGA. These complexities were magnified by the client's scale and global presence.
Given the client's role in critical sectors like infrastructure and industrial automation, security and compliance were non-negotiable. The OpenFGA implementation had to enforce strict access controls, support detailed auditing, and meet regulatory standards.
Adding to the challenge, Nagarro received no prior documentation about the client's existing authorization setup, requiring all relevant information to be discovered from scratch.

solution

We created a Centralized Access Management (CAM) solution powered by OpenFGA, which acts as a single source of truth for determining who can access what based on their roles and relationships within the organization.

We ensured that OpenFGA works with existing enterprise platforms and external services, enabling seamless data flow between systems in real time. The system handles the client's initial data migration from existing systems and keeps everything in sync with ongoing, incremental updates.

We set up DynamoDB listeners that instantly catch any permission changes and propagate them throughout the system. When users update access rights or roles in the frontend, the integration layer detects these changes, processes them through OpenFGA, and stores the updates properly in the CAM backend.

The CAM database doesn't store any personally identifiable information - just internal user IDs. This approach minimizes security risks while maintaining snappy performance.
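As an added illustration of the propagation step described above (not Nagarro's or the client's code): this turns a batch of DynamoDB Streams records into one OpenFGA Write request body, netting out grants that are added and revoked within the same batch. The item attributes `user_id`, `relation` and `object`, the `plant:` object type and the sample records are assumptions, and the stream is assumed to use the `NEW_AND_OLD_IMAGES` view type.

```python
# Added example: DynamoDB Streams records -> one OpenFGA Write request body.
# Assumed (hypothetical) item attributes: user_id, relation, object.

def _tuple(image):
    """Build an OpenFGA tuple from a DynamoDB-typed item image, or None."""
    if not image:
        return None
    try:  # only the internal user ID is carried over, no PII
        return (f"user:{image['user_id']['S']}",
                image["relation"]["S"], image["object"]["S"])
    except KeyError:
        return None  # malformed item: skip rather than write a partial tuple

def stream_to_fga_write(records):
    """Net a batch of stream records into OpenFGA writes and deletes.
    Assumes OpenFGA matched the table before the batch started."""
    before, after = {}, {}  # tuple -> existed before batch / exists after
    for rec in records:
        ddb = rec.get("dynamodb", {})
        old, new = _tuple(ddb.get("OldImage")), _tuple(ddb.get("NewImage"))
        if old == new:
            continue  # MODIFY that did not touch the grant itself
        if old:
            before.setdefault(old, True)
            after[old] = False
        if new:
            before.setdefault(new, False)
            after[new] = True

    def keys(want):  # tuples whose final state differs from the initial one
        return [{"user": t[0], "relation": t[1], "object": t[2]}
                for t, now in after.items()
                if now is want and before[t] is not want]

    body = {}  # omit empty sections instead of sending empty lists
    if keys(True):
        body["writes"] = {"tuple_keys": keys(True)}
    if keys(False):
        body["deletes"] = {"tuple_keys": keys(False)}
    return body

def _img(uid, rel, obj):  # helper for the constructed sample below
    return {"user_id": {"S": uid}, "relation": {"S": rel}, "object": {"S": obj}}

SAMPLE_RECORDS = [  # constructed records, not data from the case study
    {"eventName": "INSERT", "dynamodb": {"NewImage": _img("u-1001", "viewer", "plant:berlin")}},
    {"eventName": "MODIFY", "dynamodb": {"OldImage": _img("u-1002", "viewer", "plant:pune"),
                                         "NewImage": _img("u-1002", "admin", "plant:pune")}},
    {"eventName": "INSERT", "dynamodb": {"NewImage": _img("u-1003", "viewer", "plant:lyon")}},
    {"eventName": "REMOVE", "dynamodb": {"OldImage": _img("u-1003", "viewer", "plant:lyon")}},
]
```

The returned dictionary has the shape of the body OpenFGA's Write endpoint accepts; sending it, and retrying a failed batch so the two stores do not drift, is left to the integration layer.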

outcome

The CAM system not only centralizes access control decisions but also enhances the entire user experience — by fixing broken processes, reducing confusion, and making it easy for both users and administrators to manage access smoothly and securely.

Both external admins (people managing access from partner or third-party organizations) and end users (regular users requesting access) now have a much easier and clearer experience.

In the earlier systems, if a user's access request was rejected, they were permanently stuck in a "denied" state — they couldn't try again or fix their mistake. The new system allows rejected users to re-register, select the correct company details, and start anew. This is especially helpful when users make an error during their initial registration.