Questions on authorization with v2

[llfrank21]

Hi, I'm currently trying to have a self hosted Flipt server, and I have questions regarding authorization.

• In input request, is the resource field changed to scope now?
• And currently when I check the logs, I can only see namespace and environment for this scope field. I never see a request with scope of flag or segment. Is it possible that they are not implemented yet?

[markphelps]

Hi @llfrank21 ! Great questions about Flipt v2 authorization. Let me clarify based on the v2 implementation:

1. Yes, resource is now scope in v2

You're correct - in v2, the request structure has changed from using resource/subject fields to using a scope field. This is a breaking change from v1.

2. You'll only see environment and namespace scopes - this is by design

You're absolutely right in your observation. In v2, Flipt has intentionally simplified the authorization model to only have two scope types:

• environment scope: Controls who can manage namespaces within an environment (create, delete namespaces)
• namespace scope: Controls who can manage resources (flags, segments, rules, etc.) within a namespace

There are no longer separate flag or segment resource types in v2 authorization. All flag and segment operations are authorized at the namespace level with the
scope: "namespace".

For example:

• Creating a flag in the frontend namespace → scope: "namespace", environment: "production", namespace: "frontend", action: "create"
• Updating a segment in the backend namespace → scope: "namespace", environment: "staging", namespace: "backend", action: "update"

This simplification means you control access at the namespace level. If a user has create permission for a namespace, they can create any resource type (flags,
segments, etc.) within that namespace. This aligns better with Flipt v2's environment-first architecture and reduces policy complexity.

The v2 authorization model follows this hierarchy:

1. Global - full access to everything
2. Environment - manage namespaces within environments
3. Namespace - manage resources within namespaces

I've got a PR up on the docs repo to hopefully make this more clear in the future and to describe the differences between v1 and v2 authz: flipt-io/docs#353

[llfrank21]

Thank you so much!