Docs: How Oso Cloud Works
We get a lot of questions about how Oso Cloud works, what you can do with it, and how it helps you organize authorization data and logic. To answer these, we put our ideas down in a new doc called How Oso Cloud Works.
Give it a read and get acquainted with our new managed product:
New Facts-Based Approach and APIs
While roles and relationships cover a wide range of authorization use cases, many companies have additional requirements involving some form of attributes. We’ve made it possible to represent attribute-based authorization so now Oso Cloud covers all commonly-seen authorization models:
The Policy Builder has examples of how to use these patterns in your Oso Cloud policies.
To support such a wide variety of ways to think about authorization, we switched from storing roles and relations to storing more general facts. Read more about facts in How Oso Cloud Works.
In moving to this more general facts-based approach, we will soon be removing the /roles and /relations endpoints in the Oso Cloud HTTP API in favor of the more general /facts endpoint. We recommend updating to the latest versions of the Oso Cloud CLI and client libraries to prepare for this change.
Support for Multiple Environments
We’ve exposed an interface for managing multiple versions of your Oso Cloud policy and data to allow for better development and testing workflows. Just as you might have both a staging and production database, now you can have a staging and production authorization engine.
Each environment in Oso Cloud uses a different API key, which you can access (and reset!) from the web interface. This means that your application code doesn’t need to know what environment it’s accessing; you can just treat your API keys the same way you treat other configuration values that vary across deployments (such as your database handles).
Additionally, backups can be accessed across environments, which makes it possible to copy data from one environment to another. This can make maintaining dev/prod parity much easier. You can read more here.
Changelog (April - May)
Quickstart & Next Steps
Our team is happy to help you get started with Oso Cloud. If you'd like to try out any of these new features, get started here and read the docs here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.
Oso Cloud is now in public beta. You can use your GitHub login to get access to the Oso Cloud Sandbox, a test environment that supports all the latest features. We’re frequently rolling out new features to the Sandbox, like our recent web and command line interfaces and client library updates (currently in Python, Go, and Node.js). Go to the Oso Cloud Sandbox to get your API key, and run through our quickstart guide to get started. For production access, reach out.
Policy Builder
Many developers start by trying to understand what authorization model they have. All they’ve heard of is “roles” or “attributes.” Oso Cloud’s new Policy Builder gives you more structure than that by giving names to common patterns, like “org charts,” and showing you how to model those patterns in Oso. The Policy Builder is a tool that helps you try out different models that might apply to you and model them using Oso:
Note: for more detailed documentation on these patterns, you can also read our Authorization Building Blocks guide.
Guide: Add Oso Cloud to your App
Before adopting Oso Cloud, you’ll want to get a feel for what the process of adding it to your app looks like. That’s what this guide on adding Oso Cloud to your app is for — it shows you how to use the Oso Cloud client libraries (Python/Node/Go) to perform authorization checks in your app. The guide walks you through updating authorization data and enforcing authorization decisions in the language of your choice.
To get started adding Oso Cloud to your app, read the guide.
Oso Cloud Dashboard
We’ve built a new dashboard for Oso Cloud! It now summarizes the data you’ve added (e.g., roles and relations) and also shows logs for recent authorization requests to your Oso Cloud instance.
Oso Cloud Audit Logs for Authorization Requests
We recently spoke with an Oso user who said: “Authorization systems are so tricky – they never tell you when they’re working.”
Not anymore :)
Now you can see that Oso Cloud is authorizing (or denying) requests in real time. The Logs page contains all recent authorization logs for authorize and list requests to your Oso Cloud instance. (For the Sandbox, we persist the last 512 logs for you. There’s no limit for production.)
Changelog (Mar - April)
Quickstart & Next Steps
Oso Cloud is in public beta. You can get started here, and read the docs here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.
Here’s the latest on Oso Cloud:
Visualize Your Authorization Model
One of the hardest problems in authorization is modeling. Should you represent this as a role or a relationship? How do you represent what’s going on in your app as authorization logic? To help you understand your model better, we’re experimenting with a model visualizer.
Today, the visualizer takes your Oso policy and displays it as a graph. For instance, this is what our GitClub application looks like in the visualizer:
The visualizer currently supports resource blocks, which is how you model role-based access control (RBAC) in Oso. If you want to see what the visualizer would look like for your model, set up a 1x1 with the engineer who built it.
Oso Cloud Docs
Oso Cloud docs are live.
For an Introduction to Oso Cloud, Quickstart, and API docs go to: https://cloud-docs.osohq.com/.
Changelog (Feb-Mar)
Quickstart & Next Steps
Oso Cloud is in closed beta, but we have docs available here. If you’d like to learn more about Oso Cloud or try it out, set up a 1x1 with our engineering team.
We’ve been thinking about Oso Cloud for 2+ years. Here’s a preview while it’s in closed beta.
What is Oso Cloud
Oso Cloud is a fully-managed authorization service. You use it to provide fine-grained access to resources in your app, to define deep permission hierarchies, and to share access control logic between services in your backend.
As with the open source Oso library, you write policies in our declarative authorization language, Polar, to describe who is allowed to do what in your app, e.g., an admin role at an organization always grants users write access to resources that the organization owns. Oso can then efficiently use those policies to make authorization decisions.
But in contrast to the library, Oso Cloud lives separately from your applications, and stores its own data:
An Oso Cloud server exposes three APIs:
We provide client libraries to integrate Oso Cloud with your application, as well as a CLI for development and testing.
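The example rule above (an admin role at an organization grants write access to resources that the organization owns), worked through as an added illustration that is not Oso's code, the Oso Cloud API, or Polar syntax. The fact names, identifiers and sample data are assumptions constructed for this sketch; it shows how stored role and relation data combine into a decision, with deny as the default.

```python
# Conceptual model only: not Oso Cloud's API and not Polar syntax.
# Fact names and sample data below are constructed for illustration.
from typing import NamedTuple


class Fact(NamedTuple):
    predicate: str
    args: tuple


# Constructed sample data: two role assignments and two ownership relations.
FACTS = {
    Fact("has_role", ("User:alice", "admin", "Organization:acme")),
    Fact("has_role", ("User:bob", "member", "Organization:acme")),
    Fact("has_relation", ("Repository:anvil", "organization", "Organization:acme")),
    Fact("has_relation", ("Repository:forge", "organization", "Organization:other")),
}

# The page's rule as data: a role on the owning organization grants an action.
GRANTS = {("admin", "write")}


def owning_orgs(resource, facts):
    """Organizations that the stored facts say own this resource."""
    return {
        f.args[2]
        for f in facts
        if f.predicate == "has_relation"
        and f.args[0] == resource
        and f.args[1] == "organization"
    }


def authorize(actor, action, resource, facts=FACTS):
    """Allow only if a stored role on an owning organization grants the action."""
    for org in owning_orgs(resource, facts):
        for role, granted in GRANTS:
            if granted == action and Fact("has_role", (actor, role, org)) in facts:
                return True
    return False  # deny by default: no matching facts, no access
```
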
Changelog (Nov-Feb)
Quickstart & Next Steps
Oso Cloud is in closed beta, but we have a preview Quickstart Guide available here. If you’d like to learn more about Oso Cloud or try it out, set up a 1x1 with our engineering team.