What is Oso Cloud exactly?
Oso Cloud is authorization as a service. It lets you model common authorization patterns, store authorization-relevant data, and respond to all authorization questions from your app.
Concretely, it consists of the following pieces:
- A declarative policy language (called Polar) for writing authorization logic.
- Oso Cloud, the service, which stores authorization data (like roles) and responds to permission checks and related questions over an HTTP API. Our servers are replicated globally for <10ms latency and >99.99% uptime.
- Clients for most popular programming languages, and a CLI for interacting with our APIs.
- A UI that lets you interact with our APIs, as well as additional tooling, like a debugger.
What data should I store in Oso Cloud?
When using Oso Cloud, you store your authorization policy and only the data necessary to perform authorization. Typically this is roles, permissions, groups, and any attributes that are primarily used for authorization (e.g., whether a resource is public or private).
Data to store in Oso Cloud
The table below shows some common authorization models and the types of data you'd store in Oso Cloud for each model.
| Authorization Model | Example Policy Rules | Example Data Stored in Oso Cloud |
|---|---|---|
| Role Based | Admins can add new members. | Holden has the role admin in organization GillCorp. |
| Relationship Based | Any member in an organization can see repos in the organization. | Juno is a member of the organization GillCorp. |
| Attribute Based | Anyone on the public internet can read public repos. | Repo xyz555 is public. |
Data you don’t need to store in Oso Cloud
You probably won't store all authorization-relevant data in Oso Cloud. Specifically, data that you use heavily in other parts of the application and that changes often (like relationships between files and folders) you might just keep in your application database. In those cases, you send that data as context at request time. Here are some examples:
| Authorization Model | Example Policy Rules | Example Contextual Data Sent at Request Time |
|---|---|---|
| Nested resources | You can delete comments on an issue if you own the issue. | Issue pqr123 is the parent of comment abc999. |
| User-resource relationships | The writer of a comment can edit that comment. | Willow is the writer of comment abc999. |
- What data should I store in Oso Cloud?
- When to use contextual data?
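The rules from both tables above, written as one Polar policy, with the facts each row implies listed in comments. This is an added example, not policy from the original page; the resource names, the `owner` role on Issue, and the identifier spellings (`holden`, `gillcorp`, and so on) are assumptions, and the anonymous "public internet" requester is assumed to be passed as a `User` actor.

```polar
actor User { }

resource Organization {
  roles = ["member", "admin"];
  permissions = ["read", "add_member"];

  # Role based: admins can add new members.
  "add_member" if "admin";
  "read" if "member";
  "member" if "admin";
}

resource Repository {
  permissions = ["read"];
  relations = { organization: Organization };

  # Relationship based: any member of the organization can see its repos.
  "read" if "member" on "organization";
  # Attribute based: public repos are readable by any requester.
  "read" if is_public(resource);
}

resource Issue {
  roles = ["owner"];
  relations = { repository: Repository };
}

resource Comment {
  roles = ["writer"];
  permissions = ["edit", "delete"];
  relations = { issue: Issue };

  # User-resource relationship: the writer of a comment can edit it.
  "edit" if "writer";
  # Nested resource: you can delete comments on an issue you own.
  "delete" if "owner" on "issue";
}

# Facts stored in Oso Cloud (stable, authorization-specific data):
#   has_role(User{"holden"}, "admin", Organization{"gillcorp"})
#   has_role(User{"juno"}, "member", Organization{"gillcorp"})
#   has_relation(Repository{"xyz555"}, "organization", Organization{"gillcorp"})
#   is_public(Repository{"xyz555"})
#
# Facts the app keeps in its own database and sends as context at request time:
#   has_relation(Comment{"abc999"}, "issue", Issue{"pqr123"})
#   has_role(User{"willow"}, "writer", Comment{"abc999"})
```

With this split, a check such as "can Willow edit comment abc999?" needs only the two context facts alongside the request, while the role and organization facts are answered from what Oso Cloud already stores.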
How do you secure Oso Cloud?
We secure Oso Cloud using operational practices that create reliability for our business and mitigate security risks. Here are some of the things we do:
- Require Single-Sign-On and Two-Factor Authentication for all systems with customer data
- Enforce hardware-backed WebAuthn Two-Factor Authentication wherever possible
- Follow strict CI/CD practices and use automated tools to build, test, and release versions of Oso Cloud
- Collect and analyze logs from our critical vendors to assess security events in real time
- Maintain backups of critical infrastructure and practice our recovery procedures in the event of emergencies
We also take data privacy very seriously. While our operations practices minimize security risks, we also ensure that customer data is:
- Never shared with 3rd parties
- Kept securely within our VPCs and private AWS resources
- Stored using per-customer isolation
- Encrypted, both in flight to Oso Cloud and while at rest
What is Polar?
Polar is the Oso policy language. It is a declarative, logic-based language that is optimized for handling the ambiguity inherent in writing authorization policies. We build and maintain Polar as a key part of our open source authorization framework.
Does Oso do authentication or user management?
No, Oso assumes that you have a system in place for authenticating users and that you're storing user data elsewhere (e.g., in a database, hosted service). You can use user information as parameters in rules, but Oso is not a substitute for an identity or authentication provider. For that, we quite like Stytch, as do many of our customers.
Talk to an Oso Engineer
If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.